This article is valid for Smart ID 24.R1 and later.

...

For Docker deployment, libjpkcs11 needs to be placed on the Docker host and then mounted into the respective containers.
This is done by adding a volume mount to docker/compose/identitymanager/admin/docker-compose.yml and docker/compose/identitymanager/operator/docker-compose.yml.
In the example below we have libjpkcs11_x64-3.6.3.1.so (version number may vary) placed into the docker/compose/identitymanager/config/ folder, which is then mounted into the container’s Tomcat folder for native libs as libjpkcs11.so.

```yaml
    volumes:
      - "../config/libjpkcs11_x64-3.6.3.1.so:/usr/local/tomcat/native-jni-lib/libjpkcs11.so:ro"
```

...

Example extract of config XML

```xml
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
    <descriptors>
        <!-- other descriptors go here... -->
        <descriptor name="EncryptedFields" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encryptedFieldsCertificateV1"
                  asymCipher="RSA/ECB/OAEPWithSHA-384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipSigner" version="1">
            <type algorithm="SHA-256" key="configZipSignerCertificateV1" />
        </descriptor>
        <descriptor name="ObjectHistorySigner" version="1">
            <type algorithm="SHA-256" key="objectHistorySignerCertificateV1" />
        </descriptor>
        <descriptor name="SignEmailDescriptor" version="1">
            <type algorithm="SHA256withRSA" key="signEmailCertificateV1"/>
        </descriptor>
    </descriptors>
    <keys>
        <!-- other keys go here... -->
        <key name="encryptedFieldsCertificateV1">
            <type name="HSM" locationValue="C:\Program Files\Utimaco\CryptoServer\Lib\cs_pkcs11_R2" pin.encrypted="132435"
                  alias="encryptedFieldsCertificateV1" slot="0" />
        </key>
        <key name="configZipSignerCertificateV1">
            <type name="HSM" locationValue="C:\Program Files\Utimaco\CryptoServer\Lib\cs_pkcs11_R2" pin.encrypted="132435"
                  alias="configZipSignerCertificateV1" slot="0" />
        </key>
        <key name="objectHistorySignerCertificateV1">
            <type name="HSM" locationValue="C:\Program Files\Utimaco\CryptoServer\Lib\cs_pkcs11_R2" pin.encrypted="132435"
                  alias="objectHistorySignerCertificateV1" slot="0" />
        </key>
        <key name="signEmailCertificateV1">
            <type name="HSM" locationValue="C:\Program Files\Utimaco\CryptoServer\Lib\cs_pkcs11_R2" pin.encrypted="132435"
                  alias="signEmailCertificateV1" slot="0" />
        </key>
    </keys>
</engineSignEncrypt>
```
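As an added example (not part of the Smart ID documentation or product), the following Python script checks an engineSignEncrypt extract like the one above for the mistakes that most often break HSM-backed keys: a descriptor whose key attribute has no matching key entry, an HSM key entry missing locationValue, alias or slot, and a comment closed with `->` instead of `-->`, which makes the whole file unparsable. The sample XML, the PKCS#11 library path and the pin value are constructed placeholders, and the required-attribute list is an assumption drawn from the extract rather than the product's schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the extract above; library path and pin are placeholders.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
  <descriptors>
    <descriptor name="EncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encryptedFieldsCertificateV1" asymCipher="RSA/ECB/OAEPWithSHA-384AndMGF1Padding"/>
    </descriptor>
    <descriptor name="SignEmailDescriptor" version="1">
      <type algorithm="SHA256withRSA" key="signEmailCertificateV2"/>
    </descriptor>
  </descriptors>
  <keys>
    <key name="encryptedFieldsCertificateV1">
      <type name="HSM" locationValue="/opt/hsm/lib/cs_pkcs11_R2" pin.encrypted="PLACEHOLDER" alias="encryptedFieldsCertificateV1" slot="0"/>
    </key>
    <key name="signEmailCertificateV1">
      <type name="HSM" locationValue="/opt/hsm/lib/cs_pkcs11_R2" pin.encrypted="PLACEHOLDER" alias="signEmailCertificateV1"/>
    </key>
  </keys>
</engineSignEncrypt>
"""

HSM_REQUIRED = ("locationValue", "alias", "slot")  # assumed minimum for a PKCS#11 key lookup


def check_config(xml_text):
    """Return the problems found in an engineSignEncrypt extract; an empty list means it is consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A comment closed with '->' instead of '-->' fails here and takes the whole config with it.
        return ["not well-formed XML: %s" % exc]
    problems = []
    keys = {k.get("name"): k for k in root.iter("key")}
    referenced = set()
    for d in root.iter("descriptor"):
        ref = d.find("type").get("key")  # every descriptor must point at a defined key
        referenced.add(ref)
        if ref not in keys:
            problems.append("descriptor %s references undefined key %s" % (d.get("name"), ref))
    for name, k in keys.items():
        t = k.find("type")
        if t is not None and t.get("name") == "HSM":
            missing = [a for a in HSM_REQUIRED if not t.get(a)]
            if missing:
                problems.append("HSM key %s is missing %s" % (name, ", ".join(missing)))
        if name not in referenced:
            problems.append("key %s is defined but never referenced" % name)
    return problems
```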

...

If this is not handled, errors like the following can occur:

    Caused by: java.lang.IllegalArgumentException: Parameter must be of type com.id2tech.security.store.Pkcs11LoadStoreParameters but is com.id2tech.security.store.Pkcs11LoadStoreParameters

In addition, you may get a ClassNotFoundException for various BouncyCastle classes in crypto-related use cases like softtoken requests, for example:

    Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider

To avoid this, you have these options:

  1. Deploy each Identity Manager webapp on its own dedicated Tomcat instance (Docker deployments always work like this).

     OR

  2. Remove all CMSDK JARs and all BouncyCastle JARs from all webapps' tomcat\<webapp>\WEB-INF\lib folders and place them in tomcat\libs instead (this ensures those JARs are served from the Tomcat common classloader for all webapps).

     CMSDK JARs:
       • cmcommon*.jar
       • cmsdk-*.jar
       • common-*.jar

     BouncyCastle JARs:
       • bcmail-*.jar
       • bcpgp-*.jar
       • bcpkix-*.jar
       • bcprov-*.jar (including bcprov-ext-*.jar)

Additional information
