...

High-Level Bootstrapping Procedure

1. Acquire suitable certificates and keys for each descriptor.
   Mostly they will be requested from a certificate authority (e.g. Smart ID Certificate Manager or a public CA), with some exceptions where self-signed credentials created via tools like Keystore Explorer are sufficient.

2. Place any of those credentials which are stored in PKCS#12 files as opposed to an HSM into the correct folders:

   1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\

   2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/

   3. Docker on Linux: /PATH/TO/smartid/docker/compose/certs/

3. Edit the XML configuration file(s) to reference the appropriate files:

   1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\engineSignEncryptConfig.xml

   2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/engineSignEncryptConfig.xml

   3. Docker on Linux: /PATH/TO/smartid/docker/compose/identitymanager/config/signencrypt.xml
      Note: each file needs to be referenced by the path within the container, as opposed to the path on the host.
      For example: file:/certs/MYFILE.p12

...

Here each descriptor is described in detail, including requirements how it shall be bootstrapped.

...

.

EncryptedFields

...

• use-case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)

• configured in this application:

  • Identity Manager Operator

• general requirements:

  • descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required

  • PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly

• algorithm attribute not used

  •  (we only use certificate and private key from the descriptor)

• versioning: not needed

• storage: pkcs12

• key requirements:

  • supported types:

    • RSA 2048

    • RSA 3072

    • RSA 4096 (recommended)

    • ECC support unknown

• certificate requirements:

  • validity DOES matter, connection to Inside server will fail when expired

  • unsure if self-signed certs would work (recommend to use CA)

  • must be trusted by Inside server

  • key usage: digitalSignature

...

• descriptor names: can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its Docker counterpart)

• use-case: decrypting pin-blobs from pre-personalized cards to e.g. print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")

• configured in this application:

  • Identity Manager Operator

• supported algorithm value: RSA

• storage: pkcs12, HSM (recommended)

• versioning: not needed

• general requirements:

  • by default the property is empty, hence no descriptors  are needed, unless the feature is required

• key requirements:

  • supported types:

    • RSA 2048

    • other keysizes: unknown

• certificate requirements:

  • issued by Nexus Certificate Manager

  • validity ignored by IDM

  • does not need to be trusted by IDM

  • key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)

...