Versions Compared

Version Old Version 62 New Version 63
Changes made by

David Banz

David Banz

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid for Smart ID Identity Manager 24.R1 or later.

...

  1. Acquire suitable certificates and keys for each descriptor (mostly from Certificate Authorities, for some use-cases .
    Mostly they will be requested from a certificate authority (e.g. Smart ID Certificate Manager or a public CA), with some exceptions where self-signed credentials created via tools like Keystore Explorer are sufficient).

  2. Place any of those credentials which are stored in PKCS#12 files as opposed to an HSM into the correct folders:

    1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\

    2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/

    3. Docker on Linux: /PATH/TO/smartid/docker/compose/certs/

  3. Edit the XML configuration file(s) to reference the appropriate files:

    1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\engineSignEncryptConfig.xml

    2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/engineSignEncryptConfig.xml

    3. Docker on Linux: /PATH/TO/smartid/docker/compose/identitymanager/config/signencrypt.xml
      Note: each file needs to be referenced by the path within the container, as opposed to the path on the host.
      For example: file:/certs/MYFILE.p12

...

  • use-case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)

  • configured in this application:

    • Identity Manager Operator

  • general requirements:

    • descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required

    • PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly

  • algorithm attribute not used

    •  (we only use certificate and private key from the descriptor)

  • versioning: not needed

  • storage: pkcs12

  • key requirements:

    • supported types:

      • RSA 2048

      • RSA 3072

      • RSA 4096 (recommended)

      • ECC support unknown

  • certificate requirements:

    • validity DOES matter, connection to Inside server will fail when expired

    • unsure if self-signed certs would work (recommend to use CA)

    • must be trusted by Inside server

    • key usage: digitalSignature

...

  • descriptor names: can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its Docker counterpart)

  • use-case: decrypting pin-blobs from pre-personalized cards to e.g. print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")

  • configured in this application:

    • Identity Manager Operator

  • supported algorithm value: RSA

  • storage: pkcs12, HSM (recommended)

  • versioning: not needed

  • general requirements:

    • by default the property is empty, hence no descriptors  are needed, unless the feature is required

  • key requirements:

    • supported types:

      • RSA 2048

      • other keysizes: unknown

  • certificate requirements:

    • issued by Nexus Certificate Manager

    • validity ignored by IDM

    • does not need to be trusted by IDM

    • key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)

...