Versions Compared

Version Old Version 20 New Version 21
Changes made by

David Banz

Paul Zachos

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid for Smart ID 24.R1 and later.

...

Table of Contents
stylenone

Keys and certificates for the sign and encrypt engine can be stored in a Hardware Security Model (HSM) for several use cases:

...

. This is a more secure solution for signing and encryption than PKCS#12 files, which are files in the file system, only protected by a PIN code.

The following use cases support storing the keys in an HSM:

  • Encryption and decryption of fields in the Identity Manager database

  • Sign Signing and verify verification of the object history

  • Sign and validate config zip files

  • Encrypt config zip files

  • Sign and encrypt emails

  • Authenticate Signing, validation and encryption of the configuration files

  • Signing and encryption of emails

  • Creation of JWS signatures used for Smart ID messaging content provider API

  • Authentication of Smart ID Self-Service users to the Identity Manager backend

  • Creating JWS signatures used for Hermod's content provider API

  • Decrypting Decryption of PIN blobs from pre-personalized smart-cards created with the Personal Desktop Client

  • Attestation for provisioning to Smart ID Mobile / Desktop Apps

...

The set of JAR files in Certificate Manager (CM) 8.4 and later has changed. This applies to Identity Manager in Smart ID 21.10 and later - see this note for the updates, see also section "Configure Tomcat" below.

Note

Different set of JAR files for Identity Manager in Smart ID 21.10 and later

Certificate Manager SDK 8.4 and later (as used in IDM 21.10 and later) has a different set of JAR files compared to previous versions:

cmcommon-x.y.z.jar => renamed to cm-common-x.y.z.jar
cmsdk-x.y.z.jar => renamed to cm-sdk-x.y.z.jar
csp-x.y.z.jar => removed, all code moved to common-x.y.z.jar
common-x.y.z.jar => now includes csp code as well and carries JCE provider signature

See also the section "Configure Tomcat" below.

Prerequisites

  • Installed Smart ID 24.R1 or later

  • Installed and running HSM with PKCS#11 library available on the Identity Manager server

...

  1. To avoid this, you have these options:

    1. Deploy each Identity Manager webapp on its own dedicated Tomcat instance (Docker deployments always work like this).

      OR

    2. Remove all CMSDK JARs and all BouncyCastle JARs from all webapps' tomcat\<webapp>\WEB-INF\lib folders and place them in tomcat\libs instead (this ensures those JARs are served from the Tomcat common classloader for all webapps).

      1. CMSDK JARs:

        • cmcommon*.jar

        • cmsdk-*.jar

        • common-*.jar

      2. BouncyCastle JARs:

        • bcmail-*.jar

        • bcpgp-*.jar

        • bcpkix-*.jar

        • bcprov-*.jar (including bcprov-ext-*.jar)

Additional information

Expand
titleUseful links