...
use-case: Signing and verification of the object history
configured in these applications:
Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)
Identity Manager Operator
configured in these special-case tools:
batch_re-sign_history
(repair tool for history signature)
batch_migration_smartact_to_prime
(for migration of data from Identity Manager's/PRIME's predecessor SmartAct)
storage: pkcs12, HSM (recommended)
versioning: supported (signatures created with old versions can still be verified)
supported digest values: (changing the digest after history entries have been written requires a new version of the descriptor or startup will fail!)
SHA-256
SHA-384
SHA-512
general requirements:
placeholder allowed only if history verification is disabled (via
activitiHistoryCleanerJobTrigger.cronExpression
set to a date in the distant future, see List of Identity Manager system properties)integrity of history signature would be as risk
re-signing requires use of the batch_re-sign_history tool once the first history entry is created
if you plan on enabling it at a later date, it is recommended not to use a placeholder
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
if key usage extension is critical, then digitalSignature is required
may be self-signed
validity is ignored
certificate does not need to be trusted
...