...
| Note |
|---|
Descriptor included in default configuration. Correct bootstrapping is may be required for productive use!Only devuse, depending on the use-case. Dev- and test systems may use placeholders (e.g. created with bootstrap.zip package or the corresponding Docker container). |
use-case: Signing and verification of the object history
configured in these applications:
Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)
Identity Manager Operator
configured in these special-case tools:
batch_re-sign_history
(repair tool for history signature)
batch_migration_smartact_to_prime
(for migration of data from Identity Manager's/PRIME's predecessor SmartAct)
storage: pkcs12, HSM (recommended)
versioning: supported (signatures created with old versions can still be verified)
supported digest values: (changing the digest after history entries have been written requires a new version of the descriptor or startup will fail!)
SHA-256
SHA-384
SHA-512
general requirements:
placeholder keys forbidden for productive useallowed only if history verification is disabled
integrity of history signature would be as risk
re-signing requires use of the batch_re-sign_history tool once the first history entry is created
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
if key usage extension is critical, then digitalSignature is required
may be self-signed
validity is ignored
certificate does not need to be trusted
...