Versions Compared

Version Old Version 27 New Version 28
Changes made by

David Banz

Josefin Klang (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid includes updates for Smart ID Identity Manager 24.R1 and later.

Table of Contents
stylenone

Keys and certificates for the sign and encrypt engine can be stored in a Hardware Security Model (HSM) for several use cases. This is a more secure solution for signing and encryption than PKCS#12 files, which are files in the file system, only protected by a PIN code.

...

  • Encryption and decryption of fields in the Identity Manager database (descriptor: encryptedFields)

  • Signing and verification of the object history (descriptor: objectHistorySigner)

  • Signing and validation of the configuration files (descriptor: configZipSigner)

  • Encryption of the configuration files (descriptor: configZipEncrypter)

  • Signing of emails (descriptor: signEmailDescriptor)

  • Creation of JWS signatures used for Smart ID messaging content provider API (descriptor: ContentProviderJWSSigner)

  • Authentication of Smart ID Self-Service users to the Identity Manager backend (descriptor: SelfServiceJWTSigner)

  • Decryption of PIN blobs from pre-personalized smart-cards created with the Personal Desktop Client (arbitrarily named descriptors)

  • Attestation for provisioning to Smart ID Mobile / Desktop Apps (descriptors: att_*)

...

Different set of JAR files for Identity Manager in Smart ID 21.10 and later

Certificate Manager SDK 8.4 and later (as used in

...

Identity Manager 21.10 and later) has a different set of JAR files compared to previous versions:

  • cmcommon-x.y.z.jar => renamed to cm-common-x.y.z.jar

  • cmsdk-x.y.z.jar => renamed to cm-sdk-x.y.z.jar

  • csp-x.y.z.jar => removed, all code moved to common-x.y.z.jar

  • common-x.y.z.jar => now includes csp code as well and carries JCE provider signature

...

For more information, see the section "Configure Tomcat" below.

Prerequisites

  • Installed Smart ID 24.R1 or later

  • Installed and running HSM with PKCS#11 library available on the Identity Manager server

...

To be accessed, the library needs to must be available in the PATH environment variable.

  • Create a new folder for it and add the folder to the PATH

...

OR

...

  • or copy it to your C:\Windows\System32 folder.

Docker Deployment

For Docker deployment, libjpkcs11 needs to be placed onto the docker host and then mounted into a the respective containers.
This is done by adding a volume mount to docker/compose/identitymanager/admin/docker-compose.yml and docker/compose/identitymanager/operator/docker-compose.yml.
In the example below we have libjpkcs11_x64-3.6.3.1.so (version number may vary) placed into the docker/compose/identitymanager/config/ folder, which is then mounted into the container’s Tomcat folder for native libs as libjpkcs11.so.

...

  1. To avoid this, you have these options:

    1. Deploy each Identity Manager webapp on its own dedicated Tomcat instance (Docker deployments always work like this).

      OR

    2. Remove all CMSDK JARs and all BouncyCastle JARs from all webapps' tomcat\<webapp>\WEB-INF\lib folders and place them in tomcat\libs instead (this ensures those JARs are served from the Tomcat common classloader for all webapps).

      1. CMSDK JARs:

        • cmcommon*.jar

        • cmsdk-*.jar

        • common-*.jar

      2. BouncyCastle JARs:

        • bcmail-*.jar

        • bcpgp-*.jar

        • bcpkix-*.jar

        • bcprov-*.jar (including bcprov-ext-*.jar)

Additional information

Expand
titleUseful links