| Info |
|---|
This article is valid for Smart ID Identity Manager 24.R1 or later. |
...
...
Overview
...
of descriptors
The engine’s descriptors are the following:
encryptedFields: Encryption and decryption of fields in the Identity Manager database
configZipEncrypter: Encryption of the configuration files
configZipSigner: Signing and validation of the configuration files
objectHistorySigner: Signing and verification of the object history
signEmailDescriptor: Signing of emails
hermodDeviceEnc: Creation of device encryption certificates that are used in Smart ID messaging
SelfServiceJWTSigner: Authentication of Smart ID Self-Service users to the Identity Manager backend
ContentProviderJWSSigner: Creation of JWS signatures used for Smart ID messaging content provider API
idopteAuthentication: Initial handshake with Idopte client-side middleware
insideClientAuth: Authentication to the IN Groupe Inside Server
att_*: Attestation for provisioning to Smart ID Mobile / Desktop Apps
(arbitrary name): Decryption of PIN blobs from pre-personalized smart-cards created with the Personal Desktop Client
Here For detailed descriptions of each descriptor is described in detail, including requirements how it shall be bootstrapped.
EncryptedFields
...
Descriptor included in default configuration.
, including requirements on how it should be bootstrapped, see below.
WORK IN PROGRESS - TRYING TO DISPLAY INFO IN ANOTHER WAY. PERHAPS A TABLE?
Descriptor | Included in default configuration | Use case | Required | Configurations | Storage | Versioning | Supported asymClipher values: | Requirements |
|---|---|---|---|---|---|---|---|---|
EncryptedFields | This descriptor is included in the default configuration. Correct bootstrapping is required for productive use. Only dev- and test systems may use placeholders, for example, created with bootstrap.zip package or the corresponding Docker container. | Encryption and decryption of fields in the Identity Manager database | Always | Configured in the applications
Configured in special-case tools:
|
| not supported, always uses version 1 |
| general requirements:
key requirements:
certificate requirements:
|
ConfigZipEncrypter | This descriptor is included in the default configuration. Correct bootstrapping may be required for productive use, depending on the use-case. Dev- and test systems may use placeholders (for example, created with bootstrap.zip package or the corresponding Docker container). | Encryption of the configuration files | Always |
|
|
|
You cannot reconfigure the asymCipher after exporting an encrypted ZIP, as config import of such a ZIP will fail. | general requirements:
key requirements:
certificate requirements:
|
ConfigZipSigner | This descriptor is included in the default configuration. Correct bootstrapping may be required for productive use, depending on the use-case. Dev- and test systems may use placeholders (for example, created with bootstrap.zip package or the corresponding Docker container). | Signing and validation of the configuration files | - |
| ||||
| Expand | ||
|---|---|---|
| ||
EncryptedFields
|
...
|
...
|
...
|
...
|
| Expand | ||
|---|---|---|
| ||
ConfigZipEncrypter
|
...
|
...
|
...
|
ConfigZipSigner
| Note |
|---|
Descriptor This descriptor is included in the default configuration. Correct bootstrapping may be required for productive use, depending on the use-case. Dev- and test systems may use placeholders (e.g. for example, created with bootstrap.zip package or the corresponding Docker container). |
use-case: Signing and validation of the configuration files
configured in these applications:
Identity Manager Admin
Identity Manager Operator
certificate requirements:
if key usage extension is critical, then digitalSignature is required
issuing certificate has to be installed in the Identity Manager trust-store
certificate must not be self-signed
storage: pkcs12, HSM (recommended)
versioning: possible, but unnecessary (It is sufficient that the certificate that signed the old configs is trusted via the IDM truststore)
supported digest value: (selecting SHA-384 or SHA-512 only affects MANIFEST.MF, other parts use SHA-256 always)
SHA-256
general requirements:
placeholder allowed only if config ZIP signing and verification is disabled
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
if key usage extension is critical, then digitalSignature is required
issuing CA cert must be in IDM truststore
must not be self-signed!
validity considerations:
if expired download is blocked unless ZIP signing is disabled
if expired config upload will fail with the message "Verification failed. The certificate has expired."
issues if not configured as above:
export is blocked unless unless ZIP signing is disabled
verification does not work, ZIP appears unsigned
ObjectHistorySigner
| Note |
|---|
Descriptor This descriptor is included in the default configuration. Correct bootstrapping may be required for productive use, depending on the use-case. Dev- and test systems may use placeholders (e.g. for example, created with bootstrap.zip package or the corresponding Docker container). |
use-case: Signing and verification of the object history
configured in these applications:
Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)
Identity Manager Operator
configured in these special-case tools:
batch_re-sign_history
(repair tool for history signature)
batch_migration_smartact_to_prime
(for migration of data from Identity Manager's/PRIME's predecessor SmartAct)
storage: pkcs12, HSM (recommended)
versioning: supported (signatures created with old versions can still be verified)
supported digest values: (changing the digest after history entries have been written requires a new version of the descriptor or startup will fail!)
SHA-256
SHA-384
SHA-512
general requirements:
placeholder allowed only if history verification is disabled (via
activitiHistoryCleanerJobTrigger.cronExpressionset to a date in the distant future, see List of Identity Manager system properties and Quartz CronTrigger tutorial )integrity of history signature would be as risk
re-signing requires use of the batch_re-sign_history tool once the first history entry is created
if you plan on enabling it at a later date, it is recommended not to use a placeholder
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
if key usage extension is critical, then digitalSignature is required
may be self-signed
validity is ignored
certificate does not need to be trusted
SignEmailDescriptor
| Note |
|---|
Descriptor This descriptor is included in the default configuration. Correct bootstrapping may be required for productive use, depending on the use-case. Dev- and test systems may use placeholders (e.g. for example, created with bootstrap.zip package or the corresponding Docker container). |
use-case: send signed e-mails from IDM
configured in this application:
Identity Manager Operator
storage: pkcs12, HSM (recommended)
versioning: supported, but unnecessary
supported algorithm values:
for RSA keys only
SHA256withRSA
SHA384withRSA
SHA512withRSA
for ECC keys only
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA
general requirements:
placeholders allowed only if email signing is not used
e-mail verification will fail if not issued by a trusted S/MIME CA
integrity of e-mails sent by IDM may be at risk if placeholder key is used
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096
ECC NIST P-256
ECC NIST P-384
ECC NIST P-521
certificate requirements:
proper S/MIME certificate with configured IDM e-mail sender address in DN's E field and/or SAN RFC-822 entry
if subject DN email field is absent, SAN extension must be critical!
IDM up to 23.10.x only accepted SAN and ignored DN.E (fixed in IDM 24.R1)
must not be self-signed!
key usage: if present, must be critical and at least either digitalSignature or nonRepudiation
validity: adhering to CAB-Forum requirements from https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods (825 days max. at the time of writing)
hermodDeviceEnc
| Info |
|---|
Descriptor This descriptor is included in the default configuration. Bootstrapping required for technical reasons, but with relaxed security requirements compared to other use-cases. |
use-case: generate dummy certificate for transient key-pairs generated on a target device when provisioning Smart ID Mobile / Desktop App profiles (the certificates themselves are merely used as transport container for the key-usage parameter)
configured in this application:
Identity Manager Operator
storage: pkcs12
versioning: possible, but unnecessary
supported algorithm values:
for RSA keys only
SHA256withRSA
SHA384withRSA
SHA512withRSA
for ECC keys only
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA
general requirements:
placeholders allowed
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096
ECC NIST P-256 (best performance)
ECC NIST P-384
ECC NIST P-521
certificate requirements
may be self-signed
validity is ignored
key usage is not checked (recommended for informational purposes: set digitalSignature)
certificate does not need to be trusted
SelfServiceJWTSigner
| Note |
|---|
Descriptor This descriptor is included in the default configuration. Correct bootstrapping is required for productive use!. Only dev- and test systems may use placeholders (e.g. for example, created with bootstrap.zip package or the corresponding Docker container). |
...
ContentProviderJWSSigner
| Note |
|---|
Descriptor This descriptor is included in the default configuration. Correct bootstrapping may be required for productive use, depending on the use-case. Dev- and test systems may use placeholders (e.g. for example, created with bootstrap.zip package or the corresponding Docker container). |
...
Misc Attestation Key Descriptors (att_…)
| Info |
|---|
Descriptors This descriptor is included in the default configuration. Replacement of the default certificates is optional. |
default descriptor names:
att_external-attestation-1 (mobile only)
att_external-attestation-2 (mobile only)
att_external-attestation-3 (mobile only)
att_external-attestation-4 (mobile only)
att_ATTESTATION (mobile+desktop, default)
use-case:
verify Certification Signing Requests (CSR) from Smart ID Mobile / Smart ID Desktop App.
optionally limit profile provisioning with Smart ID Mobile / Smart ID Desktop App to certain devices, e.g. , for example, company devices. This can be done by using Mobile/Desktop apps with custom private keys and configuring the corresponding public keys into IDM (by default IDM includes certificates for the built-in keys of any Mobile and Desktop App installation)
configured in these applications:
Identity Manager Operator
Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)
versioning: supported
storage: pkcs12, HSM (recommended)
general requirements:
default certificates do not need to be changed, unless you want to limit profile provisioning to certain devices
no private keys is configured for IDM, only each public key inside a certificate
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
when replacing, generated via tooling shown here: https://doc.nexusgroup.com/pub/configure-custom-attestation-keys
verification only uses the key, no part of the certificate is considered
key usage is not checked (recommended for informational purposes: set digitalSignature)
validity is ignored
idopteAuthentication
| Info |
|---|
Descriptor not present This descriptor is excluded by default, . It can be ignored unless the Idopte middleware is used for PKI card production. |
use-case: initial handshake with Idopte client-side middleware, see Encoding using Idopte middleware in Identity Manager
configured in this application:
Identity Manager Operator
storage: pkcs12
versioning: not supported (always uses the default (i.e. highest) version
supported algorithm value: NONEwithRSA
general requirements:
descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly
key requirements:
supported type:
RSA 2048
certificate requirements:
Idopte webapp cert, issued by Idopte based on CSR for a customer-generated keypair
one customer-specific SAN URI (does not have to point to an existing website), e.g. for example, https://idopte.customer.com (using hosts like localhost or 127.x.y.z is discouraged, as it severely restricts the maximum validity period of the certificate Idopte can issue)
validity: defined by the Idopte CA
insideClientAuth
| Info |
|---|
Descriptor not present This descriptor is excluded by default, . It can be ignored, unless the Idopte middleware is used for PKI card production. |
...
Pin-Blob Decryption Descriptors
| Info |
|---|
Descriptors not present This descriptor is excluded by default, . It can be ignored, unless pin-blobs from pre-personalized cards (using Personal Desktop Client / KGS) have to must be decrypted. |
descriptor names: can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its Docker counterpart)
use-case: decrypting pin-blobs from pre-personalized cards to e.g. for example, print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")
configured in this application:
Identity Manager Operator
supported algorithm value: RSA
storage: pkcs12, HSM (recommended)
versioning: not needed
general requirements:
by default the property is empty, hence no descriptors are needed, unless the feature is required
key requirements:
supported types:
RSA 2048
certificate requirements:
issued by Nexus Certificate Manager
validity ignored by IDM
does not need to be trusted by IDM
key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)
...