Versions Compared

Version Old Version 95 New Version 96
Changes made by

David Banz

Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Comment: One suggestion is to rename the heading to “Sign and encrypt engine descriptors”. What do you think David Banz?

Info

This article is valid for Smart ID Identity Manager 24.R1 or later.

...

Info

Descriptor included in default configuration.

Correct bootstrapping is required for productive use.

Only dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker container).

Descriptor name

Use-case

Required

Configurations

Storage

Versioning

Supported asymClipher values

Requirements

EncryptedFields

Encryption and decryption of fields in the Identity Manager database

Always

Configured in the following tools:

  • Identity Manager Admin (previously know as PRIME Designer)

  • Identity Manager Operator (previously known as PRIME Explorer)

Configured special-case tools:

  • batch_secretfieldstore_change_encryption_key

    (repair tool for secret fields)

  • batch_migration_smartact_to_prime

    (for migration of data from Identity Manager's/PRIME's predecessor SmartAct, it has additional requirements for decrypting secret fields and config entries from the source system)

  • HSM (recommended)

  • pkcs12

Not supported, always uses version 1

For HSM:

  • RSA/ECB/OAEPWithSHA-384AndMGF1Padding

  • RSA/ECB/OAEPWithSHA-512AndMGF1Padding

For PKCS#12:

  • RSA/None/OAEPWithSHA384AndMGF1Padding

    • RSA/None/OAEPWithSHA512AndMGF1Padding

General requirements
Placeholder keys/certs forbidden for productive use:

  • confidentiality of database secrets would be at risk

  • the key can only be changed with the tool batch_secretfieldstore_change_encryption_key once the first secret is stored in the database

Key requirements

Supported types:

  • RSA 2048

  • RSA 3072

  • RSA 4096 (recommended)

Certificate requirements:

  • no special requirements, as only the key-pair is used

  • may be self-signed

  • key usage is not checked (recommended for informational purposes: set dataEncipherment)

  • validity is ignored

  • certificate does not need to be trusted

  • use-case: Encryption and decryption of fields in the Identity Manager database

  • required: always

  • configured in these applications:

    • Identity Manager Admin (previously know as PRIME Designer)

    • Identity Manager Operator (previously known as PRIME Explorer)

  • configured in these special-case tools:

    • batch_secretfieldstore_change_encryption_key

      (repair tool for secret fields)

    • batch_migration_smartact_to_prime

      (for migration of data from Identity Manager's/PRIME's predecessor SmartAct, it has additional requirements for decrypting secret fields and config entries from the source system)

  • storage: pkcs12, HSM (recommended)

  • versioning: not supported, always uses version 1

  • supported asymClipher values:

    • for HSM

      • RSA/ECB/OAEPWithSHA-384AndMGF1Padding

      • RSA/ECB/OAEPWithSHA-512AndMGF1Padding

    • for PKCS#12

      • RSA/None/OAEPWithSHA384AndMGF1Padding

      • RSA/None/OAEPWithSHA512AndMGF1Padding

  • general requirements:

    • placeholder keys/certs forbidden for productive use

      • confidentiality of database secrets would be at risk

      • the key can only be changed with the tool batch_secretfieldstore_change_encryption_key once the first secret is stored in the database

  • key requirements:

    • supported types:

      • RSA 2048

      • RSA 3072

      • RSA 4096 (recommended)

  • certificate requirements:

    • no special requirements, as only the key-pair is used

      • may be self-signed

      • key usage is not checked (recommended for informational purposes: set dataEncipherment)

      • validity is ignored

      • certificate does not need to be trusted

...