Versions Compared


Comment: This article is new for Smart ID Identity Manager 24.R1. Remember to update the release version number before publishing externally.

Info

This article includes updates for Smart ID Identity Manager 24.R1.

...

  • Placeholder keys/certs forbidden for productive use

    • Confidentiality of database secrets would be at risk

    • The key can only be changed with the tool batch_secretfieldstore_change_encryption_key once the first secret is stored in the database

...

  • No special requirements, as only the key-pair is used

    • May be self-signed

    • Key usage is not checked (recommended for informational purposes: set dataEncipherment)

    • Validity is ignored

    • Certificate does not need to be trusted

...

  • RSA/None/OAEPWithSHA384AndMGF1Padding

  • RSA/None/OAEPWithSHA512AndMGF1Padding

Note

...

You cannot reconfigure the asymCipher after exporting an encrypted ZIP, as config import of such a ZIP will fail.
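Why the asymCipher is fixed once an encrypted ZIP has been exported: RSA-OAEP ciphertext is bound to the OAEP/MGF1 hash it was produced with, so a ZIP wrapped under the SHA-384 transformation cannot be unwrapped under the SHA-512 one. The following Python is an added example and not Identity Manager code; it assumes the ZIP's symmetric key is wrapped with RSA-OAEP using the hash named in the transformation string (the name-to-hash mapping is this example's own), and it needs the `cryptography` package.

```python
# Added example (not from the Smart ID Identity Manager documentation or product).
# Demonstrates that an RSA-OAEP-wrapped key only unwraps under the OAEP hash it was
# wrapped with, which is why a changed asymCipher breaks import of older encrypted ZIPs.
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed mapping of the transformation names listed on the page to OAEP/MGF1 hashes.
OAEP_HASHES = {
    "RSA/None/OAEPWithSHA384AndMGF1Padding": hashes.SHA384,
    "RSA/None/OAEPWithSHA512AndMGF1Padding": hashes.SHA512,
}


def oaep_padding(asym_cipher: str) -> padding.OAEP:
    """Build the OAEP padding object for one of the supported transformation names."""
    h = OAEP_HASHES[asym_cipher]
    return padding.OAEP(mgf=padding.MGF1(algorithm=h()), algorithm=h(), label=None)


def wrap_key(pubkey, zip_key: bytes, asym_cipher: str) -> bytes:
    """Wrap the ZIP's symmetric key the way an export with this asymCipher would."""
    return pubkey.encrypt(zip_key, oaep_padding(asym_cipher))


def unwrap_key(privkey, wrapped: bytes, asym_cipher: str):
    """Return the unwrapped key, or None when OAEP decoding fails (cipher mismatch)."""
    try:
        return privkey.decrypt(wrapped, oaep_padding(asym_cipher))
    except ValueError:
        return None


def demo():
    """Export under SHA-384, then try to import under the same and under a changed cipher.

    Returns (import_with_same_cipher_ok, import_with_changed_cipher_fails).
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    zip_key = b"\x01" * 32  # constructed 256-bit key standing in for the ZIP content key
    exported = wrap_key(key.public_key(), zip_key, "RSA/None/OAEPWithSHA384AndMGF1Padding")
    same = unwrap_key(key, exported, "RSA/None/OAEPWithSHA384AndMGF1Padding")
    changed = unwrap_key(key, exported, "RSA/None/OAEPWithSHA512AndMGF1Padding")
    return same == zip_key, changed is None


if __name__ == "__main__":
    print(demo())
```

The failure is not a bug in either transformation: OAEP decoding checks the hash of the label and the padding structure, both of which depend on the hash function, so the mismatch is detected as a padding error rather than yielding a wrong key silently.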

General requirements

  • Placeholder allowed only if config ZIP encryption is disabled

    • After changing the key you cannot decrypt previously exported config ZIPs that use encryption

...

  • No special requirements, as only the key-pair is used

    • May be self-signed

    • Key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)

    • Validity is ignored

    • Certificate does not need to be trusted

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for productive use, depending on the use-case.

Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker container).

...


Use-case

Signing and validation of the configuration files

Required

David Banz this info is missing for ConfigZipSigner, so just want to confirm that it was not forgotten. Should I remove this section?

Configured in the following applications

  • Identity Manager Admin

  • Identity Manager Operator

Certificate requirements

David Banz this section is here, but also in a different format below under “Supported types”. Which section is correct and which one should be removed?

  • If key usage extension is critical, then digitalSignature is required

  • Issuing certificate has to be installed in the Identity Manager trust-store

  • Certificate must not be self-signed

Storage

  • HSM (recommended)

  • pkcs12

Versioning

Possible, but unnecessary. (It is sufficient that the certificate that signed the old configs is trusted via the IDM truststore.)

...

Supported digest value

  • SHA-256

(Selecting SHA-384 or SHA-512 only affects MANIFEST.MF; other parts always use SHA-256.)

General requirements

...

  • Placeholder allowed only if config ZIP signing and verification is disabled

Key requirements

...

...

Supported types

...

  • RSA 2048

  • RSA 3072

  • RSA 4096 (recommended)

Certificate requirements

...

  • If key usage extension is critical, then digitalSignature is required

  • Issuing CA cert must be in IDM truststore

  • Must not be self-signed!

  • Validity considerations:

    • if expired, download is blocked unless ZIP signing is disabled

    • if expired, config upload will fail with the message "Verification failed. The certificate has expired."

  • Issues if not configured as above:

    • export is blocked unless ZIP signing is disabled

    • verification does not work, ZIP appears unsigned

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for productive use, depending on the use-case.

Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker container).

...


...

Use-case

Signing and verification of the object history

Required

David Banz this info is missing for ObjectHistorySigner, so just want to confirm that it was not forgotten. Should I remove this section?

Configured in the following applications

  • Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)

  • Identity Manager Operator

Configured in these special-case tools

...

  • batch_re-sign_history

    (repair tool for history signature)

  • batch_migration_smartact_to_prime

    (for migration of data from Identity Manager's/PRIME's predecessor SmartAct)

Storage

  • HSM (recommended)

  • pkcs12

Versioning

Supported (signatures created with old versions can still be verified)

...

Supported digest values

...

Note

Changing the digest after history entries have been written requires a new version of the descriptor, or startup will fail.

  • SHA-256

  • SHA-384

  • SHA-512

General requirements

...

  • Placeholder allowed only if history verification is disabled (via activitiHistoryCleanerJobTrigger.cronExpression set to a date in the distant future. See List of Identity Manager system properties and Quartz CronTrigger tutorial for more information)

    • Integrity of history signature would be at risk

    • Re-signing requires use of the batch_re-sign_history tool once the first history entry is created

    • If you plan on enabling it at a later date, it is recommended not to use a placeholder

Key requirements

...

...

Supported types

...

  • RSA 2048

  • RSA 3072

  • RSA 4096 (recommended)

Certificate requirements

...

  • If key usage extension is critical, then digitalSignature is required

  • May be self-signed

  • Validity is ignored

  • Certificate does not need to be trusted

SignEmailDescriptor

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for productive use, depending on the use-case.

Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker container).

...


Use-case

Send signed e-mails from IDM

Required

David Banz this info is missing for SignEmailDescriptor, so just want to confirm that it was not forgotten. Should I remove this section?

Configured in the following application

  • Identity Manager Operator

Storage

  • HSM (recommended)

  • pkcs12

Versioning

Supported, but unnecessary

...

Supported algorithm values

...

...

For RSA keys only

  • SHA256withRSA

  • SHA384withRSA

  • SHA512withRSA

For ECC keys only

  • SHA256withECDSA

  • SHA384withECDSA

  • SHA512withECDSA

General requirements

...

  • Placeholders allowed only if email signing is not used

    • Email verification will fail if not issued by a trusted S/MIME CA

    • Integrity of e-mails sent by IDM may be at risk if placeholder key is used

Key requirements

...

...

Supported types

...

  • RSA 2048

  • RSA 3072

  • RSA 4096

  • ECC NIST P-256

  • ECC NIST P-384

  • ECC NIST P-521

Certificate requirements

...

  • Proper S/MIME certificate with configured IDM e-mail sender address in DN's E field and/or SAN RFC-822 entry

    • If subject DN email field is absent, SAN extension must be critical!

    • IDM up to 23.10.x only accepted SAN and ignored DN.E (fixed in IDM 24.R1) David Banz can we rewrite this last part to just say it is fixed in this version?

  • Must not be self-signed!

  • Key usage: if present, must be critical and at least either digitalSignature or nonRepudiation

  • Validity: adhering to CAB-Forum requirements from https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods (825 days max. at the time of writing) David Banz can we remove or clarify this last part to not have to update in the future?
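A pre-flight check that applies the SignEmailDescriptor certificate requirements above (sender address in DN E field and/or SAN rfc822Name, SAN critical when the DN has no E field, not self-signed, keyUsage critical with digitalSignature or nonRepudiation, validity within the CA/B Forum maximum) before a certificate is bootstrapped. This is an added example, not Identity Manager code; the `cryptography` package, the `check_smime_cert` and `build_demo_cert` names, the demo CA name and the sender address are this example's own, and the 825-day limit is passed in as a parameter rather than hard-coded so it can follow the CA/B Forum value.

```python
# Added example (not from the Smart ID Identity Manager documentation or product).
# Checks an X.509 certificate against the S/MIME signing requirements listed above.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def _validity_period(cert: x509.Certificate) -> timedelta:
    # Prefer the tz-aware accessors (cryptography >= 42), fall back to the naive ones.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return na - nb


def check_smime_cert(cert: x509.Certificate, sender: str, max_days: int = 825) -> list:
    """Return a list of requirement violations; an empty list means the cert passes."""
    problems = []

    # Sender address must appear in the DN E field and/or the SAN rfc822Name entries.
    dn_mails = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    san_mails, san_critical = [], False
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        san_mails = san.value.get_values_for_type(x509.RFC822Name)
        san_critical = san.critical
    except x509.ExtensionNotFound:
        pass
    if sender not in dn_mails and sender not in san_mails:
        problems.append(f"sender {sender} not in DN E field or SAN rfc822Name")
    if not dn_mails and san_mails and not san_critical:
        problems.append("DN E field absent, so SAN extension must be critical")

    # Must not be self-signed.
    if cert.issuer == cert.subject:
        problems.append("certificate is self-signed")

    # keyUsage, if present, must be critical and carry digitalSignature or nonRepudiation.
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
        if not ku.critical:
            problems.append("keyUsage present but not critical")
        if not (ku.value.digital_signature or ku.value.content_commitment):
            problems.append("keyUsage lacks digitalSignature and nonRepudiation")
    except x509.ExtensionNotFound:
        pass

    # Validity period must not exceed the configured maximum.
    period = _validity_period(cert)
    if period > timedelta(days=max_days):
        problems.append(f"validity {period.days} days exceeds {max_days}")
    return problems


def build_demo_cert(sender: str, good: bool) -> x509.Certificate:
    """Constructed test certificate: CA-issued and compliant when good=True, otherwise
    self-signed with a non-critical keyUsage and a three-year validity."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo S/MIME CA")])
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "IDM mail sender"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, sender),
    ])
    issuer, signer = (ca_name, ca_key) if good else (subject, leaf_key)
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365 if good else 3 * 365))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(sender)]), critical=False)
        .add_extension(
            x509.KeyUsage(digital_signature=True, content_commitment=True,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=False, crl_sign=False,
                          encipher_only=False, decipher_only=False),
            critical=good,
        )
    )
    return builder.sign(signer, hashes.SHA256())


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, check_smime_cert(build_demo_cert("idm@example.com", flag), "idm@example.com"))
```

The check deliberately reports every violation instead of stopping at the first, so an operator sees the full list of what to fix before requesting a new certificate; it does not replace chain validation against the S/MIME CA, which the mail recipient performs.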

hermodDeviceEnc

Info

Descriptor included in default configuration.

Bootstrapping required for technical reasons, but with relaxed security requirements compared to other use-cases.

...