Comment: This article is new for Smart ID Identity Manager 24.R1.

Remember to update the release version number before publishing externally.

Info

This article includes updates for Smart ID Identity Manager 24.R1.

...

  • RSA/None/OAEPWithSHA384AndMGF1Padding

    • RSA/None/OAEPWithSHA512AndMGF1Padding

  • NOTE: you cannot reconfigure the asymCipher after exporting an encrypted ZIP, as config import of such a ZIP will fail

General requirements

  • Placeholder allowed only if config ZIP encryption is disabled

    • after changing the key you cannot decrypt previously exported config ZIPs that use encryption

...

  • RSA 2048

  • RSA 3072

  • RSA 4096 (recommended)

Certificate requirements

  • if key usage extension is critical, then digitalSignature is required

  • issuing CA cert must be in IDM truststore

  • must not be self-signed!

  • validity considerations:

    • if expired, download is blocked unless ZIP signing is disabled

    • if expired, config upload will fail with the message "Verification failed. The certificate has expired."

  • issues if not configured as above:

    • export is blocked unless ZIP signing is disabled

    • verification does not work, ZIP appears unsigned

  • use-case: Encryption of the configuration files

  • required: always

  • configured in these applications

    • Identity Manager Admin / (earlier known as PRIME Designer)

    • Identity Manager Operator / (earlier known as PRIME Explorer)

  • storage: pkcs12, HSM (recommended)

  • versioning: not supported, always uses version 1

  • supported asymCipher values:

    • for HSM

      • RSA/ECB/OAEPWithSHA-384AndMGF1Padding

      • RSA/ECB/OAEPWithSHA-512AndMGF1Padding

    • for PKCS#12

      • RSA/None/OAEPWithSHA384AndMGF1Padding

      • RSA/None/OAEPWithSHA512AndMGF1Padding

    • NOTE: you cannot reconfigure the asymCipher after exporting an encrypted ZIP, as config import of such a ZIP will fail

  • general requirements:

    • placeholder allowed only if config ZIP encryption is disabled

      • after changing the key you cannot decrypt previously exported config ZIPs that use encryption

  • key requirements:

    • supported types:

      • RSA 2048

      • RSA 3072

      • RSA 4096 (recommended)

  • certificate requirements:

    No special requirements, as only the key-pair is used

    • may be self-signed

    • key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)

    • validity is ignored

    • certificate does not need to be trusted
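
The two restrictions above (no asymCipher change after an encrypted export, no decryption of earlier exports after a key change) match how RSA-OAEP behaves: decryption succeeds only with the same private key and the same OAEP digest. The following is an added example, not Identity Manager code; it uses the transformation names listed for HSM, which the JDK's default provider also accepts, with ephemeral key pairs and a constructed secret, and the class and method names are hypothetical.

```java
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

// Added illustration, not Identity Manager code. Class and method names are hypothetical.
public class AsymCipherMismatchDemo {
    static final String OAEP_SHA384 = "RSA/ECB/OAEPWithSHA-384AndMGF1Padding";
    static final String OAEP_SHA512 = "RSA/ECB/OAEPWithSHA-512AndMGF1Padding";

    // Runs one encrypt or decrypt operation with the given transformation and key.
    static byte[] run(String transformation, int mode, Key key, byte[] input)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    // Returns true only if decryption succeeds and yields the original bytes.
    static boolean canDecrypt(String transformation, KeyPair kp, byte[] ct, byte[] expected) {
        try {
            byte[] pt = run(transformation, Cipher.DECRYPT_MODE, kp.getPrivate(), ct);
            return Arrays.equals(pt, expected);
        } catch (GeneralSecurityException e) {
            // A digest or key mismatch surfaces as a padding failure, not as garbage output.
            System.out.println("  " + transformation + " -> " + e.getClass().getSimpleName());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048); // smallest supported size, chosen to keep the demo fast
        KeyPair exportKey = gen.generateKeyPair();   // key in place at export time
        KeyPair replacedKey = gen.generateKeyPair(); // key after a later key change

        // Constructed sample data standing in for whatever the export protects.
        byte[] secret = "constructed sample secret".getBytes(StandardCharsets.UTF_8);
        byte[] ct = run(OAEP_SHA384, Cipher.ENCRYPT_MODE, exportKey.getPublic(), secret);

        System.out.println("same key, same asymCipher:    " + canDecrypt(OAEP_SHA384, exportKey, ct, secret));
        System.out.println("same key, changed asymCipher: " + canDecrypt(OAEP_SHA512, exportKey, ct, secret));
        System.out.println("changed key, same asymCipher: " + canDecrypt(OAEP_SHA384, replacedKey, ct, secret));
    }
}
```

Only the first combination decrypts; keep the original key and asymCipher value available for as long as encrypted exports made with them may need to be imported.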

ConfigZipSigner

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for production use, depending on the use-case.

Dev and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker container).

...