Comment: This article is new for Smart ID Identity Manager 24.R1.

Remember to update the release version number before publishing externally.

Info

This article includes updates for Smart ID Identity Manager 24.R1.

...

Info

Descriptor included in default configuration.

Correct bootstrapping is required for production use.

Only dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Encryption and decryption of fields in the Identity Manager database

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for production use, depending on the use case.

Dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Encryption of the configuration files

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for production use, depending on the use case.

Dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Signing and validation of the configuration files

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for production use, depending on the use case.

Dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Signing and verification of the object history

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for production use, depending on the use case.

Dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Send signed e-mails from IDM

...

Info

Descriptor included in default configuration.

Bootstrapping is required for technical reasons, but with relaxed security requirements compared to other use cases.

Use case

Generate a dummy certificate for transient key pairs generated on a target device when provisioning Smart ID Mobile/Desktop App profiles (the certificates themselves are merely used as a transport container for the key-usage parameter)

...

Info

Descriptor included in default configuration.

Correct bootstrapping is required for production use.

Only dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Authentication of Smart ID Self-Service users to the Identity Manager ba

...

Info

Descriptor included in default configuration.

Correct bootstrapping may be required for production use, depending on the use case.

Dev and test systems may use placeholders (for example, created with the bootstrap.zip package or the corresponding Docker container).

Use case

Signing content for Visual ID provisioning to Smart ID Mobile App

...

Certificate requirements

  • Must not be self-signed!

  • Key usage is not checked (recommended for informational purposes: set digitalSignature)

  • The issuing CA certificate must be trusted by the app onto which Visual IDs are provisioned

  • Validity: at your discretion (make sure to renew before the expiry date!); validity is checked on the SDK side

  • Versioning is not needed (always uses the default, that is, highest, version)
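
A pre-deployment check for the certificate requirements listed above, as an added example that is not part of the original article or the product. It assumes OpenSSL is installed; the function name, the file arguments and the 30-day renewal threshold are hypothetical, and "trusted by the app" is approximated by verifying against the CA file you intend to distribute.

```shell
#!/bin/sh
# Added example: check a signing certificate against the listed requirements.
# check_signing_cert CERT_PEM CA_PEM [MIN_DAYS]   (hypothetical helper)
# Prints one line per finding; returns 0 only if no hard requirement fails.
check_signing_cert() {
    cert=$1; ca=$2; min_days=${3:-30}; rc=0

    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')

    # Requirement: must not be self-signed
    # (subject equal to issuer is treated as self-signed here).
    if [ "$subject" = "$issuer" ]; then
        echo "FAIL: certificate is self-signed ($subject)"; rc=1
    fi

    # Requirement: issuing CA must be trusted by the app. Here we only confirm
    # that the certificate chains to the CA file that will be distributed.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $ca"; rc=1
    fi

    # Validity: fail if already expired, warn if renewal is due within min_days.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; rc=1
    elif ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "WARN: certificate expires within $min_days days"
    fi

    # Key usage is not checked by the product; digitalSignature is only recommended.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'Digital Signature'; then
        echo "INFO: keyUsage digitalSignature not set (recommended, not required)"
    fi
    return $rc
}
```
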

Misc Attestation Key Descriptors (att_…)

...

  • att_external-attestation-1 (mobile only)

  • att_external-attestation-2 (mobile only)

  • att_external-attestation-3 (mobile only)

  • att_external-attestation-4 (mobile only)

  • att_ATTESTATION (mobile+desktop, default)

Use case

  • Verify Certificate Signing Requests (CSRs) from Smart ID Mobile/Smart ID Desktop App.

  • Optionally limit profile provisioning with Smart ID Mobile/Smart ID Desktop App to certain devices, for example company devices. This can be done by using Mobile/Desktop apps with custom private keys and configuring the corresponding public keys into Identity Manager (by default, Identity Manager includes certificates for the built-in keys of any Mobile and Desktop App installation).

...

  • Default certificates do not need to be changed, unless you want to limit profile provisioning to certain devices

  • No private keys are configured for Identity Manager, only the public keys, each inside a certificate

...

Info

Descriptor not present by default, can be ignored unless the Idopte middleware is used for PKI card production.

Use case

Initial handshake with Idopte client-side middleware, see Encoding using

...

  • Idopte webapp cert, issued by Idopte based on CSR for a customer-generated keypair

  • One customer-specific SAN URI (does not have to point to an existing website), for example https://idopte.customer.com (using hosts like localhost or 127.x.y.z is discouraged, as it severely restricts the maximum validity period of the certificate Idopte can issue)

  • Validity: defined by the Idopte CA

...

Info

Descriptor not present by default, can be ignored unless the Idopte middleware is used for PKI card production.

Use case

Authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)

...

Can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its Docker counterpart)

Use case

Decrypting PIN blobs from pre-personalized cards to, for example, print PIN letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager, section "Read encrypted PINs")

...