Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
This article describes the concept of chained signature for object history in Smart ID Identity Manager.
Chained signature means that each entry of In the object history, all changes on each object (employees, cards, certificates, requests etc.) are tracked. This can, for example, start process, change data, end process, ...) be that data is changed, status (like deactivate card) is changed, or if a process is executed (start Smart ID Mobile App provisioning) etc. This history is signed, so that it is recognized if someone modifies the records in the database. Chained signature means that each entry of the object history is signed. The signature is based on the signature of the previous entry, so it is not possible to add, remove or change an entry without breaking the chain. Thus every manipulation of the object history can be detected as long as the head of the chain is protected. The chained signature spans over all history entries, regardless of tenant.
Prerequisites
Expand | ||
---|---|---|
| ||
The certificates used for signing and verification need to be valid for digital signatures. Otherwise Identity Manager will fail on writing to the database. |
Configure chained signature
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
The keys and certificates used for signing and verification are configured in the encrypt and sign engine's configuration, typically found under engineSignEncryptConfig.xml.
|
Verify chained signature
Verification consists of traversing over all entries of the object history, regardless of tenant, and verifying its signature.
Expand | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
A scheduled job regularly checks the signature chain of the object history. If an error is found, it will send an email to configurable recipients. As the object history signature spans over all history entries, regardless of the tenant, the verification on a multi tenant system should be done by a dedicated user that belongs to no tenant (that is, it has a null tenantId), but who performs this task for the whole system. Use the Identity Manager Tenant application to create such a user:
|
Expand | |||||
---|---|---|---|---|---|
| |||||
To allow deletion of older entries, the verification of object history can be limited to a window of the most recent N months, with N being >= 12. Smaller values will be overridden by 12. If no interval is specified, the entire history is validated (default).
Note that if a verification window is set, the following applies:
|
Expand | ||
---|---|---|
| ||
The periodically running The following applies:
|
Clustering
Expand | ||
---|---|---|
| ||
In a clustered environment there is a separate chain per cluster node. With the default configuration, the chain's name is derived from the cluster node, that is, the If there is a special cluster configuration, or if a cluster is not based on a unique |
Multitenancy
Expand | ||
---|---|---|
| ||
Each history entry corresponds to an action that was performed on a core object in Identity Manager. Thus it belongs to a single tenant. The chained signature of the history on the other hand is global: there's exactly one chain for each cluster node, that spans over all history entries, regardless of the tenant. The signature ensures that no history entry of a Identity Manager cluster node has been manipulated. For this reason it is recommended that the signature verification is performed by an administrator that is not bound to a tenant, that is, with an tenantId of null. The scheduled task that performs history verification should, in case of an error, be configured to send an email to a global user that administers Identity Manager for all tenants. It is still possible to verify the signatures with a user belonging to a tenant, but this should only be done on single tenant systems. |