Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
This article describes the concept of chained signature for object history in Smart ID Identity Manager.
To allow deletion of older entries, the deletion of object history can be limited to a window of the previous N months, with N being >= 12. Smaller values will be overridden by 12.
In the object history, all changes on each object (employees, cards, certificates, requests etc.) are tracked. This can, for example, be that data is changed, status (like deactivate card) is changed, or if a process is executed (start Smart ID Mobile App provisioning) etc. This history is signed, so that it is recognized if someone modifies the records in the database. Chained signature means that each entry of the object history is signed. The signature is based on the signature of the previous entry, so it is not possible to add, remove or change an entry without breaking the chain. Thus every manipulation of the object history can be detected as long as the head of the chain is protected. The chained signature spans over all history entries, regardless of tenant.
Prerequisites
Expand | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Step-by-step instruction
Configure chained signature
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
The keys and certificates used for signing and verification are configured in the encrypt and sign engine's configuration, typically found under engineSignEncryptConfig.xml.
|
Verify chained signature
Verification consists of traversing over all entries of the object history, regardless of tenant, and verifying its signature.
Expand | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
A scheduled job regularly checks the signature chain of the object history. If an error is found, it will send an email to configurable recipients. As the object history signature spans over all history entries, regardless of the tenant, the verification on a multi tenant system should be done by a dedicated user that belongs to no tenant (that is, it has a null tenantId), but who performs this task for the whole system. Use the Identity Manager Tenant application to create such a user:
|
Delete old history entries
The periodically running HistoryCleaningJob
deletes history entries that are no longer needed for verification in the current verification window, as defined by the configured cut-off (see below).
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
A scheduled job regularly cleans the signature chain of the object history. As the object history signature spans over all history entries, regardless of the tenant, the cleaning on a multi tenant system should be done by a dedicated user that belongs to no tenant (that is, it has a null tenantId), but who performs this task for the whole system. Use the Identity Manager Tenant application to create such a user:
|
Expand | |||||||||
---|---|---|---|---|---|---|---|---|---|
| |||||||||
To be able to delete history entries when deleting a core object, you need to must add the
|
Define cut-off for verification/cleanup window
Expand | |||||||
---|---|---|---|---|---|---|---|
| |||||||
By default the verification windows spans the entire history. You can limit it to the last N >= 12 months. This will enable deletion of older entries outside the verification window. Smaller values will be overridden by 12. This will enable cleanup of older entries outside the verification window to reduce the amount of stored data.
If no cut-off is specified, the entire history is validated (default), and cleanup has no effect.
Note that if a verification window is set, the following applies:
|
Clustering
Expand | ||
---|---|---|
| ||
In a clustered environment there is a separate chain per cluster node. With the default configuration, the chain's name is derived from the cluster node, that is, the If there is a special cluster configuration, or if a cluster is not based on a unique |
Multitenancy
Expand | ||
---|---|---|
| ||
Each history entry corresponds to an action that was performed on a core object in Identity Manager. Thus it belongs to a single tenant. The chained signature of the history on the other hand is global: there's exactly one chain for each cluster node, that spans over all history entries, regardless of the tenant. The signature ensures that no history entry of a Identity Manager cluster node has been manipulated. For this reason it is recommended that the signature verification is performed by an administrator that is not bound to a tenant, that is, with an tenantId of null. The scheduled task that performs history verification should, in case of an error, be configured to send an email to a global user that administers Identity Manager for all tenants. It is still possible to verify the signatures with a user belonging to a tenant, but this should only be done on single tenant systems. |
This article includes updates for Smart ID 22.10.