This article is valid for Smart ID 20.06.1 and later.

...

  • You started using a production Identity Manager installation while still using the supplied, insecure example keys. Those must be replaced by your own keys, and any existing secret fields must be re-keyed with those keys.
  • You started using an Identity Manager installation based on soft-tokens for encrypting secret fields, and you want to improve security by switching to keys generated by a Hardware Security Module (HSM). Any existing secret fields must be re-keyed with the new keys.
  • The keys for secret field encryption have been compromised and existing secrets need to be re-keyed with new keys.
  • You want to change the keys for encryption of secret fields for any other reason and have existing secret fields in the database.

...

Prerequisites

This is a summary of what must be in place before the migration starts.

  • A Windows host.
  • The same Java version as for the corresponding Identity Manager release is installed and its java.exe is in your PATH. See Identity Manager requirements IDM 23.10.3 - Requirements and interoperability.
  • Java has the Unlimited Strength Jurisdiction Policy Files installed. On Java 8u161 and later and on Java 9 and later the unlimited crypto policy is the default; only older releases need the policy files installed separately.
  • The new keypair has been generated.
  • For every tenant on the system, you have access to:
    • tenant ID
    • administrative username + password

...

Shutdown and backup

Before you start the migration:

  1. Stop the Identity Manager applications: shut down Tomcat, or for docker stop the respective containers by running docker compose down from within docker/compose/identitymanager/<webappname>/ for each webapp.
  2. Create a backup of the respective databases and confirm that it can be restored before continuing: the migration re-keys the existing secret fields in place, so the backup is your only way back if it fails halfway.

...

Set up Identity Manager to use the new keypair
  1. Open the sign/encrypt configuration for editing:
     For docker: docker/compose/identitymanager/config/signencrypt.xml.
     For WAR file deployment: WEB-INF/classes/engineSignEncrypt.xml in each of Identity Manager Operator, Identity Manager Admin and Identity Manager Tenant.
  2. Change the attributes of the EncryptedFields descriptor and its referenced key to the values needed for the new keypair, that is, the same values you set for the NewEncryptedFields descriptor in the migration application. The descriptor's name must still be EncryptedFields for Identity Manager; NewEncryptedFields is only used by the migration application. For WAR file deployment, make identical changes in all three webapps.
  3. Start Identity Manager:
     For docker: run docker compose up from within docker/compose/identitymanager/<webappname>/ for all Identity Manager applications (Admin, Operator and Tenant) to recreate the docker containers.
     For WAR file deployment: start Identity Manager (Tomcat).
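A mistake in step 2 (leaving the descriptor named NewEncryptedFields, or updating the key reference in only two of the three webapps) is only discovered when Identity Manager fails to decrypt secret fields after start. The following check, an added example that is not part of the Smart ID documentation or product, can be run against the edited files before step 3. It does not reproduce the real engineSignEncrypt.xml or signencrypt.xml schema; it relies only on the rule stated above (the descriptor Identity Manager reads is called EncryptedFields, NewEncryptedFields belongs to the migration application) and treats any element that carries one of those values in an attribute as the descriptor. The element and attribute names in the embedded sample XML are constructed for the example.

```python
"""Pre-start sanity check for the edited sign/encrypt configuration.

Added example, not part of the Smart ID documentation or product. The real
configuration schema is not reproduced here; only the naming rule from the
procedure is checked, plus consistency between the three webapps' copies.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

DESCRIPTOR_NAME = "EncryptedFields"      # the name Identity Manager reads
MIGRATION_NAME = "NewEncryptedFields"    # only valid in the migration application


def find_descriptors(xml_text, name):
    """Return every element that has an attribute whose value equals `name`."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if name in el.attrib.values()]


def descriptor_signature(el):
    """Canonical, attribute-order-independent form of an element and its
    subtree, so the Operator, Admin and Tenant copies can be compared."""
    return tuple(
        (node.tag, tuple(sorted(node.attrib.items())), (node.text or "").strip())
        for node in el.iter()
    )


def check_config(xml_text):
    """Check one configuration file. Returns a list of problems; [] means OK."""
    try:
        leftovers = find_descriptors(xml_text, MIGRATION_NAME)
        descriptors = find_descriptors(xml_text, DESCRIPTOR_NAME)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if leftovers:
        problems.append("%s is the migration application's name; Identity Manager "
                        "needs %s" % (MIGRATION_NAME, DESCRIPTOR_NAME))
    if len(descriptors) != 1:
        problems.append("expected exactly one %s descriptor, found %d"
                        % (DESCRIPTOR_NAME, len(descriptors)))
    return problems


def check_all(configs):
    """configs maps a webapp name (Operator/Admin/Tenant) to its XML text.
    Returns {webapp: [problems]}; a 'consistency' entry is added when the
    descriptor differs between webapps, since all must use the same keypair."""
    report = {app: check_config(text) for app, text in configs.items()}
    signatures = {
        app: descriptor_signature(find_descriptors(text, DESCRIPTOR_NAME)[0])
        for app, text in configs.items() if not report[app]
    }
    if len(set(signatures.values())) > 1:
        report["consistency"] = ["%s descriptor differs between %s"
                                 % (DESCRIPTOR_NAME, ", ".join(sorted(signatures)))]
    return report


def main(args):
    """Usage: python check_signencrypt.py Operator=<path> Admin=<path> Tenant=<path>"""
    configs = {}
    for arg in args:
        app, _, path = arg.partition("=")
        configs[app] = Path(path).read_text(encoding="utf-8")
    report = check_all(configs)
    for app, problems in report.items():
        for problem in problems:
            print("%s: %s" % (app, problem))
    return 0 if not any(report.values()) else 1


# Constructed sample files; the schema is invented for this example, not the product's.
GOOD = """<signEncrypt>
  <descriptor name="EncryptedFields" keyRef="fieldKey-hsm"/>
  <key id="fieldKey-hsm" provider="PKCS11"/>
</signEncrypt>"""
LEFTOVER = GOOD.replace('name="EncryptedFields"', 'name="NewEncryptedFields"')
OLD_KEY = GOOD.replace("fieldKey-hsm", "example-key")   # one webapp not updated

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the three engineSignEncrypt.xml paths (or the single signencrypt.xml for docker, given once) and only proceed to step 3 on exit code 0. A per-file problem means the descriptor is missing or still carries the migration name; a consistency problem means one webapp still points at the old key, which would leave that application unable to read secret fields written by the others.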