...
| Info |
|---|
This article is new for |
...
Identity Manager |
...
Remember to update the release version number before publishing externally.
| Info |
|---|
This article includes updates for Smart ID Identity Manager 24.R15.0.1. |
Descriptor overview
The engine’s descriptors are the following:
...
Each descriptor is described in detail in the sections below, including requirements how it shall be bootstrappedin the sections below, including requirements how it shall be bootstrapped.
Certain descriptors are used for optional features. If a certain feature (for example email signing) is not used in a given deployment, then you may configure the descriptor in question with a placeholder. Any PKCS#12 file containing a self-signed keypair will be sufficient in this case.
EncryptedFields
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping is required for productive use. Only dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
Use
...
case
Encryption and decryption of fields in the Identity Manager database
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use - case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
Use
...
case
Encryption of the configuration files
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use - case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
Use
...
case
Signing and validation of the configuration files
...
If key usage extension is critical, then digitalSignature is required
Issuing CA cert must be in IDM truststore
Must not be self-signed
Validity considerations:
if expired download is blocked unless ZIP signing is disabled
if expired config upload will fail with the message "Verification failed. The certificate has expired."
Issues if not configured as above:
export is blocked unless unless ZIP signing is disabled
verification does not work, ZIP appears unsigned
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use - case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
Use
...
case
Signing and verification of the object history
...
Placeholder allowed only if history verification is disabled (via
activitiHistoryCleanerJobTrigger.cronExpressionset to a date in the distant future. See List of Identity Manager system properties and Quartz CronTrigger tutorial for more information)Integrity of history signature would be as risk
Re-signing requires use of the batch_re-sign_history tool once the first history entry is created
If you plan on enabling it at a later date, it is recommended not to use a placeholder
Key requirements
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use - case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
Use
...
case
Send signed e-mails emails from IDM
Required
When e-mail email signing is configured
Configured in the following application
...
Placeholders allowed only if email signing is not used
Email verification will fail if not issued by a trusted S/MIME CA
Integrity of e-mails emails sent by IDM may be at risk if placeholder key is used
...
Proper S/MIME certificate with configured IDM e-mail email sender address in DN's E field and/or SAN RFC-822 entry
If subject DN email field is absent, SAN extension must be critical
Note: broken Broken support for DN.E was is fixed in IDM 245.0.0.R1
must not be self-signed
Key usage:
If present, must be critical and at least either digitalSignature or nonRepudiationValidity:
Adhering to CAB-Forum requirements from https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods
...
| Info |
|---|
Descriptor included in default configuration. Bootstrapping required for technical reasons, but with relaxed security requirements compared to other use - cases. |
Use
...
case
Generate dummy certificate for transient key-pairs generated on a target device when provisioning Smart ID Mobile/Desktop App profiles (the certificates themselves are merely used as transport container for the key-usage parameter)
...
David Banz what should we add here? This info is misssing.
Configured in the following application
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping is required for productive use. Only dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
...
Use case
...
Authentication of Smart ID Self-Service users to the Identity Manager backend
...
Configured in the following applications
Identity Manager Operatorstorage: pkcs12,
Storage
HSM (recommended)versioning: possible
pkcs12
Versioning
Possible, but unnecessary.
...
General requirements
...
- placeholder
Placeholder keys forbidden for productive use
- even
Even if Smart ID Self-Service is not deployed the related REST endpoints could face the risk of unauthenticated access
- even
Key requirements
...
...
Supported types
...
RSA 2048
RSA 3072
RSA 4096 (recommended)certificate
Certificate requirements
...
- may
Maybe self-signed
- validity
Validity is ignored
- key
Key usage is not checked (recommended for informational purposes: set digitalSignature)
- certificate
Certificate does not need to be trusted
ContentProviderJWSSigner
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use - case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding Docker docker container). |
...
Use case
...
Signing content for Visual ID provisioning to Smart ID Mobile App
...
Configured in the following applications
Identity Manager Operator (
seeSee Set up visual ID layout in Identity Manager for more information.)storage: pkcs12,
Storage
HSM (recommended)versioning: possible)
pkcs12
Versioning
Possible, but unnecessary.
...
General requirements
...
- placeholder
Placeholder allowed only if Visual ID is not used
- if
If the certificate configured here is not trusted by the end-user (mobile-) device, then Visual ID provisioning will fail
- forgery
Forgery of Visual ID possible if placeholder key is used and also trusted by the end-user device
- if
Key requirements
...
...
Supported types
...
RSA 2048
RSA 3072
RSA 4096 (recommended)certificate
Certificate requirements
...
- must
Must not be self-signed
! - key
Key usage is not checked (recommended for informational purposes: set digitalSignature)
- issuing
Issuing CA cert must be trusted by the app onto which to provision Visual IDs
- validity
Validity: at your discretion (make sure you do not forget to renew before the expiry date!), validity is checked on the SDK side
versioning Versioning not needed (always uses the default (i.e. that is, highest) version)
Misc Attestation Key Descriptors (att_…)
| Info |
|---|
Descriptors included in default configuration. Correct bootstrapping may be required for productive use, depending on the use case. Replacement of the default certificates is optional. |
...
Default descriptor names
...
att_external-attestation-1 (mobile only)
att_external-attestation-2 (mobile only)
att_external-attestation-3 (mobile only)
att_external-attestation-4 (mobile only)
att_ATTESTATION (mobile+desktop, default)use-
Use case
...
- verify
Verify Certification Signing Requests (CSR) from Smart ID Mobile/Smart ID Desktop App.
- optionally
Optionally limit profile provisioning with Smart ID Mobile/Smart ID Desktop App to certain devices,
e.g.for example company devices. This can be done by using Mobile/Desktop apps with custom private keys and configuring the corresponding public keys
into IDMin Identity Manager (by default
IDMIdentity Manager includes certificates for the built-in keys of any Mobile and Desktop App installation)configured
Configured in
...
the following applications
...
Identity Manager Operator
Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)
versioning: supported
storage: pkcs12,
Storage
HSM (recommended)
general requirements:
defaultpkcs12
Versioning
Supported
General requirements
Default certificates do not need to be changed, unless you want to limit profile provisioning to certain devices
- no
No private keys is configured for
IDMIdentity Manager, only each public key inside a certificatekey
Key requirements
...
...
Supported types
...
RSA 2048
RSA 3072
RSA 4096 (recommended)certificate
Certificate requirements
...
- when
When replacing, generated via tooling shown here:
https://doc.nexusgroup.com/pub/configure-custom-attestation-keys verification Verification only uses the key, no part of the certificate is considered
- key
Key usage is not checked (recommended for informational purposes: set digitalSignature)
- validity
Validity is ignored
idopteAuthentication
| Info |
|---|
Descriptor not present by default, can be ignored unless the Idopte middleware is used for PKI card production. |
...
Use case
Initial handshake with Idopte client-side middleware, see Encoding using Idopte middleware in Identity Manager
...
Configured in
...
the following application
...
Identity Manager Operatorstorage:
Storage
pkcs12
Versioning
...
Not supported (always uses the default (
...
that is, highest) version
...
Supported algorithm
...
values
NONEwithRSAgeneral
General requirements
...
- descriptor
Descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectlykey
Key requirements
...
...
Supported types
RSA 2048certificate
Certificate requirements
...
Idopte webapp cert, issued by Idopte based on CSR for a customer-generated keypair
- one
One customer-specific SAN URI (does not have to point to an existing website),
e.g.for example https://idopte.customer.com (using hosts like localhost or 127.x.y.z is discouraged, as it severely restricts the maximum validity period of the certificate Idopte can issue)
- validity
Validity: defined by the Idopte CA
insideClientAuth
| Info |
|---|
Descriptor not present by default, can be ignored skipped unless the Idopte middleware is used for PKI card production. |
...
Use case
Authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)
...
configured in this application:
Identity Manager Operator
general requirements:
...
Configured in the following applications
Identity Manager Operator
Storage
pkcs12
Versioning
Not needed
General requirements
Descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair is required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly
algorithm Algorithm attribute not used
(we We only use certificate and private key from the descriptor)
versioning: not needed
storage: pkcs12
key requirements:
supported types:Key requirements
Supported types
RSA 2048
RSA 3072
RSA 4096 (recommended)certificate
Certificate requirements
...
- validity
Validity DOES matter, connection to Inside server will fail when expired
- recommend
Recommend to use a CA, unclear if self-signed certificates work
- must
Must be trusted by Inside server
- key
Key usage: digitalSignature
Pin-Blob Decryption Descriptors
| Info |
|---|
Descriptors not present by default, can be ignored skipped unless pin-blobs from pre-personalized cards (using Personal Desktop Client/KGS) have to be decrypted. |
...
Descriptor names
...
Can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its
...
docker counterpart)
...
Use case
Decrypting pin-blobs from pre-personalized cards to
...
for example print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")
...
Configured in the following applications
Identity Manager Operator
supported algorithm value: RSA
storage: pkcs12, HSM (recommended)
versioning: not needed
general requirements:
byStorage
pkcs12
Versioning
Not needed
Supported algorithm values
RSA
General requirements
By default the property is empty, hence no descriptors are needed, unless the feature is requiredkey
Key requirements
...
...
Supported types
...
RSA 2048certificate
Certificate requirements
...
- issued
Issued by Nexus Certificate Manager
- validity
Validity ignored by IDM
- does
Does not need to be trusted by IDM
- key
Key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)
Additional information
For more information, see Encrypt configuration files in Identity Manager.
...