Comment: This article is new for Smart ID Identity Manager 24.R1.
Remember to update the release version number before publishing externally.
| Info |
|---|
This article is new for Smart ID Identity Manager 245.0.R11. |
Descriptor overview
The engine’s descriptors are the following:
...
Certain descriptors are used for optional features. If a certain feature (e.g. E-mail for example email signing) is not used in a given deployment, then you may configure the descriptor in question with a placeholder. Any PKCS#12 file containing a self-signed keypair will be sufficient in this case.
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding docker container). |
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding docker container). |
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding docker container). |
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding docker container). |
Use case
Send signed e-mails emails from IDM
Required
When e-mail email signing is configured
Configured in the following application
...
Placeholders allowed only if email signing is not used
Email verification will fail if not issued by a trusted S/MIME CA
Integrity of e-mails emails sent by IDM may be at risk if placeholder key is used
...
Proper S/MIME certificate with configured IDM e-mail email sender address in DN's E field and/or SAN RFC-822 entry
If subject DN email field is absent, SAN extension must be critical
Note: broken Broken support for DN.E was is fixed in IDM 245.0.0.R1
must not be self-signed
Key usage:
If present, must be critical and at least either digitalSignature or nonRepudiationValidity:
Adhering to CAB-Forum requirements from https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping is required for productive use. Only dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding docker container). |
...
| Info |
|---|
Descriptor included in default configuration. Correct bootstrapping may be required for productive use, depending on the use case. Dev- and test systems may use placeholders (for example created with bootstrap.zip package or the corresponding docker container). |
...
Identity Manager Operator (See Set up visual ID layout in Identity Manager for more information.)
Storage
...
| Info |
|---|
Descriptor not present by default, can be ignored skipped unless the Idopte middleware is used for PKI card production. |
Use case
Authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)
Configured in the following applications
...
| Info |
|---|
Descriptors not present by default, can be ignored skipped unless pin-blobs from pre-personalized cards (using Personal Desktop Client/KGS) have to be decrypted. |
Descriptor names
Can be any descriptor listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its docker counterpart)
...
Decrypting pin-blobs from pre-personalized cards to for example print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")
...