Versions Compared

Old Version 21

changes.mady.by.user Ylva Andersson

Saved on

compared with

New Version Current

changes.mady.by.user Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated regarding Linux.

Comment: IDM 5.0.0: Updates throughout the entire article.

Info

This article includes updates for Identity Manager 5.0.01.

This article describes how to change the secret fields encryption keypair in Smart ID Identity Manager. In addition to changing the keypair and adjusting the secret engine configuration, you must use an application provided by Nexus to update the already existing secrets in the database with the new keys, otherwise Identity Manager cannot decrypt them. The application is referenced as Secret Fields Key Updater in this article.

Example use cases

Some of the use cases where you might need to change the fields encryption keypair are:

  • You started using a production Identity Manager installation while still using the supplied, insecure example keys. Those must be replaced by your own keys and any existing secret fields must be re-keyed with those keys.

  • You started using an Identity Manager installation based on soft-tokens for encrypting secret fields, and you want to improve security by switching to keys generated by a Hardware Security Module (HSM). Any existing keys must be re-keyed with the new keys.

  • The keys for secret field encryption have been compromised and existing secrets need to be re-keyed with new keys.

  • You want to change the keys for encryption of secret fields for any other reason and have existing secret fields in the database.

...

  • You must have access to a Windows host.The same host with a Java version as that is supported for the corresponding Identity Manager release is installed and its java.exe . Its java executable must be in your PATH. For more information, see Identity Manager requirements and interoperability.

  • Java has the Unlimited Strength Jurisdiction Policy enabled (default since Java 8u151).

  • The new keypair has been generated.

  • For every tenant on the system have access to:

    • tenant ID

    • administrative username and password

...

  1. Open the file config/encryption-config.xml.

  2. Update the EncryptedFields and NewEncryptedFields field descriptors and their referenced keys as described below. For more information on this file, see 24.R1: Sign and encrypt engine in Identity Manager.

    • EncryptedFields is the old, to be replaced, descriptor. Adapt its values to match the ones that are currently set up in Identity Manager. In this example, EncryptedFields references oldEncCert as its key. Change the referenced key to match the one that is currently referenced in Identity Manager.

    • NewEncryptedFields is the new descriptor, holding the information of the replacement key. Change its values accordingly.
      In this example, NewEncryptedFields references newEncCert as its key. Change the referenced key to match the key that will replace the old one in Identity Manager.

...

Attribute

Description

username

Name of the administrator of the respective tenant. This user will be used to perform the update.

password

The administrator's password.

tenantId

The Tenant ID.

Execute migration for a tenant

  1. Double-check that all preparation steps were executed, especially a database update of the state before migrating the first tenant.

  2. Start the Secret Fields Key Updater by executing :

    1. on Windows, execute the batch file start_migration.bat

    on Windows.

    2. on Linux, make the .sh file executable with chmod +x start_migration.sh and then execute it with ./start_migration.sh

If the application is interrupted or fails, you can restart it at a later time. It will restart from the beginning and not from where it stopped the previous time.

...