Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor
Info

This article includes updates is new for Smart ID Identity Manager 24.R1 or later5.0.1.

This article provides guidance and troubleshooting tips for addressing common error scenarios related to the sign and encrypt engine and how to solve them.

...

This means that one or more demo keys, keys that are considered compromised and unfit for productive use, are still blacklisted keys (such as publicly known demo keys) are in use. Each message indicates the offending descriptor and version from the config configuration XML.

For information about how to replace the keys, see Bootstrapping the sign and encrypt engine.

Note
  • Replacing the EncryptedFields descriptor's key requires re-encryption of existing secrets via thebatch_secretfieldstore_change_encryption_key tool. For more information, see Change encryption key of secret field store.

  • Replacing the ObjectHistorySigner descriptor's key requires re-signing existing history entries via the batch_re-sign_history tool.

  • Replacing the ConfigZipSigner descriptor's key means any previously exported encrypted config ZIP files cannot be decrypted anymore, versioning to enable decryption with historical keys is not supported.

...

Startup of Identity Manager might fail with an exception message like this in the log:.

Example

Code Block
Aborting deployment! 
Unable to verify the last Object History entry of the chain [PRIME1]. 
There appears to be an error in the engineSignEncrypt configuration of the descriptor [ObjectHistorySigner (version: 2)]. 
The referenced key is probably wrong. Another possible explanation for this error is that the ObjectHistory entry was manipulated. 
Offending entry id: [4711]. Please check the engineSignEncrypt config xml and the referenced keys! 
If the configured key is correct, the entry might be corrupted. 
This can be worked around by starting a new chain.

Potential causes:

  1. The key configured for the ObjectHistorySigner descriptor in the current version (version 2 in the example error message above) is wrong, the wrong P12 file might been configured.

  2. The object history got corrupted by accident or deliberate manipulation, forensic analysis may be advisable.

A quick workaround to get restart the application to start again is to switch to a new chain name for idm-operator:

...

Tomcat deployment: Set chain name in system.properties

Code Block
... etc. ...
commonHistoryService.chainName=NEW_CHAIN_NAME_GOES_HERE
... etc. ...

Docker-deployment: Set chain name in docker-compose.yml

Code Block
languageyaml
... etc. ...
    environment:
... etc. ...
      - 'SYSTEM_PROPERTIES={
          "commonHistoryService.chainName": "NEW_CHAIN_NAME_GOES_HERE",
... etc. ...

...

This means that the configuration XML for the sign and encrypt engine references a file that does not exist at the given location. All files referenced via the location classpath: usually need to be inside the WEB-INF\classes\ folder of the web application. In Identity Manager versions before 24.R1, that folder did contain all demo keys, which were since removed. Furthermore, the engineSignEncryptConfig.xml shipped in WAR files of 24.R1 and above references additional P12 files not used or not bootstrapped previously. By default, a dedicated P12 file per descriptor is used instead of sharing files between descriptors.

For docker deployment the files have to be placed into the docker/compose/certs folder, which is mounted into /certs inside the container. These files need to be referenced as shown below (replace example.p12 with the proper filename):

Code Block
file:/certs/example.p12

For more information, see Bootstrapping the sign and encrypt engine to bootstrap any missing keys/certificates.

...