...
...
...
...
...
Info: This article includes updates for Smart ID Identity Manager 245.0.R11.
Keys and certificates for the sign and encrypt engine can be stored in a Hardware Security Module (HSM) for several use cases. This is more secure than PKCS#12 keystores, which are ordinary files on the server's file system protected only by a password (the PIN): anyone who can read such a file can copy it and attack the password offline to extract the private key, whereas a private key generated in an HSM is non-exportable and all signing and decryption operations are performed inside the device.
...
For more information, see Configure Tomcat below.
Prerequisites
Installed Smart ID 24.R1 IDM 5.0.0 or later
Installed and running HSM with PKCS#11 library available on the Identity Manager server
...
Perform the Identity Manager HSM configuration in the file engineSignEncryptConfig.xml in the WEB-INF/classes folder for each of the relevant Identity Manager clients. For a Docker deployment, edit the file docker/compose/identitymanager/config/signencrypt.xml instead.
...
Configuration attribute | Value | Comments |
---|---|---|
| RSA/ECB/OAEPWithSHA-384AndMGF1Padding | Must be declared so that the iD2 provider accepts it: |
| HSM | Must be "HSM" for keys stored in the HSM. |
| The user PIN of the HSM. | For Docker deployments it is required to scramble the PINs before starting the Identity Manager Admin and Identity Manager Operator containers (stop them by invoking |
| The alias of the respective key. | In the HSM, the key pair and the certificate must be stored under the same label/alias. |
| Optional if your keys are stored in HSM slot 0. | The first slot is not guaranteed to be 0. Slot numbering depends on the HSM and its PKCS#11 library, so check the slot ID before relying on the default. |
See Sign and encrypt engine in Identity Manager for the other use cases that can be configured.
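A pre-flight check for the prerequisites in the table above, added here as an example and not part of the Smart ID documentation or product. It uses the JDK's own SunPKCS11 provider (JDK 9 or later, whose `Provider.configure` API it relies on) rather than Nexus' iD2 provider to open the token with the PKCS#11 library, slot and user PIN you intend to enter in engineSignEncryptConfig.xml, confirms that the alias resolves to a private key paired with a certificate, round-trips a signature on the HSM, and reports whether the provider offers RSA/ECB/OAEPWithSHA-384AndMGF1Padding. The class name HsmPreflight, its command-line arguments and the paths in the usage note are assumptions made for this example.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.crypto.Cipher;

/**
 * Added example (not Nexus code): checks an HSM slot, PIN and key alias with the
 * JDK's SunPKCS11 provider before they are written into engineSignEncryptConfig.xml.
 * Usage: java HsmPreflight <pkcs11-library> <slot-id or "-"> <alias> <user-pin>
 */
public class HsmPreflight {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: HsmPreflight <pkcs11-library> <slot-id|-> <alias> <user-pin>");
            System.exit(2);
        }
        String library = args[0];
        String slot = args[1];
        String alias = args[2];
        char[] pin = args[3].toCharArray();

        // SunPKCS11 reads its settings from a small config file. "slot" is the slot ID
        // as reported by the PKCS#11 library; because the first slot is not guaranteed
        // to be 0, "-" selects the first slot by position (slotListIndex) instead.
        StringBuilder cfg = new StringBuilder()
            .append("name = PreflightHsm\n")
            .append("library = ").append(library).append('\n');
        if ("-".equals(slot)) {
            cfg.append("slotListIndex = 0\n");
        } else {
            cfg.append("slot = ").append(slot).append('\n');
        }
        File cfgFile = File.createTempFile("pkcs11-", ".cfg");
        cfgFile.deleteOnExit();
        Files.write(cfgFile.toPath(), cfg.toString().getBytes(StandardCharsets.UTF_8));

        Provider p11 = Security.getProvider("SunPKCS11").configure(cfgFile.getAbsolutePath());
        Security.addProvider(p11);
        System.out.println("provider: " + p11.getName() + " (" + p11.getInfo() + ")");

        // KeyStore.load performs the C_Login with the user PIN; a wrong PIN fails here.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        System.out.println("aliases on token: " + Collections.list(ks.aliases()));

        // The engine needs the private key and the certificate under one label. SunPKCS11
        // reports a key entry only when it can pair a private key with a certificate for
        // the alias, so a missing entry usually means the objects are labelled differently.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias
                + "' does not resolve to a private key paired with a certificate");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("subject: " + cert.getSubjectX500Principal()
            + ", key algorithm: " + key.getAlgorithm());
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            System.out.println("WARNING: certificate is not currently valid: " + e.getMessage());
        }

        // Sign on the HSM, then verify with the certificate's public key using the default
        // providers; this proves the token key and the stored certificate belong together.
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] sample = "preflight".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(sigAlg, p11);
        signer.initSign(key);
        signer.update(sample);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(sample);
        System.out.println("signature verifies with token certificate: " + verifier.verify(sig));

        // The OAEP transformation the engine uses. Whether SunPKCS11 offers it depends on the
        // HSM's mechanism list and the JDK version, so report the result instead of crashing.
        try {
            Cipher.getInstance("RSA/ECB/OAEPWithSHA-384AndMGF1Padding", p11);
            System.out.println("RSA/ECB/OAEPWithSHA-384AndMGF1Padding available from " + p11.getName());
        } catch (GeneralSecurityException e) {
            System.out.println("RSA/ECB/OAEPWithSHA-384AndMGF1Padding NOT offered by "
                + p11.getName() + ": " + e.getMessage());
        }
    }
}
```

Run it as `java HsmPreflight /opt/hsm/libpkcs11.so - idmsign <pin>` to probe the first slot by position (the library path, alias and PIN are placeholders); if you need the actual slot IDs, OpenSC's `pkcs11-tool --module /opt/hsm/libpkcs11.so --list-slots` prints them. A pass shows that the library, slot, PIN, label pairing and key work; since SunPKCS11 and iD2 are different providers, the OAEP declaration for the iD2 provider from the table above is still required in the engine configuration.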
...
bcmail-*.jar
bcpgp-*.jar
bcpkix-*.jar
bcprov-*.jar (including bcprov-ext-*.jar)
Additional information