Versions Compared

Version Old Version 6 New Version Current
Changes made by

Paul Zachos

Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

This article is new for Identity Manager 5.0.1.

The sign and encrypt engine has one configuration file. On Docker docker deployments it is located in docker/compose/identitymanager/config/signencrypt.xml, on WAR deployments it is located in WEB-INF/classes/engineSignEncryptConfig.xml of IDM Identity Manager Admin and IDM Identity Manager Operator.
There are also several tools including a similar configuration file.

...

The configuration is divided into entries for descriptors and keys. Each descriptor handles one distinct use case and references uses one of the key-entries.Below is an example of the XML configuration.

Descriptors

Identity Manager references descriptors by their name: for each use case there is a known descriptor name. Most names are fixed (for example, ConfigZipEncrypter is always used for encrypting configuration files) and a few can be named arbitrarily (for example, descriptors for PIN blob decryption).

Descriptor example

Code Block
languagexml
<?xml<descriptor versionname="1.0ObjectHistorySigner" encodingversion="UTF-81"?>
<engineSignEncrypt>     <descriptors>
        <descriptor name="EncryptedFields" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encCert" 
                  asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipEncrypter" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" key="configZipEncrypterCert"
                  asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipSigner" version="1">
            <type algorithm="SHA-256" key="configZipSignerCert" />
        </descriptor>
        <descriptor name="ObjectHistorySigner" version="1">
            <type algorithm="SHA-256" key="objectHistorySignerCert" />
        </descriptor>
        <descriptor name="SignEmailDescriptor" version="1">
            <type algorithm="SHA256withRSA" key="emailSigningCert" />
        </descriptor>
        <descriptor name="hermodDeviceEnc" version="1">
            <type algorithm="SHA256withRSA" key="serverCert" />
        </descriptor>
        <descriptor name="SelfServiceJWTSigner" version="1">
            <type algorithm="RSA" key="selfServiceJWTSignerCert" />
        </descriptor>
        <descriptor name="ContentProviderJWSSigner" version="1<type algorithm="SHA-256" key="objectHistorySignerCert" />
</descriptor>

See the following tables for more information on the different possible attributes of a descriptor/-type.

descriptor element attribute

Description

name

Used by Identity Manager to refer to this descriptor. There might be different descriptors with the same name but with different versions.

version

A numeric value that denotes the descriptor's version. This is only needed for the ObjectHistorySigner.

A new version of a descriptor is needed, for example, when an old key needs to be replaced.

The descriptor with the highest version number is used. Verification of Object History entries will automatically select the right descriptor version.

Attribute of the type element inside descriptor

Description

algorithm

For EncryptedFields/ConfigZipEncrypter: symmetric algorithm to be used, usually AES/CBC/PKCS7Padding.

For SelfServiceJWTSigner/ContentProviderJWSSigner: always RSA.

For ConfigZipSigner/ObjectHistorySigner: hashing algorithm to be used (for example, SHA-256).

For SignEmailDescriptor/hermodDeviceEnc/att_* and pin-blob decryption descriptors: signature algorithm to be used (for example, SHA256withRSA).

For idopteAuthentication: always NoneWithRSA.

size

For EncryptedFields/ConfigZipEncrypter only.

Size of the symmetric key, either 128or 256 (recommended).

result

For EncryptedFields only.
Output format, currently always NX02.

key

The descriptor’s key. Refers to a key defined in the same document.

asymCipher

For EncryptedFields/ConfigZipEncrypter only.

Cipher definition, for example, RSA/None/OAEPWithSHA384AndMGF1Padding.

When used with an HSM, you need to adjust the cipher format to be compatible with the JCE provider used for HSM access. For example, instead of the above cipher definition, specify RSA/ECB/OAEPWithSHA-384AndMGF1Padding (ECBinstead of Noneand SHA-384 instead of SHA384).

initVector

Only needed for migrating EncryptedFields from SmartAct or ProAct: a fixed Initialization Vector (IV).

For other descriptors, omit this attribute in order to use randomly generated IVs.

Descriptor versioning

The ObjectHistorySigner supports multiple versions. You can replace its key by adding a descriptor with the same name and a newer version, and leaving the existing descriptor with the old version configured. This will cause any new signatures to be created with the new key, but you can still verify signatures made with the old one.

Expand
titleExample
Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
    <descriptors>
        <descriptor name="ObjectHistorySigner" version="2">
            <type algorithm="
RSA
SHA-256" key="
contentProviderJWSSignerCert
newKey" />
        </descriptor>
        <descriptor name="
att_external-attestation-1
ObjectHistorySigner" version="1">
            <type algorithm="
SHA256withRSA
SHA-256" key="
attestationKey_mobile_1
oldKey" />
        </descriptor>
<descriptor name="att_external-attestation-2" version="1"
       <!-- others descriptors -->
    </descriptors>
    
<keys>
<type
algorithm="SHA256withRSA"
key="attestationKey_mobile_2"
/>
    <key name="newKey">
</descriptor>
<descriptor
<type name=
"att_external-attestation-3" version="1"
"pkcs12" locationValue="classpath:sign_new.p12" pin="1234"/>
        </key>
<type algorithm="SHA256withRSA" key="attestationKey_mobile_3" /> 
     <key name="oldKey">
</descriptor>
     
<type
<descriptor 
name=
"att_external-attestation-4" version="1"
"pkcs12" locationValue="classpath:sign_old.p12" pin="1234"/>
<type algorithm="SHA256withRSA" key="attestationKey_mobile_4" />
</key>
        <
/descriptor>
!-- other keys -->
<descriptor name="att_ATTESTATION" version="1"> <type algorithm="SHA256withRSA" key="attestationKey_mobile_pda_def" /> </descriptor> </descriptors> <keys> <key name="encCert"> <type name="pkcs12" locationValue="classpath:hybridEncKeypair.p12" pin="1234"/> </key> <key name="configZipEncrypterCert"> <type name="pkcs12" locationValue="classpath:encryptConfig.p12" pin="1234"/> </key> <key name="configZipSignerCert"> <type name="pkcs12" locationValue="classpath:signConfig.p12" pin="1234"/> </key> <key name="objectHistorySignerCert"> <type name="pkcs12" locationValue="classpath:sign.p12" pin="1234"/> </key> <key name="selfServiceJWTSignerCert"> <type name="pkcs12" locationValue="classpath:signJWT.p12" pin="1234"/> </key> <key name="contentProviderJWSSignerCert
</keys>
</engineSignEncrypt>

There are also descriptors which cannot be versioned, for example, EncryptedFields. For those the version always must be set to 1.

Currently most descriptors either do not support versioning at all or do not benefit from defining multiple versions.

Key

Key elements are referenced by the descriptors. They describe keys found in HSMs and/or keystores. Each key should be used by only one descriptor.

Key example

Code Block
languagexml
<key name="objectHistorySignerCert">
    <type name="pkcs12" locationValue="classpath:sign.p12" pin="1234"/>
</key>

See the tables below for more information about the key/-type.

key element attribute

Description

name

Used by descriptors' key attribute to reference this key.

Attribute of the type element inside key

Description

name

Type of storage: pkcs12or HSM.

locationValue

For docker:

  • For a software keystore (pkcs12): place the keystore under docker/compose/certs before creating the container with docker compose. Then set its location as absolute path, prefixed with file: pointing to the mounted file in/certs (inside the container), for example: locationValue="file:/certs/keystore.p12".

Default attestation keys are referenced from the classpath, for example, locationValue="classpath:attKeyMobileDef.p12". Change this only if you need your own keys.

  • For an HSM: ensure the PKCS11 library is mounted into the container, then use the container’s path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11hsm"

For WAR file deployment: 

  • For a software keystore: place the keystore under WEB-INF/classes and set its location, prefixed with classpath:, for example: locationValue="classpath:keystore.p12"

  • For an HSM: use the path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11hsm"

pin

PIN for the keystore or HSM.

To avoid having clear text PINs in this file, the pin should be scrambled. That can be achieved by setting it with pin.encrypted="1234" instead of pin="1234".

For WAR deployments the pin will then be scrambled on the next (re-)start of Tomcat.

For docker deployments you need to scramble the pins with a dedicated tool while Identity Manager Admin/Identity Manager Operator containers are not running.

After scrambling, the PIN will look something like pin="encrypted:someBase64EncodedValue". See Scramble sensitive data in Identity Manager files for detailed instructions.

Configuration file example

Expand
titleExample of a typical configuration file
Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
    <descriptors>
        <descriptor name="EncryptedFields" version="1">
            <type
name
 algorithm="AES/CBC/PKCS7Padding" size="
pkcs12
256"
locationValue
result="
classpath:signJWS.p12
NX02"
pin
key="
1234
encCert"
/>
</key>
<key
name
asymCipher="
emailSigningCert
RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
<type name="pkcs12" locationValue="classpath:emailSigning.p12" pin="1234"/>
     <descriptor name="ConfigZipEncrypter" version="1">
</key>
   <type algorithm="AES/CBC/PKCS7Padding" size="256" key="configZipEncrypterCert"
<key
name="serverCert">
<type
name="pkcs12"
locationValue="classpath:deviceEncCA.p12" pin="1234
asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </
key>
descriptor>
<key
<descriptor name=
"attestationKey_mobile_
"ConfigZipSigner" version="1">
            <type
name
algorithm="
pkcs12
SHA-256"
locationValue
key="
classpath:attKeyMobile1.p12
configZipSignerCert"
pin="936584967"
/>
        </
key>
descriptor>
<key
<descriptor name="
attestationKey_mobile_2
ObjectHistorySigner"
>
 version="1">
            <type
name
algorithm="
pkcs12
SHA-256"
locationValue
key="
classpath:attKeyMobile2.p12
objectHistorySignerCert"
pin="873145568"
/>
        </
key>
descriptor>
<key
<descriptor name="ObjectHistorySigner" version="
attestationKey_mobile_3
2">
            <type
name
algorithm="
pkcs12
SHA-256"
locationValue
key="
classpath:attKeyMobile3.p12
newObjectHistorySignerCert"
pin="8564789632"
/>
        </
key>
descriptor>
<key
<descriptor name=
"attestationKey_mobile_4
"SignEmailDescriptor" version="1">
            <type
name
algorithm="
pkcs12
SHA256withRSA"
locationValue
key="
classpath:attKeyMobile4.p12
emailSigningCert"
pin="9263564893"
/>
        </
key>
descriptor>
<key
<descriptor name="
attestationKey_mobile_pda_def
hermodDeviceEnc" version="1">
            <type
name
algorithm="
pkcs12
SHA256withRSA"
locationValue="classpath:attKeyMobileDef.p12" pin="2586453793"/>
key="serverCert" />
        </descriptor>
        <descriptor name="SelfServiceJWTSigner" version="1">
</key>
  <type algorithm="RSA" key="selfServiceJWTSignerCert"
<
/
keys> </engineSignEncrypt>

Descriptor names

IDM references descriptors by their name. Most names are fixed (e.g. ConfigZipEncrypter is always used for encrypting configuration files) and a few can be named arbitrarily (e.g. descriptors for PIN blob decryption).

Descriptor versioning

Some descriptors support multiple versions. For example, you can replace the key of the ObjectHistorySigner by adding a descriptor of this name with a newer version, and leaving the existing descriptor with the old version configured. This will cause any new signatures to be created with the new key, but you can still verify signatures made with the old one.

See the following example:

Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?> <engineSignEncrypt> <descriptors>
>
        </descriptor>
        <descriptor name="ContentProviderJWSSigner" version="1">
            <type algorithm="RSA" key="contentProviderJWSSignerCert" />
        </descriptor>
        <descriptor name="att_external-attestation-1" version="1">
            <type algorithm="SHA256withRSA" key="attestationKey_mobile_1" />
        </descriptor>
        <descriptor name="
ObjectHistorySigner
att_external-attestation-2" version="
2
1">
            <type algorithm="
SHA-256
SHA256withRSA" key="
newHistorySigner
attestationKey_mobile_2" />
        </descriptor>
        <descriptor name="
ObjectHistorySigner
att_external-attestation-3" version="1">
            <type algorithm="
SHA-256
SHA256withRSA" key="
oldHistorySigner
attestationKey_mobile_3" />
        </descriptor>
<!-- others descriptors --> </descriptors>
<descriptor name="att_external-attestation-4" version="1">
<keys>
<key name
<type algorithm="
newHistorySigner
SHA256withRSA"
> <type name="pkcs12" locationValue="classpath:sign_new.p12" pin="1234"
 key="attestationKey_mobile_4" />
        </
key>
descriptor>
<key
<descriptor name="att_ATTESTATION" version="
oldHistorySigner
1">
            <type
name
algorithm="
pkcs12
SHA256withRSA"
locationValue
key="
classpath:sign_old.p12" pin="1234"
attestationKey_mobile_pda_def" />
        </
key>
descriptor>
    </descriptors>
    <keys>
<!--
other
keys -->
<key name="encCert">
</keys> </engineSignEncrypt>

There are also descriptors which cannot be versioned, e.g. EncryptedFields. For those the version always needs to be set to 1.

Configuration elements

Descriptor

See the tables below the example for more information on the different possible attributes of a descriptor/-type.

Descriptor example

Code Block
languagexml
<descriptor name="ObjectHistorySigner" version="1">
 <type name="pkcs12" locationValue="classpath:hybridEncKeypair.p12" pin="encrypted:UPYN6QD/Vd45fbrQ/QF2DrYlRbaBOvriXkD3OxWLetgiXbQ="/>
        </key>
<type
<key
algorithm="SHA-256" key="objectHistorySignerCert" /> </descriptor>

...

descriptor element attribute

...

Description

...

name

...

Used by Identity Manager to refer to this descriptor. There might be different descriptors with the same name but with different versions.

...

version

...

A numeric value that denotes the descriptor's version. This is only needed for the ObjectHistorySigner.
A new version of a descriptor is needed, for example, when an old key needs to be replaced.
The descriptor with the highest version number is used. Verification of Object History entries will automatically select the right descriptor version.

...

Attribute of the type element inside descriptor

...

Description

...

algorithm

...

For EncryptedFields/ConfigZipEncrypter: symmetric algorithm to be used, usually AES/CBC/PKCS7Padding.

For SelfServiceJWTSigner/ContentProviderJWSSigner: always RSA.

For ConfigZipSigner/ObjectHistorySigner: hashing algorithm to be used (for example, SHA-256).

For SignEmailDescriptor/hermodDeviceEnc/att_* and pin-blob decryption descriptors:
signature algorithm to be used (for example, SHA256withRSA).

For idopteAuthentication: always NoneWithRSA.

...

size

...

For EncryptedFields/ConfigZipEncrypter only.
Size of the symmetric key, either 128or 256 (recommended).

...

result

...

For EncryptedFields only.
Output format, currently always NX02.

...

key

...

The descriptor’s key. Refers to a key defined in the same document.

...

asymCipher

...

For EncryptedFields/ConfigZipEncrypter only.
Cipher definition, e.g. RSA/None/OAEPWithSHA384AndMGF1Padding.

When used with an HSM, you need to adjust the cipher format to be compatible with the JCE provider
used for HSM access. 
For example, instead of the above cipher definition, specify RSA/ECB/OAEPWithSHA-384AndMGF1Padding
(ECBinstead of Noneand SHA-384 instead of SHA384).

...

initVector

...

Only needed for migrating EncryptedFields from SmartAct or ProAct. A fixed Initialization Vector (IV).

For other descriptors, omit this attribute in order to use randomly generated IVs.

Key

See the tables below the example for more information about the key/-type.

Key example

Code Block
languagexml
<key name="objectHistorySignerCert">
name="configZipEncrypterCert">
            <type name="pkcs12" locationValue="classpath:encryptConfig.p12" pin="encrypted:waKnF9aR6YCwamkL5/aKfVk3A1YjZbApclCpwmRuScmSfm0="/>
        </key>
        <key name="configZipSignerCert">
            <type name="pkcs12" locationValue="classpath:signConfig.p12" pin="encrypted://1p2CV3vDLvjyCuQKj4Zg2gSJGNhJ3R5qfgPKnqoyVwhGA="/>
        </key>
        <key name="newObjectHistorySignerCert">
            <type name="pkcs12" locationValue="classpath:historySignNew.p12" pin="encrypted:RC1w/BVMH1bwgM4DGKUeMvxIYonTKXrPa/sKr+JFbWgd/4o="/>
        </key>
        <key name="objectHistorySignerCert">
            <type name="pkcs12" locationValue="classpath:historySign.p12" pin="encrypted:nr7t9dSRu21RWpc95C6/JyczKI2wMkOo+93JLy7da/jkg7E="/>
        </key>
        <key name="selfServiceJWTSignerCert">
            <type name="pkcs12" locationValue="classpath:signJWT.p12" pin="encrypted:8ri1LiK3J8Ur8F1wSw0Qa/UYDoaJjo85I4QZC9mX9f/H7zc="/>
        </key>
        <key name="contentProviderJWSSignerCert">
            <type name="pkcs12" locationValue="classpath:signJWS.p12" pin="encrypted:4Kj0VidwLlISBKXAFZ+ZorOjL4HK6c86zESBaeoPWJ6oEcI="/>
        </key>
        <key name="emailSigningCert">
            <type name="pkcs12" locationValue="classpath:emailSigning.p12" pin="encrypted:mwd15YNfR2LyUaLtoCIO9R0fGvd3O2z7kfaYw2ObSqsigtA="/>
        </key>
        <key name="serverCert">
            <type name="pkcs12" locationValue="classpath:
sign
deviceEncCA.p12" pin="encrypted:yZJ7NcLs82mSs/nmV0s83c/sjvDA1kXspYWjvD3D7KsAS/c="
pin="1234"/> </key>

...

key element attribute

...

Description

...

name

...

Used by descriptors' key attribute to reference this key.

...

Attribute of the type element inside key

...

Description

...

name

...

Type of storage: pkcs12or HSM.

...

locationValue

...

  • For docker:

    • For a software keystore (pkcs12): place the keystore under docker/compose/certs before creating the container with docker compose. Then set its location as absolute path, prefixed with file: pointing to the mounted file in/certs,
      for example: locationValue="file:/certs/keystore.p12".
      Note: Default attestation keys are referenced from the classpath, e.g. locationValue="classpath:attKeyMobileDef.p12". Change this only if you need your own keys.

    • For an HSM: ensure the PKCS11 library is mounted into the container, then use the container’s path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11hsm"

  • For WAR file deployment: 

    • For a software keystore: place the keystore under WEB-INF/classes and set its location, prefixed with classpath:,
      for example: locationValue="classpath:keystore.p12"

    • For an HSM: use the path of the PKCS11 library, without filename extension,
      for example: locationValue="/usr/local/lib/libpkcs11hsm"

...

pin

PIN for the keystore or HSM.

To avoid having clear text PINs in this file, the pin should be scrambled.
That can be achieved by setting it with pin.encrypted="1234" instead of pin="1234".

For WAR deployments the pin will then be scrambled on the next (re-)start of Tomcat.

...

/>
        </key>
        <key name="attestationKey_mobile_1">
            <type name="pkcs12" locationValue="classpath:attKeyMobile1.p12" pin="936584967"/>
        </key>
        <key name="attestationKey_mobile_2">
            <type name="pkcs12" locationValue="classpath:attKeyMobile2.p12" pin="873145568"/>
        </key>
        <key name="attestationKey_mobile_3">
            <type name="pkcs12" locationValue="classpath:attKeyMobile3.p12" pin="8564789632"/>
        </key>
        <key name="attestationKey_mobile_4">
            <type name="pkcs12" locationValue="classpath:attKeyMobile4.p12" pin="9263564893"/>
        </key>
        <key name="attestationKey_mobile_pda_def">
            <type name="pkcs12" locationValue="classpath:attKeyMobileDef.p12" pin="2586453793"/>
        </key>
    </keys>
</engineSignEncrypt>