...
Info |
---|
This article is new for Identity Manager 5.0.1. |
Bootstrapping of the sign and encrypt engine must be done before the system is used for the first time. Bootstrapping of production systems involve use of various certificate authorities to generate keys and issue certificates used by IDMIdentity Manager.
Most descriptors, such as EncryptedFields
and ObjectHistorySigner
, always require proper bootstrapping for secure operation. However, depending Depending on the subset of IDM Identity Manager features to be used, certain descriptors may be configured with placeholder keys and certificates (e.g. , for example, SignEmailDescriptor
, if E-Mail email signing in IDM Identity Manager is not enabled).
Productive Production systems can neither rely on any default keys that were installed with some older version nor on the development and test bootstrapping tools. Certificates must instead be requested and issued by real Certification Authorities (CA), taking care that they fulfill all requirements, and then installed prior to the first start of the system.
Bootstrapping
...
an already used system
If Identity Manager has already been used with test certificates, these insecure certificates may have been used. If object history entries and/or secrets were created with the demo keys, then after the bootstrapping you must resign the object history (without proper bootstrapping, the system must be bootstrapped again as described in this article. After the bootstrapping:
if any object history entries exist, they must be resigned by using the batch_re-sign_history tool
...
.
if any secrets exist in the database, they must be re-encrypted by using the batch_secretfieldstore_change_encryption_key tool
...
as described in Change
...
...
.
any previously exported configuration’s signature will not be verifiable.
any previously encrypted exported configuration will not be readable.
Bootstrapping procedure
Identify requirements
The first step is to go through the list of all descriptors, and compile a list of the descriptors for which your IDM installation actually needs a proper key. For each descriptor in the list, look up the general requirements. For the descriptors where a placeholder is sufficient for you, just create dummy certificates. You can print out this table and fill it out.
With the list at hand, repeat the following steps for each descriptor you have identified:
read the certificate requirements of each descriptor and decide
...
and fill out the table for all the descriptors.
Detailed overview to identify requirements
Requirement type | Comment | More detail |
---|---|---|
Setup | Is this descriptor required in your installation? Most descriptors are required. A few are only required if you use the feature they support. | In the list of descriptors, see use case. |
Placeholder | Are you going to use a placeholder? If a descriptor is required but you do not need its use case, use a placeholder with some dummy certificate. | In the list of descriptors, see use case. |
HSM | Where will you store the keys and/or certificates? Most keys and/or certificates can be stored in an HSM. An HSM is more secure than a file. | In the list of descriptors, see storage. |
Key type or size | Are you using RSA or ECC? What key size? | In the list of descriptors, see key requirements. |
Validity | - | In the list of descriptors, see certificate requirements. |
Trusted by | Who needs to trust the certificate? You may need to install the certificate or the issuer’s certificate to a machine. | In the list of descriptors, see general requirements and certificate requirements. |
Issuer | Who will issue this certificate? This will depend on who needs to trust it. You can use more than one CA. |
...
The choices are:
|
...
|
...
|
...
|
...
who needs to trust the issuer. You may have to install the issuer certificate in the IDM truststore or some other system, if this is stated in the certificate requirements
...
what key usage each certificate needs to have
...
until when the certificate shall be valid
In the list of descriptors, see certificate requirements. |
Request certificates
Generate For all the required descriptors, generate keypairs and Certification Signing Requests (CSRs) and request the certificates or create your own. If you want to use store the keys in a Hardware Security Module (HSM), which is highly recommended, use it for generating keypairs wherever possible. The storage entry of each descriptor details where the keypair can be stored.
Getting certificates from a CA may take some time, for example, due to manual verification steps. It is recommended to plan accordingly to have enough time to acquire all necessary keys and certificates before beginning the bootstrapping procedure.
Configure certificates in
...
Identity Manager
Import the certificates into your HSM and/or place any of the credentials which are stored in PKCS#12 files to the correct location:
Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\
Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/
Docker on Linux: /PATH/TO/smartid/docker/compose/certs/(additionally /PATH/TO/smartid/docker/compose/cacerts/ for CA certificates that need to be trusted)
Edit the XML configuration file(s) to reference the appropriate files:
Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\engineSignEncryptConfig.xml
Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/engineSignEncryptConfig.xml
Docker on Linux: /PATH/TO/smartid/docker/compose/identitymanager/config/signencrypt.xml
Note: each file needs to Each file must be referenced by the path within the container, as opposed to the path on the host.
For example:file:/certs/MYFILE.p12
Import the configZipSigner certificate or its issuer into the Identity Manager truststore (place it into/PATH/TO/smartid/docker/compose/cacerts/ on docker).