Versions Compared

Old Version 9

changes.mady.by.user David Banz

Saved on

compared with

New Version Current

changes.mady.by.user Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor
Info

This article is valid new for Smart ID Identity Manager 24.R1 or later5.0.1.

Upon startup, IDM Identity Manager Operator and IDM Identity Manager Administrator will perform various checks of the Sign and Encrypt engine's configuration. Depending on the severity, failed checks will lead to log messages or even prevent the system from starting. These checks in the sections below carried out:

Check

...

the

...

If you wish, you can add certificates to the blacklist, e.g. the ones that you used during development of your solution. The blacklist is contained in the file blacklist.p12, the default password is "blacklist"

If this check fails, booting will not be aborted, as this is an acceptable scenario for development, testing and demonstrations. To fix the error, change the keys of the offending descriptors.

Check the Secret Fields Store configuration

Secrets are stored in the Secret Fields Store. If the wrong key is configured, IDM Identity Manager will not be able to decrypt existing secrets. This check makes sure that the correct key is configured.

If this check fails, start up will be aborted. To fix the error, please configure the correct key for the offending descriptor. If you want to change this keypair, please follow the documentation for doing so.

...

This particular check is performed by IDM Identity Manager Operator only.

IDM Identity Manager signs the history of the objects it manages. When you are using an already existing Object History chain, this check makes sure that certificates for signing and verification of this chain are properly configured in a way that allows the chain to be continued. This means that the certificate and associated keypair used for the last entry of the chain must still be available.

A failure of this test indicates that the descriptors used for the Object History signing are wrong. In this case, start up will be aborted. Please check Check that the correct certificate/keypair is configured for the descriptor and that the versioning is correct.

...

For Tomcat deployment: add the following toWEB-INF/classes/system.properties of the IDM Identity Manager Operator webapp:

Code Block
languagenone
# replace NEW_CHAIN with the desired name for the replacement chain
commonHistoryService.chainName=NEW_CHAIN

For Docker docker deployment: add the following to the start of the SYSTEM_PROPERTIESdefinition in docker/compose/identitymanager/operator/docker-compose.yml:

Code Block
languageyaml
# replace NEW_CHAIN with the desired name for the replacement chain
          "commonHistoryService.chainName": "NEW_CHAIN",

Thus, the The old chain will remain intact for further analysis. The new chain will be signed with the currently configured descriptor.

Check for Demo Keys

This check will go through all the configured keys of the sign and encrypt engine and check them against a blacklist. The blacklist contains known demo keys by default (publicly known and thus not suitable for productive use). If a descriptor uses a blacklisted keypair, an error message will be logged with details of the offending descriptor.

You can add certificates to the blacklist, for example, the ones that you used during development of your solution. The blacklist is contained in the file blacklist.p12, the default password is "blacklist".

If this check fails, booting will not be aborted, as this is an acceptable scenario for development, testing and demonstrations. To fix the error, change the keys of the offending descriptors.