Bootstrapping of productive systems involves use of various certificate authorities to generate keys and issue certificates used by IDM.
Most descriptors, such as EncryptedFields
and ObjectHistorySigner
, always require proper bootstrapping for secure operation. However, depending on the subset of IDM features to be used, certain descriptors may be configured with placeholder keys and certificates (e.g. SignEmailDescriptor
, if E-Mail signing in IDM is not enabled).
Productive systems can neither rely on any default keys that were installed with some older version nor on the development and test bootstrapping tools. Certificates must instead be requested and issued by real Certification Authorities (CA), taking care that they fulfill all requirements, and then installed prior to the first start of the system.
Bootstrapping of the sign and encrypt engine must be done before the system is used for the first time.
If IDM has already been used with test certificates, these insecure certificates may have been used. If object history entries and/or secrets were created with the demo keys, then after the bootstrapping you must resign the object history (using the batch_re-sign_history tool) and/or re-encrypt the secrets (using the batch_secretfieldstore_change_encryption_key tool) as described in Change Encryption key of secret field store). The batch_re-sign_history tool is not described anywhere. Need some clarification here!
Bootstrapping procedure
Identify requirements
The first step is to go through the list of all descriptors, and fill out this table for all the descriptors.
required: Is this descriptor required in your installation? Most descriptors are required. However, a few are only required if you use the feature they support. See use-case
placeholder: Will you use a placeholder? If a descriptor is required but you don’t need its use case, use a placeholder with some dummy certificate. See use-case
HSM: Where will you store the keys/certificates? Most keys/certificates can be stored in an HSM. An HSM is much more secure than a file. See storage
Key type / size: RSA or ECC? What keysize? See key requirements
Key usage: in most cases this is not required but recommended. See certificate requirements
Validity: See certificate requirements
Trusted by: who needs to trust the certificate. You may need to install the certificate or the issuer’s certificate to a machine. See general requirements and certificate requirements
Issuer: Who will issue this certificate? This will depend on who needs to trust it. You can use more than one CA. Choices are:
any CA, e.g. your own SmartID Certificate Manager or a public CA
a trusted S/MIME CA. This is needed in case you want IDM to sign emails, otherwise clients may fail to validate the emails
for placeholders or certificates that don’t require trust you can create your own keypairs and certificates with any suitable tool you like. See certificate requirements
Request certificates
Generate keypairs and Certification Signing Requests (CSRs) and request the certificates or create your own. If you want to store the keys in a Hardware Security Module (HSM), which is highly recommended, use it for generating keypairs. Note that getting certificates from a CA may take some time.
Configure certificates in IDM
Import the certificates into your HSM and/or place any of the credentials which are stored in PKCS#12 files to the correct location:
Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\
Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/
Docker on Linux: /PATH/TO/smartid/docker/compose/certs/
Edit the XML configuration file(s) to reference the appropriate files:
Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\engineSignEncryptConfig.xml
Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/engineSignEncryptConfig.xml
Docker on Linux: /PATH/TO/smartid/docker/compose/identitymanager/config/signencrypt.xml
Note: each file needs to be referenced by the path within the container, as opposed to the path on the host.
For example:file:/certs/MYFILE.p12