Bootstrapping of the sign and encrypt engine must be done before the system is used for the first time. Bootstrapping of production systems involve use of various certificate authorities to generate keys and issue certificates used by Identity Manager.

Most descriptors, such as EncryptedFields and ObjectHistorySigner, always require proper bootstrapping for secure operation. Depending on the subset of Identity Manager features to be used, certain descriptors may be configured with placeholder keys and certificates, for example, SignEmailDescriptor, if email signing in Identity Manager is not enabled.

Production systems can neither rely on any default keys that were installed with some older version nor on the development and test bootstrapping tools. Certificates must instead be requested and issued by real Certification Authorities (CA), taking care that they fulfill all requirements, and then installed prior to the first start of the system.

Bootstrapping an already used system

If Identity Manager has already been used without proper bootstrapping, the system must be bootstrapped again as described in this article. After the bootstrapping:

• if any object history entries exist, they must be resigned by using the batch_re-sign_history tool.

• if any secrets exist in the database, they must be re-encrypted by using the batch_secretfieldstore_change_encryption_key tool as described in Change encryption key of secret field store.

• any previously exported configuration’s signature will not be verifiable.

• any previously encrypted exported configuration will not be readable.

Bootstrapping procedure

Identify requirements

The first step is to go through the list of all descriptors and fill out the table for all the descriptors.

Detailed overview to identify requirements

Request certificates

For all the required descriptors, generate keypairs and Certification Signing Requests (CSRs) and request the certificates or create your own. If you want to store the keys in a Hardware Security Module (HSM), which is highly recommended, use it for generating keypairs.

Configure certificates in Identity Manager

1. Import the certificates into your HSM and/or place any of the credentials which are stored in PKCS#12 files to the correct location:

   1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\

   2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/

   3. Docker on Linux: /PATH/TO/smartid/docker/compose/certs/ (additionally /PATH/TO/smartid/docker/compose/cacerts/ for CA certificates that need to be trusted)

2. Edit the XML configuration file(s) to reference the appropriate files:

   1. Tomcat on Windows: C:\PATH\TO\TOMCAT\webapps\idm-[admin|operator]\WEB-INF\classes\engineSignEncryptConfig.xml

   2. Tomcat on Linux: /path/to/tomcat/idm-[admin|operator]/WEB-INF/classes/engineSignEncryptConfig.xml

   3. Docker on Linux: /PATH/TO/smartid/docker/compose/identitymanager/config/signencrypt.xml
      Each file must be referenced by the path within the container, as opposed to the path on the host. For example: file:/certs/MYFILE.p12

3. Import the configZipSigner certificate or its issuer into the Identity Manager truststore (place it into /PATH/TO/smartid/docker/compose/cacerts/ on docker).