
The configuration of Smart ID Identity Manager (PRIME) is defined with Identity Manager Admin (PRIME Designer) and then synchronized to the installation where the Identity Manager operator UI (PRIME Explorer) is running.

So that any modification on the transport path is detected, the configuration file can be signed. The signature is verified when the configuration is imported into the target system.

The keys and certificates used for signing and verification are configured in the sign and encrypt engine's configuration file, engineSignEncryptConfig.xml. The certificate used for signing and verifying the configuration file is the one in the key referenced by the descriptor "ConfigZipSigner". Read more in this article: Sign and encrypt engine in Identity Manager.

Also, read more in Transfer configuration to Smart ID Identity Manager.


Prerequisites

The "ConfigZipSigner" descriptor of the sign and encrypt engine must be configured.

Step-by-step instruction

The settings described here are configured in system.properties, which is located in:

  • webapps/<ID_MANAGER_ADMIN-DIRECTORY>/WEB-INF/classes/ for Identity Manager Admin, and
  • webapps/<ID_MANAGER-DIRECTORY>/WEB-INF/classes/ for the Identity Manager operator UI.

The configuration is signed in the signed-JAR format, that is, with a manifest and signature files under META-INF inside the configuration zip. What constitutes a valid signature in this case is described below.

 Configure configuration signing

You can configure the Identity Manager operator UI and Identity Manager Admin to sign the configuration when it is exported. By default, signing is enabled.

To explicitly enable or disable the signing of the configuration:

  • Enable configuration signing:
    1. Open system.properties on either Identity Manager operator UI or Identity Manager Admin.
    2. Set zipPacker.signZip to true
    3. Restart the application server to apply the changes.
  • Disable configuration signing:
    1. Open system.properties on either Identity Manager operator UI or Identity Manager Admin.
    2. Set zipPacker.signZip to false
    3. Restart the application server to apply the changes.
 Configure configuration validation

Validation of the configuration consists of the following checks:

  • The signing certificates are valid.
  • The configuration contains no unsigned content.
  • No signed content was removed from the configuration.
  • The signed content was not altered.
Note that plain JAR signature verification tolerates unsigned entries added to an archive and signed entries removed from it; Identity Manager rejects both, so the whole archive, not just the signed entries, must be unchanged.

You can enable or disable the verification of the configuration when it is imported by the Identity Manager operator UI and Identity Manager Admin.

  • Enable configuration validation:
    1. Open system.properties on either Identity Manager operator UI or Identity Manager Admin.
    2. Set zipUnpacker.verifyZip to true
    3. Restart the application server to apply the changes.
  • Disable configuration validation:
    1. Open system.properties on either Identity Manager operator UI or Identity Manager Admin.
    2. Set zipUnpacker.verifyZip to false
    3. Restart the application server to apply the changes.
 Configure configuration upload

You can configure whether the Identity Manager operator UI and Identity Manager Admin will allow importing a configuration based on the results of the validation.

To configure in what way a configuration can be uploaded:

  1. Open system.properties on either Identity Manager operator UI or Identity Manager Admin.
  2. Set uploadPopup.enableUploadButtonStrategyName to one of these:
    • enableUploadButtonStrategyStrict - Only signed configuration files that were successfully validated may be uploaded.
    • enableUploadButtonStrategyAllowUnsigned - Allow upload of
      • unsigned configuration files
      • signed configuration files that were successfully validated.
    • enableUploadButtonStrategyIgnoreSigning - Everything may be uploaded, including signed files that failed validation.
  3. Restart the application server to apply the changes.
 Manually remove the signature

For experts only: under very special circumstances it may be useful to remove the signature from the configuration file, thus making the configuration unsigned.

  1. Open the configuration zip file and remove the folder META-INF.

WARNING:

  • Removing the signature allows the configuration file to be modified without detection.
  • If enableUploadButtonStrategyStrict is configured on the target, the unsigned file cannot be imported at all.
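The following Python script is an added example, not Nexus code and not the sign and encrypt engine's implementation. It builds a configuration zip in the signed-JAR layout, applies the content checks listed under "Configure configuration validation", applies the three upload strategies to the result, and reproduces the manual removal of META-INF to show what happens under the Strict strategy. The signature file name META-INF/CONFIG.SF, the sample entry names and their contents are assumptions. One caveat: the first check (validity of the signing certificate) and the cryptographic signature over the .SF file are not verified here, since that needs the ConfigZipSigner key material; what the script demonstrates is the part of validation that goes beyond plain JAR signing.

```python
# Added example, not Nexus / Smart ID code: builds and checks a configuration zip
# in signed-JAR layout. Certificate validity and the signature over the .SF are
# NOT verified here (that needs the ConfigZipSigner key material).
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_FILE = "META-INF/CONFIG.SF"   # assumed name; the real one is set by the engine
STRICT, ALLOW_UNSIGNED, IGNORE = ("enableUploadButtonStrategyStrict",
    "enableUploadButtonStrategyAllowUnsigned", "enableUploadButtonStrategyIgnoreSigning")

def _digest(data):
    """SHA-256 digest, base64 encoded as in MANIFEST.MF / .SF files."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def _parse_sections(text):
    """Manifest-style text -> (main attrs, {Name: attrs}); a leading space continues a line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, cur = [], {}
    for line in lines:
        if line:
            key, _, value = line.partition(": ")
            cur[key] = value
        elif cur:                            # blank line terminates a section
            sections.append(cur)
            cur = {}
    if cur:
        sections.append(cur)
    return (sections[0] if sections else {}), {s["Name"]: s for s in sections[1:] if "Name" in s}

def build_config_zip(entries, sign=True):
    """Pack entries; with sign=True add MANIFEST.MF (one digest per entry) and a
    .SF carrying the digest of the manifest. No PKCS#7 block (.RSA) is produced."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if sign:
            manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
                f"Name: {n}\r\nSHA-256-Digest: {_digest(d)}\r\n\r\n" for n, d in entries.items())
            zf.writestr(MANIFEST, manifest)
            zf.writestr(SIG_FILE, "Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: "
                        f"{_digest(manifest.encode())}\r\n\r\n")
    return out.getvalue()

def rewrite_zip(zip_bytes, drop=(), put=None):
    """Copy a zip, dropping names that start with a prefix in `drop` and adding or
    replacing the entries in `put` (simulates tampering, or deleting META-INF)."""
    put, out = dict(put or {}), io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if not name.startswith(tuple(drop)) and name not in put:
                dst.writestr(name, src.read(name))
        for name, data in put.items():
            dst.writestr(name, data)
    return out.getvalue()

def validate_config_zip(zip_bytes):
    """Return (status, findings); status is 'unsigned', 'signed-valid' or 'signed-invalid'.
    Enforces: no unsigned content, no signed content removed, signed content unaltered."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if MANIFEST not in names:
            return "unsigned", []
        manifest = zf.read(MANIFEST)
        signed = _parse_sections(manifest.decode())[1]
        sf = _parse_sections(zf.read(SIG_FILE).decode())[0] if SIG_FILE in names else {}
        if sf.get("SHA-256-Digest-Manifest") != _digest(manifest):
            findings.append("signature file missing or manifest digest mismatch")
        content = [n for n in names if not n.startswith("META-INF/")]
        for n in content:
            if n not in signed:              # plain JAR verification tolerates this ...
                findings.append(f"unsigned content: {n}")
            elif signed[n].get("SHA-256-Digest") != _digest(zf.read(n)):
                findings.append(f"altered content: {n}")
        for n in signed:                     # ... and this; Identity Manager rejects both
            if n not in content:
                findings.append(f"signed content removed: {n}")
    return ("signed-valid" if not findings else "signed-invalid"), findings

def upload_allowed(strategy, zip_bytes):
    """Apply uploadPopup.enableUploadButtonStrategyName to the validation result."""
    status = validate_config_zip(zip_bytes)[0]
    if strategy == STRICT:
        return status == "signed-valid"
    if strategy == ALLOW_UNSIGNED:
        return status in ("signed-valid", "unsigned")
    if strategy == IGNORE:
        return True
    raise ValueError(f"unknown strategy: {strategy}")

# Constructed sample content, not a real Identity Manager configuration.
SAMPLE = {"config/datapool.xml": b"<datapool/>", "config/process.xml": b"<process/>"}

if __name__ == "__main__":
    good = build_config_zip(SAMPLE)
    print("intact:  ", validate_config_zip(good))
    print("added:   ", validate_config_zip(rewrite_zip(good, put={"config/extra.xml": b"<x/>"})))
    print("removed: ", validate_config_zip(rewrite_zip(good, drop=["config/process.xml"])))
    print("altered: ", validate_config_zip(rewrite_zip(good, put={"config/process.xml": b"<bad/>"})))
    stripped = rewrite_zip(good, drop=["META-INF/"])     # the manual procedure from the page
    print("stripped:", validate_config_zip(stripped), "| strict upload:", upload_allowed(STRICT, stripped))
```

The three tampering cases (an added entry, a removed entry, a changed entry) all leave the manifest and signature file byte-for-byte intact, which is exactly why a verifier that only checks the signed entries would accept the first two; the extra checks are what turn the signature into a statement about the whole archive. The stripped archive is reported as unsigned rather than invalid, which is the distinction the AllowUnsigned and Strict strategies act on.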
 Summary of relevant system.properties settings

As described, the behavior regarding signing, validation and upload of the configuration can be adapted to your needs by editing the file system.properties. Enabling these features is strongly recommended. Here's a summary of the recommended settings that were described above:

Example: system.properties
# CONFIGURATION/ZIP SIGNING AND VERIFICATION:
# How tolerant to be. Out of the box supported values are: "enableUploadButtonStrategyStrict", "enableUploadButtonStrategyAllowUnsigned" and "enableUploadButtonStrategyIgnoreSigning"
uploadPopup.enableUploadButtonStrategyName=enableUploadButtonStrategyStrict
#
# Sign ZIP archives and configuration?
zipPacker.signZip=true
#
# Verify ZIP archives and configuration?
zipUnpacker.verifyZip=true