- This line was added.
- This line was removed.
- Formatting was changed.
Smart ID Identity Manager offers support for HSM (Hardware Security Model) for several use cases:
- encrypting and decrypting of secrets in BPMN processes using the Identity Manager SecretFieldStore
- signing of Identity Manager configuration zip files
- signing of S/MIME emails with the Identity Manager MailTask
This is a more secure solution for signing and encryption than PKCS#12 files, which are files in the file system, only protected by a PIN code.
Prepare and install HSM
Configure Identity Manager
Identity Manager requires a native bridge DLL for the access to the HSM's PKCS#11 library, jpkcs11.dll/libjpkcs11.so
This section describes the engineSignEncrypt.xml valid from Identity Manager 3.12. For older versions, see Smart ID Identity Manager archive.
The following example is an extract showing four use cases configured for HSM (see also Sign and encrypt engine in Identity Manager for further use cases that can be configured in engineSignEncrypt.xml).
All four use different HSM certificates, see below in the
There is an issue with the iD2 security provider when you have two or more web clients, for example Identity Manager Operator and Identity Manager Admin, deployed in the same Tomcat that uses it to load a PKCS#11 keystore from the HSM.
If you do not handle this, errors like this can occur:
In addition, you may get a ClassNotFoundException for various BouncyCastle classes in crypto-related use-cases like softtoken requests, for example:
Make sure you avoid leftover JAR versions when upgrading.