Sign configuration file in Identity Manager

The configuration of Smart ID Identity Manager is defined with Identity Manager Admin and then synchronized to the installation where Identity Manager Operator is running.

To avoid any modification on the transport path, the configuration file can be signed. The signature will be verified when the configuration is read into the target system.

The keys and certificates used for signing and verification are configured in the encrypt and sign engine's configuration, in engineSignEncryptConfig.xml. The certificate used for signing and verifying the configuration file is specified in the key referenced by the descriptor "ConfigZipSigner". Read more in this article: Sign and encrypt engine in Identity Manager.

Also, read more in Transfer configuration to Smart ID Identity Manager.

Prerequisites

• The "ConfigZipSigner" descriptor of the sign and encrypt engine must be configured.

Step-by-step instruction

The settings described here are configured in system.properties, which is located in:

• webapps/<ID_MANAGER_ADMIN-DIRECTORY>/WEB-INF/classes/  respective 

• webapps/<ID_MANAGER-DIRECTORY>/WEB-INF/classes/.

The format used to sign the configuration is that of a signed JAR. Below is described what constitutes a valid signature in this case.

Configure configuration signing

You can configure Identity Manager Operator and Identity Manager Admin to sign the configuration when it is exported. By default, signing is enabled.

To explicitly enable or disable the signing of the configuration:

• Enable configuration signing:

  1. Open system.properties on either Identity Manager Operator or Identity Manager Admin.

  2. Set zipPacker.signZip to true

  3. Restart the application server to apply the changes.

• Disable configuration signing:

  1. Open system.properties on either Identity Manager Operator or Identity Manager Admin.

  2. Set zipPacker.signZip to false

  3. Restart the application server to apply the changes.

Configure configuration validation

Validation of the configuration consists of the following checks:

• The signing certificates are valid.

• The configuration contains no unsigned content.

• No signed content was removed from the configuration.

• The signed content was not altered.

JAR signing actually allows adding unsigned content or removing signed content to/from the archive, while Identity Manager prohibits that.

You can enable or disable the verification of the configuration when it is imported by Identity Manager Operator and Identity Manager Admin.

• Enable configuration validation:

  1. Open system.properties on either Identity Manager Operator or Identity Manager Admin.

  2. Set zipUnpacker.verifyZip to true

  3. Restart the application server to apply the changes.

• Disable configuration validation:

  1. Open system.properties

  2. Set zipUnpacker.verifyZip to false

  3. Restart the application server to apply the changes.

Configure configuration upload

You can configure whether Identity Manager Operator and Identity Manager Admin will allow importing a configuration based on the results of the validation.

To configure in what way a configuration can be uploaded:

1. Open system.properties on either Identity Manager Operator or Identity Manager Admin.

2. Set uploadPopup.enableUploadButtonStrategyName to any of these:

   • enableUploadButtonStrategyStrict - Only signed configuration files that where successfully validated may be uploaded.

   • enableUploadButtonStrategyAllowUnsigned - Allow upload of

     • unsigned configuration files

     • signed configuration files that where successfully validated.

   • enableUploadButtonStrategyIgnoreSigning - Everything may be uploaded.

3. Restart the application server to apply the changes.

Manually remove the signature

Under very special circumstances it may be useful to remove the signature of the configuration file, thus making the configuration unsigned.

• Open the configuration zip file and remove the folder META-INF.

WARNING:

• Removing the signature allows fraudulent modification of the configuration file.

• If you do this, and if enableUploadButtonStrategyStrict is configured, this will prevent you from importing configuration files.

Summary

The behavior regarding signing, validation, and upload of the configuration can be adapted to your needs by editing the file system.properties. Enabling these features is strongly recommended. Here's a summary of the recommended settings that were described above:

Example: system.properties

# CONFIGURATION/ZIP SIGNING AND VERIFICATION:
# How tolerant to be. Out of the box supported values are: "enableUploadButtonStrategyStrict", "enableUploadButtonStrategyAllowUnsigned" and "enableUploadButtonStrategyIgnoreSigning"
uploadPopup.enableUploadButtonStrategyName=enableUploadButtonStrategyStrict
#
# Sign ZIP archives and configuration?
zipPacker.signZip=true
#
# Verify ZIP archives and configuration?
zipUnpacker.verifyZip=true