Sign configuration file in Identity Manager
The configuration of Smart ID Identity Manager is defined with Identity Manager Admin and then synchronized to the installation where Identity Manager Operator is running.
To protect against undetected modification on the transport path, the configuration file can be signed. The signature is verified when the configuration is read into the target system.
The keys and certificates used for signing and verification are configured in the encrypt and sign engine's configuration, in engineSignEncryptConfig.xml. The certificate used for signing and verifying the configuration file is specified in the key referenced by the descriptor "ConfigZipSigner". Read more in this article: Sign and encrypt engine in Identity Manager.
Also, read more in Transfer configuration to Smart ID Identity Manager.
Prerequisites
The "ConfigZipSigner" descriptor of the sign and encrypt engine must be configured.
Step-by-step instruction
The settings described here are configured in system.properties, which is located in webapps/<ID_MANAGER_ADMIN-DIRECTORY>/WEB-INF/classes/ and webapps/<ID_MANAGER-DIRECTORY>/WEB-INF/classes/, respectively.
The format used to sign the configuration is that of a signed JAR. What constitutes a valid signature in this case is described below.
Configure configuration signing
You can configure Identity Manager Operator and Identity Manager Admin to sign the configuration when it is exported. By default, signing is enabled.
To explicitly enable or disable the signing of the configuration:
Enable configuration signing:
Open system.properties on either Identity Manager Operator or Identity Manager Admin.
Set zipPacker.signZip to true.
Restart the application server to apply the changes.
Disable configuration signing:
Open system.properties on either Identity Manager Operator or Identity Manager Admin.
Set zipPacker.signZip to false.
Restart the application server to apply the changes.
Configure configuration validation
Validation of the configuration consists of the following checks:
The signing certificates are valid.
The configuration contains no unsigned content.
No signed content was removed from the configuration.
The signed content was not altered.
Plain JAR signing allows unsigned content to be added to the archive and signed content to be removed from it; Identity Manager prohibits both.
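As an added illustration (not Identity Manager's own code), the three content checks above as a strict check over a constructed configuration zip: every entry outside META-INF must have a manifest digest, every manifest digest must still match, and every digested entry must still be present. The certificate check and verification of the .SF and signature-block files are assumed to be handled separately; make_archive is a constructed fixture that writes only MANIFEST.MF.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(text):  # map entry name -> SHA-256-Digest from the per-entry sections
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:   # a leading space marks a wrapped continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[16:]
        elif not line:                        # a blank line ends the section
            name = None
    return digests

def strict_check(zip_bytes):  # returns findings; an empty list means all content checks pass
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if MANIFEST not in names:
            return ["no signature: META-INF/MANIFEST.MF is missing"]
        signed = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        content = [n for n in names if not n.startswith("META-INF/")]
        for n in content:
            if n not in signed:                # plain JAR rules would tolerate this
                findings.append(f"unsigned content: {n}")
            elif hashlib.sha256(zf.read(n)).digest() != base64.b64decode(signed[n]):
                findings.append(f"altered content: {n}")
        findings += [f"signed content removed: {n}" for n in signed if n not in content]
    return findings

def make_archive(contents, signed):  # constructed fixture: zip `contents`, manifest digests `signed`
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in signed.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\nSHA-256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        for name, data in contents.items():
            zf.writestr(name, data)
    return buf.getvalue()
```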
You can enable or disable the verification of the configuration when it is imported by Identity Manager Operator and Identity Manager Admin.
Enable configuration validation:
Open system.properties on either Identity Manager Operator or Identity Manager Admin.
Set zipUnpacker.verifyZip to true.
Restart the application server to apply the changes.
Disable configuration validation:
Open system.properties on either Identity Manager Operator or Identity Manager Admin.
Set zipUnpacker.verifyZip to false.
Restart the application server to apply the changes.
Configure configuration upload
You can configure whether Identity Manager Operator and Identity Manager Admin will allow importing a configuration based on the results of the validation.
To configure in what way a configuration can be uploaded:
Open system.properties on either Identity Manager Operator or Identity Manager Admin.
Set uploadPopup.enableUploadButtonStrategyName to one of these values:
enableUploadButtonStrategyStrict - Only signed configuration files that were successfully validated may be uploaded.
enableUploadButtonStrategyAllowUnsigned - Unsigned configuration files and signed configuration files that were successfully validated may be uploaded.
enableUploadButtonStrategyIgnoreSigning - Everything may be uploaded.
Restart the application server to apply the changes.
Manually remove the signature
Under very special circumstances it may be useful to remove the signature from the configuration file, thus making the configuration unsigned.
Open the configuration zip file and remove the folder META-INF.
WARNING: Removing the signature allows fraudulent modification of the configuration file. If you do this while enableUploadButtonStrategyStrict is configured, the unsigned configuration file cannot be imported.
Summary
The behavior regarding signing, validation, and upload of the configuration can be adapted to your needs by editing the file system.properties. Enabling these features is strongly recommended. Here's a summary of the recommended settings that were described above:
Example: system.properties
# CONFIGURATION/ZIP SIGNING AND VERIFICATION:
# How tolerant to be. Out of the box supported values are: "enableUploadButtonStrategyStrict", "enableUploadButtonStrategyAllowUnsigned" and "enableUploadButtonStrategyIgnoreSigning"
uploadPopup.enableUploadButtonStrategyName=enableUploadButtonStrategyStrict
#
# Sign ZIP archives and configuration?
zipPacker.signZip=true
#
# Verify ZIP archives and configuration?
zipUnpacker.verifyZip=true