Identity Manager allows you to add XMLDSIG-format signed approvals, including an RFC 3161-compliant digital timestamp, to the Identity Manager approval process. When you configure Identity Manager to use XMLDSIG signed approvals, no changes are visible to approvers unless they view the approval in the audit log. Only the format of the signed approval that is stored in the audit log record is changed.
As with the existing SignedData-format signed approvals in Identity Manager, an applet is launched on the client machine and the approver is presented with the approval information for signing. The approver then chooses a keystore and a key with which to sign the approval.
After the approver signs the approval, an XMLDSIG document containing the approval data is created. This document is returned to the server, which validates the XMLDSIG signed document. If validation succeeds, and if RFC 3161 digital timestamps have been configured, a digital timestamp is also requested for this document. The timestamp token retrieved from the timestamp authority (TSA) is checked for errors and the TSA's certificates are validated. Finally, if all of these checks succeed, Identity Manager generates an audit log record that includes the XMLDSIG-format signed approval object in the XML blob column.
The format for an XMLDSIG-format approval object is as follows:
    <XMLSignedData signedContent="...base64 transaction text...">
      <XMLSignature>
        <TSATimestamp>
          ...the base64 encoded PKCS7 timestamp token returned by the TSA...
        </TSATimestamp>
        <Signature>
          <SignedInfo>...XMLDSIG stuff...</SignedInfo>
          <SignatureValue>...base64 signature value...</SignatureValue>
          <KeyInfo>...cert info for signer...</KeyInfo>
        </Signature>
      </XMLSignature>
    </XMLSignedData>
where:
The signedContent attribute holds the approval data text that is presented to the approver in the applet, encoded in base64 format.
The <TSATimestamp> element contains the base64 encoded PKCS7 timestamp token (RFC 3161 TimeStampToken) returned by the Timestamp Authority (TSA). It is present only when digital timestamps have been configured.
The entire <Signature> element comprises the XMLDSIG signature data.
This XMLDSIG document is what is stored in the XML blob column of the audit log approval record.
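The following script is an added example for reviewing records in this format; it is not Identity Manager code. It assumes only the element layout shown above (XMLSignedData, XMLSignature, TSATimestamp, Signature) and the standard XMLDSIG algorithm URIs. It does not verify the XMLDSIG signature or the RFC 3161 token itself (that is the server's job, and needs an XMLDSIG library); it extracts the approval text, reports which algorithms were used, and flags the structural problems an auditor would want to see first: a missing TSA token when timestamping is configured, a missing signer certificate, or a SHA-1/MD5 based signature. The sample record, approval text, and the digest, signature, certificate and timestamp values inside it are constructed placeholders.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

# XMLDSIG algorithm URIs that should not back a non-repudiation record.
WEAK_ALGORITHMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#md5",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
})

# Constructed sample approval text (not from a real deployment).
APPROVAL_TEXT = "Approve request 4711: assign role FinanceAdmin to user jdoe"

SAMPLE_TEMPLATE = """<XMLSignedData signedContent="{content}">
  <XMLSignature>
    {timestamp}
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="{sigmethod}"/>
        <Reference URI="">
          <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
          <DigestValue>{digest}</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>{sig}</SignatureValue>
      <KeyInfo><X509Data><X509Certificate>{cert}</X509Certificate></X509Data></KeyInfo>
    </Signature>
  </XMLSignature>
</XMLSignedData>"""


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def build_sample(include_timestamp=True,
                 signature_method="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"):
    """Build a constructed XMLSignedData blob. Digest, signature, certificate
    and TSA token are placeholders, not real cryptographic values; a real
    DigestValue covers the canonicalized reference, not the raw text."""
    token = b"\x30\x03\x02\x01\x01"  # minimal DER SEQUENCE standing in for a PKCS7 token
    timestamp = "<TSATimestamp>%s</TSATimestamp>" % _b64(token) if include_timestamp else ""
    return SAMPLE_TEMPLATE.format(
        content=_b64(APPROVAL_TEXT.encode("utf-8")), timestamp=timestamp,
        sigmethod=signature_method,
        digest=_b64(hashlib.sha256(APPROVAL_TEXT.encode("utf-8")).digest()),
        sig=_b64(b"placeholder-signature"), cert=_b64(b"placeholder-certificate"))


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """First direct child with this local name, namespaced or not."""
    return next((c for c in parent if _local(c.tag) == name), None)


def inspect_signed_approval(xml_blob, expect_timestamp):
    """Return a report dict for one XML blob column value.
    Parse blobs from untrusted sources with defusedxml instead of stdlib ET."""
    root = ET.fromstring(xml_blob)
    report = {"approval_text": None, "signature_method": None, "digest_methods": [],
              "weak_algorithms": [], "has_signer_cert": False, "has_timestamp": False,
              "problems": []}
    if _local(root.tag) != "XMLSignedData":
        report["problems"].append("root element is %s, not XMLSignedData" % root.tag)
        return report
    try:  # signedContent is the text the approver saw, base64 encoded
        report["approval_text"] = base64.b64decode(
            root.get("signedContent", ""), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        report["problems"].append("signedContent is not valid base64/UTF-8: %s" % exc)
    xmlsig = _child(root, "XMLSignature")
    if xmlsig is None:
        report["problems"].append("missing XMLSignature element")
        return report
    tst = _child(xmlsig, "TSATimestamp")  # optional: only when timestamping is on
    if tst is not None and (tst.text or "").strip():
        try:
            token = base64.b64decode(tst.text.strip(), validate=True)
            report["has_timestamp"] = token[:1] == b"\x30"  # PKCS7 ContentInfo is a DER SEQUENCE
            if not report["has_timestamp"]:
                report["problems"].append("TSATimestamp does not decode to a DER SEQUENCE")
        except binascii.Error as exc:
            report["problems"].append("TSATimestamp is not valid base64: %s" % exc)
    if expect_timestamp and not report["has_timestamp"]:
        report["problems"].append("timestamping is configured but no TSA token is present")
    sig = _child(xmlsig, "Signature")
    if sig is None:
        report["problems"].append("missing XMLDSIG Signature element")
        return report
    signed_info = _child(sig, "SignedInfo")
    if signed_info is None:
        report["problems"].append("Signature has no SignedInfo")
    else:
        method = _child(signed_info, "SignatureMethod")
        report["signature_method"] = method.get("Algorithm") if method is not None else None
        report["digest_methods"] = [e.get("Algorithm") for e in signed_info.iter()
                                    if _local(e.tag) == "DigestMethod"]
    used = [report["signature_method"]] + report["digest_methods"]
    report["weak_algorithms"] = [a for a in used if a in WEAK_ALGORITHMS]
    if report["weak_algorithms"]:
        report["problems"].append("weak algorithms: %s" % ", ".join(report["weak_algorithms"]))
    value = _child(sig, "SignatureValue")
    if value is None or not (value.text or "").strip():
        report["problems"].append("missing or empty SignatureValue")
    report["has_signer_cert"] = any(_local(e.tag) == "X509Certificate" for e in sig.iter())
    if not report["has_signer_cert"]:
        report["problems"].append("KeyInfo carries no X509Certificate for the signer")
    return report


if __name__ == "__main__":
    for blob in (build_sample(), build_sample(include_timestamp=False,
                 signature_method="http://www.w3.org/2000/09/xmldsig#rsa-sha1")):
        print(inspect_signed_approval(blob, expect_timestamp=True))
```

Pass expect_timestamp=True only when security.nonrepudiation.timestampXmlDigitalSignatures is enabled for the deployment being reviewed; otherwise an absent TSATimestamp is normal and should not be reported.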
The installation and setup requirements for using XMLDSIG signed approvals are the same as those described in To Enable Server-Side Configuration for Signed Approvals, with one additional step. You must sign the xmlsec-1.4.2.jar file in addition to signing the ts2.jar file.
You can use system configuration attributes to:
Choose the SignedData format or the XMLSignedData format. Note that you can configure only one format at a time, although administrators can change this setting as needed.
Include a digital timestamp retrieved from a configured RFC 3161 Timestamp Authority (TSA).
Specify the URL of the TSA from which to fetch this timestamp. Only HTTP is supported for this URL; the integrity of the timestamp comes from the TSA's signature on the token and the certificate validation performed by the server, not from the transport.
To edit these attributes, use the Identity Manager debug pages to edit the system configuration object. These attributes are all located under security.nonrepudiation, along with other signed approval attributes.
The XMLDSIG attributes include:
security.nonrepudiation.useXmlDigitalSignatures is a boolean value that enables XMLDSIG signatures.
security.nonrepudiation.timestampXmlDigitalSignatures is a boolean value that includes RFC 3161 digital timestamps in XMLDSIG signatures.
security.nonrepudiation.timestampServerURL is a string value where the URL points to the HTTP-based TSA from which to fetch timestamps.
You must first set the existing useSignedApprovals attribute to true for any of the preceding attributes to have an effect.
Identity Manager does not support multiple signatures on one approval or signed approvals for more general provisioning requests.