Identity Manager Configuration Parameters

The Configuration references for the Identity Manager Service are given below:

  • address: The host and port on which the service runs

  • database: See CENM Database Configuration

  • shell: (Optional) See Shell Configuration Parameters for more information. Note that we are planning to deprecate the shell and the recommended path for interacting with CENM services is the admin RPC interface detailed below.

  • localSigner: (Optional) Configuration of the local signer for the Identity Manager Service. Useful for debugging, testing or when Hardware Security Module (HSM) support is not available.

    • keyStore: Configuration for the key store containing the Identity Manager Service key pair.
      • file: Path to the key store file containing the signing keys for the Identity Manager Service.
      • password: Key store password.
      • keyAlias: Key alias under which the key can be found in the key store.
      • keyPassword: Password for the ‘keyAlias’ key entry within the key store.
    • signInterval: The frequency for triggering the signing process (defined in milliseconds).
    • timeout: (Optional) The maximum time allowed for executing the signing process (in milliseconds). Defaults to 30 seconds. If the timeout threshold is reached, then the signing process will abort and wait before retrying. The wait time after each failure is determined by an exponential backoff strategy.
  • crlDistributionUrl: (Optional) REST endpoint under which the certificate revocation list issued by the Identity Manager can be obtained. It is needed as this URL is encoded in certificates issued by the Identity Manager.

  • workflows:

    • workflow-id:

    • type: Either ISSUANCE or REVOCATION - see below for details.

    • enmListener: Information about the way the service will communicate with the rest of the CENM deployment.

      • port: The port that the service will bind to, and other CENM components it will connect to.

      • verbose: (Optional) Enables verbose logging for the socket layer.

      • reconnect: Determines if a client should attempt to reconnect if the connection is dropped.

      • ssl: See SSL Settings.

  • plugin:

    • pluginClass: The main class of the plugin being loaded.
    • pluginJar: (Optional) The absolute path to the JAR file of the workflow plugin.

    • config: (Optional) A free-form map that allows options to be passed to the plugin class.

  • “issuance workflow”:

    • updateInterval: Determines how often the Issuance Workflow Processor should synchronise Certificate Signing Request (CSR) statuses.
    • versionInfoValidation: (Optional) Configuration for the validation of node version info during CSR submission.
    • minimumPlatformVersion: (Optional - defaults to -1) The minimum platform version of Corda that a node needs to run on, in order to successfully submit Certificate Signing Requests. The platform version is an integer value that increments with each release where any of the public APIs of the entire Corda platform are changed. Setting this to a value lower than 1 disables this behaviour - in that case, the Identity Manager Service does not check whether that platform version is passed from the node.
    • newPKIOnly: (Optional - defaults to false) A boolean parameter that determines whether Certificate Signing Request (CSR) should be rejected for all nodes running an outdated version of Corda that does not support the new PKI structure (arbitrary length certificate chains).
  • “revocation workflow”:

    • crlCacheTimeout: The interval after which the Revocation Workflow Processor needs to synchronise Certificate Revocation Requests (CRR) statuses, as well as the duration after the CRL cache in Revocation Web Service is cleared.
    • crlFiles: A list of CRLs hosted by the Identity Manager Service, in addition to the CRLs hosted by node operators. This allows the Identity Manager Service to host the CRLs for node operators that will not host their own CRL infrastructure, at the cost of not being able to revoke TLS certificates issued by the node.
  • adminListener: A configuration property you must define in order to use the RPC API in the Identity Manager Service. You can add port, reconnect, and verbose. Also, this property has an SSL field - for more information, see SSL Settings.

    • port: Port number to listen to for Admin RPC connections.
    • verbose: (Optional) Enables verbose logging for the socket layer. Defaults to false.
    • reconnect: (Optional) Determines if a client should attempt to reconnect if the connection is dropped. Defaults to true.
    • ssl: See SSL Settings for details.
  • authServiceConfig: The admin RPC interface requires an Auth Service to verify requests, which must be configured below in a authServiceConfig block. Typically this is provided automatically by the Zone Service (via an Angel Service), however the parameters are detailed below for reference:
    • host: The hostname of the Auth Service. Required unless authentication is disabled.
    • port: The port number of the Auth Service. Required unless authentication is disabled.
    • trustStore: Trust store configuration for the SSL PKI root of trust.
      • location: The location in the file system of the keystore containing the Auth Service root of trust.
      • password: The password for the trust root keystore.
    • issuer: The "iss" claim in the JWT - you must set the same value as in the Auth Service’s configuration. Required unless authentication is disabled.
    • leeway: Defines the amount of time, in seconds, allowed when checking JSON Web Token (JWT) issuance and expiration times. Required unless authentication is disabled. R3 recommends a default time of 10 seconds.

To view the latest changes to the obfuscated configuration files, see Obfuscation configuration file changes.

The Identity Manager cannot be redirected. Only HTTP OK (response code 200) is supported - any other kind of response codes, including HTTP redirects (for example, response code 301), are NOT supported.

Was this page helpful?

Thanks for your feedback!

Chat with us

Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.

Propose documentation improvements directly

Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.

We're sorry this page wasn't helpful. Let us know how we can make it better!

Chat with us

Chat with us on our #docs channel on slack. You can also join a lot of other slack channels there and have access to 1-on-1 communication with members of the R3 team and the online community.

Create an issue

Create a new GitHub issue in this repository - submit technical feedback, draw attention to a potential documentation bug, or share ideas for improvement and general feedback.

Propose documentation improvements directly

Help us to improve the docs by contributing directly. It's simple - just fork this repository and raise a PR of your own - R3's Technical Writers will review it and apply the relevant suggestions.