Hi Community,
We are hitting another hurdle in our migration from TFIM (6.2.2) to ISAM9 federation.
When exporting the configuration from our current SPs (using the wsadmin tool) we find 6 different values:
- http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
- http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html
- http://www.w3.org/2001/04/xmlenc#aes256-cbc
- http://www.w3.org/2001/04/xmlenc#rsa-1_5
- http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
- http://www.w3.org/2009/xmlenc11#aes128-gcm
However, according to the documentation (https://www.ibm.com/support/knowledgecenter/en/SSZSXU_6.2.2.6/com.ibm.tivoli.fim.doc_6226/admin/reference/ModuleKESSSTS.html), only 3 values are supported.
It is not clear where those other values are coming from, but we suspect the value of the encryptionAlgorithm from the metadata has been reused for the EncryptionKeyTransportAlgorithm.
On ISAM 9, only 2 values seem to be supported: 'Key transport algorithm used to encrypt and decrypt keys. Valid values are "RSA-v1.5" and "RSA-OAEP". If not provided, the default value is "RSA-OAEP".'
I found that info on https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/develop/rapi/index.html, choose "Secure: Federation > Manage > Federations > Create a new partner" and look for the documentation on EncryptionSettingsData (encryptionKeyTransportAlgorithm).
We would like to keep configuration changes between TFIM and ISAM Federation as minimal as possible, but here we don't know how to configure ISAM9 to use any of the aes or the rsa-sha256 algorithms...
It would be greatly appreciated if someone could give some pointers in the right direction...
Kind regards,
------------------------------
Kristof Goossens
------------------------------
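
Added example (not part of the original post and not IBM code): a small audit that sorts the six exported values by the role the W3C XML Signature and XML Encryption specifications give each URI, and maps only the key transport URIs to the two ISAM 9 values quoted above. The partner names and the input dictionary are constructed, and the pairing of `rsa-1_5` with "RSA-v1.5" and `rsa-oaep-mgf1p` with "RSA-OAEP" is an assumption based on the algorithm names.

```python
# Key transport URIs (W3C XML Encryption) -> ISAM 9 encryptionKeyTransportAlgorithm
# value. The pairing is an assumption based on the algorithm names.
KEY_TRANSPORT = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5": "RSA-v1.5",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p": "RSA-OAEP",
}
# URIs from the export that identify other kinds of algorithm.
OTHER_ROLES = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "signature algorithm",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc": "block encryption algorithm",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm": "block encryption algorithm",
}

def classify(uri):
    """Return (isam_value, note); isam_value is None unless uri is a key transport URI."""
    uri = uri.strip()
    if uri in KEY_TRANSPORT:
        return KEY_TRANSPORT[uri], "key transport algorithm"
    if uri in OTHER_ROLES:
        return None, OTHER_ROLES[uri] + ", not a key transport algorithm"
    if "#" not in uri:
        return None, "no algorithm fragment, not an algorithm identifier"
    return None, "unrecognised algorithm URI"

def migration_report(exported):
    """Split partners into directly mappable ones and ones needing manual review."""
    mapped, review = {}, {}
    for partner, uri in exported.items():
        value, note = classify(uri)
        if value is not None:
            mapped[partner] = value
        else:
            review[partner] = note
    return mapped, review

# Constructed sample: hypothetical partner names with the six values from the post.
SAMPLE_EXPORT = {
    "sp-a": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "sp-b": "http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html",
    "sp-c": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "sp-d": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "sp-e": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "sp-f": "http://www.w3.org/2009/xmlenc11#aes128-gcm",
}

if __name__ == "__main__":
    mapped, review = migration_report(SAMPLE_EXPORT)
    for partner, value in sorted(mapped.items()):
        print(f"{partner}: set encryptionKeyTransportAlgorithm to {value}")
    for partner, note in sorted(review.items()):
        print(f"{partner}: review manually ({note})")
```

Partners in the review group hold a value that is not a key transport identifier, so the ISAM 9 key transport setting has no direct equivalent for it.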