Package org.forgerock.opendj.security
KeyStore
service. The key store has the type "LDAP" and alias "OPENDJ" and can be created
using a number of approaches. Firstly, by directly calling one of the factory methods in OpenDjSecurityProvider
:
ConnectionFactory ldapServer = ...; Dn keyStoreBaseDn = Dn.valueOf("ou=key store,dc=example,dc=com"); Options options = Options.defaultOptions(); KeyStore ldapKeyStore = OpenDjSecurityProvider.newLdapKeyStore(ldapServer, keyStoreBaseDn, options);
Alternatively, if the OpenDJ security provider is registered with the JVM's JCA framework together with a suitable configuration file, then an LDAP key store can be created like this:
KeyStore ldapKeyStore = KeyStore.getInstance("LDAP"); ldapKeyStore.load(null);
The configuration file should be specified as the provider argument in the JVM's security configuration. It supports the following options:
# If this option is set then the LDAP key store will be LDIF file based. This is useful for testing. org.forgerock.opendj.security.ldif=/path/to/keystore.ldif # Otherwise use LDAP. Note that only a simple single-server configuration is supported for now since applications # are expected to configure directly using KeyStore.load(KeyStoreParameters). org.forgerock.opendj.security.host=localhost org.forgerock.opendj.security.port=1389 org.forgerock.opendj.security.bindDn=uid=admin org.forgerock.opendj.security.bindPassword=password # The base DN beneath which key store entries will be located. org.forgerock.opendj.security.keyStoreBaseDn=ou=key store,dc=example,dc=com
Interacting with an LDAP/LDIF key store using Java's "keytool" command is a little complicated if the OpenDJ provider is not configured in the JVM due to the need to specify the class-path:
# Generate an RSA private key entry: keytool -J-cp -J/path/to/opendj/server/lib/bootstrap-client.jar \ -providerName OpenDJ -providerClass org.forgerock.opendj.security.OpenDjSecurityProvider \ -providerArg /path/to/keystore.conf \ -storetype LDAP -keystore NONE -storepass changeit -keypass changeit \ -genkey -alias "private-key" -keyalg rsa \ -ext "san=dns:localhost.example.com" \ -dname "CN=localhost.example.com,O=Example Corp,C=FR" # Generate an AES secret key entry: keytool -J-cp -J/path/to/opendj/server/lib/bootstrap-client.jar \ -providerName OpenDJ -providerClass org.forgerock.opendj.security.OpenDjSecurityProvider \ -providerArg /path/to/keystore.conf \ -storetype LDAP -keystore NONE -storepass changeit -keypass changeit \ -genseckey -alias "secret-key" -keyalg AES -keysize 128 # Import a trusted certificate from raw ASN1 content: keytool -J-cp -J/path/to/opendj/server/lib/bootstrap-client.jar \ -providerName OpenDJ -providerClass org.forgerock.opendj.security.OpenDjSecurityProvider \ -providerArg /path/to/keystore.conf \ -storetype LDAP -keystore NONE -storepass changeit -keypass changeit \ -importcert -alias "trusted-cert" -file /path/to/cert.crt # Import a trusted certificate from PEM file: keytool -J-cp -J/path/to/opendj/server/lib/bootstrap-client.jar \ -providerName OpenDJ -providerClass org.forgerock.opendj.security.OpenDjSecurityProvider \ -providerArg /path/to/keystore.conf \ -storetype LDAP -keystore NONE -storepass changeit -keypass changeit \ -importcert -alias "trusted-cert" -file /path/to/cert.pem # List the contents of the key store: keytool -J-cp -J/path/to/opendj/server/lib/bootstrap-client.jar \ -providerName OpenDJ -providerClass org.forgerock.opendj.security.OpenDjSecurityProvider \ -providerArg /path/to/keystore.conf \ -storetype LDAP -keystore NONE -storepass changeit -keypass changeit \ -list -v
The LDAP key store will store objects in entries directly beneath the key store's base DN. The base DN entry is expected to already exist. Private key and secret key entries are protected by 128-bit AES symmetric key derived using PBKDF2 from the key's password, if provided, and the key store's global password, if provided. If both passwords are provided then the keys will be encrypted twice. This does not provide additional protection but does provide more control over access to a single key store. For example, multiple applications may be able to access a single key store, with each application protecting their sensitive data using their individual password.
The LDAP schema used for the key store is contained in this JAR as resource and can be obtained using OpenDjSecurityProviderSchema.getSchemaLdifResource()
. Alternatively, clients may build
a Schema
using the method
OpenDjSecurityProviderSchema.addOpenDjSecurityProviderSchema(org.forgerock.opendj.ldap.schema.SchemaBuilder)
.
-
Interface Summary Interface Description ExternalKeyWrappingStrategy A service provider interface for externalizing the strategy used for wrapping individual private/secret keys.KeyStoreObjectCache A service provider interface for implementing key store caches. -
Class Summary Class Description DeploymentId A deployment ID, together with its password, facilitates the generation of the cryptographic keys required to protect a deployment, such as a root CA key-pair for SSL/TLS and a master key-pair for protecting symmetric keys used for data encryption.DeploymentId.DeploymentIdParameters The deployment ID information to be displayed by the deployment ID tool.KeyManagers This class contains methods for creating common types of key manager.KeyStoreParameters The parameters which configure how the LDAP key store will be accessed.OpenDjSecurityProvider The OpenDJ LDAP security provider which exposes an LDAP/LDIF basedKeyStore
service, as well as providing utility methods facilitating construction of LDAP/LDIF based key stores.OpenDjSecurityProviderSchema Utility methods for accessing the LDAP schema elements required in order to support the OpenDJ security provider.ScramCredential The SCRAM credential data persisted in the server using the representation described in RFC 5803 which is a specialization of RFC 3112.ScramCredentialCallback Server-side callback for obtaining the stored SCRAM credential for a given user and mechanism.ScramMechanism SslOptions Encapsulates options for configuring SSL based security as well as providing methods for buildingSSLEngine
s.TrustManagers This class contains methods for creating common types of trust manager.X509CertificateBuilder A class for building X509 certificates as described in RFC 5280. -
Enum Summary Enum Description SslOptions.ClientAuthPolicy Represents the client authentication policy option.X509CertificateBuilder.ExtendedKeyUsage An enumeration of extended key usages.X509CertificateBuilder.KeyUsage An enumeration of key usages. -
Exception Summary Exception Description LocalizedKeyStoreException A localizedKeyStoreException
.