---
title: Configuring key and trust manager providers
description: After you have a key store, configure a key manager provider to access it.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_config_key_trust_mgr
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_config_key_trust_mgr.html
revdate: September 13, 2023
section_ids:
  caching-key-and-trust-managers: Caching key and trust managers
  invalidating-the-cache: Invalidating the cache
  enabling-or-disabling-caching-optional: Enabling or disabling caching (optional)
---

# Configuring key and trust manager providers

After you have a key store, configure a key manager provider to access it.

The server is preconfigured with key manager providers, `JKS` and `PKCS12`, that you can use with JKS or PKCS #12 key stores, respectively. In most cases, you can update the appropriate key manager provider to reference the key store that you plan to use, as shown in the following example:

```
dsconfig set-key-manager-provider-prop \
    --provider-name JKS \
    --set enabled:true \
    --set key-store-file:config/keystore \
    --set key-store-pin-file:config/keystore.pin
```

A similar change configures a trust manager provider to reference the appropriate trust store, as shown in the following example:

```
dsconfig set-trust-manager-provider-prop \
    --provider-name JKS \
    --set enabled:true \
    --set include-jvm-default-issuers:true \
    --set trust-store-file:config/truststore \
    --set trust-store-pin-file:config/truststore.pin
```

If all clients and servers use certificates that are signed by issuers included in the JVM's default trust store, you can use the `JVM-Default` trust manager provider to accomplish this task.

## Caching key and trust managers

When you create key and trust manager providers, caching is enabled by default, allowing the manager providers to avoid loading key store and trust store files from disk when establishing connections to process requests.

### Invalidating the cache

The manager provider reloads files from the configured key store or trust store and refreshes the cache under any of the following conditions:

* The cached manager for the configured store has a `null` value.

* The path to the cached store doesn't match the path of the configured store.

* The length of the cached store doesn't match the length of the configured store.

* The last-updated time for the cached store doesn't match the last-updated time for the configured store.
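
The conditions above, modeled as a shell check that can be run after replacing a store file. This is an added example, not PingDirectory code: the function names `store_snapshot` and `reload_reason`, the `store-missing` result, and the sample files are assumptions constructed here, and timestamps are compared at whole-second resolution.

```shell
#!/bin/sh
# Added example: a model of the listed reload conditions, not PingDirectory code.

# Print "length|mtime|path" for a store file; print nothing if it is missing.
store_snapshot() {
    [ -f "$1" ] || return 0
    # GNU stat first, BSD stat as fallback; both report whole seconds.
    printf '%s|%s|%s\n' "$(wc -c < "$1" | tr -d ' ')" \
        "$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")" "$1"
}

# $1 = snapshot taken when the manager was cached ("" = nothing cached yet)
# $2 = path of the store the provider is configured with now
# Prints the first condition that would force a reload, or "cached" if none.
reload_reason() (
    cached=$1
    now=$(store_snapshot "$2")
    [ -n "$cached" ] || { echo no-cached-manager; exit 0; }
    [ -n "$now" ]    || { echo store-missing; exit 0; }   # assumption: not on the page
    c_len=${cached%%|*}; c_rest=${cached#*|}
    n_len=${now%%|*};    n_rest=${now#*|}
    if   [ "${c_rest#*|}"  != "${n_rest#*|}"  ]; then echo path-changed
    elif [ "$c_len"        != "$n_len"        ]; then echo length-changed
    elif [ "${c_rest%%|*}" != "${n_rest%%|*}" ]; then echo mtime-changed
    else echo cached
    fi
)

# Demo on constructed stand-in files (not real key stores).
demo() (
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    printf 'old-cert' > "$d/keystore"; touch -t 202401010000 "$d/keystore"
    snap=$(store_snapshot "$d/keystore")
    # Same-length replacement with the old timestamp kept, as `cp -p` can do.
    printf 'new-cert' > "$d/keystore"; touch -t 202401010000 "$d/keystore"
    echo "same length, same mtime: $(reload_reason "$snap" "$d/keystore")"
    touch -t 202401010001 "$d/keystore"
    echo "after touch:             $(reload_reason "$snap" "$d/keystore")"
)
demo
```

A result of `cached` after a rotation means none of the listed conditions is met for the new file; updating the file's modification time with `touch` changes that.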

### Enabling or disabling caching (optional)

You can define whether caching is enabled by using the `enable-key-manager-caching` or `enable-trust-manager-caching` properties. Supply a value of `false` to disable caching, causing manager providers to load managers for each connection. Supply a value of `true` to re-enable caching.

To create a key manager provider with caching disabled, supply the `enable-key-manager-caching` property with a value of `false`, as shown in the following example:

```
dsconfig create-key-manager-provider \
    --provider-name JKS \
    --type file-based \
    --set enabled:true \
    --set key-store-file:config/keystore \
    --set key-store-type:JKS \
    --set key-store-pin-file:config/keystore.pin \
    --set enable-key-manager-caching:false
```

To create a trust manager provider with caching disabled, supply the `enable-trust-manager-caching` property with a value of `false`, as shown in the following example:

```
dsconfig create-trust-manager-provider \
    --provider-name JKS \
    --type file-based \
    --set enabled:true \
    --set trust-store-file:config/truststore \
    --set trust-store-type:JKS \
    --set enable-trust-manager-caching:false
```

To re-enable caching, set a value of `true` for the same caching property used to create the manager provider, as shown in the following example:

```
dsconfig set-trust-manager-provider-prop \
    --provider-name JKS \
    --set enable-trust-manager-caching:true
```
