PingDirectory

Configuring key and trust manager providers

After you have a key store, configure a key manager provider to access it.

The server is preconfigured with key manager providers, JKS and PKCS12, that you can use with JKS or PKCS #12 key stores, respectively. In most cases, you can update the appropriate key manager provider to reference the key store that you plan to use, as shown in the following example:

dsconfig set-key-manager-provider-prop \
    --provider-name JKS \
    --set enabled:true \
    --set key-store-file:config/keystore \
    --set key-store-pin-file:config/keystore.pin

A similar change configures a trust manager provider to reference the appropriate trust store, as shown in the following example:

dsconfig set-trust-manager-provider-prop \
    --provider-name JKS \
    --set enabled:true \
    --set include-jvm-default-issuers:true \
    --set trust-store-file:config/truststore \
    --set trust-store-pin-file:config/truststore.pin

If all clients and servers use certificates that are signed by issuers and are included in the JVM’s default trust store, you can use the JVM-Default trust manager provider to accomplish this task.

Caching key and trust managers

When you create key and trust manager providers, caching is enabled by default, allowing the manager providers to avoid loading key store and trust store files from disk when establishing connections to process requests.

Invalidating the cache

The manager provider reloads files from the configured key store or trust store and refreshes the cache under any of the following conditions:

  • The cached manager for the configured store has a null value.

  • The path to the cached store doesn’t match the path of the configured store.

  • The length of the cached store doesn’t match the length of the configured store.

  • The last-updated time for the cached store doesn’t match the last-updated time for the configured store.

Enabling or disabling caching (optional)

You can define whether caching is enabled by using the enable-key-manager-caching or enable-trust-manager-caching properties. Supply a value of false to disable caching, causing manager providers to load managers for each connection. Supply a value of true to re-enable caching.

To create a key manager provider with caching disabled, supply the enable-key-manager-caching property with a value of false, as shown in the following example:

dsconfig create-key-manager-provider \
    --provider-name JKS \
    --type file-based \
    --set enabled:true \
    --set key-store-file:config/keystore \
    --set key-store-type:JKS \
    --set key-store-pin-file:config/keystore.pin \
    --set enable-key-manager-caching:false

To create a trust manager provider with caching disabled, supply the enable-trust-manager-caching property with a value of false, as shown in the following example:

dsconfig create-trust-manager-provider \
    --provider-name JKS \
    --type file-based \
    --set enabled:true \
    --set trust-store-file:config/truststore \
    --set trust-store-type:JKS \
    --set enable-trust-manager-caching:false

To re-enable caching, set a value of true for the same caching property used to create the manager provider, as shown in the following example:

dsconfig set-trust-manager-provider-prop \
    --provider-name JKS \
    --set enable-trust-manager-caching:true