Configure passphrase providers
Passphrase providers give the server access, through an extensible API, to clear-text passphrases, application programming interface (API) keys, and other secrets that are needed for essential processing tasks.
These secrets can be used to:
- Access external services. For example, the PingDirectoryProxy server can use a clear-text secret to obtain the credentials needed for authentication to backend directories, and the PingDataSync server can use a secret for authentication to the synchronization source and destination servers.
- Access certificate key and trust stores.
- Reversibly encrypt passwords stored in the LDAP changelog. This allows PingDataSync to decrypt these passwords and send the clear-text value to the destination server.
The PingDirectory server supports the following passphrase providers:
- Amazon Secrets Manager passphrase provider
  Reads a passphrase from the Amazon AWS Secrets Manager service. The provider can only be used with string secrets, for which the Secrets Manager service returns the secret as a JavaScript Object Notation (JSON) object; it cannot be used with secrets stored in binary form.
- Azure Key Vault passphrase provider
  Reads a passphrase from the Microsoft Azure Key Vault service.
- Conjur passphrase provider
  Reads a passphrase from a CyberArk Conjur instance.
- Environment Variable passphrase provider
  Reads a passphrase from a specified environment variable.
- File-based passphrase provider
  Reads a passphrase from a specified file. The contents of the file can be encrypted with a key from the server’s encryption settings database.
- Obscured-value passphrase provider
  Reads a passphrase that is stored directly in the server configuration. Although this passphrase is encrypted, the encryption uses a hard-coded key that an attacker can use to obtain the clear-text value. As a result, you should not depend solely on this provider’s obfuscation to keep the passphrase secret.
- Third-party passphrase provider
  Reads a passphrase using a third-party implementation built with the UnboundID Server SDK. This provider supports the read-only extension-class property for specifying the Java class that extends or implements the SDK, and the extension-argument property for customizing the provider’s behavior.
- Vault passphrase provider
  Reads a passphrase from a HashiCorp Vault instance.
For example, to create an Amazon Secrets Manager passphrase provider, define the new passphrase provider in the server configuration:
```shell
dsconfig create-passphrase-provider \
  --provider-name "Amazon Secrets Manager" \
  --type amazon-secrets-manager \
  --set enabled:true \
  --set aws-external-server:[AWS_EXTERNAL_SERVER_DN] \
  --set secret-id:[AWS_SECRET_ID] \
  --set secret-field-name:[SECRET_JSON_FIELD]
```
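The Amazon Secrets Manager constraint described above (only string secrets, returned as a JSON object, with the passphrase taken from the field named by secret-field-name) is illustrated by the following added Python example. It is not PingDirectory's own code: it only mimics the shape of the service response, and the responses are constructed inline rather than fetched from AWS.

```python
import json

class PassphraseUnavailable(Exception):
    """The secret cannot yield a clear-text passphrase."""

def extract_passphrase(response: dict, secret_field_name: str) -> str:
    """Return the passphrase held in one field of a JSON string secret.

    `response` is shaped like the dict boto3's get_secret_value() returns
    (constructed here, not a live call); `secret_field_name` plays the role
    of the provider's secret-field-name property. Unsupported shapes are
    rejected rather than guessed at.
    """
    if "SecretString" not in response:
        if "SecretBinary" in response:
            raise PassphraseUnavailable(
                "secret is stored in binary form; only string secrets are supported")
        raise PassphraseUnavailable("response carries neither SecretString nor SecretBinary")
    try:
        obj = json.loads(response["SecretString"])
    except (TypeError, json.JSONDecodeError):
        raise PassphraseUnavailable("SecretString is not a JSON document") from None
    if not isinstance(obj, dict):
        raise PassphraseUnavailable("SecretString is JSON but not a JSON object")
    if secret_field_name not in obj:
        raise PassphraseUnavailable(f"field {secret_field_name!r} is absent from the secret")
    value = obj[secret_field_name]
    if not isinstance(value, str) or value == "":
        raise PassphraseUnavailable(f"field {secret_field_name!r} is not a non-empty string")
    return value

def describe(response: dict, secret_field_name: str) -> str:
    """Summarise the outcome without echoing the passphrase value itself."""
    try:
        extract_passphrase(response, secret_field_name)
        return "ok"
    except PassphraseUnavailable as exc:
        return f"unavailable: {exc}"

# Constructed sample responses (placeholder names, not real secrets).
STRING_SECRET = {"Name": "ldap/keystore",
                 "SecretString": json.dumps({"keystore-pin": "s3cr3t", "rotated": 2})}
BINARY_SECRET = {"Name": "ldap/keystore-bin", "SecretBinary": b"\x00\x01\x02"}
PLAIN_SECRET = {"Name": "ldap/plain", "SecretString": "just-a-password"}

if __name__ == "__main__":
    for name, resp in [("string", STRING_SECRET), ("binary", BINARY_SECRET), ("plain", PLAIN_SECRET)]:
        print(name, "->", describe(resp, "keystore-pin"))
```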
After you’ve created a passphrase provider, you must update the global configuration of the components that use the provider. For example, if you want to use the passphrase provider to obtain the PIN needed for accessing a certificate key store, you must set the key-store-pin-passphrase-provider property in the key manager configuration.