Class KeyStoreParameters

  • All Implemented Interfaces:
    KeyStore.LoadStoreParameter

    public final class KeyStoreParameters
    extends Object
    implements KeyStore.LoadStoreParameter
    The parameters which configure how the LDAP key store will be accessed. The connection factory should be configured to return connections which are already authenticated as a user having sufficient privileges to read and update LDAP key store entries. In addition, the factory should use connection pooling in order to avoid excessive reconnection when the key store is accessed frequently.
    • Field Detail

      • GLOBAL_PASSWORD

        public static final Option<Factory<char[]>> GLOBAL_PASSWORD
        The optional password which is used to protect all private and secret keys. Note that individual keys may be protected by a separate password. The default value for this option is a password factory which always returns null, indicating that there is no global password and that separate passwords should be used instead.

        Applications should provide a factory which always returns a new instance of the same password. The LDAP key store will destroy the contents of the returned password after each use. It is the responsibility of the factory to protect the in-memory representation of the password between successive calls.

        See Also:
        OpenDjSecurityProvider.newClearTextPasswordFactory(char[])
      • PBKDF2_ITERATIONS

        public static final Option<Integer> PBKDF2_ITERATIONS
        The number of iterations to use when deriving encryption keys from passwords using PBKDF2. The default is 10000 as recommended by NIST.
      • PBKDF2_SALT_SIZE

        public static final Option<Integer> PBKDF2_SALT_SIZE
        The number of random bytes to use as the salt when deriving encryption keys from passwords using PBKDF2. The default is 16.
      • EXTERNAL_KEY_WRAPPING_STRATEGY

        public static final Option<ExternalKeyWrappingStrategy> EXTERNAL_KEY_WRAPPING_STRATEGY
        An alternative external mechanism for wrapping private and secret keys in the key store. By default, the key store will use its own mechanism based on PBKDF2 and a global password if provided.
    • Method Detail

      • newKeyStoreParameters

        public static KeyStoreParameters newKeyStoreParameters(ConnectionFactory factory,
                                                               Dn baseDN)
        Creates a set of LDAP key store parameters with default options. See the class Javadoc for more information about the parameters.
        Parameters:
        factory - The LDAP connection factory.
        baseDN - The DN of the subtree containing the LDAP key store.
        Returns:
        The key store parameters.
      • newKeyStoreParameters

        public static KeyStoreParameters newKeyStoreParameters(ConnectionFactory factory,
                                                               Dn baseDN,
                                                               Options options)
        Creates a set of LDAP key store parameters with custom options. See the class Javadoc for more information about the parameters.
        Parameters:
        factory - The LDAP connection factory.
        baseDN - The DN of the subtree containing the LDAP key store.
        options - The optional key store parameters, including the cache configuration, key store password, and crypto parameters. The supported options are defined in this class.
        Returns:
        The key store parameters.
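        Putting the class description and the options together, the following is an added example (not code from the OpenDJ project or this Javadoc) that builds an authenticated, pooled connection factory, sets the PBKDF2 and global-password options, and loads a java.security.KeyStore through the parameters. Host, port, bind DN, base DN and passwords are placeholders; the "LDAP" key store type name and the Connections/Requests helper calls from the OpenDJ LDAP SDK are assumptions not shown on this page.

```java
import java.security.KeyStore;

import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.Connections;
import org.forgerock.opendj.ldap.Dn;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.security.KeyStoreParameters;
import org.forgerock.opendj.security.OpenDjSecurityProvider;
import org.forgerock.util.Options;

public final class LdapKeyStoreExample {

    public static KeyStore openLdapKeyStore() throws Exception {
        // Placeholder host/port and bind credentials: replace with real values.
        ConnectionFactory raw = new LDAPConnectionFactory("ldap.example.com", 1389);

        // The key store never binds on its own, so every connection the factory
        // hands out must already be authenticated as an identity that can read
        // and update the key store subtree (assumed SDK helper).
        ConnectionFactory authenticated = Connections.newAuthenticatedConnectionFactory(
                raw,
                Requests.newSimpleBindRequest("cn=KeyStore Admin,ou=admins,dc=example,dc=com",
                        "bind-password-placeholder".toCharArray()));

        // Pool the authenticated connections so frequent key store access does
        // not reconnect and re-bind each time (assumed SDK helper).
        ConnectionFactory pooled = Connections.newCachedConnectionPool(authenticated);

        // GLOBAL_PASSWORD takes a factory rather than a char[]: the key store
        // wipes the array it receives after each use, so the factory must hand
        // out a fresh copy every call. newClearTextPasswordFactory does that.
        char[] globalPassword = "keystore-password-placeholder".toCharArray();
        Options options = Options.defaultOptions()
                .set(KeyStoreParameters.GLOBAL_PASSWORD,
                        OpenDjSecurityProvider.newClearTextPasswordFactory(globalPassword))
                .set(KeyStoreParameters.PBKDF2_ITERATIONS, 10000) // the documented default
                .set(KeyStoreParameters.PBKDF2_SALT_SIZE, 16);    // the documented default

        KeyStoreParameters params = KeyStoreParameters.newKeyStoreParameters(
                pooled, Dn.valueOf("ou=keystore,dc=example,dc=com"), options);

        // Assumed: OpenDjSecurityProvider registers a KeyStore type named "LDAP".
        // KeyStoreParameters implements KeyStore.LoadStoreParameter, so it is
        // passed straight to load(...) instead of a stream and password.
        KeyStore keyStore = KeyStore.getInstance("LDAP", new OpenDjSecurityProvider());
        keyStore.load(params);
        return keyStore;
    }
}
```

Omit the GLOBAL_PASSWORD option to keep the documented default (no global password), in which case each key must be protected by its own password when it is stored.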