Directory Services 7.3.5

Crypto Manager

The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.

Dependencies

Crypto Managers depend on the following objects:

Crypto Manager properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

key-manager-provider
key-wrapping-transformation
master-key-alias

cipher-key-length
cipher-transformation
digest-algorithm
key-wrapping-mode
mac-algorithm
mac-key-length

Basic properties

Use the --advanced option to access advanced properties.

key-manager-provider

Synopsis

The name of the key manager containing the master key-pair and any deprecated master key.

Description

The master key, which is identified using the "master-key-alias" property, will be used for encrypting secrets that are generated and distributed across the deployment. Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The alias must correspond to a PrivateKeyEntry in the keystore and is typically an RSA key-pair.

Default value

None

Allowed values

The name of an existing key-manager-provider.

The referenced key manager provider must be enabled.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

key-wrapping-transformation

Synopsis

The preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology.

Default value

RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING

Allowed values

The key wrapping transformation.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change.

Advanced

No

Read-only

No

master-key-alias

Synopsis

The alias of the master key-pair which should be used for encrypting secrets that are generated and distributed across the deployment.

Description

Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The master key alias reference a PrivateKeyEntry in the keystore which is typically an RSA key-pair.

Default value

None

Allowed values

A string.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

cipher-key-length

Synopsis

Specifies the key length in bits for the preferred cipher.

Default value

128

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No

cipher-transformation

Synopsis

Specifies the cipher for the directory server using the syntax algorithm/mode/padding.

Description

The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms do not have a mode or padding, hence the fields must be specified using NONE as mode and NoPadding as padding. For example, ChaCha20/NONE/NoPadding.

Default value

AES/CBC/PKCS5Padding

Allowed values

The cipher transformation.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No

digest-algorithm

Synopsis

Specifies the preferred message digest algorithm for the directory server.

Default value

SHA-256

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately and only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No

key-wrapping-mode

Synopsis

Defines which crypto operation to use to wrap symmetric keys for storage.

Description

Symmetric keys are wrapped either by direct encryption or by using the wrap cipher mode, depending on the configured crypto provider capabilities or key type.

Default value

encrypt

Allowed values

  • encrypt: Use the cipher ENCRYPT mode to wrap symmetric keys

  • wrap: Use the cipher WRAP mode to wrap symmetric keys

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

mac-algorithm

Synopsis

Specifies the preferred MAC algorithm for the directory server.

Default value

HmacSHA256

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No

mac-key-length

Synopsis

Specifies the key length in bits for the preferred MAC algorithm.

Default value

128

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-only

No