Class KeyStoreParameters

java.lang.Object
org.forgerock.opendj.security.KeyStoreParameters
All Implemented Interfaces:
KeyStore.LoadStoreParameter

public final class KeyStoreParameters extends Object implements KeyStore.LoadStoreParameter
The parameters which configure how the LDAP key store will be accessed. The connection factory should be configured to return connections which are already authenticated as a user having sufficient privileges to read and update LDAP key store entries. In addition, the factory should use connection pooling in order to avoid excessive reconnection when the key store is accessed frequently.
  • Field Details

    • GLOBAL_PASSWORD

      public static final Option<Factory<char[]>> GLOBAL_PASSWORD
      The optional password which is used to protect all private and secret keys. Note that individual keys may be protected by a separate password. The default value for this option is a password factory which always returns null, indicating that there is no global password and that separate passwords should be used instead.

      Applications should provide a factory which returns a new copy of the same password on every call. The LDAP key store destroys (zeroes) the contents of each returned array after use, so a factory that hands out the same array twice will supply an all-zero password on the second call. It is the responsibility of the factory to protect the in-memory master copy of the password between successive calls and to wipe it once the key store is no longer needed.

    • CACHE

      public static final Option<KeyStoreObjectCache> CACHE
      The caching mechanism that the key store will use. Caching can significantly increase performance by reducing interactions with the backend LDAP server(s), at the risk of returning stale key store objects for a period of time. By default caching is disabled.
    • PBKDF2_ITERATIONS

      public static final Option<Integer> PBKDF2_ITERATIONS
      The number of iterations to use when deriving encryption keys from passwords using PBKDF2. The default is 10000, the minimum NIST SP 800-63B recommends for PBKDF2. Treat it as a floor: the iteration count is the main per-guess cost an attacker pays when brute-forcing a password-wrapped key taken from the directory, so raise it as far as the server's CPU budget allows. It only applies to the key store's built-in PBKDF2 wrapping, not to an EXTERNAL_KEY_WRAPPING_STRATEGY.
    • PBKDF2_SALT_SIZE

      public static final Option<Integer> PBKDF2_SALT_SIZE
      The number of random bytes to use as the salt when deriving encryption keys from passwords using PBKDF2. The default is 16 (128 bits), the minimum salt length NIST SP 800-132 recommends.
    • EXTERNAL_KEY_WRAPPING_STRATEGY

      public static final Option<ExternalKeyWrappingStrategy> EXTERNAL_KEY_WRAPPING_STRATEGY
      An alternative external mechanism for wrapping private and secret keys in the key store, for example one backed by an HSM or key management service. By default the key store uses its own mechanism, PBKDF2 (see PBKDF2_ITERATIONS and PBKDF2_SALT_SIZE) applied to the global password if one is provided, otherwise to the per-key passwords.
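The GLOBAL_PASSWORD contract above is easy to get wrong: the key store zeroes every array the factory returns, so a factory that returns the same array twice silently hands over an all-zero password the second time. The following is an added example, not code from the OpenDJ page or project, of a factory that meets the contract, contrasted with the shared-array mistake. It assumes org.forgerock.util.Factory is the single-method interface (newInstance()) from forgerock-util; the sample password is constructed for the demonstration.

```java
import java.util.Arrays;
import org.forgerock.util.Factory;

/**
 * Added example, not OpenDJ code. A Factory<char[]> for GLOBAL_PASSWORD that
 * honours the field Javadoc: the key store destroys every array it is handed,
 * so each call returns a fresh copy, and the factory keeps the master copy
 * private and wipes it when the key store is no longer needed.
 */
public final class ClonedPasswordFactory implements Factory<char[]>, AutoCloseable {
    private final char[] master;
    private boolean closed;

    /** Takes ownership of the password: the caller's array is wiped so only one live copy remains. */
    public ClonedPasswordFactory(char[] password) {
        this.master = password.clone();
        Arrays.fill(password, '\0');
    }

    @Override
    public synchronized char[] newInstance() {
        if (closed) {
            throw new IllegalStateException("password factory already closed");
        }
        // Never return the master itself: the key store zeroes whatever it receives.
        return master.clone();
    }

    /** Wipes the in-memory master copy; call once the key store is done. */
    @Override
    public synchronized void close() {
        closed = true;
        Arrays.fill(master, '\0');
    }

    /** The mistake the Javadoc warns about: handing out the same array on every call. */
    static Factory<char[]> sharedArrayFactory(char[] password) {
        return () -> password;
    }

    public static void main(String[] args) {
        // Constructed sample password for the demonstration.
        char[] pw = "correct horse battery staple".toCharArray();

        try (ClonedPasswordFactory good = new ClonedPasswordFactory(pw.clone())) {
            char[] first = good.newInstance();
            Arrays.fill(first, '\0');                 // simulate the key store destroying it
            if (!Arrays.equals(good.newInstance(), pw)) {
                throw new AssertionError("second copy must still hold the password");
            }
        }

        Factory<char[]> bad = sharedArrayFactory(pw.clone());
        Arrays.fill(bad.newInstance(), '\0');          // the key store destroys the shared array
        if (bad.newInstance()[0] != '\0') {
            throw new AssertionError("expected the shared array to have been wiped");
        }
        System.out.println("shared-array factory loses the password after first use; cloning factory does not");
    }
}
```

Use an instance of the cloning class as the GLOBAL_PASSWORD option value and close it after the last key store operation; do not pass a lambda that captures and returns the master array directly.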
  • Method Details

    • newKeyStoreParameters

      public static KeyStoreParameters newKeyStoreParameters(ConnectionFactory factory, Dn baseDN)
      Creates a set of LDAP key store parameters with default options. See the class Javadoc for more information about the parameters.
      Parameters:
      factory - The LDAP connection factory.
      baseDN - The DN of the subtree containing the LDAP key store.
      Returns:
      The key store parameters.
    • newKeyStoreParameters

      public static KeyStoreParameters newKeyStoreParameters(ConnectionFactory factory, Dn baseDN, Options options)
      Creates a set of LDAP key store parameters with custom options. See the class Javadoc for more information about the parameters.
      Parameters:
      factory - The LDAP connection factory.
      baseDN - The DN of the subtree containing the LDAP key store.
      options - The optional key store parameters, including the cache configuration, key store password, and crypto parameters. The supported options are defined in this class.
      Returns:
      The key store parameters.
    • getProtectionParameter

      public KeyStore.ProtectionParameter getProtectionParameter()
      Returns the parameter used to protect key store data, as required by KeyStore.LoadStoreParameter. It is the KeyStore.ProtectionParameter type that KeyStore.getEntry and KeyStore.setEntry accept, so callers working with this key store can pass it through rather than constructing a separate PasswordProtection.
      Specified by:
      getProtectionParameter in interface KeyStore.LoadStoreParameter
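Putting the class together: the class Javadoc asks for a pooled, pre-authenticated connection factory, and the field and method details above describe the options and the protection parameter. The following is an added example, not OpenDJ's own code, of building KeyStoreParameters with hardened options and loading the key store through the standard java.security.KeyStore API. The host, port, bind DN, base DN and alias are made up; LdapConnectionFactory.AUTHN_BIND_REQUEST, Connections.newCachedConnectionPool, OpenDjSecurityProvider and the "LDAP" key store type are assumptions about the OpenDJ 4.x SDK rather than facts stated on this page. Whether writes are persisted immediately is not specified here, so store(params) is called explicitly.

```java
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.Connections;
import org.forgerock.opendj.ldap.Dn;
import org.forgerock.opendj.ldap.LdapConnectionFactory;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.security.KeyStoreParameters;
import org.forgerock.opendj.security.OpenDjSecurityProvider;
import org.forgerock.util.Options;

/**
 * Added example, not OpenDJ code. Host, port, DNs and alias are made up; the
 * connection wiring and the provider / key store type name are assumptions
 * about the OpenDJ 4.x SDK.
 */
public final class LdapKeyStoreExample {

    /** Pooled, pre-authenticated factory plus hardened options, as the class Javadoc asks. */
    static KeyStoreParameters buildParameters(char[] bindPassword, final char[] globalPassword) {
        // Assumption: AUTHN_BIND_REQUEST makes every pooled connection bind before use.
        // Production deployments should also set the SDK's SSL options; omitted here.
        Options connOptions = Options.defaultOptions()
            .set(LdapConnectionFactory.AUTHN_BIND_REQUEST,
                 Requests.newSimpleBindRequest(
                     "cn=keystore-admin,ou=services,dc=example,dc=com", bindPassword));
        ConnectionFactory pooled = Connections.newCachedConnectionPool(
            new LdapConnectionFactory("ldap.example.com", 1389, connOptions));

        Options ksOptions = Options.defaultOptions()
            // Fresh copy on every call: the key store zeroes the array it receives.
            .set(KeyStoreParameters.GLOBAL_PASSWORD, () -> globalPassword.clone())
            // Above the 10000 default; tune to the directory server's CPU budget.
            .set(KeyStoreParameters.PBKDF2_ITERATIONS, 100_000)
            .set(KeyStoreParameters.PBKDF2_SALT_SIZE, 32);

        return KeyStoreParameters.newKeyStoreParameters(
            pooled, Dn.valueOf("ou=keystore,dc=example,dc=com"), ksOptions);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the provider registers the "LDAP" key store type.
        Security.addProvider(new OpenDjSecurityProvider());

        char[] bindPassword = System.console().readPassword("Bind password: ");
        char[] globalPassword = System.console().readPassword("Key store password: ");
        KeyStoreParameters params = buildParameters(bindPassword, globalPassword);

        KeyStore ks = KeyStore.getInstance("LDAP");
        ks.load(params);

        // Store and read back a secret key using the protection parameter from the
        // same parameters object (getProtectionParameter above).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        ks.setEntry("app-data-key", new KeyStore.SecretKeyEntry(key), params.getProtectionParameter());
        ks.store(params);

        KeyStore.Entry entry = ks.getEntry("app-data-key", params.getProtectionParameter());
        System.out.println("read back secret key entry: " + (entry instanceof KeyStore.SecretKeyEntry));

        // Done with the key store: wipe the global password master copy.
        Arrays.fill(globalPassword, '\0');
    }
}
```

The bind identity used by the pool needs only the directory privileges required to read and update the key store subtree; keep it separate from any directory administrator account, and keep the global password out of configuration files so that a copy of the LDAP entries alone does not yield the wrapped keys.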