Package org.opends.server.crypto
Class GetSymmetricKeyExtendedOperation
java.lang.Object
org.opends.server.api.ExtendedOperationHandler<GetSymmetricKeyExtendedOperationHandlerCfg>
org.opends.server.crypto.GetSymmetricKeyExtendedOperation
public final class GetSymmetricKeyExtendedOperation
extends ExtendedOperationHandler<GetSymmetricKeyExtendedOperationHandlerCfg>
This class implements the get symmetric key extended operation, an OpenDS proprietary extension used for distribution
of symmetric keys amongst servers.
Before 7.0 each server had its own instance key-pair. The public keys were published in cn=admin data.
This is no longer the case in 7.0, since there is now a single instance key for the whole topology, which is
referred to as the "master key" and stored in a local keystore.
A pure 7.0 topology should not need to use the GetSymmetricKey request because all servers have the same master
key-pair, so they should all be able to decrypt symmetric keys. However, we still need to deal with
migration (mixed topologies), where the 7.0 master public key should be pre-published in cn=admin data.
There are two scenarios where the GetSymmetricKey request will be used:
- A 7.0 server encounters a symmetric key which has only been encrypted by pre-7.0 servers. In this case it sends a
symmetric key request to a 6.5 server. The 6.5 servers' discovery information will also have been published in
cn=admin data.
- A 6.5 server encounters a symmetric key which has only been encrypted by 7.0 servers. In this case the 6.5
server would need to send a symmetric key request to a 7.0 server. However, 7.0 servers do not publish
discovery information in cn=admin data, so this scenario is not supported for the time being. This scenario should
not happen in practice, because a 7.0 server will automatically encrypt new symmetric keys with the public keys of
all servers in the topology, including 6.5 servers, since their public keys are published in cn=admin data.
Constructor Summary
- GetSymmetricKeyExtendedOperation(): Create an instance of this symmetric key extended operation.
Method Summary
- getExtendedOperationName(): Retrieves the name associated with this extended operation.
- getExtendedOperationOID(): Retrieves the object OID associated with this extended operation.
- processExtendedOperation(ExtendedOperation operation): Processes the provided extended operation.
Methods inherited from class org.opends.server.api.ExtendedOperationHandler:
finalizeExtendedOperationHandler, getServerContext, getSupportedControls, initializeExtendedOperationHandler, isConfigurationAcceptable, supportsControl
Constructor Details
GetSymmetricKeyExtendedOperation
public GetSymmetricKeyExtendedOperation()
Create an instance of this symmetric key extended operation. All initialization should be performed in the
initializeExtendedOperationHandler method.
Method Details
processExtendedOperation
Processes the provided extended operation.
- Specified by: processExtendedOperation in class ExtendedOperationHandler<GetSymmetricKeyExtendedOperationHandlerCfg>
- Parameters: operation - The extended operation to be processed.
- Returns: The result of processing the extended operation.
- Throws: LdapException - If the extended operation failed. The exception's result will be returned to the client.
getExtendedOperationOID
Description copied from class: ExtendedOperationHandler
Retrieves the object OID associated with this extended operation.
- Specified by: getExtendedOperationOID in class ExtendedOperationHandler<GetSymmetricKeyExtendedOperationHandlerCfg>
- Returns: The OID associated with this extended operation, if any, or null if there is none.
getExtendedOperationName
Description copied from class: ExtendedOperationHandler
Retrieves the name associated with this extended operation.
- Specified by: getExtendedOperationName in class ExtendedOperationHandler<GetSymmetricKeyExtendedOperationHandlerCfg>
- Returns: The name associated with this extended operation, if any, or null if there is none.