Package org.forgerock.openig.secrets

Class HsmSecretStoreHeaplet

java.lang.Object

org.forgerock.openig.heap.GenericHeaplet

org.forgerock.openig.secrets.HsmSecretStoreHeaplet

All Implemented Interfaces:

Heaplet

public class HsmSecretStoreHeaplet
extends GenericHeaplet

This heaplet represents an instance of a HsmSecretStoreHeaplet.

 {
       "type": "HsmSecretStore",
       "config": {
         "providerName":          string                  [ REQUIRED - Pre-installed PKCS#11 Provider name. ]
         "storePasswordSecretId": secret ID               [ OPTIONAL - Secret ID used to retrieve the store password.]
         "secretsProvider":       Secrets Provider        [ REQUIRED - resolve HSM password.]
         "leaseExpiry":           expression<duration>    [ OPTIONAL - defaults to 5 minutes.]
         "mappings": [                                    [ REQUIRED - array of object.]
             {
              "secretId":              expression                 [ REQUIRED - ID of the secret.]
              "aliases":             [ expression  ]              [ REQUIRED - list of aliases corresponding to the
                                                                   above secret. Order matter here and the first is
                                                                   the active secret.]
            }
       }
    }
 

* One of file or providerName is required.

Example:

 {
       "type": "HsmSecretStore",
       "config": {
           "providerName": "SunPKCS11-SoftHSM",
           "storePasswordSecretId": "keystore.password.id",
           "secretsProvider": "mySecretsProvider",
           "mappings": [{
               "secretId": "global.pcookie.crypt",
               "aliases": [ "rsapair72", "rsapair72-inactive" ]
           }]
        }
    }
 

See Also:

• Oracle PKCS#11 Configuration Guide.
• HsmKeyStoreLoader

Field Summary

Fields inherited from class org.forgerock.openig.heap.GenericHeaplet

config, heap, name, object, qualified

Constructor Summary

Constructors

Constructor	Description
HsmSecretStoreHeaplet()

Method Summary

Modifier and Type	Method	Description
Object	create()	Called to request the heaplet create an object.
KeyStoreSecretStore	keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options)	Instantiate the KeyStoreSecretStore.
protected static SecretReference<GenericSecret>	toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet

create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

HsmSecretStoreHeaplet

public HsmSecretStoreHeaplet()

Method Details

keyStore

public KeyStoreSecretStore keyStore(SecretsProvider secretsProvider,
 Purpose<GenericSecret> storePasswordPurpose,
 Options options)
                             throws HeapException

Instantiate the KeyStoreSecretStore.

Parameters:

secretsProvider - The SecretsProvider containing every secrets needed to unlock the underlying KeyStore

storePasswordPurpose - The main KeyStore password, may be null if unprotected.

options - Some options to pass to the keyStore.

Returns:

a new instance of a KeyStore.

Throws:

HeapException - if something went wrong.

create

public Object create()
              throws HeapException

Description copied from class: GenericHeaplet

Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.

Specified by:

create in class GenericHeaplet

Returns:

The created object.

Throws:

HeapException - if an exception occurred during creation of the heap object or any of its dependencies.

toSecretsReference

protected static SecretReference<GenericSecret> toSecretsReference(SecretsProvider secretsProvider,
 Purpose<GenericSecret> purpose)