Package org.forgerock.openig.secrets
Class HsmSecretStoreHeaplet
java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.secrets.HsmSecretStoreHeaplet
- All Implemented Interfaces:
Heaplet
This heaplet represents an instance of a
HsmSecretStoreHeaplet.
{
"type": "HsmSecretStore",
"config": {
"providerName": string [ REQUIRED - Pre-installed PKCS#11 Provider name. ]
"storePasswordSecretId": secret ID [ OPTIONAL - Secret ID used to retrieve the store password.]
"secretsProvider": Secrets Provider [ REQUIRED - resolve HSM password.]
"leaseExpiry": expression<duration> [ OPTIONAL - defaults to 5 minutes.]
"mappings": [ [ REQUIRED - array of object.]
{
"secretId": expression [ REQUIRED - ID of the secret.]
"aliases": [ expression ] [ REQUIRED - list of aliases corresponding to the
above secret. Order matter here and the first is
the active secret.]
}
}
}
* One of file or providerName is required.
Example:
{
"type": "HsmSecretStore",
"config": {
"providerName": "SunPKCS11-SoftHSM",
"storePasswordSecretId": "keystore.password.id",
"secretsProvider": "mySecretsProvider",
"mappings": [{
"secretId": "global.pcookie.crypt",
"aliases": [ "rsapair72", "rsapair72-inactive" ]
}]
}
}
-
Field Summary
Fields -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptioncreate()Called to request the heaplet create an object.keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options) Instantiate theKeyStoreSecretStore.protected static SecretReference<GenericSecret>toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose) Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start
-
Field Details
-
NAME
Public name used by resolver.- See Also:
-
-
Constructor Details
-
HsmSecretStoreHeaplet
public HsmSecretStoreHeaplet()
-
-
Method Details
-
keyStore
public KeyStoreSecretStore keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options) throws HeapException Instantiate theKeyStoreSecretStore.- Parameters:
secretsProvider- TheSecretsProvidercontaining every secrets needed to unlock the underlying KeyStorestorePasswordPurpose- The main KeyStore password, may benullif unprotected.options- Some options to pass to the keyStore.- Returns:
- a new instance of a KeyStore.
- Throws:
HeapException- if something went wrong.
-
create
Description copied from class:GenericHeapletCalled to request the heaplet create an object. Called byHeaplet.create(Name, JsonValue, Heap)after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by theGenericHeaplet.start()method.- Specified by:
createin classGenericHeaplet- Returns:
- The created object.
- Throws:
HeapException- if an exception occurred during creation of the heap object or any of its dependencies.
-
toSecretsReference
protected static SecretReference<GenericSecret> toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)
-