Class KeyStoreSecretStoreHeaplet

java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.secrets.KeyStoreSecretStoreHeaplet
All Implemented Interfaces:
Heaplet

public class KeyStoreSecretStoreHeaplet extends GenericHeaplet
This heaplet represents an instance of a KeyStoreSecretStore.
 {
       "type": "KeyStoreSecretStore",
       "config": {
         "file":                  expression             [REQUIRED - location of the KeyStore.]
         "storeType":             expression             [OPTIONAL - type of the store, default: "PKCS12". ]
         "storePasswordSecretId": expression             [OPTIONAL - Secret ID referring to the KeyStore password.
                                                                     When not set, the KeyStore is expected to be unprotected.]
         "entryPasswordSecretId": expression             [OPTIONAL - Secret ID referring to the entries' password.
                                                                     Defaults to storePasswordSecretId. (1)]
         "secretsProvider":       Secrets Provider       [REQUIRED - resolve keystore passwords.]
         "leaseExpiry":           expression<duration>   [OPTIONAL - defaults to 5 minutes.]
         "securityProvider":      String                 [OPTIONAL - The security provider to use to load the keystore.
                                                                     Defaults to the usual Java mechanism.]
         "mappings": [            array                  [REQUIRED - array of object.]
           {                      object
             "secretId":          expression             [REQUIRED - ID of the secret.]
             "aliases":           [ expression  ]        [OPTIONAL - list of aliases corresponding to the above
                                                                     secret. Order matters here and the first is the
                                                                     active secret. Required if 'aliasesMatching' not
                                                                     set.]
             "aliasesMatching":   [ expression  ]        [OPTIONAL - list of regular expressions matching the
                                                                     keystore aliases to map. Required if 'aliases' not
                                                                     set.]
           }
         ]
         "autoRefresh": {         object                 [OPTIONAL - indicates whether this KeyStoreSecretStore should be
                                                                     refreshed on keystore change (edit and delete).]
           "enabled":             expression<boolean>    [OPTIONAL - Configure with boolean expression resolving to
                                                                     'true' to enable, or 'false' to disable.
                                                                     Default is enabled.]
           "executor":            executor               [OPTIONAL - Executor to use in monitoring the keystore,
                                                                     defaults to the heap-configured
                                                                     SCHEDULED_EXECUTOR_SERVICE_HEAP_KEY.]
         }
       }
    }
 

Example:

 {
       "type": "KeyStoreSecretStore",
       "config": {
           "file": "/path/to/keystore.file",
           "storePasswordSecretId": "keystore.pass",
           "entryPasswordSecretId": "keystore.entries.pass",
           "secretsProvider": "mySecretsProvider",
           "mappings": [{
               "secretId": "global.pcookie.crypt",
               "aliases": [ "rsapair72", "rsapair72-inactive" ]
           }]
        }
    }
 
(1) Note that if entryPasswordSecretId is used, it must be the same for all entries in the keystore. As a consequence, this store will not work with a JKS keystore whose entries have different passwords.

Example showing "autoRefresh" config, supporting keystore file monitoring and refresh:

 {
       "type": "KeyStoreSecretStore",
       "config": {
           "file": "/path/to/keystore.file",
           "storePasswordSecretId": "keystore.pass",
           "entryPasswordSecretId": "keystore.entries.pass",
           "secretsProvider": "mySecretsProvider",
           "mappings": [{
               "secretId": "global.pcookie.crypt",
               "aliases": [ "rsapair72", "rsapair72-inactive" ]
           }],
           "autoRefresh": {
               "enabled": "${my.boolean.property}",
               "executor": "#refreshExecutor"
           }
       }
    }
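
The two examples above rely on constraints that are only stated in the schema comments (required keys, 'aliases' or 'aliasesMatching' per mapping, first alias is the active secret). The following script, added here as an illustration and not part of OpenIG, checks a heaplet config against those documented constraints and shows which keystore aliases each secretId would map to. The config, the keystore alias list and the second mapping are constructed for the demo; treating a regex as a whole-alias match and keeping keystore order for 'aliasesMatching' are assumptions, since the page does not state the heaplet's exact rule.

```python
import re

# Constructed sample: the page's example plus a second mapping using 'aliasesMatching'.
SAMPLE_CONFIG = {
    "type": "KeyStoreSecretStore",
    "config": {
        "file": "/path/to/keystore.file",
        "storePasswordSecretId": "keystore.pass",
        "secretsProvider": "mySecretsProvider",
        "mappings": [
            {"secretId": "global.pcookie.crypt",
             "aliases": ["rsapair72", "rsapair72-inactive"]},
            {"secretId": "jwt.signing", "aliasesMatching": ["jwt-sign-.*"]},
        ],
    },
}
# Constructed alias list standing in for the keystore's contents.
KEYSTORE_ALIASES = ["rsapair72", "rsapair72-inactive", "jwt-sign-2024", "jwt-sign-2023", "tls"]

def validate(conf, keystore_aliases=None):
    """List the documented constraints this config violates; with a keystore alias list, also flag unknown aliases."""
    problems = []
    if conf.get("type") != "KeyStoreSecretStore":
        problems.append("type must be 'KeyStoreSecretStore'")
    cfg = conf.get("config", {})
    for key in ("file", "secretsProvider", "mappings"):
        if key not in cfg:
            problems.append(f"config.{key} is required")
    for i, m in enumerate(cfg.get("mappings", [])):
        if "secretId" not in m:
            problems.append(f"mappings[{i}].secretId is required")
        if not m.get("aliases") and not m.get("aliasesMatching"):
            problems.append(f"mappings[{i}] needs 'aliases' or 'aliasesMatching'")
        for a in (m.get("aliases", []) if keystore_aliases is not None else []):
            if a not in keystore_aliases:
                problems.append(f"mappings[{i}] alias '{a}' not found in keystore")
    return problems

def resolve(conf, keystore_aliases):
    """Map each secretId to its ordered aliases: index 0 is the active secret, the rest
    stay usable for material produced under earlier keys. Assumption: regexes must match
    the whole alias (re.fullmatch) and matched aliases keep the keystore's order."""
    result = {}
    for m in conf["config"]["mappings"]:
        if m.get("aliases"):
            chosen = list(m["aliases"])  # configured order is authoritative
        else:
            pats = [re.compile(p) for p in m["aliasesMatching"]]
            chosen = [a for a in keystore_aliases if any(p.fullmatch(a) for p in pats)]
        result[m["secretId"]] = chosen
    return result
```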
 
See Also: