Package org.forgerock.openig.secrets
Class KeyStoreSecretStoreHeaplet

java.lang.Object
  org.forgerock.openig.heap.GenericHeaplet
    org.forgerock.openig.secrets.KeyStoreSecretStoreHeaplet

- All Implemented Interfaces: Heaplet

This heaplet represents an instance of a KeyStoreSecretStore.
{
  "type": "KeyStoreSecretStore",
  "config": {
    "file": expression                  [REQUIRED - location of the KeyStore.]
    "storeType": expression             [OPTIONAL - type of the store, default: "PKCS12".]
    "storePasswordSecretId": expression [OPTIONAL - Secret ID referring to the KeyStore password.
                                         When not set, the KeyStore is expected to be unprotected.]
    "entryPasswordSecretId": expression [OPTIONAL - Secret ID referring to the entries' password.
                                         Defaults to storePasswordSecretId. (1)]
    "secretsProvider": Secrets Provider [REQUIRED - resolves the keystore passwords.]
    "leaseExpiry": expression<duration> [OPTIONAL - defaults to 5 minutes.]
    "securityProvider": String          [OPTIONAL - the security provider used to load the keystore;
                                         defaults to the usual Java mechanism.]
    "mappings": [ array                 [REQUIRED - array of objects.]
      { object
        "secretId": expression          [REQUIRED - ID of the secret.]
        "aliases": [ expression ]       [OPTIONAL - list of aliases corresponding to the above
                                         secret. Order matters here: the first is the
                                         active secret. Required if 'aliasesMatching' is not set.]
        "aliasesMatching": [ expression ] [OPTIONAL - list of regular expressions matching the
                                         keystore aliases to map. Required if 'aliases' is not set.]
      }
    ]
    "autoRefresh": { object             [OPTIONAL - indicates whether this KeyStoreSecretStore should be
                                         refreshed on keystore change (edit and delete).]
      "enabled": expression<boolean>    [OPTIONAL - boolean expression resolving to 'true' to enable,
                                         or 'false' to disable. Default is enabled.]
      "executor": executor              [OPTIONAL - executor used to monitor the keystore; defaults to
                                         the heap-configured SCHEDULED_EXECUTOR_SERVICE_HEAP_KEY.]
    }
  }
}
Example:

{
  "type": "KeyStoreSecretStore",
  "config": {
    "file": "/path/to/keystore.file",
    "storePasswordSecretId": "keystore.pass",
    "entryPasswordSecretId": "keystore.entries.pass",
    "secretsProvider": "mySecretsProvider",
    "mappings": [{
      "secretId": "global.pcookie.crypt",
      "aliases": [ "rsapair72", "rsapair72-inactive" ]
    }]
  }
}
(1) Note that if entryPasswordSecretId is used, it must be the same for all entries in the keystore.
This means it will not work with a JKS keystore whose entries have different passwords.
Example showing the "autoRefresh" config, which enables keystore file monitoring and refresh:

{
  "type": "KeyStoreSecretStore",
  "config": {
    "file": "/path/to/keystore.file",
    "storePasswordSecretId": "keystore.pass",
    "entryPasswordSecretId": "keystore.entries.pass",
    "secretsProvider": "mySecretsProvider",
    "mappings": [{
      "secretId": "global.pcookie.crypt",
      "aliases": [ "rsapair72", "rsapair72-inactive" ]
    }],
    "autoRefresh": {
      "enabled": "${my.boolean.property}",
      "executor": "#refreshExecutor"
    }
  }
}
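The rules above (required keys, one of "aliases" or "aliasesMatching" per mapping, first alias active, PKCS12 and 5-minute defaults) are easy to get wrong in a hand-written heap object. The following checker is an added example, not code from the OpenIG project; the dict SAMPLE is the "autoRefresh" example re-typed as Python, and the "5 minutes" default string is an assumption about how the duration is spelled.

```python
import re

# Constructed sample: the page's "autoRefresh" example as a Python dict.
SAMPLE = {
    "type": "KeyStoreSecretStore",
    "config": {
        "file": "/path/to/keystore.file",
        "storePasswordSecretId": "keystore.pass",
        "entryPasswordSecretId": "keystore.entries.pass",
        "secretsProvider": "mySecretsProvider",
        "mappings": [{"secretId": "global.pcookie.crypt",
                      "aliases": ["rsapair72", "rsapair72-inactive"]}],
        "autoRefresh": {"enabled": "${my.boolean.property}", "executor": "#refreshExecutor"},
    },
}

def validate(heap_object):
    """Return the list of documented-rule violations; empty means the object is acceptable."""
    errors = []
    if heap_object.get("type") != "KeyStoreSecretStore":
        return ['"type" must be "KeyStoreSecretStore"']
    cfg = heap_object.get("config") or {}
    errors += [f'"{k}" is required' for k in ("file", "secretsProvider", "mappings") if k not in cfg]
    mappings = cfg.get("mappings") or []
    if "mappings" in cfg and not mappings:
        errors.append('"mappings" must be a non-empty array')
    for i, m in enumerate(mappings):
        if "secretId" not in m:
            errors.append(f'mappings[{i}]: "secretId" is required')
        aliases, matching = m.get("aliases") or [], m.get("aliasesMatching") or []
        if not aliases and not matching:
            errors.append(f'mappings[{i}]: one of "aliases" or "aliasesMatching" is required')
        for pattern in matching:          # aliasesMatching entries must be valid regexes
            try:
                re.compile(pattern)
            except re.error as exc:
                errors.append(f'mappings[{i}]: bad regex {pattern!r}: {exc}')
    return errors

def effective(heap_object):
    """Resolve the documented defaults so the settings actually in force are visible."""
    cfg = heap_object["config"]
    store_pw = cfg.get("storePasswordSecretId")   # None means an unprotected keystore
    return {
        "file": cfg["file"],
        "storeType": cfg.get("storeType", "PKCS12"),
        "storePasswordSecretId": store_pw,
        "entryPasswordSecretId": cfg.get("entryPasswordSecretId", store_pw),
        "leaseExpiry": cfg.get("leaseExpiry", "5 minutes"),  # assumed spelling of the default
        "autoRefreshEnabled": cfg.get("autoRefresh", {}).get("enabled", True),
        # The first alias listed is the active secret; the others are valid but inactive.
        "activeAliases": {m["secretId"]: m["aliases"][0] for m in cfg["mappings"] if m.get("aliases")},
    }
```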
Field Summary

- NAME: Public name used by the resolver.

Constructor Summary

- KeyStoreSecretStoreHeaplet()

Method Summary

- create(): Called to request the heaplet create an object.
- void destroy(): Called to indicate that the object created by the heaplet is going to be dereferenced.
- KeyStoreSecretStore keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options): Instantiate the KeyStoreSecretStore.
- protected static SecretReference<GenericSecret> toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet:
create, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start
Field Details

- NAME
  Public name used by the resolver.

Constructor Details

- KeyStoreSecretStoreHeaplet
  public KeyStoreSecretStoreHeaplet()

Method Details

- keyStore
  public KeyStoreSecretStore keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options) throws HeapException
  Instantiate the KeyStoreSecretStore.
  Parameters:
    secretsProvider - The SecretsProvider containing every secret needed to unlock the underlying KeyStore.
    storePasswordPurpose - The main KeyStore password; may be null if the KeyStore is unprotected.
    options - Some options to pass to the keyStore.
  Returns: a new instance of a KeyStore.
  Throws: HeapException - if something went wrong.

- destroy
  public void destroy()
  Description copied from interface: Heaplet
  Called to indicate that the object created by the heaplet is going to be dereferenced. This gives the heaplet an opportunity to free any resources that are being held prior to its dereference.
  Specified by: destroy in interface Heaplet
  Overrides: destroy in class GenericHeaplet

- create
  Description copied from class: GenericHeaplet
  Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
  Specified by: create in class GenericHeaplet
  Returns: The created object.
  Throws: HeapException - if an exception occurred during creation of the heap object or any of its dependencies.

- toSecretsReference
  protected static SecretReference<GenericSecret> toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)