Package org.forgerock.openig.secrets
Class SecretsTrustManagerHeaplet
java.lang.Object
org.forgerock.openig.heap.GenericHeaplet
org.forgerock.openig.secrets.SecretsTrustManagerHeaplet
All Implemented Interfaces: Heaplet
A SecretsTrustManagerHeaplet acts as a factory of SecretsTrustManager.
It is meant to be used when the certificates to be trusted are available through the ForgeRock Secrets API (for instance, when using a KeyStoreSecretStore).
{
"type": "SecretsTrustManager",
"config": {
"verificationSecretId": secret-id [ REQUIRED - Secret ID used to retrieve
trusted certificates. (1)]
"certificateVerificationSecretId": secret-id [ REQUIRED - Secret ID used to retrieve
trusted CA certificates. (1)]
"secretsProvider" : Secrets Provider [ REQUIRED - Resolves trusted certificates. ]
"checkRevocation" : boolean [ OPTIONAL - Enable or disable certificate revocation checking
(defaults to true) ]
}
}
(1) At least one of verificationSecretId or certificateVerificationSecretId is REQUIRED.
When to use these two attributes:
- verificationSecretId selects certificates usable to verify signed data.
  Certificates loaded from keystores must have the digitalSignature KeyUsage bit set, or have no KeyUsage extension bit set at all (usual for self-signed and client certificates).
  Certificates loaded from JWK/JWKSet must have use = sig or unset AND key_ops containing 'verify' or unset.
- certificateVerificationSecretId selects certificates usable to verify signed certificates.
  Certificates loaded from keystores must have the keyCertSign KeyUsage bit set, or have no KeyUsage extension bit set at all (usual for CA certificates).
  Certificates loaded from JWK/JWKSet must have both 'key_ops' and 'use' unset.
- Note that certificates loaded from PEM carry no usage constraints and can be referenced from either verificationSecretId or certificateVerificationSecretId indistinctly.
Usage example with a keystore
Trusts a list of certificates found in a given keystore
{
"type": "SecretsTrustManager",
"config": {
"verificationSecretId": [ "trust.manager.secret.id" ],
"secretsProvider": {
"type": "KeyStoreSecretStore",
"config": {
"file": "&{ig.instance.dir}/certs/truststore.p12",
"storePassword": "keystore.pass",
"secretsProvider": "SecretsPasswords",
"mappings": [{
"secretId": "trust.manager.secret.id",
"aliases": [ "alias-of-trusted-cert-1", "alias-of-trusted-cert-2" ]
}]
}
}
}
}
Trusts certificates signed by certificate authorities whose certificates are found in a given keystore
{
"type": "SecretsTrustManager",
"config": {
"certificateVerificationSecretId": [ "ca.secret.id" ],
"secretsProvider": {
"type": "KeyStoreSecretStore",
"config": {
"file": "&{ig.instance.dir}/certs/truststore.p12",
"storePassword": "keystore.pass",
"secretsProvider": "SecretsPasswords",
"mappings": [{
"secretId": "ca.secret.id",
"aliases": [ "alias-of-trusted-cacert-1", "alias-of-trusted-cacert-2" ]
}]
}
}
}
}
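To check ahead of time which aliases in a PKCS#12 truststore qualify for each mapping, the following added example (illustrative code, not part of OpenIG) applies the keystore rule described above using only the JDK: it loads the truststore, reads each certificate's KeyUsage extension, and reports whether the alias may be mapped to verificationSecretId (digitalSignature set, or no KeyUsage bit set at all) and/or to certificateVerificationSecretId (keyCertSign set, or no KeyUsage bit set at all). The class name TrustStoreUsageCheck is this example's own, as is the choice to treat an absent KeyUsage extension and a present-but-empty one alike; the JWK/JWKSet and PEM rules are not modelled.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Illustrative checker (not OpenIG code): classifies the certificates in a
 * PKCS#12 truststore according to the keystore KeyUsage rule that
 * SecretsTrustManager applies to verificationSecretId and
 * certificateVerificationSecretId.
 */
public final class TrustStoreUsageCheck {

    // Bit positions in X509Certificate.getKeyUsage(), in RFC 5280 KeyUsage order.
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int KEY_CERT_SIGN = 5;

    /** Classification of one truststore alias. */
    public static final class Usage {
        public final String alias;
        public final boolean verification;            // may be mapped to verificationSecretId
        public final boolean certificateVerification; // may be mapped to certificateVerificationSecretId

        Usage(String alias, boolean verification, boolean certificateVerification) {
            this.alias = alias;
            this.verification = verification;
            this.certificateVerification = certificateVerification;
        }
    }

    /**
     * True when the certificate carries no KeyUsage constraint: the extension is
     * absent (getKeyUsage() returns null) or present with no bit set. Treating
     * both cases alike is an assumption of this example.
     */
    static boolean noKeyUsageBitSet(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();
        if (ku == null) {
            return true;
        }
        for (boolean bit : ku) {
            if (bit) {
                return false;
            }
        }
        return true;
    }

    /** verificationSecretId rule: digitalSignature set, or no KeyUsage bit set at all. */
    static boolean usableForVerification(X509Certificate cert) {
        return noKeyUsageBitSet(cert) || cert.getKeyUsage()[DIGITAL_SIGNATURE];
    }

    /** certificateVerificationSecretId rule: keyCertSign set, or no KeyUsage bit set at all. */
    static boolean usableForCertificateVerification(X509Certificate cert) {
        return noKeyUsageBitSet(cert) || cert.getKeyUsage()[KEY_CERT_SIGN];
    }

    /** Classifies every alias holding an X.509 certificate; entries without one are skipped. */
    public static List<Usage> classify(KeyStore store) throws Exception {
        List<Usage> result = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x509 = (X509Certificate) cert;
            result.add(new Usage(alias,
                                 usableForVerification(x509),
                                 usableForCertificateVerification(x509)));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustStoreUsageCheck <truststore.p12> <store-password>");
            System.exit(2);
        }
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        for (Usage u : classify(store)) {
            System.out.printf("%-40s verificationSecretId=%-5b certificateVerificationSecretId=%-5b%n",
                    u.alias, u.verification, u.certificateVerification);
        }
    }
}
```

Run it against the truststore referenced by the KeyStoreSecretStore in the examples above. An alias listed under a secret ID for which it reports false (for instance a CA certificate with only keyCertSign mapped to verificationSecretId) is not selected by the trust manager for that secret ID, so the fix is to move the alias to the other mapping rather than to relax the trust manager's configuration.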
Field Summary
Constructor Summary
Method Summary
Methods inherited from class org.forgerock.openig.heap.GenericHeaplet:
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start
Field Details
NAME
Public name used by resolver.
Constructor Details
SecretsTrustManagerHeaplet
public SecretsTrustManagerHeaplet()
Method Details
create
Description copied from class: GenericHeaplet
Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
Specified by: create in class GenericHeaplet
Returns: the created object.
Throws: HeapException if an exception occurred during creation of the heap object or any of its dependencies.