IDM 7.3.1

Property-based secret stores

IDM servers can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.

The following example configures a property-based secret store, and adds an RSA PEM secret whose purpose is to encrypt and decrypt managed user passwords:

  1. Add a PropertyBasedStore secret store definition to your conf/secrets.json file:

    {
        "name": "pemStore",
        "class": "org.forgerock.openidm.secrets.config.PropertyBasedStore",
        "config": {
            "format": "PEM",
            "algorithm": "RSA",
            "mappings": [
                {
                    "secretId": "idm.pem.purpose",
                    "types": [
                        "ENCRYPT",
                        "DECRYPT"
                    ]
                }
            ]
        }
    }
  2. Create an RSA PEM key:

    openssl genrsa -out private-key.pem 3072
  3. Display the private key. For example:

    more private-key.pem
    -----BEGIN RSA PRIVATE KEY-----
    MIIG4w…lrDgao
    -----END RSA PRIVATE KEY-----
  4. Convert the private key to a single line, replacing each line break with a literal newline escape sequence (\n). For example, on UNIX systems (the awk command also drops empty lines and strips carriage returns):

    awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' private-key.pem
    -----BEGIN RSA PRIVATE KEY-----\nMIIG4w…lrDgao\n-----END RSA PRIVATE KEY-----\n%
  5. Copy the single-line private key and paste it into your resolver/boot.properties file, as the value of the secretId that you specified in Step 1. The trailing % shown in the awk output is the shell's marker for output without a final newline and is not part of the key; do not include it in the property value. For example:

    idm.pem.purpose=-----BEGIN RSA PRIVATE KEY-----\nMIIG4w...lrDgao\n-----END RSA PRIVATE KEY-----\n
  6. Modify the encryption purpose for the managed user password in your managed object configuration to use the PropertyBasedStore secret store that you created in Step 1:

    "password" : {
        "title" : "Password",
        "description" : "Password",
        "type" : "string",
        "viewable" : false,
        "searchable" : false,
        "userEditable" : true,
        "encryption" : {
            "purpose" : "idm.pem.purpose",
            "cipher" : "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
        }
        ...
    }

    IDM now encrypts and decrypts passwords with the RSA PEM key.
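The following Python is an added example, not code from the IDM documentation. It reproduces the conversion in Step 4 (strip carriage returns, drop blank lines, join with a literal \n), builds the boot.properties entry from Step 5, and checks that the value decodes back to a single well-formed PEM block before it is handed to IDM. The sample key is constructed and is not a real RSA key.

```python
import base64
import binascii
import re

# Constructed sample for this example (not a real key): CRLF line endings,
# a short base64 body, as a key copied from a Windows editor might look.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "MIIG4wIBAAKCAYEA\r\n"
    "lrDgaoQw\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)

_LABEL = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")


def pem_to_property_value(pem_text: str) -> str:
    """Same effect as awk 'NF {sub(/\\r/, ""); printf "%s\\\\n",$0;}':
    strip CR, skip empty lines, end every line with a literal backslash-n."""
    lines = [ln.rstrip("\r") for ln in pem_text.split("\n")]
    return "".join(ln + "\\n" for ln in lines if ln.strip())


def property_value_to_pem(value: str) -> str:
    """Reverse of the above: literal \\n sequences become real newlines."""
    return value.replace("\\n", "\n")


def check_pem(pem_text: str) -> str:
    """Return the PEM label (e.g. 'RSA PRIVATE KEY') for a single well-formed
    block, or raise ValueError. This catches a stray shell prompt character,
    a mismatched END line or a corrupted body before IDM tries to load it."""
    lines = [ln.rstrip("\r") for ln in pem_text.split("\n") if ln.strip()]
    if len(lines) < 3:
        raise ValueError("PEM block too short")
    begin, end = _LABEL.match(lines[0]), _LABEL.match(lines[-1])
    if not begin or begin.group(1) != "BEGIN" or not end or end.group(1) != "END":
        raise ValueError("missing or malformed BEGIN/END line")
    if begin.group(2) != end.group(2):
        raise ValueError("BEGIN and END labels differ")
    body = "".join(lines[1:-1])
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    return begin.group(2)


def boot_properties_line(secret_id: str, pem_text: str) -> str:
    """Build the 'secretId=<single-line PEM>' entry, failing early if broken."""
    value = pem_to_property_value(pem_text)
    check_pem(property_value_to_pem(value))
    return f"{secret_id}={value}"
```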