Filesystem secret stores
A filesystem secret store maps to a directory storing an arbitrary number of files that each contain one secret. When filesystem secret stores are used, IDM reads the contents of a file with a name matching the secretId field in the secret store’s mapping list.
Filesystem secret stores are useful to provide secrets from third-party secret stores like AWS Secrets Manager or Google Secrets Manager. They can also be used to separate your secrets from your configuration files.
Filesystem secret stores can be encoded with the following encoding schemes:
-
PLAIN
-
PEM
-
BASE64
-
BASE64URL
The following configuration is an example of a filesystem secret store which is configured to use the /secrets directory and contains a mapping for the idm.admin.password secret:
{
"name":"secretVolume",
"class": "org.forgerock.openidm.secrets.config.FileSystemStore",
"config": {
"format": "PLAIN",
"directory": "&{idm.install.dir}/secrets",
"mappings": [
{
"secretId": "idm.admin.password",
"types": [
"GENERIC"
]
}
]
}
}Configuring automatic encryption
You can add automatic encryption to the filesystem secret store by adding the encryptionKey field. The following example demonstrates encrypting the idm.admin.password secret with the idm.default encryption key:
{
"name": "fileSystemStore",
"class": "org.forgerock.openidm.secrets.config.FileSystemStore",
"config": {
"directory": "&{idm.install.dir}/secrets",
"format": "PLAIN",
"encryptionKey": "idm.default",
"mappings": [
{
"secretId": "idm.admin.password",
"types": [
"GENERIC"
]
}
]
}
}By default, IDM uses AES Key Wrap with a 128-bit key for JSON Web Token (JWT) key management and AES_128_CBC_HMAC_SHA_256 for content encryption. These can be configured by setting the encryptionAlgorithm and encryptionMethod fields on the store configuration respectively.
Example: Create a new user type
The following example creates a new type of static user, openidm-super, with the secret, idm.admin.password, kept in the filesystem secret store. To configure the user:
-
In
conf/authentication.json, add the following new user configuration:{ "name": "STATIC_USER", "properties": { "queryOnResource": "internal/user", "username": "openidm-super", "password": { "$purpose": { "name": "idm.admin.password" } }, "defaultUserRoles": [ "internal/role/openidm-authorized", "internal/role/openidm-admin" ], "enabled": true } } -
In
conf/secrets.json, use the existing mapping for theidm.admin.passwordsecret and optionally add theformatparameter:{ "secretId": "idm.admin.password", "format": "PLAIN", "types": [ "GENERIC" ] }Only use the optional formatparameter if the secret is encoded using a different scheme than the rest of the secret volume.
Configuring purpose versions
The filesystem secret store supports multiple versions of the same purpose. To configure this, specify the versionSuffix property in the store’s definition in conf/secrets.json. The following example adds the .v suffix to the idm.admin.password purpose:
{
"name": "pemStore",
"class": "org.forgerock.openidm.secrets.config.FileSystemStore",
"config": {
"format": "PEM",
"directory": "&{idm.install.dir}/secrets",
"versionSuffix": ".v",
"mappings": [
{
"secretId": "idm.admin.password",
"types": [
"GENERIC"
]
}
]
}
}After versionSuffix is defined, you can version your purpose files by adding it to the file name. Following the previous example, the files could be named idm.admin.password.v1, idm.admin.password.v2, and so on. The latest version number is the active secret.