These secrets can be used to:

  • Access external services. For example, the PingDirectoryProxy server must obtain the clear-text credentials it uses to authenticate to backend directory servers, and the PingDataSync server must obtain the credentials it uses to authenticate to the synchronization source and destination servers.
  • Access certificate key and trust stores.
  • Reversibly encrypt passwords stored in the LDAP changelog, so that PingDataSync can decrypt them and send the clear-text values to the destination server.

The PingDirectory server supports the following passphrase providers:

Amazon Secrets Manager passphrase provider
Reads a passphrase from the AWS Secrets Manager service. The provider works only with string secrets, which Secrets Manager returns as a JSON object from which the configured field is read; secrets stored in binary form are not supported.
Azure Key Vault passphrase provider
Reads a passphrase from the Microsoft Azure Key Vault service.
Conjur passphrase provider
Reads a passphrase from a CyberArk Conjur instance.
Environment Variable passphrase provider
Reads a passphrase from a specified environment variable.
File-based passphrase provider
Reads a passphrase from a specified file. The contents of the file can be encrypted with a key from the server's encryption settings database.
Obscured-value passphrase provider
Reads a passphrase that is stored directly in the server configuration.

Although the stored value is encrypted, the encryption uses a key that is hard-coded in the server, so anyone who can read the server configuration can recover the clear-text value. Treat this provider as obfuscation only, and do not rely on it to keep the passphrase secret.

Third-party passphrase provider
Reads a passphrase from a custom extension written with the UnboundID Server SDK. The extension-class property, which is read-only after the provider is created, names the Java class that implements the extension, and the extension-argument property passes arguments that customize the extension's behavior.
Vault passphrase provider
Reads a passphrase from a HashiCorp Vault instance.

For example, to create an Amazon Secrets Manager passphrase provider, define the new passphrase provider in the server configuration. The bracketed values are placeholders for the name of the AWS external server defined in the configuration, the ID (name or ARN) of the secret, and the name of the field to read from the secret's JSON object:

dsconfig create-passphrase-provider \
  --provider-name "Amazon Secrets Manager" \
  --type amazon-secrets-manager \
  --set enabled:true \
  --set aws-external-server:[AWS_EXTERNAL_SERVER_DN] \
  --set secret-id:[AWS_SECRET_ID] \
  --set secret-field-name:[SECRET_JSON_FIELD]

After you've created a passphrase provider, update the configuration of each component that should use it. For example, to use the provider to obtain the PIN for a certificate key store, set the key-store-pin-passphrase-provider property of the corresponding key manager provider to the name of the new passphrase provider.
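The following script is an added example, not code from the PingDirectory documentation or product. It puts the two steps above together for the Amazon Secrets Manager case and adds the preflight check a practitioner wants before pointing the server at a secret: it confirms that the secret is a string secret, that its SecretString is a JSON object, and that the configured field holds a non-empty string, since the provider cannot use binary secrets or a missing field. The external server name "AWS", the key manager provider name "JKS", the secret "prod/ldap/keystore" and the field "keystore-pin" are hypothetical; the create-passphrase-provider properties reproduce the page's example, and the set-key-manager-provider-prop subcommand is assumed from dsconfig's usual naming.

```python
"""Preflight check and dsconfig wiring for an Amazon Secrets Manager
passphrase provider (added example; names below are hypothetical)."""
import json
import subprocess


def secret_problem(response, field):
    """Return why the passphrase provider could not use this GetSecretValue
    response, or None if the named field is usable.

    Binary secrets come back as SecretBinary with no SecretString, and the
    provider supports string secrets only, returned as a JSON object."""
    if "SecretString" not in response:
        return "secret is stored in binary form (SecretBinary); the provider needs a string secret"
    try:
        doc = json.loads(response["SecretString"])
    except ValueError:
        return "SecretString is not valid JSON"
    if not isinstance(doc, dict):
        return "SecretString must be a JSON object, got %s" % type(doc).__name__
    if field not in doc:
        return "field %r not found; available fields: %s" % (field, ", ".join(sorted(doc)) or "none")
    if not isinstance(doc[field], str) or not doc[field]:
        return "field %r must hold a non-empty string" % field
    return None


def extract_passphrase(response, field):
    """Return the passphrase the provider would read, or raise ValueError."""
    problem = secret_problem(response, field)
    if problem:
        raise ValueError(problem)
    return json.loads(response["SecretString"])[field]


def dsconfig_commands(provider_name, aws_external_server, secret_id, field, key_manager="JKS"):
    """Build the two dsconfig invocations: create the provider, then point the
    key manager provider's key-store-pin-passphrase-provider at it.

    Connection options (hostname, port, bind credentials) and --no-prompt are
    left out; append them for non-interactive use."""
    create = [
        "dsconfig", "create-passphrase-provider",
        "--provider-name", provider_name,
        "--type", "amazon-secrets-manager",
        "--set", "enabled:true",
        "--set", "aws-external-server:%s" % aws_external_server,
        "--set", "secret-id:%s" % secret_id,
        "--set", "secret-field-name:%s" % field,
    ]
    wire = [
        "dsconfig", "set-key-manager-provider-prop",
        "--provider-name", key_manager,
        "--set", "key-store-pin-passphrase-provider:%s" % provider_name,
    ]
    return [create, wire]


def main():
    import boto3  # only needed for the live check against AWS

    secret_id = "prod/ldap/keystore"   # hypothetical secret name
    field = "keystore-pin"             # hypothetical JSON field
    response = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    # Validate the secret shape without ever printing the passphrase.
    extract_passphrase(response, field)
    for argv in dsconfig_commands("Amazon Secrets Manager", "AWS", secret_id, field):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    main()
```

The check runs with the same AWS identity the server's external server definition will use, so a failure here also surfaces missing secretsmanager:GetSecretValue permission before the server is reconfigured. The passphrase itself is validated in memory and never written or logged.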