Passphrase providers allow access to clear-text passphrases,
These secrets can be used to:
- Access external services. For example, the PingDirectoryProxy server can use a clear-text secret for accessing the credentials needed for authentication to backend directories, and the PingDataSync server can use a secret for authentication to the synchronization source and destination servers.
- Access certificate key and trust stores.
- Reversibly encrypt passwords stored in the LDAP changelog. This allows PingDataSync to decrypt these passwords and send the clear-text value to the destination server.
The PingDirectory server supports the following passphrase providers:
- Amazon Secrets Manager passphrase provider
- Reads a passphrase from the Amazon AWS Secrets Manager service. The provider can
only be used with string secrets, in which the Secrets Manager service returns
the secret in the form of a
- Azure Key Vault passphrase provider
- Reads a passphrase from the Microsoft Azure Key Vault service.
- Conjur passphrase provider
- Reads a passphrase from a CyberArk Conjur instance.
- Environment Variable passphrase provider
- Reads a passphrase from a specified environment variable.
- File-based passphrase provider
- Reads a passphrase from a specified file. The contents of the file can be encrypted with a key from the server's encryption settings database.
- Obscured-value passphrase provider
- Reads a passphrase that is stored directly in the server configuration.Important:
Although this passphrase is encrypted, the encryption uses a hard-coded key that an attacker can use to obtain the clear-text value. As a result, you should not depend solely on this provider's obfuscation for keeping the passphrase secret.
- Third-party passphrase provider
- Reads a passphrase using a third-party implementation of the UnboundID server
SDK. This provider supports the read-only
extension-classproperty for specifying the Java class that extends or implements the SDK, and the
extension-argumentproperty for customizing the provider's behavior.
- Vault passphrase provider
- Reads a passphrase from a HashiCorp Vault instance.
For example, to create an Amazon Secrets Manager passphrase provider, define the new passphrase provider in the server configuration:
dsconfig create-passphrase-provider \ --provder-name "Amazon Secrets Manager" \ --type amazon-secrets-manager \ --set enabled:true \ --set aws-external-server:[AWS_EXTERNAL_SERVER_DN] \ --set secret-id:[AWS_SECRET_ID] \ --set secret-field-name:[SECRET_JSON_FIELD]
After you've created a passphrase provider, you must update the global configuration of
the components that use the provider. For example, if you want to use the passphrase
provider to obtain the PIN needed for accessing a certificate key store, you must set
key-store-pin-passphrase-provider property in the key manager