Crypto Manager
The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.
Crypto Manager properties
You can use configuration expressions to set property values at startup time. For details, see Property value substitution.
| Basic Properties | Advanced Properties |
|---|---|
key-manager-provider |
cipher-key-length |
key-manager-provider
Synopsis |
The name of the key manager containing the master key-pair and any deprecated master key. |
Description |
The master key, which is identified using the "master-key-alias" property, will be used for encrypting secrets that are generated and distributed across the deployment. Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The alias must correspond to a PrivateKeyEntry in the keystore and is typically an RSA key-pair. |
Default value |
None |
Allowed values |
The name of an existing key-manager-provider. The referenced key manager provider must be enabled. |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
key-wrapping-transformation
Synopsis |
The preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology. |
Default value |
RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING |
Allowed values |
The key wrapping transformation. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change. |
Advanced |
No |
Read-only |
No |
master-key-alias
Synopsis |
The alias of the master key-pair which should be used for encrypting secrets that are generated and distributed across the deployment. |
Description |
Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The master key alias reference a PrivateKeyEntry in the keystore which is typically an RSA key-pair. |
Default value |
None |
Allowed values |
A string. |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
Advanced properties
Use the --advanced
option to access advanced properties.
cipher-key-length
Synopsis |
Specifies the key length in bits for the preferred cipher. |
Default value |
128 |
Allowed values |
An integer. Lower limit: 0. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced |
Yes |
Read-only |
No |
cipher-transformation
Synopsis |
Specifies the cipher for the directory server using the syntax algorithm/mode/padding. |
Description |
The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms do not have a mode or padding, hence the fields must be specified using NONE as mode and NoPadding as padding. For example, ChaCha20/NONE/NoPadding. |
Default value |
AES/CBC/PKCS5Padding |
Allowed values |
The cipher transformation. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced |
Yes |
Read-only |
No |
digest-algorithm
Synopsis |
Specifies the preferred message digest algorithm for the directory server. |
Default value |
SHA-256 |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property take effect immediately and only affect cryptographic operations performed after the change. |
Advanced |
Yes |
Read-only |
No |
key-wrapping-mode
Synopsis |
Defines which crypto operation to use to wrap symmetric keys for storage. |
Description |
Symmetric keys are wrapped either by direct encryption or by using the wrap cipher mode, depending on the configured crypto provider capabilities or key type. |
Default value |
encrypt |
Allowed values |
|
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
Yes |
Read-only |
No |
mac-algorithm
Synopsis |
Specifies the preferred MAC algorithm for the directory server. |
Default value |
HmacSHA256 |
Allowed values |
A string. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced |
Yes |
Read-only |
No |
mac-key-length
Synopsis |
Specifies the key length in bits for the preferred MAC algorithm. |
Default value |
128 |
Allowed values |
An integer. Lower limit: 0. |
Multi-valued |
No |
Required |
No |
Admin action required |
None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced |
Yes |
Read-only |
No |