Crypto Manager
The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.
Crypto Manager Properties
You can use configuration expressions to set property values at startup time. For details, see Property Value Substitution.
Basic Properties | Advanced Properties | ||||||||
---|---|---|---|---|---|---|---|---|---|
|
|
Basic Properties
key-manager-provider
Synopsis | The name of the key manager containing the master key-pair and any deprecated master key. |
Description | The master key, which is identified using the "master-key-alias" property, will be used for encrypting secrets that are generated and distributed across the deployment. Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The alias must correspond to a PrivateKeyEntry in the keystore and is typically an RSA key-pair. |
Default Value | None |
Allowed Values | The name of an existing Key Manager Provider . The referenced key manager provider must be enabled. |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
key-wrapping-transformation
Synopsis | The preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology. |
Default Value | RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change. |
Advanced | No |
Read-Only | No |
master-key-alias
Synopsis | The alias of the master key-pair which should be used for encrypting secrets that are generated and distributed across the deployment. |
Description | Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The master key alias reference a PrivateKeyEntry in the keystore which is typically an RSA key-pair. |
Default Value | None |
Allowed Values | A string. |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced | No |
Read-Only | No |
Advanced Properties
Use the --advanced
option to access advanced properties.
cipher-key-length
Synopsis | Specifies the key length in bits for the preferred cipher. |
Default Value | 128 |
Allowed Values | An integer. Lower limit: 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced | Yes |
Read-Only | No |
cipher-transformation
Synopsis | Specifies the cipher for the directory server using the syntax algorithm/mode/padding. |
Description | The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding. |
Default Value | AES/CBC/PKCS5Padding |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced | Yes |
Read-Only | No |
digest-algorithm
Synopsis | Specifies the preferred message digest algorithm for the directory server. |
Default Value | SHA-256 |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property take effect immediately and only affect cryptographic operations performed after the change. |
Advanced | Yes |
Read-Only | No |
mac-algorithm
Synopsis | Specifies the preferred MAC algorithm for the directory server. |
Default Value | HmacSHA256 |
Allowed Values | A string. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced | Yes |
Read-Only | No |
mac-key-length
Synopsis | Specifies the key length in bits for the preferred MAC algorithm. |
Default Value | 128 |
Allowed Values | An integer. Lower limit: 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
Advanced | Yes |
Read-Only | No |