Property-based secret stores
IDM servers can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.
The following example configures a property-based secret store, and adds an RSA PEM secret whose purpose is to encrypt and decrypt managed user passwords:
1. Add a PropertyBasedStore secret store definition to your conf/secrets.json file:

       {
           "name": "pemStore",
           "class": "org.forgerock.openidm.secrets.config.PropertyBasedStore",
           "config": {
               "format": "PEM",
               "algorithm": "RSA",
               "mappings": [
                   {
                       "secretId": "idm.pem.purpose",
                       "types": [ "ENCRYPT", "DECRYPT" ]
                   }
               ]
           }
       }

2. Create an RSA PEM key:

       openssl genrsa -out private-key.pem 3072

3. Display the private key. For example:

       more private-key.pem
       -----BEGIN RSA PRIVATE KEY-----
       MIIG4w…lrDgao
       -----END RSA PRIVATE KEY-----

4. Convert the PEM file to a single line, replacing each line break with the two-character escape sequence \n (backslash, n). You can do this in a text editor or, on UNIX systems, with awk:

       awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' private-key.pem
       -----BEGIN RSA PRIVATE KEY-----\nMIIG4w…lrDgao\n-----END RSA PRIVATE KEY-----\n%

   The awk command strips carriage returns, skips blank lines and prints every remaining line followed by a literal \n. The trailing % in the output is the shell prompt (the output has no final newline); it is not part of the key.

5. Copy the single-line private key and paste it into your resolver/boot.properties file as the value of the secretId that you specified in Step 1. For example:

       idm.pem.purpose=-----BEGIN RSA PRIVATE KEY-----\nMIIG4w...lrDgao\n-----END RSA PRIVATE KEY-----\n

6. Modify the encryption purpose for the managed user password in your managed object configuration to use the PropertyBasedStore secret store that you created in Step 1:

       "password" : {
           "title" : "Password",
           "description" : "Password",
           "type" : "string",
           "viewable" : false,
           "searchable" : false,
           "userEditable" : true,
           "encryption" : {
               "purpose" : "idm.pem.purpose",
               "cipher" : "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
           }
           ...
       }
IDM now encrypts and decrypts passwords with the RSA PEM key.
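The flattening step above is easy to get wrong by hand (a stray shell prompt, a real line break, a missing final \n), and a malformed value only surfaces later as a decryption failure. The following Python script is an added example, not IDM's own code or part of the original page: it reproduces what the awk one-liner does, reverses it (assuming, as with a Java-properties-style loader, that the literal \n escapes are turned back into newlines when the file is read), and checks a flattened value before building the boot.properties line. The PEM body is a constructed placeholder, not a real key; the key type, marker strings and the secret ID are taken from the procedure above.

```python
import re

# Constructed sample PEM with a placeholder body (NOT a real key); it includes
# a CRLF line ending and a blank line to exercise the same cases awk handles.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "MIIG4wPLACEHOLDERLINE1\r\n"
    "\r\n"
    "PLACEHOLDERLINE2lrDgao\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)

BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
END = "-----END RSA PRIVATE KEY-----"


def pem_to_property_value(pem_text: str) -> str:
    """Flatten a PEM file to one line the way the awk one-liner does: strip
    carriage returns, skip blank lines (awk's NF test) and append the two
    characters backslash + n after every remaining line."""
    lines = [line.replace("\r", "") for line in pem_text.split("\n")]
    return "".join(line + "\\n" for line in lines if line.strip())


def property_value_to_pem(value: str) -> str:
    """Reverse the flattening: a properties loader that understands the \\n
    escape (assumed here) yields exactly this text when it reads the value."""
    return value.replace("\\n", "\n")


def check_property_value(value: str) -> list:
    """Return a list of problems found in a flattened key; empty means OK."""
    problems = []
    if "\n" in value or "\r" in value:
        problems.append("value contains a real line break; it must be one line")
    if not value.startswith(BEGIN + "\\n"):
        problems.append("value does not start with the BEGIN marker")
    if not value.endswith(END + "\\n"):
        problems.append("value does not end with the END marker followed by \\n "
                        "(stray characters such as a pasted shell prompt?)")
    if not problems:
        # Body between the markers must be base64 lines, each ending in \n.
        body = value[len(BEGIN) + 2 : -(len(END) + 2)]
        if not re.fullmatch(r"([A-Za-z0-9+/=]+\\n)+", body):
            problems.append("key body is not base64 lines separated by \\n")
    return problems


def boot_properties_line(secret_id: str, value: str) -> str:
    """Build the line to paste into resolver/boot.properties, refusing a
    value that fails the checks above."""
    problems = check_property_value(value)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{secret_id}={value}"


if __name__ == "__main__":
    flat = pem_to_property_value(SAMPLE_PEM)
    print(boot_properties_line("idm.pem.purpose", flat))
    # A value with the shell prompt pasted along with it is rejected:
    print(check_property_value(flat + "%"))
```

Run it against a real private-key.pem by replacing SAMPLE_PEM with the file's contents; the round trip through property_value_to_pem should give back the original PEM (minus carriage returns and blank lines) before the value goes into boot.properties.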