PingIDM 7.5.0

Filesystem secret stores

A filesystem secret store maps to a directory storing an arbitrary number of files that each contain one secret. When filesystem secret stores are used, IDM reads the contents of a file with a name matching the secretId field in the secret store’s mapping list.

Filesystem secret stores are useful to provide secrets from third-party secret stores like AWS Secrets Manager or Google Secrets Manager. They can also be used to separate your secrets from your configuration files.

Filesystem secret stores may be encoded with the following encoding schemes:

  • PLAIN

  • PEM

  • BASE64

  • BASE64URL

The following configuration is an example of a filesystem secret store which is configured to use the /secrets directory and contains a mapping for the idm.admin.password secret:

{
    "name":"secretVolume",
    "class": "org.forgerock.openidm.secrets.config.FileSystemStore",
    "config": {
        "format": "PLAIN",
        "directory": "&{idm.install.dir}/secrets",
        "mappings": [
          {
            "secretId": "idm.admin.password",
            "types": [
              "GENERIC"
            ]
          }
        ]
    }
}

Example: Create a new user type

The following example creates a new type of static user, openidm-super, with a new secret, idm.super.password, kept in the filesystem secret store. To configure the user:

  1. In conf/authentication.json, add the following new user configuration:

    {
        "name": "STATIC_USER",
        "properties": {
            "queryOnResource": "internal/user",
            "username": "openidm-super",
            "password": {
                "$purpose": {
                    "name": "idm.super.password"
                }
            },
            "defaultUserRoles": [
                "internal/role/openidm-authorized",
                "internal/role/openidm-admin"
            ],
            "enabled": true
        }
    }
  2. In conf/secrets.json, add a new mapping for the idm.super.password secret:

    {
        "secretId": "idm.super.password",
        "format": "PLAIN",
        "types": [
            "GENERIC"
        ]
    }
    The format parameter is optional. It only needs to be used if the secret is encoded using a different scheme than the rest of the secret volume.
  3. In the directory that you have configured to be your filesystem secret store, create a file named idm.super.password and populate it with your secret data.

Configure purpose versions

The filesystem secret store supports multiple versions of the same purpose. To configure this, specify the versionSuffix property in the store’s definition in conf/secrets.json. The following example adds the .v suffix to a purpose called idm.pem.purpose:

{
  "name": "pemStore",
  "class": "org.forgerock.openidm.secrets.config.FileSystemStore",
  "config": {
    "format": "PEM",
    "directory": "&{idm.install.dir}/secrets",
    "versionSuffix": ".v",
    "mappings": [
      {
        "secretId": "idm.pem.purpose",
        "types": [
          "ENCRYPT",
          "DECRYPT"
        ]
      }
    ]
  }
}

Once versionSuffix is defined, you can version your purpose files by adding it to the file name. Following the example above, the files could be named idm.pem.purpose.v1, idm.pem.purpose.v2, and so on. The highest version number is the active secret.

Copyright © 2010-2024 ForgeRock, all rights reserved.