PingGateway 2024.6


Manage a store of secrets held in files, specified as follows:

  • Each file must contain only one secret.

  • The file must be in the directory specified by the property "directory".

  • The filename must match the "mappings" property "secretId".

  • The file content must match the "mappings" property "format". For example, if the mapping specifies BASE64, the file content must be base64-encoded.

This secret store can manage secrets of both GenericSecret and CryptoKey types when used with dedicated formats.

Secrets are read lazily from the filesystem.

The secrets provider queries the FileSystemSecretStore for a named secret, identified by the name of a file in the specified directory, without the prefix/suffix defined in the store configuration. The FileSystemSecretStore returns the secret that exactly matches the name.

The secrets provider builds the secret, checking that the secret’s constraints are met, and returns a unique secret. If the secret’s constraints are not met, the secrets provider cannot build the secret and the secret query fails.

For a description of how secrets are managed, refer to About secrets.
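The file rules above can be checked before the gateway starts. The following preflight audit is an added example, not PingGateway code: the function names and sample files are hypothetical, it assumes every secret uses the default BASE64 format and that surrounding whitespace in a file is not part of the secret, and the permission check is an extra hardening step rather than a documented requirement.

```python
import base64, binascii, os, stat, tempfile
from pathlib import Path

def audit_secret_dir(directory, secret_ids, suffix=""):
    """Return (secret_id, problem) findings; an empty list means every check passed."""
    root = Path(directory)
    findings = []
    for sid in secret_ids:
        path = root / f"{sid}{suffix}"  # page rule: file name = secret ID + suffix
        if not path.is_file():
            # The store checks the directory itself, never its subdirectories.
            nested = [p for p in root.rglob(path.name) if p.is_file()]
            why = "only in a subdirectory (not searched)" if nested else "file missing"
            findings.append((sid, why))
            continue
        try:
            # Assumption: surrounding whitespace/newline is not part of the secret.
            base64.b64decode(path.read_bytes().strip(), validate=True)
        except (binascii.Error, ValueError):
            findings.append((sid, "content is not valid BASE64"))
        # Added hardening check, not a documented PingGateway requirement.
        if stat.S_IMODE(path.stat().st_mode) & 0o077:
            findings.append((sid, "readable by group or others"))
    return findings

def demo():
    """Build a constructed secrets directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        def put(rel, data, mode=0o600):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.chmod(p, mode)
        put("good.id.b64", base64.b64encode(b"constructed-secret") + b"\n")
        put("raw.id.b64", b"not base64!")
        put("open.id.b64", base64.b64encode(b"x"), mode=0o644)
        put("sub/nested.id.b64", base64.b64encode(b"y"))
        ids = ["good.id", "raw.id", "open.id", "nested.id", "absent.id"]
        return audit_secret_dir(root, ids, suffix=".b64")

if __name__ == "__main__":
    for sid, problem in demo():
        print(f"{sid}: {problem}")
```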


{
  "name": string,
  "type": "FileSystemSecretStore",
  "config": {
    "directory": configuration expression<string>,
    "format": SecretPropertyFormat reference,
    "suffix": configuration expression<string>,
    "mappings": [ object, ... ],
    "leaseExpiry": configuration expression<duration>,
    "autoRefresh": object
  }
}


"directory": configuration expression<string>, required

File path to a directory containing secret files. This object checks the specified directory, but not its subdirectories.

"format": SecretPropertyFormat reference, optional

Format in which the secret is stored. Use one of the following values or formats:

Default: BASE64

"suffix": configuration expression<string>, optional

File suffix.

When set, the FileSystemSecretStore will append that suffix to the secret ID and try to find a file with the mapped name.

Default: None

"mappings": array of objects, optional

One or more mappings to define a secret:

"secretId": configuration expression<secret-id>, required

The ID of the secret used in your configuration.

"format": SecretPropertyFormat reference, required

The format and algorithm of the secret. Use SecretKeyPropertyFormat or PemPropertyFormat.

"leaseExpiry": configuration expression<duration>, optional

The amount of time that secrets produced by this store can be cached before they must be refreshed.

If the duration is zero or unlimited, PingGateway issues a warning, and uses the default value.

Default: 5 minutes

"autoRefresh": object, optional

Automatically reload the FileSystemSecretStore when a file is edited or deleted in the directory given by "directory".

When "autoRefresh" is triggered, secrets and keys are refreshed even if the "leaseExpiry" has not expired. When "autoRefresh" is triggered, the "leaseExpiry" is reset.

{
  "enabled": configuration expression<boolean>,
  "executor": ScheduledExecutorService reference
}

"enabled": configuration expression<boolean>, optional

Flag to enable or disable automatic reload:

  • true: Enable

  • false: Disable

Default: true

"executor": ScheduledExecutorService reference, optional

A ScheduledExecutorService to monitor the filesystem.

Default: The default ScheduledExecutorService in the heap

Log level

To facilitate debugging secrets for the FileSystemSecretStore, in logback.xml add a logger defined by the fully qualified package name of the property resolver. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.secrets.propertyresolver" level="ALL"/>


For an example that uses FileSystemSecretStore, refer to Pass runtime data in a JWT signed with a PEM.

Copyright © 2010-2024 ForgeRock, all rights reserved.