KeyManager
The configuration of a Java Secure Socket Extension KeyManager to manage private keys for IG. The configuration references the keystore that holds the keys.
When IG acts as a server, it uses a KeyManager to prove its identity to the client. When IG acts as a client, it uses a KeyManager to prove its identity to the server.
Usage
{
"name": string,
"type": "KeyManager",
"config": {
"keystore": KeyStore reference,
"passwordSecretId": configuration expression<secret-id>,
"alg": configuration expression<string>,
"secretsProvider": SecretsProvider reference
}
}
Properties
"keystore"
: KeyStore reference, required-
The KeyStore that references the store for key certificates. When
keystore
is used in a KeyManager, it queries for private keys; whenkeystore
is used in a TrustManager, it queries for certificates.Provide either the name of the KeyStore object defined in the heap, or an inline KeyStore configuration object.
In web container mode, when ClientHandler or ReverseProxyHandler use
keystore
, the keystore can be different to that used by the web container.See also KeyStore.
"passwordSecretId"
: configuration expression<secret-id>, required-
The secret ID of the password required to read private keys from the KeyStore.
"alg"
: configuration expression<string>, optional-
The certificate algorithm to use.
Default: the default for the platform, such as
SunX509
.See also Expressions.
"secretsProvider"
: SecretsProvider reference, optional-
The SecretsProvider to query for the keystore password. For more information, see SecretsProvider.
Default: The route’s default secret service. For more information, see Default Secrets Object.
Example
The following example configures a KeyManager that depends on a KeyStore configuration. The KeyManager and KeyStore passwords are provided by Java system properties or environment variables, and retrieved by the SystemAndEnvSecretStore. By default, the password values must be base64-encoded.
{
"name": "MyKeyManager",
"type": "KeyManager",
"config": {
"keystore": {
"type": "KeyStore",
"config": {
"url": "file://${env['HOME']}/keystore.jks",
"passwordSecretId": "keymanager.keystore.secret.id",
"secretsProvider": "SystemAndEnvSecretStore"
}
},
"passwordSecretId": "keymanager.secret.id",
"secretsProvider": "SystemAndEnvSecretStore"
}
}