KeyManager
The configuration of a Java Secure Socket Extension KeyManager to manage private keys for IG. The configuration references the keystore that holds the keys.
When IG acts as a server, it uses a KeyManager to prove its identity to the client. When IG acts as a client, it uses a KeyManager to prove its identity to the server.
Usage
{
  "name": string,
  "type": "KeyManager",
  "config": {
    "keystore": KeyStore reference,
    "passwordSecretId": configuration expression<secret-id>,
    "alg": configuration expression<string>,
    "secretsProvider": SecretsProvider reference,
    "password": string // deprecated
  }
}
Properties
"keystore": KeyStore reference, required
The KeyStore that references the store for key certificates. When keystore is used in a KeyManager, it queries for private keys; when keystore is used in a TrustManager, it queries for certificates. Provide either the name of the KeyStore object defined in the heap, or an inline KeyStore configuration object.
When ClientHandler or ReverseProxyHandler use keystore in web container mode, the keystore can be different from the one used by the web container. See also KeyStore.

"passwordSecretId": configuration expression<secret-id>, required
The secret ID of the password required to read private keys from the KeyStore.

"alg": configuration expression<string>, optional
The certificate algorithm to use.
Default: the default for the platform, such as SunX509. See also Expressions.

"secretsProvider": SecretsProvider reference, optional
The SecretsProvider to query for the keystore password. For more information, see SecretsProvider.
Default: the route's default secret service. For more information, see Default secrets object.

"password": string, required
The use of this property is deprecated; use passwordSecretId instead. For more information, refer to Deprecation. The password to read private keys from the keystore.
Example
The following example configures a KeyManager that depends on a KeyStore configuration. The KeyManager and KeyStore passwords are provided by Java system properties or environment variables, and retrieved by the SystemAndEnvSecretStore. By default, the password values must be base64-encoded.
{
  "name": "MyKeyManager",
  "type": "KeyManager",
  "config": {
    "keystore": {
      "type": "KeyStore",
      "config": {
        "url": "file://${env['HOME']}/keystore.jks",
        "passwordSecretId": "keymanager.keystore.secret.id",
        "secretsProvider": "SystemAndEnvSecretStore"
      }
    },
    "passwordSecretId": "keymanager.secret.id",
    "secretsProvider": "SystemAndEnvSecretStore"
  }
}
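As an added illustration (not part of the IG documentation or product), the following shell script shows how the two secret IDs in the example above are supplied to SystemAndEnvSecretStore through environment variables, base64-encoded as the text requires, and how to check that they resolve before starting IG. It assumes the store maps a secret ID to an environment variable by upper-casing it and replacing dots with underscores, and it uses a constructed password value.

```shell
#!/bin/sh
# Added example, not from the IG documentation.
# Assumption: SystemAndEnvSecretStore looks up a secret ID as an environment
# variable named by upper-casing the ID and turning dots into underscores.

# Map a secret ID such as keymanager.secret.id to KEYMANAGER_SECRET_ID.
secret_env_name() {
  printf '%s' "$1" | tr '[:lower:].' '[:upper:]_'
}

# Base64-encode a cleartext password, which is the form the store expects by default.
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Resolve a secret ID from the environment and decode it.
# Fails (non-zero) when the variable is unset or does not hold valid base64.
resolve_secret() {
  name=$(secret_env_name "$1")
  eval "value=\${$name:-}"
  [ -n "$value" ] || { echo "secret $1 ($name) is not set" >&2; return 1; }
  printf '%s' "$value" | base64 -d 2>/dev/null \
    || { echo "secret $1 ($name) is not valid base64" >&2; return 1; }
}

# Constructed sample values for the two secret IDs used in the example route:
# one for the KeyStore password, one for the KeyManager (private key) password.
KEYMANAGER_KEYSTORE_SECRET_ID=$(encode_secret 'changeit')
KEYMANAGER_SECRET_ID=$(encode_secret 'changeit')
export KEYMANAGER_KEYSTORE_SECRET_ID KEYMANAGER_SECRET_ID

# Optional pre-flight check: confirm the keystore opens with the resolved
# store password. Skipped when keytool is not installed.
check_keystore() {
  command -v keytool >/dev/null 2>&1 \
    || { echo "keytool not found, skipping keystore check" >&2; return 0; }
  keytool -list -keystore "$1" \
    -storepass "$(resolve_secret keymanager.keystore.secret.id)" >/dev/null
}

# Both IDs referenced by the example configuration must resolve.
resolve_secret keymanager.keystore.secret.id >/dev/null
resolve_secret keymanager.secret.id >/dev/null
```

Run `check_keystore "$HOME/keystore.jks"` against the keystore referenced by the example's url to confirm the decoded password opens it.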