Base64EncodedSecretStore

Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded and hard-coded in the route.

Secrets from Base64EncodedSecretStore never expire.

Important

Use Base64EncodedSecretStore for testing or evaluation only, to store passwords locally. In production, use an alternative secret store.

For a description of how secrets are managed, see About Secrets.

Usage

{
  "name": string,
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": map
  }
}

Properties

"secrets": map, required

A map of one or more secret ID/string pairs:

{
  "secrets": {
    "secret-id": "string",
    ...
  }
}

Each pair has the form "secret-id": "string", where:

  • secret-id is the ID of a secret used in a route

  • string is the base64-encoded value of the secret

In the following example, Base64EncodedSecretStore configures two base64-encoded secrets:

{
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": {
      "agent.password": "d2VsY29tZQ==",
      "crypto.header.key": "Y2hhbmdlaXQ="
    }
  }
}

In the following example, the values of the secrets are provided by a configuration token and a configuration expression, whose values are substituted when the route is loaded:

{
  "type": "Base64EncodedSecretStore",
  "config": {
    "secrets": {
      "agent.password": "&{secret.value|aGVsbG8=}",
      "crypto.header.key": "${readProperties('file.property')['b64.key.value']}"
    }
  }
}
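The two examples above mix hard-coded base64 literals with configuration tokens and expressions. The following added script (not part of IG or this documentation) audits a route file the way a reviewer would before promoting it out of test: it finds every Base64EncodedSecretStore heap object, strictly base64-decodes hard-coded values, and classifies token (`&{name|default}`) and expression (`${...}`) values separately, since those are only substituted when the route is loaded. The sample route is constructed here, and the token/expression matching is a simplified assumption about the syntax shown on this page, not IG's own parser.

```python
import base64, binascii, json, re

# Constructed sample route: the page's two example secret stores merged,
# plus one deliberately malformed value to exercise the validity check.
SAMPLE_ROUTE = json.dumps({"heap": [
    {"name": "Base64EncodedSecretStore-1", "type": "Base64EncodedSecretStore",
     "config": {"secrets": {
         "agent.password": "d2VsY29tZQ==",
         "crypto.header.key": "Y2hhbmdlaXQ=",
         "token.password": "&{secret.value|aGVsbG8=}",
         "expr.key": "${readProperties('file.property')['b64.key.value']}",
         "broken.secret": "not*base64"}}},
    {"name": "AmService-1", "type": "AmService", "config": {}}]})

# &{name} or &{name|default}: a configuration token, substituted at route load
TOKEN_RE = re.compile(r"^&\{(?P<name>[^|}]+)(?:\|(?P<default>[^}]*))?\}$")
# ${...}: a configuration expression, also resolved at route load
EXPR_RE = re.compile(r"^\$\{.*\}$")

def _decode(b64):
    """Strict base64 decode; validate=True rejects non-alphabet characters."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_secret(value):
    """Return (kind, decoded_bytes) for one "secret-id": "string" value.
    kind: 'literal' (hard-coded base64), 'token' (decoded default if any),
    'expression' (value unknown until load), or 'invalid' (bad base64)."""
    m = TOKEN_RE.match(value)
    if m:
        default = m.group("default")
        return "token", (_decode(default) if default else None)
    if EXPR_RE.match(value):
        return "expression", None
    decoded = _decode(value)
    return ("literal", decoded) if decoded is not None else ("invalid", None)

def audit_route(route_json):
    """Classify every secret in each Base64EncodedSecretStore heap object;
    'literal' entries are the hard-coded values to move out before production."""
    findings = {}
    for obj in json.loads(route_json).get("heap", []):
        if obj.get("type") == "Base64EncodedSecretStore":
            for secret_id, value in obj["config"]["secrets"].items():
                findings[secret_id] = classify_secret(value)
    return findings
```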

For information about supported formats for secret-id, see secret-id.

Log Level

To facilitate debugging secrets for the Base64EncodedSecretStore, add a logger to logback.xml defined by the fully qualified package name of the Base64EncodedSecretStore. The following line in logback.xml sets the log level to ALL:

<logger name="org.forgerock.openig.secrets.Base64EncodedSecretStore" level="ALL"/>

Example

In the following example, an AmService acts on behalf of IG to authenticate with AM. IG uses the Base64EncodedSecretStore to retrieve the password for the AmService.

Retrieve a Secret From a Route

Before you start this tutorial:

  1. Set up AM

    1. (For AM 6.5.x and earlier versions) Select Identities > demo, and set the demo user password to Ch4ng31t.

    2. (For AM 6.5.3 and later versions) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:

      • http://openig.example.com:8080/*

      • http://openig.example.com:8080/*?*

    3. Select Applications > Agents > Identity Gateway, and add an agent with the following values:

      • Agent ID: ig_agent

      • Password: password

      Leave all other values as default.

      For AM 6.5.x and earlier versions, set up an agent as described in "Set Up an IG Agent in AM 6.5 and Earlier".

      1. Select Applications > Agents > Java (or J2EE).

      2. Add an agent with the following values:

        • Agent ID: ig_agent

        • Agent URL: http://openig.example.com:8080/agentapp

        • Server URL: http://openam.example.com:8088/openam

        • Password: password

      3. On the Global tab, deselect Agent Configuration Change Notification.

        This option stops IG from being notified about agent configuration changes in AM, because they are not required by IG.

  2. Set up IG:

    1. Add the following route to IG, to serve .css and other static resources for the sample application:

      $HOME/.openig/config/routes/static-resources.json
      %appdata%\OpenIG\config\routes\static-resources.json

      {
        "name" : "sampleapp_resources",
        "baseURI" : "http://app.example.com:8081",
        "condition": "${matches(request.uri.path,'^/css')}",
        "handler": "ReverseProxyHandler"
      }

    2. Add the following route to IG:

      $HOME/.openig/config/routes/base64encodedsecret.json
      %appdata%\OpenIG\config\routes\base64encodedsecret.json

      {
        "heap": [
          {
            "name": "Base64EncodedSecretStore-1",
            "type": "Base64EncodedSecretStore",
            "config":  {
              "secrets": {
                "agent.secret.id": "cGFzc3dvcmQ="
              }
            }
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "http://openam.example.com:8088/openam",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "Base64EncodedSecretStore-1",
              "version": "7",
              "notifications": {
                "enabled": true
              }
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "type": "SingleSignOnFilter",
                "config": {
                  "amService": "AmService-1"
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        },
        "condition": "${matches(request.uri.path, '/home/base64encodedsecret')}",
        "baseURI": "http://app.example.com:8081"
      }

      Notice the following features of the route:

      • The route matches requests to /home/base64encodedsecret.

      • The agent password for AmService is provided by the Base64EncodedSecretStore in the heap.

      • The SingleSignOnFilter manages redirects to AM for authentication, using the IG agent in AmService-1.

  3. Test the setup:

    1. If you are logged in to AM, log out.

    2. Go to http://openig.example.com:8080/home/base64encodedsecret.

      The SingleSignOnFilter redirects the request to AM for authentication.

    3. Log in to AM as user demo, password Ch4ng31t.

      When you have authenticated, the SingleSignOnFilter passes the request to the sample app, which returns the profile page.
