KeyStoreSecretStore
Manages a secret store for cryptographic keys and certificates, based on a standard Java KeyStore.
The KeyStore is typically a file-based PKCS12 KeyStore. Legacy proprietary formats such as JKS and JCEKS are supported, but they implement weak encryption and integrity protection mechanisms. Consider not using them for new functionality.
Secrets from KeyStoreSecretStore have a non-configurable lease duration of five minutes. The secret can be used for five minutes before it is refreshed or discarded.
For a description of how secrets are managed, see About Secrets.
Usage
{
  "name": string,
  "type": "KeyStoreSecretStore",
  "config": {
    "file": configuration expression<string>,
    "storeType": configuration expression<string>,
    "storePassword": configuration expression<string>,
    "keyEntryPassword": configuration expression<string>,
    "secretsProvider": SecretsProvider reference,
    "mappings": [ configuration object, ... ]
  }
}
Properties
"file": configuration expression<string>, required
The path to the KeyStore file.

"storeType": storeType reference, optional
The KeyStore type. For a list of types, see KeyStore Types.
Default: When this property is not configured, the type is given by the KeyStore file extension, as follows:

Extension                                        Type
.jks                                             JKS
.jceks                                           JCEKS
.p12, .pfx, .pkcs12, and all other extensions    PKCS12
"storePassword": configuration expression<secret-id>, required
The secret ID of the password to access the KeyStore.
IG searches for the value of the password until it finds it: first locally, then in parent routes, then in config.json. For information about supported formats for secret-id, see secret-id.

"keyEntryPassword": configuration expression<secret-id>, optional
The secret ID of the password to access entries in the KeyStore.
When this property is used, the password must be the same for all entries in the KeyStore. If a JKS KeyStore uses different passwords for its entries, keyEntryPassword does not work. For information about supported formats for secret-id, see secret-id.
Default: The value of storePassword
"secretsProvider": SecretsProvider reference, optional
The SecretsProvider object to query for the KeyStore password and key entry password. For more information, see "SecretsProvider".
Default: The route's default secret service. For more information, see "Default Secrets Object".
"mappings": array of objects, required
One or more mappings of one secret ID to one or more aliases. The secret store uses the mappings as follows:
When the secret is used to create signatures or encrypt values, the secret store uses the active secret, which is the first alias in the list.
When the secret is used to verify signatures or decrypt data, the secret store tries all of the mapped aliases in order, starting with the first, and stopping when it finds a secret that successfully verifies the signature or decrypts the data.

"mappings": [
  {
    "secretId": "id.key.for.signing.jwt",
    "aliases": [ "SigningKeyAlias", "AnotherSigningKeyAlias" ]
  },
  {
    "secretId": "id.key.for.encrypting.jwt",
    "aliases": [ "EncryptionKeyAlias" ]
  }
]

secretId: configuration expression<secret-id>, required
The ID of the secret used in your configuration. For information about supported formats for secret-id, see secret-id.

aliases: array of configuration expression<string>, required
One or more aliases for the secret ID.
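The alias-ordering rule above is what makes key rotation work: new signatures always use the first alias, while verification still accepts material signed under an alias that has been moved later in the list. The following added example (not IG's code and not from the original page) simulates that rule in Python with HMAC keys. The KEYSTORE dict is a constructed stand-in for the aliases a real PKCS12 file would hold; the mappings are the ones shown above, and the function names are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed stand-in for the entries of a PKCS12 KeyStore (alias -> HMAC key).
# A real KeyStoreSecretStore loads these from the file named by "file"; this dict
# is an assumption so that the example runs offline.
KEYSTORE = {
    "SigningKeyAlias": b"new-signing-key-after-rotation--",
    "AnotherSigningKeyAlias": b"old-signing-key-before-rotation-",
    "EncryptionKeyAlias": b"encryption-key-not-used-here----",
}

# The "mappings" from the configuration above, as a Python literal.
MAPPINGS = [
    {"secretId": "id.key.for.signing.jwt",
     "aliases": ["SigningKeyAlias", "AnotherSigningKeyAlias"]},
    {"secretId": "id.key.for.encrypting.jwt",
     "aliases": ["EncryptionKeyAlias"]},
]


def aliases_for(secret_id):
    """Return the ordered alias list mapped to a secret ID."""
    for mapping in MAPPINGS:
        if mapping["secretId"] == secret_id:
            return mapping["aliases"]
    raise KeyError(f"no mapping for secret ID {secret_id!r}")


def active_key(secret_id):
    """The active secret: the first alias in the list (used for signing)."""
    return KEYSTORE[aliases_for(secret_id)[0]]


def valid_keys(secret_id):
    """All mapped aliases in list order (tried in turn for verification)."""
    return [(alias, KEYSTORE[alias]) for alias in aliases_for(secret_id)]


def sign_with_key(key, message):
    """HMAC-SHA256 tag under an explicit key (used to simulate old tokens)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def sign(secret_id, message):
    """Sign with the active secret only."""
    return sign_with_key(active_key(secret_id), message)


def verify(secret_id, message, tag):
    """Try every mapped alias in order; return the first alias that verifies,
    or None when no mapped key matches (e.g. a key that was retired and
    removed from the mapping)."""
    for alias, key in valid_keys(secret_id):
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return alias
    return None


if __name__ == "__main__":
    sid = "id.key.for.signing.jwt"
    msg = b"header.payload"
    # A token issued after rotation verifies under the active alias.
    print(verify(sid, msg, sign(sid, msg)))
    # A token issued before rotation still verifies, via the second alias.
    old_tag = sign_with_key(KEYSTORE["AnotherSigningKeyAlias"], msg)
    print(verify(sid, msg, old_tag))
    # A key that is not mapped at all is rejected.
    print(verify(sid, msg, sign_with_key(b"unmapped-key", msg)))
```

To retire the old key, remove its alias from the list (or the entry from the KeyStore); the verification loop then rejects anything it signed, which is the check to run before deleting rotated material.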
Log Level
To facilitate debugging secrets for the KeyStoreSecretStore, add a logger to logback.xml defined by the fully qualified package name of the KeyStoreSecretStore. The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.secrets.keystore" level="ALL" />
Example
For examples of routes that use KeyStoreSecretStore, see the examples in "JwtBuilderFilter".