org.forgerock.opendj.security

Class KeyStoreParameters

java.lang.Object

org.forgerock.opendj.security.KeyStoreParameters

All Implemented Interfaces:

KeyStore.LoadStoreParameter

public final class KeyStoreParameters
extends Object
implements KeyStore.LoadStoreParameter

The parameters which configure how the LDAP key store will be accessed. The connection factory should be configured to return connections which are already authenticated as a user having sufficient privileges to read and update LDAP key store entries. In addition, the factory should use connection pooling in order to avoid excessive reconnection when the key store is accessed frequently.

Field Summary

Fields

Modifier and Type	Field and Description
static org.forgerock.util.Option<KeyStoreObjectCache>	CACHE The caching mechanism that the key store will use.
static org.forgerock.util.Option<ExternalKeyWrappingStrategy>	EXTERNAL_KEY_WRAPPING_STRATEGY An alternative external mechanism for wrapping private and secret keys in the key store.
static org.forgerock.util.Option<org.forgerock.util.Factory<char[]>>	GLOBAL_PASSWORD The optional password which is used to protect all private and secret keys.
static org.forgerock.util.Option<Integer>	PBKDF2_ITERATIONS The number of iterations to use when deriving encryption keys from passwords using PBKDF2.
static org.forgerock.util.Option<Integer>	PBKDF2_SALT_SIZE The number of random bytes to use as the salt when deriving encryption keys from passwords using PBKDF2.

Method Summary

Modifier and Type	Method and Description
KeyStore.ProtectionParameter	getProtectionParameter()
static KeyStoreParameters	newKeyStoreParameters(ConnectionFactory factory, DN baseDN) Creates a set of LDAP key store parameters with default options.
static KeyStoreParameters	newKeyStoreParameters(ConnectionFactory factory, DN baseDN, org.forgerock.util.Options options) Creates a set of LDAP key store parameters with custom options.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

GLOBAL_PASSWORD

public static final org.forgerock.util.Option<org.forgerock.util.Factory<char[]>> GLOBAL_PASSWORD

The optional password which is used to protect all private and secret keys. Note that individual keys may be protected by a separate password. The default value for this option is a password factory which always returns null, indicating that there is no global password and that separate passwords should be used instead.

Applications should provide a factory which always returns a new instance of the same password. The LDAP key store will destroy the contents of the returned password after each use. It is the responsibility of the factory to protect the in memory representation of the password between successive calls.

See Also:

OpenDJProvider.newClearTextPasswordFactory(char[])

CACHE

public static final org.forgerock.util.Option<KeyStoreObjectCache> CACHE

The caching mechanism that the key store will use. Caching can significantly increase performance by reducing interactions with the backend LDAP server(s), at the risk of returning stale key store objects for a period of time. By default caching is disabled.

See Also:

OpenDJProvider.newKeyStoreObjectCacheFromMap(java.util.Map)

PBKDF2_ITERATIONS

public static final org.forgerock.util.Option<Integer> PBKDF2_ITERATIONS

The number of iterations to use when deriving encryption keys from passwords using PBKDF2. The default is 10000 as recommended by NIST.

PBKDF2_SALT_SIZE

public static final org.forgerock.util.Option<Integer> PBKDF2_SALT_SIZE

The number of random bytes to use as the salt when deriving encryption keys from passwords using PBKDF2. The default is 16.

EXTERNAL_KEY_WRAPPING_STRATEGY

public static final org.forgerock.util.Option<ExternalKeyWrappingStrategy> EXTERNAL_KEY_WRAPPING_STRATEGY

An alternative external mechanism for wrapping private and secret keys in the key store. By default, the key store will use its own mechanism based on PBKDF2 and a global password if provided.

Method Detail

newKeyStoreParameters

public static KeyStoreParameters newKeyStoreParameters(ConnectionFactory factory,
                                                       DN baseDN)

Creates a set of LDAP key store parameters with default options. See the class Javadoc for more information about the parameters.

Parameters:

factory - The LDAP connection factory.

baseDN - The DN of the subtree containing the LDAP key store.

Returns:

The key store parameters.

newKeyStoreParameters

public static KeyStoreParameters newKeyStoreParameters(ConnectionFactory factory,
                                                       DN baseDN,
                                                       org.forgerock.util.Options options)

Creates a set of LDAP key store parameters with custom options. See the class Javadoc for more information about the parameters.

Parameters:

factory - The LDAP connection factory.

baseDN - The DN of the subtree containing the LDAP key store.

options - The optional key store parameters, including the cache configuration, key store password, and crypto parameters. The supported options are defined in this class.

Returns:

The key store parameters.

getProtectionParameter

public KeyStore.ProtectionParameter getProtectionParameter()

Specified by:

getProtectionParameter in interface KeyStore.LoadStoreParameter