COMMONS-227

Platform Secrets


Details

    Type: Epic
    Status: Closed
    Priority: Blocker
    Resolution: Unresolved
    Component/s: Secrets
    Epic Name: Platform Secrets
    Epic Status: Done
    Medium
    N/A

    Description

      Overview

      Design and implement secrets management across the ForgeRock platform. 

      Detailed requirements, MVP definition and background: https://wikis.forgerock.org/confluence/display/PM/Platform+Secrets+Management

      Types of Secrets

      1. System credentials such as LDAP, database and SMTP usernames and passwords, and API keys
      2. Cryptographic keys, e.g. for signing SAML assertions or encrypting traffic between servers; SSH and TLS private keys
      3. OAuth2 / OIDC client credentials
      4. System-wide random pepper values used in password hashing
      5. Related metadata: usage restrictions, X.509 certificates, etc.

      MVP

      1. MUST provide a way to attach secret objects to configuration
      2. MUST follow a documented and approved process for ensuring operational continuity in the event of key compromise, key recovery or scheduled rotation. If the secret backend performs key rotation itself, the impact on the products must be minimal
      3. MUST integrate with HSMs
      4. MUST integrate with Vault
      5. MUST replace all secrets sourced from configuration with parameterized tokens
      6. MUST replace all OAuth2/OIDC agent credentials with parameterized tokens
      7. MUST provide secrets metadata to identify the type of secret backend in use
      8. MUST provide options for sourcing secrets from either files or environment variables
      9. Secrets only visible within specific Docker containers MUST be passed in file-format (using Docker secrets)
      10. Every secret that can be supplied via environment variables MUST be able to be supplied via files as well
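      As an added example (not ForgeRock code), a small Python resolver shows how MVP items 5, 7, 8, 9 and 10 fit together: configuration carries a parameterized token instead of the secret value, and the value is sourced from the file named by a NAME_FILE variable, from a Docker secrets directory, or from the NAME environment variable, with metadata recording which backend supplied it. The `${secret:NAME}` token syntax, the NAME_FILE convention, the `/run/secrets` default and the sample deployment built by `demo()` are assumptions for this example, not the platform's documented behaviour.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed token syntax for this example: ${secret:NAME}. Configuration files
# carry the token, never the value, so a config dump or VCS commit does not
# leak the secret (MVP item 5).
TOKEN_RE = re.compile(r"\$\{secret:([A-Z][A-Z0-9_]*)\}")


@dataclass(frozen=True)
class Secret:
    name: str
    value: str
    backend: str  # metadata identifying the backend in use (MVP item 7)


class SecretResolver:
    """Resolve NAME by trying, in order:
      1. the file named by the NAME_FILE environment variable,
      2. <secrets_dir>/NAME, the Docker secrets layout (default /run/secrets),
      3. the NAME environment variable itself.
    File sources come first because environment variables are readable from
    /proc/<pid>/environ and inherited by every child process; the env form is
    kept only as a fallback so that every secret also has a file form (item 10).
    """

    def __init__(self, env=None, secrets_dir="/run/secrets"):
        self.env = os.environ if env is None else env
        self.secrets_dir = Path(secrets_dir)

    def resolve(self, name):
        file_var = f"{name}_FILE"
        if file_var in self.env and name in self.env:
            # Ambiguous deployment: refuse rather than silently pick one.
            raise ValueError(f"both {name} and {file_var} are set")
        if file_var in self.env:
            return Secret(name, _read_secret_file(Path(self.env[file_var])), "file")
        docker_path = self.secrets_dir / name
        if docker_path.is_file():
            return Secret(name, _read_secret_file(docker_path), "docker-secret")
        if name in self.env:
            return Secret(name, self.env[name], "env")
        raise KeyError(f"secret {name!r} not found in any configured backend")

    def render(self, config_text):
        """Substitute every token. Returns (rendered text, {name: backend});
        the metadata map is safe to log, the rendered text is not."""
        used = {}

        def substitute(match):
            secret = self.resolve(match.group(1))
            used[secret.name] = secret.backend
            return secret.value

        return TOKEN_RE.sub(substitute, config_text), used


def _read_secret_file(path):
    # Docker secrets and most editors add one trailing newline; strip only
    # that, so a value with intentional inner whitespace survives intact.
    data = path.read_bytes()
    if data.endswith(b"\n"):
        data = data[:-1]
    return data.decode("utf-8")


def demo(root=None):
    """Constructed sample deployment (not a real one): one Docker-style secret,
    one NAME_FILE secret, one plain environment variable, and a config that
    references all three through tokens."""
    base = Path(root or tempfile.mkdtemp(prefix="platform-secrets-"))
    secrets_dir = base / "run_secrets"  # stands in for /run/secrets
    secrets_dir.mkdir(parents=True, exist_ok=True)
    (secrets_dir / "LDAP_PASSWORD").write_text("s3cr3t-ldap\n")
    smtp_file = base / "smtp.pass"
    smtp_file.write_text("smtp-pw")
    env = {"SMTP_PASSWORD_FILE": str(smtp_file), "API_KEY": "env-api-key"}

    config = (
        "ldap.bindPassword=${secret:LDAP_PASSWORD}\n"
        "smtp.password=${secret:SMTP_PASSWORD}\n"
        "api.key=${secret:API_KEY}\n"
    )
    return SecretResolver(env=env, secrets_dir=secrets_dir).render(config)


if __name__ == "__main__":
    rendered, backends = demo()
    # Log only the metadata, never the rendered values.
    print(backends)  # {'LDAP_PASSWORD': 'docker-secret', 'SMTP_PASSWORD': 'file', 'API_KEY': 'env'}
```

      The resolver deliberately errors when both NAME and NAME_FILE are set, so a misconfigured container cannot quietly fall back to the environment-variable form, and `render()` reports only which backend served each secret so that the information needed for rotation and troubleshooting can be logged without the values themselves.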

      Out of scope

      1. Dynamic secret generation for the duration of script execution

      Related:

      https://docs.google.com/document/d/1-bG4DMIU2xmZab4eHQ9h58wZNAKN4sygcj-3QI2iP40

People

    neil.madden Neil Madden
    javed.shah Javed Shah (Inactive)
    Votes: 1
    Watchers: 4