OPENDJ-6929: Support storing ads-certificate key-pair and other instance public keys in an HSM

Details

    • Type: Improvement
    • Status: QA Backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.2
    • Fix Version/s: 6.5.3
    • Component/s: replication, security
    • Labels: None
    • Story Points: 0.5
    • Support Ticket IDs:

      Description

      The trust store backend (db/ads-truststore) assumes a file-based keystore is configured. A small patch would allow users to configure the trust store backend to use a PKCS11 keystore instead.
      Once patched, the user just needs to configure the truststore backend's keystore type to "PKCS11", the keystore file to any existing file (although it will never be read), and the PIN to the HSM PIN. Some HSMs do not provide the ability to generate new key-pairs via PKCS11, so users will have to create the ads-certificate key-pair (RSA self-signed cert with 2048 bits) themselves and import it into the HSM.
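The description turns on one JCA detail: a keystore of type "PKCS11" is opened through the HSM's provider with `load(null, pin)`, so the configured keystore file is never read and the password field carries the HSM PIN. The following is an added example written for this page, not OpenDJ's own code. It contrasts the file-based load with the PKCS11 load using the standard SunPKCS11 provider, and adds the check a practitioner would run after importing the key-pair: that the `ads-certificate` alias (the alias named in the description) holds a private-key entry backed by an RSA 2048-bit public key. The config path and PIN are placeholders; the SunPKCS11 config file (which names the HSM's PKCS#11 library and slot) is assumed to exist.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;

// Added example (not OpenDJ code): file-based vs PKCS11 keystore loading,
// plus a post-import sanity check on the ads-certificate entry.
public class AdsTrustStoreLoad {
    // Alias used for the instance key-pair, as named in the issue description.
    static final String ALIAS = "ads-certificate";

    // File-based case: the path is actually read and the password protects the file.
    static KeyStore loadFileKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);   // e.g. "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // PKCS11 case: no file is read. The token is opened through the provider and
    // the "password" is the HSM PIN, which is why the configured keystore file can
    // be any existing file once the type is set to PKCS11.
    static KeyStore loadPkcs11KeyStore(String sunPkcs11ConfigPath, char[] pin) throws Exception {
        // Java 9+ API: configure the built-in SunPKCS11 provider from a config file
        // (placeholder path; assumed to point at a valid SunPKCS11 configuration).
        Provider p = Security.getProvider("SunPKCS11").configure(sunPkcs11ConfigPath);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // null stream: nothing on disk is consulted
        return ks;
    }

    // Check to run after creating and importing the key-pair into the HSM:
    // the alias must be a key entry whose certificate carries an RSA 2048-bit key,
    // and the private key handle must be retrievable with the PIN.
    static boolean hasExpectedAdsKeyPair(KeyStore ks, char[] pin) throws Exception {
        if (!ks.isKeyEntry(ALIAS)) return false;
        Certificate cert = ks.getCertificate(ALIAS);
        if (cert == null || !(cert.getPublicKey() instanceof RSAPublicKey)) return false;
        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();
        return pub.getModulus().bitLength() == 2048 && ks.getKey(ALIAS, pin) != null;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java AdsTrustStoreLoad <hsm-pin>   (config path below is a placeholder)
        char[] pin = args[0].toCharArray();
        KeyStore hsm = loadPkcs11KeyStore("/path/to/hsm-pkcs11.cfg", pin);
        System.out.println("ads-certificate present as RSA-2048 key entry: "
                + hasExpectedAdsKeyPair(hsm, pin));
    }
}
```

When the HSM cannot generate key-pairs through PKCS#11, the usual route with standard Java tooling is to generate the self-signed RSA 2048-bit pair into a PKCS12 file and move it with `keytool -importkeystore ... -deststoretype PKCS11 -destkeystore NONE`, then run the check above against the token; this is general Java keystore practice, not an OpenDJ-specific procedure from the issue.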

              People

              • Assignee: Unassigned
              • Reporter: Matthew Swift
              • Dev Assignee: Chris Ridd
              • QA Assignee: Ondrej Fuchsik
              • Votes: 1
              • Watchers: 9
