[OPENDJ-7073] PKCS#11 key and trust manager providers should allow custom keystore types - ForgeRock JIRA

Details

Type: Improvement
Status: QA Backlog
Priority: Critical
Resolution: Unresolved
Affects Version/s: 6.5.3, 7.0.0
Fix Version/s: 7.0.0
Component/s: security
Labels:
None

Epic Link:
Security model 7.0
Story Points:
2

Description

There are broadly speaking 2 types of keystore:

file-based: requiring a file, password and configurable keystore type
PKCS#11: no file, password and keystore type "PKCS#11".

However, it appears that some PKCS#11 providers use alternative keystore types (see ~~OPENAM-14783~~), so we should allow the keystore type to be configurable.

In addition, HSMs that don't implement the PKCS#11 interface fall into one of the two categories above, except that they obviously use a custom keystore type identifier like "CloudHSM". Therefore, allowing the keystore type to be configurable for PKCS#11 key/trust managers will allow us to support some non-PKCS#11 HSMs. With that in mind, we may want to consider renaming the PKCS#11 providers to "HsmXxxManagerProvider" instead.

Suggested fix:

add a new "key-store-type" configuration option to both the PKCS11 key and trust manager providers. The configuration options can be copied over from their file-based counterparts
consider renaming PKCS#11 key/trust manager providers to HSM key/trust manager providers. This will require an upgrade task.

Attachments

Issue Links

is backported by

OPENDJ-7084 Backport OPENDJ-7073: PKCS#11 key and trust manager providers should allow custom keystore types

Dev backlog

relates to

OPENAM-14783 PKCS11 KeyStore does not work on IBM JVM

Resolved

Activity

People

Assignee:

Ludovic Poitou

Reporter:

Matthew Swift

Dev Assignee:

Ludovic Poitou

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

02/Apr/20 3:30 PM

Updated:

15/Apr/20 1:42 PM