This issue can be closed once DJ supports Google KMS as a trust manager provider. Using dsconfig it should be possible to configure a Google KMS trust manager provider and use it for obtaining public keys used for TLS. The config framework should provide the following configurable properties:
- the keyring, which is composed of project, location, and key ring name
- credentials: some investigation will be required to understand the form these should take
I this we should just stick with sensible defaults for the other parameters, although I'm not sure if this is possible for the key mappings.
- source code for the commons secrets Google KMS secret store: https://stash.forgerock.org/projects/COMMONS/repos/forgerock-commons/browse/secrets/secrets-backend-gcpkms/src/main/java/org/forgerock/secrets/gcpkms/GoogleKmsSecretStore.java
- source code for the commons secrets trust manager: https://stash.forgerock.org/projects/COMMONS/repos/forgerock-commons/browse/secrets/secrets-api/src/main/java/org/forgerock/secrets/SecretsTrustManager.java