[OPENIDM-11396] Create documentation for secrets.json and update keystore references Created: 26/Jul/18  Updated: 24/Aug/18  Resolved: 22/Aug/18

Status: Closed
Project: OpenIDM
Component/s: documentation
Affects Version/s: 6.5.0
Fix Version/s: 6.5.0

Type: Story Priority: Major
Reporter: Nabil Maynard Assignee: Mike Jang [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: CLARK
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on OPENIDM-9934 Create a SecretsProviderService Closed
depends on OPENIDM-11433 Make use of JsonEncryptor so that enc... Closed
relates to OPENIDM-11238 Address undocumented features in boot... Closed
relates to OPENIDM-11356 Failed to sync password changes from ... Closed
relates to OPENIDM-11262 Make purpose names more fine grained ... Closed
is related to OPENIDM-11422 Session JWT key usage is not clear Closed
is related to OPENIDM-11532 The validFrom date in secrets.json is... Closed
Target Version/s:
Story Points: 3
Sprint: OpenIDM Sprint 6.5-7


OPENIDM-9934 implements a new secrets provider service. The PR (here) lays out the new secrets.json file, which is a mixture of new implementation and existing secrets/keystore references moved out of boot.properties.

We need to:

  • Document the new secrets.json file and secrets provider service
  • Update existing references to truststore, keystore, and secrets to point to the correct files and locations.

Comment by Nabil Maynard [ 27/Jul/18 ]

OPENIDM-11262 also just landed, and includes some additional fields in secrets.json. (PR is here.)

Comment by Nabil Maynard [ 27/Jul/18 ]

OPENIDM-11356 (and this PR) makes a few additional tweaks to secrets.json. This appears to primarily be a bug fix, but thought I'd call it out in case this influences any examples displayed in the docs.

Comment by Mike Jang [X] (Inactive) [ 02/Aug/18 ]

May require change in this section too: https://ea.forgerock.com/docs/idm/integrators-guide/index.html#openidm-hsm-conf , based on this PR and likely others.

Comment by Mike Jang [X] (Inactive) [ 02/Aug/18 ]

Note how we're now set up for multiple keystores and truststores. In secrets.json, we'll now have a mainKeyStore and a mainTrustStore – for injecting keys during the IDM start process. Secondary keystores (I presume) would be supplements.

Comment by Mike Jang [X] (Inactive) [ 09/Aug/18 ]

Make sure to get all instances of openidm-sym-default – also protects passwords and client secrets
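To illustrate the shape of the file the two comments above refer to (a mainKeyStore and a mainTrustStore, with openidm-sym-default mapped to a purpose that covers configuration, password and client-secret encryption), here is an added example secrets.json. It is not copied from the PR or from the IDM distribution; the store class name, the purpose (secretId) names and the property-substitution defaults are assumptions in the style of the 6.5 file and should be checked against the shipped conf/secrets.json before being used.

```json
{
  "stores": [
    {
      "name": "mainKeyStore",
      "class": "org.forgerock.openidm.secrets.config.FileBasedStore",
      "config": {
        "file": "&{openidm.keystore.location|&{idm.install.dir}/security/keystore.jceks}",
        "storetype": "&{openidm.keystore.type|JCEKS}",
        "providerName": "&{openidm.keystore.provider|SunJCE}",
        "storePassword": "&{openidm.keystore.password|changeit}",
        "mappings": [
          {
            "secretId": "idm.default",
            "types": ["ENCRYPT", "DECRYPT"],
            "aliases": ["&{openidm.config.crypto.alias|openidm-sym-default}"]
          },
          {
            "secretId": "idm.config.encryption",
            "types": ["ENCRYPT", "DECRYPT"],
            "aliases": ["&{openidm.config.crypto.alias|openidm-sym-default}"]
          },
          {
            "secretId": "idm.password.encryption",
            "types": ["ENCRYPT", "DECRYPT"],
            "aliases": ["&{openidm.config.crypto.alias|openidm-sym-default}"]
          },
          {
            "secretId": "idm.jwt.session.module.signing",
            "types": ["SIGN", "VERIFY"],
            "aliases": ["&{openidm.config.crypto.jwtsession.hmackey.alias|openidm-jwtsessionhmac-key}"]
          }
        ]
      }
    },
    {
      "name": "mainTrustStore",
      "class": "org.forgerock.openidm.secrets.config.FileBasedStore",
      "config": {
        "file": "&{openidm.truststore.location|&{idm.install.dir}/security/truststore}",
        "storetype": "&{openidm.truststore.type|JKS}",
        "providerName": "&{openidm.truststore.provider|SUN}",
        "storePassword": "&{openidm.truststore.password|changeit}",
        "mappings": []
      }
    }
  ],
  "populateDefaults": true
}
```

The point the example is meant to make for the docs: every consumer of the symmetric key goes through a purpose (secretId) rather than naming the alias directly, so rotating openidm-sym-default means changing the alias in one mapping (or the openidm.config.crypto.alias property that feeds it) rather than hunting through boot.properties and individual config files. The "types" list is the least-privilege control here; a store mapping that only needs to verify a JWT signature should not be granted ENCRYPT or DECRYPT.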

Comment by Mike Jang [X] (Inactive) [ 09/Aug/18 ]

Also incorporate intent of https://stash.forgerock.org/projects/OPENIDM/repos/openidm-docs/pull-requests/1966/overview

Note how the 6.0 docs now have corrected a mistake w/r/t openidm-selfservice-key

Andrew Potter Since we're implementing secrets.json for a lot of this, and you wrote OPENIDM-11422, I'm using this to remind myself to include you on the PR for this JIRA (for 6.5)

Comment by Mike Jang [X] (Inactive) [ 22/Aug/18 ]

PR: https://stash.forgerock.org/projects/OPENIDM/repos/openidm-docs/pull-requests/1971/overview

Doc change mostly here: (new section) https://ea.forgerock.com/docs/idm/integrators-guide/index.html#keystore-config

and revisions here: https://ea.forgerock.com/docs/idm/integrators-guide/index.html#openidm-hsm-conf

Comment by Laurent Bristiel [X] (Inactive) [ 24/Aug/18 ]

checked OK

Generated at Tue Oct 27 00:35:35 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.