[OPENIDM-9934] Create a SecretsProviderService Created: 04/Jan/18  Updated: 09/Nov/18  Resolved: 19/Jul/18

Status: Closed
Project: OpenIDM
Component/s: Module - Cryptography
Affects Version/s: None
Fix Version/s: 6.5.0

Type: Story Priority: Major
Reporter: Jason Lemay Assignee: Whitney Hunter [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is required by OPENIDM-11396 Create documentation for secrets.json... Closed
Duplicate
is duplicated by OPENIDM-10351 Make boot property encryption pluggable Closed
Regression
caused OPENIDM-11449 Unable to find valid certification pa... Closed
Relates
relates to OPENIDM-9942 Samples should use commons configurat... Open
Target Version/s:
Verified Version/s:
Story Points: 3
Epic Link: Commons Secrets Integration

Description

A SecretsProvider contains the set of active and inactive SecretStores. IDM needs a service that contains a SecretsProvider instance that can be referenced by other IDM services.

The config for this service could look something like this:

{
   "activeStores":[
      {
         ... SecretStore configuration ...
      },{
         ... another SecretStore configuration ... 
      }
   ],
   "purposes":[
      "saml-signing",
      "oidc-signing",
      "hsm-pin",
      "other"
   ]
}

This config was borrowed from https://docs.google.com/document/d/1BkhAJwWDOAffKKyX-5v2wL-K1n71HWBjsLb4IkeX8P8/edit#. When designing this config we should consult the other products so that our config looks similar to theirs, which makes the platform easier to understand as a whole.

Acceptance Criteria

  • Must be able to configure the SecretStores IDM currently supports (HSM and file-based keystores)
  • Should be able to define custom purposes beyond the default purposes available in the Purposes class
  • Must be able to retrieve named secrets, the active secret for a given purpose, and all valid secrets for a given purpose from the configured SecretStores
  • Must expose an OSGi service that other IDM services can reference to access the SecretsApi
  • Should have unit tests proving the functionality above.
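The following is an added example, not OpenIDM or ForgeRock Commons Secrets code, that models the behaviour the acceptance criteria ask for: a provider built from a config in the shape sketched above, holding active and inactive stores, with the three lookups (named secret, active secret for a purpose, all valid secrets for a purpose). The "inactiveStores" key, the per-store "secrets" layout, the class names, and the sample config with its placeholder values are assumptions made for illustration; the real Purposes class and SecretsApi are not used here.

```python
"""Model of the secrets-provider behaviour described in the ticket.

Added example, not OpenIDM or ForgeRock Commons Secrets code. The store
layout ("secrets" per store), the "inactiveStores" key, the class names
and the sample config are assumptions made for illustration.
"""
import json
from dataclasses import dataclass

# Purposes assumed to be built in; the config's "purposes" list extends them
# (the ticket's "custom purposes beyond the default purposes").
DEFAULT_PURPOSES = frozenset({"saml-signing", "oidc-signing", "hsm-pin"})


@dataclass(frozen=True)
class Secret:
    secret_id: str
    purpose: str
    value: str


class SecretStore:
    """One backing store (file keystore, HSM, ...); secrets keyed by id."""

    def __init__(self, name, secrets):
        self.name = name
        self._secrets = {s.secret_id: s for s in secrets}

    def get(self, secret_id):
        return self._secrets.get(secret_id)

    def all_secrets(self):
        return list(self._secrets.values())

    def for_purpose(self, purpose):
        return [s for s in self._secrets.values() if s.purpose == purpose]


class SecretsProvider:
    """Holds the active and inactive stores and answers the three lookups."""

    def __init__(self, active_stores, inactive_stores, purposes):
        self.active_stores = list(active_stores)
        self.inactive_stores = list(inactive_stores)
        self.purposes = frozenset(purposes)

    @classmethod
    def from_config(cls, config):
        def build(store_cfg):
            secrets = [Secret(sid, e["purpose"], e["value"])
                       for sid, e in store_cfg.get("secrets", {}).items()]
            return SecretStore(store_cfg["name"], secrets)

        active = [build(c) for c in config.get("activeStores", [])]
        inactive = [build(c) for c in config.get("inactiveStores", [])]
        purposes = DEFAULT_PURPOSES | set(config.get("purposes", []))
        # Refuse secrets tagged with an undeclared purpose: a typo in the config
        # would otherwise silently make a key unreachable for its intended use.
        undeclared = sorted((st.name, s.secret_id, s.purpose)
                            for st in active + inactive
                            for s in st.all_secrets() if s.purpose not in purposes)
        if undeclared:
            raise ValueError(f"secrets with undeclared purpose: {undeclared}")
        return cls(active, inactive, purposes)

    def _check_purpose(self, purpose):
        if purpose not in self.purposes:
            raise ValueError(f"purpose {purpose!r} is not configured")

    def get_named_secret(self, secret_id):
        """A specific secret by id from whichever store holds it (active first)."""
        for store in self.active_stores + self.inactive_stores:
            secret = store.get(secret_id)
            if secret is not None:
                return secret
        return None

    def get_active_secret(self, purpose):
        """The secret for new operations (signing, encrypting): first match in
        the active stores, in configured order. Inactive stores never qualify."""
        self._check_purpose(purpose)
        for store in self.active_stores:
            matches = store.for_purpose(purpose)
            if matches:
                return matches[0]
        raise LookupError(f"no active secret for purpose {purpose!r}")

    def get_valid_secrets(self, purpose):
        """Every secret for the purpose, active stores first, then inactive:
        rotated-out secrets stay valid for verifying and decrypting old data."""
        self._check_purpose(purpose)
        return [s for store in self.active_stores + self.inactive_stores
                for s in store.for_purpose(purpose)]


# Constructed sample config (not a real IDM secrets.json); values are placeholders.
SAMPLE_CONFIG = json.loads("""{
  "activeStores": [
    {"name": "file-keystore", "secrets": {
      "saml-signing-2": {"purpose": "saml-signing", "value": "key-material-v2"}}},
    {"name": "hsm", "secrets": {
      "hsm-pin-1": {"purpose": "hsm-pin", "value": "pin-placeholder"}}}
  ],
  "inactiveStores": [
    {"name": "file-keystore-old", "secrets": {
      "saml-signing-1": {"purpose": "saml-signing", "value": "key-material-v1"}}}
  ],
  "purposes": ["saml-signing", "oidc-signing", "hsm-pin", "other"]
}""")

if __name__ == "__main__":
    provider = SecretsProvider.from_config(SAMPLE_CONFIG)
    print("active saml-signing:", provider.get_active_secret("saml-signing").secret_id)
    print("valid saml-signing:", [s.secret_id for s in provider.get_valid_secrets("saml-signing")])
```

The distinction the model makes is the one that matters for key rotation: only active stores supply the secret used for new signatures, while inactive stores still contribute to the set of valid secrets so that material signed or encrypted under a retired key can still be verified or decrypted. The purpose check at load time and on every lookup is there so that a misspelled purpose fails loudly instead of returning nothing.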


Comments
Comment by Laurent Bristiel [X] (Inactive) [ 20/Jul/18 ]

Commit for this ticket causes a regression raised in OPENIDM-11343 ("OpenIDM is not starting properly anymore on Windows")

Comment by Ladislav Folta [ 09/Nov/18 ]

Tested OK on OpenIDM: 6.5.0-SNAPSHOT 8cc76b7

Generated at Mon Nov 30 01:48:35 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.