Technical information

By default, config secrets are stored in a JCEKS key store in the instance directory. The key store is automatically created using a random password.

JCEKS aliases

JCEKS key stores only support lower case aliases. Hence when using the default JCEKS key store implementation all aliases will be converted to lower case.

All information required by IAM is stored in two files:

A property file defining how to store the sensitive config values and what password to use:

cat instances/auth/sensitive-values.properties 

# This file has been created automatically. 
# Caution: changing this file may result in the loss 
# of the sensitive values stored for this instance.
sensitive-values-provider = com.airlock.iam.sensitivevalues.application.service.JceksSensitiveValuesProvider
jceks-keystore-path = instances/auth/sensitive-values.jceks
jceks-keystore-password = 9AxF5bhUDYYyNWVpQTgB26W7rtcyKvtN

The actual key store, e.g.:

instances/auth/sensitive-values.jceks

By providing another implementation for the property "sensitive-values-provider" you can store the secrets differently (e.g. in an HSM).
The IAM instance configuration (medusa-configuration.xml) references externally stored config secrets by ID only.

Example: Password for DB connection referenced in XML

<plugin class="com.airlock.iam.core.misc.impl.persistency.db.HikariCpDataSource" id="H2 Database Connection (Default Config)" uuid="f0d2a309-8eb4-4574-a622-503d6e5f47be">
    <property name="driverClass">org.h2.Driver</property>
    <property name="password" secureExternalStorageId="db-password"/>
    <property name="url">jdbc:h2:tcp://localhost:9001/medusadb</property>
    <property name="user">medusa</property>
  </plugin>