Technical information

  • By default, config secrets are stored in a JCEKS key store in the instance directory. The key store is automatically created using a random password.

JCEKS aliases

JCEKS key stores only support lower case aliases. Hence when using the default JCEKS key store implementation all aliases will be converted to lower case.

  • All information required by IAM is stored in two files:
    • A property file defining how to store the sensitive config values and what password to use:
    • cat instances/auth/ 
      # This file has been created automatically. 
      # Caution: changing this file may result in the loss 
      # of the sensitive values stored for this instance.
      sensitive-values-provider = com.airlock.iam.sensitivevalues.application.service.JceksSensitiveValuesProvider
      jceks-keystore-path = instances/auth/sensitive-values.jceks
      jceks-keystore-password = 9AxF5bhUDYYyNWVpQTgB26W7rtcyKvtN
    • The actual key store, e.g.:
    • instances/auth/sensitive-values.jceks
  • By providing another implementation for the property "sensitive-values-provider" you can store the secrets differently (e.g. in an HSM).
  • The IAM instance configuration (medusa-configuration.xml) references externally stored config secrets by ID only.

Example: Password for DB connection referenced in XML

<plugin class="com.airlock.iam.core.misc.impl.persistency.db.HikariCpDataSource" id="H2 Database Connection (Default Config)" uuid="f0d2a309-8eb4-4574-a622-503d6e5f47be">
    <property name="driverClass">org.h2.Driver</property>
    <property name="password" secureExternalStorageId="db-password"/>
    <property name="url">jdbc:h2:tcp://localhost:9001/medusadb</property>
    <property name="user">medusa</property>