Technical information

  • By default, config secrets are stored in a JCEKS key store in the instance directory. The key store is automatically created using a random password.
 
Info

JCEKS aliases

JCEKS key stores only support lower-case aliases. Hence, when using the default JCEKS key store implementation, all aliases (i.e. the storage IDs referenced from the configuration) are converted to lower case.

  • All information required by IAM is stored in two files:
    • A property file defining how to store the sensitive config values and what password to use, e.g. instances/auth/sensitive-values.properties:
      
      # This file has been created automatically.
      # Caution: changing this file may result in the loss
      # of the sensitive values stored for this instance.
      sensitive-values-provider = com.airlock.iam.sensitivevalues.application.service.JceksSensitiveValuesProvider
      jceks-keystore-path = instances/auth/sensitive-values.jceks
      jceks-keystore-password = 9AxF5bhUDYYyNWVpQTgB26W7rtcyKvtN
      
    • The actual key store, e.g. instances/auth/sensitive-values.jceks
  • By providing another implementation for the property “sensitive-values-provider” you can store the secrets differently (e.g. in an HSM).
  • The IAM instance configuration (iam-config.yaml or medusa-configuration.xml) references externally stored config secrets by ID only.
 
Example

Example: Password for DB connection referenced in YAML

type: JdbcConnectionPool
id: h2DatabaseConnection
displayName: H2 Database Connection
properties:
  driverClass: org.h2.Driver
  password:
  - value:
      storageId: db-password
  url: jdbc:h2:tcp://localhost:9001/iamdb
  user: airlock
 
Example

Example: Password for DB connection referenced in XML

<plugin class="com.airlock.iam.core.misc.impl.persistency.db.HikariCpDataSource" id="H2 Database Connection (Default Config)" uuid="f0d2a309-8eb4-4574-a622-503d6e5f47be">
    <property name="driverClass">org.h2.Driver</property>
    <property name="password" secureExternalStorageId="db-password"/>
    <property name="url">jdbc:h2:tcp://localhost:9001/iamdb</property>
    <property name="user">medusa</property>
</plugin>
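Because the YAML/XML configuration references a secret by storage ID only, a storage ID that does not match a key store alias (remember the lower-casing) is only noticed when the instance tries to resolve it. The following added example is not part of Airlock IAM; it uses only standard JDK classes to read the sensitive-values.properties file shown above and report whether each given storage ID resolves to an entry in the default JCEKS key store. The property keys are taken from the file above; that IAM stores each secret as a SecretKeyEntry is an assumption.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Locale;
import java.util.Properties;

/** Verifies that configuration storage IDs resolve to aliases in the default JCEKS key store. */
public class SensitiveValuesCheck {

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length < 2) {
            System.err.println("usage: SensitiveValuesCheck <sensitive-values.properties> <storageId>...");
            System.exit(2);
        }
        // Keys as written by IAM into sensitive-values.properties (see the file above)
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(args[0])) {
            props.load(in);
        }
        String storePath = props.getProperty("jceks-keystore-path");   // relative to the working directory
        String storePass = props.getProperty("jceks-keystore-password");
        if (storePath == null || storePass == null) {
            System.err.println("properties file lacks jceks-keystore-path or jceks-keystore-password");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass.toCharArray());   // a wrong password fails here with an IOException
        }
        int missing = 0;
        for (int i = 1; i < args.length; i++) {
            // JCEKS aliases are lower case, so the storage ID must be lower-cased before the lookup
            String alias = args[i].toLowerCase(Locale.ROOT);
            boolean present = ks.containsAlias(alias);
            // Assumption: IAM stores config secrets as SecretKeyEntry; other entry types are reported
            String kind = present && ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)
                    ? "secret key entry" : "not a secret key entry";
            System.out.printf("%-24s -> alias '%s': %s%n",
                    args[i], alias, present ? "found (" + kind + ")" : "MISSING");
            if (!present) missing++;
        }
        System.exit(missing == 0 ? 0 : 1);
    }
}
```

Run it from the IAM installation directory, e.g. `java SensitiveValuesCheck instances/auth/sensitive-values.properties db-password`; a non-zero exit status means at least one storage ID has no matching alias.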