public interface MasterKeyEncryptor
An encryptor that can be used to encrypt PingFederate's master key file (pf.jwk).
The encryptor can return a key identifier (via its initialize method) which can be associated with the master key file. This allows PingFederate configuration archives to be transferred between different installations. Alternatively, a null key identifier can be returned if the encryptor chooses to manage its key identifier for certain deployment requirements, such as tying the key to the machine's MAC address.
If a master key file was previously unencrypted, it will be encrypted immediately after initialization. If a key identifier is returned and has changed, the master key file will be decrypted and then immediately re-encrypted, so that the encryptor can apply the new key.
The key identifier is stored in the '<PF_INSTALL>/server/default/data/config-store/com.pingidentity.crypto.jwk.MasterKeySet.xml' file.
An encryptor implementation must be deployed to the directory '<PF_INSTALL>/server/default/deploy/' and declared for use in '<PF_INSTALL>/server/default/conf/META-INF/hivemodule.xml', in the MasterKeyEncryptor's create-instance class attribute, for example:

```xml
<service-point id="MasterKeyEncryptor" interface="com.pingidentity.sdk.key.MasterKeyEncryptor">
    <create-instance class="com.company.MyMasterKeyEncryptor"/>
</service-point>
```
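A hypothetical implementation of this interface, added here as an example (it is not Ping Identity's code): it protects pf.jwk with AES-256-GCM under a key looked up by the identifier that initialize returns, creating a fresh key and identifier when PingFederate passes null. It assumes MasterKeyEncryptorException has a (String, Throwable) constructor, and the in-memory map stands in for a real external key manager (KMS/HSM).

```java
import com.pingidentity.sdk.key.MasterKeyEncryptor;
import com.pingidentity.sdk.key.MasterKeyEncryptorException;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class MyMasterKeyEncryptor implements MasterKeyEncryptor {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final Map<String, SecretKey> EXTERNAL_KEYS = new ConcurrentHashMap<>(); // stand-in for a KMS/HSM; real keys must survive restarts
    private SecretKey key;
    public String initialize(String keyId) throws MasterKeyEncryptorException {
        try {
            if (keyId == null) { // pf.jwk not yet encrypted: create a fresh key and identifier
                KeyGenerator kg = KeyGenerator.getInstance("AES");
                kg.init(256);
                keyId = UUID.randomUUID().toString();
                EXTERNAL_KEYS.put(keyId, kg.generateKey());
            }
            key = EXTERNAL_KEYS.get(keyId); // imported archive: its key must already be provisioned here
            if (key == null) throw new MasterKeyEncryptorException("unknown master key id " + keyId, null);
            return keyId; // PingFederate records this identifier in MasterKeySet.xml
        } catch (GeneralSecurityException e) {
            throw new MasterKeyEncryptorException("initialization failed", e); // assumed (String, Throwable) ctor
        }
    }
    public byte[] encrypt(byte[] plainText) throws MasterKeyEncryptorException {
        try {
            byte[] iv = new byte[IV_BYTES];
            new SecureRandom().nextBytes(iv); // fresh nonce per call; GCM fails badly if a nonce repeats
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] body = c.doFinal(plainText);
            return ByteBuffer.allocate(iv.length + body.length).put(iv).put(body).array(); // iv || ct || tag
        } catch (GeneralSecurityException e) {
            throw new MasterKeyEncryptorException("encrypt failed", e);
        }
    }
    public byte[] decrypt(byte[] cipherText) throws MasterKeyEncryptorException {
        if (cipherText.length < IV_BYTES + TAG_BITS / 8) throw new MasterKeyEncryptorException("cipher text too short", null);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, cipherText, 0, IV_BYTES));
            return c.doFinal(cipherText, IV_BYTES, cipherText.length - IV_BYTES); // tag mismatch throws
        } catch (GeneralSecurityException e) {
            throw new MasterKeyEncryptorException("decrypt failed", e);
        }
    }
}
```

Because the identifier travels with the configuration archive, a second installation can only import it once the same key has been provisioned in its key manager under that identifier; the null check in initialize turns a missing key into a clear startup failure rather than a later decrypt error.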
Modifier and Type | Method and Description |
---|---|
byte[] | decrypt(byte[] cipherText): Decrypts the master key's cipher text. |
byte[] | encrypt(byte[] plainText): Encrypts the data that will eventually be stored in the master key file. |
String | initialize(String keyId): Initializes the MasterKeyEncryptor, allowing implementations to perform any external key management operations, such as creating or loading an external key. |
String initialize(String keyId) throws MasterKeyEncryptorException
Initializes the MasterKeyEncryptor, allowing implementations to perform any external key management operations, such as creating or loading an external key.
The key identifier that is used to encrypt/decrypt the master key file is passed into the initialize method. The key identifier may be null if the master key file was not previously encrypted, or if this MasterKeyEncryptor doesn't need a key identifier and previously returned null in an earlier initialization.
This method is called every time a master key file is loaded. This can occur when PingFederate starts up or when a configuration archive is imported.
Parameters:
keyId - The key identifier associated with the master key file. May be null.
Throws:
MasterKeyEncryptorException - Thrown if initialization fails.

byte[] encrypt(byte[] plainText) throws MasterKeyEncryptorException
Encrypts the data that will eventually be stored in the master key file.
Parameters:
plainText - The master key file's plain text content.
Throws:
MasterKeyEncryptorException - Thrown if encryption fails.

byte[] decrypt(byte[] cipherText) throws MasterKeyEncryptorException
Decrypts the master key's cipher text.
Parameters:
cipherText - The master key's cipher text.
Throws:
MasterKeyEncryptorException - Thrown if decryption fails.

Copyright 2019 Ping Identity Corp. All rights reserved.