Package com.pingidentity.sdk.key

Interface MasterKeyEncryptor

  • public interface MasterKeyEncryptor

    An encryptor that can be used to encrypt PingFederate's master key file (pf.jwk).

    The encryptor can return a key identifier (via its initialize method) which can be associated with the master key file. This allows PingFederate configuration archives to be transferred between different installations. Alternatively, a null key identifier can be returned if the encryptor chooses to manage its key identifier for certain deployment requirements, such as tying the key to the machine's MAC address.

    If a master key file was previously unencrypted, it will be immediately encrypted after initialization. If a key identifier is returned and has changed, then the master key file be decrypted and then encrypted immediately after to allow the encryptor to apply the new key.

    The key identifier is stored in the '<PF_INSTALL>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.jwk.MasterKeySet.xml' file.

    An encryptor implementation must be deployed to the directory '<PF_INSTALL>/pingfederate/server/default/deploy/' and declared for use in '<PF_INSTALL>/pingfederate/server/default/conf/service-points.conf', by updating the value of master.key.encryptor. i.e. 

     
     master.key.encryptor=com.company.MyMasterKeyEncryptor

    Disabling Revocation Checking

    A circular initialization dependency can arise if revocation checking is enabled in PingFederate and a MasterKeyEncryptor implementation makes API calls to an external service. To avoid this risk, revocation checking should be disabled for any API calls made by the master key encryptor. The following code shows how a custom trust manager can be created that uses the trust anchors from Java's cacerts file and has revocation checking disabled. 

         private static TrustManager[] getCaCertsTrustManagers()
     {
         String javaHome = System.getProperty("java.home");
         if (javaHome == null)
         {
             throw new IllegalStateException("Expected java.home system property to be set");
         }

         Path cacerts = Paths.get(javaHome).resolve(Paths.get("lib/security/cacerts"));

         try (InputStream inputStream = Files.newInputStream(cacerts))
         {
             KeyStore ks = KeyStore.getInstance("JKS");
             ks.load(inputStream, null);

             TrustManagerFactory trustManagerFactory =
                     TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

             PKIXBuilderParameters params = new PKIXBuilderParameters(ks, new X509CertSelector());
             params.setRevocationEnabled(false);
             trustManagerFactory.init(new CertPathTrustManagerParameters(params));

             return trustManagerFactory.getTrustManagers();
         }
         catch (IOException | GeneralSecurityException e)
         {
             throw new IllegalStateException("Failed to create trust manager", e);
         }
     }
    Since:
    8.0

    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      byte[] decrypt​(byte[] cipherText)
      Decrypts the master key's cipher text.
      byte[] encrypt​(byte[] plainText)
      Encrypts the data that will eventually be stored in the master key file.
      String initialize​(String keyId)
      Initializes the MasterKeyEncryptor allowing implementations to perform any external key management operations, such as creating/loading an external key.

    • Method Detail

      • initialize

        String initialize​(String keyId)
           throws MasterKeyEncryptorException

        Initializes the MasterKeyEncryptor allowing implementations to perform any external key management operations, such as creating/loading an external key.

        The key identifier that is used to encrypt/decrypt the master key file is passed into the initialize method. The key identifier may be null if the master key file was not previously encrypted, or if this MasterKeyEncryptor doesn't need a key identifier and previously returned null in an earlier initialization.

        This method is called everytime a master key file is loaded. This can occur when PingFederate starts up or when a configuration archive is imported.

        Parameters:
        keyId - The key identifier associated with the master key file. May be null.
        Returns:
        The key identifier to associate with the master key file. Can be null.
        Throws:
        MasterKeyEncryptorException - Thrown if failed to initialize.

      • encrypt

        byte[] encrypt​(byte[] plainText)
        throws MasterKeyEncryptorException
        Encrypts the data that will eventually be stored in the master key file.
        Parameters:
        plainText - The master key file's plain text content.
        Returns:
        The cipher text that will be saved to the master key file.
        Throws:
        MasterKeyEncryptorException - Thrown if failed to encrypt.

      • decrypt

        byte[] decrypt​(byte[] cipherText)
        throws MasterKeyEncryptorException
        Decrypts the master key's cipher text.
        Parameters:
        cipherText - The master key's cipher text.
        Returns:
        The plain text contents of the master key file.
        Throws:
        MasterKeyEncryptorException - Thrown if failed to decrypt.