Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-13461

Clarify FIPS 140-2 Compliant Credential Store

XMLWordPrintable

      1. For achieving FIPS credential store solution, concept of external credential storage is used. Document this concept, because this is essential for understanding configuration.

      2. document external credential store specific options. This is necessary, because these options are not described in model, as they are expected in general implementation-properties map:

      Good starting point is KeyStoreCredentialStore javadoc, but consult with developers as not everything is correct I would say.

      KeyStoreCredentialStore.java
       * The following configuration parameters are supported:
       * <ul>
       *     <li>{@code location}: specifies the location of the key store (none means, use an in-memory store and do not store changes)</li>
       *     <li>{@code modifiable}: specifies whether the credential store should be modifiable</li>
       *     <li>{@code create}: specifies to automatically create storage file for this credential store (defaults to {@code false}).
       *          <p>
       *          If {@code external} is true, the storage file will be created calling the {@link #flush} method. If {@code external} is false and the storage file does not exist yet,
       *          then an empty credential store is created when {@link #initialize} method is invoked.</li>
       *     <li>{@code keyStoreType}: specifies the key store type to use (defaults to {@link KeyStore#getDefaultType()})</li>
       *     <li>{@code keyAlias}: specifies the secret key alias within the key store to use for encrypt/decrypt of data in external storage (defaults to {@code cs_key})</li>
       *     <li>{@code external}: specifies whether to store data to external storage and encrypted by {@code keyAlias} key (defaults to {@code false})</li>
       *     <li>{@code externalPath}: specifies path to the external storage. It has to be used in conjunction with {@code external=true} and it defaults to value of {@code location} when {@code keyStoreType} is PKCS11.</li>
       *     <li>{@code cryptoAlg}: cryptographic algorithm name to be used to encrypt decrypt entries at external storage ({@code external} has to be set to {@code true})</li>
       * </ul>
      

      3. Do not document externalPath option because of https://issues.jboss.org/browse/JBEAP-13441
      4. Document which of FIPS CS are required and which are optional. Specify defaults of optional options.
      5. Use explicit location in example CLI command. Current example works because of

              rhn-support-chuffman Christian Huffman
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: