Amazon Secrets Manager Cipher Stream Provider

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Amazon Secrets Manager Cipher Stream Provider is used to create a cipher stream provider that uses a passphrase obtained from the Amazon AWS Secrets Manager service to generate the encryption key for protecting the contents of the encryption settings database. It may only be used with string secrets (in which the Secrets Manager service returns the secret in the form of a JSON object) and not with secrets stored in a binary form.

When starting up, this cipher stream provider will check for the existence of the file specified by the encryption-metadata-file configuration property. If that file does not exist, then the provider will generate it with a set of metadata to use when deriving an encryption key from the passphrase retrieved from the Secrets Manager service. The next time the cipher stream provider is started, that metadata file will be read and used in conjunction with the passphrase retrieved from the Secrets Manager service to derive the key needed to decrypt the contents of the encryption settings database.

Once it is created, this Amazon Secrets Manager Cipher Stream Provider should not be altered in any way. If you would like to change the cipher stream provider that the server uses, even to use a different secret (or a different version of the same secret) from the AWS Secrets Manager, you will need to create a new cipher stream provider configuration object and update the global configuration to activate that new provider. If this is done with the server online, then the encryption settings database will automatically be re-encrypted with the new cipher stream provider. However, as a safeguard against unexpected failures, it is still recommended that you export the encryption settings definitions before switching the active cipher stream provider.
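As an added illustration (not the server's own code; the metadata file layout, its field names and the use of SHA-256 are assumptions), the following Python sketch mirrors the flow described above: read the passphrase field from a JSON string secret, create the metadata file on first start or reuse it on a restart, and derive the key with PBKDF2 at the configured iteration count. The sample secret is constructed inline so it runs offline.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample string secret (JSON object in SecretString); the provider reads one named field.
SAMPLE_SECRET_STRING = json.dumps({"passphrase": "correct horse battery staple", "owner": "dsadmin"})

def select_version(version_id=None, version_stage=None):
    """secret-version-id and secret-version-stage are mutually exclusive; neither = current."""
    if version_id and version_stage:
        raise ValueError("secret-version-id and secret-version-stage are mutually exclusive")
    if version_id:
        return {"VersionId": version_id}
    return {"VersionStage": version_stage} if version_stage else {}

def passphrase_from_secret(secret_string, field_name):
    """Extract the passphrase field; binary secrets are not supported by the provider."""
    obj = json.loads(secret_string)
    if not isinstance(obj, dict) or field_name not in obj:
        raise KeyError(f"secret has no field {field_name!r}")
    return obj[field_name]

def load_or_create_metadata(path, iteration_count=600000):
    """Assumed metadata layout (not the server's real file format): salt + PBKDF2 params."""
    if iteration_count < 1000:
        raise ValueError("iteration-count lower limit is 1000")
    if os.path.exists(path):  # restart: reuse the parameters generated on first start
        with open(path) as f:
            return json.load(f)
    meta = {"kdf": "PBKDF2-HMAC-SHA256", "iterations": iteration_count,
            "salt": os.urandom(16).hex(), "key_bytes": 32}
    with open(path, "w") as f:  # first start: the parent directory must already exist
        json.dump(meta, f)
    return meta

def derive_key(passphrase, meta):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), bytes.fromhex(meta["salt"]),
                               meta["iterations"], meta["key_bytes"])

def first_and_second_start(secret_string, field_name, iteration_count=600000):
    """First start creates the metadata, a restart reuses it; losing the file means a new key."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "aws-secrets-manager-encryption-metadata.json")
        pw = passphrase_from_secret(secret_string, field_name)
        k1 = derive_key(pw, load_or_create_metadata(path, iteration_count))
        k2 = derive_key(pw, load_or_create_metadata(path, iteration_count))
        os.remove(path)
        k3 = derive_key(pw, load_or_create_metadata(path, iteration_count))
    return k1 == k2, k1 == k3
```

The last function shows why the metadata file must be preserved and backed up with the server: the same passphrase with a regenerated metadata file yields a different key, which cannot open the existing encryption settings database.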

Parent Component

The Amazon Secrets Manager Cipher Stream Provider component inherits from the Cipher Stream Provider.

Relations from This Component

The following components have a direct aggregation relation from Amazon Secrets Manager Cipher Stream Providers:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 enabled
 aws-external-server
 secret-id
 secret-field-name
 secret-version-id
 secret-version-stage
 encryption-metadata-file
 iteration-count

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Cipher Stream Provider
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether this Cipher Stream Provider is enabled for use in the Directory Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

aws-external-server

Description
The external server with information to use when interacting with the AWS Secrets Manager.
Default Value
None
Allowed Values
The DN of any Amazon Aws External Server.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

secret-id (Read-Only)

Description
The Amazon Resource Name (ARN) or the user-friendly name of the secret to be retrieved.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

secret-field-name (Read-Only)

Description
The name of the JSON field whose value is the passphrase that will be used to generate the encryption key for protecting the contents of the encryption settings database.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

secret-version-id (Read-Only)

Description
The unique identifier for the version of the secret to be retrieved. If this is provided, then its value will typically be in the form of a UUID. This property must not be provided if the secret-version-stage property is provided. If neither the secret-version-id property nor the secret-version-stage property is provided, then the current version of the secret will be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

secret-version-stage (Read-Only)

Description
The staging label for the version of the secret to be retrieved. If this is provided, then its value will typically be in the form of a UUID. This property must not be provided if the secret-version-id property is provided. If neither the secret-version-id property nor the secret-version-stage property is provided, then the current version of the secret will be used.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

encryption-metadata-file (Read-Only)

Description
The path to a file that will hold metadata about the encryption performed by this Amazon Secrets Manager Cipher Stream Provider. When initially configuring this cipher stream provider, the metadata file should not exist (although its parent directory must exist). The first time the provider is initialized and the secret is successfully retrieved from AWS Secrets Manager, a new metadata file will be generated with an appropriate set of properties for generating the cipher to use to interact with the encryption settings database. On subsequent uses, the existing metadata file will be read to determine these settings so that the existing encryption settings database can be opened.
Default Value
config/aws-secrets-manager-encryption-metadata.json
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

iteration-count (Read-Only)

Description
The PBKDF2 iteration count that will be used when deriving the encryption key used to protect the encryption settings database.
Default Value
600000
Allowed Values
An integer value. Lower limit is 1000.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Cipher Stream Providers:

dsconfig list-cipher-stream-providers
     [--property {propertyName}] ...

To view the configuration for an existing Cipher Stream Provider:

dsconfig get-cipher-stream-provider-prop
     --provider-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Cipher Stream Provider:

dsconfig set-cipher-stream-provider-prop
     --provider-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Amazon Secrets Manager Cipher Stream Provider:

dsconfig create-cipher-stream-provider
     --provider-name {name}
     --type amazon-secrets-manager
     --set enabled:{propertyValue}
     --set aws-external-server:{propertyValue}
     --set secret-id:{propertyValue}
     --set secret-field-name:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Cipher Stream Provider:

dsconfig delete-cipher-stream-provider
     --provider-name {name}