Azure Key Vault Cipher Stream Provider

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The Azure Key Vault Cipher Stream Provider is used to obtain a passphrase from the Azure key Vault service. That passphrase will be used to generate the encryption key that will protect the contents of the encryption settings database.

When starting up, this cipher stream provider will check for the existence of the file specified by the encryption-metadata-file configuration property. If that file does not exist, then the provider will generate it with a set of metadata to use when deriving an encryption key from the passphrase retrieved from the Key Vault service.
The next time the cipher stream provider is started, that metadata file will be read and used in conjunction with the passphrase retrieved from the Key Vault service to derive the key needed to decrypt the contents of the encryption settings database.
Note that this Azure Key Vault Cipher Stream Provider will only interact with Azure Key Vault once when the server is started or when launching a tool that needs to access the encryption settings database. Upon retrieving the secret passphrase, an encryption key will be generated, and that key will be cached in memory so that it will not be necessary to retrieve the passphrase from Azure while the server or tool remains running.

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The Azure Key Vault Cipher Stream Provider component inherits from the Cipher Stream Provider

Relations from This Component

The following components have a direct aggregation relation from Azure Key Vault Cipher Stream Providers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 enabled
 key-vault-uri
 azure-authentication-method
 http-proxy-external-server
 secret-name
 encryption-metadata-file
 iteration-count

Basic Properties

description

Description
A description for this Cipher Stream Provider
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether this Cipher Stream Provider is enabled for use in the Directory Server.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

key-vault-uri

Description
The URI that identifies the Azure Key Vault from which the secret is to be retrieved.
Default Value
None
Allowed Values
An absolute URL, or a relative URL
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

azure-authentication-method

Description
The mechanism used to authenticate to the Azure service.
Default Value
None
Allowed Values
The DN of any Azure Authentication Method.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

http-proxy-external-server

Description
A reference to an HTTP proxy server that should be used for requests sent to the Azure service.
Default Value
No HTTP proxy server will be used.
Allowed Values
The DN of any HTTP Proxy External Server.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

secret-name (Read-Only)

Description
The name of the secret to retrieve.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

encryption-metadata-file (Read-Only)

Description
The path to a file that will hold metadata about the encryption performed by this Azure Key Vault Cipher Stream Provider. When initially configuring this cipher stream provider, the metadata file should not exist (although its parent directory must exist). The first time the provider is initialized and the secret key is successfully retrieved from Azure Key Vault, a new metadata file will be generated with an appropriate set of properties for generating the cipher to use to interact with the encryption settings database. On subsequent uses, the existing metadata file will be read to determine these settings so that the existing encryption settings database can be opened.
Default Value
config/azure-key-vault-encryption-metadata.json
Allowed Values
A filesystem path
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

iteration-count (Read-Only)

Description
The PBKDF2 iteration count that will be used when deriving the encryption key used to protect the encryption settings database.
Default Value
600000
Allowed Values
An integer value. Lower limit is 1000.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Cipher Stream Providers:

dsconfig list-cipher-stream-providers
     [--property {propertyName}] ...

To view the configuration for an existing Cipher Stream Provider:

dsconfig get-cipher-stream-provider-prop
     --provider-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Cipher Stream Provider:

dsconfig set-cipher-stream-provider-prop
     --provider-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Azure Key Vault Cipher Stream Provider:

dsconfig create-cipher-stream-provider
     --provider-name {name}
     --type azure-key-vault
     --set enabled:{propertyValue}
     --set key-vault-uri:{propertyValue}
     --set azure-authentication-method:{propertyValue}
     --set secret-name:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Cipher Stream Provider:

dsconfig delete-cipher-stream-provider
     --provider-name {name}