Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Conjur Cipher Stream Provider is used to obtain a passphrase from a CyberArk Conjur server. That passphrase will be used to generate the encryption key that will protect the contents of the encryption settings database.
When starting up, this cipher stream provider will check for the existence of the file specified by the encryption-metadata-file configuration property. If that file does not exist, then the provider will generate it with a set of metadata to use when deriving an encryption key from the passphrase retrieved from Conjur.
The next time the cipher stream provider is started, that metadata file will be read and used in conjunction with the passphrase retrieved from Conjur to derive the key needed to decrypt the contents of the encryption settings database.
Note that this Conjur Cipher Stream Provider will only interact with Conjur once when the server is started or when launching a tool that needs to access the encryption settings database. Upon retrieving the secret passphrase from Conjur, an encryption key will be generated, and that key will be cached in memory so that it will not be necessary to retrieve the passphrase from Conjur while the server or tool remains running.
The Conjur Cipher Stream Provider component inherits from the Cipher Stream Provider.
The following components have a direct aggregation relation from Conjur Cipher Stream Providers:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| description | None |
| enabled | |
| conjur-external-server | |
| conjur-secret-relative-path | |
| encryption-metadata-file | |
| iteration-count | |
description

| Description | A description for this Cipher Stream Provider |
|---|---|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
enabled

| Description | Indicates whether this Cipher Stream Provider is enabled for use in the Directory Server. |
|---|---|
| Default Value | None |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
conjur-external-server

| Description | An external server definition with information needed to connect and authenticate to the Conjur server. |
|---|---|
| Default Value | None |
| Allowed Values | The DN of any Conjur External Server. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
conjur-secret-relative-path (Read-Only)

| Description | The portion of the path that follows the account name in the URI needed to obtain the secret passphrase used to generate the encryption key. Any special characters in the path must be URL-encoded. For example, if the full URI used to retrieve the secret is https://conjur.example.com:8443/secrets/myAccount/variable/MyApp%2FmySecret then the conjur-secret-relative-path value should be "variable/MyApp%2FmySecret". |
|---|---|
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
encryption-metadata-file (Read-Only)

| Description | The path to a file that will hold metadata about the encryption performed by this Conjur Cipher Stream Provider. When initially configuring this cipher stream provider, the metadata file should not exist (although its parent directory must exist). The first time the provider is initialized and the secret key is successfully retrieved from Conjur, a new metadata file will be generated with an appropriate set of properties for generating the cipher to use to interact with the encryption settings database. On subsequent uses, the existing metadata file will be read to determine these settings so that the existing encryption settings database can be opened. |
|---|---|
| Default Value | config/conjur-encryption-metadata.json |
| Allowed Values | A filesystem path |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
iteration-count

| Description | The PBKDF2 iteration count that will be used when deriving the encryption key used to protect the encryption settings database. |
|---|---|
| Default Value | 600000 |
| Allowed Values | An integer value. Lower limit is 1000. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
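Added example (not PingDirectory's or CyberArk's code): it models the URI construction described under conjur-secret-relative-path and the metadata-file bootstrap and PBKDF2 derivation described above. The metadata file's field names (prf, salt, iteration-count), the use of HMAC-SHA256 and the 32-byte key length are assumptions; the page does not document the file's contents.

```python
# Added example, not PingDirectory's or CyberArk's code. It models the two
# behaviours the page describes: building the Conjur secret URI from the
# account and URL-encoded relative path, and the first-run bootstrap of the
# metadata file from which a PBKDF2 key is derived. Field names are assumed.
import hashlib
import json
import os
import secrets
from urllib.parse import quote

MIN_ITERATIONS = 1000        # stated lower limit for iteration-count
DEFAULT_ITERATIONS = 600000  # stated default for iteration-count


def conjur_secret_relative_path(variable_id: str) -> str:
    """Value for conjur-secret-relative-path: any '/' inside the variable id
    must be URL-encoded, so MyApp/mySecret becomes variable/MyApp%2FmySecret."""
    return "variable/" + quote(variable_id, safe="")


def conjur_secret_uri(base_url: str, account: str, relative_path: str) -> str:
    """Full URI the provider would request: <base>/secrets/<account>/<path>."""
    return f"{base_url.rstrip('/')}/secrets/{account}/{relative_path}"


def load_or_create_metadata(path: str, iteration_count: int = DEFAULT_ITERATIONS) -> dict:
    """First run: the file must not exist (its parent directory must) and is
    written with a fresh random salt. Later runs: the file is read back so the
    same key can be re-derived and the existing database opened."""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8") as f:
            return json.load(f)
    if iteration_count < MIN_ITERATIONS:
        raise ValueError(f"iteration-count must be at least {MIN_ITERATIONS}")
    if not os.path.isdir(os.path.dirname(path) or "."):
        raise FileNotFoundError("parent directory of the metadata file must exist")
    metadata = {"prf": "sha256", "salt": secrets.token_hex(16),
                "iteration-count": iteration_count}
    with open(path, "w", encoding="utf-8") as f:
        json.dump(metadata, f)
    return metadata


def derive_key(passphrase: str, metadata: dict) -> bytes:
    """PBKDF2 over the passphrase retrieved from Conjur. The provider caches
    the result in memory, so Conjur is contacted only once per process."""
    return hashlib.pbkdf2_hmac(metadata["prf"], passphrase.encode("utf-8"),
                               bytes.fromhex(metadata["salt"]),
                               metadata["iteration-count"], dklen=32)
```

Deleting or altering the metadata file after the first run means the same key can no longer be derived, which is why the property is read-only once configured.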
To list the configured Cipher Stream Providers:

```
dsconfig list-cipher-stream-providers [--property {propertyName}] ...
```

To view the configuration for an existing Cipher Stream Provider:

```
dsconfig get-cipher-stream-provider-prop --provider-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing Cipher Stream Provider:

```
dsconfig set-cipher-stream-provider-prop --provider-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new Conjur Cipher Stream Provider:

```
dsconfig create-cipher-stream-provider --provider-name {name} --type conjur --set enabled:{propertyValue} --set conjur-external-server:{propertyValue} --set conjur-secret-relative-path:{propertyValue} [--set {propertyName}:{propertyValue}] ...
```

To delete an existing Cipher Stream Provider:

```
dsconfig delete-cipher-stream-provider --provider-name {name}
```