Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The File Based Cipher Stream Provider is used to read a specified file in order to obtain a password used to generate cipher streams for reading and writing encrypted data.
The File Based Cipher Stream Provider component inherits from the Cipher Stream Provider.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
description | None |
enabled | |
password-file | |
wait-for-password-file | |
encryption-metadata-file | |
iteration-count | |
description
Description | A description for this Cipher Stream Provider |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
enabled
Description | Indicates whether this Cipher Stream Provider is enabled for use in the Directory Server. |
Default Value | None |
Allowed Values | true false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
password-file
Description | The path to the file containing the password to use when generating ciphers. Note that the file-based cipher stream provider caches the key in memory so that it is not necessary to read the password file each time the server needs to access the encryption settings database. Most of the time, it will only be necessary for the file to exist when the server is starting, when the cipher stream provider is being initially configured, or when running the encryption-settings tool. This allows for limiting the availability of this password file (e.g., by storing it on removable media that is inserted and mounted only when the password is needed). This can reduce the risk that the password will be exposed to an attacker who gains access to the server filesystem. |
Default Value | None |
Allowed Values | A filesystem path |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
wait-for-password-file
Description | Indicates whether the server should wait for the password file to become available if it does not exist. This may be useful if the password file is usually absent from the filesystem (e.g., stored on removable media that is inserted and mounted only when the password is needed) to reduce the risk of its exposure, and it is not available whenever an operation requires the password (e.g., starting the server or using the encryption-settings tool). Note that the file-based cipher stream provider caches the key in memory so that it is not necessary to read the password file each time the server needs to access the encryption settings database. Most of the time, it will only be necessary for the file to exist when the server is starting, when the cipher stream provider is being initially configured, or when running the encryption-settings tool. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
encryption-metadata-file (Read-Only)
Description | The path to a file that will hold metadata about the encryption performed by this File Based Cipher Stream Provider. If specified, then the encryption metadata file will be generated the first time this cipher stream provider is created, and it will be read every subsequent time the cipher stream provider is loaded. The metadata file will contain a set of properties that will be used in conjunction with the password read from the password file to derive the secret key used to protect the encryption settings database. If no encryption metadata file is specified, then a default set of properties will be used to derive the secret key. |
Default Value | None |
Allowed Values | A filesystem path |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
iteration-count
Description | The PBKDF2 iteration count that will be used when deriving the encryption key used to protect the encryption settings database. This is optional, and it may only be specified when creating the cipher stream provider. If it is not specified, then a default iteration count will be used. |
Default Value | None |
Allowed Values | An integer value. Lower limit is 1000. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
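The following Python model is an added example, not Directory Server code and not part of this reference page. It walks through the behaviour that the password-file, wait-for-password-file, encryption-metadata-file and iteration-count properties describe: the password is read from a file once and the derived key is cached in memory, so the file can be removed (e.g., media unmounted) after initialisation; a metadata file is generated on first creation and read on every later load, so the same key is derived again; the iteration count is validated against the documented lower limit of 1000 and fixed at creation time. Everything about the on-disk formats is assumed: the JSON metadata layout, the 16-byte random salt, PBKDF2-HMAC-SHA-256, the 256-bit key length, the default iteration count of 100,000, the all-zero salt used when no metadata file is configured, and the owner-only permission check on the password file (an operator sanity check, not a rule the page documents). The sample password and file names in demo() are constructed.

```python
import hashlib
import json
import os
import secrets
import stat
import tempfile
import time
from pathlib import Path

MIN_ITERATION_COUNT = 1000          # lower limit the page states for iteration-count
DEFAULT_ITERATION_COUNT = 100_000   # assumed default; the page gives no number
KEY_LENGTH_BYTES = 32               # assumed 256-bit key
DEFAULT_SALT_HEX = "00" * 16        # assumed stand-in for the "default set of properties"


def check_password_file(path: Path) -> None:
    """Operator sanity check (assumed, not a documented server rule): the
    password file must not be accessible by group or others."""
    if os.name != "posix":
        return
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/others (mode {oct(mode)})")


def wait_for_file(path: Path, wait: bool, timeout_s: float, poll_s: float = 0.02) -> None:
    """Model of wait-for-password-file: with wait=True, poll until the file
    appears or the timeout elapses; with wait=False, fail immediately."""
    deadline = time.monotonic() + timeout_s
    while not path.exists():
        if not wait or time.monotonic() >= deadline:
            raise FileNotFoundError(f"password file {path} is not available")
        time.sleep(poll_s)


def load_or_create_metadata(path, iteration_count):
    """First creation writes the metadata file; every later load reads it.
    With no metadata file configured, a fixed default property set is used."""
    if iteration_count is not None and iteration_count < MIN_ITERATION_COUNT:
        raise ValueError(f"iteration-count must be at least {MIN_ITERATION_COUNT}")
    if path is None:
        return {"salt": DEFAULT_SALT_HEX,
                "iterations": iteration_count or DEFAULT_ITERATION_COUNT}
    if path.exists():
        # iteration-count may only be set at creation; a later value is ignored
        return json.loads(path.read_text())
    metadata = {"kdf": "pbkdf2-hmac-sha256",            # assumed layout
                "salt": secrets.token_hex(16),
                "iterations": iteration_count or DEFAULT_ITERATION_COUNT}
    path.write_text(json.dumps(metadata))
    return metadata


def derive_key(password: bytes, metadata: dict) -> bytes:
    """PBKDF2 over the password-file contents plus the metadata properties."""
    return hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(metadata["salt"]),
                               int(metadata["iterations"]), KEY_LENGTH_BYTES)


class FileBasedCipherStreamProvider:
    """Reads the password file once, derives the key and caches it in memory,
    so the file only needs to be present at initialisation."""

    def __init__(self, password_file, metadata_file=None, iteration_count=None,
                 wait_for_password_file=True, timeout_s=1.0):
        self.password_file = Path(password_file)
        self.metadata_file = Path(metadata_file) if metadata_file else None
        self.iteration_count = iteration_count
        self.wait = wait_for_password_file
        self.timeout_s = timeout_s
        self._key = None

    def get_key(self) -> bytes:
        if self._key is None:
            wait_for_file(self.password_file, self.wait, self.timeout_s)
            check_password_file(self.password_file)
            password = self.password_file.read_bytes().rstrip(b"\r\n")
            metadata = load_or_create_metadata(self.metadata_file, self.iteration_count)
            self._key = derive_key(password, metadata)
        return self._key


def demo() -> dict:
    """Constructed scenario: initialise the provider, remove the password file
    (media unmounted) and show the cached key still serves; a later load with
    the same metadata file derives the same key; wait=False rejects a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        pw = Path(tmp) / "encryption-settings.pw"          # constructed name
        meta = Path(tmp) / "encryption-settings.metadata"  # constructed name
        fd = os.open(pw, os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(b"constructed-example-password\n")
        os.chmod(pw, 0o600)

        first = FileBasedCipherStreamProvider(pw, meta, iteration_count=2000)
        key_at_start = first.get_key()
        pw.unlink()                            # media removed after startup
        key_after_removal = first.get_key()    # served from the in-memory cache

        pw.write_bytes(b"constructed-example-password\n")  # media inserted again
        os.chmod(pw, 0o600)
        reloaded = FileBasedCipherStreamProvider(pw, meta).get_key()

        strict = FileBasedCipherStreamProvider(pw, meta, wait_for_password_file=False)
        pw.unlink()
        try:
            strict.get_key()
            missing_file_rejected = False
        except FileNotFoundError:
            missing_file_rejected = True

        return {"key_cached": key_at_start == key_after_removal,
                "reload_matches": reloaded == key_at_start,
                "missing_file_rejected": missing_file_rejected,
                "iterations_recorded": json.loads(meta.read_text())["iterations"]}


if __name__ == "__main__":
    print(demo())
```

The point of the cache is the one the page makes: once get_key() has run, the password file is no longer consulted, so keeping it on media that is mounted only for startup, initial configuration and the encryption-settings tool limits how long a filesystem-level attacker could read it. The metadata file carries no secret, only the properties (salt, iteration count) needed to re-derive the same key from the password, which is why it can be generated once and kept with the server.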
To list the configured Cipher Stream Providers:
dsconfig list-cipher-stream-providers [--property {propertyName}] ...
To view the configuration for an existing Cipher Stream Provider:
dsconfig get-cipher-stream-provider-prop --provider-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Cipher Stream Provider:
dsconfig set-cipher-stream-provider-prop --provider-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new File Based Cipher Stream Provider:
dsconfig create-cipher-stream-provider --provider-name {name} --type file-based --set enabled:{propertyValue} --set password-file:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Cipher Stream Provider:
dsconfig delete-cipher-stream-provider --provider-name {name}