public interface MasterKeyEncryptor
An encryptor that can be used to encrypt PingFederate's master key file (pf.jwk).
The encryptor can return a key identifier (via its initialize method) which can be associated with the master key file. This allows PingFederate configuration archives to be transferred between different installations. Alternatively, a null key identifier can be returned if the encryptor chooses to manage its key identifier for certain deployment requirements, such as tying the key to the machine's MAC address.
If a master key file was previously unencrypted, it will be immediately encrypted after initialization. If a key identifier is returned and has changed, then the master key file be decrypted and then encrypted immediately after to allow the encryptor to apply the new key.
The key identifier is stored in the '<PF_INSTALL>/server/default/data/config-store/com.pingidentity.crypto.jwk.MasterKeySet.xml' file.
An encryptor implementation must be deployed to the directory '<PF_INSTALL>/server/default/deploy/' and declared for use in '<PF_INSTALL>/server/default/conf/META-INF/hivemodule.xml', in the MasterKeyEncryptor's create-instance class attribute. i.e.
<service-point id="MasterKeyEncryptor" interface="com.pingidentity.sdk.key.MasterKeyEncryptor"> <create-instance class="com.company.MyMasterKeyEncryptor"/> </service-point>
|Modifier and Type||Method and Description|
Decrypts the master key's cipher text.
Encrypts the data that will eventually be stored in the master key file.
String initialize(String keyId) throws MasterKeyEncryptorException
MasterKeyEncryptor allowing implementations
to perform any external key management operations, such as creating/loading
an external key.
The key identifier that is used to encrypt/decrypt the master key file is
passed into the initialize method. The key identifier may be null if the
master key file was not previously encrypted, or if this
doesn't need a key identifier and previously returned null in an earlier
This method is called everytime a master key file is loaded. This can occur when PingFederate starts up or when a configuration archive is imported.
keyId- The key identifier associated with the master key file. May be null.
MasterKeyEncryptorException- Thrown if failed to initialize.
byte encrypt(byte plainText) throws MasterKeyEncryptorException
plainText- The master key file's plain text content.
MasterKeyEncryptorException- Thrown if failed to encrypt.
Copyright 2020 Ping Identity Corp. All rights reserved.