Keystore Provider

The Keystore provider holds the configuration needed to access a Keystore. A Keystore is an object that can hold symmetric (secret) keys, private keys together with their certificate chains, and public keys in the form of trusted certificates. A Keystore is usually a binary file, but it can also be implemented as a cryptographic module in hardware and accessed through Sun's PKCS11 provider. See nCipher Configuration for an example using the nCipher crypto module.

Keystore providers are usually referred to by name in other components, but you can also declare a default Keystore provider for SSL, and a (possibly different) Keystore provider for SMIME.

The Reload Period property tells the provider how often to check whether the Keystore should be reloaded. By default, the Keystore is loaded only once, the first time the provider is accessed, and is never reloaded. When defined, the Reload Period is the minimum time to wait before a reload can occur. The check takes place only when the provider is accessed, so an idle provider costs nothing. The value 0 means the provider must check for a possible reload every time it is accessed. This is cheaper than it sounds, because the Keystore file is re-read only if its time stamp shows it was modified since the last check; otherwise the check is a single look at the file's time stamp. Because the decision is driven by the file time stamp, it applies to file-based Keystores.

The Keystore provider is usually configured with the Keystore password. The provider can instead request the password at runtime when the application's security requirements forbid storing the Keystore password in the configuration. This is done through a user-provided callback handler, which is queried for the password the first time the Keystore provider is accessed. This mechanism is particularly useful for Keystores implemented in hardware, such as an nCipher device.

The following class is a sample callback implementation. This callback can be enabled by setting the Callback Handler property to com.example.SampleCallbackHandler.

package com.example;

import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class SampleCallbackHandler implements CallbackHandler
{
      // Keep a public no-argument constructor: the handler is instantiated from the class name given in the Callback Handler property.
      public SampleCallbackHandler() {}

      @Override
      public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException
      {
            char[] password = …; // application specific: obtained at runtime, never hard-coded
            for (Callback cb : callbacks)
            {
                  if (cb instanceof PasswordCallback)
                  {
                        // setPassword() stores a copy, so the local array can be wiped afterwards
                        ((PasswordCallback)cb).setPassword(password);
                  }
                  else
                  {
                        // Standard JAAS idiom: reject callback types this handler cannot satisfy
                        throw new UnsupportedCallbackException(cb);
                  }
            }
            Arrays.fill(password, '\0'); // do not leave the password lingering in memory
      }
}
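The two behaviours described above, password retrieval through a CallbackHandler and time-stamp-driven reloading governed by a Reload Period, as one added example. This is illustrative code written for this page, not iSM's own Keystore provider: the class name ReloadingKeystore, the constructor arguments, the decision to consult the handler on every (re)load rather than only the first time, and the representation of the Reload Period as milliseconds (null for "never reload", 0 for "check on every access") are all assumptions of the example. The demo in main creates an empty, constructed JKS file with a demo password so that it runs offline.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Illustrative Keystore loader (not iSM's own code): the password comes from a
 * CallbackHandler, and the file is re-read at most once per reload period, and
 * then only if its time stamp changed since the last load.
 */
public final class ReloadingKeystore {
    private final File file;
    private final String type;
    private final CallbackHandler handler;
    private final Long reloadPeriodMillis; // null: never reload; 0: check on every access

    private KeyStore cached;
    private long loadedStamp;     // File.lastModified() at the time of the last load
    private long lastCheckMillis; // when the time stamp was last examined

    public ReloadingKeystore(File file, String type, CallbackHandler handler, Long reloadPeriodMillis) {
        this.file = file;
        this.type = type;
        this.handler = handler;
        this.reloadPeriodMillis = reloadPeriodMillis;
    }

    /** Called on every access; there is no timer thread, so an idle provider costs nothing. */
    public synchronized KeyStore get() throws IOException, GeneralSecurityException {
        long now = System.currentTimeMillis();
        if (cached == null) {
            load(now);                                   // first access: always load
        } else if (reloadPeriodMillis != null && now - lastCheckMillis >= reloadPeriodMillis) {
            lastCheckMillis = now;                       // period elapsed: look at the file
            if (file.lastModified() != loadedStamp) {
                load(now);                               // changed on disk: reload
            }
        }
        return cached;
    }

    private void load(long now) throws IOException, GeneralSecurityException {
        char[] password = askPassword();                 // assumption: handler consulted on each (re)load
        try (InputStream in = new FileInputStream(file)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            cached = ks;
            loadedStamp = file.lastModified();
            lastCheckMillis = now;
        } finally {
            Arrays.fill(password, '\0');                 // wipe our copy once the Keystore is open
        }
    }

    private char[] askPassword() throws IOException, GeneralSecurityException {
        PasswordCallback cb = new PasswordCallback("Keystore password: ", false);
        try {
            handler.handle(new Callback[] { cb });
        } catch (UnsupportedCallbackException e) {
            throw new GeneralSecurityException("callback handler cannot supply a Keystore password", e);
        }
        char[] pw = cb.getPassword();                    // returns a clone of what the handler set
        cb.clearPassword();
        if (pw == null) throw new GeneralSecurityException("callback handler supplied no password");
        return pw;
    }

    /** Demo against a constructed, empty JKS file protected by a demo password. */
    public static void main(String[] args) throws Exception {
        File f = File.createTempFile("demo", ".jks");
        f.deleteOnExit();
        char[] demoPassword = "changeit".toCharArray();  // constructed for the demo only
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        try (OutputStream out = new FileOutputStream(f)) { empty.store(out, demoPassword); }

        CallbackHandler h = callbacks -> {               // same shape as SampleCallbackHandler above
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(demoPassword);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        ReloadingKeystore rk = new ReloadingKeystore(f, "JKS", h, 0L);  // Reload Period 0
        KeyStore first = rk.get(), second = rk.get();
        System.out.println("same instance while file unchanged: " + (first == second));
    }
}
```

With a Reload Period of 0 the second get() still returns the cached instance, because the file's time stamp has not changed; touching or rewriting the file between the two calls makes the second call reload. One caveat inherent to any time-stamp-driven scheme: a replacement file that preserves the old modification time is invisible to the check, so deploy a new Keystore by writing a fresh file rather than by copying with preserved attributes.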

In iSM, a Keystore can also be used where a CertStore is expected. The corresponding CertStore contains the trusted certificate entries plus the first certificate (the end-entity certificate) of each private key entry's chain. For example, a Keystore can serve as a TrustStore if it contains only the certificates of trusted CAs. A Keystore is not a general CertStore, however, because it cannot contain a Certificate Revocation List (CRL).
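The CertStore view described above, as an added example that is not iSM's code: it builds a standard JCA Collection CertStore from a KeyStore by taking the trusted certificate entries and the first certificate of each private key entry's chain, exactly the two kinds of entry the text lists, and then shows that such a store never yields a CRL. The class name, the command-line usage and reading the password from the console are assumptions of the example; the JCA calls (KeyStore.aliases, isCertificateEntry, isKeyEntry, getCertificateChain, CertStore.getInstance("Collection", ...)) are standard.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

/**
 * Builds the CertStore view of a Keystore: trusted certificate entries plus the
 * first certificate of each private key entry's chain. Added example, not iSM code.
 */
public final class KeystoreCertStore {
    public static CertStore fromKeystore(KeyStore ks) throws Exception {
        List<Certificate> certs = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                certs.add(ks.getCertificate(alias));              // trusted certificate entry
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0) {          // null for secret-key entries
                    certs.add(chain[0]);                          // end-entity certificate only
                }
            }
        }
        // A Collection CertStore holds exactly what it was given; no CRLs are ever added.
        return CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeystoreCertStore <keystore-file> <type, e.g. JKS or PKCS12>
        Console console = System.console();                       // needs an interactive terminal
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0');                          // do not keep the password around
        }
        CertStore cs = fromKeystore(ks);
        System.out.println("certificates: " + cs.getCertificates(new X509CertSelector()).size());
        System.out.println("CRLs: " + cs.getCRLs(null).size());   // always 0 for a Keystore-backed store
    }
}
```

Run it against a Keystore that holds only CA certificates and the certificate count equals the number of trusted entries, which is the TrustStore case from the text; the CRL count is zero whatever the Keystore contains, which is why a Keystore cannot stand in for a CertStore that is expected to supply revocation data.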

The following table lists the Keystore Provider properties. Properties marked with an asterisk (*) are required.

Name *
The name of the Keystore definition to add.

Description
A brief description of the use of this Keystore.

Keystore *
Location of the Keystore file, or NONE when the Keystore is a hardware module accessed through the PKCS11 provider.

Keystore Password
The password used to open the Keystore. It can be omitted in favour of a Callback Handler when the password must not be stored in the configuration.

Keystore Type *
The Keystore type, for example JKS or PKCS12.

Keystore JCE Provider
The JCE provider implementing this Keystore type, for example Sun's PKCS11 provider for a hardware Keystore.

Callback Handler
The fully qualified class name of a callback handler that satisfies authentication callbacks for the Keystore. The class must implement the javax.security.auth.callback.CallbackHandler interface and be available on the iSM classpath.

Reload Period
Minimum time to wait before the provider checks whether the Keystore needs to be reloaded. The format is [xxh][xxm]xx[s]; a bare number is taken as seconds. Enter 0 to check for a reload every time the Keystore is requested. Leave the property empty to never reload the Keystore. A file-based Keystore is reloaded only if the file was modified since the last reload.


iWay Software