KeyStore service type (tC)
The KeyStore service supports three types:
KeyStore service type none
This configuration means that no keystore service is configured.
# (none|storage|pkcs12|pkcs_storage) - default: none
<repoName>.keystoreservice.type = none
KeyStore service type pkcs12
Here the keystore is created outside the storage.
It can store configuration data, encrypted and accessible by a secret, as well as ArchiveLink certificates (see ArchiveLink configuration (tC) | Security) or CMIS certificates (see Authentication type "tokenseckey").
Example configuration in repository.cfg:
<repoName>.keystoreservice.type = pkcs12
<repoName>.keystoreservice.pkcs12.name = repo1-ks.p12
<repoName>.keystoreservice.pkcs12.path = c://cmis//tia_keystore
In case the ConfigDataService is of type filesystem (see https://kgs-software.atlassian.net/l/cp/KHQ67ZGk):
the path parameter defaults to the <repoName>.configdata.filesystem.root parameter,
the name parameter defaults to common-ks.pkcs12.
When using templates in the repository.cfg file and setting <template>.keystoreservice.pkcs12.path to a keystore, all repositories sharing this setting access the same keystore.
Thus pkcs12 is the only one of the three keystore service types that supports sharing certificates between repositories.
KeyStore service type storage
The keystore is located inside the storage.
It can only store ArchiveLink or CMIS certificates, not secrets for configuration data.
Example configuration in repository.cfg:
<repoName>.keystoreservice.type = storage
The keystore is stored in the storage of the repository. So even when templates are used for configuration, each repository uses its own keystore in the .kgs (base32 encoded: FZVWO4Y) folder structure.
Type storage requires the content service of the repository to be configured, i.e. not noop.
KeyStore service type pkcs12_storage
This keystore type combines the types pkcs12 and storage by using two keystores per repository: one outside the storage for configuration data, and one inside the storage for ArchiveLink or CMIS certificates.
Example configuration in repository.cfg:
<repoName>.keystoreservice.type = pkcs12_storage
<repoName>.keystoreservice.pkcs12_storage.name = repo1-ks.p12
<repoName>.keystoreservice.pkcs12_storage.path = c://cmis//tia_keystore
Changing the keystore service type from storage to pkcs12_storage is straightforward: the new service type continues to use the keystore residing in the storage of the repository, so the certificates remain usable.
However, changing from pkcs12 to pkcs12_storage results in a loss of the certificates, because they remain in the keystore outside the storage while the new type expects them inside it. The configuration data, on the other hand, can still be accessed as before.
Type pkcs12_storage requires the content service of the repository to be configured, i.e. not noop.
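The following script is an added example, not part of this documentation or of the kgs software: it reads the keystoreservice settings of a repository.cfg and reports, per repository, which keystore(s) the pkcs12, storage and pkcs12_storage types described above will use, applies the filesystem defaults, flags a missing (noop) content service, and lists external keystore files shared by several repositories. The keys <repo>.configdata.type and <repo>.contentservice.type, and the sample configuration, are assumptions for the example.

```python
import re
from collections import defaultdict
# Added example, not kgs code: resolve the keystore(s) each repository in repository.cfg uses.
DEFAULT_NAME = "common-ks.pkcs12"   # default name when the ConfigDataService is filesystem
_LINE = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")
def parse_cfg(text):
    """Parse the 'key = value' lines of repository.cfg; lines starting with '#' are comments."""
    pairs = (_LINE.match(l.strip()) for l in text.splitlines() if not l.strip().startswith("#"))
    return {m.group(1): m.group(2).strip() for m in pairs if m}
def resolve_keystore(cfg, repo):
    """Return the effective keystore location(s) of one repository plus audit findings."""
    ks_type = cfg.get(f"{repo}.keystoreservice.type", "none")
    out = {"type": ks_type, "findings": []}
    if ks_type in ("pkcs12", "pkcs12_storage"):
        prefix = f"{repo}.keystoreservice.{ks_type}"
        name, path = cfg.get(f"{prefix}.name"), cfg.get(f"{prefix}.path")
        # Defaults exist only for ConfigDataService type filesystem (ASSUMPTION: key <repo>.configdata.type).
        if cfg.get(f"{repo}.configdata.type") == "filesystem":
            path = path or cfg.get(f"{repo}.configdata.filesystem.root")
            name = name or DEFAULT_NAME
        if name and path:
            out["external"] = f"{path}/{name}"
        else:
            out["findings"].append("external keystore name/path not set and no filesystem default")
    if ks_type in ("storage", "pkcs12_storage"):
        # ASSUMPTION: the content service type is configured as <repo>.contentservice.type.
        if cfg.get(f"{repo}.contentservice.type", "noop") == "noop":
            out["findings"].append(f"type {ks_type} requires a content service that is not noop")
        out["in_storage"] = ".kgs folder inside the repository storage"
    return out
def shared_external_keystores(cfg, repos):
    """Map each external keystore file to the repositories opening it (pkcs12 certificate sharing)."""
    users = defaultdict(list)
    for repo in repos:
        if ext := resolve_keystore(cfg, repo).get("external"):
            users[ext].append(repo)
    return {ks: r for ks, r in users.items() if len(r) > 1}
SAMPLE_CFG = """# constructed sample: repo1 and repo2 share a keystore, repo3 relies on defaults
repo1.keystoreservice.type = pkcs12
repo1.keystoreservice.pkcs12.name = repo1-ks.p12
repo1.keystoreservice.pkcs12.path = c://cmis//tia_keystore
repo2.keystoreservice.type = pkcs12
repo2.keystoreservice.pkcs12.name = repo1-ks.p12
repo2.keystoreservice.pkcs12.path = c://cmis//tia_keystore
repo3.keystoreservice.type = pkcs12_storage
repo3.configdata.type = filesystem
repo3.configdata.filesystem.root = /srv/tia/config
"""
```

Run resolve_keystore(parse_cfg(SAMPLE_CFG), "repo3") to see the filesystem defaults applied together with the noop content service finding; shared_external_keystores reports repo1 and repo2 opening the same file.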