Introduction
I would like to present some hight level user oriented requirements for new Vault implementation we are trying to create in project Elytron.
Let us know your questions or thoughts with regard Vault in discussion below.
We are proposing those requirements without any commitments. The design document will follow later based on discussion here.
Requirements
[VLT-01] Provide possibility for customer to have own Vault implementation
Customers can provide their own implementation of Vault through custom module.
[VLT-02] Vault password can be loaded from external source
Compatible with current methods of obtaining passwords from outside source. For current options see PicketBox methods (EXT/EXTC/CMD/CMDC/CLASS).
[VLT-03] Vault password masked using PBE
Compatible with EAP 6 vault password masking scheme.
[VLT-04] Vault storage can be removed after server starts up
Passwords have to stay encrypted in memory.
[VLT-05] Dynamical updates to vault stored attributes
Secured attributes stored in vault can be dynamically updated while server vault runs next query for the changed attribute has to return new value.
Domain mode?
[VLT-06] VaultTool compatibility
Vault tool will support same operations as EAP 6 except interactive mode.
[VLT-07] VaultTool: import legacy masked passwords as known from EAP 5
Import passwords from file (batch mode) and import password one by one.
[VLT-08] VaultTool: support callback to store sensitive attributes
Create support for adding custom callback to retrieve passwords from presently unknown or custom sources.
[VLT-09] Compatibility with previous versions
Import/transform during vault initialization to new version. Have an option to inhibit the behaviour.
It is questionable if we should enable automatic conversion of Vault during the server start up. What are your thoughts?
[VLT-10] VaultTool: Reasonable defaults for automatic vault creation
It needs write access to filesystem where the vault storage will be located, which might cause problems. It won’t create vault by default. One has to use command line option for that.
[VLT-11] Multiple vaults
Vaults will be assigned a name which will select the vault in time of request. It will require to change password strings or assign each vault which vault blocks it is serving.
[VLT-12] Wrapper for using old EAP 6 Vault (binary compatible)
Not all features of vault might be supported in this mode.
[VLT-13] FIPS 140-2 compliant vault
Requires:
- NSS DB as keystore + JSS
- SunPKCS11 module as bridge to NSS
We cannot make this out of the box, but we can make sure it is possible. Problem is how we can verify this by test.
[VLT-14] Centralized Vault in domain mode
it will probably require transfer of keystore through network, which IMO is not secure.
[VLT-15] Ability to obtain server or connection identity properly populated with credentials
RealmIdentity as defined in Elytron project
Comments