Security Vault Requirements

Version 3

    Introduction

    I would like to present some high-level, user-oriented requirements for the new Vault implementation we are trying to create in the Elytron project.

    Let us know your questions or thoughts with regard to the Vault in the discussion below.

    We are proposing these requirements without any commitment. The design document will follow later, based on the discussion here.


    Requirements


    [VLT-01] Provide the possibility for customers to have their own Vault implementation

    Customers can provide their own implementation of the Vault through a custom module.


    [VLT-02] Vault password can be loaded from an external source

    Compatible with the current methods of obtaining passwords from an outside source. For the current options see the PicketBox methods (EXT/EXTC/CMD/CMDC/CLASS): EXT and CMD run an external command and read the password from its output, EXTC and CMDC do the same but cache the result (with an optional expiry), and CLASS obtains it from a user-supplied class.
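    The following is an added example, not PicketBox's or Elytron's own code, of how a loader for the EXT/EXTC/CMD/CMDC forms can work: EXT tokenizes the command string on whitespace, CMD takes a comma-separated argument list, and the C variants cache the result for the optional expiry given after a colon (for example {EXTC:30000}). The exact cache semantics, the class name and the sample spec in main are assumptions made for the example; the CLASS form is left out. The security point to keep in mind is that the command string comes from the server configuration, so whoever can write that file runs arbitrary commands as the server user; the loader must not shell out with a string that is user-influenced at runtime.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Resolves a password specification of the PicketBox-style forms
 * {EXT}cmd args, {EXTC[:expiryMillis]}cmd args, {CMD}cmd,arg1,arg2 and {CMDC[:expiryMillis]}cmd,arg1,arg2.
 * Anything without a recognised prefix is treated as a literal password.
 * Illustrative code (assumption: behaviour modelled on the PicketBox options, not copied from them).
 */
public final class ExternalPasswordLoader {

    private static final class Cached {
        final char[] password;
        final long expiresAt;            // Long.MAX_VALUE means "never expires"
        Cached(char[] password, long expiresAt) { this.password = password; this.expiresAt = expiresAt; }
    }

    private final Map<String, Cached> cache = new ConcurrentHashMap<>();

    public char[] load(String spec) throws IOException, InterruptedException {
        if (spec == null) return null;
        if (!spec.startsWith("{")) return spec.toCharArray();     // literal password
        int close = spec.indexOf('}');
        if (close < 0) throw new IllegalArgumentException("unterminated prefix in " + spec);
        String prefix = spec.substring(1, close);                  // e.g. "EXTC:30000"
        String body = spec.substring(close + 1);
        String kind = prefix;
        long ttl = -1;                                             // -1: cache forever (C variants only)
        int colon = prefix.indexOf(':');
        if (colon >= 0) {
            kind = prefix.substring(0, colon);
            ttl = Long.parseLong(prefix.substring(colon + 1));
        }
        switch (kind) {
            case "EXT":  return run(tokenizeOnWhitespace(body));
            case "CMD":  return run(Arrays.asList(body.split(",")));
            case "EXTC": return cached(spec, ttl, tokenizeOnWhitespace(body));
            case "CMDC": return cached(spec, ttl, Arrays.asList(body.split(",")));
            default: throw new IllegalArgumentException("unsupported prefix {" + kind + "}");
        }
    }

    /** Serves the cached value while it is fresh; otherwise re-runs the command and caches a copy. */
    private char[] cached(String key, long ttlMillis, List<String> command) throws IOException, InterruptedException {
        long now = System.currentTimeMillis();
        Cached hit = cache.get(key);
        if (hit != null && now < hit.expiresAt) {
            return hit.password.clone();                           // caller may wipe its copy
        }
        char[] fresh = run(command);
        long expiresAt = ttlMillis < 0 ? Long.MAX_VALUE : now + ttlMillis;
        cache.put(key, new Cached(fresh.clone(), expiresAt));
        return fresh;
    }

    /** Runs the command without a shell and takes the first line of stdout as the password. */
    private static char[] run(List<String> command) throws IOException, InterruptedException {
        if (command.isEmpty()) throw new IllegalArgumentException("empty command");
        Process p = new ProcessBuilder(command).start();
        String line;
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            line = r.readLine();
        }
        int exit = p.waitFor();
        if (exit != 0 || line == null) {
            throw new IOException("password command failed (exit " + exit + ")");
        }
        return line.toCharArray();
    }

    private static List<String> tokenizeOnWhitespace(String s) {
        List<String> out = new ArrayList<>();
        for (String t : s.trim().split("\\s+")) if (!t.isEmpty()) out.add(t);
        return out;
    }

    public static void main(String[] args) throws Exception {
        ExternalPasswordLoader loader = new ExternalPasswordLoader();
        // Constructed sample: on a POSIX system /bin/echo prints the "password" to stdout.
        char[] pw = loader.load("{EXTC:30000}/bin/echo s3cret-from-command");
        System.out.println(pw.length + " characters loaded");
        Arrays.fill(pw, '\0');                                     // do not leave the copy lying around
    }
}
```

    Note that the cached variants necessarily keep a plaintext copy on the heap for the lifetime of the cache entry, which is in tension with [VLT-04] below; an expiry keeps that window bounded.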


    [VLT-03] Vault password masked using PBE

    Compatible with the EAP 6 vault password masking scheme (password-based encryption of the keystore password, with the salt and iteration count stored alongside it in the configuration).
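    An added example, not PicketBox's code, of the kind of masking EAP 6 applies to the keystore password: PBEWithMD5AndDES keyed from a fixed pass-phrase, parameterised by the 8-byte salt and iteration count that are written into the server configuration next to the masked value, and framed as MASK-<base64>. The pass-phrase constant is quoted from memory and the Base64 framing is assumed; both should be checked against the PicketBox source before relying on byte-for-byte interoperability. The point the example makes is that every input to unmasking is public once you can read the configuration file, so masking protects against shoulder-surfing and casual disclosure, not against an attacker with file access.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** EAP 6-style keystore password masking (illustrative; assumption: mirrors, not copies, PicketBox). */
public final class KeystorePasswordMasker {
    private static final String ALGORITHM = "PBEWithMD5AndDES";   // PKCS#5 v1.5 PBES1, as used by EAP 6
    private static final String PREFIX = "MASK-";
    // Assumption (from memory): EAP 6 derives the PBE key from this fixed, published pass-phrase.
    private static final char[] FIXED_PASSPHRASE =
            "somearbitrarycrazystringthatdoesnotmatter".toCharArray();

    public static String mask(char[] keystorePassword, byte[] salt, int iterationCount) throws Exception {
        Cipher c = cipher(Cipher.ENCRYPT_MODE, salt, iterationCount);
        byte[] ct = c.doFinal(new String(keystorePassword).getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    public static char[] unmask(String value, byte[] salt, int iterationCount) throws Exception {
        if (!value.startsWith(PREFIX)) return value.toCharArray();      // unmasked literal
        Cipher c = cipher(Cipher.DECRYPT_MODE, salt, iterationCount);
        byte[] pt = c.doFinal(Base64.getDecoder().decode(value.substring(PREFIX.length())));
        return new String(pt, StandardCharsets.UTF_8).toCharArray();
    }

    private static Cipher cipher(int mode, byte[] salt, int iterationCount) throws Exception {
        if (salt.length != 8) throw new IllegalArgumentException("PBEWithMD5AndDES requires an 8-byte salt");
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(FIXED_PASSPHRASE));
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(salt, iterationCount));
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample parameters of the kind that end up in the configuration file.
        byte[] salt = "12345678".getBytes(StandardCharsets.US_ASCII);
        int iterations = 50;
        String masked = mask("keystore-pw".toCharArray(), salt, iterations);
        System.out.println("masked:   " + masked);
        // Anyone holding the configuration has salt, iteration count and the algorithm,
        // so they recover the plaintext exactly as the server does:
        System.out.println("unmasked: " + new String(unmask(masked, salt, iterations)));
    }
}
```

    Because the derived key depends only on public inputs (and MD5/DES are weak in any case), the confidentiality of a masked password rests entirely on file permissions; [VLT-02]'s external sources are the option to recommend when the configuration file itself is not trusted.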


    [VLT-04] Vault storage can be removed after the server starts up

    Passwords have to stay encrypted in memory, and the vault must not depend on re-reading its storage after start-up.
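    One way to meet this, shown here as an added design example rather than Elytron's implementation: read the entries while the storage is still present, re-encrypt each one under a random per-process AES-GCM key that is never persisted, and decrypt only on query into a fresh char[] the caller is expected to wipe. The class name, the use of the entry name as associated data, and the 128-bit key size (chosen so the example also runs on JDKs without the unlimited crypto policy) are assumptions of the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Holds vault entries encrypted under a per-process key that never touches disk (illustrative design). */
public final class InMemoryEncryptedVault {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12, TAG_BITS = 128;
    private final SecretKey sessionKey;
    private final SecureRandom random = new SecureRandom();
    private final Map<String, byte[]> entries = new ConcurrentHashMap<>();   // value = nonce || ciphertext

    public InMemoryEncryptedVault() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                              // 128 bits: works without the unlimited policy files
        sessionKey = kg.generateKey();
    }

    /** Called once per entry during start-up, while the persistent storage is still readable. */
    public void put(String name, char[] secret) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        random.nextBytes(nonce);                   // fresh nonce per entry; never reuse under one key
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, sessionKey, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));   // bind the ciphertext to its name
        byte[] plain = toBytes(secret);
        byte[] ct;
        try { ct = c.doFinal(plain); } finally { Arrays.fill(plain, (byte) 0); }
        entries.put(name, ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array());
    }

    /** Decrypts on demand; the returned array is the caller's to wipe. Returns null if unknown. */
    public char[] get(String name) throws Exception {
        byte[] blob = entries.get(name);
        if (blob == null) return null;
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, sessionKey, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));   // a swapped entry fails the tag check
        byte[] plain = c.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
        try { return toChars(plain); } finally { Arrays.fill(plain, (byte) 0); }
    }

    // char[] <-> UTF-8 without going through String, so no immortal copy is created.
    private static byte[] toBytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        Arrays.fill(bb.array(), (byte) 0);
        return out;
    }

    private static char[] toChars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        Arrays.fill(cb.array(), '\0');
        return out;
    }

    public static void main(String[] args) throws Exception {
        InMemoryEncryptedVault vault = new InMemoryEncryptedVault();
        char[] fromStorage = "db-pa55word".toCharArray();        // constructed sample entry
        vault.put("ds_ExampleDS::password", fromStorage);
        Arrays.fill(fromStorage, '\0');                            // storage copy is gone now
        char[] pw = vault.get("ds_ExampleDS::password");
        System.out.println("query returned " + pw.length + " characters");
        Arrays.fill(pw, '\0');
    }
}
```

    The caveat a reviewer should raise: the session key lives in the same process heap as the ciphertexts, so a full memory dump still yields everything. What this buys is a bounded plaintext lifetime and protection against the accidental exposures (heap dumps taken at a random moment, Strings that survive in the heap, objects logged by toString) that plain char[] storage does not give; keeping the key outside the JVM is the domain of [VLT-13].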


    [VLT-05] Dynamic updates to vault-stored attributes

    Secured attributes stored in the vault can be updated dynamically while the server runs; the next query for the changed attribute has to return the new value.

    Domain mode?


    [VLT-06] VaultTool compatibility

    The vault tool will support the same operations as in EAP 6, except interactive mode.


    [VLT-07] VaultTool: import legacy masked passwords as known from EAP 5

    Import passwords from a file (batch mode) and import passwords one by one.


    [VLT-08] VaultTool: support a callback to store sensitive attributes

    Add support for a custom callback that retrieves passwords from presently unknown or custom sources.


    [VLT-09] Compatibility with previous versions

    Import/transform the vault to the new version during vault initialization. Have an option to inhibit this behaviour.

    It is questionable whether we should enable automatic conversion of the Vault during server start-up. What are your thoughts?


    [VLT-10] VaultTool: reasonable defaults for automatic vault creation

    Automatic creation needs write access to the filesystem where the vault storage will be located, which might cause problems. The tool won't create a vault by default; one has to use a command line option for that.


    [VLT-11] Multiple vaults

    Vaults will be assigned a name which selects the vault at request time. This will require either changing the password strings (so that the expression names the vault) or assigning to each vault the vault blocks it is serving.


    [VLT-12] Wrapper for using the old EAP 6 Vault (binary compatible)

    Not all features of the new vault might be supported in this mode.


    [VLT-13] FIPS 140-2 compliant vault

    Requires:

    • NSS DB as keystore + JSS
    • SunPKCS11 module as bridge to NSS

    We cannot make this work out of the box, but we can make sure it is possible. The problem is how to verify it by test.


    [VLT-14] Centralized Vault in domain mode

    It will probably require transfer of the keystore over the network, which IMO is not secure.


    [VLT-15] Ability to obtain a server or connection identity properly populated with credentials

    RealmIdentity as defined in the Elytron project.