This is the recommended option. You can use it with any LDAP directory. To use this option, extend the schema to add an attribute to your user object on the LDAP directory that will encrypt and store the secrets.
When you use an LDAP directory to store the secrets, you need to enable the user store for the secrets. You select the LDAP directory, then specify an attribute. The attribute you specify is used to store an XML document that contains encrypted secret values. This attribute must be a single-valued case ignore string that you have defined and assigned to the user object in the schema.
To use an LDAP directory to store secrets, your network environment must conform to the following requirements:
The user class object must contain an attribute that can be used to store the secrets. This attribute must be a string attribute that is single valued and case ignore.
The user store must be configured to use secure connections (click Devices > Identity Servers > Edit > Local > User Stores > [User Store Name]. In the Server replicas section, ensure that Port is 636 and that Use SSL is enabled. If not, click the name of the replica and reconfigure it.
To configure the LDAP directory, perform the following steps:
Click Devices > Identity Servers > Edit > Liberty > Web Service Providers.
Click Credential Profile.
Scroll to the Local Storage of Secrets section and configure the following options:
Encryption Password Hash Key: (Required) Specifies the password that you want to use as a seed to create the encryption algorithm. To increase the security of the secrets, we recommend that you change the default password to a unique alphanumeric value.
Preferred Encryption Method: Specifies the preferred encryption method. Select the method that complies with your security model:
Password Based Encryption With MD5 and DES: MD5 is an algorithm that is used to verify data integrity. Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key.
DES: Data Encryption Standard (DES) is a widely used method of data encryption that uses a private key. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
Triple DES: A variant of DES in which data is encrypted three times with standard DES, using two different keys.
IMPORTANT:Before using Access Manager to store and encrypt secrets, ensure to choose your Preferred Encryption Method and change the default Encryption Password Hash Key value. If any of these options are changed after secrets are stored, Access Manager cannot retrieve secrets.
Click New under Extended Schema User Store References and specify the following:
User Store: Select the user store where you want secret store enabled.
Attribute Name: Specify the LDAP attribute that you have created to store the secrets on the selected user store.
Click OK > OK.
On Identity Servers page, update Identity Server.
To create policies that use the stored secrets, see Creating and Managing Shared Secrets.
For troubleshooting information, see Troubleshooting Secrets Storage.