store. Such a credential is mapped by a predefined key name. The out-of-the-box keys defined in the credential store are sign-csf-key and enc-csf-key, used to sign and encrypt/decrypt messages. Custom csf keys can also be added to the credential store to map to different aliases in the keystore. Another important key is keystore-csf-key, which holds the keystore alias and password used to open the keystore. When a policy is executed, it uses the username and password belonging to either sign-csf-key or enc-csf-key to retrieve the actual private key from the keystore: the username is used as the keystore alias and the password unlocks that alias, and the private key is then used to create a signature or to decrypt an incoming message.
To establish a secured connection between the client and the server at runtime, the client's certificate (its public key, never the private key) must be exported from the client keystore and imported into the server keystore as a trusted certificate entry, and vice versa.
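The following is an added example, not Oracle's code or the book's, that models the csf-key indirection and the certificate exchange just described with the standard java.security.KeyStore API. The OPSS credential store is stood in for by a plain map (the class name CsfKeyLookup, the constructed SOAP payload and the "changeit" password are assumptions), so the example runs against any JKS keystore created with keytool without needing a WebLogic domain:

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not OPSS/OWSM code). Each csf-key resolves to a (username, password)
 * pair; the username is used as the keystore alias and the password unlocks that alias.
 * keystore-csf-key supplies the password that opens the keystore itself.
 */
public final class CsfKeyLookup {

    /** One password credential, the pair a csf-key resolves to. */
    static final class PasswordCredential {
        final String name;      // username == keystore alias for sign/enc keys
        final char[] password;
        PasswordCredential(String name, char[] password) { this.name = name; this.password = password; }
    }

    /** Stand-in for the OPSS credential store: csf-key name -> credential (assumption). */
    private final Map<String, PasswordCredential> credentialStore = new HashMap<>();

    public void put(String csfKey, String name, String password) {
        credentialStore.put(csfKey, new PasswordCredential(name, password.toCharArray()));
    }

    private PasswordCredential require(String csfKey) {
        PasswordCredential c = credentialStore.get(csfKey);
        if (c == null) throw new IllegalStateException("no credential mapped for csf-key " + csfKey);
        return c;
    }

    /** Opens the keystore with the password held under keystore-csf-key. */
    public KeyStore openKeystore(String path, String type) throws Exception {
        PasswordCredential ksCred = require("keystore-csf-key");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, ksCred.password);
        }
        return ks;
    }

    /** Signs data with the private key that sign-csf-key's username/password resolve to. */
    public byte[] sign(KeyStore ks, byte[] data) throws Exception {
        PasswordCredential signCred = require("sign-csf-key");
        Key key;
        try {
            key = ks.getKey(signCred.name, signCred.password);   // alias + key password
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException("password in sign-csf-key does not unlock alias " + signCred.name, e);
        }
        if (!(key instanceof PrivateKey)) {                      // null when the alias is absent
            throw new IllegalStateException("alias " + signCred.name + " holds no private key");
        }
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign((PrivateKey) key);
        sig.update(data);
        return sig.sign();
    }

    /** The export/import step: copy only the certificate for alias into dst as a trusted entry. */
    public static void trustCertificate(KeyStore src, String alias, KeyStore dst) throws Exception {
        Certificate cert = src.getCertificate(alias);
        if (cert == null) throw new IllegalStateException("alias " + alias + " not found in source keystore");
        dst.setCertificateEntry(alias, cert);                   // public certificate only, no private key
    }

    // Usage: java CsfKeyLookup client.jks <storepass> <alias> <keypass> server-trust.jks
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: CsfKeyLookup <client.jks> <storepass> <alias> <keypass> <server-trust.jks>");
            System.exit(2);
        }
        CsfKeyLookup csf = new CsfKeyLookup();
        csf.put("keystore-csf-key", "client.jks", args[1]);   // password opens the store
        csf.put("sign-csf-key", args[2], args[3]);             // username == alias, password == key password

        KeyStore client = csf.openKeystore(args[0], "JKS");
        byte[] msg = "<soap:Envelope/>".getBytes(StandardCharsets.UTF_8);   // constructed payload
        byte[] signature = csf.sign(client, msg);

        // Server side: trust the client's certificate, then verify using the public key alone.
        KeyStore serverTrust = KeyStore.getInstance("JKS");
        serverTrust.load(null, null);
        trustCertificate(client, args[2], serverTrust);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(serverTrust.getCertificate(args[2]));
        verifier.update(msg);
        System.out.println("signature verified via server trust store: " + verifier.verify(signature));
        try (OutputStream out = Files.newOutputStream(Paths.get(args[4]))) {
            serverTrust.store(out, "changeit".toCharArray());   // assumed trust-store password
        }
    }
}
```

A test keystore for this can be created with keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore client.jks -storepass changeit -keypass changeit -dname "CN=client"; the manual equivalent of trustCertificate is keytool -exportcert -alias client -keystore client.jks -file client.cer followed by keytool -importcert -alias client -file client.cer -keystore server-trust.jks. Note the two failure modes the code separates: a wrong password in sign-csf-key surfaces as UnrecoverableKeyException, whereas a username that matches no alias makes getKey return null, so a policy that reports only "signing failed" hides which half of the credential is wrong.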
A credential store must not be confused with an identity store. The distinction is subtle but fundamental: credentials and identities are not the same thing. Simply put, in OPSS, identities are what authentication requests are made against, while credentials are securely stored objects that are presented to authentication providers to be matched against identities.
Identity is what is authenticated, while a credential is the key information used to authenticate an identity.