Configuring Crypto API

Crypto API is configured in the crypto_api section of the config.json file. You can configure it independently for each tenant. For more information on a tenant global configuration, see Configuring the Stormshield KMaaS.

The template for the crypto_api configuration block is as follows:

```json
{
  "crypto_api": {
    "enable": _IS_CRYPTO_API_ENABLE_,
    "authentication": [
      {
        "discovery_uri": "_CRYPTO_API_AUTHENTICATION_DISCOVERY_URI_",
        "client_id": "_CRYPTO_API_AUTHENTICATION_ISSUER_"
      },
      {
        "name": "_CRYPTO_API_AUTHENTICATION_API_KEY_NAME",
        "api_key": "_CRYPTO_API_AUTHENTICATION_API_KEY_VALUE"
      }
    ],
    "policy_enforcement": {
      "enable": false,
      "type": "_POLICY_ENFORCEMENT_TYPE_",
      "opa_server": {
        "url": "_URL_",
        "authentication": {
          "type": "basic",
          "user_id": "_USER_ID_",
          "password": "_PASSWORD_"
        }
      }
    }
  }
}
```

| Parameter | Description | Type | Optional/mandatory |
|---|---|---|---|
| enable | Enables or disables the Crypto API feature. | Boolean | Mandatory to use the Crypto API feature. |

Authentication parameter

JSON array containing the configuration that allows authenticating to Crypto API. Two types of authentication are supported: OpenID with JWT tokens, or API keys.

When using the OpenID method, the Identity Provider (IDP) must be configured to deliver JWT tokens containing at least the fields "iss", "aud", "exp" and "iat". For more information, see Configuring the identity provider.

| Parameter | Description | Type | Optional/mandatory |
|---|---|---|---|
| discovery_uri | URL of the OpenID JSON configuration file used for OpenID authentication. | String | Mandatory to use OpenID authentication. |
| client_id | Recipient (audience) of the JWT authentication token (see RFC 7519). An entry must be added for each identity provider. | String | Mandatory to use OpenID authentication. |
| name | Name of the API key. The character ':' is not allowed (see RFC 2617). | String | Mandatory to use API Key authentication. |
| api_key | Value of the API key. Must be a valid API key provided by Stormshield. | String | Mandatory to use API Key authentication. |

policy_enforcement parameter

JSON object containing the configuration of the optional OPA enforcement feature for Crypto API. For more information, see Implementing the authorization rules with Open Policy Agent.

| Parameter | Description | Type | Optional/mandatory |
|---|---|---|---|
| enable | Enables the use of OPA rules for the feature. | Boolean | Mandatory for each enabled feature except the PKI. |
| type | Kind of OPA policy to use. Possible values: opa_local (uses the local files policy.wasm and policy.data.json; the file names must be adapted to the feature used) or opa_server (uses a remote OPA server). | String | Mandatory if policy_enforcement.enable is set to true. |
| opa_server | JSON object describing the parameters required to access the OPA policy server. Stormshield guarantees compatibility with OPA version 1.2.0. | Object | |
| opa_server.url | URL of the endpoints exposed by the OPA data API (for more information, see the OPA documentation). Example: if your rego package is stormshield.kmaas and it defines the allow variable, the url is https://opa-server/v1/data/stormshield/kmaas/allow. The authorized protocols are http and https; Stormshield strongly recommends https in production. | String | Mandatory if policy_enforcement.type is set to opa_server. |
| opa_server.authentication | JSON object describing the parameters required to authenticate to the OPA policy server. It includes the following fields: type (type of authentication used to connect to the policy server; the prescribed value is "basic"), user_id (identifier of the user account used to connect to the policy server; mandatory if authentication.type is set to "basic") and password (password of that user account; mandatory if authentication.type is set to "basic"). | Object | Mandatory if policy_enforcement.type is set to opa_server. |
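As an added example (not Stormshield's code), the following Python checks a crypto_api block against the rules described on this page: a boolean enable, the two authentication entry shapes with the ':' restriction on API key names, the allowed policy_enforcement types, and the http/https and basic-authentication rules for opa_server; it also builds the OPA data URL from a rego package and rule as in the example above, and reports which of the four required JWT claims an IdP token lacks. The function names and the sample findings wording are assumptions of this example.

```python
# Added example (not Stormshield code): sanity-check a crypto_api block against this page's rules.
from urllib.parse import urlparse

REQUIRED_JWT_CLAIMS = ("iss", "aud", "exp", "iat")  # fields the IdP must put in every token


def missing_jwt_claims(claims):
    """Return the required claims absent from a decoded JWT payload."""
    return [c for c in REQUIRED_JWT_CLAIMS if c not in claims]


def opa_data_url(base, package, rule):
    """Package 'stormshield.kmaas' + rule 'allow' -> <base>/v1/data/stormshield/kmaas/allow."""
    return f"{base.rstrip('/')}/v1/data/{package.replace('.', '/')}/{rule}"


def validate_crypto_api(cfg):
    """Return a list of findings; an empty list means the block is consistent."""
    findings = []
    if not isinstance(cfg.get("enable"), bool):
        findings.append("enable must be a boolean")
    for entry in cfg.get("authentication", []):
        if "discovery_uri" in entry:  # OpenID / JWT method
            if not entry.get("client_id"):
                findings.append("client_id (token audience) is required with discovery_uri")
        elif "api_key" in entry:  # API key method
            if ":" in entry.get("name", ""):  # ':' is not allowed in the name (RFC 2617)
                findings.append("api key name must not contain ':'")
        else:
            findings.append("authentication entry is neither OpenID nor API key")
    pe = cfg.get("policy_enforcement", {})
    if pe.get("enable"):
        if pe.get("type") not in ("opa_local", "opa_server"):
            findings.append("policy_enforcement.type must be opa_local or opa_server")
        if pe.get("type") == "opa_server":
            srv = pe.get("opa_server", {})
            scheme = urlparse(srv.get("url", "")).scheme
            if scheme not in ("http", "https"):
                findings.append("opa_server.url must use http or https")
            elif scheme == "http":
                findings.append("opa_server.url uses http; https is recommended in production")
            auth = srv.get("authentication", {})
            if auth.get("type") != "basic":
                findings.append("opa_server.authentication.type must be 'basic'")
            elif not (auth.get("user_id") and auth.get("password")):
                findings.append("basic authentication needs user_id and password")
    return findings
```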