Merge pull request #5075 from vespa-engine/mortent/reapply-ckms

Refactor identityprovider. Add SiaIdentityProvider

21 files changed, 173 insertions, 294 deletions

diff --git a/athenz-identity-provider-service/pom.xml b/athenz-identity-provider-service/pom.xml
index bfd02d54d43..57339159e3d 100644
--- a/athenz-identity-provider-service/pom.xml
+++ b/athenz-identity-provider-service/pom.xml
@@ -14,67 +14,6 @@
         <relativePath>../parent/pom.xml</relativePath>
     </parent>
     <dependencies>
-        <!-- COMPILE -->
-        <dependency>
-            <groupId>com.yahoo.athenz</groupId>
-            <artifactId>athenz-zms-java-client</artifactId>
-            <scope>compile</scope>
-            <exclusions>
-                <!-- Provided by JDisc / container-dev -->
-                <exclusion>
-                    <groupId>org.slf4j</groupId>
-                    <artifactId>slf4j-api</artifactId>
-                </exclusion>
-                <!--Exclude all Jersey bundles provided by JDisc-->
-                <exclusion>
-                    <groupId>org.glassfish.jersey.core</groupId>
-                    <artifactId>jersey-client</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.glassfish.jersey.media</groupId>
-                    <artifactId>jersey-media-json-jackson</artifactId>
-                </exclusion>
-                <!--Exclude all Jackson bundles provided by JDisc -->
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-core</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-databind</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-annotations</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>com.yahoo.athenz</groupId>
-            <artifactId>athenz-zts-java-client</artifactId>
-            <scope>compile</scope>
-            <exclusions>
-                <!-- Provided by JDisc / container-dev -->
-                <exclusion>
-                    <groupId>org.slf4j</groupId>
-                    <artifactId>slf4j-api</artifactId>
-                </exclusion>
-                <!--Exclude all Jackson bundles provided by JDisc -->
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-core</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-databind</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-annotations</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-
         <!-- PROVIDED -->
         <dependency>
             <groupId>com.yahoo.vespa</groupId>
@@ -110,6 +49,30 @@
             <version>${project.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.yahoo.vespa</groupId>
+            <artifactId>vespa-athenz</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15on</artifactId>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+            <scope>compile</scope>
+        </dependency>
 
         <!-- TEST -->
         <dependency>
@@ -130,18 +93,6 @@
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.4.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpcore</artifactId>
-            <version>4.4.1</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-all</artifactId>
             <scope>test</scope>
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentials.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentials.java
index 790a7c54333..36c1aee49e0 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentials.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentials.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentialsService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentialsService.java
index 5786eb9e398..4072568d9d2 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzCredentialsService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzCredentialsService.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yahoo.container.core.identity.IdentityConfig;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImpl.java
index 3b2b065fa8c..18f90ce545f 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImpl.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImpl.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
@@ -9,21 +9,11 @@ import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.defaults.Defaults;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
 
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
+import java.io.File;
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
@@ -63,9 +53,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
     static final String METRICS_UPDATER_TAG = "metrics-updater";
 
 
-    private final AtomicReference<AthenzCredentials> credentials = new AtomicReference<>();
+    private volatile AthenzCredentials credentials;
     private final AtomicReference<Throwable> lastThrowable = new AtomicReference<>();
-    private final CountDownLatch credentialsRetrievedSignal = new CountDownLatch(1);
     private final AthenzCredentialsService athenzCredentialsService;
     private final Scheduler scheduler;
     private final Clock clock;
@@ -97,26 +86,17 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         this.clock = clock;
         this.domain = config.domain();
         this.service = config.service();
-        scheduler.submit(new RegisterInstanceTask());
-        scheduler.schedule(new TimeoutInitialWaitTask(), INITIAL_WAIT_NTOKEN);
-
         metricUpdater = new CertificateExpiryMetricUpdater(metric);
+        registerInstance();
     }
 
-    @Override
-    public String getNToken() {
+    private void registerInstance() {
         try {
-            credentialsRetrievedSignal.await();
-            AthenzCredentials credentialsSnapshot = credentials.get();
-            if (credentialsSnapshot == null) {
-                throw new AthenzIdentityProviderException("Could not retrieve Athenz credentials", lastThrowable.get());
-            }
-            if (isExpired(credentialsSnapshot)) {
-                throw new AthenzIdentityProviderException("Athenz credentials are expired", lastThrowable.get());
-            }
-            return credentialsSnapshot.getNToken();
-        } catch (InterruptedException e) {
-            throw new AthenzIdentityProviderException("Failed to register instance credentials", lastThrowable.get());
+            credentials = athenzCredentialsService.registerInstance();
+            scheduler.schedule(new UpdateCredentialsTask(), UPDATE_PERIOD);
+            scheduler.submit(metricUpdater);
+        } catch (Throwable t) {
+            throw new AthenzIdentityProviderException("Could not retrieve Athenz credentials", t);
         }
     }
 
@@ -131,49 +111,13 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
     }
 
     @Override
-    public SSLContext getSslContext() {
-        try {
-            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-            sslContext.init(createKeyManagersWithServiceCertificate(),
-                        createTrustManagersWithAthenzCa(),
-                        null);
-            return sslContext;
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private KeyManager[] createKeyManagersWithServiceCertificate() {
-        try {
-            credentialsRetrievedSignal.await();
-            KeyStore keyStore = KeyStore.getInstance("JKS");
-            keyStore.load(null);
-            keyStore.setKeyEntry("instance-key",
-                                 credentials.get().getKeyPair().getPrivate(),
-                                 new char[0],
-                                 new Certificate[]{credentials.get().getCertificate()});
-            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            keyManagerFactory.init(keyStore, new char[0]);
-            return keyManagerFactory.getKeyManagers();
-        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
-            throw new RuntimeException(e);
-        } catch (InterruptedException e) {
-            throw new AthenzIdentityProviderException("Failed to register instance credentials", lastThrowable.get());
-        }
-    }
-
-    private static TrustManager[] createTrustManagersWithAthenzCa() {
-        try {
-            KeyStore trustStore = KeyStore.getInstance("JKS");
-            try (FileInputStream in = new FileInputStream(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks"))) {
-                trustStore.load(in, null);
-            }
-            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            trustManagerFactory.init(trustStore);
-            return trustManagerFactory.getTrustManagers();
-        } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
-            throw new RuntimeException(e);
-        }
+    public SSLContext getIdentitySslContext() {
+        return new AthenzSslContextBuilder()
+                .withIdentityCertificate(new AthenzIdentityCertificate(
+                        credentials.getCertificate(),
+                        credentials.getKeyPair().getPrivate()))
+                .withTrustStore(new File(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks")), "JKS")
+                .build();
     }
 
     @Override
@@ -189,56 +133,19 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         return credentials.getCreatedAt().plus(EXPIRES_AFTER).minus(EXPIRATION_MARGIN);
     }
 
-    private class RegisterInstanceTask implements RunnableWithTag {
-
-        private final Duration backoffDelay;
-
-        RegisterInstanceTask() {
-            this(INITIAL_BACKOFF_DELAY);
-        }
-
-        RegisterInstanceTask(Duration backoffDelay) {
-            this.backoffDelay = backoffDelay;
-        }
-
-        @Override
-        public void run() {
-            try {
-                credentials.set(athenzCredentialsService.registerInstance());
-                credentialsRetrievedSignal.countDown();
-                scheduler.schedule(new UpdateCredentialsTask(), UPDATE_PERIOD);
-                scheduler.submit(metricUpdater);
-            } catch (Throwable t) {
-                log.log(LogLevel.ERROR, "Failed to register instance: " + t.getMessage(), t);
-                lastThrowable.set(t);
-                Duration nextBackoffDelay = backoffDelay.multipliedBy(BACKOFF_DELAY_MULTIPLIER);
-                if (nextBackoffDelay.compareTo(MAX_REGISTER_BACKOFF_DELAY) > 0) {
-                    nextBackoffDelay = MAX_REGISTER_BACKOFF_DELAY;
-                }
-                scheduler.schedule(new RegisterInstanceTask(nextBackoffDelay), backoffDelay);
-            }
-        }
-
-        @Override
-        public String tag() {
-            return REGISTER_INSTANCE_TAG;
-        }
-    }
-
     private class UpdateCredentialsTask implements RunnableWithTag {
         @Override
         public void run() {
-            AthenzCredentials currentCredentials = credentials.get();
             try {
-                AthenzCredentials newCredentials = isExpired(currentCredentials)
+                AthenzCredentials newCredentials = isExpired(credentials)
                         ? athenzCredentialsService.registerInstance()
-                        : athenzCredentialsService.updateCredentials(currentCredentials);
-                credentials.set(newCredentials);
+                        : athenzCredentialsService.updateCredentials(credentials);
+                credentials = newCredentials;
                 scheduler.schedule(new UpdateCredentialsTask(), UPDATE_PERIOD);
             } catch (Throwable t) {
                 log.log(LogLevel.WARNING, "Failed to update credentials: " + t.getMessage(), t);
                 lastThrowable.set(t);
-                Duration timeToExpiration = Duration.between(clock.instant(), getExpirationTime(currentCredentials));
+                Duration timeToExpiration = Duration.between(clock.instant(), getExpirationTime(credentials));
                 // NOTE: Update period might be after timeToExpiration, still we do not want to DDoS Athenz.
                 Duration updatePeriod =
                         timeToExpiration.compareTo(UPDATE_PERIOD) > 0 ? UPDATE_PERIOD : REDUCED_UPDATE_PERIOD;
@@ -261,7 +168,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 
         @Override
         public void run() {
-            Instant expirationTime = getExpirationTime(credentials.get());
+            Instant expirationTime = getExpirationTime(credentials);
             Duration remainingLifetime = Duration.between(clock.instant(), expirationTime);
             metric.set(CERTIFICATE_EXPIRY_METRIC_NAME, remainingLifetime.getSeconds(), null);
             scheduler.schedule(this, CERTIFICATE_EXPIRY_METRIC_UPDATE_PERIOD);
@@ -273,18 +180,6 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         }
     }
 
-    private class TimeoutInitialWaitTask implements RunnableWithTag {
-        @Override
-        public void run() {
-            credentialsRetrievedSignal.countDown();
-        }
-
-        @Override
-        public String tag() {
-            return TIMEOUT_INITIAL_WAIT_TAG;
-        }
-    }
-
     private static class ThreadPoolScheduler implements Scheduler {
 
         private static final Logger log = Logger.getLogger(ThreadPoolScheduler.class.getName());
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzService.java
index 898f90e3438..c9e3809ea96 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzService.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtils.java
index 388b40a1fe0..6a766e7c49d 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtils.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.Extension;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/IdentityDocumentService.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/IdentityDocumentService.java
index 7878400964a..8a9137a491d 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/IdentityDocumentService.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/IdentityDocumentService.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.yahoo.vespa.defaults.Defaults;
 import org.apache.http.client.methods.CloseableHttpResponse;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceIdentity.java
index 20bbb2aa67e..d6e986959cb 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceIdentity.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRefreshInformation.java
index dd893cb3143..d0c22d1d0d2 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRefreshInformation.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRefreshInformation.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRegisterInformation.java
index e2355cb7a2d..dd9f164fef1 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/InstanceRegisterInformation.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/SignedIdentityDocument.java
index 5d5b5430859..7bbd49c953f 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/SignedIdentityDocument.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/SignedIdentityDocument.java
@@ -1,5 +1,5 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/package-info.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/package-info.java
index 2d7cbbb6315..1b4842327dd 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/package-info.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/identityprovider/package-info.java
@@ -3,6 +3,6 @@
  * @author mortent
  */
 @ExportPackage
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file
diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImplTest.java
index 1ee23334a16..3a506a39c43 100644
--- a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/AthenzIdentityProviderImplTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/AthenzIdentityProviderImplTest.java
@@ -1,14 +1,16 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import com.yahoo.container.core.identity.IdentityConfig;
 import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
-import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.RunnableWithTag;
-import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.Scheduler;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
+import com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.RunnableWithTag;
+import com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.Scheduler;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.test.ManualClock;
 import org.junit.Test;
 
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -23,15 +25,15 @@ import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.INITIAL_BACKOFF_DELAY;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.INITIAL_WAIT_NTOKEN;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.MAX_REGISTER_BACKOFF_DELAY;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.METRICS_UPDATER_TAG;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.REDUCED_UPDATE_PERIOD;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.REGISTER_INSTANCE_TAG;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.TIMEOUT_INITIAL_WAIT_TAG;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.UPDATE_CREDENTIALS_TAG;
-import static com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl.UPDATE_PERIOD;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.INITIAL_BACKOFF_DELAY;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.INITIAL_WAIT_NTOKEN;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.MAX_REGISTER_BACKOFF_DELAY;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.METRICS_UPDATER_TAG;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.REDUCED_UPDATE_PERIOD;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.REGISTER_INSTANCE_TAG;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.TIMEOUT_INITIAL_WAIT_TAG;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.UPDATE_CREDENTIALS_TAG;
+import static com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl.UPDATE_PERIOD;
 import static org.junit.Assert.assertEquals;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyString;
@@ -46,77 +48,33 @@ public class AthenzIdentityProviderImplTest {
 
     private static final Metric DUMMY_METRIC = new Metric() {
         @Override
-        public void set(String s, Number number, Context context) {}
+        public void set(String s, Number number, Context context) {
+        }
+
         @Override
-        public void add(String s, Number number, Context context) {}
+        public void add(String s, Number number, Context context) {
+        }
+
         @Override
-        public Context createContext(Map<String, ?> stringMap) { return null; }
+        public Context createContext(Map<String, ?> stringMap) {
+            return null;
+        }
     };
 
     private static final IdentityConfig IDENTITY_CONFIG =
             new IdentityConfig(new IdentityConfig.Builder()
                                        .service("tenantService").domain("tenantDomain").loadBalancerAddress("cfg"));
 
-    private final Set<String> IGNORED_TASKS = Stream.of(UPDATE_CREDENTIALS_TAG, METRICS_UPDATER_TAG)
-            .collect(Collectors.toSet());
-
-    @Test
-    public void athenz_credentials_are_retrieved_after_component_contruction_completed() {
-        IdentityDocumentService identityDocumentService = mock(IdentityDocumentService.class);
-        AthenzService athenzService = mock(AthenzService.class);
-        ManualClock clock = new ManualClock(Instant.EPOCH);
-        MockScheduler scheduler = new MockScheduler(clock);
-
-        when(identityDocumentService.getSignedIdentityDocument()).thenReturn(getIdentityDocument());
-        when(athenzService.sendInstanceRegisterRequest(any(), any())).thenReturn(
-                new InstanceIdentity(null, "TOKEN"));
-        AthenzCredentialsService credentialService =
-                new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentService, athenzService, clock);
-
-        AthenzIdentityProvider identityProvider =
-                new AthenzIdentityProviderImpl(IDENTITY_CONFIG, DUMMY_METRIC, credentialService, scheduler, clock);
-
-        List<MockScheduler.CompletedTask> expectedTasks =
-                Arrays.asList(
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, Duration.ZERO),
-                        new MockScheduler.CompletedTask(TIMEOUT_INITIAL_WAIT_TAG, INITIAL_WAIT_NTOKEN));
-        // Don't run update credential tasks, otherwise infinite loop
-        List<MockScheduler.CompletedTask> completedTasks =
-                scheduler.runAllTasks(task -> !IGNORED_TASKS.contains(task.tag()));
-        assertEquals(expectedTasks, completedTasks);
-        assertEquals("TOKEN", identityProvider.getNToken());
-    }
-
-    @Test
-    public void register_instance_uses_exponential_backoff() {
+    @Test (expected = AthenzIdentityProviderException.class)
+    public void component_creation_fails_when_credentials_not_found() {
         AthenzCredentialsService credentialService = mock(AthenzCredentialsService.class);
         when(credentialService.registerInstance())
-                .thenThrow(new RuntimeException("#1"))
-                .thenThrow(new RuntimeException("#2"))
-                .thenThrow(new RuntimeException("#3"))
-                .thenThrow(new RuntimeException("#4"))
-                .thenThrow(new RuntimeException("#5"))
-                .thenReturn(new AthenzCredentials("TOKEN", null, null, null, Instant.now()));
+                .thenThrow(new RuntimeException("athenz unavailable"));
 
         ManualClock clock = new ManualClock(Instant.EPOCH);
         MockScheduler scheduler = new MockScheduler(clock);
         AthenzIdentityProvider identityProvider =
                 new AthenzIdentityProviderImpl(IDENTITY_CONFIG, DUMMY_METRIC, credentialService, scheduler, clock);
-
-        List<MockScheduler.CompletedTask> expectedTasks =
-                Arrays.asList(
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, Duration.ZERO),
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY),
-                        new MockScheduler.CompletedTask(TIMEOUT_INITIAL_WAIT_TAG, INITIAL_WAIT_NTOKEN),
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY.multipliedBy(2)),
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY.multipliedBy(4)),
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, INITIAL_BACKOFF_DELAY.multipliedBy(8)),
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, MAX_REGISTER_BACKOFF_DELAY));
-        // Don't run update credential tasks, otherwise infinite loop
-        List<MockScheduler.CompletedTask> completedTasks =
-                scheduler.runAllTasks(task -> !IGNORED_TASKS.contains(task.tag()));
-        assertEquals(expectedTasks, completedTasks);
-        assertEquals("TOKEN", identityProvider.getNToken());
     }
 
     @Test
@@ -125,6 +83,7 @@ public class AthenzIdentityProviderImplTest {
         AthenzService athenzService = mock(AthenzService.class);
         ManualClock clock = new ManualClock(Instant.EPOCH);
         MockScheduler scheduler = new MockScheduler(clock);
+        X509Certificate x509Certificate = mock(X509Certificate.class);
 
         when(identityDocumentService.getSignedIdentityDocument()).thenReturn(getIdentityDocument());
         when(athenzService.sendInstanceRegisterRequest(any(), any())).thenReturn(
@@ -143,8 +102,6 @@ public class AthenzIdentityProviderImplTest {
 
         List<MockScheduler.CompletedTask> expectedTasks =
                 Arrays.asList(
-                        new MockScheduler.CompletedTask(REGISTER_INSTANCE_TAG, Duration.ZERO),
-                        new MockScheduler.CompletedTask(TIMEOUT_INITIAL_WAIT_TAG, INITIAL_WAIT_NTOKEN),
                         new MockScheduler.CompletedTask(UPDATE_CREDENTIALS_TAG, UPDATE_PERIOD),
                         new MockScheduler.CompletedTask(UPDATE_CREDENTIALS_TAG, UPDATE_PERIOD),
                         new MockScheduler.CompletedTask(UPDATE_CREDENTIALS_TAG, REDUCED_UPDATE_PERIOD),
@@ -153,9 +110,8 @@ public class AthenzIdentityProviderImplTest {
         AtomicInteger counter = new AtomicInteger(0);
         List<MockScheduler.CompletedTask> completedTasks =
                 scheduler.runAllTasks(task -> !task.tag().equals(METRICS_UPDATER_TAG) &&
-                        counter.getAndIncrement() < expectedTasks.size());
+                                              counter.getAndIncrement() < expectedTasks.size());
         assertEquals(expectedTasks, completedTasks);
-        assertEquals("TOKEN", identityProvider.getNToken());
     }
 
     private static String getIdentityDocument() {
@@ -232,7 +188,7 @@ public class AthenzIdentityProviderImplTest {
                 if (o == null || getClass() != o.getClass()) return false;
                 CompletedTask that = (CompletedTask) o;
                 return Objects.equals(tag, that.tag) &&
-                        Objects.equals(delay, that.delay);
+                       Objects.equals(delay, that.delay);
             }
 
             @Override
@@ -243,9 +199,9 @@ public class AthenzIdentityProviderImplTest {
             @Override
             public String toString() {
                 return "CompletedTask{" +
-                        "tag='" + tag + '\'' +
-                        ", delay=" + delay +
-                        '}';
+                       "tag='" + tag + '\'' +
+                       ", delay=" + delay +
+                       '}';
             }
         }
     }
diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtilsTest.java
index dc9690355e8..0412b9071dd 100644
--- a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtilsTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/identityprovider/CryptoUtilsTest.java
@@ -1,5 +1,5 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.container.jdisc.athenz.impl;
+package com.yahoo.vespa.hosted.athenz.identityprovider;
 
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.junit.Test;
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java
index 0368f7eaf3e..640a85d9b50 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/IdentityProvider.java
@@ -5,14 +5,13 @@ import com.yahoo.config.provision.AthenzDomain;
 import com.yahoo.config.provision.AthenzService;
 import com.yahoo.config.provision.HostName;
 import com.yahoo.container.core.identity.IdentityConfig;
-import com.yahoo.container.jdisc.athenz.impl.AthenzIdentityProviderImpl;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
 
 /**
  * @author mortent
  */
 public class IdentityProvider extends SimpleComponent implements IdentityConfig.Producer {
-    public static final String CLASS = AthenzIdentityProviderImpl.class.getName();
+    public static final String CLASS = "com.yahoo.vespa.hosted.athenz.identityprovider.AthenzIdentityProviderImpl";
 
     private final AthenzDomain domain;
     private final AthenzService service;
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java b/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java
new file mode 100644
index 00000000000..26c71686a82
--- /dev/null
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/Ckms.java
@@ -0,0 +1,14 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.container.jdisc;
+
+/**
+ * @author mortent
+ */
+public interface Ckms {
+    /** Returns the secret for this key */
+    String getSecret(String key);
+
+    /** Returns the secret for this key and version */
+    String getSecret(String key, int version);
+}
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
index c4c57f4bc47..b7190927d11 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
@@ -7,8 +7,7 @@ import javax.net.ssl.SSLContext;
  * @author mortent
  */
 public interface AthenzIdentityProvider {
-    String getNToken() throws AthenzIdentityProviderException;
     String getDomain();
     String getService();
-    SSLContext getSslContext();
+    SSLContext getIdentitySslContext();
 }
diff --git a/parent/pom.xml b/parent/pom.xml
index ccbe34841fc..cbcc218b27d 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -707,7 +707,7 @@
         <aries.util.version>1.0.0</aries.util.version>
         <asm-debug-all.version>5.0.3</asm-debug-all.version>
         <!-- Athenz dependencies. Make sure these dependencies matches those in Vespa's internal repositories -->
-        <athenz.version>1.7.41</athenz.version>
+        <athenz.version>1.7.43</athenz.version>
         <bouncycastle.version>1.58</bouncycastle.version>
         <commons-lang.version>2.6</commons-lang.version>
         <!-- WARNING: If you change curator version, you also need to update
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
new file mode 100644
index 00000000000..c050ddce2c6
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -0,0 +1,51 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identity;
+
+import com.yahoo.athenz.auth.util.Crypto;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzIdentityCertificate;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
+
+import javax.net.ssl.SSLContext;
+import java.io.File;
+import java.nio.file.Paths;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * @author mortent
+ */
+public class SiaIdentityProvider implements AthenzIdentityProvider {
+
+    private final AthenzDomain domain;
+    private final AthenzService service;
+    private final String path;
+
+    public SiaIdentityProvider(SiaProviderConfig siaProviderConfig) {
+        this.domain = new AthenzDomain(siaProviderConfig.athenzDomain());
+        this.service = new AthenzService(domain, siaProviderConfig.athenzService());
+        this.path = siaProviderConfig.keyPathPrefix();
+    }
+
+    @Override
+    public String getDomain() {
+        return domain.getName();
+    }
+
+    @Override
+    public String getService() {
+        return service.getName();
+    }
+
+    @Override
+    public SSLContext getIdentitySslContext() {
+        X509Certificate certificate = Crypto.loadX509Certificate(Paths.get(path, "certs", String.format("%s.%s.cert.pem", getDomain(),getService())).toFile());
+        PrivateKey privateKey = Crypto.loadPrivateKey(Paths.get(path, "keys", String.format("%s.%s.key.pem", getDomain(),getService())).toFile());
+
+        return new AthenzSslContextBuilder()
+                .withIdentityCertificate(new AthenzIdentityCertificate(certificate, privateKey))
+                .build();
+    }
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java
new file mode 100644
index 00000000000..da31e72a1fa
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/package-info.java
@@ -0,0 +1,8 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+/**
+ * @author mortent
+ */
+@ExportPackage
+package com.yahoo.vespa.athenz.identity;
+
+import com.yahoo.osgi.annotation.ExportPackage;
\ No newline at end of file
diff --git a/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def b/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
new file mode 100644
index 00000000000..f668ef544f7
--- /dev/null
+++ b/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
@@ -0,0 +1,6 @@
+# Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+namespace=vespa.athenz.identity
+
+athenzDomain string
+athenzService string
+keyPathPrefix string