PingAccess

Adding an AWS CloudHSM provider

Add an Amazon Web Services (AWS) CloudHSM provider to begin using hardware security module (HSM)-stored key pairs in PingAccess.

Before you begin

  • Configure your hardware security module. For more information, see the Amazon documentation.

  • Download the AWS CloudHSM software library for Java version 3.1.2, install it, and move the Cloudhsm-3.1.2.jar file from the /opt/cloudhsm/java/ directory to the deploy directory on the PingAccess system. For more information, see the Install and Use the AWS CloudHSM Software Library for Java procedure. If 3.1.2 is not the latest version of CloudHSM, you can download it from the Client and Software Version History.

  • Verify that you are using Oracle Java SE Runtime Environment (Server JRE) 8.

  • Verify that your PingAccess deployment is running in the same AWS EC2 instance as the CloudHSM client.

Steps

  1. Click Security and then go to HSM Providers.

  2. Click Add HSM Provider.

  3. In the Name field, enter a name for the HSM provider.

  4. From the Type list, select AWS CloudHSM Provider.

  5. In the User field, enter a user name for connecting to the HSM provider.

  6. In the Password field, enter a password for connecting to the HSM provider.

  7. Optional: In the Partition field, enter the partition to use on the HSM provider.

  8. Click Save.

  9. Restart PingAccess.

    The following are known issues:

    • RSASSA-PSS signing algorithms fail with Java 8u261 or later, because HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm.

    • PingAccess CloudHSM functionality works in FIPS mode but not in regular mode with Java 8u261 and later.

    To work around these known issues, edit the additional.security.jdk.tls.disabledAlgorithms property in the run.properties file so that it disables RSASSA-PSS and TLSv1.3, as in the following example:

    additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3
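The run.properties edit above is a plain key=value change, but an existing additional.security.jdk.tls.disabledAlgorithms line must be replaced rather than duplicated, since a second copy of the key would silently override the first. The script below is an added example, not PingAccess's own tooling, of setting a property idempotently in a Java-style .properties file and reading it back; the sample file content and the temporary path it writes to are constructed for the demonstration, and on a real installation the target is the run.properties file under the PingAccess conf directory (path assumed, not taken from this page).

```shell
#!/bin/sh
# Added example (not part of PingAccess): idempotent key=value editing for a
# Java-style .properties file, used here for the CloudHSM known-issue workaround.

# set_property FILE KEY VALUE
# Replaces the line that starts with "KEY=" if present, otherwise appends it.
# The match is a literal prefix test (awk index), so dots in the key are not
# treated as regex metacharacters. The file is rewritten atomically via mv.
set_property() {
  file=$1
  key=$2
  value=$3
  [ -f "$file" ] || : > "$file"
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0 }
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_property FILE KEY
# Prints the value of the first "KEY=" line (everything after the first '=').
get_property() {
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# Demonstration on a constructed properties file in a temporary location.
# The two existing lines are sample content, not a real PingAccess configuration.
demo_file=$(mktemp)
printf 'pa.port=3000\nadditional.security.jdk.tls.disabledAlgorithms=SSLv3\n' > "$demo_file"

# Apply the workaround from the page: disable RSASSA-PSS and TLSv1.3.
set_property "$demo_file" additional.security.jdk.tls.disabledAlgorithms "RSASSA-PSS, TLSv1.3"

echo "disabledAlgorithms is now: $(get_property "$demo_file" additional.security.jdk.tls.disabledAlgorithms)"
echo "lines carrying that key: $(grep -c '^additional.security.jdk.tls.disabledAlgorithms=' "$demo_file")"
rm -f "$demo_file"
```

Running it twice against the same file leaves exactly one disabledAlgorithms line, which is the property you want to confirm before restarting PingAccess in step 9.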