Setting up a new installation of AWS CloudHSM
Before you begin
-
Configure your hardware security module. You must have a AWS CloudHSM cluster to complete step 3. For more information, see the Amazon documentation.
-
Ensure that Java 8 or 11 is installed on the PingAccess server. For more information on how to set up a Java Runtime Environment (JRE), see Installing PingAccess on your system. Make sure that you use a non-Oracle version of Java (such as Corretto), and if you use JDK 11, make sure that you use 11.0.16 or later.
-
PingAccess must be deployed on an operating system that AWS CloudHSM supports. See System requirements in the PingAccess documentation and Supported platforms for the client SDKs in the AWS CloudHSM documentation for a list of mutually supported operating systems.
About this task
To set up a new installation of AWS CloudHSM Client SDK 5 and integrate it with PingAccess:
Steps
-
Request a crypto user (CU) account from your AWS CloudHSM administrator.
You will need to reference your username and password for this account during steps 4-5 of Adding an AWS CloudHSM provider. PingAccess uses this information to establish a connection with AWS CloudHSM.
-
Install and configure the AWS CloudHSM Java Cryptography Extension (JCE) provider for Client SDK 5.
For more information, see Install and use the AWS CloudHSM JCE provider for Client SDK 5 in the AWS CloudHSM documentation.
You can’t install the JCE provider if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.
-
Connect the Client SDK to the AWS CloudHSM cluster.
For more information on how to connect the Client SDK, see .aws.amazon.com/cloudhsm/latest/userguide/cluster-connect.html//[Bootstrap the Client SDK] in the AWS CloudHSM documentation. Use the JCE provider tab.
-
Run the appropriate command for your operating system to ensure that keys are available to use.
You must complete this step even if you don’t plan to use a cluster containing multiple HSMs.
Choose from:
-
On Linux operating systems, run the
sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check
command. -
On Windows operating systems, run the
C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --disable-key-availability-check
command.
-
-
If you plan to use elliptic curve (EC) keys for decryption, run the appropriate command for your operating system.
Choose from:
-
On Linux operating systems, run the
sudo /opt/cloudhsm/bin/configure-jce --enable-ecdh-without-kdf
command. -
On Windows operating systems, run the
C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --enable-ecdh-without-kdf
command.
-
-
Configure a new PingAccess installation on the network interconnected to the HSM.
For more information on how to install PingAccess, see Installing PingAccess on your system.
To integrate an existing PingAccess installation with your HSM, skip this step and proceed to step 7 instead.
-
To enable the Java interface and PingAccess integration, copy the
cloudhsm-jce-5.x.0.jar
file to thepingaccess/deploy
directory.-
On Linux operating systems, the file location is
/opt/cloudhsm/java/cloudhsm-jce-5.x.0.jar
. -
On Windows operating systems, the file location is
C:\Program Files\Amazon\CloudHSM\java\cloudhsm-jce-5.x.0.jar
.
-
Next steps
Return to Adding an AWS CloudHSM provider to finish setting up an AWS CloudHSM provider in the administrative console.