---
title: Adding an AWS CloudHSM provider
description: To use hardware security module (HSM)-stored key pairs in PingAccess, add an Amazon Web Services (AWS) CloudHSM provider in the PingAccess administrative console.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_an_aws_cloudhsm_provider
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_an_aws_cloudhsm_provider.html
revdate: June 16, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  troubleshooting: Troubleshooting
  next-steps: Next steps
  setting-up-a-new-installation-of-aws-cloudhsm: Setting up a new installation of AWS CloudHSM
  before-you-begin-2: Before you begin
  steps-2: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
  next-steps-2: Next steps
  upgrading-from-client-sdk-3-to-client-sdk-5: Upgrading from Client SDK 3 to Client SDK 5
  about-this-task-2: About this task
  steps-3: Steps
  result: Result
---

# Adding an AWS CloudHSM provider

To use hardware security module (HSM)-stored key pairs in PingAccess, add an Amazon Web Services (AWS) CloudHSM provider in the PingAccess administrative console. An HSM is a dedicated cryptographic processor designed to manage and protect digital keys; HSMs act as trust anchors that protect the cryptographic key lifecycle by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

## Before you begin

PingAccess 7.3 and later no longer support AWS CloudHSM Client SDK 3.

* If you're upgrading the CloudHSM Client SDK from 3.x to 5.x, see [Upgrading from Client SDK 3 to Client SDK 5](pa_upgrading_from_sdk3_to_sdk5.html) before trying to add a CloudHSM provider in the PingAccess administrative console.

* If you are creating a new installation of AWS CloudHSM Client SDK 5, see [Setting up a new installation of AWS CloudHSM](pa_installing_cloudhsm_initially.html) before trying to add a CloudHSM provider in the PingAccess administrative console.

> **Note:** Follow these steps to set up Client SDK 5 and integrate it with PingAccess even if you're just upgrading the Client SDK from 3.x to 5.x. Client SDK 5 no longer uses a client daemon. This changes the steps necessary to set up an AWS CloudHSM provider because the client process no longer runs separately from PingAccess.

## About this task

To add an AWS CloudHSM provider in the PingAccess administrative console:

## Steps

1. In PingAccess, go to **Security → HSM Providers** and click **+ Add HSM Provider**.

2. In the **Name** field, enter a name for the HSM provider.

3. In the **Type** list, select **AWS CloudHSM Provider**.

4. In the **User** field, enter the username used to connect to the HSM provider.

5. In the **Password** field, enter the password used to connect to the HSM provider.

6. **Optional:** In the **Partition** field, enter the partition to use on the HSM provider.

7. Click **Save**.

8. Restart PingAccess.

## Troubleshooting

PingAccess 7.3 and later contain a workaround to bypass the following known issues by default:

1. `RSASSA-PSS` signing algorithms fail with `Java8u261` or later. HSM vendors and core Java use different naming conventions for the `RSASSA-PSS` algorithm.

2. PingAccess Cloud HSM functionality works in FIPS mode but not in regular mode for `Java8u261` and later.

If you experience either of these known issues, you can edit the `additional.security.jdk.tls.disabledAlgorithms` property in the `run.properties` file to bypass them. For more information, see the following example:

```
additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3
```
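As an added example (not part of the PingAccess documentation), the following POSIX shell helper sets the `additional.security.jdk.tls.disabledAlgorithms` property in `run.properties` without leaving a duplicate line behind, which matters because Java takes the last occurrence of a repeated key and a stale line is easy to overlook. It assumes a plain `key=value` properties file and runs its demo on a constructed file, not a real installation.

```shell
#!/bin/sh
# Idempotently set a key in a Java-style properties file such as PingAccess's run.properties:
# replace an existing "key=value" line or append one, so the key never appears twice.
set_run_property() {
  file="$1" key="$2" value="$3"
  # Escape the dots in the key so they match literally in the grep/sed patterns.
  pat=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -q "^${pat}=" "$file"; then
    # Replace in place. The value must not contain '|' or '&' (sed replacement metacharacters).
    sed -i.bak "s|^${pat}=.*|${key}=${value}|" "$file" && rm -f "${file}.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Print the current value of a key (empty output if it is not set).
get_run_property() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^${pat}=||p" "$1"
}

# Demo on a constructed run.properties (not a real PingAccess file): the property
# already exists with only TLSv1.3, and is updated to the page's workaround value.
demo=$(mktemp)
printf 'pa.admin.port=9000\nadditional.security.jdk.tls.disabledAlgorithms=TLSv1.3\n' > "$demo"
set_run_property "$demo" additional.security.jdk.tls.disabledAlgorithms 'RSASSA-PSS, TLSv1.3'
cat "$demo"
rm -f "$demo"
```

Restart PingAccess after editing `run.properties`, as the file is only read at startup.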

## Next steps

Begin creating and assigning [key pairs](pa_key_pairs.html). For more information on creating key pairs, see [Generating new key pairs](pa_generating_new_key_pairs.html) or [Importing existing key pairs](pa_importing_existing_key_pairs.html).

## Setting up a new installation of AWS CloudHSM

### Before you begin

* Configure your hardware security module. You must have an AWS CloudHSM cluster to complete step 3. Learn more in the [Amazon documentation](https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html).

* Ensure that a supported Java version is installed on the PingAccess server.

  You can find more information on how to set up a Java Runtime Environment (JRE), the software layer that provides the class libraries and resources a Java program needs to run, in [Installing PingAccess on your system](../installing_and_uninstalling_pingaccess/pa_installing_pa_on_your_system.html). Make sure that you use a non-Oracle version of Java (such as Corretto).

* You must deploy PingAccess on an operating system that AWS CloudHSM supports. You can find mutually supported operating systems by referring to [System requirements](../installing_and_uninstalling_pingaccess/pa_installation_requirements.html#system-reqs) in the PingAccess documentation and [Supported platforms for the client SDKs](https://docs.aws.amazon.com/cloudhsm/latest/userguide/client-supported-platforms.html) in the AWS CloudHSM documentation.

To set up a new installation of AWS CloudHSM Client SDK 5 and integrate it with PingAccess:

### Steps

1. Request a crypto user (CU) account from your AWS CloudHSM administrator.

   > **Note:** You will need to reference your username and password for this account during steps 4 and 5 of [Adding an AWS CloudHSM provider](pa_adding_an_aws_cloudhsm_provider.html). PingAccess uses this information to establish a connection with AWS CloudHSM.

2. Install and configure the AWS CloudHSM Java Cryptography Extension (JCE) provider for Client SDK 5.

   Learn more in [Install and use the AWS CloudHSM JCE provider for Client SDK 5](https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library-install_5.html) in the AWS CloudHSM documentation.

   > **Note:** You can't install the JCE provider if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you're upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.

3. Connect the Client SDK to the AWS CloudHSM cluster.

   You can find more information on how to connect the Client SDK in [Bootstrap the Client SDK](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cluster-connect.html#connect-how-to) in the AWS CloudHSM documentation. Use the **JCE provider** tab.

4. Run the appropriate command for your operating system to ensure that keys are available to use.

   > **Note:** You must complete this step even if you don't plan to use a cluster containing multiple HSMs.

   #### Choose from:

   * On Linux operating systems, run the `sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check` command.

   * On Windows operating systems, run the `C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --disable-key-availability-check` command.

5. If you plan to use elliptic curve (EC) keys for decryption, run the appropriate command for your operating system.

   #### Choose from:

   * On Linux operating systems, run the `sudo /opt/cloudhsm/bin/configure-jce --enable-ecdh-without-kdf` command.

   * On Windows operating systems, run the `C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --enable-ecdh-without-kdf` command.

6. Configure a new PingAccess installation on the network interconnected to the HSM.

   You can find more information on how to install PingAccess in [Installing PingAccess on your system](../installing_and_uninstalling_pingaccess/pa_installing_pa_on_your_system.html).

   > **Note:** To integrate an existing PingAccess installation with your HSM, skip this step and proceed to step 7 instead.

7. To enable the Java interface and PingAccess integration, copy the `cloudhsm-jce-5.x.0.jar` file to the `pingaccess/deploy` directory.

   > **Note:** The file location depends on the operating system:
   >
   > * On Linux operating systems, the file location is `/opt/cloudhsm/java/cloudhsm-jce-5.x.0.jar`.
   > * On Windows operating systems, the file location is `C:\Program Files\Amazon\CloudHSM\java\cloudhsm-jce-5.x.0.jar`.

### Next steps

Return to [Adding an AWS CloudHSM provider](pa_adding_an_aws_cloudhsm_provider.html) to finish setting up an AWS CloudHSM provider in the admin console.

## Upgrading from Client SDK 3 to Client SDK 5

### About this task

Upgrading from Client SDK 3 to Client SDK 5 requires a running source version of PingAccess that you plan to upgrade to a target version of PingAccess 7.3 or later.

To upgrade the AWS CloudHSM Client SDK from 3.x to 5.x to integrate it with a target version of PingAccess 7.3 or later:

### Steps

1. Ensure that the source version of PingAccess, the version you are upgrading from to reach version 7.3 or later, is running.

   > **Note:** Do not stop this source version of PingAccess until step 7.

2. Stop the CloudHSM 3 standalone client with the `sudo service cloudhsm-client stop` command.

3. Move or delete the `/opt/cloudhsm` file.

   > **Note:** You can't complete step 4 if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.

4. Install the JCE 5 client.

   For more information, see [Install and use the AWS CloudHSM JCE provider for Client SDK 5](https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-library-install_5.html) in the AWS CloudHSM documentation.

5. Copy the `cloudhsm-5.x.0.jar` file into the `pingaccess/deploy` directory of the target version of PingAccess that you plan to upgrade to.

6. Run the PingAccess upgrade.

   For more information, see [Upgrading PingAccess](../upgrading_pingaccess/pa_upgrading_pa_landing_topic.html).

7. Stop the source version of PingAccess.

   For more information, see [Stopping PingAccess](../installing_and_uninstalling_pingaccess/pa_stopping_pa.html).
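Step 5 above and step 7 of the new-installation procedure both copy the SDK 5 JCE jar into `pingaccess/deploy`. As an added example (not PingAccess or AWS tooling), the following POSIX shell helper performs that copy with preflight checks; it assumes the `cloudhsm-jce-5.x.0.jar` file name from the new-installation procedure, and the refusal to leave two different CloudHSM JCE jars in `deploy` and the byte-for-byte verification are defensive additions made here, not steps from the documentation.

```shell
#!/bin/sh
# Copy the AWS CloudHSM Client SDK 5 JCE jar into <pingaccess>/deploy after checking that:
#  - the file is named like cloudhsm-jce-5.<minor>.0.jar (the SDK 5 JCE artifact);
#  - the jar and the deploy directory exist;
#  - no different cloudhsm-jce jar is already deployed (two provider versions on the
#    classpath is a misconfiguration worth stopping before PingAccess is restarted);
#  - the copy matches the source byte for byte.
deploy_cloudhsm_jce() {
  pa_home="$1" jar="$2"
  deploy="${pa_home}/deploy"
  name=$(basename "$jar")
  case "$name" in
    cloudhsm-jce-5.*.jar) ;;
    *) echo "refusing '$name': expected a cloudhsm-jce-5.x.0.jar (Client SDK 5) file" >&2; return 1 ;;
  esac
  [ -f "$jar" ] || { echo "jar not found: $jar" >&2; return 1; }
  [ -d "$deploy" ] || { echo "deploy directory not found: $deploy" >&2; return 1; }
  for existing in "$deploy"/cloudhsm-jce-*.jar; do
    [ -e "$existing" ] || continue   # the glob matched nothing
    if [ "$(basename "$existing")" != "$name" ]; then
      echo "another CloudHSM JCE jar is already deployed: $existing; remove it first" >&2
      return 1
    fi
  done
  cp "$jar" "$deploy/$name" || return 1
  cmp -s "$jar" "$deploy/$name" || { echo "copy verification failed for $name" >&2; return 1; }
  echo "deployed $name to $deploy"
}

# Usage: sh deploy_jce.sh /opt/pingaccess /opt/cloudhsm/java/cloudhsm-jce-5.x.0.jar
# (paths are placeholders; adjust to your installation).
if [ $# -eq 2 ]; then
  deploy_cloudhsm_jce "$1" "$2"
fi
```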

### Result

You have upgraded to your target version of PingAccess and integrated AWS CloudHSM Client SDK 5 with it.
