PingAccess

Adding an AWS CloudHSM provider

To use hardware security module (HSM)-stored key pairs in PingAccess, add an Amazon Web Services (AWS) CloudHSM provider in the PingAccess administrative console.

Before you begin

PingAccess 7.3 and later no longer support AWS CloudHSM Client SDK 3.

Follow these steps to set up Client SDK 5 and integrate it with PingAccess even if you’re just upgrading the Client SDK from 3.x to 5.x. Client SDK 5 no longer uses a client daemon. This changes the steps necessary to set up an AWS CloudHSM provider because the client process doesn’t run separately from PingAccess anymore.

About this task

To add an AWS CloudHSM provider in the PingAccess administrative console:

Steps

  1. In PingAccess, go to Security → HSM Providers, and click Add HSM Provider.

  2. In the Name field, enter a name for the HSM provider.

  3. In the Type list, select AWS CloudHSM Provider.

  4. In the User field, enter a username used to connect to the HSM provider.

  5. In the Password field, enter a password used to connect to the HSM provider.

  6. Optional: In the Partition field, enter the partition to use on the HSM provider.

  7. Click Save.

  8. Restart PingAccess.

Troubleshooting

PingAccess 7.3 and later contain a workaround to bypass the following known issues by default:

  1. RSASSA-PSS signing algorithms fail with Java8u261 or later. HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm.

  2. PingAccess Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later.

If you experience either of these known issues, you can edit the additional.security.jdk.tls.disabledAlgorithms property in the run.properties file to bypass them. For more information, see the following example:

additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3

Next steps

Begin creating and assigning key pairs. For more information on creating key pairs, see Generating new key pairs or Importing existing key pairs.

Setting up a new installation of AWS CloudHSM

Before you begin

  • Configure your hardware security module. You must have a AWS CloudHSM cluster to complete step 3. For more information, see the Amazon documentation.

  • Ensure that Java 8 or 11 is installed on the PingAccess server. For more information on how to set up a Java Runtime Environment (JRE), see Installing PingAccess on your system. Make sure that you use a non-Oracle version of Java (such as Corretto), and if you use JDK 11, make sure that you use 11.0.16 or later.

  • PingAccess must be deployed on an operating system that AWS CloudHSM supports. See System requirements in the PingAccess documentation and Supported platforms for the client SDKs in the AWS CloudHSM documentation for a list of mutually supported operating systems.

About this task

To set up a new installation of AWS CloudHSM Client SDK 5 and integrate it with PingAccess:

Steps

  1. Request a crypto user (CU) account from your AWS CloudHSM administrator.

    You will need to reference your username and password for this account during steps 4-5 of Adding an AWS CloudHSM provider. PingAccess uses this information to establish a connection with AWS CloudHSM.

  2. Install and configure the AWS CloudHSM Java Cryptography Extension (JCE) provider for Client SDK 5.

    For more information, see Install and use the AWS CloudHSM JCE provider for Client SDK 5 in the AWS CloudHSM documentation.

    You can’t install the JCE provider if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.

  3. Connect the Client SDK to the AWS CloudHSM cluster.

    For more information on how to connect the Client SDK, see Bootstrap the Client SDK in the AWS CloudHSM documentation. Use the JCE provider tab.

  4. Run the appropriate command for your operating system to ensure that keys are available to use.

    You must complete this step even if you don’t plan to use a cluster containing multiple HSMs.

    Choose from:

    • On Linux operating systems, run the sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check command.

    • On Windows operating systems, run the C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --disable-key-availability-check command.

  5. If you plan to use elliptic curve (EC) keys for decryption, run the appropriate command for your operating system.

    Choose from:

    • On Linux operating systems, run the sudo /opt/cloudhsm/bin/configure-jce --enable-ecdh-without-kdf command.

    • On Windows operating systems, run the C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --enable-ecdh-without-kdf command.

  6. Configure a new PingAccess installation on the network interconnected to the HSM.

    For more information on how to install PingAccess, see Installing PingAccess on your system.

    To integrate an existing PingAccess installation with your HSM, skip this step and proceed to step 7 instead.

  7. To enable the Java interface and PingAccess integration, copy the cloudhsm-jce-5.x.0.jar file to the pingaccess/deploy directory.

    • On Linux operating systems, the file location is /opt/cloudhsm/java/cloudhsm-jce-5.x.0.jar.

    • On Windows operating systems, the file location is C:\Program Files\Amazon\CloudHSM\java\cloudhsm-jce-5.x.0.jar.

Next steps

Return to Adding an AWS CloudHSM provider to finish setting up an AWS CloudHSM provider in the administrative console.

Upgrading from Client SDK 3 to Client SDK 5

About this task

Upgrading from Client SDK 3 to Client SDK 5 requires you to have a source version of PingAccess that you plan to upgrade to or past a target version of PingAccess 7.3 or later.

To upgrade the AWS CloudHSM Client SDK from 3.x to 5.x to integrate it with a target version of PingAccess 7.3 or later:

Steps

  1. Ensure that the source version of PingAccess that you plan to upgrade to or past version 7.3 is running.

    Do not stop this source version of PingAccess until step 7.

  2. Stop the CloudHSM 3 standalone client with the sudo service cloudhsm-client stop command.

  3. Move or delete the /opt/cloudhsm file.

    You can’t complete step 4 if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.

  4. Install the JCE 5 client.

    For more information, see Install and use the AWS CloudHSM JCE provider for Client SDK 5 in the AWS CloudHSM documentation.

  5. Copy the cloudhsm-5.x.0.jar file into the pingaccess/deploy directory of the target version of PingAccess that you plan to upgrade to.

  6. Run the PingAccess upgrade.

    For more information, see Upgrading PingAccess.

  7. Stop the source version of PingAccess.

    For more information, see Stopping PingAccess.

Result

You have upgraded to your target version of PingAccess and integrated AWS CloudHSM Client SDK 5 with it.