Adding an AWS CloudHSM provider
To use hardware security module (HSM)-stored key pairs in PingAccess, add an Amazon Web Services (AWS) CloudHSM provider in the PingAccess administrative console.
Before you begin
PingAccess 7.3 and later no longer support AWS CloudHSM Client SDK 3.
-
If you’re upgrading the CloudHSM Client SDK from 3.x to 5.x, see Upgrading from Client SDK 3 to Client SDK 5 before trying to add a CloudHSM provider in the PingAccess administrative console.
-
If you are creating a new installation of AWS CloudHSM Client SDK 5, see Setting up a new installation of AWS CloudHSM before trying to add a CloudHSM provider in the PingAccess administrative console.
Follow these steps to set up Client SDK 5 and integrate it with PingAccess even if you’re just upgrading the Client SDK from 3.x to 5.x. Client SDK 5 no longer uses a client daemon. This changes the steps necessary to set up an AWS CloudHSM provider because the client process doesn’t run separately from PingAccess anymore. |
About this task
To add an AWS CloudHSM provider in the PingAccess administrative console:
Steps
-
In PingAccess, go to Security → HSM Providers, and click Add HSM Provider.
-
In the Name field, enter a name for the HSM provider.
-
In the Type list, select AWS CloudHSM Provider.
-
In the User field, enter a username used to connect to the HSM provider.
-
In the Password field, enter a password used to connect to the HSM provider.
-
Optional: In the Partition field, enter the partition to use on the HSM provider.
-
Click Save.
-
Restart PingAccess.
Troubleshooting
PingAccess 7.3 and later contain a workaround to bypass the following known issues by default:
-
RSASSA-PSS
signing algorithms fail withJava8u261
or later. HSM vendors and core Java use different naming conventions for theRSASSA-PSS
algorithm. -
PingAccess Cloud HSM functionality works in FIPS mode but not in regular mode for
Java8u261
and later.
If you experience either of these known issues, you can edit the additional.security.jdk.tls.disabledAlgorithms
property in the run.properties
file to bypass them. For more information, see the following example:
additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3
Next steps
Begin creating and assigning key pairs. For more information on creating key pairs, see Generating new key pairs or Importing existing key pairs.
Setting up a new installation of AWS CloudHSM
Before you begin
-
Configure your hardware security module. You must have a AWS CloudHSM cluster to complete step 3. For more information, see the Amazon documentation.
-
Ensure that Java 8 or 11 is installed on the PingAccess server. For more information on how to set up a Java Runtime Environment (JRE), see Installing PingAccess on your system. Make sure that you use a non-Oracle version of Java (such as Corretto), and if you use JDK 11, make sure that you use 11.0.16 or later.
-
PingAccess must be deployed on an operating system that AWS CloudHSM supports. See System requirements in the PingAccess documentation and Supported platforms for the client SDKs in the AWS CloudHSM documentation for a list of mutually supported operating systems.
About this task
To set up a new installation of AWS CloudHSM Client SDK 5 and integrate it with PingAccess:
Steps
-
Request a crypto user (CU) account from your AWS CloudHSM administrator.
You will need to reference your username and password for this account during steps 4-5 of Adding an AWS CloudHSM provider. PingAccess uses this information to establish a connection with AWS CloudHSM.
-
Install and configure the AWS CloudHSM Java Cryptography Extension (JCE) provider for Client SDK 5.
For more information, see Install and use the AWS CloudHSM JCE provider for Client SDK 5 in the AWS CloudHSM documentation.
You can’t install the JCE provider if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.
-
Connect the Client SDK to the AWS CloudHSM cluster.
For more information on how to connect the Client SDK, see Bootstrap the Client SDK in the AWS CloudHSM documentation. Use the JCE provider tab.
-
Run the appropriate command for your operating system to ensure that keys are available to use.
You must complete this step even if you don’t plan to use a cluster containing multiple HSMs.
Choose from:
-
On Linux operating systems, run the
sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check
command. -
On Windows operating systems, run the
C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --disable-key-availability-check
command.
-
-
If you plan to use elliptic curve (EC) keys for decryption, run the appropriate command for your operating system.
Choose from:
-
On Linux operating systems, run the
sudo /opt/cloudhsm/bin/configure-jce --enable-ecdh-without-kdf
command. -
On Windows operating systems, run the
C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --enable-ecdh-without-kdf
command.
-
-
Configure a new PingAccess installation on the network interconnected to the HSM.
For more information on how to install PingAccess, see Installing PingAccess on your system.
To integrate an existing PingAccess installation with your HSM, skip this step and proceed to step 7 instead.
-
To enable the Java interface and PingAccess integration, copy the
cloudhsm-jce-5.x.0.jar
file to thepingaccess/deploy
directory.-
On Linux operating systems, the file location is
/opt/cloudhsm/java/cloudhsm-jce-5.x.0.jar
. -
On Windows operating systems, the file location is
C:\Program Files\Amazon\CloudHSM\java\cloudhsm-jce-5.x.0.jar
.
-
Next steps
Return to Adding an AWS CloudHSM provider to finish setting up an AWS CloudHSM provider in the administrative console.
Upgrading from Client SDK 3 to Client SDK 5
About this task
Upgrading from Client SDK 3 to Client SDK 5 requires you to have a source version of PingAccess that you plan to upgrade to or past a target version of PingAccess 7.3 or later.
To upgrade the AWS CloudHSM Client SDK from 3.x to 5.x to integrate it with a target version of PingAccess 7.3 or later:
Steps
-
Ensure that the source version of PingAccess that you plan to upgrade to or past version 7.3 is running.
Do not stop this source version of PingAccess until step 7.
-
Stop the CloudHSM 3 standalone client with the
sudo service cloudhsm-client stop
command. -
Move or delete the
/opt/cloudhsm
file.You can’t complete step 4 if you already have the AWS CloudHSM client installed because of the structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, you must remove any existing CloudHSM client software.
-
Install the JCE 5 client.
For more information, see Install and use the AWS CloudHSM JCE provider for Client SDK 5 in the AWS CloudHSM documentation.
-
Copy the
cloudhsm-5.x.0.jar
file into thepingaccess/deploy
directory of the target version of PingAccess that you plan to upgrade to. -
Run the PingAccess upgrade.
For more information, see Upgrading PingAccess.
-
Stop the source version of PingAccess.
For more information, see Stopping PingAccess.
Result
You have upgraded to your target version of PingAccess and integrated AWS CloudHSM Client SDK 5 with it.