nShield Connect HSM operational notes
Some restrictions apply to PingFederate when using a hardware security module (HSM).
-
PingFederate requires Oracle Server JRE (Java SE Runtime Environment) 8 or Amazon Corretto 8 for deployment.
-
When integrating PingFederate with Entrust nShield Connect on a platform with Oracle Server JRE 8u102, runtime errors might occur when handling certificates signed with RSA-SHA256, RSA-SHA384, or RSA-SHA512. To resolve these runtime errors, upgrade to Oracle Server JRE 8u112.
-
PingFederate only supports Operator Card Set (OCS) protected keys. If you use a standard, non-persistent OCS, removing the card from the smart card reader causes the HSM to remove the protected keys from its memory. Requests will likely fail because almost all requests require cryptographic processing. To resume operations, insert the card into the smart card reader and then restart PingFederate.
Alternatively, use a persistent OCS so that protected keys remain in the HSM's memory even after the card is removed from the smart card reader. PingFederate continues to process requests and to load keys and certificates from the HSM as needed. Until the card is inserted back into the smart card reader, the HSM does not support creating and storing new keys and certificates, but with a persistent OCS no restart of PingFederate is required in this situation. For more information about persistent OCS, consult your HSM vendor.
-
As an OpenID Provider, PingFederate can use static or dynamically rotating keys to sign ID tokens, JSON web tokens (JWTs) for client authentication, and OpenID Connect request objects. When dynamically rotating keys are used, as in the default configuration, the short-lived keys are held in memory, not in the HSM. Static keys can be stored in the HSM.
-
Private keys are not exportable. When configured for use with the HSM, PingFederate disables the administrative-console options for exporting private keys. Only the public portion of generated keys is exportable.
-
When running in FIPS 140-2 Level 3 compliance, also called strict FIPS mode, private keys cannot be imported, and the administrative-console options for importing them are disabled.
-
When using the Configuration Archive feature, any keys, certificates, or objects generated and stored on the HSM before a configuration archive is saved must still exist, unaltered, when the archive is restored. In other words, create and delete objects on the HSM only through the PingFederate administrative console, so that the archive and the HSM stay consistent.
For example, you create objects A, B, and C on the HSM and then save a configuration archive that contains references to those objects. If you later delete object C from the HSM and attempt to recover it by restoring the archive, the restore fails: the archive holds only a reference to the object, not the object itself, and the referenced object no longer exists on the HSM, so that archive can no longer be used.
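The practical consequence of the rule above is a pre-restore check: before restoring an archive, confirm that every HSM object it references is still present and unchanged. The following Python script is an added example, not PingFederate or Entrust code. It assumes (hypothetically) that you can produce two small "alias fingerprint" manifests, one recorded when the archive was saved and one taken from the HSM's key-management tooling now; the sample manifests embedded below are constructed for illustration. An object with the same alias but a different public-key fingerprint counts as altered, and objects present on the HSM but not referenced by the archive are ignored, since only archive-referenced objects must survive.

```python
"""Pre-restore consistency check between a configuration archive's HSM references
and the keys currently present on the HSM (added example, not product code).

Hypothetical manifest format: one record per line, "<alias> <public-key-fingerprint>",
with '#' starting a comment. Fingerprint values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: what the archive was saved against (objects A, B, C).
ARCHIVE_MANIFEST = """\
# alias        fingerprint (constructed)
signing-a      11aa11aa11aa11aa
signing-b      22bb22bb22bb22bb
signing-c      33cc33cc33cc33cc
"""

# Constructed sample: what the HSM reports now. signing-b was re-created outside
# PingFederate (same alias, different key); signing-c was deleted from the HSM.
LIVE_HSM_MANIFEST = """\
signing-a      11aa11aa11aa11aa
signing-b      99ff99ff99ff99ff
other-key      44dd44dd44dd44dd   # not referenced by the archive: harmless
"""


@dataclass(frozen=True)
class Finding:
    alias: str
    status: str   # "ok", "missing", or "altered"
    detail: str


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the hypothetical manifest format into {alias: fingerprint}."""
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        alias, fingerprint = parts
        if alias in keys:
            raise ValueError(f"duplicate alias in manifest: {alias}")
        keys[alias] = fingerprint.lower()
    return keys


def check_archive_against_hsm(archive: Dict[str, str], live: Dict[str, str]) -> List[Finding]:
    """Classify every archive-referenced object as ok, missing, or altered."""
    findings: List[Finding] = []
    for alias, fingerprint in sorted(archive.items()):
        if alias not in live:
            findings.append(Finding(alias, "missing",
                                    "referenced by the archive but absent from the HSM"))
        elif live[alias] != fingerprint:
            findings.append(Finding(alias, "altered",
                                    f"archive fingerprint {fingerprint} != HSM {live[alias]}"))
        else:
            findings.append(Finding(alias, "ok", "present and unchanged"))
    return findings


def restore_is_safe(findings: List[Finding]) -> bool:
    """Only restore when every referenced object is present and unaltered."""
    return all(f.status == "ok" for f in findings)


def run_check(archive_text: str = ARCHIVE_MANIFEST, live_text: str = LIVE_HSM_MANIFEST) -> bool:
    findings = check_archive_against_hsm(parse_manifest(archive_text), parse_manifest(live_text))
    for f in findings:
        print(f"{f.status:8} {f.alias:12} {f.detail}")
    safe = restore_is_safe(findings)
    print("restore allowed" if safe else "restore blocked: fix the HSM state first")
    return safe


if __name__ == "__main__":
    run_check()
```

On the sample data the check blocks the restore: signing-b is reported as altered and signing-c as missing, which is exactly the state the page describes as unrecoverable through the archive. Run the same check with the live manifest equal to the archive manifest and it passes.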
-
PingFederate limits cipher suites to those listed in the <pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.crypto.NcipherJCEManager.xml file.