PingFederate Server

Supported hardware security modules

PingFederate supports multiple configurations for secure material storage and processing.

When configuring a fresh setup of a PingFederate cluster with active and passive admin nodes and hardware security modules (HSM), you must designate one of the console nodes as the default active console. You can do this in the cluster-admin-nodes-sync.conf file of the node you want to make the default active by setting default.admin.console.role=active.

Configure the default active console first, and start it up before starting any passive consoles. This allows the passive consoles to synchronize their configurations with the default active console, which contains the necessary default SSL server certificate generated by the active console at its start-up.

If you do not configure a default active console, the passive console’s server.log will contain the following error:

Default active server cert is not present on node. This is a passive console node and HSM is configured so the cert will not be generated as that will strand an unused key on the HSM. Instead the configuration data needs to be retrieved from the active console. Ensure the active console is started before starting this passive console.
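The start-up requirement described above can be checked before any console is started. The following script is an added example, not part of the PingFederate product or its documentation. It takes the cluster-admin-nodes-sync.conf file of each console node and a passive node's server.log as paths. The function names, the treatment of "exactly one active node" as the passing condition, Java-properties-style parsing of the file, and the sample files are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not Ping Identity code. Files are passed by path; no install
# directory is assumed.
ROLE_KEY='default.admin.console.role'
ERR_TEXT='Default active server cert is not present on node'

# Value of default.admin.console.role in one cluster-admin-nodes-sync.conf.
# Commented lines are ignored; the last assignment wins (assumption).
console_role() {
    sed -n 's/^[[:space:]]*default\.admin\.console\.role[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Number of given conf files that designate the default active console.
count_default_active() {
    n=0
    for f in "$@"; do
        if [ "$(console_role "$f")" = "active" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Succeeds when a server.log contains the passive-console start-up error.
log_has_missing_cert_error() {
    grep -qF "$ERR_TEXT" "$1"
}

# Pass only when exactly one console node is the default active console.
preflight() {
    active=$(count_default_active "$@")
    if [ "$active" -eq 1 ]; then
        echo "OK: one default active console"
    else
        echo "FAIL: $active node(s) set $ROLE_KEY=active, expected 1"
        return 1
    fi
}

# Constructed sample input: two admin nodes and one passive-node log.
SAMPLE=$(mktemp -d)
printf '%s\n' '# admin node 1' 'default.admin.console.role = active ' > "$SAMPLE/node1.conf"
printf '%s\n' '# admin node 2' '#default.admin.console.role=active' > "$SAMPLE/node2.conf"
printf '%s\n' "(constructed) ERROR $ERR_TEXT. This is a passive console node and HSM is configured" > "$SAMPLE/server.log"

preflight "$SAMPLE/node1.conf" "$SAMPLE/node2.conf"
if log_has_missing_cert_error "$SAMPLE/server.log"; then
    echo "passive console started before the default active console"
fi
```

A failing preflight means either no console node or more than one is marked as the default active console. A match in server.log means that passive console was started before it could retrieve the configuration from the active console.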

PingFederate supports the following modules:

  • AWS CloudHSM

  • Thales Luna Network HSM

  • Entrust nShield Connect HSM