Administrators may enable HSM hybrid mode, which provides the choice to store each relevant key and certificate either on a hardware security module (HSM) or in the PingFederate-managed local trust store. This capability allows organizations to migrate the storage of keys and certificates to a supported HSM to meet security requirements without having to deploy a new PingFederate environment and mirror the existing setup.
PingFederate supports the following HSMs:
- AWS CloudHSM (stores private keys only)
- Gemalto SafeNet Luna Network HSM (stores private keys only)
- nCipher nShield Connect HSM (stores both certificates and private keys)
Once HSM hybrid mode is disabled, PingFederate accesses keys and certificates that are designated for HSM storage only from the HSM, regardless of whether copies of those keys and certificates also exist in the local trust store.