Adding an AWS CloudHSM provider - PingAccess - 7.2

PingAccess
bundle
pingaccess-72
ft:publication_title
PingAccess
Product_Version_ce
PingAccess 7.2
category
Product
pa-72
pingaccess
ContentType_ce

Add an Amazon Web Services (AWS)Amazon Web Services (AWS)AWS An Amazon subsidiary providing cloud computing platforms. CloudHSM provider to begin using hardware security module (HSM)hardware security module (HSM)HSM A dedicated cryptographic processor designed to manage and protect digital keys. HSMs act as trust anchors that protect the cryptographic key lifecycle by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.-stored key pairs in PingAccess.

  • Configure your hardware security module. For more information, see the Amazon documentation.
  • Download the AWS CloudHSM software library for Java version 3.1.2, install it, and move the Cloudhsm-3.1.2.jar file from the /opt/cloudhsm/java/ directory to the deploy directory on the PingAccess system. For more information, see the Install and Use the AWS CloudHSM Software Library for Java procedure. If 3.1.2 is not the latest version of CloudHSM, you can download it from the Client and Software Version History.
  • Verify that you are using Oracle Java SE Runtime Environment (Server JRE) 8.
  • Verify that your PingAccess deployment is running in the same AWS EC2 instance as the CloudHSM client.
  1. Click Security and then go to HSM Providers.
  2. Click + Add HSM Provider.
  3. In the Name field, enter a name for the HSM provider.
  4. From the Type list, select AWS CloudHSM Provider.
  5. In the User field, enter a user name for connecting to the HSM provider.
  6. In the Password field, enter a password for connecting to the HSM provider.
  7. Optional: In the Partition field, enter the partition to use on the HSM provider.
  8. Click Save.
  9. Restart PingAccess.
    Note:

    The following are known issues:

    • RSASSA-PSS signing algorithms fail with Java8u261 or later. HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm.
    • PingAccess Cloud HSM functionality works in FIPS mode but not in regular mode for Java8u261 and later.

    To bypass the known issues, a user can edit the additional.security.jdk.tls.disabledAlgorithms in the run.properties file. For more information, see the following example:

    additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3