Add an Amazon Web Services (AWS) CloudHSM provider to begin using hardware security module (HSM)-stored key pairs in PingAccess.
- Configure your hardware security module. For more information, see the Amazon documentation.
- Download the AWS CloudHSM software library for Java version 3.1.2, install it, and move the Cloudhsm-3.1.2.jar file from the /opt/cloudhsm/java/ directory to the deploy directory on the PingAccess system. For more information, see the Install and Use the AWS CloudHSM Software Library for Java procedure. If 3.1.2 is not the latest version of CloudHSM, you can download it from the Client and Software Version History.
- Verify that you are using Oracle Java SE Runtime Environment (Server JRE) 8.
- Verify that your PingAccess deployment is running in the same AWS EC2 instance as the CloudHSM client.
- Click Security and then go to .
- Click + Add HSM Provider.
- In the Name field, enter a name for the HSM provider.
- From the Type list, select AWS CloudHSM Provider.
- In the User field, enter a user name for connecting to the HSM provider.
- In the Password field, enter a password for connecting to the HSM provider.
- Optional: In the Partition field, enter the partition to use on the HSM provider.
- Click Save.
- Restart PingAccess.
Note: The following are known issues:
- RSASSA-PSS signing algorithms fail with Java8u261 or later. HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm.
- PingAccess CloudHSM functionality works in FIPS mode but not in regular mode for Java8u261 and later.
To bypass the known issues, a user can edit the additional.security.jdk.tls.disabledAlgorithms property in the run.properties file, as in the following example:
additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3
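The workaround above is easy to get wrong by hand when run.properties already lists other disabled algorithms: overwriting the line silently re-enables whatever was there, and a duplicate key is ambiguous. The following is an added example (not PingAccess code) that merges the required names into the existing value without dropping or duplicating entries; it assumes the file uses simple one-line `key=value` entries with a comma-separated value, as in the example on this page, and the run.properties fragment it operates on is a constructed sample.

```python
# Key named in the PingAccess run.properties workaround on this page.
DISABLED_KEY = "additional.security.jdk.tls.disabledAlgorithms"


def parse_disabled(text: str) -> list[str]:
    """Return the algorithm names currently listed under DISABLED_KEY ([] if absent)."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        if key.strip() == DISABLED_KEY:
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def ensure_disabled(text: str, required: list[str]) -> str:
    """Return the properties text with every name in `required` present under DISABLED_KEY.

    Existing entries are preserved in order, duplicates are avoided (case-insensitive),
    all other lines are left untouched, and the key is appended if it was never defined.
    """
    current = parse_disabled(text)
    have = {c.lower() for c in current}
    merged = current + [r for r in required if r.lower() not in have]
    new_line = f"{DISABLED_KEY}={', '.join(merged)}"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if not s.startswith("#") and s.partition("=")[0].strip() == DISABLED_KEY:
            lines[i] = new_line  # rewrite the existing definition in place
            break
    else:
        lines.append(new_line)  # key was absent: add it at the end
    return "\n".join(lines) + "\n"


# Constructed sample fragment; only the disabledAlgorithms key is from this page.
SAMPLE = """# run.properties (constructed sample, not a real deployment file)
some.other.setting=value
additional.security.jdk.tls.disabledAlgorithms=TLSv1.3
"""

if __name__ == "__main__":
    print(ensure_disabled(SAMPLE, ["RSASSA-PSS", "TLSv1.3"]), end="")
```

Run against a copy of the real file first and diff the result before replacing the deployed run.properties, then restart PingAccess as the procedure requires.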