PingAccess 7.3 and later no longer support AWS CloudHSM Client SDK 3.

Important:

Follow these steps to set up Client SDK 5 and integrate it with PingAccess even if you're just upgrading the Client SDK from 3.x to 5.x. Client SDK 5 no longer uses a client daemon. This changes the steps necessary to set up an AWS CloudHSM provider because the client process doesn't run separately from PingAccess anymore.

To add an AWS CloudHSM provider in the PingAccess administrative console:

  1. In PingAccess, go to Security > HSM Providers, and click + Add HSM Provider.
  2. In the Name field, enter a name for the HSM provider.
  3. In the Type list, select AWS CloudHSM Provider.
  4. In the User field, enter a username used to connect to the HSM provider.
  5. In the Password field, enter a password used to connect to the HSM provider.
  6. Optional: In the Partition field, enter the partition to use on the HSM provider.
  7. Click Save.
  8. Restart PingAccess.

PingAccess 7.3 and later contain a workaround to bypass the following known issues by default:

  1. RSASSA-PSS signing algorithms fail with Java 8u261 or later because HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm.
  2. PingAccess CloudHSM functionality works in FIPS mode but not in regular mode with Java 8u261 and later.

If you experience either of these known issues, you can bypass them by editing the additional.security.jdk.tls.disabledAlgorithms property in the run.properties file, as in the following example:

additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3

Begin creating and assigning key pairs. For more information on creating key pairs, see Generating new key pairs or Importing existing key pairs.