To use hardware security module (HSM)-stored key pairs in PingAccess, add an Amazon Web Services (AWS) CloudHSM provider in the PingAccess administrative console.
PingAccess 7.3 and later no longer support AWS CloudHSM Client SDK 3.
- If you're upgrading the CloudHSM Client SDK from 3.x to 5.x, see Upgrading from Client SDK 3 to Client SDK 5 before trying to add a CloudHSM provider in the PingAccess administrative console.
- If you are creating a new installation of AWS CloudHSM Client SDK 5, see Setting up a new installation of AWS CloudHSM before trying to add a CloudHSM provider in the PingAccess administrative console.
Follow these steps to set up Client SDK 5 and integrate it with PingAccess even if you're just upgrading the Client SDK from 3.x to 5.x. Client SDK 5 no longer uses a client daemon. This changes the steps necessary to set up an AWS CloudHSM provider because the client process doesn't run separately from PingAccess anymore.
To add an AWS CloudHSM provider in the PingAccess administrative console:
- In PingAccess, go to , and click + Add HSM Provider.
- In the Name field, enter a name for the HSM provider.
- In the Type list, select AWS CloudHSM Provider.
- In the User field, enter a username used to connect to the HSM provider.
- In the Password field, enter a password used to connect to the HSM provider.
- Optional: In the Partition field, enter the partition to use on the HSM provider.
- Click Save.
- Restart PingAccess.
PingAccess 7.3 and later contain a workaround to bypass the following known issues by default:
- RSASSA-PSS signing algorithms fail with Java 8u261 or later. HSM vendors and core Java use different naming conventions for the RSASSA-PSS algorithm.
- PingAccess Cloud HSM functionality works in FIPS mode but not in regular mode for Java 8u261 and later.
If you experience either of these known issues, you can edit the additional.security.jdk.tls.disabledAlgorithms property in the run.properties file to bypass them. For example:
additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, TLSv1.3
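As a pre-flight check for this workaround, the following added example (not PingAccess code or documentation) parses a Java-style run.properties file and reports whether the RSASSA-PSS entry is present in additional.security.jdk.tls.disabledAlgorithms, and whether TLSv1.3 is listed alongside it. The sample file contents, the property key some.other.property and the helper names are constructed for the example; comparison of algorithm names is case-insensitive, which is an assumption about how the property is matched.

```python
"""Pre-flight check for the run.properties CloudHSM workaround.

Added example, not PingAccess code: parses a Java-style .properties file
(comments, key=value / key:value / key value, backslash continuations) and
reports whether additional.security.jdk.tls.disabledAlgorithms carries the
RSASSA-PSS entry that bypasses the known CloudHSM issues.
"""
import re
from pathlib import Path

PROPERTY = "additional.security.jdk.tls.disabledAlgorithms"

# Constructed sample, not a real PingAccess run.properties file.
SAMPLE_RUN_PROPERTIES = """\
# constructed sample run.properties
some.other.property=value
additional.security.jdk.tls.disabledAlgorithms=RSASSA-PSS, \\
    TLSv1.3
"""


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties-style parser.

    Handles '#'/'!' comment lines, '=' / ':' / whitespace key terminators and
    odd-count trailing-backslash line continuations. Unicode and other escape
    sequences inside values are left as-is (assumption: not needed here).
    """
    logical_lines = []
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is insignificant in .properties
        if not buf and line[:1] in ("#", "!"):
            logical_lines.append(line)  # comment lines never continue
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: continuation
            buf += line[:-1]
            continue
        buf += line
        logical_lines.append(buf)
        buf = ""
    if buf:
        logical_lines.append(buf)

    props = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def disabled_algorithms(props: dict) -> list:
    """Split the comma-separated disabledAlgorithms value into clean tokens."""
    value = props.get(PROPERTY, "")
    return [t.strip() for t in value.split(",") if t.strip()]


def check_workaround(props: dict) -> dict:
    """Report whether the RSASSA-PSS workaround (and TLSv1.3) is configured."""
    algs = disabled_algorithms(props)
    upper = {a.upper() for a in algs}  # assumption: matching is case-insensitive
    return {
        "rsassa_pss_disabled": "RSASSA-PSS" in upper,
        "tls13_disabled": "TLSV1.3" in upper,
        "disabled": algs,
    }


def check_file(path) -> dict:
    """Convenience wrapper: read run.properties from disk and check it."""
    return check_workaround(parse_properties(Path(path).read_text()))


if __name__ == "__main__":
    result = check_workaround(parse_properties(SAMPLE_RUN_PROPERTIES))
    print(result)
```

Running the script on a real file with check_file("<PA_HOME>/conf/run.properties") (path is a placeholder) tells you whether the bypass is in place before you restart PingAccess. Note that the TLSv1.3 token in the example line also removes TLS 1.3 from the Java TLS stack, so the result reports it separately: confirm that dropping TLS 1.3 is acceptable for your deployment rather than copying the line blindly.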
Begin creating and assigning key pairs. For more information on creating key pairs, see Generating new key pairs or Importing existing key pairs.