• Configure your hardware security module. You must have an AWS CloudHSM cluster to complete step 3. For more information, see the Amazon documentation.
  • Ensure that Java 8 or 11 is installed on the PingAccess server. For more information on how to set up a Java Runtime Environment (JRE), see Installing PingAccess on your system. Use a non-Oracle distribution of Java (such as Amazon Corretto); if you use JDK 11, use 11.0.16 or later.
  • PingAccess must be deployed on an operating system that AWS CloudHSM supports. See System requirements in the PingAccess documentation and Supported platforms for the client SDKs in the AWS CloudHSM documentation for a list of mutually supported operating systems.

To set up a new installation of AWS CloudHSM Client SDK 5 and integrate it with PingAccess:

  1. Request a crypto user (CU) account from your AWS CloudHSM administrator.
    Remember:

    You will need to reference your username and password for this account during steps 4-5 of Adding an AWS CloudHSM provider. PingAccess uses this information to establish a connection with AWS CloudHSM.

  2. Install and configure the AWS CloudHSM Java Cryptography Extension (JCE) provider for Client SDK 5.

    For more information, see Install and use the AWS CloudHSM JCE provider for Client SDK 5 in the AWS CloudHSM documentation.

    Important:

    You can't install the Client SDK 5 JCE provider while an earlier AWS CloudHSM client (Client SDK 3.x) is still installed, because of structural changes made to the client between 3.x and 5.x. If you are upgrading from PingAccess 7.2 or earlier, remove any existing CloudHSM client software before installing the SDK 5 JCE provider.

  3. Connect the Client SDK to the AWS CloudHSM cluster.

    For more information on how to connect the Client SDK, see Bootstrap the Client SDK in the AWS CloudHSM documentation. Use the JCE provider tab.

  4. Run the appropriate command for your operating system to ensure that keys are available to use. The flag turns off the Client SDK 5 key availability check, which otherwise refuses to use a key until it exists on more than one HSM in the cluster; a cluster with a single HSM can never satisfy that check.
    Note:

    You must complete this step even if you don't plan to use a cluster containing multiple HSMs. Because the check is disabled, PingAccess can use a key as soon as it exists on one HSM, before it has replicated to the other HSMs in the cluster.

    • On Linux operating systems, run the sudo /opt/cloudhsm/bin/configure-jce --disable-key-availability-check command.
    • On Windows operating systems, run the C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --disable-key-availability-check command.
  5. If you plan to use elliptic curve (EC) keys for decryption, run the appropriate command for your operating system.
    • On Linux operating systems, run the sudo /opt/cloudhsm/bin/configure-jce --enable-ecdh-without-kdf command.
    • On Windows operating systems, run the C:\Program Files\Amazon\CloudHSM\bin\configure-jce.exe --enable-ecdh-without-kdf command.
  6. Configure a new PingAccess installation on the network interconnected to the HSM.

    For more information on how to install PingAccess, see Installing PingAccess on your system.

    Note:

    To integrate an existing PingAccess installation with your HSM, skip this step and proceed to step 7 instead.

  7. To enable the Java interface and PingAccess integration, copy the cloudhsm-jce-5.x.0.jar file (where 5.x.0 is the installed Client SDK 5 version) to the pingaccess/deploy directory. Copy only the SDK 5 jar; an SDK 3 jar left in this directory conflicts with it.
    Note:
    • On Linux operating systems, the file location is /opt/cloudhsm/java/cloudhsm-jce-5.x.0.jar.
    • On Windows operating systems, the file location is C:\Program Files\Amazon\CloudHSM\java\cloudhsm-jce-5.x.0.jar.
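The following script is an added example, not PingAccess or AWS code, that carries out steps 4, 5 and 7 above on a Linux host in one run. It assumes PingAccess is installed under /opt/pingaccess (the page only names the pingaccess/deploy directory), it adds environment-variable overrides for the SDK and PingAccess paths and a USE_EC_KEYS switch for step 5, and the check that exactly one cloudhsm-jce-5.*.jar is present is this example's own safeguard against deploying a stale or duplicate jar. Run it with sudo, because configure-jce needs root.

```shell
#!/bin/sh
# Added example (not PingAccess or AWS code): steps 4, 5 and 7 of the Client SDK 5
# integration on Linux. Paths below are assumptions overridable via the environment.
set -eu

CLOUDHSM_BIN="${CLOUDHSM_BIN:-/opt/cloudhsm/bin}"     # SDK 5 CLI directory (from the page)
CLOUDHSM_JAVA="${CLOUDHSM_JAVA:-/opt/cloudhsm/java}"  # SDK 5 jar directory (from the page)
PA_DEPLOY="${PA_DEPLOY:-/opt/pingaccess/deploy}"      # assumed PingAccess install root
USE_EC_KEYS="${USE_EC_KEYS:-0}"                       # set to 1 if EC keys decrypt traffic

# Step 4 (and optionally 5): apply the configure-jce flags listed on the page.
# $1 = directory holding configure-jce, $2 = 1 to also enable ECDH without a KDF.
configure_jce() {
    bin="$1"; use_ec="$2"
    "$bin/configure-jce" --disable-key-availability-check
    if [ "$use_ec" = "1" ]; then
        "$bin/configure-jce" --enable-ecdh-without-kdf
    fi
}

# Step 7 helper: print the path of the single SDK 5 JCE jar in $1. Fails unless
# exactly one cloudhsm-jce-5.*.jar exists, so a missing install or a duplicate
# jar is caught before anything lands on PingAccess's classpath.
find_jce_jar() {
    dir="$1"; count=0; found=""
    for f in "$dir"/cloudhsm-jce-5.*.jar; do
        [ -f "$f" ] || continue
        count=$((count + 1)); found="$f"
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one cloudhsm-jce-5.*.jar in $dir, found $count" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Step 7: copy the jar into pingaccess/deploy and print the deployed path.
deploy_jce_jar() {
    src_dir="$1"; deploy_dir="$2"
    jar=$(find_jce_jar "$src_dir") || return 1
    if [ ! -d "$deploy_dir" ]; then
        echo "deploy directory $deploy_dir does not exist" >&2
        return 1
    fi
    cp "$jar" "$deploy_dir/"
    printf '%s\n' "$deploy_dir/$(basename "$jar")"
}

main() {
    configure_jce "$CLOUDHSM_BIN" "$USE_EC_KEYS"
    deploy_jce_jar "$CLOUDHSM_JAVA" "$PA_DEPLOY"
}

# Only run the full procedure when the SDK 5 CLI is actually installed.
if [ -x "$CLOUDHSM_BIN/configure-jce" ]; then
    main
fi
```

After the jar is deployed, restart PingAccess and continue with the provider setup in the administrative console; the script deliberately stops with a non-zero exit if it finds no jar or more than one, rather than guessing which to copy.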

Return to Adding an AWS CloudHSM provider to finish setting up an AWS CloudHSM provider in the administrative console.