Configuring PingAccess to use Amazon Key Management Services - PingAccess - 8.0

During initial startup, PingAccess automatically generates a randomized master key, which by default is not encrypted. If you are running in Amazon Web Services (AWS), you can configure PingAccess to use Amazon Key Management Services (KMS) to encrypt the master key.

  • Make sure that you have an active connection to AWS.
  • Use AWS KMS to generate a key to use for the PingAccess master key encryption.
Note: For more information about managing access rights to your keys using key policies or AWS Identity and Access Management (IAM), see AWS Key Management Service.

To configure the encryption of the PingAccess master key, modify the pa.jwk.properties file found in <PA_HOME>/conf.

  1. Stop PingAccess.
  2. In a text editor, open <PA_HOME>/conf/pa.jwk.properties.
  3. Locate the pa.hostkey.masterKeyEncryptor property.
  4. Enable master key encryption.
    1. Change com.pingidentity.pa.crypto.NoOpMasterKeyEncryptor to the AWS KMS master key encryptor class name com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor.
    2. Locate the ID for the key that you generated using AWS KMS.
    3. If this is not the first time starting PingAccess, prefix the key ID with “ENCRYPT:”.
    After making changes, the properties file should look similar to the following:

    pa.hostkey.masterKeyEncryptor=com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor
    pa.hostkey.keyId=ENCRYPT:d4e6adab-e20c-4339-ba76-e4cb1348713f

  5. Save and close the updated pa.jwk.properties file.
  6. Restart PingAccess.

    The PingAccess master key file pa.jwk is encrypted using Amazon KMS.
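The edit in steps 2 through 5 is easy to get wrong by hand (a leftover NoOp line, a missing ENCRYPT: prefix on an already-initialized instance), so the following POSIX shell functions perform it from a script and verify the result before you restart. This is an added example, not part of the PingAccess documentation or product: it assumes only the two property names shown in the procedure, takes the properties file path, the KMS key ID and a first-start flag as arguments (the key ID and path are placeholders you supply), and keeps a .bak copy of the file so the change can be reverted if startup fails.

```shell
#!/bin/sh
# Added example (not PingAccess's own tooling). Rewrites <PA_HOME>/conf/pa.jwk.properties
# so the master key is encrypted with AWS KMS, following the documented procedure:
# stop PingAccess first, run configure_kms_encryptor, then verify_kms_encryptor, then restart.
set -e

AWS_KMS_ENCRYPTOR="com.pingidentity.pingcommons.aws.key.AwsKmsMasterKeyEncryptor"

# configure_kms_encryptor PROPERTIES_FILE KEY_ID FIRST_START
#   PROPERTIES_FILE  path to <PA_HOME>/conf/pa.jwk.properties (placeholder, caller supplies)
#   KEY_ID           ID of the key generated in AWS KMS beforehand (placeholder, caller supplies)
#   FIRST_START      "yes" if PingAccess has never been started; any other value adds the
#                    ENCRYPT: prefix so the existing master key gets encrypted on restart
configure_kms_encryptor() {
  props="$1"
  key_id="$2"
  first_start="$3"

  if [ ! -f "$props" ]; then
    echo "properties file not found: $props" >&2
    return 1
  fi

  # Keep a backup so the edit can be reverted if PingAccess fails to start.
  cp "$props" "$props.bak"

  if [ "$first_start" = "yes" ]; then
    key_value="$key_id"
  else
    key_value="ENCRYPT:$key_id"
  fi

  # Remove any existing definitions of the two properties (including the default
  # NoOpMasterKeyEncryptor), then append the AWS KMS settings. grep -v exits 1 when
  # every line was filtered out, which is not an error here.
  grep -v -e '^pa\.hostkey\.masterKeyEncryptor=' -e '^pa\.hostkey\.keyId=' "$props" > "$props.tmp" || true
  {
    cat "$props.tmp"
    echo "pa.hostkey.masterKeyEncryptor=$AWS_KMS_ENCRYPTOR"
    echo "pa.hostkey.keyId=$key_value"
  } > "$props"
  rm -f "$props.tmp"
}

# verify_kms_encryptor PROPERTIES_FILE
# Succeeds only if the file selects the AWS KMS encryptor exactly once, carries a
# key ID, and no longer references the NoOp encryptor. Run this before restarting.
verify_kms_encryptor() {
  props="$1"
  [ "$(grep -c '^pa\.hostkey\.masterKeyEncryptor=' "$props")" -eq 1 ] || return 1
  grep -q "^pa\.hostkey\.masterKeyEncryptor=$AWS_KMS_ENCRYPTOR\$" "$props" || return 1
  grep -q '^pa\.hostkey\.keyId=.' "$props" || return 1
  if grep -q 'NoOpMasterKeyEncryptor' "$props"; then
    return 1
  fi
  return 0
}

# Usage on a PingAccess host that has already been started at least once
# (PA_HOME and KEY_ID are placeholders):
#   configure_kms_encryptor "$PA_HOME/conf/pa.jwk.properties" "$KEY_ID" no
#   verify_kms_encryptor "$PA_HOME/conf/pa.jwk.properties" && echo "ready to restart"
```

Restricting who can edit this file matters as much as the key policy on the KMS side: whoever can change pa.hostkey.masterKeyEncryptor back to the NoOp class controls whether the master key stays encrypted on the next restart, so the verify step is worth running from your configuration-management pipeline, not only by hand.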