Some restrictions apply to PingFederate operations when using an HSM:
- PingFederate must be deployed with Oracle Server JRE (Java SE Runtime Environment) 8.
- PingFederate does not store public certificates (for the purposes of signature verification, encryption, and back-channel authentication) on the hardware module. In this case, certificates are stored in the local trust store located on the file system.
- As an OpenID Provider, PingFederate can use static or dynamically rotating keys to sign ID tokens, JWTs for client authentication, and OpenID Connect request objects. When dynamically rotating keys are used (the default configuration), the short-term keys are stored in memory, not on the HSM. (If static keys are used, they can be stored on HSM.)
- Private keys are not exportable. When configured for use with the HSM, administrative-console options for this feature are disabled. Only the public portion of generated keys is exportable.
- When using the Configuration Archive feature, any keys,
certificates, or objects generated and stored on the HSM prior to saving a configuration
archive must continue to exist unaltered when the archive is restored. In other words, any
deletion or creation of objects on the HSM not executed via the PingFederate user interface
will not be recognized or operational.
For example, during the course of normal PingFederate operation you create and save objects A, B, and C to the HSM and create a data archive that contains references to those objects. If you then delete object C and attempt to recover it via the data archive, PingFederate fails, producing various exceptions. Because the data archive contains a reference to the object and the object has been deleted from the HSM, it is not possible to use that data archive again.
- Not all cipher suites in a standard Java configuration are available. They are limited to those listed in the com.pingidentity.crypto.AWSCloudHSMJCEManager.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.