Some restrictions apply to PingFederate operations when using an HSM:
- PingFederate must be deployed with Oracle Server JRE (Java SE Runtime Environment) 8.
- When PingFederate is integrated with nCipher nShield Connect on a platform with Oracle Server JRE (Java SE Runtime Environment) 8u102, runtime errors may occur when handling certificates with a signing algorithm of RSA SHA256, SHA384, or SHA512. Upgrading to Oracle Server JRE (Java SE Runtime Environment) 8u112 resolves these runtime errors.
- PingFederate only supports Operator Card Set (OCS) protected keys. If you use a standard
(non-persistent) OCS, the HSM removes the protected keys from its memory when the card is
removed from the smart card reader. Requests will likely fail because almost all requests
require cryptographic processing. To resume operations, you must insert the card back to
the smart card reader and then restart PingFederate.
Alternatively, you may use a persistent OCS so that protected keys remain in memory even after the card is removed from the smart card reader. PingFederate will continue to process requests and to load keys and certificates from the HSM as needed. Note that no new keys and certificates can be created and stored on the HSM until the card is inserted back to the HSM. (No restart of PingFederate is required.) For more information about persistent OCS, please consult your HSM vendor.
- As an OpenID Provider, PingFederate can use static or dynamically rotating keys to sign ID tokens, JWTs for client authentication, and OpenID Connect request objects. When dynamically rotating keys are used (the default configuration), the short-term keys are stored in memory, not on the HSM. (If static keys are used, they can be stored on HSM.)
- Private keys are not exportable. When configured for use with the HSM, administrative-console options for this feature are disabled. Only the public portion of generated keys is exportable.
- When running in FIPS 140-2 level 3 compliance (also known as strict FIPS mode) private keys can not be imported. In this case administrative-console options for this feature are disabled.
- When using the Configuration Archive feature, any keys,
certificates, or objects generated and stored on the HSM prior to saving a configuration
archive must continue to exist unaltered when the archive is restored. In other words, any
deletion or creation of objects on the HSM not executed via the PingFederate user interface
will not be recognized or operational.
For example, during the course of normal PingFederate operation you create and save objects A, B, and C to the HSM and create a data archive that contains references to those objects. If you then delete object C and attempt to recover it via the data archive, PingFederate fails, producing various exceptions. Because the data archive contains a reference to the object and the object has been deleted from the HSM, it is not possible to use that data archive again.
- Not all cipher suites in a standard Java configuration are available. They are limited to those listed in the com.pingidentity.crypto.NcipherJCEManager.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.