Use PingFederate's administrative functionality to choose whether to store keys and certificates on a hardware security module (HSM) or in the local trust store.
Administrators can enable the HSM hybrid mode, which provides the choice to store each relevant key and certificate on an HSM or the PingFederate-managed local trust store. This capability allows organizations to transition the storage of keys and certificates to a supported HSM to meet security requirements without the need to deploy a new PingFederate environment and mirror the setup.
The following images illustrate some general interactions between PingFederate and an HSM. Those interactions depend on whether you configure the HSM in hybrid mode.
For a list of supported HSMs, see the "Hardware security modules" section under "Third-party cryptographic solutions" in System requirements.
When HSM hybrid mode is disabled, PingFederate accesses keys and certificates that are designated for HSM storage only from the HSM, regardless of whether copies of those keys and certificates also exist in the local trust store.