Use the PingFederate administrator functionality to determine whether to store keys and certificates on a hardware security module (HSM) or a local trust store.
Administrators can enable the HSM hybrid mode, which provides the choice to store each relevant key and certificate on an HSM or the PingFederate-managed local trust store. This capability allows organizations to transition the storage of keys and certificates to a supported HSM to meet security requirements without the need to deploy a new PingFederate environment and mirror the setup.
The following images illustrate some general interactions between PingFederate and an HSM. Those interactions depend on whether you configure the HSM in hybrid mode.
PingFederate supports the following HSMs:
- AWS CloudHSM (stores private keys only)
- Gemalto SafeNet Luna Network HSM (stores private keys only)
- nCipher nShield Connect HSM (stores both certificates and private keys)
When HSM hybrid mode is disabled, PingFederate reads keys and certificates that are designated for HSM storage only from the HSM. It does not fall back to the local trust store, even if copies of those keys and certificates also exist there.
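The storage-selection rule described in this topic, written out as a small Python model. This is an illustrative example added here, not PingFederate's own code: the aliases, the store contents and the HSM profile values are constructed, and the model assumes that with hybrid mode off there is no per-item choice, so every item the HSM is able to hold is served only from the HSM. It also folds in the difference from the supported-HSM list above (CloudHSM and Luna hold private keys only, nShield holds certificates too), and shows the edge case a practitioner cares about: a key that exists only in the local trust store is refused rather than silently served from a software copy.

```python
from dataclasses import dataclass, field
from enum import Enum


class Store(Enum):
    HSM = "HSM"
    LOCAL = "local trust store"


class Kind(Enum):
    PRIVATE_KEY = "private key"
    CERTIFICATE = "certificate"


class NotAvailable(Exception):
    """Raised when the designated store lacks the item; no fallback is tried."""


@dataclass(frozen=True)
class HsmProfile:
    name: str
    stores_certificates: bool  # nShield Connect: True; CloudHSM and Luna: False


@dataclass
class Resolver:
    hsm: HsmProfile
    hybrid_mode: bool
    # alias -> Store chosen by the administrator; only honoured in hybrid mode
    placement: dict = field(default_factory=dict)
    # constructed store contents: alias -> (Kind, opaque material or handle)
    hsm_items: dict = field(default_factory=dict)
    local_items: dict = field(default_factory=dict)

    def designated_store(self, alias: str, kind: Kind) -> Store:
        """Decide which store is authoritative for this item."""
        # CloudHSM and Luna hold private keys only, so certificates stay local.
        if kind is Kind.CERTIFICATE and not self.hsm.stores_certificates:
            return Store.LOCAL
        if self.hybrid_mode:
            # Hybrid mode: the administrator chose a store for each item.
            return self.placement[alias]
        # Assumption of this model: with hybrid mode off there is no
        # per-item choice, so anything the HSM can hold is HSM-only.
        return Store.HSM

    def resolve(self, alias: str, kind: Kind):
        """Return (store, material). A copy in the other store is never used."""
        store = self.designated_store(alias, kind)
        items = self.hsm_items if store is Store.HSM else self.local_items
        entry = items.get(alias)
        if entry is None or entry[0] is not kind:
            raise NotAvailable(f"{kind.value} '{alias}' is not in the {store.value}")
        return store, entry[1]


def is_refused(resolver: Resolver, alias: str, kind: Kind) -> bool:
    """True when the item cannot be served from its designated store."""
    try:
        resolver.resolve(alias, kind)
    except NotAvailable:
        return True
    return False


def build_scenario(hybrid_mode: bool) -> Resolver:
    """Constructed setup: a Luna HSM, one signing key present in both stores,
    a legacy key that exists only locally, and the matching certificate."""
    luna = HsmProfile("Gemalto SafeNet Luna Network HSM", stores_certificates=False)
    return Resolver(
        hsm=luna,
        hybrid_mode=hybrid_mode,
        placement={
            "sso-signing": Store.HSM,
            "legacy-signing": Store.LOCAL,
            "sso-signing-cert": Store.LOCAL,
        },
        hsm_items={"sso-signing": (Kind.PRIVATE_KEY, "hsm-handle-0001")},
        local_items={
            "sso-signing": (Kind.PRIVATE_KEY, "stale-pkcs12-copy"),
            "legacy-signing": (Kind.PRIVATE_KEY, "legacy-pkcs12"),
            "sso-signing-cert": (Kind.CERTIFICATE, "pem-certificate"),
        },
    )


if __name__ == "__main__":
    strict = build_scenario(hybrid_mode=False)
    print(strict.resolve("sso-signing", Kind.PRIVATE_KEY))       # served from the HSM
    print(strict.resolve("sso-signing-cert", Kind.CERTIFICATE))  # Luna: certs stay local
    print("legacy key refused:", is_refused(strict, "legacy-signing", Kind.PRIVATE_KEY))
    hybrid = build_scenario(hybrid_mode=True)
    print(hybrid.resolve("legacy-signing", Kind.PRIVATE_KEY))    # admin placed it locally
```

With hybrid mode off, the stale local copy of `sso-signing` is ignored and the HSM handle is returned; the `legacy-signing` key, which was never migrated to the HSM, is refused instead of being read from the local trust store. Enabling hybrid mode is what makes the per-item placement meaningful, which is the transition scenario the page describes.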