This topic has 2 replies, 2 voices, and was last updated 2 years, 3 months ago by 
-
Posts
-
Can the IG keystore be configured to use a HSM instead of a keystore file?
The current config appears to only allow a “url” as a file path to a jks file, is there an option to specify a hsm config file instead?
Yes, you can do this – using the Oracle/Sun PKCS#11 provider at least. The only tricky part is that the PKCS#11 provider wants the keystore source to be null, but IG’s configuration will disallow that. You can work around this by enabling the keyStoreCompatibilityMode (undocumented) configuration option in the SunPKCS11 provider configuration file, which will allow you to pass in any file (e.g., /dev/null) for the keystore and it will be ignored. For instance:
$ cat ~/hsm.conf name = NitrokeyHSM description = SunPKCS11 with Nitrokey HSM library = /usr/local/opt/opensc/lib/opensc-pkcs11.so slot = 0 keyStoreCompatibilityMode = trueThen configure your HSM in the JVM java.security (or use -Djava.security.properties= on startup):
security.provider.11=sun.security.pkcs11.SunPKCS11 /Users/neil/hsm.confYou can then configure the HSM in IG’s config.json and use it to supply key-pairs, e.g. for the JwtSession or for configuring SSL:
{ "name": "HSM", "type": "KeyStore", "config": { "url": "file:/dev/null", "type": "PKCS11", "password": "${hsm.pin}" } }, { "name": "JwtSession", "type": "JwtSession", "config": { "keystore": "HSM", "alias": "rsaKeyPair", "password": "", "sharedSecret": "GWPdOSTntki4wVeGhht53rSFiZtfTtxP910D5kUZsfs=" } },Edit: note that I set the key password to “”, because my particular HSM does not allow setting per-key passwords so that will pass in an empty character array, which is what it expects.
You must be logged in to reply to this topic.
