Is HSM supported as KeyStore?


This topic contains 2 replies, has 2 voices, and was last updated by  handat 12 months ago.

  • #20060
     handat 
    Participant

    Can the IG keystore be configured to use a HSM instead of a keystore file?

    The current config appears to only allow a “url” as a file path to a jks file, is there an option to specify a hsm config file instead?

    #20073
     Neil Madden 
    Participant

    Yes, you can do this – using the Oracle/Sun PKCS#11 provider at least. The only tricky part is that the PKCS#11 provider wants the keystore source to be null, but IG’s configuration will disallow that. You can work around this by enabling the keyStoreCompatibilityMode (undocumented) configuration option in the SunPKCS11 provider configuration file, which will allow you to pass in any file (e.g., /dev/null) for the keystore and it will be ignored. For instance:

    $ cat ~/hsm.conf
    name = NitrokeyHSM
    description = SunPKCS11 with Nitrokey HSM
    library = /usr/local/opt/opensc/lib/opensc-pkcs11.so
    slot = 0
    keyStoreCompatibilityMode = true

    Then configure your HSM in the JVM java.security (or use -Djava.security.properties= on startup):

    security.provider.11=sun.security.pkcs11.SunPKCS11 /Users/neil/hsm.conf

    You can then configure the HSM in IG’s config.json and use it to supply key-pairs, e.g. for the JwtSession or for configuring SSL:

    {
        "name": "HSM",
        "type": "KeyStore",
        "config": {
            "url": "file:/dev/null",
            "type": "PKCS11",
            "password": "${hsm.pin}"
        }
    },
    {
        "name": "JwtSession",
        "type": "JwtSession",
        "config": {
            "keystore": "HSM",
            "alias": "rsaKeyPair",
            "password": "",
            "sharedSecret": "GWPdOSTntki4wVeGhht53rSFiZtfTtxP910D5kUZsfs="
        }
    },

    Edit: note that I set the key password to “”, because my particular HSM does not allow setting per-key passwords so that will pass in an empty character array, which is what it expects.

    • This reply was modified 12 months ago by  Neil Madden.
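The following is an added Java example, not code from this thread or from ForgeRock IG, that checks the workaround Neil describes before wiring it into config.json: it configures SunPKCS11 from an hsm.conf like the one above, loads the PKCS11 keystore through a dummy /dev/null stream (the same thing IG does with "url": "file:/dev/null"), lists the aliases on the token and confirms that the "rsaKeyPair" alias resolves to a private key handle with an empty password. It assumes Java 9 or later (Provider.configure), an hsm.conf path passed as the hsm.conf system property, the token PIN in an HSM_PIN environment variable, and an alias name given on the command line; these names are assumptions, not IG configuration keys.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;
import java.util.List;

/**
 * Loads a PKCS#11 KeyStore the way IG would after the workaround in the post:
 * SunPKCS11 is configured from an hsm.conf that sets keyStoreCompatibilityMode = true,
 * and the keystore is loaded from a dummy stream instead of the null stream the
 * provider normally insists on.
 */
public class HsmKeyStoreCheck {

    /** Registers SunPKCS11 from a config file (Java 9+ API).
     *  On Java 8 use new sun.security.pkcs11.SunPKCS11(configPath) instead. */
    public static Provider registerHsmProvider(String configPath) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this JVM");
        }
        Provider configured = base.configure(configPath);
        if (Security.getProvider(configured.getName()) == null) {
            Security.addProvider(configured);
        }
        return configured;
    }

    /**
     * With useDummyStream=false this is the canonical load(null, pin).
     * With true it mimics IG handing the provider a real file, which the provider
     * only accepts when keyStoreCompatibilityMode = true is set in the config.
     */
    public static KeyStore loadHsmKeyStore(Provider hsm, char[] pin, boolean useDummyStream)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        if (useDummyStream) {
            try (InputStream ignored = new FileInputStream("/dev/null")) {
                ks.load(ignored, pin);   // stream content is ignored; the PIN opens the token session
            }
        } else {
            ks.load(null, pin);
        }
        return ks;
    }

    /** Lists aliases so the alias named in IG's JwtSession config can be checked. */
    public static List<String> aliases(KeyStore ks) throws Exception {
        return Collections.list(ks.aliases());
    }

    /**
     * Fetches the private key handle for an alias using an empty password, matching
     * "password": "" in the JwtSession config for tokens without per-key passwords.
     * The returned object is only a handle; the key material stays inside the HSM.
     */
    public static boolean hasPrivateKey(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return false;
        }
        return ks.getKey(alias, new char[0]) instanceof PrivateKey;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: hsm.conf path from a system property, PIN from the environment.
        String configPath = System.getProperty("hsm.conf",
                System.getProperty("user.home") + "/hsm.conf");
        String pinEnv = System.getenv("HSM_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("set HSM_PIN to the token user PIN");
        }
        char[] pin = pinEnv.toCharArray();
        String alias = args.length > 0 ? args[0] : "rsaKeyPair";

        Provider hsm = registerHsmProvider(configPath);
        KeyStore ks;
        try {
            ks = loadHsmKeyStore(hsm, pin, true);
        } catch (IOException e) {
            // Without keyStoreCompatibilityMode the provider rejects a non-null stream;
            // this is the failure IG would surface with "url": "file:/dev/null".
            System.err.println("Dummy-stream load rejected: " + e.getMessage());
            ks = loadHsmKeyStore(hsm, pin, false);
        }
        System.out.println("Aliases on token: " + aliases(ks));
        System.out.println("Private key '" + alias + "' usable: " + hasPrivateKey(ks, alias));
    }
}
```

Run it as `HSM_PIN=... java -Dhsm.conf=$HOME/hsm.conf HsmKeyStoreCheck rsaKeyPair`. If the dummy-stream load is rejected, the config is missing keyStoreCompatibilityMode and IG will fail in the same way; if the alias is not listed, generate or import the key pair on the token under that alias before pointing JwtSession at it.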
    #20099
     handat 
    Participant

    Thanks Neil, that makes it crystal clear.

©2018 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.