Is HSM supported as KeyStore?


This topic has 2 replies, 2 voices, and was last updated 4 years, 11 months ago by handat.

  • #20060

    Can the IG keystore be configured to use a HSM instead of a keystore file?

    The current config appears to only allow a “url” as a file path to a jks file, is there an option to specify a hsm config file instead?

     Neil Madden

    Yes, you can do this – using the Oracle/Sun PKCS#11 provider at least. The only tricky part is that the PKCS#11 provider wants the keystore source to be null, but IG’s configuration will disallow that. You can work around this by enabling the keyStoreCompatibilityMode (undocumented) configuration option in the SunPKCS11 provider configuration file, which will allow you to pass in any file (e.g., /dev/null) for the keystore and it will be ignored. For instance:

    $ cat ~/hsm.conf 
    name = NitrokeyHSM
    description = SunPKCS11 with Nitrokey HSM
    library = /usr/local/opt/opensc/lib/
    slot = 0
    keyStoreCompatibilityMode = true

    Then configure your HSM in the JVM (or use on startup):

    You can then configure the HSM in IG’s config.json and use it to supply key-pairs, e.g. for the JwtSession or for configuring SSL:

    {
        "name": "HSM",
        "type": "KeyStore",
        "config": {
            "url": "file:/dev/null",
            "type": "PKCS11",
            "password": "${}"
        }
    },
    {
        "name": "JwtSession",
        "type": "JwtSession",
        "config": {
            "keystore": "HSM",
            "alias": "rsaKeyPair",
            "password": "",
            "sharedSecret": "GWPdOSTntki4wVeGhht53rSFiZtfTtxP910D5kUZsfs="
        }
    }

    Edit: note that I set the key password to “”, because my particular HSM does not allow setting per-key passwords so that will pass in an empty character array, which is what it expects.

    • This reply was modified 4 years, 11 months ago by Neil Madden.
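    The mechanism Neil describes, as an added standalone example (not code from the reply or from IG): the SunPKCS11 keystore normally rejects a non-null input stream, a non-null key password and a non-null ProtectionParameter, and keyStoreCompatibilityMode is what makes it ignore them instead. It assumes Java 9 or later (Provider.configure) and the hsm.conf shown above; the class name, the config path argument and the alias rsaKeyPair are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

public class Pkcs11KeyStoreCheck {

    // Loads the HSM-backed keystore the way a file-oriented caller such as IG
    // does: with a real (but meaningless) stream instead of null.
    public static KeyStore loadHsmKeyStore(String configPath, char[] pin) throws Exception {
        // Java 9+: configure the generic SunPKCS11 provider from hsm.conf.
        Provider p = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        // Without keyStoreCompatibilityMode = true this load() throws
        // "input stream must be null"; with it the stream is accepted and ignored,
        // and the PIN is what actually logs in to the token.
        try (InputStream ignored = new FileInputStream("/dev/null")) {
            ks.load(ignored, pin);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) {
            throw new IllegalStateException("run from a terminal so the PIN is not passed as an argument");
        }
        char[] pin = System.console().readPassword("HSM PIN: ");
        KeyStore ks = loadHsmKeyStore(args[0], pin);

        // List what the token exposes; HSM keys show up as key entries.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("%s key=%b cert=%b%n",
                    alias, ks.isKeyEntry(alias), ks.isCertificateEntry(alias));
        }

        // Per-key password: an empty char[] (IG's "password": ""), which the
        // compatibility mode tolerates; null is the only value accepted without it.
        Key key = ks.getKey("rsaKeyPair", new char[0]);
        System.out.println("rsaKeyPair algorithm: " + (key == null ? "not found" : key.getAlgorithm()));
    }
}
```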

    Thanks Neil, that makes it crystal clear.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.