Use keystores in Hardware Security Module (HSM)
PhenixID server is able to use keystores stored in an HSM. This article describes how to configure PhenixID server to use HSM keys.
Prerequisites
- Installation and configuration of the HSM. This is out of scope for this document; consult your HSM supplier's documentation.
- Keys imported into the HSM
- The alias of the key to use must be known
Configuring the module
Open the Advanced tab in Configuration Manager.
Open the Modules node and locate the crypto module. If it is not present, create it. If you created it, make sure to update the "module_refs" property of the appropriate node with the module id.
{
  "module": "com.phenixidentity~phenix-crypto",
  "enabled": "true",
  "config": {
    "crypto_mode": "hsm", // This must be set to "hsm"
    "hsmprovider": "<path to the provider file>", // The file path to the HSM conf file
    "hsm_password": "my super secret password" // The HSM password
  }
}
Note that switching to HSM after using internal certificates requires reconfiguration.
Using a key from the HSM
Open the Configuration tab in Configuration Manager.
Locate Keystores.
Open Keystores. Configure the key to use by simply adding:
{
  "id": "bhull",
  "certificateAlias": "bhull"
}
Example of a complete Keystores configuration:
[
  {
    "id": "bhull",
    "certificateAlias": "bhull"
  },
  {
    "id": "samlsigner",
    "certificateAlias": "samlsigner"
  }
]
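A small consistency check for the two configurations above, written as an added example (not PhenixID code): it strips the // comments shown in the module snippet, verifies that crypto_mode is "hsm", that hsmprovider no longer holds the placeholder and points at an existing file, and that every certificateAlias in Keystores is an alias actually present in the HSM. The provider path and the set of HSM aliases are constructed sample values.

```python
import json
import re
from pathlib import Path

# Constructed crypto module config; the // comments mirror the article's snippet and are stripped before parsing.
MODULE_CONFIG_TEXT = """{
  "module": "com.phenixidentity~phenix-crypto",
  "enabled": "true",
  "config": {
    "crypto_mode": "hsm", //This must be set to "hsm"
    "hsmprovider": "/etc/phenixid/hsm.cfg", //hypothetical provider file path
    "hsm_password": "my super secret password"
  }
}"""
# Constructed Keystores configuration, as in the article's example.
KEYSTORES_TEXT = """[
  {"id": "bhull", "certificateAlias": "bhull"},
  {"id": "samlsigner", "certificateAlias": "samlsigner"}
]"""
# Key aliases known to exist in the HSM (constructed; take the real list from your HSM tooling).
HSM_ALIASES = {"bhull", "samlsigner"}

def strip_line_comments(text):
    """Drop // comments that sit outside string literals so json.loads accepts the text."""
    return re.sub(r'("(?:[^"\\]|\\.)*")|//[^\n]*', lambda m: m.group(1) or "", text)

def check_hsm_config(module_text, keystores_text, hsm_aliases, provider_exists=Path.is_file):
    """Return a list of findings; an empty list means the two configs are consistent."""
    findings = []
    cfg = json.loads(strip_line_comments(module_text)).get("config", {})
    if cfg.get("crypto_mode") != "hsm":
        findings.append('crypto_mode must be "hsm"')
    provider = cfg.get("hsmprovider", "")
    if not provider or provider.startswith("<"):
        findings.append("hsmprovider still holds the placeholder value")
    elif not provider_exists(Path(provider)):
        findings.append(f"hsmprovider file not found: {provider}")
    if not cfg.get("hsm_password"):
        findings.append("hsm_password is empty")
    seen = set()
    for entry in json.loads(keystores_text):
        ks_id, alias = entry.get("id"), entry.get("certificateAlias")
        if not ks_id or not alias:
            findings.append(f"keystore entry missing id or certificateAlias: {entry}")
            continue
        if ks_id in seen:
            findings.append(f"duplicate keystore id: {ks_id}")
        seen.add(ks_id)
        if alias not in hsm_aliases:
            findings.append(f"keystore {ks_id}: alias {alias!r} is not present in the HSM")
    return findings
```

Run check_hsm_config with the real module and Keystores JSON before restarting the server; a non-empty result points at the exact entry to fix.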