Affects Version/s: 6.5.0
As described in
COMMONS-366, the JWT library currently cannot be used with an HSM key to sign with HMAC unless the key is marked as extractable and non-sensitive (not best practice). When the commons bug is fixed, the following places in the AM source code will also need a minor fix to ensure compatibility:
That is, for signing tokens used in USS and for integration with IDM during authentication.
- Buy an HSM that supports HMAC-SHA256
- Configure self-service and/or IDM integration to use a key from the HSM for HMAC signing
- See if it works
It doesn't work.
Make your HSM keys extractable. (NB: this is not best practice).
In each case, the code creates an HmacSigningHandler from the key by calling key.getEncoded() to get the raw bytes. For a non-extractable HSM key, this returns null. Instead, the Key object should be passed to the signing handler directly.
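The two code paths side by side, as an added illustration that is not AM's or the commons library's own code: `signViaEncodedBytes` mirrors the current behaviour (raw bytes pulled out with `getEncoded()`), `signViaKeyObject` is the fix (the `java.security.Key` goes straight to the JCA `Mac`). `NonExtractableKey` is a constructed stand-in for a PKCS#11 key whose material cannot leave the HSM, and `HmacKeyHandling` and the sample payload are names and data made up for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class HmacKeyHandling {

    /** Current pattern: extract the raw bytes, then rebuild a software key from them. */
    static byte[] signViaEncodedBytes(Key key, byte[] data) throws GeneralSecurityException {
        byte[] raw = key.getEncoded();                 // null for a non-extractable HSM key
        if (raw == null) {
            throw new IllegalStateException("key material is not extractable; pass the Key object instead");
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(raw, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Fix: hand the Key object to the JCA. When the Mac comes from the provider that owns the
     *  key (e.g. SunPKCS11 registered ahead of SunJCE, or passed to Mac.getInstance explicitly),
     *  the HMAC is computed inside the HSM and the key bytes never leave it. */
    static byte[] signViaKeyObject(Key key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data);
    }

    /** Constructed stand-in for a non-extractable HSM key: getEncoded() yields null. */
    static final class NonExtractableKey implements SecretKey {
        public String getAlgorithm() { return "HmacSHA256"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed JWT signing input (header.payload, base64url) and a constructed software key.
        byte[] payload = "eyJhbGciOiJIUzI1NiJ9.e30".getBytes(StandardCharsets.US_ASCII);
        SecretKey softKey = new SecretKeySpec(
                "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "HmacSHA256");

        // With an extractable software key both paths produce the same tag.
        boolean same = Arrays.equals(signViaEncodedBytes(softKey, payload), signViaKeyObject(softKey, payload));
        System.out.println("software key, both paths agree: " + same);

        // With an HSM-style key the byte-extraction path cannot work at all.
        try {
            signViaEncodedBytes(new NonExtractableKey(), payload);
        } catch (IllegalStateException e) {
            System.out.println("encoded-bytes path failed: " + e.getMessage());
        }
        // signViaKeyObject(new NonExtractableKey(), payload) succeeds only under the HSM's own
        // provider; the pure-software SunJCE provider also needs the encoded bytes and rejects it.
    }
}
```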