OPENIDM-10780

IDM does not work with a Luna HSM keystore provider

    Details


      Description

      This is preventing the customer from upgrading to 5.5.x.

      See http://leifj.people.sunet.se/007-011136-007_lunasa_5-4-1_docs_revC/Content/Home_sa.htm for details about the Luna software. The problem is with the JWT session module, which requires the signing key to be extractable. The customer reports that this is not feasible to achieve with the Luna software; the problem stated is this:

      We did some research on the SafeNet implementation, and it seems like the only way to extract the HMAC key from the HSM is to use the SafeNet PKCS11 Java Wrapper library (which is NOT a PKCS11 impl library).
      http://leifj.people.sunet.se/007-011136-007_lunasa_5-4-1_docs_revC/Content/sdk/java/jcprov.htm
      For that reason, implementing an extractable HMAC key might not be a feasible solution.

      A possible workaround for the customer would be to allow reading the signing key from a separate keystore. The JWT session authentication configuration does allow specifying a keystore that is different from the main IDM keystore, however the signing key is still retrieved from the main IDM keystore. This is addressed in CAF-262.
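      Added illustration (not from the issue, the customer, or the IDM code base): the session JWT module only ever needs to compute and check an HMAC, and that does not require the key bytes to leave the keystore. The first method below reproduces the pattern that forces CKA_EXTRACTABLE on an HSM key (it copies the key out with getEncoded()); the second hands the opaque key object to a Mac obtained from the keystore's own provider, so the HMAC is computed wherever the key lives. The in-memory JCEKS keystore, the password and the alias jwt-session-hmac are stand-ins chosen for this example so it runs without an HSM; a Luna deployment would use a PKCS11 keystore behind a SunPKCS11 provider instead, and that configuration is deployment specific and not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Example (not IDM code): HS256 session-token signing with a keystore-resident key.
 * Style A copies the raw key out of the keystore; style B never does.
 */
public class JwtSigningKeyDemo {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DEC = Base64.getUrlDecoder();

    /** Style A: needs an extractable key. On a non-extractable HSM key getEncoded() returns null. */
    static String signExtracting(SecretKey key, String signingInput) throws Exception {
        byte[] raw = key.getEncoded();
        if (raw == null) {
            throw new IllegalStateException("signing key is not extractable; cannot copy raw bytes");
        }
        Mac mac = Mac.getInstance("HmacSHA256");            // default software provider
        mac.init(new SecretKeySpec(raw, "HmacSHA256"));
        return B64URL.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Style B: opaque key, Mac from the provider that owns the key; no getEncoded() anywhere. */
    static String signOpaque(SecretKey key, Provider provider, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256", provider);
        mac.init(key);                                      // provider resolves the key handle itself
        return B64URL.encodeToString(mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Builds header.payload.signature using style B. */
    static String hs256Jwt(SecretKey key, Provider provider, String payloadJson) throws Exception {
        String header = B64URL.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64URL.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + signOpaque(key, provider, signingInput);
    }

    /** Recomputes the tag with style B and compares in constant time. */
    static boolean verifyHs256(SecretKey key, Provider provider, String jwt) throws Exception {
        int dot = jwt.lastIndexOf('.');
        if (dot < 0) {
            return false;
        }
        try {
            byte[] presented = B64URL_DEC.decode(jwt.substring(dot + 1));
            byte[] expected = B64URL_DEC.decode(signOpaque(key, provider, jwt.substring(0, dot)));
            return MessageDigest.isEqual(presented, expected);
        } catch (IllegalArgumentException badBase64) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the IDM keystore: an in-memory JCEKS keystore from the default provider.
        // A Luna-backed deployment would load type "PKCS11" through a SunPKCS11 provider instead
        // (configuration not shown here); the rest of this method would not change.
        char[] pw = "changeit".toCharArray();               // example password, not a recommendation
        String alias = "jwt-session-hmac";                  // hypothetical alias for this example
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);
        SecretKey generated = KeyGenerator.getInstance("HmacSHA256").generateKey();
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(generated), new KeyStore.PasswordProtection(pw));

        SecretKey fromStore = (SecretKey) ks.getKey(alias, pw);
        Provider p = ks.getProvider();

        // With a software keystore the two styles agree; with a PKCS11 keystore only style B runs.
        String input = "aGVhZGVy.cGF5bG9hZA";
        System.out.println("styles agree: " + signExtracting(fromStore, input).equals(signOpaque(fromStore, p, input)));

        String jwt = hs256Jwt(fromStore, p, "{\"sub\":\"openidm-admin\"}");
        System.out.println("token: " + jwt);
        System.out.println("verifies: " + verifyHs256(fromStore, p, jwt));
        System.out.println("tampered verifies: " + verifyHs256(fromStore, p, jwt.substring(0, jwt.length() - 1) + "A"));
    }
}
```

      Compile and run with javac JwtSigningKeyDemo.java && java JwtSigningKeyDemo. The "styles agree" check is the one to keep in a unit test before pointing the same code at a PKCS11 keystore, where signExtracting is expected to throw. It also shows why the separate-keystore workaround above is viable: a software keystore holding only the session HMAC key satisfies the extractable-key requirement while the rest of the IDM key material stays in the HSM, at the cost of that one key being software-resident.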

      People

      Assignee: Mark Offutt (Inactive)
      Reporter: Matthias Grabiak