Using the PKCS #11 security provider
When launching Airlock IAM, the path to the java.security file must be specified in JAVA_OPTS:

```
# in instances/<instance-name>/instance.properties, add to (or extend) the existing Java options:
iam.java.opts = -Djava.security.properties=/opt/airlock/java.security
```
Configuring PKCS #11
Supported Use-Cases
PKCS #11 is supported for two use cases:
- Encrypting password hashes
- Password end-to-end encryption
HSM Keystore plugin configuration
The HSM Keystore plugin is used where the HSM is involved. The most important settings are:
Property | Example | Description |
---|---|---|
Security Provider Name | SunPKCS11-Luna | If a SunPKCS11 security provider is used, the provider name is SunPKCS11-<Token Name>, where <Token Name> is the name given in the configuration file in step 1. |
Keystore Type | PKCS11 | PKCS11 is the type used if the SunPKCS11 security provider is used. If another provider is used, check the documentation of that provider for the keystore type. |
Keystore Password | | The password (if needed) to log in to the HSM slot. If a connection was already established another way on the system, this can be empty. |
The keystore password can't be changed once the configuration is activated, because the JVM caches the security provider until restart.
As a consequence, configuration validation will not reflect a password change either. If the keystore password has to be changed, a restart of IAM is required.
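Because a wrong provider name or slot password is only discovered once IAM has cached the provider, it is worth checking both from a separate, throwaway JVM before activating the configuration. The following added example is not Airlock IAM code; it assumes a token named "Luna" (so the provider is SunPKCS11-Luna), a placeholder SunPKCS11 config file /opt/airlock/pkcs11.cfg, and that /opt/airlock/java.security registers it.

```java
// Added example (not Airlock IAM code): pre-flight check that the SunPKCS11 provider named in
// the HSM Keystore plugin is registered and that the PKCS11 keystore opens with the slot password.
// Assumed placeholder files:
//   /opt/airlock/pkcs11.cfg    : name = Luna / library = /path/to/pkcs11-library.so / slot = 0
//   /opt/airlock/java.security : security.provider.N=SunPKCS11 /opt/airlock/pkcs11.cfg   (Java 9+)
// Run: java -Djava.security.properties=/opt/airlock/java.security Pkcs11Check
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Enumeration;

public class Pkcs11Check {
    // Both values must match what is entered in the HSM Keystore plugin.
    static final String PROVIDER_NAME = "SunPKCS11-Luna"; // SunPKCS11-<Token Name>
    static final String KEYSTORE_TYPE = "PKCS11";

    public static void main(String[] args) throws Exception {
        Provider provider = Security.getProvider(PROVIDER_NAME);
        if (provider == null) {
            System.err.println("Provider " + PROVIDER_NAME + " is not registered. Registered providers:");
            for (Provider p : Security.getProviders()) {
                System.err.println("  " + p.getName());
            }
            System.exit(1);
        }
        // Read the slot PIN from the terminal rather than argv, so it never shows up in the
        // process list or shell history. An empty PIN means "slot session already open".
        char[] pin = System.console() == null
                ? new char[0]
                : System.console().readPassword("HSM slot password (empty if already logged in): ");
        try {
            KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, provider);
            // load() performs the PKCS #11 login; a wrong PIN fails here, in this throwaway JVM,
            // instead of being cached by the IAM JVM until its next restart.
            ks.load(null, pin.length == 0 ? null : pin);
            int count = 0;
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); count++) {
                System.out.println("alias: " + e.nextElement());
            }
            System.out.println(count + " entries visible through " + PROVIDER_NAME);
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in the heap longer than needed
        }
    }
}
```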
Further information and links
- Password hash encryption with HSM
  - Configuration in the Loginapp UI: In the Password Repository of the Username Password Authentication Step of the affected authentication flow, use the Encrypted Password Hash plugin.
- Password end-to-end encryption with HSM
  - Configuration in the Loginapp REST API: Follow the instructions in Password end-to-end encryption and use an HSM Keystore plugin.