HSM support

Airlock IAM REST API supports HSM (hardware security modules) with a PKCS #11 interface for the following use cases:

• Encrypt password hashes before storing them in the user database.
• Password end-to-end encryption.

For this guide, the following assumptions are made:

• A Hardware Security Module (HSM) is deployed on the network
• The required key material is provisioned on the HSM. Use the HSM interface to manage the keys.
• • For end-to-end encryption: The HSM has to provide the appropriate key (usually a certificate containing an RSA key) for the alias configured in IAM.
  • For the encrypted hash function feature: The HSM has to provide the appropriate secret key entry (e.g. an AES key) for the alias and key type configured in IAM.
• A connection is established between the system running Airlock IAM and the HSM.
• The PKCS #11 native extensions of the HSM are installed on the system running Airlock IAM.
• TCP keep-alive should be enabled on both the HSM and the client.

• If the connection is killed on either side, the Sun PKCS #11 Provider will throw an exception with “java.security.ProviderException: Token has been removed”.

• End-to-End Encryption of passwords
• Java PCKS #11 Documentation
• [PDF] OASIS PKCS#11 Cryptographic Token Interface Current Mechanisms Specification Version 2.40