Integration with AWS CloudHSM
Inside SSO Connect's data folder there are several files. Two of the files contain secret keys generated on the server that must be protected and are utilized to encrypt and decrypt the end-user's auto-generated master passwords. There is also a .sql file which contains a local cache of encrypted data. It is critical that access to this data folder is restricted.
On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.
On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.
You can add an extra layer of security by utilizing an HSM (Hardware Security Module) as described below. When an HSM is available, an encryption key is generated for each SSO Connect instance and stored securely in the HSM. The encryption key is used to encrypt the critical property files in the data/ folder.
Amazon currently allows only CloudHsmV2 for new HSM deployments; Keeper supports this version. a. Legacy Cloud HSM v1 hardware is not supported by Keeper.
Amazon HSM software currently supports Linux or Windows installations.
Port TCP/443 open, stateful outbound from Keeper SSO Connect to www.keepersecurity.com
Port TCP/2223 open, bidirectional from the SSO Connect machine to the HSM hardware
Port TCP/2225 open, bidirectional from the SSO Connect machine to the HSM hardware
Port TCP/8080 open, inbound from a Keeper Admin workstation to Keeper SSO Connect for admin GUI access (optional)
$ telnet www.keepersecurity.com 443Trying 52.204.60.27Connected to www.keepersecurity.com.Escape character is '^]'.
Provision your Amazon HSM cluster and install the HSM software on the SSO Connect machine as described in:
​https://docs.aws.amazon.com/cloudhsm/latest/userguide/install-and-configure-client-linux.html​
or
​https://docs.aws.amazon.com/cloudhsm/latest/userguide/install-and-configure-client-win.html​
You will need the Java libraries. On Linux the software is installed in /opt/cloudhsm.
Ensure that the cloudhsm_client service is running in the background:
$ ps aux | grep cloudIf cloudhsm_client is not running:$ sudo service cloudhsm-client start$ ps aux | grep cloud... /opt/cloudhsm/bin/cloudhsm_client ...
$ sudo /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfgaws-cloudhsm>listUsersaws-cloudhsm>loginHSM CU <hsm_user> <hsm_password>aws-cloudhsm>listUsersaws-cloudhsm>getHSMInfoaws-cloudhsm>quit
Install SSO Connect as usual.
NOTE: The Amazon HSM Java software is supposed to recognize a file named HsmCredentials.properties on the Java Classpath.
However, this may not work for some reason. Instead you may need to set HSM_USER, HSM_PASSWORD, and HSM_PARTITION environment variables. For testing, you will probably have to set the shell variables.
Test the HSM connection:
$ java -Djava.library.path=/opt/cloudhsm/lib/ -classpath ~/sso_connect/SSOConnect.jar com.keepersecurity.util.AmazonKeyStoreExampleRunner
It should print the keys in the HSM.
Configure SSO Connect as usual via the command line or in the admin interface at http://localhost:8080/config
a. Set the "Advertised Hostname", a. Add the SSL certificate, a. Add the SAML XML metadata file.
In the admin interface, the HSM configuration section is at the bottom of the Configuration page.
a. Select "Amazon CloudHsmV2" as the type, a. Some properties will appear in the box below. You probably don't need to change them. i. An exception would be if the certificate to be used to talk to the HSM is not the same certificate used for SSL in SSO Connect. i. You may need to enter a password for the certificate file (usually the same one used for the SSL certificate file). a. Click the Enabled/Disabled box, a. Click Save
SSO Connect should now restart and connect to the HSM. If the status page shows that HSM is enabled, it worked. In rare situations when startup is very slow you may need to click on the Status command again so that it updates the status.
If it didn't work, check the SSO Connect error log. The most common error is that it can't find the HSM credentials. Set the credentials as environment variables to ensure that they are available.
If it didn't work, check the error log. The most common error is that it can't find the HSM credentials. Set the credentials as environment variables to ensure that they are available.
Verify that SSOconnect is installed on the machine.
Usually there is a folder called
sso_connect,KeeperSSO, or some similar name. The folder will contain many jar files.
Verify that the HSM device is accessible.
SSOconnect has a built-in test program copied from the Amazon test libraries:
$ java -Djava.library.path=/opt/cloudhsm/lib/ -classpath ~/sso_connect/SSOConnect.jar com.keepersecurity.util.AmazonKeyStoreExampleRunnerIt should print the keys stored in the HSM.
Check the log file for errors. The Secure Key Storage subsystem of SSOconnect will print an ERROR line to the log if it encounters a problem.
$ more logs/ssoconnect.logThe error will be a variation of "Unable to use Secure Key Storage". This indicates one of the following problems:
a. Network problem accessing the HSM- Ensure that ports 2223 and 2225 are open.​b. data/sks.properties is missing- if data/sks.properties is missing you will need to re-configure SSOConnect.​c. The encrypted property files are missing- Check for data/instance.encp and data/shared.encp.​d. The encryption key is missing from the HSM- Did somebody clear the HSM partition? You will need to re-configure SSOConnect.​e. The server may be out of disk space- clear some disk space.​f. The encryption algorithm used is not supported on the HSM- The algorithm is AES/GCM/NoPadding. Check with the device provider.​g. The file data/sso-keystore.jks is missing- The program cannot store a key in the HSM without the certificate chain from the sso_keystore.jks file.Find the file and ensure that it is in the data folder.
The data folder contains the SSO Connect configuration files. At a minimum it should be backed up after initial configuration and each time the configuration is modified. In addition to the configuration files, there are data files in data but they will automatically be refreshed if they get out of synch with the Keeper server. Thus, regular periodic backups can be used but are not necessary. The data folder on each SSO Connect instance needs to be backed up independently because not all of the configuration settings are shared among instances.
On non-Windows machines the data folder is under the SSO Connect install folder, typically $HOME/sso_connect/data.
On Windows machines the data folder is in C:\ProgramData\Keeper SSO Connect\data\ since v14.1. Prior to v14.1 it was in C:\Program Files\Keeper Security\SSO Connect\data\.
If the SSO Connect server dies you will need to reinstall Amazon HSM and SSO Connect on the replacement machine using the standard installation instructions above.
If you have backed up the data folder as described above, restore it before starting SSO Connect. If a data folder already exists (because you started SSO Connect), stop SSO Connect, remove all files in the data folder, copy the files from the backed-up data folder, and restart SSO Connect. SSO Connect should start successfully.
If you did not backup the data folder or if the backup is out-of-date you will need to configure the replacement instance as if it were a new installation. Please follow the SSO Connect installation guide.
When using an HSM, the HSM stores the encryption key used to decrypt the configuration files in the data folder. The HSM is accessed once, when SSO Connect starts, and also any time the configuration is changed. If the configuration files are encrypted and the encryption key stored on the HSM is lost or inaccessible the SSO Connect instance will need to be configured again in order to create new, unencrypted configuration files. Delete the contents of the data folder and configure SSO Connect from scratch again.
You can disable HSM/SKS use by entering 'no' to the "Enable SKS?" configuration question, or by using the -disableSKS command-line option.
