Hardware Security Module (PKCS#11) support in Connect2id server 6.3

Posted 2017-01-30

HSM device

The Connect2id server can now utilise Hardware Security Modules (HSM) for signing issued identity and access tokens. By performing the cryptographic operations on a dedicated external device, and with no logical access to the private keys, the HSM provides an excellent security guarantee against key theft. This makes HSMs indispensable in applications which require a high degree of security, such as national eID schemes and in payments.

The HSM is accessed from the Connect2id server via a PKCS#11 interface, which has been the established standard for such devices since 1995.

You can find out more about HSM configuration in the Connect2id server manual. RSA as well as EC keys are supported. Roll-over of the signing keys is done automatically, based on the validity window of their X.509 certificates.

Check the release notes below to find out what else has been updated in Connect2id server v6.3.


To download a ZIP package of Connect2id server 6.3:


(SHA-1: 14fca0357036a322a85d9442c55e96ca269f37f3)

As WAR package only:


(SHA-1: 4b6a57f384df93b3d801c76643e211167bcf4b0c)


Get in touch Connect2id support, we’ll be delighted to help out.

Release notes

6.3 (2017-01-30)


  • Adds comprehensive support for signing issued ID and self-contained access tokens with RSA and EC keys stored in a PKCS#11 compliant Hardware Security Module (HSM). Supports automatic key rollover based on the not-before and not-after dates specified in the X.509 certificate of each PKCS#11 based RSA and EC key intended for signing.


  • /WEB-INF/jose.properties

    • Introduces new optional configuration file for loading RSA and EC signing JSON Web Keys (JWK) from a PKCS#11 compliant HSM.
  • /WEB-INF/hsm.cfg

    • Adds sample configuration file for the Java SUN PKCS#11 security provider (to enable loading of a PKCS#11 compliant HSM).
  • /WEB-INF/web.xml
    • Adds com.nimbusds.jose.jwk.loader.JWKSetLoader listener.


  • No changes


  • Logs a detailed message at level "INFO" for a token request with JWT client authentication (client_secret_jwt, private_key_jwt) where the JWT has expired or the claims validation failed (issue sdk/204).

Bug fixes

  • Outputs a proper OAuth 2.0 invalid_client error if a token request includes multiple client authentication methods (issue sdk/203).

  • Fixes a bug which caused the BouncyCastle JCA provider to be loaded if "none"
    is detected among the supported ID token JWS algorithms (non-critical).


  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.21

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.34.1

  • Upgrades to com.nimbusds:oauth2-authz-store:5.11.1

  • Upgrades to com.nimbusds:oidc-session-store:4.14.3

  • Adds new com.nimbusds:nimbus-jwkset-loader:1.2.2 dependency.

  • Upgrades to org.bouncycastle:bcprov-jdk15on:1.56

  • Upgrades to org.bouncycastle:bcpkix-jdk15on:1.56

  • Upgrades to Infinispan 8.2.6.Final

  • Upgrades to JAX-RS Jersey 2.25.1

  • Upgrades to Log4j 2.8

comments powered by Disqus