Release Notes

Introduction

These release notes apply to version 2.2.2 of the nShield Cloud Integration Option Pack (CIOP) for Security World Software. They contain information specific to this release such as new features, defect fixes, and known issues.

This document may be updated with issues that have become known after this release has been made available. Check https://nshieldsupport.entrust.com/hc/en-us/sections/360001115837-Release-Notes for the most up to date version of this document.

Access to the Entrust nShield Help Center is available to customers under maintenance. Contact Entrust nShield Technical Support at nshield.support@entrust.com to request an account.

Purpose of this release

CIOP provides users of cloud services the ability to generate keys in their own environment and export them for use in the cloud while having:

Confidence that their key has been generated securely using a strong entropy source.
Confidence that the long-term storage of their key is protected by a FIPS-certified Hardware Security Module (HSM).

The following cloud services are supported:

Amazon Web Services (AWS)
Google Compute Engine
Google Cloud Key Management (Google KMS)
Microsoft Azure
Salesforce

Features of nShield Cloud Integration Option Pack v2.2.2

Updated HSM and Security World Software support

CIOP now supports the nShield 5s and nShield 5c hardware security module (HSM) variants, as well as the latest released version of nShield Security World Software. See Compatibility for the list of HSM variants and Security World Software versions supported.

Updated operating systems support

The operating systems supported by CIOP have been revised to reflect support for the latest released version of Security World Software.

The following operating systems are now supported:

Microsoft Windows 11 x64
Microsoft Windows Server 2022 x64
Microsoft Windows Server 2022 Core x64
Red Hat Enterprise Linux 8 x64
Red Hat Enterprise Linux 9 x64
Oracle Enterprise Linux 8 x64

The following have been deprecated:

Microsoft Windows Server 2012 R2 x64
Red Hat Enterprise Linux AS/ES 6 x86/x64
Oracle Enterprise Linux 6.10 x64

See Compatibility for the list of operating systems supported.

RSAES_OAEP_SHA_256 wrapping algorithm support for Google KMS

It is now possible to specify RSAES_OAEP_SHA_256 as the wrapping algorithm for Google KMS. The supported wrapAlg values for Google KMS are: RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256. See the User Guide for more information on how to use CIOP with Google KMS.

cssadmin is now cloud_integration_tool

cssadmin, the tool for securely generating, wrapping and exporting keys to a cloud service provider, has been renamed to cloud_integration_tool.

User documentation

The CIOP user documentation has been moved from the software package to https://nshielddocs.entrust.com.

Release notes and user documentation for recent releases are publicly available at https://nshielddocs.entrust.com.
PDF versions of all supported release notes and user documents are available in the Entrust nShield Help Center at https://nshieldsupport.entrust.com/hc/en-us/categories/360000473317-Documents-Manuals. Access to the Entrust nShield Help Center is available to customers under maintenance. Contact Entrust nShield Technical Support at nshield.support@entrust.com to request an account.

Important information

Before deploying the nShield Cloud Integration Option Pack, the following should be considered:

That an existing Security World software installation is required before installing the nShield Cloud Integration Option Pack.
That a usable Security World is required.
If using the Salesforce provider, that nShield Firmware version 12.70 is required.
CIOP requires the python module asn1crypto to be installed for nfast python. This will be carried out by the CIOP installation process.
When using multiple modules, cloud_integration_tool defaults to the first usable module. To change this, the –m option within cloud_integration_tool should be used to specify a module.
The nShield Cloud Integration Option Pack expects Security World keys to be created with an appropriate set of permissions, therefore, only Security World keys created by cloud_integration_tool can be exported.
If using nfkmverify to verify the generated Security World key the following message may be displayed (where <key name> is the name given during execution of cloud_integration_tool):
```
DISCREPANCY: ACL of application key simple <key name> not of expected form:

unexpected derivekey mechanism RawEncrypt
```

This is expected behavior and does not indicate a problem with the generated key.

Compatibility

Supported hardware

This release is targeted at deployments with any combination of the following nShield HSMs:

nShield 5s (Base, Mid, High)
nShield 5c (Base, Mid, High)
nShield Solo XC (Base, Mid, High)
nShield Solo PCI Express (500+, and 6000+)
nShield Connect (500+, 1500+, and 6000+)
nShield Connect XC (Base, Mid, High, Serial Console)
nShield Edge

Supported operating systems

This release has been tested for compatibility with the following operating systems:

Microsoft Windows 10 x64
Microsoft Windows 11 x64
Microsoft Windows Server 2016 x64
Microsoft Windows Server 2019 x64
Microsoft Windows Server 2019 Core x64
Microsoft Windows Server 2022 x64
Microsoft Windows Server 2022 Core x64
Red Hat Enterprise Linux 7 x64
Red Hat Enterprise Linux 8 x64
Red Hat Enterprise Linux 9 x64
SUSE Enterprise Linux 12 x64
SUSE Enterprise Linux 15 x64
Oracle Enterprise Linux 7 x64
Oracle Enterprise Linux 8 x64

Supported Security World versions

This release can be used with the following nShield Security World Software installations:

Security World v13.4
Security World v13.3
Security World v12.71

Supported Firmware versions

This release can be used with the following nShield Firmware versions:

nShield Firmware v12.60 or higher if using the aws, google-compute-engine, microsoft-azure, or google-cloud-key-management providers
nShield Firmware v12.70 or higher if using the salesforce provider

Cloud Service Provider integration

This table shows which Cloud Service Provider is supported in each version of CIOP.

		CIOP v2.0.0	CIOP v2.1.0	CIOP v2.2.2	Minimum Required Security World
Cloud Service Provider	Amazon Web Services	✓	✓	✓	v12.60
Google Compute Engine	✓	✓	✓	v12.60
Google Cloud Key Management	x	x	✓	v12.60
Microsoft Azure	✓	✓	✓	v12.60
Salesforce	x	✓	✓	v12.70

CIOP v2.0.0

CIOP v2.1.0

CIOP v2.2.2

Minimum Required Security World

Cloud Service Provider

Amazon Web Services

✓

v12.60

Google Compute Engine

✓

v12.60

Google Cloud Key Management

✓

v12.60

Microsoft Azure

✓

v12.60

Salesforce

✓

v12.70

Note that some of the providers were available in CIOP v1.0 and v1.1 releases but these Release Notes only detail compatibility from CIOP v2.0 onwards. Refer to the Release Notes for those versions if required.

Terminology

Target Key	The key to transfer from an nShield HSM to a Cloud hosted HSM.
Wrapping Key	The key obtained from the Cloud Service Provider which is used to protect the target key in transit.
Wrapping Algorithm	The algorithm used to wrap the target key with the wrapping key.

Amazon Web Services

Support for Amazon Web Services has been available from CIOP v2.0.0. Using this provider requires a minimum of Security World and Firmware v12.60.

The following table shows the supported target and wrapping key combinations supported for AWS.

At time of release, the only wrapping key type supported by AWS is 2048-bit RSA and there is no choice of target key type.

		Wrapping Algorithm
		RSAES_OAEP_SHA_1	RSAES_OAEP_SHA_256	RSAES_PKCS1_V1_5
Target Key Type	AES 256	✓	✓	✓
Supported by AWS	✓	✓	✓
Supported in a v3 FIPS 140-2 Level 3 Security World*	✓	✓	x

Wrapping Algorithm

RSAES_OAEP_SHA_1

RSAES_OAEP_SHA_256

RSAES_PKCS1_V1_5

Target Key Type

AES 256

✓

Supported by AWS

✓

Supported in a v3 FIPS 140-2 Level 3 Security World*

✓

* RSAES_OAEP_SHA_1 was made available in FIPS Security Worlds from Security World v12.70, prior to that it was disabled.

Google Compute Engine

Support for Google Compute Engine has been available from CIOP v2.0.0. Using this provider requires a minimum of Security World and Firmware v12.60.

The following table shows the supported target and wrapping key combinations supported for Google Compute Engine.

At time of release, the only wrapping key supported by Google is the RSA public key certificate maintained by Compute Engine. There is no choice of target key type.

Note that some of the wrapping algorithms that CIOP supports are not currently compatible with Google Compute Engine.

		Wrapping Algorithm
		RSAES_OAEP_SHA_1	RSAES_OAEP_SHA_256	RSAES_PKCS1_V1_5
Target Key Type	AES 256	✓	✓	✓
Supported by Google Compute Engine	✓	x	x
Supported in a v3 FIPS 140-2 Level 3 Security World	✓*	✓	x

Wrapping Algorithm

RSAES_OAEP_SHA_1

RSAES_OAEP_SHA_256

RSAES_PKCS1_V1_5

Target Key Type

AES 256

✓

Supported by Google Compute Engine

✓

Supported in a v3 FIPS 140-2 Level 3 Security World

✓*

✓

* RSAES_OAEP_SHA_1 was made available in FIPS Security Worlds from Security World v12.70 and prior to that it was disabled.

Google Cloud Key Management

Support for Google Cloud Key Management has been available from CIOP v2.2.1. Using this provider requires a minimum of Security World and Firmware v12.60.

The following table shows the supported target and wrapping key combinations supported for Google Cloud Key Management.

The only supported wrapping algorithm for Google KMS is CKM_RSA_AES_KEY_WRAP.

		Google KMS Wrapping Key (Import Job)	Supported by Google KMS	Supported in a v3 FIPS 140-2 Level 3 Security World *
		RSA-3072	RSA-4096
Target Key Type	RSA-2048	✓	✓	✓	✓
RSA‑3072	✓	✓	✓	✓
RSA‑4096	✓	✓	✓	✓
EC‑NISTP256	✓	✓	✓	✓
EC‑NISTP384	✓	✓	✓	✓
AES‑256	✓	✓	✓	✓

Google KMS Wrapping Key
(Import Job)

Supported by Google KMS

Supported in a v3 FIPS 140-2 Level 3 Security World *

RSA-3072

RSA-4096

Target Key Type

RSA-2048

✓

RSA‑3072

✓

RSA‑4096

✓

EC‑NISTP256

✓

EC‑NISTP384

✓

AES‑256

✓

* CKM_RSA_AES_KEY_WRAP was made available in FIPS Security Worlds from Security World Version v12.70. If you are using v12.60, this mechanism will be disabled in a FIPS Security World.

Microsoft Azure

Support for Microsoft Azure has been available from CIOP v2.0.0. Using this provider requires a minimum of Security World and Firmware v12.60.

The following table shows the supported target and wrapping key combinations supported for Microsoft Azure.

The only supported wrapping algorithm for Azure is CKM_RSA_AES_KEY_WRAP.

		Azure Wrapping Key (Key Exchange Key)	Supported by Azure	Supported in a v3 FIPS 140-2 Level 3 Security World *
		RSA-2048	RSA-3072	RSA-4096
Target Key Type	RSA-2048	✓	✓	✓	✓	✓
RSA‑3072	✓	✓	✓	✓	✓
RSA‑4096	✓	✓	✓	✓	✓
EC‑NISTP256	✓	✓	✓	✓	✓
EC‑NISTP384	✓	✓	✓	✓	✓
EC‑NISTP521	✓	✓	✓	✓	✓
EC-SECP256K1	✓	✓	✓	x	x

Azure Wrapping Key
(Key Exchange Key)

Supported by Azure

Supported in a v3 FIPS 140-2 Level 3 Security World *

RSA-2048

RSA-3072

RSA-4096

Target Key Type

RSA-2048

✓

RSA‑3072

✓

RSA‑4096

✓

EC‑NISTP256

✓

EC‑NISTP384

✓

EC‑NISTP521

✓

EC-SECP256K1

✓

* CKM_RSA_AES_KEY_WRAP was made available in FIPS Security Worlds from Security World Version v12.70. If you are using v12.60, this mechanism will be disabled in a FIPS Security World.

Salesforce

Support for Salesforce has been available from CIOP v2.1.0.

Using this provider requires a minimum of Security World and Firmware v12.70.

The following table shows the supported target and wrapping key combinations supported for Salesforce.

At time of release, the only wrapping key type supported by Salesforce is 4096-bit RSA and there is no choice of target key type.

Note that some of the wrapping algorithms that CIOP supports are not currently compatible with Salesforce.

		Wrapping Algorithm
		RSAES_OAEP_SHA_1	RSAES_OAEP_SHA_256	RSAES_PKCS1_V1_5
Target Key Type	AES 256	✓	✓	✓
Supported by Salesforce	✓	x	x
Supported in a v3 FIPS 140-2 Level 3 Security World	✓	✓	x

Wrapping Algorithm

RSAES_OAEP_SHA_1

RSAES_OAEP_SHA_256

RSAES_PKCS1_V1_5

Target Key Type

AES 256

✓

Supported by Salesforce

✓

Supported in a v3 FIPS 140-2 Level 3 Security World

✓

Fixed issues from previous release

Reference Description

Reference	Description
NSE-57821	CIOP release notes claim that EC-SECP256K1 is supported by Azure when it is not.
NSE-55109	CIOP now supports `RSAES_OAEP_SHA_256` for Google KMS.
NSE-48209	A warning is no longer displayed when specifying `managedhsm` for `--azure-kek`.

NSE-57821

CIOP release notes claim that EC-SECP256K1 is supported by Azure when it is not.

NSE-55109

CIOP now supports RSAES_OAEP_SHA_256 for Google KMS.

NSE-48209

A warning is no longer displayed when specifying managedhsm for --azure-kek.

Known issues

Known issues in CIOP v2.2.2

Reference	Description
NSE-41286	If you want to provide FIPS Authorization using an OCS or ACS presented via Remote Administration you will need to remap the relevant Dynamic Slot to Slot 0.

Reference

Description

NSE-41286

If you want to provide FIPS Authorization using an OCS or ACS presented via Remote Administration you will need to remap the relevant Dynamic Slot to Slot 0.

Known issues in Security World v12.71

Some known issues relevant to operating CIOP are listed below. Refer to the Release Notes for the Security World version you are using for the full list of known issues.

Reference	Description
	No known issues in Security World software identified at this time.

Reference

Description

No known issues in Security World software identified at this time.