Introduction
This guide describes how to integrate an nShield HSM with the Apache HTTP Server using mod_ssl
to serve HTTPS websites.
The integration process uses the Public-Key Cryptography Standards (PKCS #11) interface.
The HSM stores the Apache Server’s SSL private key within its FIPS 140 Level 3 validated hardware.
Once the integration is complete, the same setup can also be deployed in a Kubernetes environment.
Throughout this guide, the term HSM refers to nShield Solo and nShield Connect units.
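To show what the PKCS #11 integration looks like from the Apache side, the mod_ssl fragment below is an added illustration, not a step from this guide and not Entrust's or the Apache project's own sample. It assumes the openssl-pkcs11 engine listed in the product table is installed and that the nShield PKCS #11 library (assumed path /opt/nfast/toolkits/pkcs11/libcknfast.so) has been registered with the engine; the token label, key object name, host name and PIN are placeholders.

```apache
# Added example fragment for /etc/httpd/conf.d/ssl.conf (not from the guide).
# Tell mod_ssl to route private-key operations through the OpenSSL "pkcs11"
# engine provided by the openssl-pkcs11 package; the engine loads the nShield
# library (assumed: /opt/nfast/toolkits/pkcs11/libcknfast.so), so the httpd
# account must be able to read /opt/nfast, as the Requirements section notes.
SSLCryptoDevice pkcs11

<VirtualHost _default_:443>
    ServerName www.example.com          # placeholder host name
    SSLEngine on

    # The certificate is public and can stay on disk; only the private key
    # is referenced through the HSM.
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt

    # RFC 7512 PKCS #11 URI. "token" must match the label of the nShield
    # token and "object" the label of the key generated in it (placeholders).
    # OCS- or softcard-protected keys with a pass phrase need the pin-value
    # part; for a module-protected key, or an OCS/softcard without a pass
    # phrase, drop "?pin-value=..." entirely. Because the PIN is stored in
    # clear text here, keep this file readable by root and httpd only.
    SSLCertificateKeyFile "pkcs11:token=EXAMPLE_TOKEN;object=www.example.com;type=private?pin-value=EXAMPLE_PIN"
</VirtualHost>
```

With this configuration the private key is never written to the Apache host's filesystem: each TLS handshake's signing operation is performed inside the HSM, and a compromise of the web server's files yields the certificate but not the key. After restarting httpd, a successful start with `SSLCryptoDevice pkcs11` and a TLS connection that presents the expected certificate confirm that mod_ssl found the key through the engine.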
Product configurations
Entrust has successfully tested nShield HSM integration with the Apache server in the following configurations:
Product | Version |
---|---|
Operating System | Red Hat Enterprise Linux 8 X86-64 |
Apache version | 2.4.37 |
OpenSSL version | openssl-1:1.1.1k-7 |
OpenSSL PKCS #11 version | openssl-pkcs11-0.4.10-2 |
RedHat Openshift (for Kubernetes Integration only) | 4.11.20 |
nCOP (for Kubernetes Integration only) | 1.1.1 |
Supported nShield features
Entrust has successfully tested nShield HSM integration with the following features:
Feature | Support |
---|---|
Softcards | Yes |
Module-only key | Yes |
OCS cards | Yes |
nSaaS | Not tested |
Requirements
Ensure that you have supported versions of the nShield, Apache, and third-party products. See Product configurations.
Consult the security team in your organization for a suitable SELinux policy setting that allows the web server read access to the files in /opt/nfast.
To perform the integration tasks, you must have:
- root access on the operating system.
- Access to the nfast and httpd accounts.
Before starting the integration process, familiarize yourself with:
- The documentation for the HSM.
- The documentation and setup process for the Apache HTTP Server.
Before using the nShield software, you need to know:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- Whether the application keys are protected by the module, an Operator Card Set (OCS), or a Softcard, with or without a pass phrase.
- The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Whether the Security World should be compliant with FIPS 140 Level 3.
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
For more information, refer to the User Guide and Installation Guide for the HSM.
More information
For more information about OS support, contact your Apache HTTP Server sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.