Introduction

This guide describes how to integrate an nShield HSM with the Apache HTTP Server using mod_ssl to serve HTTPS websites. The integration process uses the Public-Key Cryptography Standards (PKCS #11) interface. The HSM stores the Apache Server’s SSL private key within its FIPS 140 Level 3 validated hardware. After the integration is complete, you can deploy this integration in a Kubernetes environment.

Throughout this guide, the term HSM refers to nShield Solo and nShield Connect units.

Product configurations

Entrust has successfully tested nShield HSM integration with the Apache server in the following configurations:

Product	Version
Operating System	Red Hat Enterprise Linux 8 X86-64
Apache version	2.4.37
OpenSSL version	openssl-1:1.1.1k-7
OpenSSL PKCS #11 version	openssl-pkcs11-0.4.10-2
RedHat Openshift (for Kubernetes Integration only)	4.11.20
nCOP (for Kubernetes Integration only)	1.1.1

Product

Version

Operating System

Red Hat Enterprise Linux 8 X86-64

Apache version

2.4.37

OpenSSL version

openssl-1:1.1.1k-7

OpenSSL PKCS #11 version

openssl-pkcs11-0.4.10-2

RedHat Openshift (for Kubernetes Integration only)

4.11.20

nCOP (for Kubernetes Integration only)

1.1.1

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature	Support
Softcards	Yes
Module-only key	Yes
OCS cards	Yes
nSaaS	Not tested

Feature

Support

Softcards

Yes

Module-only key

Yes

OCS cards

Yes

nSaaS

Not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module	FIPS Level 3
12.80.4 & 13.4.4	12.50.11 (FIPS 140-2 certified)	12.80.4	✓	✓	✓
12.80.4 & 13.4.4	12.72.1 (FIPS 140-2 certified)	12.80.5	✓	✓	✓	✓

Security World Software

Firmware

Image

OCS

Softcard

Module

FIPS Level 3

12.80.4 & 13.4.4

12.50.11 (FIPS 140-2 certified)

12.80.4

✓

12.80.4 & 13.4.4

12.72.1 (FIPS 140-2 certified)

12.80.5

✓

nShield 5

Security World Software	Firmware	Image	OCS	Softcard	Module	FIPS Level 3
13.2.2	13.2.2	13.2.2	✓	✓	✓
13.4.4	13.2.2	13.3.2	✓	✓	✓

Requirements

Ensure that you have supported versions of the nShield, Apache, and third-party products. See Product configurations.

Consult the security team in your organization for a suitable setting of the SE Linux policy to allow the web server read access to the files in /opt/nfast.

To perform the integration tasks, you must have:

root access on the operating system.
Access to nfast and httpd accounts.

Before starting the integration process, familiarize yourself with:

The documentation for the HSM.
The documentation and setup process for the Apache HTTP Server.

Before using the nShield software, you need to know:

The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
Whether the application keys are protected by the module, an Operator Card Set (OCS) or a Softcard with or without a pass phrase.
The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
Whether the Security World should be compliant with FIPS 140 Level 3.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

For more information, refer to the User Guide and Installation Guide for the HSM.

More information

For more information about OS support, contact your Apache HTTP Server sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.