Introduction
The Apache HTTP Server 2.4.6 integrates with the Entrust nShield® Hardware Security Module (HSM) to provide a secure web server solution. The nShield HSMs are hardened, tamper-resistant cards which perform encryption, digital signing and key generation on behalf of an extensive range of commercial and custom-built applications, including certificate authorities, and code signing.
The benefits of using an nShield Hardware Security Module (HSM) with the Apache HTTP Server include:
- Secure storage of the private key.
- FIPS 140 Level 3 validated hardware.
- Improved server performance by offloading the cryptographic processing.
- Full life cycle management of the keys.
- Failover support.
- Load balancing between HSMs.
Throughout this guide, the term HSM refers to nShield Solo and nShield Connect units. (nShield Solo products were formerly known as nShield.)
This guide describes how to use the nShield Cryptographic Hardware Interface Library (CHIL) interface to integrate the HSM and Apache HTTP Server.
Product configurations
We have successfully tested nShield HSM integration with the server in the following configurations:
Operating System | Apache version | OpenSSL version | Security World Software version | nShield Solo support | nShield Connect support
---|---|---|---|---|---
Red Hat Enterprise Linux 7 x64 (64-bit) | 2.4.6 | 1.0.2k-fips | 12.60.3 * | Yes | Yes

* The nShield 12.40 Compatibility Package is required for the Cryptographic Hardware Interface Library (CHIL) plugin. To obtain the package, contact Entrust nShield Support, https://nshieldsupport.entrust.com.
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.
Supported nShield functionality
Feature | Support | Feature | Support | Feature | Support
---|---|---|---|---|---
Key Generation | Yes | 1-of-N Operator Card Set | Yes | FIPS 140 Level 3 Support | Yes
Key Management | Yes | K-of-N Operator Card Set | Yes | Load Sharing | Yes
Key Import | Yes | Softcards | Yes | Fail Over | Yes
Key Recovery | Yes | Module-only Key | Yes | |
Requirements
Ensure that you have supported versions of the nShield, Apache, and third-party products. See Product configurations.
Consult the security team in your organization for a suitable setting of the SELinux policy to allow the web server read access to the files in /opt/nfast.
To perform the integration tasks, you must have:
- root access on the operating system.
- Access to the nfast and httpd accounts.
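The following preflight script is an added example, not part of the Entrust guide: it checks the prerequisites listed above on the host before you start the integration, namely that the nfast and httpd accounts exist, that the Security World software directory (the guide's /opt/nfast by default) is readable by the account running the check, and which SELinux mode is in effect. Run it once as root and once as the httpd account; a failure on the second run is the signal to review the file permissions and SELinux policy with your security team. The directory and account names are parameters so the same check works on installations that use different values.

```shell
#!/bin/sh
# Added preflight check for the nShield / Apache integration prerequisites.
# Not Entrust code; it only inspects the local host and changes nothing.

NFAST_DIR_DEFAULT=/opt/nfast   # Security World software location named in the guide

# account_exists NAME -> exit 0 if a local account with that name exists
account_exists() {
    id "$1" >/dev/null 2>&1
}

# dir_readable DIR -> exit 0 if DIR exists and the caller can list and read it
dir_readable() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# selinux_mode -> prints Enforcing, Permissive or Disabled; "unavailable" when
# getenforce is not installed (host without SELinux tooling)
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unavailable
    fi
}

# preflight [NFAST_DIR] [ACCOUNT...] -> prints one line per check and returns
# the number of failed checks (0 means every prerequisite is satisfied).
# Defaults: directory /opt/nfast, accounts nfast and httpd.
preflight() {
    dir="${1:-$NFAST_DIR_DEFAULT}"
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- nfast httpd; fi
    failures=0

    echo "info SELinux mode: $(selinux_mode)"

    if dir_readable "$dir"; then
        echo "ok   $dir is readable by $(id -un)"
    else
        echo "FAIL $dir is missing or not readable by $(id -un)"
        failures=$((failures + 1))
    fi

    for acct in "$@"; do
        if account_exists "$acct"; then
            echo "ok   account $acct exists"
        else
            echo "FAIL account $acct does not exist"
            failures=$((failures + 1))
        fi
    done

    return "$failures"
}

# Usage: sh preflight.sh [NFAST_DIR] [ACCOUNT...]
# preflight "$@"
```

The script deliberately tests readability as the invoking user rather than switching users itself, so it needs no sudo configuration; running it under the httpd account (for example via your usual service-account mechanism) is what exercises the SELinux and permission path the guide asks you to verify.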
Before starting the integration process, familiarize yourself with:
- The documentation for the HSM.
- The documentation and setup process for the Apache HTTP server.
Before using the nShield software, you need to know:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- Whether the application keys are protected by the module or an Operator Card Set (OCS) with or without a pass phrase.
- The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Whether the security world should be compliant with FIPS 140 Level 3.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
For more information, refer to the User Guide and Installation Guide for the HSM.
More information
For more information about OS support, contact your Apache HTTP Server sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.