Introduction

The Apache HTTP Server 2.4.6 integrates with the Entrust nShield® Hardware Security Module (HSM) to provide a secure web server solution. The nShield HSMs are hardened, tamper-resistant cards which perform encryption, digital signing and key generation on behalf of an extensive range of commercial and custom-built applications, including certificate authorities and code signing.

The benefits of using an nShield Hardware Security Module (HSM) with the Apache HTTP Server include:

  • Secure storage of the private key.

  • FIPS 140 Level 3 validated hardware.

  • Improved server performance by offloading the cryptographic processing.

  • Full life cycle management of the keys.

  • Failover support.

  • Load balancing between HSMs.

Throughout this guide, the term HSM refers to nShield Solo and nShield Connect units. (nShield Solo products were formerly known as nShield).

This guide describes how to use the nShield Cryptographic Hardware Interface Library (CHIL) interface to integrate the HSM and Apache HTTP Server.

Product configurations

We have successfully tested nShield HSM integration with the server in the following configurations:

Operating System                      Apache version   OpenSSL version   Security World Software version   nShield Solo support   nShield Connect support
Red Hat Enterprise Linux 7 x 64-bit   2.4.6            1.0.2k-fips       12.60.3 *                         Yes                    Yes

* The nShield 12.40 Compatibility Package is required for the Cryptographic Hardware Interface Library (CHIL) plugin. To obtain the package, contact Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

Supported nShield functionality

Feature          Support   Feature                    Support   Feature                    Support
Key Generation   Yes       1-of-N Operator Card Set   Yes       FIPS 140 Level 3 Support   Yes
Key Management   Yes       K-of-N Operator Card Set   Yes       Load Sharing               Yes
Key Import       Yes       Softcards                  Yes       Fail Over                  Yes
Key Recovery     Yes       Module-only Key            Yes

Requirements

Ensure that you have supported versions of the nShield, Apache, and third-party products. See Product configurations.

Consult the security team in your organization for a suitable SELinux policy setting that allows the web server read access to the files in /opt/nfast.

To perform the integration tasks, you must have:

  • root access on the operating system.

  • Access to the nfast and httpd accounts.

Before starting the integration process, familiarize yourself with:

  • The documentation for the HSM.

  • The documentation and setup process for the Apache HTTP server.

Before using the nShield software, you need to know:

  • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

  • Whether the application keys are protected by the module or an Operator Card Set (OCS) with or without a pass phrase.

  • The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.

  • Whether the security world should be compliant with FIPS 140 Level 3.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

For more information, refer to the User Guide and Installation Guide for the HSM.

More information

For more information about OS support, contact your Apache HTTP Server sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.