Introduction

The Axway Validation Authority (VA) Server is an Online Certificate Status Protocol (OCSP) server for distribution of certificate revocation information for certificates issued by any certification authority (CA). The VA Server provides integrity and validity for online transactions by validating, in real-time, digital certificates issued by a CA. The Entrust nShield Hardware Security Module (HSM) integrates with the Axway VA responder server through the nShield PKCS #11 cryptographic API to securely generate and store the OCSP response signing keys. The following image shows such an integration:

[Figure: architecture of the Axway VA and nShield HSM integration]

Requirements

The Axway VA installation requires either Microsoft Windows Server or Red Hat Enterprise Linux as the base operating system. Conceptually, a CentOS platform will work the same way. Obtain the installation package for Windows or Linux from Axway Support.

Refer to the Axway Validation Authority Administrators Guide for product-specific requirements.

Before starting this integration, review:

  • The documentation for the nShield Connect HSM.

  • The documentation and configuration process for Axway VA.

Before using nShield products:

  • When creating a Security World, identify custodians of the administrator card set (ACS).

  • Obtain enough blank smart cards to create the ACS.

  • Define the Security World parameters. For details of the security implications of the choices, see the nShield Security Manual.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Licensing

Configuring Axway VA requires importing a license text file into the Axway VA administration web UI. Obtain the license file to configure Axway VA.

Product configurations

Entrust tested nShield HSM integration with Axway VA in the following configurations:

Product                    | Version
---------------------------|----------------------
Axway Validation Authority | v5.2 BN31823 UP202206
Windows                    | Windows Server 2022
Red Hat Enterprise Linux   | release 8.8
HSM Hardware               | Connect XC and nShield 5C

Supported features

Entrust tested nShield HSM integration with the following features:

Softcard | Module | OCS | nSaaS
---------|--------|-----|-----------
Yes      | Yes    | Yes | Not Tested

Supported nShield hardware and software versions

Entrust tested with the following nShield hardware and software versions:

nShield Hardware | nShield HSM Firmware             | Security World Software
-----------------|----------------------------------|------------------------
Connect XC       | 12.50.11 (FIPS 140-2 certified)  | 13.3.2
Connect XC       | 12.72.1 (FIPS 140-2 certified)   | 13.3.2
nShield 5c       | 13.2.2                           | 13.3.2

Supported nShield functionality

Feature                                       | Support
----------------------------------------------|--------
Key Generation                                | Yes
Key Management                                | Yes
Key Import                                    | No
Key Recovery                                  | Yes
FIPS 140 Level 3 mode support for Connect XC  | Yes
FIPS 140 Level 3 mode support for nShield 5c  | Yes
Common Criteria mode support                  | N/A
1-of-N Operator Card Set                      | Yes
K-of-N Operator Card Set                      | Yes
Softcards                                     | Yes
Module-only keys                              | Yes
Load Sharing                                  | Yes
Failover                                      | Yes