Introduction

Delinea Secret Server (Secret Server) includes support for the Entrust nShield Hardware Security Module (HSM). The nShield HSM brings an additional layer of security by protecting the Delinea Secret Server encryption key. This document describes the procedure to integrate Delinea Secret Server with the nShield HSM.

Product configurations

Entrust has successfully tested nShield HSM integration in the following configurations:

Product	Version
Delinea Secret Server	11.8.000001
SQL Server 2022	16.0.1000 Express Edition
SQL Server Management Studio 21	21.1.3
IIS	10.0.20348.1
Base OS	Microsoft Windows Server 2022

Product

Version

Delinea Secret Server

11.8.000001

SQL Server 2022

16.0.1000 Express Edition

SQL Server Management Studio 21

21.1.3

IIS

10.0.20348.1

Base OS

Microsoft Windows Server 2022

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

HSM	Security World Software	Firmware	Netimage
Connect 5c	13.6.11	13.4.5 (FIPS 140-3 certified)	13.6.11
nShield XC	13.6.11	12.72.3 (FIPS 140-2 certified)	13.6.7

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature	CNG Cryptography Provider	PKCS #11 API
Softcards	No	Yes
Module Only Key	Yes	Yes
Operator Card Set (OCS)	Yes but without a passphrase	Yes
nSaaS	Supported but not tested	Supported but not tested

Feature

CNG Cryptography Provider

PKCS #11 API

Softcards

Yes

Module Only Key

Yes

Operator Card Set (OCS)

Yes but without a passphrase

Yes

nSaaS

Supported but not tested

Requirements

Access to Delinea Secret Server license from your Delinea sales representative.
Access to the Entrust TrustedCare Portal.
An Entrust nShield HSM.
A dedicated Windows server.
Network environment with usable ports 9004 and 9005 for the HSM.

Familiarize yourself with the nShield Documentation.

The importance of a correct quorum for the Administrator Card Set (ACS).
Whether Operator Card Set (OCS) protection or Softcard protection is required.
If OCS protection is to be used, a 1-of-N quorum must be used.
Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For more information see FIPS 140 Level 3 compliance.
Whether to instantiate the Security World as recoverable or not.