Introduction

Delinea Secret Server (Secret Server) includes support for the Entrust nShield Hardware Security Module (HSM). The nShield HSM brings an additional layer of security by protecting the Delinea Secret Server encryption key. This document describes the procedure to integrate Delinea Secret Server with the nShield HSM.

Product configurations

Entrust has successfully tested nShield HSM integration in the following configurations:

Product                           Version
Delinea Secret Server             11.8.000001
SQL Server 2022                   16.0.1000 Express Edition
SQL Server Management Studio 21   21.1.3
IIS                               10.0.20348.1
Base OS                           Microsoft Windows Server 2022

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

HSM          Security World Software   Firmware                         Netimage
Connect 5c   13.6.11                   13.4.5 (FIPS 140-3 certified)    13.6.11
nShield XC   13.6.11                   12.72.3 (FIPS 140-2 certified)   13.6.7

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature                   CNG Cryptography Provider       PKCS #11 API
Softcards                 No                              Yes
Module Only Key           Yes                             Yes
Operator Card Set (OCS)   Yes, but without a passphrase   Yes
nSaaS                     Supported but not tested        Supported but not tested

Requirements

  • Access to a Delinea Secret Server license from your Delinea sales representative.

  • Access to the Entrust TrustedCare Portal.

  • An Entrust nShield HSM.

  • A dedicated Windows server.

  • A network environment in which ports 9004 and 9005 are open for communication with the HSM.

Familiarize yourself with the nShield documentation, and consider the following points in particular:

  • The importance of a correct quorum for the Administrator Card Set (ACS).

  • Whether Operator Card Set (OCS) protection or Softcard protection is required.

  • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For more information see FIPS 140 Level 3 compliance.

  • Whether to instantiate the Security World as recoverable or not.