Introduction
Delinea Secret Server (Secret Server) includes support for the Entrust nShield Hardware Security Module (HSM). The nShield HSM adds a layer of security by protecting the Secret Server encryption key inside hardware rather than on the application server. This document describes the procedure to integrate Delinea Secret Server with the nShield HSM.
Product configurations
Entrust has successfully tested nShield HSM integration in the following configurations:
| Product | Version |
|---|---|
| Delinea Secret Server | 11.8.000001 |
| SQL Server 2022 | 16.0.1000 Express Edition |
| SQL Server Management Studio 21 | 21.1.3 |
| IIS | 10.0.20348.1 |
| Base OS | Microsoft Windows Server 2022 |
Supported nShield hardware and software versions
Entrust has successfully tested with the following nShield hardware and software versions:
| HSM | Security World Software | Firmware | Netimage |
|---|---|---|---|
| Connect 5c | 13.6.11 | 13.6.11 | |
| nShield XC | 13.6.11 | 13.6.7 | |
Supported nShield features
Entrust has successfully tested nShield HSM integration with the following features:
| Feature | CNG Cryptography Provider | PKCS #11 API |
|---|---|---|
| Softcards | No | Yes |
| Module Only Key | Yes | Yes |
| Operator Card Set (OCS) | Yes, but without a passphrase | Yes |
| nSaaS | Supported but not tested | Supported but not tested |
Requirements
- Access to a Delinea Secret Server license from your Delinea sales representative.
- Access to the Entrust TrustedCare Portal.
- An Entrust nShield HSM.
- A dedicated Windows server.
- A network environment in which ports 9004 and 9005 are usable between the Secret Server host and the HSM.

Familiarize yourself with the nShield Documentation, in particular:

- The importance of a correct quorum for the Administrator Card Set (ACS).
- Whether Operator Card Set (OCS) protection or Softcard protection is required. Note that Softcards are not supported with the CNG provider (see the feature table above).
- If OCS protection is to be used, a 1-of-N quorum must be used, so that Secret Server can load the key with a single card present and without an operator assembling a quorum.
- Whether your Security World must comply with FIPS 140 Level 3 or Common Criteria standards. If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For more information see FIPS 140 Level 3 compliance.
- Whether to instantiate the Security World as recoverable or not.
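The following pre-flight script is an added example for this integration and is not part of the Entrust guide or of Delinea Secret Server. It runs on the Windows server that will host Secret Server and checks two of the requirements above before any nShield software is installed: that the HSM is reachable on ports 9004 and 9005 (a TCP connect is assumed to be the right test for both ports), and that no enabled outbound Windows Firewall rule blocks those ports. The HSM address, the timeout and the function name `Test-NShieldPort` are assumptions for the example; substitute your own HSM address.

```powershell
# Added pre-flight check for the Secret Server / nShield requirements (not Entrust or Delinea code).
# Assumptions: the HSM answers TCP connections on 9004 and 9005; $HsmAddress is a placeholder.
param(
    [string]$HsmAddress = "192.0.2.10",   # placeholder (TEST-NET-1); replace with your HSM address
    [int[]] $Ports      = @(9004, 9005),
    [int]   $TimeoutMs  = 3000
)

function Test-NShieldPort {
    # Attempt a TCP connect to one port and report the result as an object (no exceptions escape).
    param([string]$Address, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return [pscustomobject]@{ Port = $Port; Reachable = $false; Detail = "timeout after $TimeoutMs ms" }
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return [pscustomobject]@{ Port = $Port; Reachable = $true;  Detail = "TCP connect OK" }
    } catch {
        return [pscustomobject]@{ Port = $Port; Reachable = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

function Get-BlockingOutboundRules {
    # Return enabled outbound Block rules whose TCP remote port matches one of the HSM ports.
    param([int[]]$Ports)
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
        if ($null -eq $filter -or $filter.Protocol -ne 'TCP') { continue }
        # RemotePort may be 'Any', a single port or a range; only exact matches are flagged here.
        foreach ($p in $Ports) {
            if ("$p" -eq $filter.RemotePort) {
                [pscustomobject]@{ Rule = $rule.DisplayName; RemotePort = $filter.RemotePort }
            }
        }
    }
}

Write-Host "Host OS: $((Get-CimInstance Win32_OperatingSystem).Caption)"
Write-Host "Checking HSM $HsmAddress on ports $($Ports -join ', ') ..."

$results = foreach ($p in $Ports) { Test-NShieldPort -Address $HsmAddress -Port $p -TimeoutMs $TimeoutMs }
$results | Format-Table -AutoSize

$blocking = @(Get-BlockingOutboundRules -Ports $Ports)
if ($blocking.Count -gt 0) {
    Write-Warning "Outbound firewall rules block HSM ports:"
    $blocking | Format-Table -AutoSize
}

if (($results | Where-Object { -not $_.Reachable }).Count -gt 0 -or $blocking.Count -gt 0) {
    Write-Error "Pre-flight failed: fix network or firewall before installing the Security World software."
    exit 1
}
Write-Host "Pre-flight passed."
```

Run the script from an elevated PowerShell prompt so that `Get-NetFirewallRule` can enumerate all rules; a port that reports "timeout" is usually filtered upstream (network firewall or ACL), while "connection refused" means the host is reachable but nothing is listening on that port.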