Introduction

The Entrust Authority Security Manager is a Public-Key Infrastructure (PKI) solution. The Entrust nShield Hardware Security Module (HSM) securely store and manage encryption keys. This document describes how to integrate both for added security of your PKI.

The HSM is available as an appliance or nShield as a service (nSaaS). Throughout this guide, the term HSM refers to nShield Solo, nShield Connect, and nShield Edge products.

Product configuration

The integration between the HSM and Security Manager has been successfully tested in the following configurations:

Product	Version
Entrust Security Manager	v10.0.30
Operating System	Windows Server 2022
PostgreSQL Database	11.7.30

Product

Version

Entrust Security Manager

v10.0.30

Operating System

Windows Server 2022

PostgreSQL Database

11.7.30

Supported nShield hardware and software versions

Entrust successfully tested with the following nShield hardware and software versions:

nShield

Product	Security World Software	Firmware	Netimage	OCS	Softcard
nSaaS	13.3.2	12.72.1 (FIPS 140-2 certified)	12.80.5	✓	✓
Connect XC	13.3.2	12.50.11 (FIPS 140-2 certified) & 12.72.1 (FIPS 140-2 certified), 13.3.1	12.80.4, 12.80.5, 13.4.3	✓	✓
Solo XC	13.3.2	12.72.0 (FIPS 140-2 certified)		✓	✓
nShield 5c	13.3.2	13.2.2	13.3.2	✓	✓
nShield Edge	13.3.2	12.72.0 (FIPS 140-2 certified)		✓	✓

Product

Security World Software

Firmware

Netimage

OCS

Softcard

Module

nSaaS

13.3.2

12.72.1 (FIPS 140-2 certified)

12.80.5

✓

Connect XC

13.3.2

12.50.11 (FIPS 140-2 certified) & 12.72.1 (FIPS 140-2 certified), 13.3.1

12.80.4, 12.80.5, 13.4.3

✓

Solo XC

13.3.2

12.72.0 (FIPS 140-2 certified)

✓

nShield 5c

13.3.2

13.2.2

13.3.2

✓

nShield Edge

13.3.2

12.72.0 (FIPS 140-2 certified)

✓

Module Protected keys are no longer supported in Entrust Security Manager v10.0 and above.

Support for the nShield 5s is in the roadmap for a future release.

Requirements

To integrate the HSM and Security Manager, you need the following server to be set up as follows:

The following software needs to be installed:

nShield Security World software.
A directory service installed and running according to the Entrust Authority Security Manager 10.0 Directory Configuration Guide.
PostgreSQL Server.
Security Manager 10.

Access to TrustedCare Portal (to download Software) https://trustedcare.Entrust.com/.

Familiarize yourself with:

The Entrust Security Manager (https://www.entrust.com/digital-security).
The nShield HSM: Installation Guide and User Guide.
Your organizational certificate policy and certificate practice statement, and a security policy or procedure in place covering administration of the PKI and HSM:
- The number and quorum of administrator cards in the administrator card set (ACS), and the policy for managing these cards.
- The number and quorum of operator cards in the operator card set (OCS), and the policy for managing these cards.
- The keys protection method: module, softcard, or OCS.
- The level of compliance for the Security World, FIPS 140 Level 3.
- Key attributes such as key size, time-out, or need for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.