Introduction
This document describes how to integrate Entrust Identity Enterprise with the Entrust nShield hardware security module (HSM) as a Root of Trust for storage encryption, to protect the master keys and meet FIPS 140-2 Level 2 or Level 3.
Entrust Identity Enterprise has two master keys that are used to encrypt and sign sensitive information in the Entrust Identity Enterprise repository. Entrust Identity Enterprise has three master users.
Additionally, you can store credentials for the XAP, PIV and SCEP administrator accounts in the HSM instead of storing them in Entrust profiles (.EPF).
Product configurations
Entrust has successfully tested nShield HSM integration with Entrust Identity Enterprise in the following configurations:
Product | Version |
---|---|
Entrust Identity Enterprise Virtual Appliance | 13.0 |
Supported nShield hardware and software versions
Supported nShield HSM functionality
Feature | Support |
---|---|
Module-only key | Yes |
OCS cards | Yes |
Softcards | Yes |
nSaaS | Yes |
FIPS 140-2 Level 3 | Yes |
Requirements
Familiarize yourself with:
- Entrust Identity Enterprise documentation (https://trustedcare.entrust.com/).
- The nShield HSM: Installation Guide and User Guide.
- Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:
  - The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
  - The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.
  - The key protection method: Module, Softcard, or OCS.
  - The level of compliance for the Security World: FIPS 140-2 Level 3.
  - Key attributes such as key size, time-out, or the need for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
About the HSM and Entrust Identity Enterprise
You must decide whether you want to use an HSM before you initialize Entrust Identity Enterprise Server because the HSM can be specified only during initialization. You cannot add an HSM after initialization.
If you use an HSM, the HSM must be available at all times, or Entrust Identity Enterprise will stop working.
You cannot have some servers in a replicated system with HSMs and others without. Either all Entrust Identity Enterprise servers use HSMs, or none of them do.
Only a single HSM can be configured within Identity Enterprise.