Introduction

This document describes how to integrate Entrust Identity Enterprise with the Entrust nShield hardware security module (HSM) as a Root of Trust for storage encryption, to protect the master keys and meet FIPS 140-2 Level 2 or Level 3.

Entrust Identity Enterprise has two master keys that are used to encrypt and sign sensitive information in the Entrust Identity Enterprise repository. Entrust Identity Enterprise has three master users.

Additionally, you can store credentials for the XAP, PIV and SCEP administrator accounts in the HSM instead of storing them in Entrust profiles (.EPF).

Product configurations

Entrust has successfully tested nShield HSM integration with Entrust Identity Enterprise in the following configurations:

Product                                        Version
Entrust Identity Enterprise Virtual Appliance  13.0

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

HSM          Security World Software  Firmware                        Image    OCS  Softcard  Module
Connect XC   13.3.2                   12.72.1 (FIPS 140-2 certified)  12.80.5
nShield 5c   13.3.2                   13.2.2                          13.3.2

Supported nShield HSM functionality

Feature              Support
Module-only key      Yes
OCS cards            Yes
Softcards            Yes
nSaaS                Yes
FIPS 140-2 Level 3   Yes

Requirements

Familiarize yourself with:

  • Entrust Identity Enterprise documentation (https://trustedcare.entrust.com/).

  • The nShield HSM: Installation Guide and User Guide.

  • Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure covering administration of the PKI and the HSM, in particular:

    • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

    • The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.

    • The key protection method: Module, Softcard, or OCS.

    • The level of compliance for the Security World, for example FIPS 140-2 Level 3.

    • Key attributes such as key size, time-out, or need for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

About the HSM and Entrust Identity Enterprise

You must decide whether you want to use an HSM before you initialize Entrust Identity Enterprise Server because the HSM can be specified only during initialization. You cannot add an HSM after initialization.

If you use an HSM, the HSM must be available at all times, or Entrust Identity Enterprise will stop working.

You cannot have some servers in a replicated system with HSMs and others without. Either all Entrust Identity Enterprise servers use HSMs, or none of them do.

Only a single HSM can be configured within Identity Enterprise.