Introduction

This guide describes:

The procedure to install and configure KeyControl as a KMIP server.
The procedure to integrate Entrust KeyControl and Entrust nShield HSM for establishing a hardware root of trust for all encryption keys.
The procedure to protect the KeyControl Admin Key in the HSM.

When all of these procedures are performed, the combined solution facilitates regulatory compliance with a FIPS 140 Level 3 and Common Criteria EAL4+ root of trust.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
Until and including v13.4.5 firmware, all nShield HSMs require specific activation to utilize the elliptic curve features. See the nShield Security World documentation at nShield Product Documentation website.

Product configuration

Entrust has successfully tested nShield HSM integration with KeyControl in the following configurations:

Product	Version
KeyControl	10.0
nShield HSM hardware	Connect XC

Product

Version

KeyControl

10.0

nShield HSM hardware

Connect XC

Supported features

Entrust has successfully tested nShield HSM integration with the following features:

Feature	Support
Softcards	Yes
Module-only key	Not Supported
OCS cards	For FIPS Authorization Only
nSaaS	Not tested

Feature

Support

Softcards

Yes

Module-only key

Not Supported

OCS cards

For FIPS Authorization Only

nSaaS

Not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Tested configurations:

Security World Software	Firmware	Image	FIPS 140 Level 3
12.80.4	12.50.11 (FIPS Certified)	12.80.4	No
12.80.4	12.72.1 (FIPS Certified)	12.80.5	Yes