Introduction

The nShield Hardware Security Module (HSM) can generate and store a Root of Trust that protects security objects used by F5 Big-IP LTM to safeguard users' keys and credentials. The HSM in FIPS 140-2 Level 2 or Level 3 mode meets compliance requirements.

More than one HSM can be enrolled with an F5 BIG-IP machine, provided all the HSMs belong to the same Security World.

Product configurations

Entrust has successfully tested nShield HSM integration with F5 BIG-IP in the following configurations. Before you use the latest Entrust tested versions, confirm compatibility against the interoperability matrix.

Software                  Version
BIG-IP - Virtual Edition  16.0.1.1, 17.0.0.1

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software  Firmware                         Image     OCS  Softcard  Module
12.60.11                 12.50.11 (FIPS 140-2 certified)  12.60.10
12.80.4                  12.50.11 (FIPS 140-2 certified)  12.80.4
12.80.4                  12.72.1 (FIPS 140-2 certified)   12.80.5

nShield 5c

Security World Software  Firmware  Image   OCS  Softcard  Module
13.2.2                   13.2.2    13.2.2

Hotfix TAC_955 is required for the nShield 5c configuration. A FIPS 140 Level 2 Security World may be used without the need for a hotfix.

Supported nShield HSM functionality

Feature             Support
Module-Only key     Yes
OCS cards           Yes
Softcards           Yes
nSaaS               Yes
FIPS 140-2 Level 3  Yes *

* F5 BIG-IP SSL profile implementations requiring TLS 1.2 are only supported in Entrust nShield firmware v12.50.11. Please contact F5 or Entrust for details on TLS 1.3 support.

Requirements

Before installing these products, read the associated documentation:

In addition, the integration between nShield HSMs and F5 BIG-IP requires:

  • PKCS #11 support in the HSM.

  • A correct quorum for the Administrator Card Set (ACS).

  • Operator Card Set (OCS), Softcard, or Module-Only protection.

    • If OCS protection is to be used, a 1-of-N quorum must be used.

  • Firewall configuration with usable ports:

    • 9004 for the HSM (hardserver).
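The two requirements that are easiest to get wrong in practice are the firewall rule for the hardserver port and the OCS quorum, so the following pre-flight script checks both before enrolment. It is an added example, not Entrust or F5 tooling: the hypothetical HSM_HOSTS and OCS_NAME variables, the "name k/n" cardset table format and the sample table itself are constructed for this example (the real cardset listing from the Security World tools is not reproduced here), and the TCP probe uses bash's /dev/tcp so it needs no extra packages on the BIG-IP host.

```shell
#!/bin/sh
# Pre-flight check for the requirements listed above: hardserver port 9004
# reachable on every HSM, and the OCS used for key protection having a 1-of-N
# quorum. Added example, not Entrust or F5 tooling.
# Assumptions (hypothetical): HSM addresses come from the HSM_HOSTS variable,
# the OCS name from OCS_NAME, and cardset quorums are supplied as a "name k/n"
# table (the table below is constructed; it is not real Security World output).

# Does host:port accept a TCP connection within timeout_s seconds?
# Uses bash's /dev/tcp so no extra tools are needed on the BIG-IP host.
check_hsm_port() {
  host="$1"; port="${2:-9004}"; timeout_s="${3:-3}"
  if timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo "ok:   $host:$port reachable"; return 0
  fi
  echo "FAIL: $host:$port unreachable (allow TCP $port to the HSM on the firewall)"
  return 1
}

# Look up the k/n quorum of a named cardset in a "name k/n" table.
# Prints the quorum (e.g. 1/3); prints nothing if the cardset is absent.
ocs_quorum() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2 }'
}

# Return 0 only if the named OCS exists with k == 1 (a 1-of-N quorum),
# which is what OCS protection for the F5 integration requires.
check_ocs_quorum() {
  kn=$(ocs_quorum "$1" "$2")
  case "$kn" in
    1/[1-9]*) echo "ok:   OCS '$1' quorum $kn is 1-of-N"; return 0 ;;
    "")       echo "FAIL: OCS '$1' not found in the cardset table"; return 1 ;;
    *)        echo "FAIL: OCS '$1' quorum $kn is not 1-of-N"; return 1 ;;
  esac
}

# Constructed sample cardset table (not real Security World data).
SAMPLE_CARDSETS='name       k/n
f5-ocs     1/3
admin-ocs  2/5'

# Run the checks only when HSM_HOSTS is set, e.g.
#   HSM_HOSTS="10.0.0.21 10.0.0.22" OCS_NAME=f5-ocs sh preflight.sh
if [ -n "${HSM_HOSTS:-}" ]; then
  rc=0
  for h in $HSM_HOSTS; do check_hsm_port "$h" 9004 || rc=1; done
  check_ocs_quorum "${OCS_NAME:-f5-ocs}" "$SAMPLE_CARDSETS" || rc=1
  exit $rc
fi
```

Against the sample table, f5-ocs (1/3) passes and admin-ocs (2/5) fails the quorum check; substitute the cardset listing from your own Security World for the constructed table, and run the port probe from the BIG-IP host itself so the result reflects the firewall path the hardserver traffic will actually take.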

Furthermore, the following design decisions have an impact on how the HSM is installed and configured:

  • Whether your Security World must comply with FIPS 140-2 Level 3 standards.

    • If using FIPS 140-2 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

  • Whether to instantiate the Security World as recoverable or not.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

More information

For more information about OS support, contact your F5 sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.