Introduction

The nShield Hardware Security Module (HSM) is a Root of Trust used by HID Global Validation Authority to protect cryptographic material. A HID Validation Authority integration with an Entrust nShield HSM provides FIPS 140-3 or FIPS 140-2 protection to meet strict compliance requirements.

Product configurations

This integration guide is intended solely to demonstrate the integration process and does not represent best practices. For guidance on optimal implementation, consult your organization’s IT security team or engage Entrust Professional Services.

Entrust has tested nShield HSM integration with HID Validation Authority in the following configurations:

Product             Version
Operating System    Windows Server 2022
HID ActivID VA      7.4
Database            Microsoft SQL Server 2025
Java                jdk-11 or higher (windows-x64)

Supported nShield hardware and software versions

Entrust has tested the integrations with OCS and with the following nShield hardware and software versions:

Product      Security World Software   Firmware                         Image
Connect XC   13.6.11                   12.72.1 (FIPS 140-2 certified)   13.6.7
nShield 5c   13.6.11                   13.4.5 (FIPS 140-3 certified)    13.6.7

Supported nShield HSM functionality

Feature             Support
Module-only key     No
OCS cards           Yes
Softcards           No
nSaaS               Yes
FIPS 140 Level 3    Yes

Requirements

Before installing these products, read the associated documentation:

The integration between nShield HSMs and HID VA requires:

  • nCipherKM JCA/JCE CSP support in the HSM.

  • A correct quorum for the Administrator Card Set (ACS).

  • An Operator Card Set (OCS).

    • A 1-of-N quorum must be used.

  • Firewall configuration with usable ports:

    • 9004 for the HSM (hardserver).

    • 3501 for HID VA HTTP Port (default port number).

    • 3601 for HID VA HTTPS Port (default port number).
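The following PowerShell readiness check is an added example, not part of the Entrust guide: run on the Windows Server 2022 host that will run HID VA, it confirms the hardserver port on the HSM is reachable outbound, creates the inbound firewall rules for the two VA listeners if they are missing, and flags port clashes. The HSM address and the rule names are assumptions; the port numbers are the ones listed above.

```powershell
# Added example (not from the Entrust guide). Assumed values are marked.
$HsmAddress     = '192.0.2.10'   # placeholder: address of your nShield Connect XC / 5c
$HardserverPort = 9004           # nShield hardserver: VA host -> HSM, outbound
$VaPorts        = @{ 'HID VA HTTP' = 3501; 'HID VA HTTPS' = 3601 }  # inbound to VA host

# 1. Outbound: can this host reach the HSM hardserver?
$hsm = Test-NetConnection -ComputerName $HsmAddress -Port $HardserverPort -WarningAction SilentlyContinue
if ($hsm.TcpTestSucceeded) {
    Write-Output "Hardserver TCP $HardserverPort on $HsmAddress is reachable"
} else {
    Write-Warning "Hardserver TCP $HardserverPort on $HsmAddress is NOT reachable; check the network path and the HSM's client configuration"
}

# 2. Inbound: make sure a Windows Firewall rule exists for each VA listener (rule names are assumed).
foreach ($name in $VaPorts.Keys) {
    $port = $VaPorts[$name]
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Allow -Profile Domain | Out-Null
        Write-Output "Created inbound rule '$name' for TCP $port"
    } else {
        Write-Output "Inbound rule '$name' already present"
    }
}

# 3. Report anything already listening on the VA ports, which would block the VA service from binding.
foreach ($port in $VaPorts.Values) {
    $listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        Write-Warning "TCP $port is already in use by PID $($listener.OwningProcess)"
    }
}
```

Run it from an elevated PowerShell session, since creating firewall rules requires administrator rights.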

In addition, the following design decisions have an impact on how the HSM is installed and configured:

  • Whether your Security World must comply with FIPS 140-3 or 140-2 standards.

    If you are using FIPS 140-3 or 140-2, it is advisable to create an OCS for FIPS authorization. It will be needed during the Validation Authority Configuration. For information about limitations on FIPS authorization, see the Installation Guide for the HSM.

  • Whether to instantiate the Security World as recoverable or not.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

More information

For more information about OS support, contact your HID Global sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.