Introduction

The nShield Hardware Security Module (HSM) can generate and store a Root of Trust that protects security objects used by HID Global Validation Authority to safeguard user keys and credentials. You can use the HSM in FIPS 140 Level 2 or Level 3 mode to meet compliance requirements.

Product configurations

Entrust has tested nShield HSM integration with HID Validation Authority in the following configurations:

Product             Version
Operating System    Windows Server 2019
HID ActivID VA      7.2 and 7.3
Database            Microsoft SQL Server 2019
Java                jdk-8u361-windows-x64

Supported nShield hardware and software versions

Entrust has tested the integrations with the following nShield hardware and software versions:

Product      Security World Software   Firmware                          Image     OCS   Softcard   Module
Connect XC   12.80.4                   12.50.11 (FIPS 140-2 certified)   12.80.4
Connect XC   12.80.4                   12.72.1 (FIPS 140-2 certified)    12.80.5
Connect XC   13.3.2                    12.72.1 (FIPS 140-2 certified)    12.80.5
nShield 5c   13.3.2                    13.2.2                            13.3.2

Supported nShield HSM functionality

Feature            Support
Module-only key    No
OCS cards          Yes
Softcards          No
nSaaS              Yes
FIPS 140 Level 3   Yes

Requirements

Before installing these products, read the associated documentation:

  • For the HSM: Installation Guide and User Guide.

  • For Remote Administration (if used): nShield Remote Administration User Guide.

  • HID Global documentation: ActivID® Validation Authority Installation and Configuration Guide.

The integration between nShield HSMs and HID VA requires:

  • nCipherKM JCA/JCE CSP support in the HSM.

  • A correct quorum for the Administrator Card Set (ACS).

  • An Operator Card Set (OCS).

    • A 1-of-N quorum must be used.

  • Firewall configuration with usable ports:

    • 9004 for the HSM (hardserver).

    • 3501 for HID VA HTTP Port (default port number).

    • 3601 for HID VA HTTPS Port (default port number).

In addition, the following design decisions have an impact on how the HSM is installed and configured:

  • Whether your Security World must comply with FIPS 140 Level 3 standards.

    If you are using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. It will be needed during the Validation Authority Configuration. For information about limitations on FIPS authorization, see the Installation Guide for the HSM.

  • Whether to instantiate the Security World as recoverable or not.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

More information

For more information about OS support, contact your HID Global sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.