Introduction
This document describes how to integrate Hyperledger Fabric with the Entrust nShield Container Option Pack (nCOP). The integration uses an Entrust nShield hardware security module as the root of trust for storage encryption to protect the private keys and meet FIPS 140 Level 2 and 3 criteria.
Product configurations
Entrust has successfully tested nShield HSM integration with Hyperledger Fabric in the following configurations:
Product | Version |
---|---|
Hyperledger Fabric | 2.5 |
Security World | 13.6.3 |
nCOP | 1.1.2 |
Docker | 27.3.1 |
Go | 1.23.2 |
Host OS | Red Hat Enterprise Linux 9 |
Container OS | Ubuntu |
Supported nShield hardware and software versions
Entrust has successfully tested with the following nShield hardware and software versions:
Connect XC
Security World Software | Firmware | Image | OCS | Softcard | Module | FIPS Level 3 |
---|---|---|---|---|---|---|
13.6.3 |
13.4.5 |
✓ |
✓ |
✓ |
✓ |
Supported nShield HSM functionality
Feature | Support |
---|---|
Module-only key | Yes |
OCS cards | Yes |
Softcards | Yes |
nSaaS | Yes |
FIPS 140 Level 3 | Yes |
Requirements
Familiarize yourself with:
- Hyperledger Fabric documentation: Hyperledger Fabric CA User’s Guide.
- The nShield HSM: Installation Guide and User Guide.
- Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:
  - The number and quorum of administrator cards in the Administrator Card Set (ACS), and the policy for managing these cards.
  - The number and quorum of operator cards in the Operator Card Set (OCS), and the policy for managing these cards.
  - The key protection method: Module, Softcard, or OCS.
  - The level of compliance for the Security World, FIPS 140 Level 3.
  - Key attributes such as key size, time-out, or need for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.