Introduction

IBM Blockchain Platform integrates with the Entrust nShield® Hardware Security Module (HSM) to generate and store the private keys used by its Certificate Authority (CA), Peer, and Orderer nodes. This guide demonstrates using an HSM On Demand service’s PKCS #11 API to securely store Blockchain CA, Peer, and Orderer private keys. When an HSM generates the signing keys for Blockchain Identities, the cryptographic operations are offloaded to the HSM. This provides protects and manages the keys with its FIPS 140 Level 3 certified hardware.

This guide describes how to perform and validate the integration. It does not necessarily describe the best practices for the implementation.

Product configurations

Entrust has successfully tested nShield HSM integration in the following configurations:

Product	Version
IBM Blockchain Platform	2.5.2-132, 2.5.3-11
OpenShift Container Platform (Client)	4.8.43
OpenShift Container Platform (Server)	4.8.43
Kubernetes Version	v1.21.11+6b3cbdd
Base OS (Image Building machine)	Red Hat Enterprise Linux release 8.5 (Ootpa)
OS for NFS server	CentOS Linux release 7.9.2009 (Core)
nShield HSM	12.50.11 (FIPS 140-2 certified) - Image 12.80.4
HSM Protection Methods Used.	Module, Softcard. OCS not tested.
nShield Security World	12.80.4
nShield Container Option Pack (nCOP)	1.1.1
VMware	ESXi 7.0.1 on a Dell PowerEdge R740
Docker	Docker version 20.10.17, build 100c701
Podman	3.2.3

Product

Version

IBM Blockchain Platform

2.5.2-132, 2.5.3-11

OpenShift Container Platform (Client)

4.8.43

OpenShift Container Platform (Server)

4.8.43

Kubernetes Version

v1.21.11+6b3cbdd

Base OS (Image Building machine)

Red Hat Enterprise Linux release 8.5 (Ootpa)

OS for NFS server

CentOS Linux release 7.9.2009 (Core)

nShield HSM

12.50.11 (FIPS 140-2 certified) - Image 12.80.4

HSM Protection Methods Used.

Module, Softcard. OCS not tested.

nShield Security World

12.80.4

nShield Container Option Pack (nCOP)

1.1.1

VMware

ESXi 7.0.1 on a Dell PowerEdge R740

Docker

Docker version 20.10.17, build 100c701

Podman

3.2.3

Requirements

Ensure that you have supported versions and entitlements of the Entrust nShield, IBM Blockchain Platform, and third-party products. See Product configurations.

To perform the integration tasks, you must have:

root access on the operating system.
Access to nfast.

Before starting the integration process, familiarize yourself with:

The documentation for the HSM.
The documentation and setup process for Docker or Podman.

Before using the nShield software, you need to know:

Whether the application keys are protected by the module, or a Softcard with or without a pass phrase.
Whether the Security World should be compliant with FIPS 140 Level 3.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

For more information on configuring and managing nShield HSMs, Security Worlds, and Remote File Systems, see the User Guide and Installation Guide for your HSM(s).