Introduction

This guide describes the steps to integrate the nShield Container Option Pack (nCOP) with Mirantis Kubernetes Engine. The nCOP provides application developers, within a container-based Mirantis Kubernetes Engine environment, the ability to access the cryptographic functionality of an nShield Hardware Security Module (HSM).

Product configurations

We have successfully tested nShield HSM integration with Mirantis Kubernetes Engine in the following configurations:

Software	Version
nCOP	1.1.2
Operating System	Red Hat Enterprise Linux release 9.4 (Plow)
Mirantis Kubernetes Engine	3.7.4
Mirantis Container Runtime	23.0.14

Software

Version

nCOP

1.1.2

Operating System

Red Hat Enterprise Linux release 9.4 (Plow)

Mirantis Kubernetes Engine

3.7.4

Mirantis Container Runtime

23.0.14

Supported nShield hardware and software versions

We have successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
13.6.3	12.72.1 (FIPS 140-2 certified)	13.4.5	✓	✓	✓

Security World Software

Firmware

Image

OCS

Softcard

Module

13.6.3

12.72.1 (FIPS 140-2 certified)

13.4.5

✓

nShield 5C

Security World Software	Firmware	Image	OCS	Softcard	Module
13.6.3	13.2.4 (FIPS 140-3 certified)	13.6.1	✓	✓	✓

Security World Software

Firmware

Image

OCS

Softcard

Module

13.6.3

13.2.4 (FIPS 140-3 certified)

13.6.1

✓

Supported nShield HSM functionality

Feature	Support
Module-only key	Yes
OCS cards	Yes
Softcards	Yes
nSaaS	Yes
FIPS 140 Level 3	Yes

Feature

Support

Module-only key

Yes

OCS cards

Yes

Softcards

Yes

nSaaS

Yes

FIPS 140 Level 3

Yes

Requirements

Before installing these products, read the associated documentation:

For the nShield HSM: Installation Guide and User Guide.
If nShield Remote Administration is to be used: nShield Remote Administration User Guide.
nShield Container Option Pack User Guide.
MCR documentation (https://docs.mirantis.com/mcr/23.0/overview.html)
MKE documentation (https://docs.mirantis.com/mke/3.7/overview.html).
kubectl documentation (https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)

Furthermore, the following design decisions have an impact on how the HSM is installed and configured:

Whether your Security World must comply with FIPS 140 Level 3 standards.
- If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
Whether to instantiate the Security World as recoverable or not.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

More information

For more information about OS support, contact your Mirantis sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.