Introduction

You can integrate Entrust nShield HSMs with the NGINX Server to generate 2048-bit RSA key pairs for SSL and keep the private keys inside a FIPS 140 certified Hardware Security Module (HSM). The integration connects the NGINX Server to the HSM through the PKCS #11 interface.

The benefits of using an nShield HSM with the NGINX Server include:

  • Secure storage of the private key.

  • FIPS 140 Level 3 validated hardware.

  • Improved server performance by offloading the cryptographic processing.

  • Full life cycle management of the keys.

  • Failover support.

  • Load balancing between HSMs.

Product configurations

Entrust tested nShield HSM integration with the NGINX server in the following configurations:

  Product              Version
  Operating System     Red Hat Enterprise Linux 8.9 X86-64
  F5 NGINX Plus        nginx/1.25.1 (nginx-plus-r30-p1)
  OpenSSL              openssl-libs-1:1.1.1k-9
  OpenSSL PKCS #11     openssl-pkcs11-0.4.10-3

Supported nShield features

Entrust tested nShield HSM integration with the following features:

  Feature            Support
  Softcards          Yes
  Module-only key    Yes
  OCS cards          Yes
  nSaaS              Yes

Supported nShield hardware and software versions

Entrust tested with the following nShield hardware and software versions:

Connect XC

  Security World Software   Firmware                           Image     OCS   Softcard   Module
  13.4.4                    12.50.11 (FIPS 140-2 certified)    12.80.4
  13.4.4                    12.72.1 (FIPS 140-2 certified)     12.80.5

nShield 5c

  Security World Software   Firmware                           Image     OCS   Softcard   Module
  13.4.4                    13.2.2                             13.2.2

Requirements

Ensure that you have supported versions of the Entrust, NGINX, and third-party products.

Consult the security team in your organization for a suitable setting of the following:

  • The SELinux policy that grants the web server read access to the files in /opt/nfast.

  • The firewall.

To perform the integration tasks, you must have:

  • root access on the operating system.

  • Access to nfast.

Before starting the integration process, familiarize yourself with:

  • The documentation for the HSM.

  • The documentation and setup process for the NGINX Server.

Before using the nShield software, you need to know:

  • The number and quorum of Administrator cards in the Administrator Card Set (ACS) and the policy for managing these cards.

  • Whether the application keys are protected by the module, by an Operator Card Set (OCS), or by a Softcard, with or without a pass phrase.

  • The number and quorum of Operator cards in the OCS and the policy for managing these cards.

  • Whether the Security World should be compliant with FIPS 140 Level 3.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

For more information, refer to the User Guide and Installation Guide for the HSM.

More information

For more information about OS support, contact your NGINX Server sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.