Introduction
The nShield Hardware Security Module (HSM) can be used to generate and store a Root of Trust (RoT) that protects security objects used by Oracle Key Vault to safeguard users' keys and credentials. The HSM can be used in FIPS 140 Level 2 or Level 3 mode to meet compliance requirements. An Oracle Key Vault cluster node can have multiple HSMs enrolled, as long as the HSMs are in the same Security World.
| An existing Oracle Key Vault deployment cannot be migrated to use an HSM as a RoT. |
| Oracle Key Vault can function only if the RoT stored in the HSM is available. |
| To restart or restore Key Vault in HSM mode when Operator Card Set (OCS) protection is used, the OCS for the HSM must be in slot 0 of the HSM. |
Product configurations
We have successfully tested nShield HSM integration with Oracle Key Vault in the following configurations:
| Product | Version |
|---|---|
Operating System |
Oracle Linux 7 64-bit |
Oracle Key Vault Version |
18.6 |
Supported nShield hardware and software versions
We have successfully tested with the following nShield hardware and software versions:
Supported nShield functionality
| Feature | Support | Feature | Support | Feature | Support |
|---|---|---|---|---|---|
Key generation |
Yes |
1-of-N Operator Card Set |
Yes |
FIPS 140 Level 3 support |
Yes |
Key management |
Yes |
k-of-N Operator Card Set |
No |
Common Criteria support |
Yes |
Key import |
Yes |
Softcards |
Yes |
Load sharing |
Yes |
Key recovery |
Yes |
Module-Only key |
Yes |
Fail over |
Yes |
Requirements
Before installing these products, read the associated documentation:
-
For the nShield HSM: Installation Guide and User Guide.
-
If nShield Remote Administration is to be used: nShield Remote Administration User Guide.
-
Oracle Key Vault documentation (https://docs.oracle.com/en/database/oracle/key-vault).
In addition, the integration between nShield HSMs and Oracle Key Vault requires:
-
A separate non-HSM machine on the network to use as the Remote File System for the HSM. The RFS machine can also be used as a client to the HSM, to allow presentation of Java Cards using nShield Remote Administration. See the nShield Remote Administration User Guide.
-
PKCS #11 support in the HSM.
-
A correct quorum for the Administrator Card Set (ACS).
-
Operator Card Set (OCS), Softcard, or Module-Only protection.
-
If OCS protection is to be used, a 1-of-N quorum must be used.
-
-
Firewall configuration with usable ports:
-
9004 for the HSM (hardserver).
-
8200 for Key Vault.
-
Furthermore, the following design decisions have an impact on how the HSM is installed and configured:
-
Whether your Security World must comply with FIPS 140 Level 3 standards.
-
If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
-
-
Whether to instantiate the Security World as recoverable or not.
| Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. |
More information
For more information about OS support, contact your Oracle Key Vault sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.
| Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com. |