Introduction
This guide describes how to integrate Entrust nShield Hardware Security Module (HSM) with Oracle Key Vault.
The HSM generates and stores a Root of Trust which protects the security objects used by Oracle Key Vault to safeguard user keys and credentials. The HSM can be used in FIPS 140 Level 2 or Level 3 mode to meet compliance requirements.
Note that:
-
Oracle Key Vault cluster nodes can connect to individual HSMs, or share the same user account in one HSM, or have individual user accounts in one HSM.
-
An existing Oracle Key Vault deployment can be migrated to use an HSM as a Root of Trust.
-
Oracle Key Vault can function only if the RoT stored in the HSM is available.
-
To restart or restore Key Vault in HSM mode when Operator Card Set (OCS) protection is used, the OCS for the HSM must be in slot 0 of the HSM.
Product configurations
Entrust has successfully tested nShield HSM integration with Oracle Key Vault in the following configurations:
Product | Version |
---|---|
Oracle Key Vault |
21.5 |
Supported nShield hardware and software versions
Supported nShield functionality
Feature | Support |
---|---|
Key generation |
Yes |
1-of-N Operator Card Set |
Yes |
FIPS 140 Level 3 support |
Yes |
Key management |
Yes |
k-of-N Operator Card Set |
No |
Common Criteria support |
Yes |
Key import |
Yes |
Softcards |
Yes |
Load sharing |
Yes |
Key recovery |
Yes |
Module-Only key |
Yes |
Fail over |
Yes |
Requirements
Before installing these products, read the associated documentation:
-
For the nShield HSM: Installation Guide and User Guide.
-
If nShield Remote Administration is to be used: nShield Remote Administration User Guide_.
-
Oracle Key Vault documentation (https://docs.oracle.com/en/database/oracle/key-vault).
In addition, the integration between nShield HSMs and Oracle Key Vault requires:
-
A separate non-HSM machine on the network to use as the Remote File System for the HSM. The RFS machine can also be used as a client to the HSM, to allow presentation of Java Cards using nShield Remote Administration. See the nShield Remote Administration User Guide_.
-
PKCS #11 support in the HSM.
-
A correct quorum for the Administrator Card Set (ACS).
-
Operator Card Set (OCS), Softcard, or Module-Only protection.
If OCS protection is to be used, a 1-of-N quorum must be used.
-
Firewall configuration with usable ports:
-
9004 for the HSM (hardserver).
-
8200 for Key Vault.
-
Furthermore, the following design decisions impact how the HSM is installed and configured:
-
Whether your Security World must comply with FIPS 140 Level 3 standards.
If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.
-
Whether to instantiate the Security World as recoverable or not.
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. |
More information
For more information about OS support, contact your Oracle Key Vault sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com. |