Introduction

This guide describes how to integrate Entrust nShield Hardware Security Module (HSM) with Oracle Key Vault.

The HSM generates and stores a Root of Trust which protects the security objects used by Oracle Key Vault to safeguard user keys and credentials. The HSM can be used in FIPS 140 Level 2 or Level 3 mode to meet compliance requirements.

Note that:

  • Oracle Key Vault cluster nodes can connect to individual HSMs, or share the same user account in one HSM, or have individual user accounts in one HSM.

  • An existing Oracle Key Vault deployment can be migrated to use an HSM as a Root of Trust.

  • Oracle Key Vault can function only if the RoT stored in the HSM is available.

  • To restart or restore Key Vault in HSM mode when Operator Card Set (OCS) protection is used, the OCS for the HSM must be in slot 0 of the HSM.

Product configurations

Entrust has successfully tested nShield HSM integration with Oracle Key Vault in the following configurations:

Product Version

Oracle Key Vault

21.5

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software Firmware Image OCS Softcard Module

12.60.11

12.50.11 (FIPS 140-2 certified)

12.60.10

12.80.4

12.50.11 (FIPS 140-2 certified)

12.80.4

12.80.4

12.72.1 (FIPS 140-2 certified)

12.80.5

13.3.2

12.72.1 (FIPS 140-2 certified)

12.80.5

nShield 5c

Security World Software Firmware Image OCS Softcard Module

13.3.2

13.2.2

13.3.2

Supported nShield functionality

Feature Support

Key generation

Yes

1-of-N Operator Card Set

Yes

FIPS 140 Level 3 support

Yes

Key management

Yes

k-of-N Operator Card Set

No

Common Criteria support

Yes

Key import

Yes

Softcards

Yes

Load sharing

Yes

Key recovery

Yes

Module-Only key

Yes

Fail over

Yes

Requirements

Before installing these products, read the associated documentation:

In addition, the integration between nShield HSMs and Oracle Key Vault requires:

  • A separate non-HSM machine on the network to use as the Remote File System for the HSM. The RFS machine can also be used as a client to the HSM, to allow presentation of Java Cards using nShield Remote Administration. See the nShield Remote Administration User Guide_.

  • PKCS #11 support in the HSM.

  • A correct quorum for the Administrator Card Set (ACS).

  • Operator Card Set (OCS), Softcard, or Module-Only protection.

    If OCS protection is to be used, a 1-of-N quorum must be used.

  • Firewall configuration with usable ports:

    • 9004 for the HSM (hardserver).

    • 8200 for Key Vault.

Furthermore, the following design decisions impact how the HSM is installed and configured:

  • Whether your Security World must comply with FIPS 140 Level 3 standards.

    If using FIPS 140 Level 3, it is advisable to create an OCS for FIPS authorization. The OCS can also provide key protection for the Vault master key. For information about limitations on FIPS authorization, see the Installation Guide of the nShield HSM.

  • Whether to instantiate the Security World as recoverable or not.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

More information

For more information about OS support, contact your Oracle Key Vault sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.