Appendix

Security worlds, key protection, and failure recovery

This section highlights some considerations when choosing security world and key protection options for use with the Entrust nShield Security World software. It focuses on recovery of security world authorization where a system has temporarily failed (for instance after a power outage) and is then returned to operation. This does not apply to other failure recovery functions. These considerations are applicable to security worlds, key protection and failure recovery for both standalone systems and database clusters. For more information on security worlds and key protection, see the User Guide for your HSM.

In the event of a temporary failure of the security world, there may be a consequent loss of:

Credential authorization.
Authorization if you are using a FIPS 140 Level 3 security world.

A credential authorization can be granted using either a Softcard or an OCS card, with passphrase. In the case of an OCS, a card must be always available in a valid HSM card reader in order to grant reauthorization after a failure, and permit automatic recovery.

Where FIPS authorization is required, this can be granted either by using an OCS card specifically for this purpose, or through an OCS card that is also used for credential authorization. A card from the OCS must be always available in a valid HSM card reader in order to grant reauthorization after a failure, and permit automatic recovery.

If you are using OCS cards through a RA secure channel, then if the secure channel is lost it must be reestablished before recovery using the OCS cards can begin. There is no automatic mechanism to reestablish the secure channel, which would have to be re-established manually, or through a user-defined script. For this reason, Entrust recommends that RA is not used for systems requiring automatic recovery.

Oracle auto-login facilities need to be set up to implement automatic recovery in the event of a temporary failure.

Never use ACS cards for FIPS authorization, because they do not support automatic recovery. Softcards or OCS must be members of the same security world.

The following table describes the authorization recovery behavior of the security world after a temporary outage.

security world type	Protection/ Credential	Stand-alone system	Database cluster
FIPS level 2	Module	Recovers automatically	Recovers automatically
	Softcard	Recovers automatically	Recovers automatically
	OCS	Use OCS for credential authorization: (1) Use 1/N quorum. Same passphrase for all cards (2) Leave an OCS card in HSM slot. Recovers automatically.	Use OCS for credential authorization: (1) Use 1/N quorum. Same passphrase for all cards (2) Leave an OCS card in slot of every HSM in cluster. Recovers automatically.
FIPS level 3	Module	Use OCS for FIPS authorization (only): Leave an OCS card in HSM slot. Recovers automatically	Use OCS for FIPS authorization (only): Leave an OCS card in slot of every HSM in cluster. Recovers automatically
	Softcard	Use OCS for FIPS authorization (only): Leave an OCS card in HSM slot. Recovers automatically	Use OCS for FIPS authorization (only): Leave an OCS card in slot of every HSM in cluster. Recovers automatically
	OCS	Use OCS for both credential and FIPS authorization: (1) Use 1/N quorum. Same passphrase for all cards. (2) Leave an OCS card in HSM slot. Recovers automatically.	Use OCS for both credential and FIPS authorization: (1) Use 1/N quorum. Same passphrase for all cards. (2) Leave an OCS card in slot of every HSM in cluster. Recovers automatically.

security world type

Protection/ Credential

Stand-alone system

Database cluster

FIPS level 2

Module

Recovers automatically

Softcard

Recovers automatically

OCS

Use OCS for credential authorization: (1) Use 1/N quorum. Same passphrase for all cards (2) Leave an OCS card in HSM slot. Recovers automatically.

Use OCS for credential authorization: (1) Use 1/N quorum. Same passphrase for all cards (2) Leave an OCS card in slot of every HSM in cluster. Recovers automatically.

FIPS level 3

Module

Use OCS for FIPS authorization (only): Leave an OCS card in HSM slot. Recovers automatically

Use OCS for FIPS authorization (only): Leave an OCS card in slot of every HSM in cluster. Recovers automatically

Softcard

Use OCS for FIPS authorization (only): Leave an OCS card in HSM slot. Recovers automatically

Use OCS for FIPS authorization (only): Leave an OCS card in slot of every HSM in cluster. Recovers automatically

OCS

Use OCS for both credential and FIPS authorization: (1) Use 1/N quorum. Same passphrase for all cards. (2) Leave an OCS card in HSM slot. Recovers automatically.

Use OCS for both credential and FIPS authorization: (1) Use 1/N quorum. Same passphrase for all cards. (2) Leave an OCS card in slot of every HSM in cluster. Recovers automatically.

If you are using an OCS to facilitate automatic recovery of the security world:

If you are using the OCS for credential authorization, all must be members of the same card set for the same credential, and the same passphrase must be assigned to every card in the set.
If you are using the OCS for FIPS authorization purposes only, the quorum automatically defaults to 1/N, and (any) passphrase is ignored.

Authorization acquired through a persistent operator card does not automatically reinstate itself after loss due to a temporary failure.

About the HSM credential

The protection methods available with the Entrust HSM are, in order of enhanced authentication:

Module: Encryption keys are protected by an security world protecting key in the HSM. This type of protection is not currently supported by WSOP PKCS#11 mechanism.
Softcard: Encryption keys are protected by a named Softcard (software based) token key, a passphrase, and security world protecting key in the HSM. You can have many different Softcards, but each is singular and works on its own.
OCS: Encryption keys are protected by the presence of a named physical token (OCS smartcard), an OCS token key, a passphrase, and security world protecting key in the HSM. OCS cards are usually part of a set of several OCS cards, or card set, and any member of the same card set protects the same encryption keys. You can have many different OCS card sets where each card set may protect different encryption keys. This type of protection is not currently supported by WSOP PKCS#11 mechanism.

The Softcard protection method must be set up within the Entrust HSM before they can be used by an Oracle database. See your HSM User Guide for details. Setting up the Softcard or OCS includes creating and naming the token(s), with a passphrase (see the User Guide for your HSM).

Within SQL scripts as used by Oracle, identify the protection method using a <credential>. WSOP only supports softcard protection:

Protection Type Credential or <credential>

Protection Type	Credential or <credential>
Softcard protection	`<softcard-passphrase>\|<softcard-name>`

Softcard protection

<softcard-passphrase>|<softcard-name>

Oracle documentation gives the ordering <credential-name>|<credential-passphrase>. However, tests showed that the ordering <credential-passphrase>|<credential-name>` works.

Oracle SQL uses the separator symbol | or : to divide the <credential-passphrase> and <credentialname>. Hence the total Oracle SQL string for a credential comprises:

Softcard protection: <credential-passphrase> + <separator> + <credential-name>.

In Entrust recommends the following restrictions on token names, or credentialname:

Maximum length of 254 characters.
ASCII 7-bit characters only, restricted to:

A-Z, a-z, 0-9, $ - _ (no white space).

Entrust places the following restrictions on passphrases, or credential- passphrases:

Maximum length of 254 characters.
ASCII 7-bit characters only:

A-Z, a-z, 0-9, ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ) ; (no white space).

However, the Oracle SQL interface imposes further restrictions on top of the restrictions for what can comprise the string <credential-passphrase> + <separator> + <credential-name>, as follows:

The total string length, including separator, can be no more than 30 characters. This leaves 29 characters for the <credential-passphrase> + <credential-name>.
The symbols |, :, " and ' cannot be used within the <credential-passphrase> or <credential-name>.

From the Oracle side, if:

N is the length of the credential name.
P is the length of the credential passphrase, then 2 ⇐ (N+P) ⇐ 29, where 1 ⇐ N ⇐ 28, and 1 ⇐ P ⇐ 28, assuming a minimum of one character for passphrase and name.

Permitted symbols are:
<credential-passphrase>:

A-Z, a-z, 0-9, ! @ # $ % ^ & * - _ + = [ ] { } \ , . ? / ~ < > ( ) ; (no white space)
<credential-name>:

A-Z, a-z, 0-9, $ - _ (no white space).

Use a passphrase of sufficient length to meet your current security requirements.

Oracle (wallet manager) states “Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters".

When you are using the Softcard, an SQL script that uses the credential must get the <credential-passphrase> and <credential-name> exactly correct. After creating encryption keys or rekeying, then immediately use the Use the Entrust WSOP cklist-dynamic utility to check that your encryption keys have been created in the WSOP server before proceeding.

In the examples shown in this guide, credentials may be given descriptive names to make it clear what they are used for, such as <keystore-credential>. In practice, replace the descriptive names with the actual credential passphrases and names you are using.