Introduction
This guide explains how to configure a Red Hat Certificate System (RHCS) installation with an Entrust nShield Hardware Security Module (HSM). The integration between the HSM and Red Hat Certificate System uses the PKCS #11 cryptographic API.
The basic architecture of an RHCS deployment is shown in the diagram below:
| This guide does not cover every step in the process of setting up all software. Some packages require that other packages are already configured, initialized, and running before they can be installed successfully. |
Requirements
For an RHCS installation, you need to set up a Red Hat Enterprise Linux system. Conceptually, a CentOS platform will work in an identical manner, however the core RHCS packages may not be as up-to-date as those provided by Red Hat.
This guide does not cover the installation and configuration of the nShield Security World client software. For those instructions, see the Installation Guide for your HSM.
Requirements for the Red Hat Enterprise Linux server:
| Component | Minimum Requirements | Recommended Requirements |
|---|---|---|
Memory |
2 GB |
4 GB or more |
Processor |
1 CPU |
1 CPU or more |
Processor Cores |
2 |
4 or more, AES-NI support |
Hard Disk |
20 GB |
80 GB or more |
CD/DVD |
Optional |
Optional |
Network Adapter |
1 |
1 |
USB Controller |
Only required for nShield Remote Administration |
|
Display |
Standard configuration |
|
Components required for installation:
-
Security World software v12.60.11, v12.80.4, or v13.3.2.
-
Red Hat Enterprise Linux v7.8 or later.
-
Linux firewall (
firewalld). -
Static IP address.
-
Mozilla Firefox.
Versions of Mozilla Firefox after v31.6.0 do not support client-side (web browser) initiated key generation functions. -
OpenJDK 64-bit.
-
Red Hat Directory Server (RHDS) v10 or later.
Any LDAP-compliant database should be compatible with the integration.
-
Red Hat Certificate System (RHCS) v9 or later.
Licensing
There is no licensing that is imported into the product after installation. Contact Red Hat for appropriate licensing to purchase RHCS product support and RHN channel access.
Product configurations
RHCS v9.6 has been tested with the following nShield HSM configurations:
| Software | Firmware | Netimage | Security World | Ciphersuite |
|---|---|---|---|---|
12.60.11 |
12.60.10 |
FIPS-140 Level 3 |
DLf3072s256mAEScSP800131Ar1 |
RHCS v10.2 has been tested with the following nShield HSM configurations:
| Software | Firmware | Netimage | Security World | Ciphersuite |
|---|---|---|---|---|
12.80.4 |
12.60.10 |
FIPS-140 Level 3 |
DLf3072s256mAEScSP800131Ar1 |
|
12.80.4 |
12.80.5 |
FIPS-140 Level 3 |
DLf3072s256mAEScSP800131Ar1 |
RHCS v10.4 has been tested with the following nShield 5c HSM configurations:
| Software | Firmware | Netimage | Security World | Ciphersuite |
|---|---|---|---|---|
13.3.2 |
13.2.2 |
13.3.2 |
FIPS-140 Level 3 |
DLf3072s256mAEScSP800131Ar1 |
RHCS v10 Common Criteria edition is being tested by Red Hat using an Entrust nShield Connect XC HSM configured with the following settings:
| Software | Firmware | Netimage | Security World | Ciphersuite |
|---|---|---|---|---|
12.71 |
12.80.5 |
FIPS-140 Level 3 |
DLf3072s256mAEScSP800131Ar1 |
Supported nShield functionality
| Red Hat Certificate System does not support module-protected keys. When you are enabling the use of an HSM, RHCS requires a token name, for which module protected keys have none. Using "accelerator" does not work. |
| Feature | Support | Feature | Support |
|---|---|---|---|
Key Generation |
Yes |
Module-only keys |
No |
Key Management |
Yes |
FIPS 140 Level 3 mode support |
Yes |
1-of-N Operator Card Set |
Yes |
Common Criteria mode support |
N/A |
K-of-N Operator Card Set |
Yes |
Load Sharing |
Yes |
Softcards |
Yes |
Failover |
Yes |
Policy requirements
Entrust recommends that your organization operates its PKI using an approved organizational Certificate Policy, Certificate Practices Statement, and any other policy/procedure guidance necessary to govern the administration of the PKI and associated HSM(s). In particular, these documents should specify the following aspects of HSM administration:
-
The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
-
Whether application keys are to be protected by Operator Card Set (OCS), Softcard, or module key protection mechanisms.
-
The number and quorum of Operator Cards in the OCS (if OCS key protection is used), and the policy for managing these cards.
-
Whether the security world should be compliant with FIPS 140 Level 3, FIPS 140 Level 2, or Common Criteria.
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. See the User Guide for your HSM and the nShield Security Manual for more recommendations, or contact your local Entrust nShield Account Manager to arrange a technical discussion on architecture and best practices specific to your environment.
Compliance with US government security standards
It may be important for your organization to configure your RHEL OS in compliance with applicable standards such as FIPS.
-
US Government Security Standards for Red Hat products, see https://access.redhat.com/articles/2918071.
-
Information on enabling FIPS mode for RHEL v7, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sect-Federal_Information_Processing_Standard.
-
Information on enabling FIPS mode for RHEL v8, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening.