Introduction

This guide explains how to configure a Red Hat Certificate System (RHCS) installation with an Entrust nShield Hardware Security Module (HSM). The integration between the HSM and Red Hat Certificate System uses the PKCS #11 cryptographic API.

The basic architecture of an RHCS deployment is shown in the diagram below:

Red Hat Certificate System deployment
This guide does not cover every step in the process of setting up all software. Some packages require that other packages are already configured, initialized, and running before they can be installed successfully.

Requirements

For an RHCS installation, you need to set up a Red Hat Enterprise Linux system. Conceptually, a CentOS platform will work in an identical manner, however the core RHCS packages may not be as up-to-date as those provided by Red Hat.

This guide does not cover the installation and configuration of the nShield Security World client software. For those instructions, see the Installation Guide for your HSM.

Requirements for the Red Hat Enterprise Linux server:

Component Minimum Requirements Recommended Requirements

Memory

2 GB

4 GB or more

Processor

1 CPU

1 CPU or more

Processor Cores

2

4 or more, AES-NI support

Hard Disk

20 GB

80 GB or more

CD/DVD

Optional

Optional

Network Adapter

1

1

USB Controller

Only required for nShield Remote Administration

Display

Standard configuration

Components required for installation:

  • Security World software v12.60.11, v12.80.4, or v13.3.2.

  • Red Hat Enterprise Linux v7.8 or later.

  • Linux firewall (firewalld).

  • Static IP address.

  • Mozilla Firefox.

    Versions of Mozilla Firefox after v31.6.0 do not support client-side (web browser) initiated key generation functions.
  • OpenJDK 64-bit.

  • Red Hat Directory Server (RHDS) v10 or later.

    Any LDAP-compliant database should be compatible with the integration.

  • Red Hat Certificate System (RHCS) v9 or later.

Licensing

There is no licensing that is imported into the product after installation. Contact Red Hat for appropriate licensing to purchase RHCS product support and RHN channel access.

Product configurations

RHCS v9.6 has been tested with the following nShield HSM configurations:

Software Firmware Netimage Security World Ciphersuite

12.60.11

12.50.11 (FIPS 140-2 certified)

12.60.10

FIPS-140 Level 3

DLf3072s256mAEScSP800131Ar1

RHCS v10.2 has been tested with the following nShield HSM configurations:

Software Firmware Netimage Security World Ciphersuite

12.80.4

12.50.11 (FIPS 140-2 certified)

12.60.10

FIPS-140 Level 3

DLf3072s256mAEScSP800131Ar1

12.80.4

12.72.1 (FIPS 140-2 certified)

12.80.5

FIPS-140 Level 3

DLf3072s256mAEScSP800131Ar1

RHCS v10.4 has been tested with the following nShield 5c HSM configurations:

Software Firmware Netimage Security World Ciphersuite

13.3.2

13.2.2

13.3.2

FIPS-140 Level 3

DLf3072s256mAEScSP800131Ar1

RHCS v10 Common Criteria edition is being tested by Red Hat using an Entrust nShield Connect XC HSM configured with the following settings:

Software Firmware Netimage Security World Ciphersuite

12.71

12.72.1 (FIPS 140-2 certified)

12.80.5

FIPS-140 Level 3

DLf3072s256mAEScSP800131Ar1

Supported nShield functionality

Red Hat Certificate System does not support module-protected keys. When you are enabling the use of an HSM, RHCS requires a token name, for which module protected keys have none. Using "accelerator" does not work.
Feature Support Feature Support

Key Generation

Yes

Module-only keys

No

Key Management

Yes

FIPS 140 Level 3 mode support

Yes

1-of-N Operator Card Set

Yes

Common Criteria mode support

N/A

K-of-N Operator Card Set

Yes

Load Sharing

Yes

Softcards

Yes

Failover

Yes

Policy requirements

Entrust recommends that your organization operates its PKI using an approved organizational Certificate Policy, Certificate Practices Statement, and any other policy/procedure guidance necessary to govern the administration of the PKI and associated HSM(s). In particular, these documents should specify the following aspects of HSM administration:

  • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

  • Whether application keys are to be protected by Operator Card Set (OCS), Softcard, or module key protection mechanisms.

  • The number and quorum of Operator Cards in the OCS (if OCS key protection is used), and the policy for managing these cards.

  • Whether the security world should be compliant with FIPS 140 Level 3, FIPS 140 Level 2, or Common Criteria.

    Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

    See the User Guide for your HSM and the nShield Security Manual for more recommendations, or contact your local Entrust nShield Account Manager to arrange a technical discussion on architecture and best practices specific to your environment.

Compliance with US government security standards

It may be important for your organization to configure your RHEL OS in compliance with applicable standards such as FIPS.