Introduction

This guide describes how to integrate a Red Hat OpenShift cluster with an Entrust nShield Hardware Security Module (HSM), using the nShield Container Option Pack (nCOP).

OpenShift is Red Hat's application hosting platform for building, launching, and scaling container-based applications, whether in a public cloud or on your own infrastructure. nCOP gives applications running in OpenShift's container-based environment access to the cryptographic functionality of an nShield HSM.

Integration architecture

OpenShift cluster and HSM

In this integration, a Red Hat OpenShift cluster is deployed on VMware vSphere, and the container images are pulled from a third-party cloud registry.

Container images

Two container images were created for this integration: a hardserver container image and an application container image. Both are stored in an external registry from which OpenShift pulls them:

  • cv-nshield-hwsp-container

    A hardserver container image that controls communication between the HSM(s) and the application containers. One or more hardserver containers are required per deployment, depending on the number of HSMs and the number and types of application containers.

    Entrust recommends that you allow only unprivileged connections to the hardserver unless you are performing administrative tasks. Privileged connections permit operations such as clearing the module, which application containers should not need.
  • cv-nshield-app-container

    Application container image used to run nShield commands. It is a Universal Base Image (UBI) container in which the Security World software is installed.

You can also create containers that contain your application. For instructions, see the nShield Container Option Pack User Guide.
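As an added illustration, and not a manifest from the Entrust guide or from nCOP itself, the following OpenShift Pod pairs the two images described above: the hardserver container reads its configuration from a ConfigMap and publishes its client socket on an emptyDir volume, and the application container mounts only that unprivileged socket directory plus the Security World data. The registry path and image tags, the ConfigMap and claim names, and the HSM address, ESN and key hash are placeholders. The /opt/nfast paths and the [nethsm_imports] settings are the standard Security World ones, and the statement that the privileged socket lives under /opt/nfast/sockets-priv is the standard hardserver layout rather than something this page states.

```yaml
# Added example, not from the Entrust guide: a Pod running the hardserver
# container next to an application container.  Anything marked "assumed" or
# "placeholder" is not taken from the page.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nshield-hardserver-config            # assumed name
data:
  # Standard Security World hardserver config file.  Address, port, ESN and
  # key hash are placeholders; take the real values from the nShield Connect.
  config: |
    [nethsm_imports]
    local_module=1
    remote_ip=192.0.2.10
    remote_port=9004
    remote_esn=XXXX-XXXX-XXXX
    keyhash=0000000000000000000000000000000000000000
    # privileged=0: this client may only open unprivileged connections to
    # the HSM.  Set it to 1 only for a dedicated administrative pod.
    privileged=0
---
apiVersion: v1
kind: Pod
metadata:
  name: nshield-app                          # assumed name
spec:
  restartPolicy: Always
  securityContext:
    runAsNonRoot: true
  containers:
  - name: hardserver
    image: registry.example.com/cv-nshield-hwsp-container:1.1.2   # registry path and tag assumed
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: hardserver-config
      mountPath: /opt/nfast/kmdata/config
      readOnly: true
    - name: sockets                          # unprivileged client socket directory
      mountPath: /opt/nfast/sockets
    # /opt/nfast/sockets-priv (the privileged socket) is deliberately not
    # shared with any other container.
  - name: app
    image: registry.example.com/cv-nshield-app-container:1.1.2    # registry path and tag assumed
    # Wait until the hardserver answers, then stay up so further Security
    # World commands can be run with 'oc exec' into this container.
    command: ["/bin/sh", "-c"]
    args:
    - |
      until /opt/nfast/bin/enquiry; do
        echo "hardserver not ready yet"; sleep 5
      done
      sleep infinity
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: sockets
      mountPath: /opt/nfast/sockets          # must be writable: connect() on a Unix socket needs write access
    - name: kmdata
      mountPath: /opt/nfast/kmdata/local     # Security World files (world, module, key blobs)
  volumes:
  - name: hardserver-config
    configMap:
      name: nshield-hardserver-config
  - name: sockets
    emptyDir: {}
  - name: kmdata
    persistentVolumeClaim:
      claimName: nshield-kmdata              # assumed claim holding the Security World data
```

The hardserver container needs egress to the HSM on TCP port 9004, and the nShield Connect must have the address the Pod's traffic leaves from (normally the node address) enrolled as a client; until both hold, enquiry keeps failing and the application container keeps retrying. Keeping privileged=0 in the configuration and withholding the sockets-priv directory from the application container are two independent controls for the same recommendation: the first is enforced by the HSM, the second by the Pod spec.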

Product configurations

Entrust has successfully tested the integration of an nShield HSM with Red Hat OpenShift in the following configurations:

Product                   Version
Base OS                   RHEL 8.9
OpenShift                 4.14.7
VMware                    vSphere 8.0.0.10200
Security World Software   13.4.4
nCOP                      1.1.2

Supported nShield hardware and software versions

Entrust tested with the following nShield hardware and software versions:

Connect XC

Security World Software  Firmware                          Image    OCS  Softcard  Module  FIPS Level 3
13.4.4                   12.50.11 (FIPS 140-2 certified)   12.80.4                          No
13.4.4                   12.72.1 (FIPS 140-2 certified)    12.80.5                          Yes

nShield 5c

Security World Software  Firmware                          Image    OCS  Softcard  Module  FIPS Level 3
13.4.4                   13.2.2                            13.2.2                           Yes
13.4.4                   13.4.3                            13.4.3                           Yes

Requirements

Before starting the integration process

Familiarize yourself with:

  • The documentation for the nShield HSM.

  • The nShield Container Option Pack User Guide.

  • The documentation and setup process for Red Hat OpenShift.