Introduction

This document describes how to integrate the Venafi TLS Protect Datacenter with the Entrust nShield hardware security module (HSM) as a Root of Trust for storage encryption, to protect the private keys and meet FIPS 140 Level 2 or Level 3.

Product configurations

Entrust has successfully tested nShield HSM integration with Venafi TLS Protect Datacenter in the following configurations:

Product                        Version
Venafi TLS Protect Datacenter  24.3.1.2989
Base OS                        Windows Server 2022

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions.

Module, OCS, and softcard protection were tested in all configurations.

HSM              Security World Software   Firmware                                     Image
nShield Connect  13.6.5                    12.72.1 and 12.72.3 (FIPS 140-2 certified)   13.6.5
nShield 5c       13.6.5                    13.4.5 (FIPS 140-3 certified)                13.6.5

Supported nShield HSM functionality

Feature            Support
Module-only key    Yes
OCS cards          Yes
Softcards          Yes
nSaaS              Yes
FIPS 140 Level 3   Yes [1]

[1] Keys cannot be exported when using a FIPS 140 Level 3 Security World. As a result, some Venafi integration functionality (such as HSM Central Private Key Generation) is only supported on FIPS 140 Level 2 Security Worlds.

Requirements

Familiarize yourself with:

  • Venafi TLS Protect Datacenter documentation (https://docs.venafi.com).

  • The nShield HSM: Installation Guide and User Guide.

  • Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:

    • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

    • The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.

    • The keys protection method: Module, Softcard, or OCS.

    • The level of compliance for the Security World (FIPS 140 Level 3).

    • Key attributes such as key size, time-out, or need for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.