Introduction
This document describes how to integrate Venafi TLS Protect Datacenter with the Entrust nShield hardware security module (HSM) as a Root of Trust for storage encryption, protecting the private keys and meeting FIPS 140 Level 2 or Level 3 requirements.
Product configurations
Entrust has successfully tested nShield HSM integration with Venafi TLS Protect Datacenter in the following configurations:
Product | Version
---|---
Venafi TLS Protect Datacenter | 23.3.0.3410
Base OS | Windows Server 2016
Supported nShield hardware and software versions
Supported nShield HSM functionality
Feature | Support
---|---
Module-only key | Yes
OCS cards | Yes
Softcards | Yes
nSaaS | Yes
FIPS 140 Level 3 | Yes ¹

¹ Keys cannot be exported when using a FIPS 140 Level 3 Security World. As a result, some Venafi integration functionality (such as HSM Central Private Key Generation) is only supported on FIPS 140 Level 2 Security Worlds.
Requirements
Familiarize yourself with:
- Venafi TLS Protect Datacenter documentation (https://docs.venafi.com).
- The nShield HSM: Installation Guide and User Guide.
- Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:
  - The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
  - The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.
  - The key protection method: Module, Softcard, or OCS.
  - The level of compliance for the Security World, FIPS 140 Level 3.
  - Key attributes such as key size, time-out, or the need for auditing key usage.
- Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.