Introduction

This document describes how to integrate the Venafi TLS Protect Datacenter with the Entrust nShield hardware security module (HSM) as a Root of Trust for storage encryption, to protect the private keys and meet FIPS 140 Level 2 or Level 3.

Product configurations

Entrust has successfully tested nShield HSM integration with Venafi TLS Protect Datacenter in the following configurations:

Product                        Version
Venafi TLS Protect Datacenter  23.3.0.3410
Base OS                        Windows Server 2016

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Connect XC

Security World Software  Firmware                         Image    OCS  Softcard  Module
12.80.4                  12.50.11 (FIPS 140-2 certified)  12.80.4
12.80.4                  12.72.1 (FIPS 140-2 certified)   12.80.5
13.3.2                   12.72.1 (FIPS 140-2 certified)   12.80.5

nShield 5c

Security World Software  Firmware  Image    OCS  Softcard  Module
13.3.2                   13.2.2    13.3.2

Supported nShield HSM functionality

Feature           Support
Module-only key   Yes
OCS cards         Yes
Softcards         Yes
nSaaS             Yes
FIPS 140 Level 3  Yes [1]

[1] Keys cannot be exported from a FIPS 140 Level 3 Security World. As a result, some Venafi integration functionality (such as HSM Central Private Key Generation) is supported only on FIPS 140 Level 2 Security Worlds.

Requirements

Familiarize yourself with:

  • Venafi TLS Protect Datacenter documentation (https://docs.venafi.com).

  • The nShield HSM: Installation Guide and User Guide.

  • Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:

    • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

    • The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.

    • The key protection method: Module, Softcard, or OCS.

    • The level of compliance required for the Security World (for example, FIPS 140 Level 3).

    • Key attributes such as key size, time-out, or need for auditing key usage.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.