nShield v14.1.1 Service Provider User Guide
Introduction
The nShield Service Provider User Guide provides useful information about how to use your nShield HSM to provision VCMs for your tenants.
Read this guide if …
Read this guide if you need to configure or manage an Entrust Hardware Security Module (HSM) for use in multi-tenancy.
Before using this guide you should have:
- Installed your nShield HSM as described in Installing an nShield HSM
- Installed the software as described in Installing the nShield Security World software for an nShield HSM
Terminology
| Term | Description |
|---|---|
| Service Provider | A person or organisation that manages VCMs for use by tenants. The service provider has physical access to the HSM. |
| Tenant | A person or organisation that makes use of a VCM to provide cryptographic services. |
| VCM | A cryptographic module implemented as a share of a physical HSM that provides all the cryptographic services of an HSM and is securely separated from any other VCMs implemented on the same physical HSM. |
After installation
If your HSM was a new installation, or if it was upgraded from a firmware version earlier than v14.1.1, then once the hardware and software have been successfully installed the HSM will be running a number of platform services, but there will be no VCMs running and therefore no tenant services. See Platform services (nShield 5 HSMs).
If you have not purchased a multi-tenancy licence, you will be restricted to creating and running a single VCM. In this case you can automatically create, start and enroll a single VCM with the command hsmadmin vcm single-setup.
Entrust recommends using hsmadmin vcm single-setup only in situations where you intend to have a single VCM. This is because the command automatically sets a number of options and makes networking choices that may not be appropriate when creating subsequent VCMs.
In order to create more than one VCM you must purchase a licence from Entrust Sales. See Maximum number of concurrently active VCMs feature. Then create VCMs for your tenants by following the instructions at providing VCMs for your tenants.