You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys, or optionally use the SoftHSM software-based implementation for demonstration or testing purposes.

The following covers how to configure an Entrust nShield Connect HSM for the Software Appliance. For more information on the Entrust nShield Connect HSM, refer to the Entrust product documentation that you received with your purchase of the HSM. Note that this guide uses version 12.80.4 of Entrust's Security World software package.

Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you need to reset the Software Appliance.

To configure an Entrust nShield Connect HSM for your Software Appliance, follow the steps below.

If you run into issues after the configuration, you can get HSM-specific log messages from an HSM Support Package. For further information, please refer to Create an HSM Log.


Supported Entrust HSM features

The Software Appliance supports the following Entrust nShield Connect features:

  • Softcards
  • Operator card sets with a 1/N quorum
  • Module Protected Keys

Setups that require the preload command are not supported.

Connect the Software Appliance with the Entrust nShield Connect HSM

To connect the Software Appliance with the HSM:

  1. Log in to your Software Appliance and open the Security page.
  2. In the HSM Configuration section, select Entrust nShield Connect to access the Configuration fields:

    Screenshot: Overview HSM Entrust
  3. In the nShield HSM Devices section, click Add HSM Device.

    Screenshot: nShield HSM Devices
  4. The Edit HSM Device form opens. Enter the Connection Settings and the Device Information.

    Screenshot: Edit HSM Device
  5. Confirm your entries with Add HSM Configuration.

    A warning appears to inform you that after saving the HSM configuration you can no longer switch to a different HSM.

    To change the HSM configuration, you need to reset your EJBCA Software Appliance. Proceed by clicking Activate.

  6. Remote File System Settings

    • RFS Mode: Select the appropriate option. Recommended: Read and Write.
      Readonly (default): Local changes are not synchronized to the RFS server. External changes are loaded from the RFS server every 2 minutes.
      Read and Write: Local changes are detected every 3 seconds and, if necessary, transmitted to the RFS server. External changes are loaded from the RFS server every 2 minutes.
    • RFS IP Address and RFS Port: Enter the IP address and the port of the RFS server.

      Screenshot: Remote File System Settings
  7. Logging Settings

    • Library Log Level: Select the log level for the PKCS#11 library.
    • Hardserver Log Level: Select the log level for the hardserver.

    • Click Save HSM Configuration to confirm.

      Screenshot: Logging Settings

      Another warning appears to inform you that changing the configuration of your HSM will restart all applications on your Software Appliance.

      Click Save to confirm.


  8. Client Authentication Information

    • Software-based Key Hash: The software-based key hash appears automatically once you have added at least one HSM and provided the RFS (Remote File System) information. The value displayed here can be used to register the Software Appliance with the HSM using software-based authentication.

      Optional!
      Enable: Allow nShield HSMs to fetch software-based key hash.
      This opens port 9004 on the Software Appliance to allow the Software Appliance to be registered as an nShield client with software-based authentication.

      This step is only required if you want to further secure the connection between the Software Appliance and the Entrust nShield Connect HSM.

      Screenshot: Client Authentication Information


  9. Register the Software Appliance as a client to the Entrust nShield Connect HSM.

    If you have performed the optional additional authentication by means of the software-based key hash, it is recommended to disable this function now.


  10. The HSM Driver Status on the Security page of the Software Appliance changes from Not Connected to Connected once the configuration is complete.

    Screenshot: HSM Driver Status

    Furthermore, the connection is now also listed on the Security page of the Software Appliance. Here you can perform actions such as Edit Device or Remove Device.

    Screenshot: nShield HSM Devices

    On the Overview page of the Software Appliance, the status in the HSM Overview also changes to Connected. While the configuration process is active, the appliance status is Restarting and the appliance is unavailable during that time.

To achieve Load Sharing, add one or more additional HSMs with the Add HSM Device operation.

Once the Software Appliance is running again, you can proceed with adding a crypto token.

Add a Crypto Token in EJBCA

To create a crypto token:

  1. In the Overview page of the Software Appliance, click Admin Web for EJBCA.
  2. In EJBCA, select the Crypto Tokens menu option and click Next.
  3. On the Manage Crypto Tokens page, click Create New Crypto Token to add a crypto token.