Entrust nShield Hardware Security Module
An HSM appliance is a hardware device that safeguards and manages digital cryptography keys for strong authentication and provides cryptographic processing functionality. A cloud-based HSM service provides cost-effective, on-demand key management services using a graphical user interface. Password Safe can use HSMs to manage encryption keys for stored credentials. The HSM takes over the key management, encryption, and decryption functionality for the stored credentials.
Password Safe communicates with HSMs using a commonly supported API called PKCS#11. HSMs include a PKCS#11 driver with their client software installation. This allows applications to use the device without requiring specific knowledge of the make, model, or configuration of the HSM.
The Password Safe integration with an HSM treats the HSM as an external API that only requires credentials. Advanced configurations and features, such as high-availability implementations, are typically transparent in Password Safe. For example, the client software might allow a group of multiple HSMs to be presented as a single token in a single slot. In this case, Password Safe accesses the group the same way it accesses a single HSM. Configuring the group and synchronizing key data is outside the scope of the Password Safe software and must be performed according to the guidelines for the specific hardware. If necessary, seek assistance from the HSM vendor.
Password Safe HSM credential usage
- Password Safe uses only one set of HSM credentials to encrypt any stored credential at a given time.
- Password Safe always encrypts new or edited credentials using the latest stored set of HSM credentials.
- Password Safe supports legacy HSM credentials. Credentials that were encrypted using an older set of HSM credentials are still accessible if the HSM credential used to encrypt them has not been deleted manually.
- Archived HSM credentials remain in the Password Safe database until they are manually deleted.
Supported product configurations
| Operating System / Software / Hardware | Version |
|---|---|
| Database | Microsoft SQL Server 2019 |
| Password Safe | 21.3 and later releases |
| Entrust HSM | nShield HSM or nShield as a Service |
| Connect XC Firmware / Image | 12.50.11 / 12.60.2 |
| Connect + Firmware / Image | 12.50.8 / 12.60.10 |
| Security World Software | 12.70.4 |
Note
Both Softcards and Module Only Keys are supported.
Install and Configure nShield HSM
The HSM must be installed and configured using the tools provided as part of the HSM client software suite. Install the nShield HSM before configuring the Security World Software with your BeyondInsight server, following the instructions in the Installation Guide provided by Entrust. Take note of the following values, as they are used during the client configuration step:
- : The IP address given to your nShield Connect
- : The serial number of your nShield Connect
- : The HKNETI of your nShield Connect
- : The IP address of the client hosting the Remote File System (RFS)
Install Security World software and create Security World
Note
The BeyondInsight server firewall does not allow incoming connections. Therefore, remote administration and RFS facilities are not available from this server.
Note
We recommend uninstalling any existing nShield software before installing the new nShield software.
- On your BeyondInsight server, install the latest version of the Security World Software as described in Entrust's Installation Guide for the HSM.
- Create the Security World as described in Entrust's User Guide for the HSM.
- Create the ACS and Softcards you require.
- Configure the cknfastrc environment variables:
- Open the C:\Program Files (x86)\nCipher\nfast\cknfastrc file.
- Add the following environment variables to the file:
CKNFAST_FAKE_ACCELERATOR_LOGIN=1 CKNFAST_NO_ACCELERATOR_SLOPTS=0 CKNFAST_LOADSHARING=1
- Update the cardlist file:
- Go to the C:\ProgramData\nCipher\Key Management Data\Config folder.
- Open the cardlist file in a text editor and add an asterisk (*) to authorize all Java Cards for dynamic slots.
- When configuring BeyondInsight, you must use Softcard protection or module protection. If using a Softcard, you must create it first. Perform the following steps on the BeyondInsight server in a PowerShell terminal as Administrator:
- Create the Softcard:
cd c:\Program Files\nCipher\nfast\bin ./ppmk -n beyondtrustsoftcard - Check for the Softcard:
./nfkminfo -s
- Create the Softcard:
Note
For more information on the integration of nShield HSMs and nShield as a Service with Password Safe, see the content available from the BeyondTrust nFinity HSM Partner Program page.
Configure HSM credentials
Ensure the following has been completed before configuring HSM credentials in BeyondInsight:
- The HSM has been installed and configured.
- The nShield client software has been installed and connected to the HSM.
- The Security World file has been created.
- A Softcard has been created using the nShield client software.
Note
There must not be any other credentials configured in the database when the HSM configuration procedure is executed.
Add an HSM credential to BeyondInsight
- Log in to the BeyondInsight server that is configured to access the HSM.
- Open the BeyondInsight Configuration tool:
- Start > Apps > eEye Digital Security > BeyondInsight Configuration.
- If a User Account Control dialog box appears, click Yes to continue.
- Click Configure HSM Credentials.
- The Configure HSM Credentials dialog appears. Select Edit > Add New HSM Credential.
- Enter HSM details as follows:
- 32-bit Driver Path: Select the 32-bit PKCS #11 driver that was supplied with your HSM client software.
- 64-bit Driver Path: Select the 64-bit PKCS #11 driver that was supplied with your HSM client software.
Note
The nShield HSM PKCS #11 drivers are located in the C:\Program Files\nCipher\nFast\toolkits\pkcs1 folder.
- Slot: After valid 32-bit/64-bit drivers are selected, this dropdown contains a list of the tokens presented by the driver in the format of label (slot number).
- The label is the name of the HSM token. Some HSMs have a default name. Otherwise, it is a name set when you configured your HSM.
- The slot number is an index number starting at 0, which indicates the token’s position within the list of tokens presented by the driver.
- Key Name: HSM keys are identified labels. A unique name must be provided for each key to associate encrypted credentials with the key used to encrypt and decrypt them. Any key name may be used as long as it is unique.
- Description: Information about the key, for display purposes only.
- PIN: The password for the HSM token that was set up for use by BeyondInsight. The token must have permission to create and access keys on the HSM.
- Click Save.
Manage Entrust nShield HSM Credentials
Change HSM credentials
Important
Editing an existing HSM credential could prevent Password Safe from successfully decrypting the credential. This occurs if the HSM credential does not match the encryption key name that was used to encrypt a credential. For this reason editing the key name is not permitted.
To edit HSM credentials:
- In the BeyondInsight Configuration Tool, right-click an existing credential.
- Select Edit Credential.
- Click the required cells and modify the values of:
- 32-bit Driver Path
- 64-bit Driver Path
- Slot
- Description
- PIN
- Click Save.
Delete existing HSM credentials
Important
Deleted credentials cannot be recovered, and Password Safe is unable to decrypt any credentials encrypted with those HSM credentials.
To delete HSM credentials:
- In the BeyondInsight Configuration Tool, right-click an existing credential.
- Click Delete Credential.
- Confirm the deletion.
- Click Save and Close.
Updated 6 days ago