Entrust nShield hardware security modules (HSM)
To integrate an existing Entrust nShield HSM with OneSpan Authentication Server, you need to configure the OneSpan Authentication Server host to become a client of the HSM. To do this, you need to set up the following components on the host before installing OneSpan Authentication Server:
Software packages
The following packages must be installed on the server hosting OneSpan Authentication Server. These packages are shipped with your HSM:
- Entrust nShield Hardware Support. This is the Entrust nShield runtime package, which contains the drivers, hardserver, runtime library, and utilities.
- Entrust nShield Core Tools. This includes the management utilities, including generatekey.
OneSpan Authentication Server supports version 11.60. As such, all instructions herein that relate to Entrust nShield HSM setup are specific to that version.
Security World
Security World is an Entrust nShield-specific term that refers to the framework that controls access to and usage of valuable cryptographic keys. OneSpan Authentication Server must first connect to a specific HSM belonging to a Security World to connect to that Security World. In turn, access control to a Security World is configured in each HSM within that Security World.
For more information about setting up a Security World, refer to the nShield Connect and netHSM User Guide, Section "Creating and managing a Security World". This guide is included with your HSM.
OneSpan Authentication Server supports both FIPS level 2 and FIPS level 3. However, we recommend the use of FIPS level 3 when you set up a Security World. When you configure a Security World to use FIPS level 3 with OneSpan Authentication Server, an OCS card should be permanently inserted into each HSM that is integrated with OneSpan Authentication Server.
SEE module
The SEE module contains custom firmware that allows an Entrust nShield HSM to load and manage keys provided and used by OneSpan Authentication Server Framework. The required SEE module is provided with OneSpan Authentication Server. The process of installing and configuring a SEE module integrates OneSpan Authentication Server Framework with the HSM.
Hardserver
The hardserver is an Entrust nShield client daemon that manages communication between each HSM inside the Security World and OneSpan Authentication Server. It is typically installed and configured on the same machine that hosts OneSpan Authentication Server.
When configuring and working with the Hardserver, you will need to establish a privileged connection for some operations and tasks (see Entrust nShield – Privileged connection requirements).
HSM usage limitations
- When using an Entrust nShield HSM, the EMV-CAP feature of OneSpan Authentication Server is not supported.