Preparing for hardware security module (HSM)

If you plan to integrate OneSpan Authentication Server with a supported HSM, the HSM must be installed and functioning correctly prior to OneSpan Authentication Server installation. For more information about setting up an HSM, see Hardware security module setup.

At the beginning of the installation, you will be asked whether you want to use OneSpan Authentication Server with an HSM. This option requires a configured HSM.

When integrating an HSM with OneSpan Authentication Server, you must configure the HSM driver before you install OneSpan Authentication Server. On all Linux distributions using the UNIX System V operating system, the HSM driver must be configured for communication with OneSpan Authentication Server because the script created upon driver installation does not automatically start the system service.

To verify the HSM driver communication with OneSpan Authentication Server (Thales ProtectServer)

  1. Open a terminal window.
  2. Log in as root:

    su -

  3. Change to the root folder:

    cd /

  4. Verify the connection between the HSM and the driver:

    ctconf -v

To verify the HSM driver communication with OneSpan Authentication Server (Entrust nShield)

  1. Open a terminal window.
  2. Log in as root:

    su -

  3. Verify the connection between the HSM and the driver:

    /opt/nfast/bin/enquiry

  4. Verify the driver link. If it is /etc/init.d/nc_hardserver, you must replace the init.d file with the system.d file.

  5. Replace /opt/nfast/scripts/init.d/hardserver with /opt/nfast/scripts/system.d/hardserver.
  6. Restart the computer, then run the following command again to verify that the driver is loaded and the connection is working:

    /opt/nfast/bin/enquiry
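
The Entrust nShield checks in steps 3 to 6 can be scripted as a pre-installation check. The following is an added example, not code from OneSpan or Entrust. It assumes that the driver link is a symbolic link at /etc/init.d/nc_hardserver and that enquiry exits with a non-zero status when it cannot reach the hardserver; the function names and the NFAST_SCRIPTS and ENQUIRY variables are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install check for the Entrust nShield procedure.
# Assumptions (not stated on the page): the "driver link" is a symlink at
# /etc/init.d/nc_hardserver, and enquiry exits non-zero when it cannot
# reach the hardserver.
NFAST_SCRIPTS=${NFAST_SCRIPTS:-/opt/nfast/scripts}
ENQUIRY=${ENQUIRY:-/opt/nfast/bin/enquiry}

# Resolve a path to its canonical form; fall back to the input on failure.
canon() { readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"; }

# Print which start script the link uses: init.d, system.d, missing or other.
classify_hardserver_link() {
    link=$1
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo missing
        return 0
    fi
    target=$(canon "$link")
    initd=$(canon "$NFAST_SCRIPTS/init.d/hardserver")
    sysd=$(canon "$NFAST_SCRIPTS/system.d/hardserver")
    if [ "$target" = "$sysd" ]; then
        echo system.d
    elif [ "$target" = "$initd" ]; then
        # Step 5 may have overwritten the init.d file in place, so compare
        # contents before reporting that the System V script is still active.
        if cmp -s "$initd" "$sysd"; then echo system.d; else echo init.d; fi
    else
        echo other
    fi
}

# Return 0 only if enquiry succeeds and the link no longer uses init.d.
nshield_preflight() {
    link=${1:-/etc/init.d/nc_hardserver}
    rc=0
    if ! "$ENQUIRY" >/dev/null 2>&1; then
        echo "FAIL: $ENQUIRY did not complete successfully" >&2
        rc=1
    fi
    case $(classify_hardserver_link "$link") in
        init.d) echo "FAIL: $link still uses the init.d script" >&2; rc=1 ;;
        other)  echo "WARN: $link resolves to an unexpected file" >&2 ;;
    esac
    return $rc
}
```

Source the file and call nshield_preflight as root after the restart in step 6; a non-zero return status means one of the two checks did not pass.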

The following steps must be taken before configuring OneSpan Authentication Server via the Configuration Wizard (see Configuring OneSpan Authentication Server (advanced installation)):

  • Set up all components required by your HSM.
  • Generate all keys you will be using (e.g. storage data key, sensitive data key).
  • Configure your HSM.

For more information about configuring your HSM and generating the keys, see Entrust nShield hardware security modules (HSM) and Thales ProtectServer hardware security modules (HSM).