Entrust nShield hardware security modules (HSM)

OneSpan Authentication Server supports the Entrust nShield Solo XC and Entrust nShield Connect XC hardware security module (HSM) models. These modules are supported with OneSpan Authentication Server running on a 64-bit (x86_64) version of Red Hat Enterprise Linux 8.

Using an Entrust nShield HSM with OneSpan Authentication Server requires the following:

  • Security World
  • SEE module
  • Hardserver

HSM usage limitations

  • When using an Entrust nShield HSM, the EMV-CAP feature of OneSpan Authentication Server is not supported.

Security World

Security World is an Entrust nShield-specific term that refers to the framework that controls access to and usage of valuable cryptographic keys. To connect to a Security World, OneSpan Authentication Server first connects to a specific HSM that belongs to that Security World. Access control for a Security World is, in turn, configured on each HSM within that Security World.

A Security World consists of the following:

  • Entrust nShield HSM device(s)
  • Cryptographic keys. In the Security World, these keys are stored in an external file system. All of these keys are encrypted under a Security World Master Key, which is stored only in the HSM itself.
  • Operator Card Set (OCS). This is a set of smart cards used to control access to Entrust nShield HSM application keys. When using an Entrust nShield HSM with OneSpan Authentication Server, the OCS is only required for the initial setup of the Security World.

For information about creating and using an OCS, refer to the nShield Connect and netHSM User Guide, Section "Managing card sets and soft cards".

For information about setting up a Security World, refer to the nShield Connect and netHSM User Guide, Section "Creating and managing a security world". This guide is available with your HSM.

OneSpan Authentication Server supports both FIPS level 2 and FIPS level 3. However, we recommend the use of FIPS level 3 when you set up a Security World. When you configure a Security World to use FIPS level 3 with OneSpan Authentication Server, an OCS card should be permanently inserted into each HSM that is integrated with OneSpan Authentication Server.

SEE module

OneSpan provides a Secure Execution Engine (SEE) module to be used with Entrust nShield HSM devices. The SEE module contains custom firmware which allows Entrust nShield HSM devices to load and manage keys provided and used by Authentication Server Framework.

For information about installing the SEE module, refer to the OneSpan Authentication Server Installation Guide for Linux.

Hardserver

The hardserver (also known as nFastServer) is an Entrust nShield client daemon that mediates communication between the HSM devices inside the Security World and OneSpan Authentication Server. This daemon facilitates the following HSM tasks:

  • Failover and disaster recovery
  • Load balancing between multiple HSM devices
  • Loading cryptographic keys into the HSM devices
  • Loading storage and transport keys into the SEE module

When using supported Entrust nShield HSM devices with OneSpan Authentication Server, the hardserver must be configured to automatically do the following:

  • Connect to each Entrust nShield HSM used with OneSpan Authentication Server.
  • Load the SEE module provided by OneSpan Authentication Server into each HSM.

In some cases, the server hosting the hardserver may also need to be configured to start the hardserver automatically at boot.

For more information about configuring the hardserver to work with OneSpan Authentication Server, refer to the OneSpan Authentication Server Installation Guide for Linux.