Integrating an External Hardware Security Module (HSM)
As an alternative to the native software cryptography, you can integrate a network-attached Entrust® nShield™ Connect HSM with the ActivID Appliance as an external HSM.
The Hardware Security Module (HSM) is responsible for encryption, decryption, key management, and digital signature creation and validation. This includes the following cryptographic operations:

- Encrypting and decrypting sensitive information stored in the database (that is, credentials, passwords, security questions and answers).
- Encrypting the hash of database row signatures.
To integrate the Entrust nShield Connect HSM with the ActivID Appliance, perform the following steps:

- Prepare the HSM and RFS (Remote File System) for the appliance:
  - Install the Entrust Security World Software for nShield (recommended version 12.60.11), the software that facilitates the integration of the Entrust nShield Connect HSM with the appliance.
  - Create the HSM keys (protected by the module or by an OCS card) to be used by the ActivID Appliance.
  - Create the Operator Card Sets.
  - Create the ActivID IDP keys and certificates.
The ActivID Appliance supports multiple Entrust® nShield® HSM modules in a cluster. This allows automatic failover to another HSM module if one fails.

Failover is supported in deployments with both module-protected and OCS-protected keys, although the transparency of the failover differs:

- Module-protected keys – In HSM pool mode, the failover is transparent to the ActivID Appliance, so there is no need for the supervisor to restart the applications.
- OCS-protected keys – The failover is not transparent. The ActivID Appliance supervisor watchdog automatically probes the authentication services and restarts the application services if necessary. In this case, the authentication services are unavailable during the restart process (on average, for five minutes).
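The two failover behaviours described above, as an added illustrative model. This is not ActivID Appliance or Entrust nShield code: the class and method names, the module names `hsm-a`/`hsm-b`, and the three-consecutive-probe restart threshold are all assumptions chosen for the example. A module-protected key can be served by any online module in the pool, so the caller never notices the outage; an OCS-protected key is loaded through a card set on one module, so the session dies with that module and is only re-established when the watchdog restarts the service.

```python
"""Constructed model of HSM cluster failover for module-protected versus
OCS-protected keys. Illustrative only: not ActivID Appliance or nShield
code; names and the probe threshold are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class HsmModule:
    name: str
    online: bool = True


class ModulePool:
    """Module-protected keys in pool mode: every module holds the same
    Security World, so any online module can serve a request and the
    caller never sees which one did."""

    def __init__(self, modules: List[HsmModule]) -> None:
        self.modules = modules

    def sign(self, data: bytes) -> str:
        for m in self.modules:
            if m.online:
                return f"{m.name}:sig:{data.hex()}"
        raise RuntimeError("no HSM module available")


class OcsSession:
    """OCS-protected keys: the key is loaded through a card set presented
    to one module, so the session is bound to that module."""

    def __init__(self, module: HsmModule) -> None:
        self.module = module

    def healthy(self) -> bool:
        return self.module.online

    def sign(self, data: bytes) -> str:
        if not self.module.online:
            raise RuntimeError(f"{self.module.name} offline; bound session is dead")
        return f"{self.module.name}:sig:{data.hex()}"


class Watchdog:
    """Probes the service and restarts it after `threshold` consecutive
    failed probes (threshold is an assumed value, not the appliance's)."""

    def __init__(self, probe: Callable[[], bool],
                 restart: Callable[[], None], threshold: int = 3) -> None:
        self.probe, self.restart, self.threshold = probe, restart, threshold
        self.failures = 0

    def tick(self) -> str:
        if self.probe():
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures < self.threshold:
            return "degraded"          # service unavailable, not yet restarted
        self.restart()
        self.failures = 0
        return "restarted"


def simulate(ocs_protected: bool) -> List[str]:
    """Script an outage of module A and record what the service observes."""
    a, b = HsmModule("hsm-a"), HsmModule("hsm-b")
    events: List[str] = []

    if not ocs_protected:
        pool = ModulePool([a, b])
        events.append(pool.sign(b"row-1"))   # served by A
        a.online = False                     # A fails
        events.append(pool.sign(b"row-2"))   # served by B, caller unaware
        return events

    state: Dict[str, OcsSession] = {"session": OcsSession(a)}

    def restart() -> None:
        # On restart the OCS key is reloaded on a module that is still up.
        target = next(m for m in (a, b) if m.online)
        state["session"] = OcsSession(target)
        events.append(f"restart -> {target.name}")

    dog = Watchdog(probe=lambda: state["session"].healthy(), restart=restart)
    events.append(state["session"].sign(b"row-1"))
    a.online = False                         # A fails; session bound to it
    for _ in range(3):
        events.append(dog.tick())            # degraded, degraded, restarted
    events.append(state["session"].sign(b"row-2"))
    return events
```

Running `simulate(False)` shows two successful signatures with no intervening event, while `simulate(True)` shows the window of "degraded" probes before the restart moves the session to the surviving module; that window is the unavailability the text attributes to OCS-protected deployments.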
For further information about the required configuration, see Managing Clusters.
Topics in this section: