Security: Entrust nShield HSM

A Hardware Security Module (HSM) can be configured to store and protect cryptographic keys. Optionally, you can use the software-based SoftHSM implementation for demonstration or testing purposes.

The following chapter provides information on how to configure an Entrust nShield Connect HSM for the Software Appliance. For more information on the Entrust nShield Connect HSM, refer to the Entrust product documentation that you received with your purchase of the HSM. Please note that two versions of the Security World software package from Entrust are available: 12.80.4 and 13.4.4.

Configuring an HSM for the Software Appliance is irrevocable. To change an HSM configuration, you must reset the Software Appliance.

To configure an Entrust nShield Connect HSM for your Software Appliance, follow the steps below.

Supported Entrust HSM Features

The Software Appliance supports the following Entrust nShield Connect features:

  • Preload of any Operator CardSets with a k/n quorum.

  • Preload with HA of any 1/n quorum Operator CardSet (n >= number of connected HSMs).

  • Connection of any 1/n Operator CardSet without preload functionality.

  • Softcards

If you run into issues after the configuration, you can get HSM-specific log messages from an HSM Support Package. For further information, refer to Create an HSM Log.

Connect the Software Appliance with the Entrust nShield HSM

To connect the Software Appliance with the HSM, proceed as follows:

Add an HSM Device

  1. Log in to your Software Appliance and open the Security page or click Configure HSM in the Overview.

  2. In the HSM Selection section, select Entrust nShield Connect to access the Configuration fields.

  3. The HSM Client Version selection shows the available Entrust nShield HSM drivers. Select the version to be installed.

  4. Click Add HSM Device.

  5. The form Add HSM Device opens.
    Enter the Connection Settings: the IP Address and Port of the Entrust nShield Connect.
    Enter the Device Information: the Electronic Serial Number (ESN) and the nShield Integrity Key Hash of the Entrust nShield Connect.

  6. Confirm your entries with Add HSM Device.

A warning appears to inform you that after saving the HSM configuration, you can no longer switch to a different HSM.

To change the HSM configuration, you need to reset your EJBCA Software Appliance.
Click Activate to proceed.

The Entrust nShield HSM device is now configured and listed in the section Entrust nShield Connect Configuration nShield HSM Devices.

The status is also displayed on the Overview page in the HSM Overview section.
Click Configure HSM to go back to the HSM Configuration on the Security page.
