The nCipher nShield Solo XC Cryptographic Module is Common Criteria certified HSM according to the Protection Profile (PP) EN 419 122-5 "Cryptographic Module for Trust Services". This HSM can be used with Ascertia SAM appliance to produce qualified remote signatures and seals. 

A new Crypto Source can be created in ADSS Server > Key Manager. Press the New button in the Crypto Source Screen to do so. The following form is presented:




The above page is described here:


Items

Description

Status

Set the status of this crypto profile. If the status is set to Inactive then it can not be used to generate or read the keys for cryptographic operations.

Friendly Name

Enter a friendly name for this HSM device. The name should be unique within this ADSS Server environment. Use a meaningful name for easy reference, e.g. nCipher_nShield_SoloXC etc.

Crypto Source Vendor

Select the option Entrust nCipher as Crypto source vendor.

Interface Type

This drop-down will allow the user to select the interface type for the UTIMACO crypto source vendor i.e. either  nShield PKCS#11 or nShield EN 419221-5. Both are explained below:

  • nShield PKCS#11: It offers full support including management of key generation and PKCS#7/CSR handling.
  • nShield EN 419221-5: It allows EU eIDAS compliant Remote Qualified Signatures to be produced where the signatures are created on nCipher nShield Solo XC EN 419 221-5 Common Criteria certified HSM.

PKCS#11 Module

Enter the PKCS#11 driver library file name/complete path for this HSM device.

Note: To find the library name of your device, refer to the documentation of the driver or contact the HSM vendor support to find the library name.

Fetch Slots

When this button is clicked then available slots within the PKCS#11 HSM are shown. The list of available slots will be shown in the next field i.e. Fetch Slots

Note: If no slots are shown, then the HSM may not be initialized correctly – consult the HSM installation & usage guide.

PKCS#11 Slot

Select the appropriate PKCS#11 slot. The drop down lists all the available slots for the configured PKCS#11 module.

PKCS#11 PIN

Enter the PIN or password of the Slot initializer user e.g. USR_0000. 

Note: The PIN is held securely in ADSS Server.

PKCS#11 Connection Pool Size

Enter the number of connections that will be maintained at any given time for this PKCS#11 device. Default value is 30.

PKCS#11 Monitoring Interval

Enter the monitoring time interval in minutes to periodically check whether the PKCS#11 device is alive. If it finds the device is not alive/available due to any reason then an email alert could be sent if Hardware crypto source monitoring is enabled in Key Manager > Alerts page.

Test Connection

This button is used to test communications with the configured hardware device.

Enable FIPS Mode

nShield Solo XC HSM is FIPS compliant device and this mode must be enabled by selecting this checkbox.

Key Template

The drop-down contains a list of key templates configured in Key Templates sub-module. Here, nCipher nShield CC certified key template will be attached from the drop-down. ADSS Server provides default key template for nCipher nShield CC certified HSM i.e. 'Default nShield EN 419221-5 Key Template'. The user can either attach the default key template or can create a new nCipher CC certified key template with desired configurations. 


Whenever the crypto source is changed, it is mandatory to re-start the ADSS Server Windows or Unix services.


ADSS Server communicates with nCipher nShiled HSM using ncipher.cfg file placed at [ADSS Server Installation Directory]/conf/hsm/ncipher. This file contains a default path "otp/nfast/kmdata" that needs to be replaced if ADSS is installed on Windows. Replace this default path with "C:/ProgramData/nCipher/Key Management Data" or to the path where nCipher is installed.



See also

PKCS#11 Standard

Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM

Azure Managed HSM

MS-CAPI/CNG

Importing Existing Keys