nCipher nShield Solo XC Cryptographic Module
The nCipher nShield Solo XC Cryptographic Module is Common Criteria certified HSM according to the Protection Profile (PP) EN 419 122-5 "Cryptographic Module for Trust Services". This HSM can be used with Ascertia SAM appliance to produce qualified remote signatures and seals.
A new Crypto Source can be created in ADSS Server > Key Manager. Press the New button in the Crypto Source Screen to do so. The following form is presented:
The above page is described here:
Items |
Description |
Status |
Set the status of this crypto profile. If the status is set to Inactive then it can not be used to generate or read the keys for cryptographic operations. |
Friendly Name |
Enter a friendly name for this HSM device. The name should be unique within this ADSS Server environment. Use a meaningful name for easy reference, e.g. nCipher_nShield_SoloXC etc. |
Crypto Source Vendor |
Select the option Entrust nCipher as Crypto source vendor. |
Interface Type |
This drop-down will allow the user to select the interface type for the UTIMACO crypto source vendor i.e. either nShield PKCS#11 or nShield EN 419221-5. Both are explained below:
|
PKCS#11 Module |
Enter the PKCS#11 driver library file name/complete path for this HSM device. Note: To find the library name of your device, refer to the documentation of the driver or contact the HSM vendor support to find the library name. |
Fetch Slots |
When this button is clicked then available slots within the PKCS#11 HSM are shown. The list of available slots will be shown in the next field i.e. Fetch Slots Note: If no slots are shown, then the HSM may not be initialized correctly – consult the HSM installation & usage guide. |
PKCS#11 Slot |
Select the appropriate PKCS#11 slot. The drop down lists all the available slots for the configured PKCS#11 module. |
PKCS#11 PIN |
Enter the PIN or password of the Slot initializer user e.g. USR_0000. Note: The PIN is held securely in ADSS Server. |
PKCS#11 Connection Pool Size |
Enter the number of connections that will be maintained at any given time for this PKCS#11 device. Default value is 30. |
PKCS#11 Monitoring Interval |
Enter the monitoring time interval in minutes to periodically check whether the PKCS#11 device is alive. If it finds the device is not alive/available due to any reason then an email alert could be sent if Hardware crypto source monitoring is enabled in Key Manager > Alerts page. |
Test Connection |
This button is used to test communications with the configured hardware device. |
Enable FIPS Mode |
nShield Solo XC HSM is FIPS compliant device and this mode must be enabled by selecting this checkbox. |
Key Template |
The drop-down contains a list of key templates configured in Key Templates sub-module. Here, nCipher nShield CC certified key template will be attached from the drop-down. ADSS Server provides default key template for nCipher nShield CC certified HSM i.e. 'Default nShield EN 419221-5 Key Template'. The user can either attach the default key template or can create a new nCipher CC certified key template with desired configurations. |
Whenever the crypto source is changed, it is mandatory to re-start the ADSS Server Windows or Unix services. |
ADSS Server communicates with nCipher nShiled HSM using ncipher.cfg file placed at [ADSS Server Installation Directory]/conf/hsm/ncipher. This file contains a default path "otp/nfast/kmdata" that needs to be replaced if ADSS is installed on Windows. Replace this default path with "C:/ProgramData/nCipher/Key Management Data" or to the path where nCipher is installed. |
See also
Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM