Apache HTTP Server - nShield® HSM Integration Guide - CHIL

- Industries
- Solutions
  - Zero Trust
    Entrust offers an unmatched suite of Zero Trust security solutions to help customers protect identities and data, reduce risk, and achieve compliance across their multi-cloud infrastructure.
    Learn More
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
    3. Secure Transactions
      Ensure authenticated agreements between businesses, customers, and citizens.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. Entrust KeyControl
      Manage cryptographic keys and secrets with decentralized vaults and a compliance management dashboard for security policies and regulations.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield 5c
    2. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    3. nShield 5s
    4. nShield Solo
      PCI-Express card-based HSMs.
    5. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

The Apache HTTP Server 2.4.6 integrates with the Entrust nShield® Hardware Security Module (HSM) to provide a secure web server solution. The nShield HSMs are hardened, tamper-resistant cards which perform encryption, digital signing and key generation on behalf of an extensive range of commercial and custom-built applications, including certificate authorities, and code signing.

The benefits of using an nShield Hardware Security Module (HSM) with the Apache HTTP Server include:

Secure storage of the private key.
FIPS 140-2 Level 3 validated hardware.
Improved server performance by offloading the cryptographic processing.
Full life cycle management of the keys.
Failover support.
Load balancing between HSMs.

Note	Throughout this guide, the term HSM refers to nShield Solo and nShield Connect units. (nShield Solo products were formerly known as nShield).

This guide describes how to use the nShield Cryptographic Hardware Interface Library (CHIL) interface to integrate the HSM and Apache HTTP Server.

Product configurations

We have successfully tested nShield HSM integration with the server in the following configurations:

Operating System	Apache version	OpenSSL version	Security World Software version	nShield Solo support	nShield Connect support
Red Hat Enterprise Linux 7 x 64-bit	2.4.6	1.0.2k-fips	12.60.3 *	Yes	Yes

* The nShield 12.40 Compatibility Package is required for the Cryptographic Hardware Interface Library (CHIL) plugin. To obtain the package, contact contact Entrust nShield Support, https://nshieldsupport.entrust.com .

Supported nShield functionality

Feature	Support	Feature	Support	Feature	Support
Key Generation	Yes	1-of-N Operator Card Set	Yes	FIPS 140-2 Level 3 Support	Yes
Key Management	Yes	K-of-N Operator Card Set	Yes	Load Sharing	Yes
Key Import	Yes	Softcards	Yes	Fail Over	Yes
Key Recovery	Yes	Module-only Key	Yes

Requirements

Ensure that you have supported versions of the nShield, Apache, and third-party products. See Product configurations .

Consult the security team in your organization for a suitable setting of the SE Linux policy to allow the web server read access to the files in /opt/nfast .

To perform the integration tasks, you must have:

root access on the operating system.
Access to nfast and httpd accounts.

Before starting the integration process, familiarize yourself with:

The documentation for the HSM.
The documentation and setup process for the Apache HTTP server.

Before using the nShield software, you need to know:

The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
Whether the application keys are protected by the module or an Operator Card Set (OCS) with or without a pass phrase.
The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
Whether the security world should be compliant with FIPS 140-2 Level 3.

For more information, refer to the User Guide and Installation Guide for the HSM.

More information

For more information about OS support, contact your Apache HTTP Server sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com .

Procedures

Integration procedures include:

Installing the HSM.
Installing the Security World Software and create the security world.
Installing the Apache HTTP Server.
Testing CHIL.
Configuring the Apache HTTP Server to use the HSM.

This chapter describes these procedures.

Installing the HSM

Install the HSM by following the instructions in the Installation Guide for the HSM.

We recommend that you install the HSM before configuring the Security World Software with your Apache HTTP Server.

Installing the Security World Software and creating the security world

To install the Security World Software and create the security world:

On the computer that you want to make the Apache HTTP Server, install the latest version of the Security World Software as described in the Installation Guide for the HSM.

Note
We recommend that you uninstall any existing nShield software before installing the new nShield software.
Create the security world as described in the User Guide , creating the ACS and OCS that you require.

Installing and configuring the Apache HTTP Server

To install the Apache HTTP Server:

sudo yum install httpd-tools openssl-libs mod_ssl

Testing CHIL

The nShield 12.40 Compatibility Package is required for the Cryptographic Hardware Interface Library (CHIL) plugin. Because this version of the library needs a gen2 Security World, either an old world needs to be loaded, or the utility new-world-1240 needs to be used to create a suitable Security World.

To check that CHIL is working:

# export LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk/
# openssl engine -t chil
(chil) CHIL hardware engine support
[ available ]

Configuring the Apache HTTP Server to use the HSM

Environment settings

For convenience:

export PATH=$PATH:/opt/nfast/bin

In /etc/sysconfig/httpd add the line

LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk

Set up Apache to use the CHIL library

Generate an embed key. Ensure that the key files are output to your home directory or another working directory.

# generatekey embed
protect: Protected by? (token, module) [token] > module
size: Key size? (bits, minimum 1024) [2048] >
OPTIONAL: pubexp: Public exponent for RSA key (hex)? []
> embedsavefile: Filename to write key to? []
> testkey
plainname: Key name? [] > testkey
x509country: Country code? [] > [...]
x509province: State or province? [] > [...]
x509locality: City or locality? [] > [...]
x509org: Organisation? [] > [...]
x509orgunit: Organisation unit? [] > [...]
x509dnscommon: Domain name? [] > [...]
x509email: Email address? [] > [...]
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
[default sha256] >
key generation parameters:
operation       Operation to perform                generate
application     Application                         embed
protect         Protected by                        module
verify          Verify security of key              yes
type            Key type                            RSA
size            Key size                            2048
pubexp          Public exponent for RSA key (hex)
embedsavefile   Filename to write key to            testkey
plainname       Key name                            testkey
x509country     Country code                        [...]
x509province    State or province                   [...]
x509locality    City or locality                    [...]
x509org         Organisation                        [...]
x509orgunit     Organisation unit                   [...]
x509dnscommon   Domain name                         [...]
x509email       Email address                       [...]
nvram           Blob in NVRAM (needs ACS)           no
digest          Digest to sign cert req with        sha256
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_embed_6d5706...
Path to CSR: /embed_6d5706..._req
Path to self-cert: /embed_6d5706..._selfcert

In the same folder as the self-cert there will also be a file called testkey .

Copy the files into the Apache installation using the following commands (adjust to the values you get):

cp /testkey /etc/pki/tls/private/testkey
cp /embed_6d5706..._selfcert /etc/pki/tls/certs/testkey_selfcert

In /etc/httpd/conf.d/ssl.conf , set

SSLCertificateFile /etc/pki/tls/certs/testkey_selfcert
SSLCertificateKeyFile /etc/pki/tls/private/testkey
SSLCryptoDevice chil

Open the firewall

firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload

Switch off SE Linux

If SE Linux is active, this might prevent Apache from loading our library. To switch it off:

setenforce 0

Start the HTTP daemon

service httpd start

https:// should work, and the certificate in the browser should show the information that was provided when creating the embed key above. For example:

Figure 2.1 HTTPD successfully started

Test the connection

Test the connection with a command similar to:

openssl s_client -crlf -connect localhost:443 -CAfile testkey_selfcert.pem
openssl s_client -crlf -connect localhost:443 -CAfile /embed_6d5706.._
selfcert

Check the following messages and fields in the output:

CONNECTED(00000003)
depth
Certificate chain information
Server certificate information
Session-ID
Master-Key
TLS session ticket:
Verify return code: 0 (ok)

Example output:

# openssl s_client -crlf -connect localhost:443 -CAfile embed_6d5706..._selfcert
CONNECTED(00000003)
depth=[...]
verify return:1
---
Certificate chain
0 s:/C=[...]
i:/C=[...]
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=[...]
issuer=[...]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1570 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-...
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-...
Session-ID: [...]
Session-ID-ctx:
Master-Key: [...]
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
...
Start Time: 1579086822
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

OCS protection

If OCS protection is required, create an OCS:

createocs -Q1/1 -Napacheocs -m 1

Leave the OCS in the card reader and generate an embed key as in Set up Apache to use the CHIL library , but choose the protection to be token .

The steps to copy certificates about is the same as for module-protected keys.

When you are starting Apache, you will have to preload the OCS so that the key can be used without the web server having to load it:

preload -f /var/run/httpd/preload -c apacheocs /usr/sbin/httpd -e debug -X

Softcard protection

If softcard protection is required, create a softcard:

ppmk -n apachesoft

Generate an embed key as in Set up Apache to use the CHIL library , but choose the protection to be softcard .

The steps to copy certificates about is the same as for module protected keys.

When you are starting Apache, you will have to preload the softcard so that the key can be used without the web server having to load it:

preload -f /var/run/httpd/preload -s apachesoft /usr/sbin/httpd -e debug -X

Troubleshooting

If the logs produced by Apache do not lead to useful information, starting Apache with the following might lead to more information.

strace -f /usr/sbin/httpd 2> apache.trace

/usr/sbin/httpd -e debug -X

Table of Contents
Introduction
Procedures
Troubleshooting

RESOURCES

Integration Guide
Apache HTTP Server - nShield® HSM Integration Guide - CHIL

Table of Contents