You can integrate a Grid with third-party, network-attached Hardware Security Modules (HSMs) for secure private key storage and generation and for zone-signing offloading. Infoblox appliances support integration with either Thales Luna HSMs or Entrust nShield HSMs. When using a network-attached HSM, you can provide tight physical access control, allowing only selected security personnel to physically access the HSM that stores the DNSSEC keys.
The Entrust nShield Hardware Security Module (HSM) group represents the collection of Entrust nShield HSM devices that are used for private key storage and generation.
Note that you can create only one Entrust nShield HSM group in the Grid.
References to hsm:entrustnshieldgroup are object references.
The name part of the Entrust nShield HSM object reference has the following components:
- The Entrust nShield HSM group name
The object does not support the following operations:
The object cannot be managed on Cloud Platform members.
These fields are actual members of the object; thus, they can be requested by using _return_fields, if the fields are readable.
The basic version of the object contains the field(s): comment, key_server_ip, name.
The following fields are required to create this object:
Field | Notes |
---|---|
card_name | See the field description for more information |
entrustnshield_hsm | |
key_server_ip | |
name | |
pass_phrase | See the field description for more information |
card_name
The Entrust nShield HSM softcard name.
Type
String.
Create
You must specify card_name when protection is set to ‘SOFTCARD’.
Search
The field is not available for search.
comment
The Entrust nShield HSM group comment.
Type
String.
Create
The default value is empty.
Search
The field is available for search via ':=' (case insensitive search), '=' (exact equivalence search), '~=' (regular expression search).
Notes
The comment is part of the base object.
entrustnshield_hsm
The list of Entrust nShield HSM devices.
Type
An Entrust nShield Hardware Security Module struct array.
Create
The field is required on creation.
Search
The field is not available for search.
key_server_ip
The remote file server (RFS) IPv4 address.
Type
String.
Create
The field is required on creation.
Search
The field is not available for search.
Notes
The key_server_ip is part of the base object.
key_server_port
The remote file server (RFS) port.
Type
Unsigned integer.
Create
The default value is 9004.
Search
The field is not available for search.
name
The Entrust nShield HSM group name.
Type
String.
Values with leading or trailing white space are not valid for this field.
Create
The field is required on creation.
Search
The field is available for search via ':=' (case insensitive search), '=' (exact equivalence search), '~=' (regular expression search).
Notes
The name is part of the base object.
pass_phrase
The password phrase used to unlock the Entrust nShield HSM keystore.
Type
String.
Create
You must specify pass_phrase when protection is set to ‘SOFTCARD’.
Search
The field is not available for search.
Notes
pass_phrase is not readable.
This function is used to synchronize the Entrust nShield HSM configuration of the Entrust nShield HSM devices.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
None
Output fields
results ( String. Valid values are: “PASSED”, “INACTIVE”, “FAILED” ) The result of the HSM synchronization operation.
This function is used to test and verify Entrust nShield HSM functionality (key pair request, predefined blob signing) via the utilities of the vendor.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
None
Output fields
results ( String. Valid values are: “PASSED”, “INACTIVE”, “KEY_GEN”, “SIGNING” ) The result of the HSM status test operation.
Field | Type | Req | R/O | Base | Search |
---|---|---|---|---|---|
card_name | String | Y* | N | N | N/A |
comment | String | N | N | Y | : = ~ |
entrustnshield_hsm | [struct] | Y | N | N | N/A |
key_server_ip | String | Y | N | Y | N/A |
key_server_port | Unsigned int | N | N | N | N/A |
name | String | Y | N | Y | : = ~ |
pass_phrase | String | Y* | N | N | N/A |
protection | String | N | N | N | N/A |
status | String | N | Y | N | N/A |
* Required in some cases, see detailed field description above.
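As an added example (not from the Infoblox documentation), this Python helper builds the create request for hsm:entrustnshieldgroup and enforces the create-time rules above (required fields, the SOFTCARD dependency on card_name and pass_phrase, the white-space rule on name, the 9004 default port) before anything reaches the Grid Master. The grid_master hostname, WAPI version, credentials and the contents of each entrustnshield_hsm struct are assumed placeholders supplied by the caller.

```python
import json
import urllib.request
from base64 import b64encode

DEFAULT_RFS_PORT = 9004  # documented default for key_server_port


def build_group_body(name, key_server_ip, hsm_devices, protection=None,
                     card_name=None, pass_phrase=None,
                     key_server_port=DEFAULT_RFS_PORT, comment=""):
    """Build the POST body for hsm:entrustnshieldgroup, raising ValueError
    when a create-time rule from this page would be violated."""
    # name is required and may not carry leading or trailing white space
    if not name or name != name.strip():
        raise ValueError("name is required and must not have leading or trailing white space")
    if not key_server_ip:
        raise ValueError("key_server_ip (RFS IPv4 address) is required")
    if not hsm_devices:
        raise ValueError("entrustnshield_hsm must list at least one HSM device struct")
    body = {"name": name, "key_server_ip": key_server_ip,
            "entrustnshield_hsm": list(hsm_devices)}  # struct contents are caller-supplied
    if key_server_port != DEFAULT_RFS_PORT:  # only send a non-default RFS port
        body["key_server_port"] = key_server_port
    if comment:
        body["comment"] = comment
    if protection is not None:
        body["protection"] = protection
    if card_name:
        body["card_name"] = card_name
    if pass_phrase:
        body["pass_phrase"] = pass_phrase  # write-only: the API never returns it
    if protection == "SOFTCARD":
        # card_name and pass_phrase are mandatory only for SOFTCARD protection
        missing = [f for f in ("card_name", "pass_phrase") if f not in body]
        if missing:
            raise ValueError("protection SOFTCARD requires " + " and ".join(missing))
    return body


def create_group(grid_master, wapi_version, user, password, body):
    """POST the body to the Grid Master and return the new object reference."""
    url = f"https://{grid_master}/wapi/{wapi_version}/hsm:entrustnshieldgroup"
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:  # WAPI answers with the _ref as a JSON string
        return json.load(resp)
```

Because pass_phrase is not readable, a later GET with _return_fields will not echo it back; keep the phrase in your secrets store rather than expecting to recover it from the object.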