OneSpan Authentication Server Framework

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
Procedures
- Prerequisites
- Set up OneSpan ASF

Introduction

This document describes the integration of OneSpan Authentication Server Framework with the Entrust CodeSafe solution. This uses an Entrust nshield Hardware Security Module (HSM) root of trust.

CodeSafe is a runtime environment on the Entrust nshield HSM that allows third-party developers to run their own code within the secure boundary of the module.

Product configurations

Entrust has successfully tested nshield HSM integration with OneSpan Authentication Server Framework in the following configurations:

Product	Version
CodeSafe	12.80.4
Security World Compatibility Pack	1.1.0
Operating System	Red Hat Linux 8 64-bit
OneSpan ASF	3.21

Product

Version

CodeSafe

12.80.4

Security World Compatibility Pack

1.1.0

Operating System

Red Hat Linux 8 64-bit

OneSpan ASF

3.21

Supported nshield hardware and software versions

Entrust has successfully tested with the following nshield hardware and software versions:

Connect XC

Security World Software	Firmware	Image	OCS	Softcard	Module
12.80.4	12.50.11	12.80.4	✓	✓	✓

Security World Software

Firmware

Image

OCS

Softcard

Module

12.80.4

12.50.11

12.80.4

✓

Connect +

Security World Software	Firmware	Image	OCS	Softcard	Module
12.80.4	12.50.8	12.80.4	✓	✓	✓

Security World Software

Firmware

Image

OCS

Softcard

Module

12.80.4

12.50.8

12.80.4

✓

Note	Security World ciphersuite DLf3072s256mRijndael is required for the integration of OneSpan ASF and nshield HSM.

Supported nshield HSM functionality

Feature	Support
Module-only key	Yes
OCS cards	Yes
Softcards	Yes
nSaaS	Yes
FIPS 140-2 Level 3	Yes

Feature

Support

Module-only key

Yes

OCS cards

Yes

Softcards

Yes

nSaaS

Yes

FIPS 140-2 Level 3

Yes

Requirements

Before installing these products, read the associated documentation:

For the nshield HSM: Installation Guide and User Guide.
If nshield Remote Administration is to be used: nshield Remote Administration User Guide.
For CodeSafe: CodeSafe Developer Guide for Linux
OneSpan documentation: Authentication Server Framework HSM Module Management and Authentication Server Framework Key Management for nCipher nshield HSM

More information

For more information about OS support, contact your OneSpan sales representative or Entrust nshield Support, https://nshieldsupport.entrust.com.

Procedures

Prerequisites

Before you can use OneSpan Authentication Server Framework with CodeSafe and an nshield HSM, you must complete the following steps:

Set up the HSM. See the Installation Guide for your HSM.
Configure the HSM(s) to have the IP address of your host machine as a client.

Install the nshield compatibility pack:

% sudo mount -t iso9660 -o loop Compatibility_Package_1.1.0.iso /mnt
% cd /
% tar -zxvf /mnt/lin64/amd64/Compatibility_12.40_Lin64.tar.gz
% sudo umount /mnt

Load an existing Security World or create a new one on the HSM.

Note
The Security World DLf3072s256mRijndael ciphersuite is required.

For more information on configuring and managing nshield HSMs, Security Worlds, and Remote File Systems, see the User Guide for your HSM(s).

Install CodeSafe:

% sudo mount -t iso9660 -o loop Codesafe_Lin64-12.80.4.iso /mnt
% cd /
% tar -xf /mnt/linux/amd64/csd.tar.gz
% tar -xf /mnt/linux/amd64/csdref.tar.gz
% sudo umount /mnt

Set up OneSpan ASF

The following steps to install OneSpan ASF for nshield HSM are detailed in the Authentication Server Framework HSM Module Management guide.

OneSpan ASF software contains an example script to set up the user data file and upload the SEE machine. See the contents of the script or refer to the OneSpan ASF documentation for the individual steps which can be tailored to your organizational needs.

Install the RPM package for your specific Operating System:
```
% rpm -i <OneSpan_RPM_File>.rpm
```
Generate the SEE code-signing key:
```
% generatekey --generate seeinteg type=rsa size=2048 pubexp= recovery=yes nvram=no plainname=seesigningkey
```
Note
If using a FIPS 140-2 Level 3 Security World, an OCS will need to be inserted into the HSM during key generation.
Run the set-up script:
```
% /opt/vasco/VACMAN_Controller-HSM-3.21.0/hsm/ppc-xc/build_userdata.sh
```
Note
The ppc-xc directory is required in the command if using an nshield Connect XC. The ppc directory is required in the command if using an nshield Connect Plus.

OneSpan Authentication Server Framework is now set up and ready to be used. Note that OneSpan ASF software contains sample programs at /opt/vasco/VACMAN_Controller-HSM-3.21.0/sample/ that demonstrate communication between a host application and an nshield HSM.

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
OneSpan Authentication Server Framework Integration Guide

Table of Contents

Introduction

Product configurations

Supported nshield hardware and software versions

Connect XC

Connect +

Supported nshield HSM functionality

Requirements

More information

Procedures

Prerequisites

Set up OneSpan ASF