- 23 Jan 2025
BLOB migration from Thales WebSentry and Thales ProtectServer HSMs to Authentication Suite Server SDK for Entrust nShield HSM
The hardware-encrypted BLOBs used with the other Authentication Suite Server SDK for HSM editions (VACMAN Controller for Thales WebSentry and Authentication Suite Server SDK for Thales ProtectServer HSM), which are protected by a 3DES HSM-level BLOB storage key, have a different format from the hardware-encrypted BLOBs used with Authentication Suite Server SDK for Entrust nShield HSM and are not compatible with it.
Since version 3.16.0.0, Authentication Suite Server SDK for Entrust nShield HSM supports the migration of hardware-encrypted BLOBs that originate from the other Authentication Suite Server SDK for HSM editions.
The existing HSM migration functions AAL2GenMigrateBLOBCmdEx and AAL2ProcMigrateBLOBReply have been enhanced in Authentication Suite Server SDK for Entrust nShield HSM. They accept as input a hardware-encrypted authenticator application BLOB coming from VACMAN Controller for Thales WebSentry or from Authentication Suite Server SDK for Thales ProtectServer HSM, and they produce as output a hardware-encrypted authenticator application BLOB compatible with Authentication Suite Server SDK for Entrust nShield HSM.
In the context of the Secure Channel protocol, which involves a payload key, the existing HSM migration functions AAL2GenMigratePKBLOBCmdEx and AAL2ProcMigratePKBLOBReply have also been enhanced in Authentication Suite Server SDK for Entrust nShield HSM. They accept as input a hardware-encrypted payload key BLOB coming from Authentication Suite Server SDK for Thales ProtectServer HSM, and they produce as output a hardware-encrypted authenticator application BLOB compatible with Authentication Suite Server SDK for Entrust nShield HSM.
To migrate hardware-encrypted BLOBs coming from either VACMAN Controller for Thales WebSentry or Authentication Suite Server SDK for Thales ProtectServer HSM, the HSM key that was used in that former environment to protect the hardware-encrypted BLOBs for migration must be transferred to the Entrust nShield HSM environment. If this HSM key is not transferred to the Entrust nShield HSM environment for use by Authentication Suite Server SDK for Entrust nShield HSM, the migration of the former hardware-encrypted BLOBs cannot be performed.
The hardware-encrypted BLOBs must therefore first be migrated, in the former environment and with the former Authentication Suite Server SDK, under an HSM key that can be transferred to Authentication Suite Server SDK for Entrust nShield HSM. This HSM key is called the HSM-level BLOB transport key in the rest of this section.