Secure Auditing With Entrust nShield

As described in Using the Secure Auditing Verification Tool, you need to export the public key of the Master Audit Keypair from the hardware security module (HSM) when secure auditing is enabled. This public key is used by the Secure Auditing Verification Tool to verify secure audit entries.

When using an Entrust nShield HSM, the easiest way to export this public key is via the nCipher Export Secure Audit Public Key wizard. This wizard is available via the Maintenance Wizard whenever OneSpan Authentication Server is properly configured to work with an HSM.

To export the Entrust nShield secure auditing public key

1. Start the Maintenance Wizard.
2. Select nCipher Export Secure Audit Public Key.

3. Proceed to the Export of Secure Auditing Public Key page.

   Enter the information (i.e. absolute path to both public keys) as needed and click Next. The HSM public key filename is the BLOB file that was created via the procedure in Creating a secure auditing key (Entrust nShield).

4. On the Confirmation page, click Next. Click Finish.

   The secure auditing public key will be exported in PEM format, to be used to verify secure auditing entries (see Using the Secure Auditing Verification Tool).

To change/update the private key used by the Entrust nShield HSM for secure auditing, perform the following procedure after generating a new key.

To configure the Entrust nShield HSM to use a new secure auditing private key

1. Start the Maintenance Wizard.
2. Select nCipher Update Secure Audit Private Key.

3. Proceed to the Secure Auditing page.

   Enter the information required. For the key filename, provide the absolute path to the new private key you wish to use. The key hash is available from the master_audit_inf.txt file. For more information about this file, see Creating a secure auditing key (Entrust nShield).

   Click Next.

4. On the Confirmation page, click Next.
5. Click Finish.