Entrust nShield HSM Infrastructure Specialist
Posted 22 hours 28 minutes ago by ComTech Europe Limited
The IOS domain has purchased 5 nShield General Purpose hardware security modules (model number NH2075-B) from Entrust.
To use these HSMs in a broader PKI context, IOS is looking for an Entrust nShield Certified specialist who can assist with the following tasks:
Automation of Security World creation and the associated Administrator Card Set (ACS) and Operator Card Sets (OCS). This must be done according to industry best practices in 3 different environments spread over 2 data centres, based on the requirements described below;
o The supplier may propose alternatives to the stated requirements if he feels they correspond better to industry best practices. It is up to the supplier to clearly indicate this in the proposal, for example by providing a key ceremony with associated documentation for initialization.
Documenting and developing a demo of PKCS#11 integration, with the intention of stimulating reuse with the various software in use within the DG VD, such as Axway API Gateway, AppViewX, ForgeRock AM and HashiCorp Vault.
Requirements for automation:
Create Active-Passive RFS "cluster"
Reset existing Security World (if present)
Create new FIPS 140-2 Level 3 compliant Security World
o Set AES as the preferred cipher suite
  In parallel, ECC should be used wherever possible, given the efficiency it brings
o Set 3/6 quorum for all operations (PIN reset, NVRAM access, RTC access, etc.)
o Set active-backup network connection
o Set 3 different stratum 0 NTP servers: ntp-a.fediap.be, ntp-b.fediap.be, and ntp-c.fediap.be
o Set audit registration
o Set remote management
o Set remote reboot
o Set auto-push config
o Make module 1 a valid target for remote shares
When a cluster is already present: connect to the existing Security World
Source document reference: 025/BOSA/90533/DEF/V1.0/SUPPORT MISSION HSM 06/02/2025 INFRASTRUCTURE SPECIALIST
Create 3 persistent OCSs with a 2/5 quorum
o Set a timeout of 300 seconds
o Set passphrase replacement/PIN recovery
o Enforce passphrase complexity for the ACS and OCS
All steps should be logged to provide evidence of correct execution! Ideally, automation steps should be reusable to enable, for example, automated reinitialization of an HSM in a Security World after a firmware upgrade.
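The requirements above ask for reusable automation that leaves evidence of every step. As an added illustration, not part of the tender or of Entrust's tooling, the following Python wrapper turns the stated parameters (3/6 ACS quorum, three persistent 2/5 OCSs with a 300-second timeout, FIPS 140-2 Level 3 mode, AES cipher suite) into an ordered, validated plan of nShield command lines, then executes them one at a time and appends a JSON evidence record per step. The `new-world`, `createocs` and `nfkminfo` option spellings, the cipher-suite name and the join-existing-world flag are assumptions and must be checked against the man pages of the installed Security World Software version; the dry-run mode lets the plan be reviewed on a workstation without an HSM.

```python
"""Evidence-logging wrapper for nShield Security World initialisation steps.

Hypothetical helper written for this page; not the tender's or Entrust's code.
Command-line options below are assumptions: verify them against your installed
Security World Software documentation before running against a module.
"""
from __future__ import annotations

import json
import shlex
import subprocess
import time
from dataclasses import dataclass


@dataclass
class WorldSpec:
    """Parameters taken from the posting's requirements list."""
    acs_quorum: str = "3/6"       # quorum for ACS-protected operations
    ocs_quorum: str = "2/5"       # quorum for each Operator Card Set
    ocs_count: int = 3            # number of OCSs to create
    ocs_timeout: int = 300        # OCS timeout in seconds
    mode: str = "fips-140-2-level-3"
    # Assumed cipher-suite identifier for an AES-protected world.
    cipher_suite: str = "DLf3072s256mAEScSP800131Ar1"
    module: int = 1


def parse_quorum(q: str) -> tuple[int, int]:
    """Validate a 'K/N' quorum string and return (K, N); rejects K<1 or K>N."""
    k, n = (int(x) for x in q.split("/"))
    if not 1 <= k <= n:
        raise ValueError(f"invalid quorum {q!r}: need 1 <= K <= N")
    return k, n


def plan(spec: WorldSpec, reset: bool) -> list[list[str]]:
    """Build the ordered command list. Pure function, so it can be reviewed and tested."""
    parse_quorum(spec.acs_quorum)
    parse_quorum(spec.ocs_quorum)
    cmds: list[list[str]] = []
    if reset:
        # new-world --initialize erases any existing world on the module (assumed flags).
        cmds.append(["new-world", "--initialize", f"--module={spec.module}",
                     f"--acs-quorum={spec.acs_quorum}",
                     f"--cipher-suite={spec.cipher_suite}", f"--mode={spec.mode}"])
    else:
        # Join the module to the existing Security World instead (assumed flag).
        cmds.append(["new-world", "--program", f"--module={spec.module}"])
    for i in range(1, spec.ocs_count + 1):
        # Persistent OCS with quorum and timeout, per the requirements (assumed flags).
        cmds.append(["createocs", f"--module={spec.module}",
                     f"--ocs-quorum={spec.ocs_quorum}", f"--name=ocs{i}",
                     "--persist", f"--timeout={spec.ocs_timeout}"])
    # Final state dump, kept in the evidence log as proof of the resulting world.
    cmds.append(["nfkminfo"])
    return cmds


def run(spec: WorldSpec, reset: bool, evidence_path: str | None,
        dry_run: bool = False) -> list[dict]:
    """Execute the plan step by step, appending one JSON line per step to evidence_path.

    Stops at the first non-zero exit so a half-initialised world is never
    silently accepted; the evidence file still records the failing step.
    """
    records = []
    for cmd in plan(spec, reset):
        started = time.time()
        if dry_run:
            rc, output = 0, "(dry run: command not executed)"
        else:
            proc = subprocess.run(cmd, capture_output=True, text=True)
            rc, output = proc.returncode, proc.stdout + proc.stderr
        rec = {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
            "cmd": shlex.join(cmd),
            "rc": rc,
            "secs": round(time.time() - started, 3),
            "output": output,
        }
        records.append(rec)
        if evidence_path is not None:
            with open(evidence_path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(rec) + "\n")
        if rc != 0:
            raise RuntimeError(f"step failed (rc={rc}): {rec['cmd']}")
    return records


if __name__ == "__main__":
    # Review the plan for a fresh world without touching any hardware.
    for r in run(WorldSpec(), reset=True, evidence_path=None, dry_run=True):
        print(r["cmd"])
```

Because `plan` is a pure function, the same module can be reused for the re-initialisation after a firmware upgrade mentioned above: call it with `reset=False` to join the module back into the existing world, and keep the evidence file alongside the key-ceremony documentation.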
The candidate should also have experience with Linux RHEL8 and higher;
In addition to the certification, also 5 years (or more) experience with Entrust products;
Knowledge of Dutch and/or French is a plus.