Entrust nShield HSM Infrastructure Specialist
13 hours ago
The IOS domain has purchased 5 nShield General Purpose hardware security modules (model number NH2075-B) from Entrust. To use these HSMs in a broader PKI context, IOS is looking for an Entrust nShield Certified specialist who can assist with the following tasks:

- Automation of Security World creation and the associated Administrator Card Set and Operator Card Sets (this must be done according to industry best practices on 3 different environments spread over 2 data centers, based on the requirements described below);
  o the supplier can make better proposals than those in the requirements if he feels that they correspond better to industry best practices. It is up to the supplier to clearly indicate this in the proposal, such as for initialization, providing a key ceremony with associated documentation
- Documenting and developing a demo regarding PKCS #11 integration, with the intention of stimulating reuse with the different software in use within the DG VD, such as Axway API Gateway, AppViewX, ForgeRock AM and HashiCorp Vault

Requirements for automation:

- Create Active-Passive RFS "cluster"
- Reset existing Security World (if present)
- Create new FIPS 140-2 Level 3 compliant Security World
  o Set AES as preferred cipher suite. In parallel, ECC is to be used as well as possible, given the efficiency that comes with it
  o Set 3/6 quorum for all operations (PIN reset, NVRAM access, RTC access, etc.)
  o Set active-backup network connection
  o Set 3 different NTP servers (stratum 0 NTP servers: ntp-a.fediap.be, ntp-b.fediap.be, and ntp-c.fediap.be)
  o Set audit registration
  o Set remote management
  o Set remote reboot
  o Set auto-push config
  o Make module 1 a valid target for remote shares
- **When a cluster is already present**: connect to existing Security World
- Create 3 2/5 quorum persistent OCS
  o Set a timeout of 300 seconds
  o Set passphrase replacement/PIN recovery
- Enforce passphrase complexity for ACS and OCS
- All steps should be logged to provide evidence of correct execution
- Ideally, automation steps should be reusable to enable, for example, automated reinitialization of an HSM in a Security World after a firmware upgrade.

025/BOSA/90533/DEF/V1.0/SUPPORT MISSION HSM 06/02/2025 INFRASTRUCTURE SPECIALIST
-
Consultant Infrastructure
2 weeks ago
Brussels, Belgium
Brainwave Optigrators LLC
Full-time
12 month extendable mission at 1000 Brussels - BE Homework - 2 days. Language: Dutch or French. Looking for an Entrust nShield Certified specialist who can help with the following tasks: - Automation of the Security World creation and associated Administrator Card Set and Operator Card Sets (this should be done according to industry best practices on 3...