
Options for nShield HSMs

Highlights

Thales nShield provides a secure platform to help enterprises protect sensitive information. While the base functionality already covers the majority of requirements, Thales HSMs can be further enhanced to cover special cases. The following list gives you an overview of the available Option Packs and Developer Software. Please note the compatibility matrix at the end of this page.

CipherTools Developer Software

Thales HSMs can be integrated with many business applications through standardized APIs (Application Programming Interfaces), including Microsoft CAPI/CNG, PKCS#11, Java JCE and OpenSSL. In some cases, the official standards these interfaces support are too limiting, so Thales HSMs also offer the nCore interface for advanced integrations. CipherTools is for all application developers regardless of whether they’re using nCore or a vendor-neutral API. It contains documentation and example code to enable developers to take full advantage of the advanced functionality offered by nShield HSMs.

CodeSafe and Secure Execution Engine (SEE) Activation

The core functionality of hardware security modules is to protect keys from being compromised. While this provides an enhanced level of security, sensitive data could in some cases still be processed on the host system after it has been decrypted by the hardware security module. The CodeSafe Developer Software enables organizations to develop custom applications to run on the secure operating platform of the HSM so the data is never exposed to Trojans or insiders on the host systems. Organizations wishing to leverage the power of CodeSafe technology will need one license of CodeSafe Developer Software per developer and one Secure Execution Engine (SEE) Activation license for each HSM executing the code.

CodeSafe SSL

CodeSafe SSL provides an SSL stack to enable organizations to terminate SSL sessions inside the HSM, providing true end-to-end encryption from the browser to the HSM for high-risk data such as PINs and credit card numbers.

Database Security Option Pack

Databases often contain an organization's most sensitive data. As a result, the large database vendors have implemented native encryption in their database server products. Database Security Option Pack adds support for Microsoft’s Extensible Key Management (EKM). It enables organizations to better protect keys that protect sensitive data in Microsoft SQL Server 2008, manage keys across databases and systems, and separate security and database administration.

Users of Oracle 11g can take advantage of these features without requiring an option pack.

payShield Cardholder Authentication for nShield

To protect against credit card and online banking fraud, many financial institutions have implemented additional security measures for card-not-present transactions. payShield Cardholder Authentication for nShield complements other Thales payments products by enabling organizations to authenticate the cardholder through various means, such as Chip and PIN (CAP) authentication for online banking transactions and 3-D Secure, also known as Verified by Visa and MasterCard SecureCode. This option integrates with cardholder authentication solutions from ActivIdentity, Arcot, Bell ID, and Gemalto. Organizations with advanced requirements can also use the payShield Developer Software to produce custom solutions. Customers looking for other forms of payment security may also want to consider HSM 8000, P3, and SafeSign.

payShield Key Loading Device

Keys are typically generated inside an HSM to ensure that the key has never left the secure platform. However, some organizations receive tamper-proof envelopes containing keys from partners they are doing business with, or need to securely exchange sensitive data between systems from different vendors. The payShield Key Loading Device enables organizations to load symmetric encryption key fragments into Thales HSMs by entering them on a PIN pad and loading them onto smart cards that can be read by Thales HSMs. The payShield Key Loading Device requires the use of payShield Cardholder Authentication for nShield.

Time Stamping Option Pack

Secure time stamps help organizations verify that certain data existed at a certain point in time and has not been manipulated since that time. This is critical for applications including digital archives, public key infrastructures, code signing, notary services, patent applications, lottery, as well as betting and gaming. The Thales Time Stamp Server is a turn-key solution for organizations who want a ready-to-use time stamping solution. For organizations looking for an OEM solution or who want to combine time stamping with other HSM functionality, the Time Stamp Option Pack enhances nShield Solo 500 to support standardized time stamps. Organizations looking to add time-stamping features in custom applications can benefit from the Time Stamping Developer Software. See also Thales Time Stamp Server.

Time Stamping Developer Software

Some applications may benefit from the use of time stamps but don’t have an interface to request them. The Time Stamping Developer Software is an easy-to-use API that enables applications to request and verify time stamps from the Thales Time Stamp Server or a server featuring Thales nShield and the Time Stamping Option Pack.

Remote Operator Activation

Hardware security modules typically run in physically secure, lights-out data centers, often in several, redundant sites. Many organizations therefore find it impractical to gain physical access to the HSM for day-to-day operations. Remote Operator saves time and reduces travel costs by enabling users to present credentials to a remote HSM in a secure manner directly from their workstation.

Elliptic Curve (ECC) Activation

Thales HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA and RSA. Organizations who want to take advantage of the next-generation elliptic curve algorithms can enhance their HSMs by adding the Elliptic Curve (ECC) Activation. While all Thales HSMs can process elliptic curve cryptography with this option pack, users of the nShield 500 PCI cards will additionally benefit from hardware acceleration.

KCDSA Activation

Especially sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it makes sense to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on the HSM. Thales recommends the CodeSafe technology to organizations who wish to implement their own national algorithms on the protected HSM platform.

nShield SmartCard Reader Rackmount

For customers deploying one or more nShield Solo modules in a 19" rack, the optional nShield SmartCard Reader Rackmount provides a practical and tidy solution to attach card readers in the data center.

nShield SmartCard Reader Rackmount Front

The nShield SmartCard Reader Rackmount is 1U in height and can be equipped with up to four smart card readers, which are shipped as standard with nShield Solo cards. Each unit is shipped with three blanking plates to cover any unused slots.

nShield SmartCard Reader Rackmount Front with nShield Solo and Smart Cards

Additional Client License

Each nShield Connect and netHSM is shipped with 3 bundled client licenses. Additional Client Licenses are available for customers who wish to connect their HSM to more than 3 clients. Please consult the documentation for the maximum number of clients supported by your HSM.

nToken

For organizations that wish to enhance security for their HSM clients, nTokens are PCI or PCI Express cards that enable strong authentication for clients of network-attached HSMs such as nShield Connect and netHSM, ensuring that servers cannot be impersonated. Thales offers HSM bundles that already include 3 nTokens; customers can purchase additional nTokens. Each nToken includes a client license. PCI variants are full-height; PCI Express variants are low-profile cards. nTokens are not compatible with virtual servers.

Replacement PSU for nShield Connect

nShield Connect features dual, hot-swap power supplies to enable premium business continuity. Thales offers replacement PSUs for nShield Connect to enable customers to replace failed parts instantly without downtime.

nShield Connect 6000 is the world’s only general-purpose HSM with dual, hot-swap power supplies

Replacement Fan Tray for nShield Connect

In addition to the dual, hot-swap power supplies, nShield Connect features redundant, field-replaceable fans. The fans and battery are mounted on a fan tray that enables easy replacement; fans cannot be replaced individually. Like the power supplies, the fans are located outside the security boundary of the HSM.

Thales offers replacement fan trays for nShield Connect. This enables customers to replace failed parts instantly without downtime.

nShield Connect 6000 features redundant, field-serviceable fans

Keyboard for nShield Connect

While many functions of nShield Connect can be carried out easily with the touch wheel at the front of the unit, operators may require a keyboard for some operations and to configure the modules more efficiently. Thales offers an optional USB keyboard for these tasks. Because the keyboard is only required for a few operations, one keyboard per datacenter site is typically sufficient. Customers can also use standard USB keyboards.

nShield Connect optional keyboard

Slide rails for nShield Connect

To mount nShield Connect in a 19" rack without a shelf, Thales offers optional slide rails to be fitted with nShield Connect. These enable customers to use server racks more densely and enable easier hardware installation. Thales recommends that customers use these slide rails because parts from other manufacturers may not be compatible. The slide rails are always sold as a pair, i.e. ordering one unit of this part code will include two slide rails, sufficient to mount one nShield Connect module.

nShield Connect optional slide rails

Compatibility overview

Please note that the options on this page are not compatible with payShield 9000 or its predecessor, HSM 8000.

nShield Solo FIPS 140-2 Level 2

nShield Solo FIPS 140-2 Level 3

nShield Edge

netHSM

nShield Connect

CipherTools Developer Software

O

O

O

O

O

CodeSafe / SEE Activation*

O

O

O

Database Security Option Pack

O

O

 

O

O

payShield Cardholder Authentication for nShield*

O

O

O

payShield Key Loading Device

O

O

O

Time Stamping Option Pack*

O

Time Stamping Developer Software

O

Remote Operator Activation

O

O

O

O

O

Elliptic Curve (ECC) Activation

O

O

O

O

O

KCDSA Activation

O

O

O

O

O

nShield SmartCard Reader Rackmount

O

O

Additional Client License

O

O

nToken

O

O

Replacement PSU for nShield Connect

O

Replacement Fan Tray for nShield Connect

O

Keyboard for nShield Connect

O

Slide rails for nShield Connect

O

S = standard; O = optional

*Only one of these CodeSafe applications can be run on the same HSM.

Related Products


  • Thales nShield Connect
    Thales nShield Connect is a network-attached, general-purpose hardware security module that is optimized for business continuity and scalability.


  • Thales nShield Solo
    Thales nShield Solo is an embedded, general-purpose HSM for servers and appliances that safeguards encryption and digital signing keys and runs custom applications on the module to protect data in use.

Related Datasheets


  • Thales CodeSafe
    Thales CodeSafe enables application developers to write programs that are securely loaded and executed within nCipher product line hardware security modules.