nShield Connect Options & Accessories
nShield Connect is available in multiple performance variants as follows:
- FIPS-pending Connect XC models: XC Base, XC Mid, and XC High
- FIPS-certified Connect+ models: 500+, 1500+, and 6000+
Please consult the nShield Connect data sheet for performance data.
Each nShield Connect ships with three client licenses. Additional licenses are available for purchase. The maximum number of client licenses supported varies by Connect model as shown in the tables below. Additionally, nTokens are an available accessory for authenticating HSM clients.
CodeSafe enables developers to execute applications within the nShield HSM, protecting them from threats such as insider attacks, malware, and Trojans that they would be vulnerable to on typical server platforms. CodeSafe provides a “sandbox” where code can be validated for integrity—ideal for applications residing in untrusted locations. CodeSafe provides fine-grained access control for security-critical resources that are protected on the device, such as private keys and non-volatile user memory. Sample applications include digital meters, authentication agents, time-stamp engines, audit loggers, digital signature agents, and custom encryption processes. CodeSafe is available for all nShield FIPS 140-2 Level 3 certified HSMs excluding the nShield Edge.
CipherTools Developer Toolkit
Using the CipherTools Developer Toolkit, developers take full advantage of the advanced integration capabilities available for the nShield HSM family when applying custom applications. The Toolkit includes detailed tutorials, reference documentation, sample programs written in a range of high-level languages, and additional libraries to expand capabilities for integration with applications beyond those that can be achieved by the standard application program interfaces (APIs).
Elliptic Curve Cryptography (ECC) Activation
nShield HSMs offer a wide variety of cryptographic algorithms, including AES, DSA and RSA, as part of the standard feature set. For organizations wishing to use ECC, an ECC Activation license is available. The optional activation license enables hardware-optimized ECC operation on nShield Connect HSMs.
Database Security Option Pack
Databases often contain an organization's most sensitive data. As a result, major database vendors have implemented native encryption in their database server products. The nShield Database Security Option Pack adds support for Microsoft’s Extensible Key Management (EKM) API. It enables organizations to better protect the keys that protect sensitive data in Microsoft SQL Server deployments using Transparent Data Encryption (TDE), manage keys across multiple databases and systems, and separate key management and database administration.
payShield Cardholder Authentication for nShield
To protect against credit card and online banking fraud, many financial institutions have implemented additional security measures for card-not-present transactions. payShield Cardholder Authentication for nShield complements other Thales payments products by enabling organizations to authenticate the cardholder through various means, such as Chip and PIN (CAP) for online banking transactions, and 3-D Secure, also known as Verified by Visa and MasterCard SecureCode. This option integrates with cardholder authentication solutions including ActivIdentity, Arcot, Bell ID and Gemalto.
Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. Thales recommends CodeSafe technology to organizations that wish to implement their own national algorithms on the protected HSM platform.
Remote Administration Kits
Remote Administration lets you manage your HSMs—including adding applications, upgrading firmware, checking status, and more—from your location, and whenever you choose. Remote Administration lets you eliminate travel to data centers for routine HSM management, helping to cut costs and optimize your resources. Remote Administration helps you to:
- Cut travel costs
- Eliminate the risk of carrying cards to remote locations
Remote Administration Kits, which enable the feature, contain one or more Trusted Verification Devices (TVDs) (secure, custom card readers), Remote Administration Cards (smart cards), and client software. Kits are sized and priced based on the number of HSMs in the estate.
For organizations wishing to enhance security for their nShield Connect HSM clients, nTokens are PCI or PCI Express (PCIe) cards that enable client authentication to deter impersonation. Thales offers bundles of three nTokens, as well as individual nTokens. PCI variants are full-height and PCI Express variants are low-profile cards. nTokens are not compatible with virtual servers.
Replacement Power Supply Unit (PSU)
nShield Connect features dual, hot-swap power supplies. Thales PSUs enable you to replace failed parts without downtime.
Replacement Fan Tray
nShield Connect features redundant, field-replaceable fans. Thales replacement fan trays enable you to replace failed parts without downtime.
While many functions of nShield Connect can be carried out easily with the touch wheel at the front of the unit, operators may prefer using a keyboard. Thales offers an optional USB keyboard. Because the keyboard is typically only used for a few operations, one keyboard per data center site is generally sufficient.
To mount nShield Connect in a 19" rack without a shelf, Thales offers optional slide rails to be fitted with nShield Connect. These enable easier hardware installation and allow you to use server racks more densely. Thales recommends that customers use these slide rails exclusively because parts from other manufacturers may not be compatible. The slide rails are always sold as a pair, i.e. ordering one unit of this part code will include two slide rails, sufficient to mount one nShield Connect module.
* Only one of these CodeSafe applications can be run on a single HSM.