Version: 8.2511.x.x RR

Security modules

nevisProxy relies on the Transport Layer Security (TLS) protocol and the OpenSSL library to secure network connections to client applications and trusted servers. To this end, nevisProxy allows the configuration of public key certificates and private keys for both frontend and backend connections. Two kinds of 'sources' for cryptographic material are supported:

  • File-based certificates and private keys (sometimes called 'soft tokens');
  • Certificates and private keys stored in a Hardware Security Module (HSM, sometimes called 'hard token'). The integration depends on the vendor of the HSM.

If you use a Hardware Security Module (HSM), take into account the following points:

  • To integrate your HSM, follow the integration guides from the HSM vendor. The relevant sections are the ones covering the integration with Apache HTTP server (httpd) and mod_ssl. The following chapters show example setups for the HSMs we tested, as well as the nevisProxy-specific integration steps.
  • If integration does not work as expected, contact the HSM vendor to address any configuration or migration questions. If the problem lies with nevisProxy, you can also create a nevisProxy support request for further investigation. But only do this after verifying the issue with the HSM vendor.
Info: We officially support the HSMs from Securosys and Gemalto, with the configurations as described in the following chapters. For these officially supported HSMs, we periodically verify the integration and correct functionality.

  • Securosys (PKCS#11): PrimusAPI_PKCS11-2.4.0, see chapter Securosys support;
  • Gemalto (OpenSSL engine): GemEngine 1.6, see chapter Gemalto GemEngine support.