HSM INFRASTRUCTURE SPECIALIST

Mission Description:

The IOS domain of the FOD BOSA has purchased 5 nShield General Purpose hardware security modules (model number NH2075-B) from Entrust.

In order to use these HSMs in a broader PKI context, IOS is looking for an Entrust nShield Certified specialist who can assist with the following tasks:

  • Automation of the Security World creation and associated Administrator Card Set and Operator Card Sets (this must be done according to industry best practices across 3 different environments distributed over 2 data centers based on the requirements described below);

  • The supplier may propose alternatives to the stated requirements where they believe these are better aligned with industry best practices, and must clearly flag any such deviation in the proposal (for example regarding initialization, or providing a key ceremony with corresponding documentation).

  • Documenting and developing a demo of PKCS #11 integration. This is intended to encourage reuse with the various software products used within FOD BOSA DG VD, such as Axway API Gateway, AppViewX, ForgeRock AM and HashiCorp Vault.

Automation requirements:

  • Create Active-Passive RFS “cluster”
  • Reset existing Security World (if present)
  • Create new FIPS 140-2 Level 3 compliant Security World
  • Set AES as the preferred cipher suite
  • In parallel, deploy ECC as efficiently as possible, taking its efficiency characteristics into account
  • Set 3/6 quorum for all operations (PIN reset, NVRAM access, RTC access, etc.)
  • Set up active-backup network connection
  • Configure 3 different NTP servers
    Stratum 0 NTP servers: ntp-a.fediap.be, ntp-b.fediap.be, and ntp-c.fediap.be
  • Set up audit logging
  • Set up remote management
  • Set up remote reboot
  • Set up auto-push config
  • Make module 1 a valid target for remote shares

  • When a cluster already exists: join the existing Security World
  • Create 3 persistent OCS with 2/5 quorum
  • Set a timeout of 300 seconds
  • Set up passphrase replacement/PIN recovery
  • Enforce passphrase complexity for ACS and OCS

Document reference: 025/BOSA/90533/DEF/V1.0, SUPPORT MISSION HSM INFRASTRUCTURE SPECIALIST, 06/02/2025

All steps must be logged to provide evidence of proper execution! Ideally, automation steps should be reusable to enable, for example, automated reinitialization of an HSM in a Security World after a firmware upgrade.

The candidate must also have experience with Linux RHEL 8 and above.

In addition to the certification, at least 5 years of experience with Entrust products is required.

Knowledge of Dutch and/or French is an asset.

This position was originally posted on Pro Unity.

It is publicly accessible, and we recommend applying directly through the Pro Unity website instead of going through third party recruiters.