nShield 5 feature enhancements

nShield 5 Hardware

nShield 5s

The nShield 5s is a new HSM based on the PCIe form factor.

The hardware is similar to that of the nShield Solo XC with the following main differences:

  • Fanless operation

  • HSM mode switching is now under software control; the rear-panel mode switch and internal DIP switches have been removed

  • The rear panel Clear button is repurposed as a Recovery Mode button

  • Updated internal components including update to 8GB RAM

  • The Status LED now displays simplified ("BIOS" style) error codes, replacing the Morse Code "SOS" codes. See HSM status indicators and error codes (nShield 5s).

  • Recovery firmware

Both server and operating system compatibility were kept similar to that of the Solo XC; see hsm compatibility for more details of the support.

nShield 5c

The nShield 5c is a new network-attached HSM. Externally the nShield 5c looks very similar to the Connect XC; internally, however, the 5c has received a number of upgrades, namely:

  • Updated processor

  • Updated fans and new airflow ducting to support the nShield 5s

  • Internal module is an nShield 5s

The nShield 5c comes with serial console as default.

Firmware architecture

The architecture of the nShield 5s firmware has been updated to be service oriented and container-based. This will allow for multi-layer security and a clear separation of roles, to support a future multi-tenant environment.

The nShield 5s exposes a number of different services which are divided into platform services and the ncoreapi service. The ncoreapi service provides cryptographic services to the end user, whereas the platform services provide tasks associated with the installation, commissioning and maintenance of the HSM firmware and hardware. Each of the platform services and the ncoreapi service has its own communication channel with the host PC that is protected by use of SSH encryption.

The different services of the nShield 5 are described in more detail in Platform services.

Platform Management

The new nShield 5s Platform Services are administered through the unified utility hsmadmin, which directs each command to the service that implements it. See hsmadmin for more information about the options provided by this new tool.

Host to nShield 5s communication

The communication protocol between the nShield 5s and the host has been updated to be based on the standard SSH protocol. To allow mutual authentication of the endpoints, the SSH protocol uses separate key pairs in the host and the HSM. You need to install the SSH keys for each nShield 5s service introduced above before you can use those services.

It is important that the SSH keys used for communication are managed properly. If the keys are lost or deleted it will not be possible to communicate with the HSM without first performing a recovery procedure. Follow the procedures in the Installation Guide and User Guide carefully when performing upgrades or changes to installations.

Firmware version v13.5 introduced additional enhancements making the SSH keys further protected by an internally generated certificate.

See setup ssh keys for more information about the use of SSH in the nShield 5s.

Because of this communication enhancement, the nShield 5s HSM cannot simply be moved from one machine/server to another: the SSH keys will have to be backed up and recovered on the new machine.

It is important to ensure the SSH keys are backed up, which can be done using the hsmadmin keys backup command. See backup for more information on the backup procedure.

The host still uses impath to communicate with the nShield 5c, same as the Connect XC.

nShield 5s firmware upgrade

The nShield 5s firmware consists of 3 major components:

  • Primary image firmware

  • Recovery image firmware

  • Bootloader firmware

Unlike the Solo XC, upgrade packages are provided in the .npkg format, and there is a different upgrade package for each of the components. However, the same upgrade procedure is used for upgrading all parts of the firmware.

See Upgrade firmware: nShield 5s for detailed information about the procedure for upgrading the firmware on the nShield 5s.

The nShield 5s continues to have a Version Security Number (VSN), same as the Solo XC. However enhancements to how this VSN can be used have been made. See nShield 5s VSN management.

nShield 5c upgrade

There are no differences in the upgrade procedure of the nShield 5c as compared to the Connect XC.

nShield 5s VSN management

The nShield 5s introduces improvements to the management of the Version Security Number (VSN) enabling customer flexibility in setting the minimum VSN.

Every nShield 5s records the minimum firmware VSN that it will accept. This minimum is now set manually rather than being taken from the VSN of the installed firmware. The firmware can be upgraded to a new firmware version with an equal or higher VSN than the minimum VSN set on the module, even if the firmware currently installed on the module has a higher VSN than the firmware to which you are upgrading. You can never load firmware with a lower VSN than the target HSM’s minimum VSN requirement.
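The acceptance rule above differs from the Solo XC only in where the floor comes from. The following model is an added illustration, not Entrust code and not the firmware's actual check; the VSN values in the usage are constructed:

```python
# Model of the two VSN acceptance policies described above (illustration only;
# the real check runs inside the HSM firmware).
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Hsm:
    installed_vsn: int              # VSN of the firmware currently on the module
    min_vsn: Optional[int] = None   # manually set minimum (nShield 5s only)


def solo_xc_accepts(hsm: Hsm, candidate_vsn: int) -> bool:
    """Solo XC: the installed firmware's VSN is the floor, so a package with a
    lower VSN than what is installed is always rejected."""
    return candidate_vsn >= hsm.installed_vsn


def nshield5s_accepts(hsm: Hsm, candidate_vsn: int) -> bool:
    """nShield 5s: the floor is the minimum VSN set on the module, independent
    of the installed firmware's VSN. Below the minimum is never accepted."""
    if hsm.min_vsn is None:
        raise ValueError("minimum VSN must be set on the module")
    return candidate_vsn >= hsm.min_vsn


def compare(installed_vsn: int, min_vsn: int, candidate_vsn: int) -> Dict[str, bool]:
    """Evaluate one upgrade request under both policies."""
    hsm = Hsm(installed_vsn=installed_vsn, min_vsn=min_vsn)
    return {
        "solo_xc": solo_xc_accepts(hsm, candidate_vsn),
        "nshield_5s": nshield5s_accepts(hsm, candidate_vsn),
    }


if __name__ == "__main__":
    # Constructed values: installed VSN 5, module minimum 3, candidate VSN 4.
    # The 5s accepts the downgrade because 4 >= 3; the Solo XC policy rejects it.
    print(compare(installed_vsn=5, min_vsn=3, candidate_vsn=4))
```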

See firmware version control for more information.

nShield 5c VSN management

There are no differences in the VSN procedure of the nShield 5c as compared to the Connect XC.

nShield 5 modes of operation

The nShield 5s introduces differences in the HSM modes as compared to the Solo XC, including the addition of the new Recovery Mode, which enables the HSM to be returned to a known good state for disaster recovery. Factory state operation also differs from that of the Solo XC; all of these changes are detailed in operation modes.

On Windows, you have to run hsmadmin enroll after installation for the module to show in the enquiry output.

CodeSafe 5

The nShield 5s continues to support a Secure Execution Environment called CodeSafe, however this has been updated to take advantage of the changes made to the firmware architecture. As such, this is now called CodeSafe 5.

CodeSafe 5 introduces:

  • Applications as container images

    In CodeSafe 5, the application is a container image, meaning a complete filesystem image that can contain multiple executables, libraries, scripts, and data files.

  • Easy network connectivity

    nShield 5 HSMs and CodeSafe 5 containers are logically connected via TCP/IP networking. The container running the SEE Machine can receive incoming connections from the host-side app, establishing two-way communication between the host-side app and the SEE machine. Existing software that makes use of incoming or outgoing network connections can run with little or no modification.

  • 'Secure by default' client communication

    The CodeSafe 5 execution environment includes both a configurable firewall and an SSH server. The firewall is set according to configuration in the signed CodeSafe 5 application package so that only the network ports required by the application are allowed. The SSH server allows a secure tunnel to be established to the CodeSafe 5 application. The client credentials required to access this tunnel can be configured using the support tools.

  • Language support - the CodeSafe 5 SDK supports:

    • C and C++

    • Python 3

  • CodeSafe 5 applications are now signed

    Requires the use of a developer ID.

For more information on the differences in the development and use of CodeSafe 5, see CodeSafe 5 User Guide.

Specific instructions exist to port existing see machines, which detail migrating current Solo XC CodeSafe apps to CodeSafe 5.

nShield 5 logging

The nShield 5s (ncoreapi) continues to provide access to the same logging and diagnostics as the nShield XC, including the use of Audit logging.

Audit Logging

Audit Logging on nShield HSMs provides the means to log administrative operations and key usage events across your estate of HSMs. Audit logging was first introduced in Security World v12.60 on the nShield XC platform. nShield 5 continues to provide the same Audit Logging functionality.

However, in Security World v13.6 (on v13.5+ nShield 5s firmware) a new Audit Logging format was introduced, called CEF audit logging. This is detailed in the user guide, see audit logging.
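For anyone ingesting the new CEF audit logs into a SIEM, the following parser of the general CEF (Common Event Format) structure is an added illustration, not Entrust code. The sample lines are constructed, and their vendor, product and extension keys are placeholders, not the actual fields emitted by nShield 5s CEF audit logging:

```python
# General CEF line parser (illustration; sample values are constructed).
import re
from typing import Dict, List

# Constructed sample: placeholder values, not real HSM output.
SAMPLE = (r"CEF:0|ExampleVendor|ExampleHSM|13.6|1001|Key usage event|3|"
          r"suser=admin act=sign outcome=success msg=escaped \= and \\ ok")

HEADER_NAMES = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity"]
# An extension key is a whitespace-delimited token followed by an unescaped '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([^\s=]+)(?<!\\)=")


def _unescape(s: str) -> str:
    # CEF escapes '|' and '\' in the header and '=' and '\' in the extension
    # with a backslash: drop the backslash, keep the escaped character.
    return re.sub(r"\\(.)", r"\1", s)


def _split_header(line: str) -> List[str]:
    """Split the seven header fields on unescaped '|'. The 8th element returned
    is the raw extension, left escaped for _parse_extension."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # keep escape pair, skip next char
            cur.extend(line[i:i + 2]); i += 2
        elif ch == "|":
            parts.append(_unescape("".join(cur))); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(parts) != 7:
        raise ValueError("malformed CEF header")
    return parts + [line[i:]]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces; each value runs up to the next key."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[k.group(1)] = _unescape(ext[k.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    parts = _split_header(line.strip())
    if not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts[0] = parts[0][4:]                       # "CEF:0" -> "0"
    rec: Dict[str, object] = dict(zip(HEADER_NAMES, parts[:7]))
    rec["extension"] = _parse_extension(parts[7])
    return rec
```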

System Logs

The nShield 5s contains new System Logs that provide important logs generated by the platform services. Within this there are two different types of logs:

  • init logs

  • system logs

Both logs record information automatically; no user configuration is required, and the level of information recorded is determined by the system and cannot be configured by the user.

For HSMs running firmware version 13.5 or later the system logs are produced in a signed format. HSMs running firmware earlier than 13.5 produce logs in an unsigned format.

For information about how to retrieve and clear the logs, see system logging.