Install and configure the Entrust nShield HSM
To install and configure the Entrust HSM:
Select the protection method
OCS, Softcard, or Module protection can be used to authorize access to the keys protected by the HSM. Follow your organization’s security policy to select which one.
Install the HSM
Install the nShield Connect HSM locally, remotely, or remotely via the serial console. See the following nShield Support articles and the Installation Guide for the HSM:
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com. |
Install the nShield Security World Software and create the Security World
To install the nShield Security World Software and create the Security World:
-
Install the Security World software as described in Installation Guide and the User Guide for the HSM. This is supplied on the installation disc.
-
Add the Security World utilities path
/opt/nfast/bin
to the system path. -
Open the firewall port 9004 for the HSM connections.
-
Open a command window and confirm the HSM is
operational
:# enquiry Server: enquiry reply flags none enquiry reply level Six serial number 530E-02E0-D947 7724-8509-81E3 09AF-0BE9-53AA 9E10-03E0-D947 mode operational ... Module #1: enquiry reply flags none enquiry reply level Six serial number 530E-02E0-D947 mode operational ...
-
Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy for this. Create extra ACS cards as spares in case of a card failure or a lost card.
ACS cards cannot be duplicated after the Security World is created. -
Confirm the Security World is
usable
:# nfkminfo World generation 2 state 0x37270008 Initialised Usable ... ... Module #1 generation 2 state 0x2 Usable ...
Generate the OSC or Softcard in the CA server
The OCS or Softcard and associated passphrase will be used to authorize access to the keys protected by the HSM. Typically, one or the other will be used, but rarely both. Follow your organization’s security policy to select which one to use.
Create the OCS
To create the OCS:
-
Ensure file
/opt/nfast/kmdata/config/cardlist
contains the serial number of the card(s) to be presented, or the asterisk wildcard (*). -
Open a command window as administrator.
-
Run the
createocs
command as described below, entering a passphrase or password at the prompt.Follow your organization’s security policy for this for the values K/N, where K=1 as mentioned above. Use the same passphrase for all the OCS cards in the set (one for each person with access privilege, plus the spares). Note that
slot 2
, remote via a Trusted Verification Device (TVD), is used to present the card.After an OCS card set has been created, the cards cannot be duplicated. # createocs -m1 -s2 -N testOCS -Q 1/1 FIPS 140-2 level 3 auth obtained. Creating Cardset: Module 1: 0 cards of 1 written Module 1 slot 0: Admin Card #1 Module 1 slot 2: empty Module 1 slot 3: empty Module 1 slot 2: blank card Module 1 slot 2:- passphrase specified - writing card Card writing complete. cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed
Add the -p (persistent) option to the command above to retain authentication after the OCS card has been removed from the HSM front panel slot, or from the TVD. The authentication provided by the OCS as shown in the command line above is non-persistent and only available while the OCS card is inserted in the HSM front panel slot, or the TVD.
-
Verify the OCS was created:
# nfkminfo -c Cardset list - 1 cardsets: (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only Operator logical token hash k/n timeout name a165a26f929841fe9ff2acdf4bb6141c1f1a2eed 1/1 none-NL testOCS
The
rocs
utility also shows the OCS was created:# rocs `rocs' key recovery tool Useful commands: `help', `help intro', `quit'. rocs> list cardset No. Name Keys (recov) Sharing 1 testOCS 0 (0) 1 of 1 rocs> quit
Create the Softcard
To create the Softcard:
-
Run the following command and enter a passphrase or password:
# ppmk -n EntrustSNSoftcard Enter new pass phrase: Enter new pass phrase again: New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864
-
Verify the Softcard was created:
# nfkminfo -s SoftCard summary - 1 softcards: Operator logical token hash name d9414ed688c6405aab675471d3722f8c70f5d864 testSC
The
rocs
utility also shows that the OCS and Softcard were created:# rocs `rocs` key recovery tool Useful commands: 'help', 'help intro', 'quit'. rocs> list cards No. Name Keys (recov) Sharing 1 testOCS 0 (0) 1 of 1 2 testSC 0 (0) (softcard) rocs> quit