Install

Install the HSM

Install the HSM by following the instructions in the Installation Guide for the HSM.

Entrust recommends that you install the HSM before configuring the Security World Software with your Password Safe Server.

Install the Security World Software and create the Security World

To install the Security World Software and create the Security World:

  1. On your Password Safe server, install the latest version of the Security World Software as described in the Installation Guide for the HSM.

    Entrust recommends that you uninstall any existing nShield software before installing the new nShield software.

  2. Create the Security World as described in the User Guide. Create the ACS and Softcards that you require.

  3. Configure the cknfastrc environment variables:

    1. Open the C:\Program Files\nCipher\nfast\cknfastrc file.

    2. Add the following environment variables to the file:

      CKNFAST_FAKE_ACCELERATOR_LOGIN=1
      CKNFAST_NO_ACCELERATOR_SLOTS=0
      CKNFAST_LOADSHARING=1

  4. Update the cardlist file:

    1. Go to the C:\ProgramData\nCipher\Key Management Data\config folder.

    2. Open the cardlist file in a text editor and add an asterisk (*) to authorize all Java Cards for dynamic slots.

  5. Create a Softcard that will be used with Password Safe.

    When you are configuring Password Safe, you will need to use Softcard protection or module protection. If you are using a Softcard, you need to create it first.

    Perform the steps in Create a Softcard on the Password Safe server, using a PowerShell terminal as Administrator.
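The cknfastrc and cardlist edits in steps 3 and 4 are usually done by hand, but on a server that is rebuilt or re-provisioned they are worth scripting so they can be re-applied and checked. The following is an added example, not part of the Entrust or BeyondTrust documentation: it applies both steps from an elevated PowerShell session. The file paths and the three CKNFAST values are the ones the guide gives; the function names, the .bak copies and the $cardSerials variable are assumptions made for this example. The guide's wildcard "*" authorizes every Java Card for dynamic slots; the Create the OCS section accepts either the wildcard or the serial numbers of the cards you issued, and listing the serials is the tighter setting where the card inventory is known.

```powershell
# Added example (not from the Entrust/BeyondTrust guide): applies steps 3 and 4 from an elevated
# PowerShell session. File paths and variable values are the ones the guide gives; the function
# names, the .bak copies and the $cardSerials list are assumptions made for this example.

$cknfastrcPath = 'C:\Program Files\nCipher\nfast\cknfastrc'
$cardlistPath  = 'C:\ProgramData\nCipher\Key Management Data\config\cardlist'

# The guide uses the wildcard '*', which authorizes every Java Card for dynamic slots.
# Replace it with the serial numbers of the cards you actually issued for a tighter setting.
$cardSerials = @('*')

# The three settings the guide requires in cknfastrc.
$requiredSettings = [ordered]@{
    'CKNFAST_FAKE_ACCELERATOR_LOGIN' = '1'
    'CKNFAST_NO_ACCELERATOR_SLOTS'   = '0'
    'CKNFAST_LOADSHARING'            = '1'
}

function Set-CknfastrcSettings {
    # Rewrites each NAME=VALUE in place if the name is already present, otherwise appends it,
    # so running the script twice leaves the file unchanged. Other lines are preserved.
    param([string]$Path, [System.Collections.Specialized.OrderedDictionary]$Settings)

    $lines = @()
    if (Test-Path -LiteralPath $Path) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a copy before editing
        $lines = @(Get-Content -LiteralPath $Path)
    }
    foreach ($name in $Settings.Keys) {
        $entry   = "$name=$($Settings[$name])"
        $pattern = '^\s*' + [regex]::Escape($name) + '\s*='
        $found   = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $pattern) { $lines[$i] = $entry; $found = $true }
        }
        if (-not $found) { $lines += $entry }
    }
    Set-Content -LiteralPath $Path -Value $lines -Encoding ASCII
}

function Add-CardlistEntries {
    # Appends each serial number (or the '*' wildcard) that is not already listed, one per line.
    param([string]$Path, [string[]]$Serials)

    $existing = @()
    if (Test-Path -LiteralPath $Path) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        $existing = @(Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $missing = @($Serials | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-Content -LiteralPath $Path -Value ($existing + $missing) -Encoding ASCII
    }
}

function Test-CknfastrcSettings {
    # Re-reads the file and warns about any required setting that is absent or has another value.
    param([string]$Path, [System.Collections.Specialized.OrderedDictionary]$Settings)

    $content = @(Get-Content -LiteralPath $Path)
    foreach ($name in $Settings.Keys) {
        $expected = "$name=$($Settings[$name])"
        if (-not ($content | Where-Object { $_.Trim() -eq $expected })) {
            Write-Warning "cknfastrc is missing '$expected'"
        }
    }
}

Set-CknfastrcSettings  -Path $cknfastrcPath -Settings $requiredSettings
Add-CardlistEntries    -Path $cardlistPath  -Serials $cardSerials
Test-CknfastrcSettings -Path $cknfastrcPath -Settings $requiredSettings
```

Run it once as Administrator after the Security World Software is installed; the check at the end reads the file back rather than trusting the write, which is the part you want in a build script that runs unattended.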

Create the OCS

For this integration, an OCS card is required and must be inserted into the HSM to enable Softcard protection.

To create the OCS:

  1. Ensure file C:\ProgramData\nCipher\Key Management Data\config\cardlist contains the serial number of the card(s) to be presented, or the wildcard "*".

  2. Open a command window as an administrator.

  3. Run the createocs command as described below, entering a passphrase or password at the prompt.

    Create one card for each person with access privilege, plus the spares.

    After an Operator Card Set has been created, the cards cannot be duplicated.

    # createocs -m1 -s2 -N testOCS -Q 1/1
    
    FIPS 140-2 level 3 auth obtained.
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 0: Admin Card #1
     Module 1 slot 2: empty
     Module 1 slot 3: empty
     Module 1 slot 2: blank card
    Steps:
    
     Module 1 slot 2:- passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed

  4. Verify the OCS was created:

    # nfkminfo -c
    Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     a165a26f929841fe9ff2acdf4bb6141c1f1a2eed  1/1  none-NL testOCS

    The rocs utility also shows the OCS was created:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
    No. Name                     Keys (recov) Sharing
      1 testOCS                  2 (2)        1 of 1;
    rocs> quit

Create a Softcard

To create a Softcard:

  1. Run the following command, and enter a passphrase or password at the prompt:

    # ppmk -n testSC
    
    Enter new pass phrase:
    Enter new pass phrase again:
    New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864

  2. Verify the Softcard was created:

    # nfkminfo -s
    SoftCard summary - 1 softcards:
     Operator logical token hash               name
     d9414ed688c6405aab675471d3722f8c70f5d864  testSC

    The rocs utility also shows that the OCS and Softcard were created:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cards
    No. Name                     Keys (recov) Sharing
      1 testOCS                  2 (2)        1 of 1;
      2 testSC                   0 (0)        (softcard)
    rocs> quit
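Both verification steps above (nfkminfo -c for the OCS and nfkminfo -s for the Softcard) are read by eye in the guide. The following is an added example, not code from the Entrust or BeyondTrust documentation: it parses the listing format shown above and confirms that a token with the expected name exists and, when you pass it, that its logical token hash matches the hkltu/HKLTU value printed by createocs or ppmk. The function names are assumptions made for this example, and the sample output is constructed from the guide's own listing so the parser can be exercised without an HSM attached.

```powershell
# Added example (not from the guide): checks the nfkminfo -c / nfkminfo -s listings for the
# OCS and Softcard created above. Function names are assumptions; the sample output below is
# constructed from the guide's listing. On the server, pass (& nfkminfo -c) or (& nfkminfo -s).

function ConvertFrom-NfkminfoTokenList {
    # Returns a hashtable of token name -> logical token hash. Each token line in the listing
    # starts with a 40-hex-digit hash and ends with the token name; header lines are skipped.
    param([string[]]$Lines)

    $tokens = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([0-9a-f]{40})\s+(.*\s)?(\S+)\s*$') {
            $tokens[$Matches[3]] = $Matches[1]
        }
    }
    return $tokens
}

function Test-ProtectionToken {
    # True when a token named $Name is listed and (if $ExpectedHash is given) its hash matches
    # the value createocs or ppmk printed when the token was created.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$ExpectedHash,
        [string[]]$Lines
    )

    $tokens = ConvertFrom-NfkminfoTokenList -Lines $Lines
    if (-not $tokens.ContainsKey($Name)) { return $false }
    if ($ExpectedHash -and $tokens[$Name] -ne $ExpectedHash.ToLower()) { return $false }
    return $true
}

# Constructed sample input, copied from the listings shown in the guide.
$cardsetSample = @(
    'Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only',
    ' Operator logical token hash               k/n timeout  name',
    ' a165a26f929841fe9ff2acdf4bb6141c1f1a2eed  1/1  none-NL testOCS'
)
$softcardSample = @(
    'SoftCard summary - 1 softcards:',
    ' Operator logical token hash               name',
    ' d9414ed688c6405aab675471d3722f8c70f5d864  testSC'
)

$ocsOk = Test-ProtectionToken -Name 'testOCS' -ExpectedHash 'a165a26f929841fe9ff2acdf4bb6141c1f1a2eed' -Lines $cardsetSample
$scOk  = Test-ProtectionToken -Name 'testSC'  -ExpectedHash 'd9414ed688c6405aab675471d3722f8c70f5d864' -Lines $softcardSample

if ($ocsOk -and $scOk) {
    Write-Output 'OCS and Softcard are present with the expected token hashes.'
} else {
    Write-Warning "Token check failed (OCS: $ocsOk, Softcard: $scOk); re-run nfkminfo and compare the hashes."
}
```

Comparing the hash, not just the name, is the useful part: a token name can be reused, so a later createocs or ppmk run with the same name would still pass a name-only check while Password Safe ends up bound to a different token.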

Install Password Safe on the Password Safe server

To install Password Safe on the Password Safe server, you have two options:

  • Install BeyondInsight.

    BeyondInsight includes Password Safe.

  • Install a U-Series Appliance.

    U-Series virtual appliances include BeyondInsight and Password Safe.

For details and installation instructions, see https://www.beyondtrust.com/docs/beyondinsight-password-safe/index.htm.