Install
Install the HSM
Install the HSM by following the instructions in the Installation Guide for the HSM.
Entrust recommends that you install the HSM before configuring the Security World Software with your Password Safe Server.
Install the Security World Software and create the Security World
To install the Security World Software and create the Security World:
- On your Password Safe server, install the latest version of the Security World Software as described in the Installation Guide for the HSM.
  Entrust recommends that you uninstall any existing nShield software before installing the new nShield software.
- Create the Security World as described in the User Guide. Create the ACS and Softcards that you require.
- Configure the cknfastrc environment variables:
  - Open the C:\Program Files\nCipher\nfast\cknfastrc file.
  - Add the following environment variables to the file:

        CKNFAST_FAKE_ACCELERATOR_LOGIN=1
        CKNFAST_NO_ACCELERATOR_SLOTS=0
        CKNFAST_LOADSHARING=1

- Update the cardlist file:
  - Go to the C:\ProgramData\nCipher\Key Management Data\config folder.
  - Open the cardlist file in a text editor and add an asterisk (*) to authorize all Java Cards for dynamic slots.
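The cknfastrc and cardlist edits above are easy to get subtly wrong by hand (a stale duplicate assignment lower in cknfastrc wins, or the wildcard ends up on a line with trailing characters). The following PowerShell script is an added example, not code from the Entrust or BeyondTrust guides: it applies the three settings from the steps above idempotently, adds the cardlist wildcard only if it is not already present, and then prints the effective configuration so it can be checked against the guide. The two paths are the default locations the guide names; run it from an Administrator PowerShell session. Keep in mind that CKNFAST_FAKE_ACCELERATOR_LOGIN=1 makes the nShield PKCS #11 library report a successful login to the accelerator (module-protection) slot without checking the PIN it was given, so a passphrase presented there is not an access control; the Softcard option the guide describes is the one that actually enforces a passphrase. Likewise, the wildcard authorizes every Java Card for dynamic slots; listing the serial numbers of the specific cards, which the guide also allows, is the tighter choice.

```powershell
# Added example (not from the Entrust/BeyondTrust guide): apply the cknfastrc
# settings and the cardlist wildcard from the steps above idempotently and
# report what changed. Paths are the defaults the guide names; run as Administrator.

$cknfastrc = 'C:\Program Files\nCipher\nfast\cknfastrc'
$cardlist  = 'C:\ProgramData\nCipher\Key Management Data\config\cardlist'

# The three settings the integration requires (values as given in the guide).
$required = [ordered]@{
    'CKNFAST_FAKE_ACCELERATOR_LOGIN' = '1'
    'CKNFAST_NO_ACCELERATOR_SLOTS'   = '0'
    'CKNFAST_LOADSHARING'            = '1'
}

function Set-CknfastrcVariables {
    param([string]$Path, [System.Collections.IDictionary]$Settings)

    $lines = @()
    if (Test-Path -LiteralPath $Path) {
        $lines = @(Get-Content -LiteralPath $Path)
    }

    foreach ($name in $Settings.Keys) {
        $value   = $Settings[$name]
        $pattern = '^\s*' + [regex]::Escape($name) + '\s*='
        $index   = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match $pattern) { $index = $i; break }
        }
        if ($index -ge 0) {
            # Rewrite an existing assignment in place so a stale value cannot win.
            if ($lines[$index] -ne "$name=$value") {
                Write-Host "Updating $name in $Path"
                $lines[$index] = "$name=$value"
            }
        } else {
            Write-Host "Adding $name to $Path"
            $lines += "$name=$value"
        }
    }
    # cknfastrc is read by the PKCS #11 library; write plain ASCII with no BOM.
    Set-Content -LiteralPath $Path -Value $lines -Encoding Ascii
}

function Enable-CardlistWildcard {
    param([string]$Path)
    $entries = @()
    if (Test-Path -LiteralPath $Path) {
        $entries = @(Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() })
    }
    if ($entries -contains '*') {
        Write-Host "cardlist already contains the wildcard '*'"
        return
    }
    Write-Host "Adding wildcard '*' to $Path"
    Add-Content -LiteralPath $Path -Value '*' -Encoding Ascii
}

Set-CknfastrcVariables -Path $cknfastrc -Settings $required
Enable-CardlistWildcard -Path $cardlist

# Show the effective configuration so it can be compared with the guide.
Write-Host "`n--- $cknfastrc ---"
Get-Content -LiteralPath $cknfastrc | Where-Object { $_ -match '^CKNFAST_' }
Write-Host "`n--- $cardlist ---"
Get-Content -LiteralPath $cardlist
```

The script rewrites an existing `NAME=value` line in place rather than appending a second copy, because the first matching assignment is the one a reviewer will read and a duplicate further down is exactly the kind of drift that makes a configuration look correct while behaving differently.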
Create a Softcard that will be used with Password Safe.
When you are configuring Password Safe, you will need to use Softcard protection or module protection. If you are using a Softcard, you need to create it first.
Perform the processes in Create a Softcard on the Password Safe server, using a PowerShell terminal as Administrator.
Create the OCS
For this integration, an OCS card is required and must be inserted into the HSM to enable Softcard protection.
To create the OCS:
- Ensure the file C:\ProgramData\nCipher\Key Management Data\config\cardlist contains the serial number of the card(s) to be presented, or the wildcard "*".
- Open a command window as an administrator.
- Run the createocs command as described below, entering a passphrase or password at the prompt. Create one card for each person with access privilege, plus the spares.
  After an Operator Card Set has been created, the cards cannot be duplicated.

      # createocs -m1 -s2 -N testOCS -Q 1/1
      FIPS 140-2 level 3 auth obtained.
      Creating Cardset:
      Module 1: 0 cards of 1 written
      Module 1 slot 0: Admin Card #1
      Module 1 slot 2: empty
      Module 1 slot 3: empty
      Module 1 slot 2: blank card
      Steps:
      Module 1 slot 2:- passphrase specified - writing card
      Card writing complete.
      cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed

- Verify the OCS was created:

      # nfkminfo -c
      Cardset list - 1 cardsets: (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
       Operator logical token hash               k/n timeout name
       a165a26f929841fe9ff2acdf4bb6141c1f1a2eed  1/1 none-NL testOCS

  The rocs utility also shows the OCS was created:

      # rocs
      `rocs' key recovery tool
      Useful commands: `help', `help intro', `quit'.
      rocs> list cardset
       No. Name    Keys (recov) Sharing
         1 testOCS    2 (2)     1 of 1;
      rocs> quit
Create a Softcard
To create a Softcard:
- Run the following command, and enter a passphrase or password at the prompt:

      # ppmk -n testSC
      Enter new pass phrase:
      Enter new pass phrase again:
      New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864

- Verify the Softcard was created:

      # nfkminfo -s
      SoftCard summary - 1 softcards:
       Operator logical token hash               name
       d9414ed688c6405aab675471d3722f8c70f5d864  testSC

  The rocs utility also shows that the OCS and Softcard were created:

      # rocs
      `rocs' key recovery tool
      Useful commands: `help', `help intro', `quit'.
      rocs> list cards
       No. Name    Keys (recov) Sharing
         1 testOCS    2 (2)     1 of 1;
         2 testSC     0 (0)     (softcard)
      rocs> quit
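Both the Create the OCS and Create a Softcard procedures end the same way: run a creation tool, then confirm from nfkminfo output that a token with the expected name and a 40-hex logical token hash exists. The following PowerShell script is an added example, not code from the guide: it runs the guide's createocs and ppmk commands with the guide's names (testOCS, testSC) and flags, parses `nfkminfo -c` and `nfkminfo -s` to verify each token, and records the hashes. It is written check-before-create because, as the guide notes, the cards of an Operator Card Set cannot be duplicated once written, so accidentally re-running createocs is not something to recover from casually. The module and slot numbers (-m1 -s2) assume the single-module layout shown in the guide's output; passphrases are entered interactively at the createocs and ppmk prompts, and the nShield utilities are assumed to be on PATH.

```powershell
# Added example (not from the guide): create the OCS and Softcard named in the
# procedures above and verify each from nfkminfo output. Names and flags are
# the guide's; module/slot numbers assume its single-module setup.
# Passphrases are entered interactively at the createocs/ppmk prompts.

$ErrorActionPreference = 'Stop'

function Get-TokenHash {
    # Parse 'nfkminfo -c' or 'nfkminfo -s' output. A token line starts with a
    # 40-hex logical token hash and ends with the token name; cardset lines carry
    # k/n and timeout columns in between, softcard lines do not. Returns the
    # hash of the named token, or $null if it is not listed.
    param([string[]]$Output, [string]$Name)
    $pattern = '^\s*([0-9a-f]{40})\s+.*\b' + [regex]::Escape($Name) + '\s*$'
    foreach ($line in $Output) {
        if ($line -match $pattern) {
            return $Matches[1]
        }
    }
    return $null
}

# Step 1: create a 1-of-1 OCS on module 1, slot 2 (blank card inserted),
# but only if no cardset of that name exists yet.
if (-not (Get-TokenHash -Output (& nfkminfo -c) -Name 'testOCS')) {
    & createocs -m1 -s2 -N testOCS -Q 1/1
    if ($LASTEXITCODE -ne 0) { throw "createocs failed with exit code $LASTEXITCODE" }
}

# Step 2: create the Softcard, again only if it is not already present.
if (-not (Get-TokenHash -Output (& nfkminfo -s) -Name 'testSC')) {
    & ppmk -n testSC
    if ($LASTEXITCODE -ne 0) { throw "ppmk failed with exit code $LASTEXITCODE" }
}

# Step 3: verify both tokens and record their hashes; a missing token is a
# hard failure rather than something to notice later in Password Safe.
$ocsHash = Get-TokenHash -Output (& nfkminfo -c) -Name 'testOCS'
$scHash  = Get-TokenHash -Output (& nfkminfo -s) -Name 'testSC'
if (-not $ocsHash) { throw 'OCS testOCS not found in nfkminfo -c output' }
if (-not $scHash)  { throw 'Softcard testSC not found in nfkminfo -s output' }
"OCS      testOCS  hkltu = $ocsHash"
"Softcard testSC   hkltu = $scHash"
```

The hashes it prints are the same values the guide's `createocs` and `ppmk` output reports as hkltu/HKLTU; keeping a record of them alongside the card and Softcard names makes it straightforward to confirm later that Password Safe is bound to the token you intended.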
Install Password Safe on the Password Safe server
To install Password Safe on the Password Safe server, you have two options:
- Install BeyondInsight. BeyondInsight includes Password Safe.
- Install a U-Series Appliance. U-Series virtual appliances include BeyondInsight and Password Safe.
For details and installation instructions, see https://www.beyondtrust.com/docs/beyondinsight-password-safe/index.htm.