Install and configure the Entrust nShield HSM
Install the HSM
Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the Entrust nShield Support articles referenced by this guide; the complete instruction set is available in the nShield v13.6.3 HSM User Guide.
Install the nShield Security World Software and create the Security World
Perform these steps on the CyberArk PAS EPV Vault server.
- Install the Security World software by running setup.msi. The complete instruction set is available in the nShield Security World Software v13.6.3 Installation Guide.
- Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.
- Open firewall port TCP 9004 for the connection from the Vault server to the Entrust nShield HSM.
- If using remote administration, also open firewall port TCP 9005 for the Entrust nShield Trusted Verification Device (TVD).
- Configure the CyberArk PAS EPV Vault server as a client of the Entrust nShield HSM.
- Open a command window and run enquiry to confirm the HSM is operational. The Server section describes the hardserver on the Vault server; each Module section describes one HSM, and its mode must be operational:
  C:\Users\Administrator>enquiry
  Server:
   enquiry reply flags  none
   enquiry reply level  Six
   serial number
   mode                 operational
   version              13.6.3
   ...
  Module #1:
   enquiry reply flags  none
   enquiry reply level  Six
   serial number        7852-268D-3BF9
   mode                 operational
   version              13.2.4
   ...
- Create your Security World if one does not already exist, or copy an existing one. Follow your organization's security policy for this. Create extra ACS cards as spares in case of a card failure or a lost card: ACS cards cannot be duplicated after the Security World is created.
- Confirm the Security World is usable. Both the World section and each Module section of the nfkminfo output must report Usable:
  C:\ProgramData\nCipher\Key Management Data>nfkminfo
  World
   generation  2
   state       0x3737000c Initialised Usable
   ...
  ...
  Module #1
   generation  2
   state       0x2 Usable
   ...
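The post-install steps above, as one script. This is an added example, not from the CyberArk or Entrust documentation: it puts the utilities on the PATH, adds the two firewall rules, and then parses the enquiry and nfkminfo output so the checks fail loudly instead of relying on eyeballing the text. The HSM address 192.0.2.10 and the firewall rule names are placeholders; the rule directions (the Vault's hardserver connects out to the HSM on 9004, the Remote Administration Service listens locally on 9005) are the documented defaults; the nethsmenroll step is left as a comment because its ESN/KNETI confirmation must be done interactively against the HSM front panel.

```powershell
# Added example (not the page's own code). Run from an elevated PowerShell on the
# Vault server after the Security World software has been installed.
param(
    [string]$HsmIp    = '192.0.2.10',                        # placeholder address
    [string]$NfastBin = 'C:\Program Files\nCipher\nfast\bin'
)

# 1. Security World utilities on the machine PATH (persistent) and on this session's PATH.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $NfastBin) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$NfastBin", 'Machine')
}
$env:Path = "$env:Path;$NfastBin"

# 2. Firewall rules, created once. 9004: this host -> HSM. 9005: TVD -> this host.
function Add-RuleOnce([string]$Name, [hashtable]$Spec) {
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name @Spec | Out-Null
    }
}
Add-RuleOnce 'nShield hardserver to HSM (TCP 9004)' @{
    Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 9004; RemoteAddress = $HsmIp; Action = 'Allow'
}
Add-RuleOnce 'nShield Remote Administration / TVD (TCP 9005)' @{
    Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 9005; Action = 'Allow'
}

# 3. Enrol this host as a client of the HSM (assumed usage of the Security World
#    utilities: anonkneti prints the HSM's ESN and KNETI hash, nethsmenroll enrols it).
#    Compare the ESN/KNETI hash shown with the HSM front panel before accepting, and
#    add this host's IP to the HSM's client list on the HSM itself.
#    & anonkneti $HsmIp
#    & nethsmenroll $HsmIp

# 4. enquiry: every "Module #N" block must report "mode operational".
$enquiry = & enquiry 2>&1 | Out-String
$modules = [regex]::Matches($enquiry, 'Module #\d+:[\s\S]*?\bmode\s+(\S+)')
$badModules = $modules | Where-Object { $_.Groups[1].Value -ne 'operational' }
if ($modules.Count -eq 0 -or $badModules) {
    throw "HSM not operational (no module, or a module not in mode operational):`n$enquiry"
}

# 5. nfkminfo: the World must be "Initialised Usable" and every module "Usable".
$nfkm = & nfkminfo 2>&1 | Out-String
if ($nfkm -notmatch 'World[\s\S]*?state\s+0x[0-9a-fA-F]+\s+Initialised\s+Usable') {
    throw "Security World is not initialised/usable on this host:`n$nfkm"
}
$moduleStates = [regex]::Matches($nfkm, 'Module #\d+[\s\S]*?state\s+0x[0-9a-fA-F]+\s+(\S+)')
$badStates = $moduleStates | Where-Object { $_.Groups[1].Value -ne 'Usable' }
if ($moduleStates.Count -eq 0 -or $badStates) {
    throw "Security World not usable on at least one module:`n$nfkm"
}
"HSM operational on $($modules.Count) module(s); Security World usable."
```

The regexes anchor on the Module headers so that the hardserver's own "mode operational" line in the Server section cannot mask an HSM that is, for example, in initialisation or maintenance mode.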
Select the protection method
OCS or Module protection can be used to authorize access to the keys protected by the HSM.
- Operator Card Sets (OCS) are smartcards that are presented to the physical smartcard reader of an HSM; a key protected by an OCS can only be loaded when the required quorum (k of N) of its cards has been presented. For more information on OCS use, properties, and k-of-N values, see the User Guide for your HSM.
- Module protection has no card and no passphrase: the key is protected by the module key alone, so any process that can reach the hardserver on an enrolled client can load and use it. Use it only where the Vault server itself is adequately hardened.
Follow your organization's security policy to select an authorization access method.
- Edit the cknfastrc configuration file based on the selected protection method. This file is located in the %NFAST_HOME% directory, which is typically C:\Program Files\nCipher\nfast. If you get a permissions error when trying to edit the file, right-click cknfastrc > Properties > Security > Edit, select Users, and check Allow for Full Control. After editing the file, remove Full Control again; ensure that the Read and Read & execute options remain selected, since the hardserver and the PKCS#11 library only need to read the file. Leave CKNFAST_OVERRIDE_SECURITY_ASSURANCES set to none, which keeps the PKCS#11 library's security assurance checks in force; do not set it to all.
  - If you are using module-protected keys (CKNFAST_FAKE_ACCELERATOR_LOGIN=1 lets the accelerator slot accept a PKCS#11 login, which applications that always call C_Login require):
    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1
  - If you are using OCS-protected keys and K=1:
    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
  - If you are using OCS-protected keys and K>1 (the OCS must be preloaded, and NFAST_NFKM_TOKENSFILE tells the library where the preloaded tokens are recorded):
    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    NFAST_NFKM_TOKENSFILE=C:\ProgramData\nCipher\nfast-nfkm-tokensfile
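The cknfastrc edit above, scripted so that it is repeatable and leaves the file with a tight ACL instead of a temporarily widened one. This is an added example, not CyberArk's or Entrust's code: the $Protection labels (module, ocs-k1, ocs-kn) exist only in this script, and the settings it writes are exactly the three sets listed above. It assumes an elevated session and the default %NFAST_HOME%; it replaces only the keys it manages and keeps any other lines already in the file.

```powershell
# Added example (not the page's own code). Run elevated on the Vault server.
param(
    [ValidateSet('module', 'ocs-k1', 'ocs-kn')]
    [string]$Protection = 'module',                           # label used only here
    [string]$NfastHome  = $(if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\Program Files\nCipher\nfast' })
)
$cknfastrc = Join-Path $NfastHome 'cknfastrc'

# The settings from the guide. OVERRIDE_SECURITY_ASSURANCES=none keeps the PKCS#11
# security assurance checks enforced (never "all" on a production Vault);
# LOADSHARING=1 shares keys across modules; FAKE_ACCELERATOR_LOGIN=1 lets the
# module-protected (accelerator) slot accept C_Login; NFAST_NFKM_TOKENSFILE is
# needed for a k>1 OCS that has been preloaded.
$settings = switch ($Protection) {
    'module' { @('CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none',
                 'CKNFAST_LOADSHARING=1',
                 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1') }
    'ocs-k1' { @('CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none',
                 'CKNFAST_LOADSHARING=1') }
    'ocs-kn' { @('CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none',
                 'CKNFAST_LOADSHARING=1',
                 'NFAST_NFKM_TOKENSFILE=C:\ProgramData\nCipher\nfast-nfkm-tokensfile') }
}

# Keep a timestamped copy of whatever is there now.
if (Test-Path $cknfastrc) {
    Copy-Item $cknfastrc "$cknfastrc.bak-$(Get-Date -Format yyyyMMddHHmmss)"
}

# Merge: drop any existing line for a key we manage, keep everything else
# (comments, unrelated settings), then append our settings.
$existing = if (Test-Path $cknfastrc) { Get-Content $cknfastrc } else { @() }
$managed  = $settings | ForEach-Object { ($_ -split '=', 2)[0] }
$kept     = @($existing | Where-Object { $_ -and (($_ -split '=', 2)[0] -notin $managed) })
Set-Content -Path $cknfastrc -Value ($kept + $settings) -Encoding ASCII

# ACL: instead of giving Users Full Control and remembering to remove it, set an
# explicit ACL. SYSTEM and Administrators may write; Users (which covers the
# service accounts that load the PKCS#11 library) may only read and execute.
$acl = Get-Acl $cknfastrc
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited rules
foreach ($rule in @(
    @('NT AUTHORITY\SYSTEM',   'FullControl'),
    @('BUILTIN\Administrators', 'FullControl'),
    @('BUILTIN\Users',          'ReadAndExecute')
)) {
    $acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $rule[0], $rule[1], 'Allow'))
}
Set-Acl -Path $cknfastrc -AclObject $acl

# Verify: each required line present exactly once, and nothing weakened the
# assurance setting.
foreach ($line in $settings) {
    $n = @(Get-Content $cknfastrc | Where-Object { $_ -eq $line }).Count
    if ($n -ne 1) { throw "cknfastrc: expected 1 occurrence of '$line', found $n" }
}
if (Get-Content $cknfastrc | Where-Object { $_ -match '^CKNFAST_OVERRIDE_SECURITY_ASSURANCES=(?!none$)' }) {
    throw 'cknfastrc: CKNFAST_OVERRIDE_SECURITY_ASSURANCES must be none'
}
Get-Content $cknfastrc
```

Run it once per protection method change; the backup copy and the final Get-Content give you a before/after record for the change ticket.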
- If using OCS protection, edit the cardlist configuration file. This file is located in the C:\ProgramData\nCipher\Key Management Data\config directory and lists the serial numbers of the Remote Administration smartcards that are permitted to be used with this client.