Install and configure the Entrust nShield HSM

Install the HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.

The complete instruction set is available at nShield v13.6.3 HSM User Guide.

Install the nShield Security World Software and create the Security World

Perform these steps on the CyberArk PAS EPV Vault server.

  1. Install the Security World software by running setup.msi. The complete instruction set is available at nShield Security World Software v13.6.3 Installation Guide.

  2. Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.

  3. Open TCP port 9004 on the Windows firewall for hardserver traffic between the Vault server and the Entrust nShield HSM.

  4. If using Remote Administration, also open TCP port 9005 for the Entrust nShield Trusted Verification Device (TVD).

  5. Configure the CyberArk PAS EPV Vault server as a client of the Entrust nShield HSM.

  6. Open a command window and run the following to confirm the HSM is operational.

    C:\Users\Administrator>enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number
     mode                 operational
     version              13.6.3
    ...
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        7852-268D-3BF9
     mode                 operational
     version              13.2.4
     ...
  7. Create your Security World if one does not already exist, or copy an existing one. Follow your organization's security policy for this. Create extra ACS cards as spares in case a card fails or is lost.

    ACS cards cannot be duplicated after the Security World is created, so decide on the number of spare cards before you create it.
  8. Confirm the Security World is usable.

    C:\ProgramData\nCipher\Key Management Data>nfkminfo
    World
     generation  2
     state       0x3737000c Initialised Usable ...
     ...
    Module #1
     generation 2
     state      0x2 Usable
     ...
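The PATH, firewall and health-check steps above (steps 2 to 4, 6 and 8), scripted as an added PowerShell example. This is not code from the Entrust or CyberArk guides; it assumes the default install path, that both ports are TCP, and that an inbound Windows Firewall rule is what "open the port" means in your environment. enquiry and nfkminfo are run exactly as shown above and their text output is parsed with regular expressions written for this example; the Test-NShieldOperational and Test-SecurityWorldUsable function names are this example's own.

```powershell
# Added example: prepare the Vault server for nShield and verify the HSM and Security World.
# Assumes the default install path; run from an elevated PowerShell prompt.
$NfastBin = 'C:\Program Files\nCipher\nfast\bin'

# Step 2: put the Security World utilities on the machine-wide PATH (persists across reboots).
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $NfastBin) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$NfastBin", 'Machine')
}
$env:Path = "$env:Path;$NfastBin"   # and for the current session

# Steps 3 and 4: 9004 for the nShield hardserver, 9005 only when Remote Administration (TVD) is used.
# Assumption: inbound TCP rules are what "open the port" means here; add matching outbound
# rules if your outbound policy is default-deny.
$UseRemoteAdmin = $true
$rules = @{ 'nShield hardserver (9004)' = 9004 }
if ($UseRemoteAdmin) { $rules['nShield Remote Administration TVD (9005)'] = 9005 }
foreach ($name in $rules.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $rules[$name] -Action Allow | Out-Null
    }
}

# Step 6: enquiry prints one "Server:" block (the local hardserver) and one "Module #n:" block
# per HSM; every block must report "mode operational".
function Test-NShieldOperational {
    $text   = & "$NfastBin\enquiry.exe" 2>&1 | Out-String
    $blocks = $text -split '(?m)^(?=Server:|Module #\d+:)'
    $results = foreach ($b in $blocks) {
        if ($b -match '^(Server|Module #\d+):') {
            [pscustomobject]@{
                Name        = $Matches[1]
                Operational = [bool]($b -match '(?m)^\s*mode\s+operational\s*$')
                # [ \t]+ (not \s+) so an empty serial, as on the Server block, is not read from the next line
                Serial      = if ($b -match '(?m)^\s*serial number[ \t]+(\S+)') { $Matches[1] } else { '' }
            }
        }
    }
    return $results
}

# Step 8: nfkminfo must report the World as "Initialised Usable" and each Module as "Usable".
function Test-SecurityWorldUsable {
    $out = & "$NfastBin\nfkminfo.exe" 2>&1 | Out-String
    $worldUsable  = $out -match '(?ms)^World.*?^\s*state\s+0x[0-9a-f]+\s+Initialised\s+Usable'
    $moduleUsable = $out -match '(?ms)^Module #\d+.*?^\s*state\s+0x[0-9a-f]+\s+Usable'
    return ($worldUsable -and $moduleUsable)
}

$hsm = Test-NShieldOperational
$hsm | Format-Table -AutoSize
if ($hsm.Count -lt 2 -or ($hsm | Where-Object { -not $_.Operational })) {
    throw 'enquiry: hardserver or HSM is not operational; fix connectivity before creating the Security World.'
}
if (-not (Test-SecurityWorldUsable)) {
    throw 'nfkminfo: Security World is not Usable on this client (no world, or module not enrolled).'
}
Write-Host 'nShield hardserver, HSM and Security World are ready.'
```

The script stops at the first failed check, so a missing Module block (client not enrolled on the HSM, or port 9004 blocked) is reported before any Security World work is attempted; the Security World check is only meaningful once enquiry is clean.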

Select the protection method

OCS or Module protection can be used to authorize access to the keys protected by the HSM.

  • Operator Card Sets (OCS) are smartcards presented to the physical smartcard reader of an HSM; a quorum of K of the N cards in the set (each optionally with its own passphrase) must be presented before OCS-protected keys can be loaded. For more information on OCS use, properties, and k-of-N values, see the User Guide for your HSM.

  • Module protection ties the keys to the Security World's module key only: no smartcards or passphrase are required, so any client that is authorized to use the HSM and holds the Security World data can load the keys.

Follow your organization's security policy to select an authorization access method.

  1. Edit the cknfastrc configuration file based on the selected protection method. This file is located in the %NFAST_HOME% directory, which is typically C:\Program Files\nCipher\nfast.

    If you get a permissions error trying to edit the file, right-click cknfastrc > Properties > Security > Edit, select Users, and check Allow for Full Control. After editing the file, remove Full Control again and ensure that only the Read and Read & execute options remain selected.

    • If you are using module-protected keys:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1
    • If you are using OCS-protected keys and K=1:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    • If you are using OCS-protected keys and K>1:

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1
    NFAST_NFKM_TOKENSFILE=C:\ProgramData\nCipher\nfast-nfkm-tokensfile

    In all three variants, CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none overrides none of the PKCS#11 security assurance checks, so they stay enforced (do not change this to all without a policy exception), and CKNFAST_LOADSHARING=1 presents every HSM in the Security World as a single load-shared slot. CKNFAST_FAKE_ACCELERATOR_LOGIN=1 makes the library accept, and then ignore, a PIN for the module-protected (accelerator) slot, which applications that always call C_Login require. With an OCS quorum of K>1 the cards are presented with the preload utility rather than through a single PKCS#11 login, and NFAST_NFKM_TOKENSFILE names the file that preload and the PKCS#11 library share for the loaded token.
  2. If using OCS protection, edit the cardlist configuration file. This file is located in the C:\ProgramData\nCipher\Key Management Data\config directory.
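The cknfastrc edit in step 1, including the permissions workaround, as an added PowerShell example. This is not code from the Entrust or CyberArk guides; it assumes %NFAST_HOME% is the default path, that the account running it is the local administrator described in the step, and that unrelated settings already in cknfastrc should be kept. It uses icacls to take Full Control for the duration of the edit and then to leave Users with Read and Read & execute, as the step requires.

```powershell
# Added example: write cknfastrc for the selected protection method (not from the Entrust guide).
# Assumes the default NFAST_HOME and that only the settings managed here should change.
$NfastHome  = if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\Program Files\nCipher\nfast' }
$Cknfastrc  = Join-Path $NfastHome 'cknfastrc'
$Protection = 'ocs'   # 'module' or 'ocs'
$K          = 2       # OCS quorum (K of N); ignored for module protection

# Common to every method: override no security assurances (keep them enforced) and load-share.
$lines = @(
    'CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none',
    'CKNFAST_LOADSHARING=1'
)
switch ($Protection) {
    'module' { $lines += 'CKNFAST_FAKE_ACCELERATOR_LOGIN=1' }   # accept (and ignore) a PIN on the module slot
    'ocs'    {
        if ($K -gt 1) {   # quorum is entered with preload; the library reads the token from this file
            $lines += 'NFAST_NFKM_TOKENSFILE=C:\ProgramData\nCipher\nfast-nfkm-tokensfile'
        }
    }
}

# The file is read-only for Users; take Full Control only for the edit, then put it back.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
& icacls $Cknfastrc /grant "${me}:F" | Out-Null
try {
    # Replace only the keys managed here; keep any other existing lines.
    $managed  = $lines | ForEach-Object { ($_ -split '=', 2)[0] }
    $existing = @()
    if (Test-Path $Cknfastrc) {
        $existing = Get-Content $Cknfastrc | Where-Object {
            $_ -and ($managed -notcontains ($_ -split '=', 2)[0])
        }
    }
    Set-Content -Path $Cknfastrc -Value (@($existing) + $lines) -Encoding ASCII
} finally {
    & icacls $Cknfastrc /remove:g $me | Out-Null        # drop the temporary Full Control grant
    & icacls $Cknfastrc /grant 'Users:(RX)' | Out-Null  # Read and Read & execute, as the guide requires
}
Get-Content $Cknfastrc
```

Because the temporary grant is removed in a finally block, the file does not stay world-writable if Set-Content fails; the final Get-Content lets you confirm that exactly the lines for the chosen method are present before restarting the Vault services.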