Deploy and configure the nShield HSM

All steps in this section are performed on the server running the Secret Server.

Install the Entrust nShield HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.

For detailed instructions see the nShield v13.6.11 Hardware Install and Setup Guides.

Install the Security World software and create a Security World

  1. Install the Security World software. For detailed instructions see the nShield Security World Software v13.6.11 Installation Guide.

  2. Add the Security World utilities path to the system path. This path is typically C:\Program Files\nCipher\nfast\bin.

  3. Open firewall port 9004 for the HSM connections.

  4. If you are using remote administration, open firewall port 9005 for the Entrust nShield Trusted Verification Device (TVD).

  5. Inform the HSM of the location of this client computer as described in Configuring the nShield HSM to use the client.

  6. Configure this client to use the HSM as described in Configuring client computers to use the nShield HSM.

  7. Open a command window and run the following utility to confirm that the HSM is operational:

    C:\Users\Administrator.INTEROP>enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        xxxx-xxxx-xxxx xxxx-xxxx-xxxx
     mode                 operational
     version              13.6.11
    ...
    Module #1:
     enquiry reply flags  UnprivOnly
     enquiry reply level  Six
     serial number        xxxx-xxxx-xxxx
     mode                 operational
     version              13.4.5
    ...
    Module #2:
     enquiry reply flags  UnprivOnly
     enquiry reply level  Six
     serial number        xxxx-xxxx-xxxx
     mode                 operational
     version              12.72.3
    ...
  8. Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy for this. For more information see Create a new Security World.

    ACS cards cannot be duplicated after the Security World is created. You may want to create extras in case of a card failure or a lost card.
  9. Confirm that the Security World is "Usable":

    C:\Users\Administrator.INTEROP>nfkminfo
    World
     generation  2
     state       0x3737000c Initialised Usable ...
     ...
    Module #1
     generation 2
     state      0x2 Usable
     ...
    Module #2
     generation 2
     state      0x2 Usable
     ...
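
The checks in steps 7 and 9 can be scripted. The following is an added example, not code from the Entrust guide or from Secret Server: it parses the output of enquiry and nfkminfo and reports whether every module is operational and the World and every module are Usable. It assumes Python is available on the server; the two sample strings are constructed, abbreviated copies of the output shown above.

```python
"""Added example, not from the Entrust/Delinea guide: automate the checks of
steps 7 and 9 on `enquiry`/`nfkminfo` output (modules 'operational', World and
modules 'Usable'). The two *_SAMPLE strings are constructed, abbreviated output."""

ENQUIRY_SAMPLE = """Server:
 enquiry reply flags  none
 mode                 operational
Module #1:
 mode                 operational
Module #2:
 mode                 operational
"""
NFKMINFO_SAMPLE = """World
 state       0x3737000c Initialised Usable Recovery !PINRecovery
Module #1
 state      0x2 Usable
Module #2
 state      0x2 Usable
No Cardsets
"""

def split_blocks(text):
    """Return [(header, [body lines])]; a header is any unindented line."""
    blocks = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            blocks.append((line.rstrip(":").strip(), []))
        elif blocks and line.strip():
            blocks[-1][1].append(line.strip())
    return blocks

def field(lines, name):
    """Value of the first body line whose label is `name` ('mode  operational')."""
    for line in lines:
        if line.startswith(name + " "):
            return line[len(name):].strip()
    return None

def check_enquiry(text):
    """(modes, ok): mode of Server and each Module; ok if all are 'operational'."""
    modes = {h: field(b, "mode") for h, b in split_blocks(text)
             if h == "Server" or h.startswith("Module")}
    return modes, bool(modes) and all(m == "operational" for m in modes.values())

def check_world(text):
    """(states, ok): state of World and each Module; ok if every one is Usable."""
    states = {h: field(b, "state") for h, b in split_blocks(text)
              if h == "World" or h.startswith("Module")}
    return states, bool(states) and all(s and "Usable" in s.split() for s in states.values())
```

On the server, pass the stdout of `enquiry` to check_enquiry and the stdout of `nfkminfo` to check_world; a False result names the block that is not ready.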

Select the protection method

The following protection methods are available to authorize access to Secret Server keys protected by the HSM.

  • Operator Card Sets (OCS) are smartcards that are presented to the physical smartcard reader of an HSM. For more information on OCS use, properties, and K-of-N values, see Operator Card Sets (OCS).

  • Softcards are logical tokens (passphrases) that protect the key and authorize its use. For more information on softcard use, see Softcards.

  • Module-protected keys are protected only by a module key. For more information on module protection use, see Module protection.

Follow your organization’s security policy to select an authorization access method.

Depending on the protection method selected, you may need to define some environment variables. You can either set these environment variables with the Windows set command or edit the file C:\Program Files\nCipher\nfast\cknfastrc. The Windows set command is preferred. For reference, all environment variables are listed in nShield PKCS #11 library environment variables.

Enable softcard protection:

C:\Users\Administrator.INTEROP>set CKNFAST_LOADSHARING=1

Enable module protection:

C:\Users\Administrator.INTEROP>set CKNFAST_FAKE_ACCELERATOR_LOGIN=1

Sample C:\Program Files\nCipher\nfast\cknfastrc file:

# Enable Softcard protection
CKNFAST_LOADSHARING=1

# Enable Module protection
CKNFAST_FAKE_ACCELERATOR_LOGIN=1

# OCS Preload file location and card set state
NFAST_NFKM_TOKENSFILE="C:\Program Files\nCipher\nfast\preloadtoken"
CKNFAST_NONREMOVABLE=1

Create the OCS

The OCS quorum and passphrase must be set as shown next.

  Feature      CNG Cryptography Provider   PKCS #11 API
  Quorum K     1                           1
  Passphrase   None. Left blank            <passphrase>

Recovering from a power failure requires the OCS to be inserted in the HSM or the TVD.

  1. Ensure that the file /opt/nfast/kmdata/config/cardlist contains the serial number of the card(s) to be presented, or an asterisk wildcard to allow the use of any card.

  2. Open a command window as Administrator.

  3. Create the OCS as described in Create Operator Card Sets (OCSs).

    Follow your organization’s security policy for the values of K/N, where K=1 as mentioned above. Use the same passphrase (left blank with CNG) for all the OCS cards in the set (one for each person with access privilege, plus spares).

    In the example below, slot 2 (remote via TVD) was used to present the card in this integration.

    The -p (persistent) option makes the authentication persist after you remove the OCS card from the HSM front panel slot or from the TVD.

    After an OCS card set has been created, the cards cannot be duplicated.

    # createocs -m1 -s2 -N testOCSnopassphrase -Q 1/1
    
    FIPS 140-2 level 3 auth obtained.
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 0: Admin Card #1
     Module 1 slot 2: empty
     Module 1 slot 3: empty
     Module 1 slot 2: blank card
    Steps:
    
     Module 1 slot 2:- no passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = 7aaf758bc6790206198ea5218040d4faa09f035f
  4. Verify that the OCS was created.

    C:\Users\Administrator.INTEROP>nfkminfo -c
    Cardset list - 2 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     7aaf758bc6790206198ea5218040d4faa09f035f  1/5  none-NL testOCSnopassphrase
     edb3d45a28e5a6b22b033684ce589d9e198272c2  1/5  none-NL testOCS

    The rocs utility also shows the OCS created.

    C:\Users\Administrator.INTEROP>rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
    No. Name                     Keys (recov) Sharing
      1 testOCSnopassphrase      0 (0)        1 of 5
      2 testOCS                  1 (1)        1 of 5
    rocs> exit
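
Step 4 can also be scripted so that the hkltu printed by createocs is matched against the nfkminfo -c listing and its quorum is checked against the K=1 requirement from the table in Create the OCS. This is an added example, not code from the Entrust guide; CARDSET_SAMPLE is a constructed copy of the listing shown above, and the script assumes Python is available on the server.

```python
"""Added example, not from the Entrust/Delinea guide: parse `nfkminfo -c` output
and confirm that the OCS whose hkltu createocs printed is listed with the quorum
the table in 'Create the OCS' requires (K=1). CARDSET_SAMPLE is constructed."""
import re

CARDSET_SAMPLE = """Cardset list - 2 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
 Operator logical token hash               k/n timeout  name
 7aaf758bc6790206198ea5218040d4faa09f035f  1/5  none-NL testOCSnopassphrase
 edb3d45a28e5a6b22b033684ce589d9e198272c2  1/5  none-NL testOCS
"""

# One cardset line: 40-hex hash, k/n, timeout-<P|N><R|L> flags, then the name.
CARDSET_RE = re.compile(
    r"^\s*([0-9a-f]{40})\s+(\d+)/(\d+)\s+(\S+?)-([PN])([RL])\s+(\S+)\s*$")

def parse_cardsets(text):
    """Return {hash: {name, k, n, timeout, persistent, remoteable}} per listed cardset."""
    cardsets = {}
    for line in text.splitlines():
        m = CARDSET_RE.match(line)
        if m:
            h, k, n, timeout, pflag, rflag, name = m.groups()
            cardsets[h] = {"name": name, "k": int(k), "n": int(n), "timeout": timeout,
                           "persistent": pflag == "P", "remoteable": rflag == "R"}
    return cardsets

def verify_ocs(text, hkltu, required_k=1):
    """(ok, reason): the createocs hash must be listed and have quorum K == required_k."""
    cs = parse_cardsets(text).get(hkltu.lower())
    if cs is None:
        return False, "cardset %s not listed by nfkminfo -c" % hkltu
    if cs["k"] != required_k:
        return False, "%s has K=%d, expected %d" % (cs["name"], cs["k"], required_k)
    return True, "%s listed with quorum %d/%d" % (cs["name"], cs["k"], cs["n"])

if __name__ == "__main__":  # usage: python check_ocs.py <hkltu printed by createocs>
    import subprocess, sys
    listing = subprocess.run(["nfkminfo", "-c"], capture_output=True, text=True, check=True).stdout
    print(verify_ocs(listing, sys.argv[1]))
```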

Create the softcard

  1. Enable softcard protection as described in Select the protection method.

  2. Open a command window as an administrator.

  3. Create the softcard as described in Create softcards.

    For example:

    # ppmk -n testSC
    
    Enter new pass phrase:
    Enter new pass phrase again:
    New softcard created: HKLTU d23456789234567234567471d3722f8c70f5d864
  4. Verify the softcard.

    # nfkminfo -s
    SoftCard summary - 1 softcards:
     Operator logical token hash               name
     9252345678923456234567897bde3753d24e7744  testSC

    The rocs utility also shows the new softcard.

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cards
    No. Name                     Keys (recov) Sharing
      1 testOCS                  0 (0)        1 of 5
      2 testSC                   0 (0)        (softcard)
    rocs> quit

Automatically start the nShield service agent at startup

  1. Create a shortcut of C:\Program Files\nCipher\nfast\bin\nShield_service_agent.exe and place it temporarily on the desktop.

  2. Press Windows key + R, type shell:startup, then select OK.

  3. Move the shortcut to the Startup folder.

  4. Reboot.

  5. Notice the nShield service agent icon shown below.

    [Image: nShield service agent icon]