Deploy and configure the Entrust nShield HSM

Install the Security World software and create a Security World

  1. Install and configure the Security World software. For instructions, see the Installation Guide and the User Guide for the HSM.

  2. Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.

  3. Open TCP port 9004 in the firewall for inbound and outbound traffic for the connection between the hardserver and the nShield Connect HSM.

  4. Open TCP port 9005 in the firewall for inbound and outbound traffic for remote administration using an nShield Trusted Verification Device (TVD).

  5. Install the nShield Connect HSM locally, remotely, or remotely via the serial console. See the nShield Support articles on the Entrust nShield Support Portal, and the Installation Guide for the HSM.

    Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.
  6. Run enquiry to verify that the HSM is correctly configured:

    C:\Users\Administrator>enquiry
    Server
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        <ESN-of-HSM>
     mode                 operational
    ...
    Module #1
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        <ESN-of-HSM>
     mode                 operational
    ...
  7. Create your Security World if one does not exist already. Follow your organization’s security policy for this. Create extra ACS cards, one for each person with access privilege, plus spares.

    new-world -i -m <module_number> -Q <K/N>
    After an ACS card set has been created, the cards cannot be duplicated.
  8. Run nfkminfo to confirm the Security World is operational and usable:

    C:\Users\Administrator>nfkminfo
    World
     generation  2
     state       0x37270008 Initialised Usable ...
    ...
    Module #1
     generation  2
     state       0x2 Usable
    ...
    Module #1 Slot #0 IC 0
     generation  1
     phystype    SmartCard
     ...
     error       OK
    ...
    Module #1 Slot #1 IC 0
     generation  1
     phystype    SoftToken
     ...
     error       OK
    ...
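The host preparation and verification steps above (PATH, firewall ports 9004 and 9005, enquiry, nfkminfo) as one PowerShell script. This is an added example and is not part of the Entrust/Delinea integration guide. It assumes the default install path and the port numbers quoted in the guide; the HSM address, rule names and function names are placeholders chosen for this example. Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the Entrust/Delinea integration guide.
# Prepares a Windows client for the nShield Connect (steps 2-4 above) and
# then checks the results of steps 6 and 8. Run from an elevated session.
param(
    [string]$HsmAddress = '192.0.2.10',   # assumed nShield Connect IP (placeholder)
    [string]$NfastBin   = 'C:\Program Files\nCipher\nfast\bin'
)

# Step 2: add the Security World utilities to the machine PATH (idempotent).
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
if (($machinePath -split ';') -notcontains $NfastBin) {
    [Environment]::SetEnvironmentVariable('Path', "$machinePath;$NfastBin", 'Machine')
}
if (($env:Path -split ';') -notcontains $NfastBin) { $env:Path += ";$NfastBin" }

# Steps 3-4: firewall rules. Inbound rules match the local port, outbound rules
# the remote port. The 9004 (hardserver) rules are pinned to the HSM address;
# the 9005 (TVD remote administration) rules are left open to any peer.
$rules = @(
    @{ Name = 'nShield Connect 9004 in';  Dir = 'Inbound';  Port = 9004; Remote = $HsmAddress },
    @{ Name = 'nShield Connect 9004 out'; Dir = 'Outbound'; Port = 9004; Remote = $HsmAddress },
    @{ Name = 'nShield TVD 9005 in';      Dir = 'Inbound';  Port = 9005; Remote = 'Any' },
    @{ Name = 'nShield TVD 9005 out';     Dir = 'Outbound'; Port = 9005; Remote = 'Any' }
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $portParam = if ($r.Dir -eq 'Inbound') { @{ LocalPort = $r.Port } } else { @{ RemotePort = $r.Port } }
    New-NetFirewallRule -DisplayName $r.Name -Direction $r.Dir -Protocol TCP -Action Allow `
        -RemoteAddress $r.Remote @portParam | Out-Null
}

# Step 6: every 'mode' line that enquiry prints (Server and each Module)
# must read 'operational'.
function Test-NShieldOperational {
    $modes = & enquiry 2>&1 | Select-String -Pattern '^\s*mode\s+(\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value }
    if (-not $modes) { throw 'enquiry returned no mode lines; is the hardserver running?' }
    return (@($modes | Where-Object { $_ -ne 'operational' }).Count -eq 0)
}

# Step 8: the World and each Module section of nfkminfo must carry the
# 'Usable' flag. Slot sections are ignored, since an empty slot reports
# its own state and is not an error.
function Test-SecurityWorldUsable {
    $section = $null
    $usable  = @{}
    foreach ($line in (& nfkminfo 2>&1)) {
        $text = "$line"
        if ($text -match '^(World|Module #\d+)$') { $section = $Matches[1]; continue }
        if ($section -and $text -match '^\s+state\s+0x[0-9a-fA-F]+\s+(.*)$') {
            $usable[$section] = (($Matches[1] -split '\s+') -contains 'Usable')
            $section = $null   # only the first state line of a section counts
        }
    }
    if (-not $usable.ContainsKey('World')) { throw 'nfkminfo reported no Security World' }
    return (@($usable.Values | Where-Object { -not $_ }).Count -eq 0)
}

if (-not (Test-NShieldOperational))  { throw 'HSM not operational; review the enquiry output' }
if (-not (Test-SecurityWorldUsable)) { throw 'Security World not usable; review the nfkminfo output' }
Write-Host 'nShield HSM reachable and Security World usable.'
```

The outbound rules use the remote port rather than the local port because the client initiates the connection to the HSM on 9004; a rule keyed on local port 9004 would match nothing on the client side. Pinning the 9004 rules to the HSM address keeps the hardserver port from being reachable from, or to, anything else.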

Automatically start the nShield service agent at startup

  1. Create a shortcut to C:\Program Files\nCipher\nfast\bin\nShield_service_agent.exe and place it temporarily on the desktop.

  2. Press the Windows key + R, type shell:startup, then select OK. This opens the Startup folder of the current user; programs placed there run when that user logs on, not at boot, so the account that will run the service agent must log on after the reboot.

  3. Copy and paste the shortcut into the Startup folder.

  4. Reboot and log on.

  5. Confirm that the nShield service agent icon appears in the Windows notification area (system tray).
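The same Startup-folder step as a script, added here as an example and not part of the integration guide. It writes the shortcut into the all-users Startup folder rather than the current user's, so the agent starts for whichever account logs on, and then checks that the shortcut resolves to the agent binary. The install path is the guide's default; the shortcut name is an assumption.

```powershell
# Added example, not part of the Entrust/Delinea integration guide.
# Creates the nShield service agent shortcut in the all-users Startup folder.
$AgentExe = 'C:\Program Files\nCipher\nfast\bin\nShield_service_agent.exe'
if (-not (Test-Path $AgentExe)) { throw "nShield service agent not found at $AgentExe" }

# 'CommonStartup' is the all-users Startup folder; 'Startup' would be the
# per-user folder that shell:startup opens (the guide's manual step).
$startupDir = [Environment]::GetFolderPath('CommonStartup')
$lnkPath    = Join-Path $startupDir 'nShield service agent.lnk'   # assumed name

$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)
$shortcut.TargetPath       = $AgentExe
$shortcut.WorkingDirectory = Split-Path $AgentExe
$shortcut.Save()

# Verify the shortcut resolves to the agent binary. The agent itself only
# starts at the next logon, which is when the tray icon should appear.
$target = $shell.CreateShortcut($lnkPath).TargetPath
if ($target -ne $AgentExe) { throw "Shortcut target is '$target', expected '$AgentExe'" }
Write-Host "Startup shortcut written to $lnkPath"
```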

Create the OCS

The Delinea Secret Server private keys generated by the Entrust nShield HSM can be protected with Softcard, module-only, or OCS protection, as described in the Supported product features section of this guide.

  • An OCS (Operator Card Set) is a set of smartcards presented to the physical smartcard reader of the HSM, or remotely via an nShield Trusted Verification Device (TVD). For the Secret Server application the quorum K must be 1. For more information on OCS use, properties, and K-of-N values, see the User Guide for your HSM.

  • Softcards are logical tokens protected with a passphrase.

  • Module-only protection uses no token and no passphrase; the key is protected by the Security World module key alone.

The examples shown in this integration guide use OCS protection. The following steps create the OCS.

  1. Ensure that the cardlist file in the Security World kmdata config directory (on Windows, C:\ProgramData\nCipher\Key Management Data\config\cardlist; on Linux, /opt/nfast/kmdata/config/cardlist) contains the serial number of each card to be presented remotely, or an asterisk wildcard to allow the use of any card.

  2. Open a command window as administrator.

  3. Run createocs.

    Press Return when prompted for a passphrase, so that the passphrase is left blank.

    Follow your organization’s security policy for the values of K/N, with K=1 as required by Secret Server (see above). Use the same passphrase (left blank for use with the nShield CNG provider) for all the OCS cards in the set: one for each person with access privilege, plus spares.

    Slot 2, the remote slot via TVD, was used to present the card in this integration.

    The -p (persistent) option keeps the OCS token loaded after you remove the card from the HSM front panel slot or from the TVD. Without it, keys protected by the OCS become unavailable as soon as the card is removed, which an unattended service cannot tolerate; with it, card removal no longer unloads the keys, so physical control of the card is the only remaining check.

    After an OCS card set has been created, the cards cannot be duplicated.
    # createocs -m1 -s2 -N SecretServer -Q 1/1 -p
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 0: Admin Card #1
     Module 1 slot 2: blank card
     Module 1 slot 3: empty
     Module 1 slot 2:- no passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = 5481cad7a4b86705678e262162e95ec9318d43e6
  4. Verify that the OCS was created:

    # nfkminfo -c
    Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     5481cad7a4b86705678e262162e95ec9318d43e6  1/1  none-PL SecretServer

    The output of rocs also shows the OCS:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
    No. Name                     Keys (recov) Sharing
      1 SecretServer             0 (0)        1 of 1; persistent
    rocs> exit
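A check for the two OCS properties the text requires for Secret Server, K=1 and persistence, plus the cardlist preparation from step 1, added here as an example and not part of the integration guide. It parses the cardset table printed by nfkminfo -c (the same format as the output above). The Windows kmdata path is the default location and is an assumption, as are the function names.

```powershell
# Added example, not part of the Entrust/Delinea integration guide.
# Prepares cardlist and verifies the OCS created for Secret Server.
$CardList = 'C:\ProgramData\nCipher\Key Management Data\config\cardlist'   # assumed default kmdata path

# Step 1: allow a card (by serial) or every card ('*') to be presented via TVD.
# Listing specific serials is tighter than the wildcard; both are accepted by the guide.
function Add-AllowedCard {
    param([Parameter(Mandatory)][string]$Serial)
    $entries = if (Test-Path $CardList) { @(Get-Content $CardList) } else { @() }
    if ($entries -contains '*' -or $entries -contains $Serial) { return }
    Add-Content -Path $CardList -Value $Serial
}

# Parse one cardset row of 'nfkminfo -c', e.g.
#   5481cad7a4b86705678e262162e95ec9318d43e6  1/1  none-PL SecretServer
# Flags after the timeout: (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only.
function ConvertFrom-CardsetLine {
    param([string]$Line)
    if ($Line -match '^\s*([0-9a-f]{40})\s+(\d+)/(\d+)\s+(\S+?)-([PN])([RL])\s+(.+?)\s*$') {
        [pscustomobject]@{
            Hash       = $Matches[1]
            K          = [int]$Matches[2]
            N          = [int]$Matches[3]
            Timeout    = $Matches[4]
            Persistent = ($Matches[5] -eq 'P')
            Remoteable = ($Matches[6] -eq 'R')
            Name       = $Matches[7]
        }
    }
}

# Steps 3-4: the OCS must exist, have K=1 (Secret Server requirement) and be
# persistent (the -p option), otherwise keys unload when the card is removed.
function Test-SecretServerOcs {
    param([string]$Name = 'SecretServer')
    $ocs = & nfkminfo -c 2>&1 | ForEach-Object { ConvertFrom-CardsetLine "$_" } |
           Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if (-not $ocs) { throw "No OCS named '$Name' in nfkminfo -c output" }
    $problems = @()
    if ($ocs.K -ne 1)         { $problems += "quorum is $($ocs.K)/$($ocs.N); Secret Server requires K=1" }
    if (-not $ocs.Persistent) { $problems += 'OCS is not persistent; create it with -p' }
    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; return $false }
    Write-Host "OCS '$Name' ($($ocs.Hash)) ok: $($ocs.K)/$($ocs.N), persistent"
    return $true
}

Add-AllowedCard -Serial '*'   # or the serial number of each TVD card, per your policy
Test-SecretServerOcs -Name 'SecretServer'
```

Run it after createocs has finished; for the cardset shown above it reports the 1/1 persistent OCS as acceptable, and it warns rather than throwing when the quorum or persistence does not match, so the output can be kept as evidence that the OCS was created to policy.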