Configure the Entrust Authority Security Manager

Establish a preload session

You can use an OCS or Softcard to establish a connection with the HSM. Before installing Security Manager, you must preload the OCS or Softcard that is used to protect the Entrust keys. If you are using a K-of-N OCS, this section assumes the OCS has already been created. Refer to your Security World User Guide on how to create an OCS or Softcard. Decide which method you will use for the connection before proceeding.

To initialize Security Manager, the OCS or Softcard has to be preloaded.

  1. Edit the cknfastrc environment variables. The cknfastrc file can be found in %NFAST_HOME%\cknfastrc. Edit the file to include:

    # Softcard
    CKNFAST_LOADSHARING=1
    
    # Enable Module Protection
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1
    
    # Other variables
    CKNFAST_NO_UNWRAP=1
    CKNFAST_NO_ACCELERATOR_SLOTS=1
    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    
    # Preload file location
    NFAST_NFKM_TOKENSFILE=C:\preload\<filename>
    
    # PKCS #11 log level and file location
    CKNFAST_DEBUG=10
    CKNFAST_DEBUGFILE=C:\preload\pkcs11.log

    Useful information about environment variables:

    • The filename is user defined and will be referenced in the preload command. For example, %NFAST_HOME%\Bin>preload -c <OCS Name> -f <pathname to preload file and filename> pause.

    • When using a K-of-N Card Set where K>1, set CKNFAST_LOADSHARING=0. When using a K-of-N Card Set where K=1, set CKNFAST_LOADSHARING=1. This also applies to when using Softcards.

    • For Enhanced Database Protection (EDP) use CKNFAST_LOADSHARING=0 after enabling the database hardware protection. Restart the system for load sharing to work.

    • When you are using nShield with ePassport CVCA, use CKNFAST_ASSUME_SINGLE_PROCESS=0. If ePassport Document Verifier Certificate requests are canceled, this setting ensures that the associated physical key is deleted in the HSM. For information on environment variables, see the User Guide for the HSM.

    For more information about the environment variables used in cknfastrc, see the nShield PKCS11 library environment variables section in the User Guide for the HSM.

  2. Create an empty folder called Preload on drive C:.

  3. Open a command prompt as Administrator (right-click Command Prompt and select Run as Administrator) and change to the %NFAST_HOME%\bin directory.

  4. Run the following command to list the OCS:

    • For K-of-N OCS:

      % nfkminfo.exe -c
    • For Softcard:

      % nfkminfo.exe -s
  5. Open a command window to run preload exclusively.

    Do not close this window throughout the Entrust Security Manager configuration. Otherwise the configuration will fail.
  6. Preload the Card Set by running the preload -c command for OCS, or preload -s command for Softcard.

    # preload -<c/s> <OCS/Softcard> -f <location of file above> pause

    Present the OCS cards and passphrase when prompted.

    For example:

    % preload -c testOCS -f C:\preload\entrustsmtoken pause
    2023-02-15 15:56:48: [4256]: INFO: Preload running with: -c testOCS -f C:\preload\entrustsmtoken pause
    2023-02-15 15:56:48: [4256]: INFO: Created a (new) connection to Hardserver
    2023-02-15 15:56:48: [4256]: INFO: Modules newly usable: [1].
    2023-02-15 15:56:48: [4256]: INFO: Found a change in the system: an update pass is needed.
    2023-02-15 15:56:48: [4256]: INFO: Loading cardset: testOCS in modules: [1]
    
    Loading `testOCS':
     Module 1 slot 2: `testOCS' #1
     Module 1 slot 0: Admin Card #1
     Module 1 slot 3: empty
     Module 1 slot 4: empty
     Module 1 slot 5: empty
     Module 1 slot 2:- passphrase supplied - reading card
    Card reading complete.
    
    2023-02-15 15:56:52: [4256]: INFO: Stored Admin key: kfips (4c0b...) in module #1
    2023-02-15 15:56:52: [4256]: INFO: Loading cardset: Cardset: testOCS (6951...) in module: 1
    2023-02-15 15:56:52: [4256]: INFO: Stored Cardset: testOCS (6951...) in module #1
    2023-02-15 15:56:52: [4256]: INFO: Maintaining the cardset testOCS protected key(s)=[].
    2023-02-15 15:56:52: [4256]: INFO: Loading complete. Now pausing...

    If non-persistent cards are used, then the last card in the quorum must remain inserted in the card reader. If persistent cards are used, then the last card in the quorum can be removed from the card reader.

    The filename is user defined but must be consistent when setting the variable in cknfastrc and invoking preload. For example:

      Variable set in cknfastrc:     NFAST_NFKM_TOKENSFILE=C:\Preload\filename
      Variable passed to preload:    >preload.exe -c ocsname -f "C:\Preload\filename" pause

  7. Confirm the OCS or Softcard has been preloaded by opening a separate command window and running the following command. Keep the preload command window active: you can minimize it, but closing it shuts down the session. The loaded objects are reported; their object hashes should match the Cardset and Admin key identifiers printed by the preload command in step 6.

    • For K-of-N OCS:

      % preload.exe -c <cardsetname> -f <pathname>\<filename> nfkminfo
    • For Softcard:

      % preload -s <softcardname> -f <pathname>\<filename> nfkminfo

    For example:

    % preload.exe -c testOCS -f C:\preload\entrustsmtoken nfkminfo
    
    ...
    
    Pre-Loaded Objects (  2):  objecthash   module objectid  generation
     6951563523344ac316e14299c7006a8e0aecd377   1 0x47473d92 1
     4c0b199373e08db20f69aa4378106181a2e2571e   1 0x47473d95 1

Useful information concerning Operator Card Sets (OCS):

  • You must present sufficient different OCS cards to fulfil the quorum. The passphrase (if any) can be different for each OCS card.

  • If non-persistent cards are used, then the last card in the quorum must remain inserted in the card reader.

  • If persistent cards are used, then the last card in the quorum can be removed from the card reader.

  • The tokens file is generated by the preload utility and is valid for one continuous session only. If the session is lost, then the token authorization is lost. You cannot reuse the same token file once the session is lost, even if you will use the exact same OCS cards again. To restart, you must delete the expired tokens file, and will have to go through the entire preload sequence again.

  • A session, and tokens authorization may be lost if:

    • There is a temporary power failure

    • You remove the last card in the quorum if they are non-persistent OCS cards

    • You clear the module.

The tokens file represents a security risk if permissions to access it are not restricted to authorized persons only.
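The following PowerShell script is an added example and is not part of the nShield or Entrust documentation. It performs the two checks a practitioner wants before starting the one-shot Security Manager configuration: it re-runs preload with nfkminfo against the tokens file (as in step 7) and parses the "Pre-Loaded Objects" count to prove the session is still alive, then rewrites the tokens file's ACL so that only SYSTEM, Administrators and the account running the script can read it. The card set name, tokens file path and expected object count are assumptions taken from the example output above; the script also assumes that the account running it is the one that will run entConfig and the Security Manager services.

```powershell
# Added example: verify the preload session and restrict the tokens file.
# Run from the same account that runs entConfig.exe, while the 'preload ... pause'
# window from step 6 is still open. All defaults below are assumptions.
param(
    [string]$CardSet          = 'testOCS',                   # OCS name, or Softcard name with -Softcard
    [string]$TokensFile       = 'C:\preload\entrustsmtoken', # must match NFAST_NFKM_TOKENSFILE in cknfastrc
    [switch]$Softcard,
    [int]$ExpectedObjects     = 2                            # count reported by the original preload run
)

$preload = Join-Path (Join-Path $env:NFAST_HOME 'bin') 'preload.exe'

if (-not (Test-Path $TokensFile)) {
    throw "Tokens file $TokensFile not found: preload was never run with this path, or the file was deleted."
}

# 1. Query the running session. With the tokens file in place this does not prompt for
#    cards; if the session is gone, preload reports no objects (or prompts again).
$mode   = if ($Softcard) { '-s' } else { '-c' }
$output = & $preload $mode $CardSet -f $TokensFile nfkminfo 2>&1
$text   = ($output | ForEach-Object { "$_" }) -join "`n"

# nfkminfo prints "Pre-Loaded Objects (  N):" followed by one line per object.
if ($text -notmatch 'Pre-Loaded Objects \(\s*(\d+)\)') {
    throw "No pre-loaded objects reported; the session has probably been lost. Delete $TokensFile and repeat the preload sequence.`n$text"
}
$count = [int]$Matches[1]
if ($count -lt $ExpectedObjects) {
    throw "Only $count object(s) loaded, expected at least $ExpectedObjects. Repeat the preload sequence."
}

# 2. Lock down the tokens file. Anyone who can read it can use the authorised session,
#    so drop inherited permissions and grant access only to SYSTEM, Administrators and
#    the current account (assumed to be the Security Manager service account).
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -Path $TokensFile
$acl.SetAccessRuleProtection($true, $false)                # stop inheriting, discard inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $me)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'Allow')))
}
Set-Acl -Path $TokensFile -AclObject $acl

Write-Host "Preload session OK: $count object(s) loaded. $TokensFile is now readable only by SYSTEM, Administrators and $me."
```

Run it again after any event listed above (power loss, card removal, module clear); a failure means the tokens file is stale and must be deleted before the preload sequence is repeated. If the Security Manager services run under a different Windows account, add that account to the principal list, otherwise the services will not be able to read the tokens file.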

nShield Edge pre-configuration

If you are using an nShield Edge device, increase the Security Manager service timeouts in its .ini file so that the system has enough time to initialize properly. The nShield Edge has slower service start-up and operation times, which is expected for this device; without longer timeouts the Security Manager services can time out while starting.

Edit the Security Manager ini file:

  • By default, the file is C:\Program Files\Entrust\Security Manager\etc\ini\entMgr.ini.

  • In the [login] section of entMgr.ini, add these settings:

    serviceStartStopWaitSeconds=3600
    clusterStartWaitSeconds=1800
    clusterStopWaitSeconds=300

For more information regarding the serviceStartStopWaitSeconds setting, refer to Security Manager 10.0 Configuration File Management Guide Issue 5.0, which is available on the Entrust TrustedCare Portal.
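The following PowerShell script is an added example, not Entrust tooling. It applies the three timeout settings to the [login] section of entMgr.ini in a repeatable way: an existing key is replaced in place rather than appended a second time, a missing [login] section is created, and a timestamped backup of the file is kept first. The file path is the default install location given above; the key names and values are the ones from the preceding list.

```powershell
# Added example: set nShield Edge timeouts in the [login] section of entMgr.ini.
# Path is the default from this guide (an assumption if Security Manager was installed elsewhere).
$iniPath  = 'C:\Program Files\Entrust\Security Manager\etc\ini\entMgr.ini'
$settings = [ordered]@{
    serviceStartStopWaitSeconds = 3600
    clusterStartWaitSeconds     = 1800
    clusterStopWaitSeconds      = 300
}

# Return the ini lines with Key=Value set inside [Section]: replaced if present,
# inserted at the end of the section if absent, with the section created if needed.
function Set-IniValue {
    param([string[]]$Lines, [string]$Section, [string]$Key, [string]$Value)
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $sectionSeen = $false; $done = $false
    $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Leaving the target section without having found the key: insert it before the next header.
            if ($inSection -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
            $inSection = ($Matches[1] -ieq $Section)
            if ($inSection) { $sectionSeen = $true }
            $out.Add($line); continue
        }
        if ($inSection -and -not $done -and $line -match $keyPattern) {
            $out.Add("$Key=$Value"); $done = $true; continue      # replace existing value in place
        }
        $out.Add($line)
    }
    if (-not $done) {
        if (-not $sectionSeen) { $out.Add("[$Section]") }         # section absent: append it at the end
        $out.Add("$Key=$Value")
    }
    return $out.ToArray()
}

if (-not (Test-Path $iniPath)) { throw "entMgr.ini not found at $iniPath" }
Copy-Item -Path $iniPath -Destination "$iniPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

$lines = @(Get-Content -Path $iniPath)
foreach ($kv in $settings.GetEnumerator()) {
    $lines = Set-IniValue -Lines $lines -Section 'login' -Key $kv.Key -Value "$($kv.Value)"
}
Set-Content -Path $iniPath -Value $lines
Write-Host "Updated [login] section in $iniPath (backup kept alongside it)."
```

Run this before entConfig.exe so that the longer timeouts are in effect for the initial service start; re-running it is safe because existing values are overwritten rather than duplicated.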

Configure the Entrust Authority Security Manager

This section describes how to configure Entrust Security Manager. You can configure Security Manager immediately after you install it. You must configure Security Manager before you can initialize it. (Initializing Security Manager allows you to use Security Manager).

When you configure Security Manager:

  • You provide data that allows Security Manager to connect to your directory and the Security Manager database.

  • You then choose certificate algorithms, lifetimes, and other options for your Certification Authority.

You can only configure Security Manager once. If you make a mistake configuring Security Manager, you can change some of the settings by editing the entmgr.ini file, or you can uninstall Security Manager, then reinstall and configure it.
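Because the wizard can only be run once, it pays to verify the two directory binds it will ask for before launching entConfig.exe. The following PowerShell script is an added example (not part of the Entrust wizard): it performs a simple LDAP bind with a DN and password on the directory port, which is what the wizard's Test Bind Information button does, and then reads the bound entry to confirm the DN exists. The directory host name and the CA name in o=CA<name> are placeholders; the administrator DN cn=diradmin,ou=CA,o=Entrust and port 389 are the values used later in this section. Note that a simple bind on port 389 sends the password unencrypted, so run this from the Security Manager host on the same network path the wizard will use.

```powershell
# Added example: pre-flight check of the CA DN and Directory administrator DN binds.
# Host name, CA name and passwords are placeholders/assumptions for your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapSimpleBind {
    param([string]$Server, [int]$Port, [string]$BindDn, [string]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, DN + password
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try {
        $conn.Bind()
        # The bind proves the password; a base-scope read of the DN proves the entry exists and is readable.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BindDn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, 'objectClass')
        $res = $conn.SendRequest($req)
        return [pscustomobject]@{ Dn = $BindDn; Bound = $true;  Entries = $res.Entries.Count; Error = $null }
    } catch {
        return [pscustomobject]@{ Dn = $BindDn; Bound = $false; Entries = 0; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$server = 'directory.example.com'          # Directory node name (assumed)
$port   = 389                              # Directory listen port used in this guide
$caDn   = 'o=CAexample'                    # o=CA<name>; the CA name is an assumption
$admDn  = 'cn=diradmin,ou=CA,o=Entrust'    # Directory administrator DN from this guide

$caPw  = Read-Host -AsSecureString 'CA Directory access password'
$admPw = Read-Host -AsSecureString 'Directory administrator password'

$results = @(
    Test-LdapSimpleBind $server $port $caDn  ([System.Net.NetworkCredential]::new('', $caPw).Password)
    Test-LdapSimpleBind $server $port $admDn ([System.Net.NetworkCredential]::new('', $admPw).Password)
)
$results | Format-Table -AutoSize
if ($results.Bound -contains $false) {
    throw 'Fix the directory before running entConfig.exe; Security Manager can only be configured once.'
}
```

A failed bind here reproduces the "bind is unsuccessful" case in steps 12 and 15 below with the exact server error message, which the wizard does not always show; a successful bind with Entries = 0 means the password is right but the DN cannot read its own entry, which usually points at directory ACLs rather than credentials.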

To configure Security Manager:

  1. Navigate to the Security Manager \bin directory.

    By default, this is: C:\Program Files\Entrust\Security Manager\bin.

  2. Double-click entConfig.exe.

    The Database Deployment Model dialog appears.

    Database Deployment Model
  3. Select Yes.

  4. In the Entrust Authority Security Manager Configuration dialog, select Next.

    The Security Manager License Information dialog appears.

    entrust licensing information
  5. Enter the Enterprise licensing information that appears on your Entrust licensing card:

    • Serial Number

    • Enterprise user limit

    • Enterprise licensing code

  6. Select Next.

    The Security Manager Data and Backup Locations dialog appears.

    entrust security manager data and backup locations
  7. Accept the defaults:

    • For the data files, the default is c:\authdata.

    • For the backup files, the default is c:\entbackup.

  8. Select Next.

    The Directory Node and Port dialog appears.

    entrust directory node and port
  9. Enter the required details:

    • Select the type of directory that the Security Manager will use, for example: LDAP Directory.

    • Enter the Directory node name (server name or IP address) of your directory services server.

    • Set the Directory listen port to 389.

  10. Select Next.

    The CA Distinguished Name and Password dialog appears.

    entrustconfig2
  11. Enter the CA DN and CA Directory access password, which you provided when you were configuring the Directory Services for use with Security Manager, see Install the Entrust Authority Security Manager.

  12. Select Test Bind Information.

    • If the bind is successful, select OK.

    • If the bind is unsuccessful, ensure that the server name or IP address are correct, and that the Directory Services is running and retest using the following information:

      • Set CA DN to o=CA<name>.

      • Enter the CA Directory access password.

  13. Select Next.

    The Directory Administrator Distinguished Name and Password dialog appears.

    entrustconfig3
  14. Enter the distinguished name and password details:

    • Enter the Directory administrator DN as cn=diradmin,ou=CA,o=Entrust.

    • Enter the Directory access password.

  15. Select Test Bind Information.

    • If the bind is successful, select OK.

    • If the bind is unsuccessful, ensure that the server name or IP address are correct, and that the Directory Services is running and retest using the following information:

      • Set Directory administrator DN to cn=<manager>.

      • Enter the Directory access password.

  16. Select Next.

    The Advanced Directory Attributes dialog appears. This displays the distinguished name for the First Officer.

    entrustconfig5
  17. Verify the information for the First Officer is correct. This should follow the cn=First Officer, o=CA<name> general format.

  18. Select Next.

    The Verify Directory Information dialog appears.

    entrust verify directory information
  19. Select Verify Directory information now, then select Next.

    The ENTDVT Logfile page appears.

    The Entrust Directory Verification Tool (EntDVT) verifies the settings. The Summary section at the bottom of the dialog should report no errors. For example:

    entrust entdvt logfile
    If there are errors on the results, you need to address them in your directory services setup before proceeding.
  20. Select Next.

    The Current User’s Windows Login Password dialog appears.

    entrust current windows user password
  21. Log in with your Windows credentials.

  22. Clear the Enable autologin for automatic service startup checkbox.

  23. Select Next.

    The Database User and Password dialog appears.

    entrust database user password
  24. Enter the password that was assigned to easm_entrust when you installed the PostgreSQL Server, see Install the Entrust Authority Security Manager, then select Next.

    The Database User and Password dialog appears.

    entrust database backup user password
  25. Enter the password that was assigned to the backup user when you installed the PostgreSQL Server, see Install the Entrust Authority Security Manager, then select Next.

    The Security Manager Port Configuration dialog appears.

    entrust security manager port configuration
  26. Accept the defaults, then select Next.

    The CA Type dialog appears.

    entrust ca type
  27. Choose the default Root CA option, ensure that the Root CA used as Single Point of Contact CA (SPOC) box remains unchecked, and then select Next.

    The Cryptographic Information dialog appears.

    entrust cryptographic information
  28. Select the Certification Authority Key Generation tab, select Use hardware, then select Next.

  29. On the CA Key Type tab, which defines the CA key pair type and parameters, accept the defaults, then select Next.

    entrust ca key pairtype
  30. On the Database tab, which defines the database encryption algorithm, accept the default, then select Next.

    entrust database encryption algorithm
  31. On the User Signing Key Type tab, which defines the key pair type and parameters for user signing keys, accept the defaults, then select Next.

    entrust signing nonrepudiation keys
  32. On the User Encryption Key Type tab, which defines the key pair type and parameters for user encryption keys, accept the defaults, then select Next.

    entrust encryption dual usage keys
  33. On the CA Signing Algorithm Type tab, accept the default, then select Next.

    entrust signature algorithm
  34. On the Policy Certificate tab, which defines the lifetime of the Entrust policy certificate, accept the default, then select Next.

    entrust policy lifetime
    For this integration to work with EC-P and RSA-PSS, the ECC activation feature must be enabled on the nShield HSM. To enable it, run FET.exe from the %NFAST_HOME%\bin directory.

    The No Hardware Device Found dialog appears.

    entrust no hardware device found
  35. Select Ok.

    A file explorer opens.

    entrust select library
  36. To select the nShield PKCS11 library, navigate to and select %NFAST_HOME%\toolkits\pkcs11\cknfast.dll.

    You can confirm this location by opening the entmgr.ini file (by default C:\Program Files\Entrust\Security Manager\etc\ini\entMgr.ini) and looking for the CryptokiV2LibraryNT = C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll entry.
  37. In the Use This Hardware dialog, select the HSM slot, then select Next.

    choose hsm
  38. In the CRL Configuration dialog, select No, do not work with Microsoft Windows applications, then select Next.

    entrust crl configuration
  39. In the CRL Distribution Point dialog, accept the defaults, then select Next.

    entrust crl distribution
  40. In the CA Certificate Properties dialog, accept the default of 120 months for the CA certificate lifetime and 100% for the private key usage period, then select Next.

    entrust ca certificate properties
    Consult your organization's security policy for recommendations on the CA certificate lifetime.

    The CRL Share Warning dialog appears.

    entrust crl share
  41. Select OK.

    The Configuration Complete dialog appears.

    entrust complete configuration
  42. To initialize the CA, select Run Security Manager Control Command Shell now, and then select OK.

    The Security Manager Control Command Shell (entsh) launches, and starts the CA initialization process.

    You will have the option to initialize the CA later by running the init command from the entsh command window.
  43. Provide the password for the HSM PKCS11 user that you created when you installed and initialized the HSM using the tools provided by the HSM.

  44. Enter and confirm passwords for all Master users and the First Officer. These are required later during testing. For example:

    Starting First-Time Initialization...
    
    A Hardware Security Module (HSM) will be used for the CA key:
        nCipher Corp. Ltd  SN : b0xxxxxxxxxxxx19e
        The HSM requires a password.
    
    Enter password for CA hardware security module (HSM):
    Enter new password for Master1:
    Confirm new password for Master1:
    Enter new password for Master2:
    Confirm new password for Master2:
    Enter new password for Master3:
    Confirm new password for Master3:
    Enter new password for First Officer:
    Confirm new password for First Officer:
    
    Initialization starting; creating ca keys...
    Initialization complete.
    Starting the services...
    Creating CA profile...
    Creating First Officer profile...
    You are logged in to Security Manager Control Command Shell.
    Performing database backup...
    NOTICE:  pg_stop_backup complete, all required WAL segments have been archived
    SUCCESS: Full backup completed successfully.
    Enabling autologin for service startup...
    Press return to exit
  45. Close any open windows or dialogs.