Install and configure the nShield HSM

Select the protection method

OCS or Softcard protection can be used to authorize access to the keys protected by the HSM. Follow your organization’s security policy to select an authorization access method.

Install the nShield HSM

Install the nShield HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

The complete instruction set is available at nShield v13.6.5 Hardware Install and Setup Guides.

Install the nShield Security World Software and create the Security World

Install the nShield Security World Software and create the Security World on the same server that will host the Entrust Certificate Authority.

  1. Install the Security World software. The complete instruction set is available at nShield Security World Software v13.6.5 Installation Guide.

  2. Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the system path.

  3. Open firewall port 9004 for the HSM connections.

  4. If using remote administration, open firewall port 9005 for the Entrust nShield Trusted Verification Device (TVD).

  5. Configure the server as a client of the HSM.

  6. Open a command window and run the following to confirm the HSM is operational.

    # enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number
     mode                 operational
     version              13.6.5
    ...
    Module #1:
     enquiry reply flags  UnprivOnly
     enquiry reply level  Six
     serial number        8FE1-B519-C5AA
     mode                 operational
     version              13.4.5
     ...
  7. Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy when creating the Security World. Create extra ACS cards as spares in case of a card failure or a lost card.

    ACS cards cannot be duplicated after the Security World is created. You may want to create extras per your organization's security policy.

  8. Confirm the Security World is Usable.

    # nfkminfo
    World
     generation  2
     state       0x37270008 Initialised Usable ...
     ...
    Module #1
     generation 2
     state      0x2 Usable
     ...
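Steps 6 and 8 above are the two checks that decide whether the CA host can actually use the HSM. The following script is an added example (not part of the Entrust guide): it parses the output of `enquiry` and `nfkminfo` and reports any module or hardserver that is not in `operational` mode and any Security World or module state that is not `Usable`. The sample outputs are constructed from the transcripts above (abridged) so the check runs offline; the `run_live` helper assumes both utilities are on PATH, as step 2 arranges.

```python
"""Client-side health check for an nShield HSM and its Security World.

Added example, not from the Entrust guide. It parses `enquiry` and `nfkminfo`
output and lists anything that would stop the CA from using the HSM.
"""
import subprocess
from typing import Dict, List, Optional

# Constructed sample: abridged `enquiry` output, as shown in the guide.
SAMPLE_ENQUIRY = """\
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number
 mode                 operational
 version              13.6.5

Module #1:
 enquiry reply flags  UnprivOnly
 enquiry reply level  Six
 serial number        8FE1-B519-C5AA
 mode                 operational
 version              13.4.5
"""

# Constructed sample: abridged `nfkminfo` output, as shown in the guide.
SAMPLE_NFKMINFO = """\
World
 generation  2
 state       0x37270008 Initialised Usable

Module #1
 generation 2
 state      0x2 Usable
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group indented 'key value' lines under their unindented section header
    ("Server:", "Module #1:", "World", ...), with any trailing ':' dropped."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip().rstrip(":")
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def field(lines: List[str], key: str) -> Optional[str]:
    """Value of a (possibly multi-word) key such as 'mode' or 'serial number';
    '' when the key is present with no value, None when the key is absent."""
    for line in lines:
        if line == key or line.startswith(key + " "):
            return line[len(key):].strip()
    return None


def check_hsm(enquiry_out: str, nfkminfo_out: str) -> List[str]:
    """Return the problems found; an empty list means the client can use the
    HSM and the Security World."""
    problems: List[str] = []

    enq = parse_sections(enquiry_out)
    if field(enq.get("Server", []), "mode") != "operational":
        problems.append("enquiry: hardserver is not in operational mode")
    modules = [h for h in enq if h.startswith("Module #")]
    if not modules:
        problems.append("enquiry: no HSM module is visible to this client")
    for mod in modules:
        mode = field(enq[mod], "mode")
        if mode != "operational":
            problems.append(f"enquiry: {mod} mode is {mode!r}, expected 'operational'")

    world = parse_sections(nfkminfo_out)
    state = field(world.get("World", []), "state") or ""
    # The state line is a hex word followed by flag names; a flag that is off
    # is printed with a leading '!', so test for the exact token.
    if "Usable" not in state.split():
        problems.append(f"nfkminfo: Security World state {state!r} is not Usable")
    for mod in (h for h in world if h.startswith("Module #")):
        mstate = field(world[mod], "state") or ""
        if "Usable" not in mstate.split():
            problems.append(f"nfkminfo: {mod} state {mstate!r} is not Usable")
    return problems


def run_live() -> List[str]:
    """Run the real utilities (assumed to be on PATH) and check their output."""
    enq = subprocess.run(["enquiry"], capture_output=True, text=True, check=True).stdout
    nfk = subprocess.run(["nfkminfo"], capture_output=True, text=True, check=True).stdout
    return check_hsm(enq, nfk)


if __name__ == "__main__":
    report = check_hsm(SAMPLE_ENQUIRY, SAMPLE_NFKMINFO)
    for line in report or ["HSM and Security World are usable"]:
        print(line)
```

Run it on the sample data to see the healthy case, or call `run_live()` from a scheduled task on the CA host so that a module dropping out of `operational` mode, or a Security World that loses its `Usable` flag, is noticed before the CA fails to load its keys.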

Create the OCS or Softcard

An OCS is a set of smart cards that are presented to the HSM via the physical smart card reader or via the TVD. For more information on OCS use, properties, and k-of-N values, see Operator Card Sets (OCS).

When selecting your protection method take into consideration:

  1. Your organization’s security policy.

  2. Unattended startup requirements.

The OCS or Softcard needs to be presented initially when configuring the Entrust Certificate Authority Manager. In production, unattended startup is possible in some scenarios.

Create the OCS

To create the OCS:

  1. Ensure file C:\ProgramData\nCipher\Key Management Data\config\cardlist contains the serial number of the card(s) to be presented, or the wildcard "*".

  2. Open a command window as an administrator.

  3. Run the createocs utility as described below, entering a passphrase (a password) at the prompt. The passphrase (if any) can be different for each OCS card.

    Create one card for each person with access privilege, plus the spares.

    The --persist option allows the OCS card to be removed for safe storage once it has been loaded. Otherwise, the authentication provided by the OCS is only available while the OCS card is inserted in the Entrust nShield HSM front panel slot, or presented remotely via the TVD. In this example the OCS is presented via the TVD, slot 2.

    After an Operator Card Set has been created, the cards cannot be duplicated.

    # createocs -m1 -s2 -N testOCS -Q 1/1 --persist
    
    FIPS 140-2 level 3 auth obtained.
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 0: Admin Card #1
     Module 1 slot 2: empty
     Module 1 slot 3: empty
     Module 1 slot 2: blank card
    Steps:
    
     Module 1 slot 2:- passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed
  4. Verify the OCS was created:

    # nfkminfo -c
    Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     02466cfb08d1115802ebe39920bc562b43b0d43b  1/1  none-PL testOCS

    The rocs utility also shows the newly created OCS:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
    No. Name                     Keys (recov) Sharing
      1 testOCS                  2 (2)        1 of 1; persistent
    rocs> quit

Create a Softcard

  1. Run the following utility, and enter a passphrase at the prompt:

    # ppmk -n EntrustSNSoftcard
    
    Enter new pass phrase:
    Enter new pass phrase again:
    New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864
  2. Verify the Softcard was created:

    # nfkminfo -s
    SoftCard summary - 1 softcards:
     Operator logical token hash               name
     d9414ed688c6405aab675471d3722f8c70f5d864  testSC

    The rocs utility also shows the newly created Softcard:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cards
    No. Name                     Keys (recov) Sharing
      1 testOCS                  2 (2)        1 of 1; persistent
      2 testSC                   0 (0)        (softcard)
    rocs> quit
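The `nfkminfo -c` and `nfkminfo -s` listings above are the place to confirm that the protection token the CA will rely on exists with the properties you intended: the k-of-N quorum, and for an OCS whether it is (P)ersistent, which decides whether the card can be removed after loading, and (R)emoteable or (L)ocal-only. The following script is an added example (not part of the Entrust guide) that parses both listings, cross-checks the entry count against the summary line so truncated output is not mistaken for a missing token, and applies a deployment policy. The policy values passed to `check_ocs` are assumptions for illustration; the sample outputs are constructed from the OCS and Softcard transcripts above.

```python
"""Verify the OCS and Softcard protection tokens a Security World offers.

Added example, not from the Entrust guide. Parses `nfkminfo -c` / `nfkminfo -s`
output and checks a named token against deployment requirements.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed samples, matching the layout of the guide's transcripts.
SAMPLE_CARDSETS = """\
Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
 Operator logical token hash               k/n timeout  name
 02466cfb08d1115802ebe39920bc562b43b0d43b  1/1  none-PL testOCS
"""

SAMPLE_SOFTCARDS = """\
SoftCard summary - 1 softcards:
 Operator logical token hash               name
 d9414ed688c6405aab675471d3722f8c70f5d864  testSC
"""

# One entry line of `nfkminfo -c`: hash, k/N, timeout-flags, name.
_CARDSET_RE = re.compile(
    r"^\s*(?P<hash>[0-9a-f]{40})\s+(?P<k>\d+)/(?P<n>\d+)\s+"
    r"(?P<timeout>\S+?)-(?P<persist>[PN])(?P<remote>[RL])\s+(?P<name>\S.*?)\s*$"
)
# One entry line of `nfkminfo -s`: hash, name.
_SOFTCARD_RE = re.compile(r"^\s*(?P<hash>[0-9a-f]{40})\s+(?P<name>\S.*?)\s*$")


@dataclass
class Cardset:
    name: str
    token_hash: str
    k: int
    n: int
    timeout: str
    persistent: bool
    remoteable: bool


def _declared_count(text: str, noun: str) -> int:
    """Number of entries the summary line promises ('... - 1 cardsets:')."""
    m = re.search(rf"(\d+) {noun}:", text)
    if not m:
        raise ValueError(f"no '{noun}' summary line found in output")
    return int(m.group(1))


def parse_cardsets(text: str) -> Dict[str, Cardset]:
    """Map OCS name -> Cardset from `nfkminfo -c` output."""
    found: Dict[str, Cardset] = {}
    for line in text.splitlines():
        m = _CARDSET_RE.match(line)
        if m:
            found[m["name"]] = Cardset(
                name=m["name"], token_hash=m["hash"],
                k=int(m["k"]), n=int(m["n"]), timeout=m["timeout"],
                persistent=m["persist"] == "P", remoteable=m["remote"] == "R",
            )
    declared = _declared_count(text, "cardsets")
    if len(found) != declared:
        raise ValueError(f"summary says {declared} cardsets but {len(found)} parsed")
    return found


def parse_softcards(text: str) -> Dict[str, str]:
    """Map Softcard name -> logical token hash from `nfkminfo -s` output."""
    found = {m["name"]: m["hash"] for m in map(_SOFTCARD_RE.match, text.splitlines()) if m}
    declared = _declared_count(text, "softcards")
    if len(found) != declared:
        raise ValueError(f"summary says {declared} softcards but {len(found)} parsed")
    return found


def check_ocs(cardsets: Dict[str, Cardset], name: str, *, min_k: int = 1,
              need_persistent: bool = False, need_remoteable: bool = False) -> List[str]:
    """Problems with the named OCS under the given (assumed) policy; [] if fine."""
    cs = cardsets.get(name)
    if cs is None:
        return [f"OCS {name!r} not found in this Security World"]
    problems: List[str] = []
    if cs.k < min_k:
        problems.append(f"OCS {name!r} quorum is {cs.k}/{cs.n}; policy requires k >= {min_k}")
    if need_persistent and not cs.persistent:
        problems.append(f"OCS {name!r} is not persistent; cards must stay presented while in use")
    if need_remoteable and not cs.remoteable:
        problems.append(f"OCS {name!r} is local-only (not remoteable)")
    return problems


def check_softcard(softcards: Dict[str, str], name: str) -> List[str]:
    """Problems with the named Softcard; [] if it exists."""
    return [] if name in softcards else [f"Softcard {name!r} not found in this Security World"]


if __name__ == "__main__":
    ocs = parse_cardsets(SAMPLE_CARDSETS)
    print(check_ocs(ocs, "testOCS", min_k=1, need_persistent=True))
    print(check_softcard(parse_softcards(SAMPLE_SOFTCARDS), "testSC"))
```

In practice feed the script the real output (for example `subprocess.run(["nfkminfo", "-c"], ...)`) and set `min_k`, `need_persistent` and `need_remoteable` from your organization's policy; a 1/1 quorum as created in the example above is convenient for testing but a production CA key would normally be protected by a larger k-of-N set.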