Install and configure the Entrust nShield HSM

This section applies to on-premises applications. In nSaaS applications, the Entrust PKI Hub obtains the key management data as defined by the nSaaS service.

Deploy a Linux server and install the Security World software on it. Make this server a client of the HSM, then create a Security World and an OCS.

The Entrust Cryptographic Security Platform PKI Hub utilizes the key management data from this server.

Install the Entrust nShield HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

The complete instruction set is available in the nShield v13.9.0 Hardware Install and Setup Guides. For detailed instructions see the nShield documentation.

Install the Entrust nShield Security World Software and create the Security World

This section applies to the server deployed where Entrust nShield HSM infrastructure exists.

  1. Install the Security World software. For detailed instructions see the nShield documentation.

  2. Add the Security World utilities path to the system path. This path is typically /opt/nfast/bin.

  3. Open firewall port 9004 for the Entrust nShield HSM connections.

  4. If using remote administration, open firewall port 9005 for the Entrust nShield Trusted Verification Device (TVD).

  5. Configure the server as a client of the Entrust nShield HSM.

  6. Open a command window and run the following to confirm the Entrust nShield HSM is operational.

    root@dev-ubuntu:~# enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number
     mode                 operational
     version              13.9.0
    ...
    Module #1:
     enquiry reply flags  UnprivOnly
     enquiry reply level  Six
     serial number        92C8-8591-52EB
     mode                 operational
     version              13.8.0
     ...
  7. Create your Security World or copy an existing one. Follow your organization’s security policy for this.

    ACS cards cannot be duplicated after the Security World is created. You may want to create extras per your organization security policy.
  8. Confirm the Security World is usable.

    root@dev-ubuntu:~# nfkminfo
    World
     generation  2
     state       0x3737000c Initialised Usable ...
     ...
    Module #1
     generation 2
     state      0x2 Usable
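As an added example that is not part of the Entrust guide, the POSIX sh script below automates the two checks in steps 6 and 8 so they can be run as a pre-flight gate (for instance from a deployment pipeline) before the configuration files are edited. It assumes the utilities path /opt/nfast/bin from step 2. The sample outputs embedded in it are constructed to match the shape shown above and were not captured from an HSM; they let the checks be exercised on a machine without the nShield software.

```shell
#!/bin/sh
# Pre-flight check for an nShield client, automating steps 6 and 8 above.
# Added example, not part of the Entrust guide. It assumes the Security World
# utilities live in /opt/nfast/bin (the default path named in step 2).
PATH="/opt/nfast/bin:$PATH"

# check_enquiry: read `enquiry` output on stdin. Succeeds only if the
# hardserver ("Server:") and every HSM ("Module #N:") report mode
# operational; a hardserver that sees no module, or a module left in
# pre-initialization or maintenance mode, fails the check.
check_enquiry() {
  awk '
    /^[ \t]*Server:/   { section = "server" }
    /^[ \t]*Module #/  { section = "module"; modules++ }
    /^[ \t]+mode[ \t]/ {
      if ($2 == "operational") ok[section]++; else bad++
    }
    END { exit !(ok["server"] == 1 && modules > 0 && ok["module"] == modules && bad == 0) }'
}

# check_world: read `nfkminfo` output on stdin. Succeeds only if the World
# state carries both the Initialised and Usable flags and every listed module
# is Usable. nfkminfo prints a cleared flag with a leading "!" (e.g. "!Usable"),
# so the flags are compared as whole words rather than by substring match.
check_world() {
  awk '
    /^[ \t]*World/     { section = "world" }
    /^[ \t]*Module #/  { section = "module"; modules++ }
    /^[ \t]+state[ \t]/ {
      init = 0; usable = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "Initialised") init = 1
        if ($i == "Usable") usable = 1
      }
      if (section == "world")       { if (init && usable) world_ok = 1; else bad++ }
      else if (section == "module") { if (usable) mod_ok++; else bad++ }
    }
    END { exit !(world_ok && modules > 0 && mod_ok == modules && bad == 0) }'
}

# Constructed samples (not captured from a real HSM), shaped like the output
# shown in steps 6 and 8, so the checks can run where nfast is not installed.
SAMPLE_ENQUIRY='Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number
 mode                 operational
 version              13.9.0
Module #1:
 enquiry reply flags  UnprivOnly
 enquiry reply level  Six
 serial number        92C8-8591-52EB
 mode                 operational
 version              13.8.0'
# Same hardserver, but the module has been left in maintenance mode.
SAMPLE_ENQUIRY_BAD=$(printf '%s\n' "$SAMPLE_ENQUIRY" | sed '/^Module/,$s/operational/maintenance/')

SAMPLE_NFKMINFO='World
 generation  2
 state       0x3737000c Initialised Usable Recovery !PINRecovery
 ...
Module #1
 generation 2
 state      0x2 Usable'
# World and module whose Usable flag is cleared; nfkminfo shows it as "!Usable".
SAMPLE_NFKMINFO_BAD=$(printf '%s\n' "$SAMPLE_NFKMINFO" | sed 's/ Usable/ !Usable/')

main() {
  if command -v enquiry >/dev/null 2>&1 && command -v nfkminfo >/dev/null 2>&1; then
    enquiry  | check_enquiry || { echo "FAIL: hardserver or HSM not in operational mode"; return 1; }
    nfkminfo | check_world   || { echo "FAIL: Security World not Initialised/Usable on every module"; return 1; }
    echo "OK: HSM operational and Security World usable"
  else
    echo "nfast utilities not found; exercising the checks on the constructed samples"
    printf '%s\n' "$SAMPLE_ENQUIRY"      | check_enquiry && echo "good enquiry sample:     pass"
    printf '%s\n' "$SAMPLE_ENQUIRY_BAD"  | check_enquiry || echo "maintenance-mode sample: fail (expected)"
    printf '%s\n' "$SAMPLE_NFKMINFO"     | check_world   && echo "good nfkminfo sample:    pass"
    printf '%s\n' "$SAMPLE_NFKMINFO_BAD" | check_world   || echo "!Usable sample:          fail (expected)"
  fi
}
main "$@"
```

The script exits non-zero as soon as either check fails, so a pipeline stops before the PKI Hub is pointed at a client whose HSM is in maintenance mode or whose Security World is not loaded. The firewall ports from steps 3 and 4 (9004 and, for remote administration, 9005) are not exercised here and should be verified separately with your firewall tooling.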

Edit the configuration files

This section applies to the server where the Entrust nShield HSM infrastructure exists.

  1. Edit the configuration file /opt/nfast/cknfastrc, adding the lines shown below. Set the file permissions to read and execute by all.

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
    CKNFAST_LOADSHARING=1

    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none disables the security assurance checks that the nShield PKCS#11 library otherwise applies to key attributes and operations; set it knowingly and in line with your organization's security policy. CKNFAST_LOADSHARING=1 lets the library load-share across the HSMs in the Security World.
  2. Edit the configuration file /opt/nfast/kmdata/config/cardlist. Add the serial numbers of the Remote Administration Ready OCS smart cards, one per line, or the wildcard * to allow any such card. Listing explicit serial numbers limits remote presentation to known cards.

  3. Restart the Security World software.

    % sudo /opt/nfast/sbin/init.d-ncipher restart

Create the OCS

An OCS (Operator Card Set) is a set of smart cards presented to the physical smart card reader of the HSM or, with remote administration, to a Trusted Verification Device. For more information on OCS use, properties, and k-of-N values, see the nShield documentation.

For an existing Entrust nShield HSM infrastructure, you can either use an existing OCS (k=1) belonging to your Security World or create a new one. The quorum k of k-of-N must be 1 for this application.

Otherwise, create an OCS card set following your organization’s security policy, with k=1.

OCS cards cannot be duplicated after they are created. You may want to create extras per your organization security policy.