Install and configure the Entrust nShield HSM
This section applies to on-premises applications. In nSaaS applications, the Entrust PKI Hub gets the key management data as defined by the nSaaS service.
There are two scenarios for on-premises applications:
- An Entrust nShield HSM infrastructure already exists.
- No existing Entrust nShield HSM infrastructure.
In the first scenario, the Entrust PKI Hub pulls the key management data from the remote file system (RFS).
Only Linux-based RFS are supported at this time.
The RFS does not have to be a client of an HSM. However, it must contain the key management data (world, module file, and an OCS) in its local directory. Copy these files from an existing client to the RFS.
When no Entrust nShield HSM infrastructure exists, deploy a Linux server and install the Security World software on it. Make this server a client of the HSM and create a world and an OCS. After the configuration of the Entrust PKI Hub is complete, this server can be removed as a client of the HSM and decommissioned.
The Entrust PKI Hub uses a user account to pull the key management data from either the RFS or the server. The permissions required for this account are described below.
Install the Entrust nShield HSM
Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.
The complete instruction set is available at nShield v13.6.5 Hardware Install and Setup Guides.
Install the Entrust nShield Security World Software and create the Security World
This section applies to the server deployed when no Entrust nShield HSM infrastructure exists.
- Install the Security World software. The complete instruction set is available in the nShield Security World Software v13.6.5 Installation Guide.
- Add the Security World utilities path to the system path. This path is typically /opt/nfast/bin.
- Open firewall port 9004 for the Entrust nShield HSM connections.
- If using remote administration, open firewall port 9005 for the Entrust nShield Trusted Verification Device (TVD).
- Configure the server as a client of the Entrust nShield HSM.
- Open a command window and run the following to confirm the Entrust nShield HSM is operational.

      root@dev-ubuntu:~# enquiry
      Server:
       enquiry reply flags  none
       enquiry reply level  Six
       serial number
       mode                 operational
       version              13.6.3
       ...
      Module #1:
       enquiry reply flags  none
       enquiry reply level  Six
       serial number        7852-268D-3BF9
       mode                 operational
       version              13.2.4
       ...

- Create your Security World or copy an existing one. Follow your organization's security policy for this.
  ACS cards cannot be duplicated after the Security World is created. You may want to create extras per your organization's security policy.
- Confirm the Security World is usable.

      root@dev-ubuntu:~# nfkminfo
      World
       generation  2
       state       0x3737000c Initialised Usable ...
       ...
      Module #1
       generation  2
       state       0x2 Usable
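The two confirmation steps above (enquiry reports every module in "mode operational", nfkminfo reports the world and modules as Usable) are easy to script so they can be re-run after each configuration change. The following is an added example and not part of the Entrust guide or its tooling; the function names and the abbreviated sample outputs are constructed for illustration, and the serial numbers in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the Entrust guide: parse `enquiry` and `nfkminfo`
# output so the "operational" and "usable" checks can be scripted once the
# server is configured as an HSM client. Function names are hypothetical.

# Returns 0 when the Server section and every "Module #N" section of
# enquiry output report "mode operational"; non-zero otherwise.
hsm_operational() {
    out="$1"
    sections=$(printf '%s\n' "$out" | grep -c -E '^(Server|Module #[0-9]+):' || true)
    operational=$(printf '%s\n' "$out" | grep -c -E '^ *mode +operational' || true)
    [ "$sections" -gt 0 ] && [ "$sections" -eq "$operational" ]
}

# Returns 0 when nfkminfo output has a World section and every "state" line
# (the world and each module) carries the Usable flag.
world_usable() {
    out="$1"
    printf '%s\n' "$out" | grep -q -E '^World$' || return 1
    states=$(printf '%s\n' "$out" | grep -c -E '^ *state ' || true)
    usable=$(printf '%s\n' "$out" | grep -c -E '^ *state .* Usable( |$)' || true)
    [ "$states" -gt 0 ] && [ "$states" -eq "$usable" ]
}

# Runs the real tools; assumes /opt/nfast/bin is on the PATH.
check_live_hsm() {
    hsm_operational "$(enquiry)" || { echo "HSM not operational" >&2; return 1; }
    world_usable "$(nfkminfo)" || { echo "Security World not usable" >&2; return 1; }
    echo "HSM operational and Security World usable"
}

# Constructed, abbreviated samples (serial numbers are placeholders).
SAMPLE_ENQUIRY_OK='Server:
 enquiry reply flags  none
 mode                 operational
 version              13.6.3
Module #1:
 enquiry reply flags  none
 serial number        0000-0000-0000
 mode                 operational
 version              13.2.4'

# Constructed sample where the module is not in the operational mode.
SAMPLE_ENQUIRY_BAD='Server:
 mode                 operational
Module #1:
 serial number        0000-0000-0000
 mode                 failed'

SAMPLE_NFKMINFO_OK='World
 generation  2
 state       0x3737000c Initialised Usable
Module #1
 generation  2
 state       0x2 Usable'
```

Call check_live_hsm on the configured server; the parsing functions are kept separate from the tool invocation so they can be exercised against captured output without an HSM present.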
Edit the configuration files
This section applies to the server deployed when no Entrust nShield HSM infrastructure exists.
- Edit the configuration file /opt/nfast/cknfastrc, adding the lines shown below. Set the file permissions to read & execute by all.

      CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
      CKNFAST_LOADSHARING=1

- Edit the configuration file /opt/nfast/kmdata/config/cardlist. Add the serial numbers of the remote-administration-ready OCS smart cards, or a wild card.
- Restart the Security World software.

      root@dev-ubuntu:~# /opt/nfast/sbin/init.d-ncipher restart
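The cknfastrc and cardlist edits above are usually applied by configuration management, where a naive append creates duplicate lines on every run. The following is an added example, not Entrust's own tooling: it applies the two cknfastrc settings and a cardlist entry idempotently, sets the read & execute permissions the step calls for, and verifies the result. The function names are hypothetical, and the root directory is taken as an argument (defaulting to /opt/nfast) so the functions can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example, not Entrust's own tooling: idempotent application of the
# cknfastrc settings and cardlist entry from the steps above. The nfast root
# defaults to /opt/nfast; pass another directory to exercise against a
# scratch tree. Function names are hypothetical.

# Set KEY=VALUE in FILE, replacing any existing KEY= line instead of
# appending a duplicate. A temporary copy is written and renamed so the
# function also works once the file has been made read-only (0555).
ensure_setting() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    { grep -v -E "^${key}=" "$file" || true; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    mv -f "$tmp" "$file"
}

# Apply the two lines the guide adds to cknfastrc and make the file
# read & execute by all.
configure_cknfastrc() {
    rc="${1:-/opt/nfast}/cknfastrc"
    ensure_setting "$rc" CKNFAST_OVERRIDE_SECURITY_ASSURANCES none
    ensure_setting "$rc" CKNFAST_LOADSHARING 1
    chmod 555 "$rc"
}

# Returns 0 when both settings are present exactly once.
check_cknfastrc() {
    rc="${1:-/opt/nfast}/cknfastrc"
    [ "$(grep -c -x 'CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none' "$rc" || true)" -eq 1 ] &&
    [ "$(grep -c -x 'CKNFAST_LOADSHARING=1' "$rc" || true)" -eq 1 ]
}

# Add an OCS card serial (or the wildcard "*") to kmdata/config/cardlist
# unless it is already listed.
allow_card() {
    list="${1:-/opt/nfast}/kmdata/config/cardlist"; serial="$2"
    [ -f "$list" ] || : > "$list"
    grep -q -x -F "$serial" "$list" || printf '%s\n' "$serial" >> "$list"
}
```

After running configure_cknfastrc and allow_card, restart the Security World software as in the last step above; check_cknfastrc can be used as a post-condition so a failed edit is caught before the restart.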
Create the OCS
Operator Card Sets (OCS) are smart cards that are presented to the physical smart card reader of the HSM. For more information on OCS use, properties, and k-of-N values, see Operator Card Sets (OCS).
If an Entrust nShield HSM infrastructure already exists, you can either use an existing OCS (k=1) corresponding to your world or create a new one. The quorum k of k-of-N must be 1 for this application.
Otherwise, create an OCS card set following your organization's security policy, with k=1.
OCS cards cannot be duplicated after they are created. You may want to create extras per your organization's security policy.