Test the integration

This test validates the key that was created in the HSM in Integrate the Entrust Cryptographic Security Platform PKI Hub and the Entrust nShield HSM.

  1. Log in to the Entrust Cryptographic Security Platform PKI Hub Management Console web GUI.

  2. In the content pane, under Certificate Authorities, select Manage Solution.

  3. Select the download arrow icon to the right of Export Configuration. The compressed file pkihub-configuration.zip is downloaded to your computer.

  4. Unzip the compressed file, pkihub-configuration.zip.

  5. Navigate to Downloads\pkihub-configuration, where you can find kmdata.tar.

  6. Untar the kmdata.tar file. The kmdata/local folder with the HSM files is now available.

    % tar -xvf kmdata.tar

    • Notice the key_ncore_… file, that is, key_ncore_pkihub-attila-wrapping-key. This file is the key blob corresponding to the key created in the Entrust nShield HSM.

  7. To validate the key, copy the key blob to an HSM client that is in the same Security World and place it in the folder /opt/nfast/kmdata/local/.

  8. Execute the following commands. Notice the key name (the Ident value) in the output.

    % nfkminfo -k
    
    Key list - 1 keys
     AppName ncore                Ident pkihub-attila-wrapping-key
    
    
    % rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list keys
      No. Name                           App   Protected by
        1 Id: pkihub-attila-wrapping-key ncore testOCS
    
    rocs> exit
  9. Verify the key. The output should be similar to the following.

    ** [Security world] **
        Ciphersuite: DLf3072s256mAEScSP800131Ar1
        128-bit security level
        7 Administrator Card(s)
        (NOT IN ANY SLOT of an attached module)
        HKNSO b5cb518930e8dd1fea1bd8a3e99347b598382d85
        Cardset recovery ENABLED
        Passphrase recovery disabled
        Common Criteria CMTS 419221-5 disabled
        Strict FIPS 140-2 level 3 (does not improve security) disabled
        SEE application non-volatile storage ENABLED
        real time clock setting ENABLED
        SEE debugging ENABLED
        SEE debugging restricted
        Foreign Token Open authorization ENABLED
        Generating module ESN 92C8-8591-52EB currently #1
        Generating module has since been ERASED AND REPROGRAMMED
    
    ---
    
    
    ** [Application key ncore pkihub-attila-wrapping-key] **
        [Not named]
        Useable by HOST applications
        Cardset protected: 1/1 PERSISTENT [0s `testOCS']
        Cardset hash ba061036ffd4bb52c7403bc9fb5ff50bbe6e6cfe
         (Currently in Module #1 Slot #2: Card #1)
        Key useable INDEFINITELY (after card loading)
        Recovery ENABLED
        Type HMACSHA256 256 bits
        Key may be used for: GENERATING or verifying message authentication codes
        Generating module ESN 92C8-8591-52EB currently #1 (in same incarnation)
        nCore hash c6c96634f71f155050d624704f71053753c66c74
        Public half is ABSENT
    
    Verification successful, confirm details above.  1 key verified.
  10. Delete this key blob from the HSM client or server. The key itself remains in the Entrust PKI Hub.
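The verification report in step 9 is easy to misread when it scrolls past, so the following added example (not part of the integration guide) parses an abridged copy of that report and checks the properties a validator cares about: the key blob was verified, it belongs to the expected application and Ident, it has the expected type, it is OCS (cardset) protected rather than module protected, and it was generated by the same module as the Security World. The sample text is constructed from the step 9 output on this page.

```python
import re

# Constructed sample, abridged from the step 9 verification output on this page.
SAMPLE = """\
** [Security world] **
    Ciphersuite: DLf3072s256mAEScSP800131Ar1
    128-bit security level
    Generating module ESN 92C8-8591-52EB currently #1

** [Application key ncore pkihub-attila-wrapping-key] **
    Useable by HOST applications
    Cardset protected: 1/1 PERSISTENT [0s `testOCS']
    Recovery ENABLED
    Type HMACSHA256 256 bits
    Generating module ESN 92C8-8591-52EB currently #1 (in same incarnation)
    Public half is ABSENT

Verification successful, confirm details above.  1 key verified.
"""

SECTION = re.compile(r"^\*\* \[(.+)\] \*\*$")          # "** [Security world] **"
ESN = re.compile(r"Generating module ESN (\S+)")        # module serial in each section


def parse_report(text):
    """Group report lines under their '** [section] **' headers; the trailing
    'Verification ...' line is collected under 'summary'."""
    sections, current = {"summary": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line.startswith("Verification"):
            sections["summary"].append(line)
        elif current is not None:
            sections[current].append(line)
    return sections


def check_key(text, app, ident, key_type):
    """Return pass/fail findings for one key blob; accept the blob only if all are True."""
    s = parse_report(text)
    world = s.get("Security world", [])
    key = s.get(f"Application key {app} {ident}", [])
    summary = " ".join(s["summary"])
    world_esn = next((ESN.search(l).group(1) for l in world if ESN.search(l)), None)
    key_esn = next((ESN.search(l).group(1) for l in key if ESN.search(l)), None)
    return {
        "verified": "Verification successful" in summary and "1 key verified" in summary,
        "key_present": bool(key),
        "expected_type": any(l.startswith(f"Type {key_type}") for l in key),
        "ocs_protected": any(l.startswith("Cardset protected") for l in key),
        "same_world_module": world_esn is not None and world_esn == key_esn,
    }
```

Feed it the full report captured from the HSM client and treat any False finding as a reason to stop and investigate before removing the blob in step 10.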