Install and configure the Entrust nShield HSM

Install the Entrust nShield HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.

For detailed instructions see the nShield v13.6.8 Hardware Install and Setup Guides.

Install the nShield Security World Software and create the Security World

  1. Install the Security World software. For detailed instructions see the nShield Security World Software v13.6.8 Installation Guide.

    If using the older Security World version v12.81.2, install TAC-955 hot fix.
  2. Add the Security World utilities path to the system path. This path is typically /opt/nfast/bin:

    # sudo vi /etc/profile.d/nfast.sh

    Add the following info to nfast.sh and save:

    # Entrust Security World path variable
    export PATH=$PATH:/opt/nfast/bin
  3. Open firewall port 9004 for the Entrust nShield HSM connections:

    # sudo firewall-cmd --permanent --add-port=9004/tcp
    # sudo firewall-cmd --reload
  4. If using remote administration, open firewall port 9005 for the Entrust nShield Trusted Verification Device (TVD):

  5. Open a command window and run the following to confirm the HSM is operational:

    # enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        8FE1-B519-C5AA
     mode                 operational
    ...
    Module #1:
     enquiry reply flags  UnprivOnly
     enquiry reply level  Six
     serial number        8FE1-B519-C5AA
     mode                 operational
     ...
  6. Create your Security World if one does not already exist or copy an existing one. Follow your organization’s security policy for this. For more information see Create a new Security World.

    ACS cards cannot be duplicated after the Security World is created. You may want to create extras in case of a card failure or a lost card.
  7. Confirm the Security World is Usable:

    # nfkminfo
    World
     generation  2
     state       0x3737000c Initialised Usable ...
     ...
    Module #1
     generation 2
     state      0x2 Usable
     ...

Select the protection method

OCS, Softcard, or Module protection can be used to authorize access to the keys protected by the HSM. Typically, an organization’s security policies dictate the use of one or the others.

  • Operator Cards Set (OCS) are smartcards that are presented to the physical smartcard reader of an HSM. For more information on OCS use, properties, and k-of-N values, see Operator Card Sets (OCS).

  • Softcards are logical tokens (passphrases) that protect the key and authorize its use. For more information on Softcards use see Softcards.

  • Module protection has no passphrase.

Follow your organization’s security policy to select an authorization access method.

  1. Create file /opt/nfast/cknfastrc containing the nShield PKCS #11 library environment variables per the selection above.

    For example:

    # Enable Softcard protection
    CKNFAST_LOADSHARING=1
    
    # Enable Module protection
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1
    
    # Needed for managed key
    CKNFAST_OVERRIDE_SECURITY_ASSURANCES=wrapping_crypt
    
    # OCS Preload file location and card set state
    NFAST_NFKM_TOKENSFILE=/opt/nfast/preloadtoken
    CKNFAST_NONREMOVABLE=1
    
    # PKCS #11 log level and file location
    CKNFAST_DEBUG=10
    CKNFAST_DEBUGFILE=/opt/nfast/log/pkcs11.log
  2. Change ownership of /opt/nfast/cknfastrc to nfast.

    # ls -al /opt/nfast/cknfastrc
    -rw-rw-rw-. 1 root root 324 Apr  3 16:12 /opt/nfast/cknfastrc
    
    # chown nfast:nfast /opt/nfast/cknfastrc
    
    # ls -al /opt/nfast/cknfastrc
    -rw-rw-rw-. 1 nfast nfast 324 Apr  3 16:12 /opt/nfast/cknfastrc

Create the OCS

  1. Edit file /opt/nfast/kmdata/config/cardlist adding the serial number of the card(s) to be presented, or the wildcard "*".

  2. Open a command window as an administrator.

  3. Run the createocs command as described below, entering a passphrase at the prompt.

    Follow your organization’s security policy for the values K/N. Use the same passphrase for all the OCS cards in the set (one for each person with access privilege, plus the spares). In this example note that slot 2, remote via a TVD, is used to present the card.

    Vault requires k = 1 whereas N can be up to, but not exceeding, 64.
    After an OCS card set has been created, the cards cannot be duplicated. You may want to create extras in case of a card failure or a lost card.
    The preload utility loads OCS onto the HSM. This feature makes the OCS available for use after been physically removed from the HSM for safe storage or other reasons. Add the -p (persistent) option to the command below to have authentication after the OCS card has been removed from the HSM front panel slot, or from the TVD.
    # createocs -m1 -s2 -N testOCS -Q 1/1
    
    FIPS 140-2 level 3 auth obtained.
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 0: Admin Card #1
     Module 1 slot 2: empty
     Module 1 slot 3: empty
     Module 1 slot 2: blank cardSteps:
    
     Module 1 slot 2:- passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed

    The authentication provided by the OCS as shown in the command line above is non-persistent and only available while the OCS card is inserted in the HSM front panel slot, or the TVD.

  4. Verify the OCS created:

    # nfkminfo -c
    Cardset list - 2 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     edb3d45a28e5a6b22b033684ce589d9e198272c2  1/5  none-NL testOCS

    The rocs utility also shows the OCS created:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
    No. Name                     Keys (recov) Sharing
      1 testOCS                  0 (0)        1 of 5
    rocs> quit

Create the Softcard

  1. Enable Softcard protection as described in Select the protection method.

  2. Open a command window as an administrator.

  3. Run the following command, and enter a passphrase at the prompt:

    # ppmk -n testSC
    
    Enter new pass phrase:
    Enter new pass phrase again:
    New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864
  4. Verify the Softcard created:

    # nfkminfo -s
    SoftCard summary - 1 softcards:
     Operator logical token hash               name
     925f67e72ea3c354cae4e6797bde3753d24e7744  testSC

    The rocs utility also shows the OCS and Softcard created:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cards
    No. Name                     Keys (recov) Sharing
      1 testOCS                  0 (0)        1 of 5
      2 testSC                   0 (0)        (softcard)
    rocs> quit