Install and configure the Entrust nShield HSM
Installation and configuration steps:
Select the protection method
OCS, Softcard, or Module protection can be used to authorize access to the keys protected by the HSM.
- Operator Card Sets (OCS) are smartcards that are presented to the physical smartcard reader of an HSM. For more information on OCS use, properties, and k-of-N values, see the User Guide for your HSM.
- Softcards are logical tokens (passphrases) that protect the key and authorize its use.
- Module protection has no passphrase.
Follow your organization’s security policy to select an authorization access method.
Install the HSM
Install the nShield Connect HSM locally, remotely, or remotely via the serial console. See the following nShield Support articles and the Installation Guide for the HSM:
Install the nShield Security World Software and create the Security World
To install the nShield Security World Software and create the Security World:
- Install the Security World software as described in the Installation Guide and the User Guide for the HSM. This is supplied on the installation disc.
- Install the TAC-955 hotfix. This hotfix contains an updated version of the PKCS#11 library and utilities.
- Add the Security World utilities path /opt/nfast/bin to the system path:

    # sudo vi /etc/profile.d/nfast.sh

  Add the following to nfast.sh and save:

    # Entrust Security World path variable
    export PATH=$PATH:/opt/nfast/bin
- Open firewall port 9004 for the HSM connections:

    # sudo firewall-cmd --permanent --add-port=9004/tcp
    # sudo firewall-cmd --reload
- Open a command window and run the following to confirm the HSM is operational:

    # enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        7852-268D-3BF9
     mode                 operational
     ...
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        7852-268D-3BF9
     mode                 operational
     ...
- Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy for this. Create extra ACS cards as spares in case of a card failure or a lost card. ACS cards cannot be duplicated after the Security World is created.
- Confirm the Security World is usable:

    # nfkminfo
    World
     generation  2
     state       0x3737000c Initialised Usable
     ...
    ...
    Module #1
     generation  2
     state       0x2 Usable
     ...
Create the OCS or Softcard
The OCS or Softcard and associated passphrase will be used to authorize access to the keys protected by the HSM. Typically, one or the other will be used, but rarely both. Follow your organization’s security policy to select an authorization access method.
Create the OCS
- Ensure the file /opt/nfast/kmdata/config/cardlist contains the serial number of the card(s) to be presented, or the wildcard "*".
- Open a command window as an administrator.
- Run the createocs command as described below, entering a passphrase or password at the prompt. Follow your organization’s security policy for the values K/N, where K=1 as noted at the end of this step. Use the same passphrase for all the OCS cards in the set (one for each person with access privilege, plus the spares). Note that slot 2, remote via a Trusted Verification Device (TVD), is used to present the card. After an OCS card set has been created, the cards cannot be duplicated. Vault requires k = 1, whereas N can be up to, but not exceed, 64.

    # createocs -m1 -s2 -N testOCS -Q 1/1
    FIPS 140-2 level 3 auth obtained.
    Creating Cardset:
    Module 1: 0 cards of 1 written
    Module 1 slot 0: Admin Card #1
    Module 1 slot 2: empty
    Module 1 slot 3: empty
    Module 1 slot 2: blank card
    Steps:
    Module 1 slot 2:- passphrase specified - writing card
    Card writing complete.
    cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed

  Add the -p (persistent) option to the command above to keep the authentication valid after the OCS card has been removed from the HSM front panel slot or from the TVD. The authentication provided by the OCS as shown in the command line above is non-persistent and is only available while the OCS card is inserted in the HSM front panel slot or the TVD.
- Verify the OCS was created:

    # nfkminfo -c
    Cardset list - 2 cardsets: (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
    Operator logical token hash              k/n timeout name
    edb3d45a28e5a6b22b033684ce589d9e198272c2 1/5 none-NL testOCS

  The rocs utility also shows the OCS was created:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
     No. Name     Keys (recov) Sharing
       1 testOCS     0 (0)     1 of 5
    rocs> quit
Create the Softcard
- Create a /opt/nfast/cknfastrc file if it does not exist, to enable Softcard protection. This is an example:

    # Enable Softcard protection
    CKNFAST_LOADSHARING=1
    # Enable Module protection
    CKNFAST_FAKE_ACCELERATOR_LOGIN=1
    # PKCS #11 log level and file location
    CKNFAST_DEBUG=10
    CKNFAST_DEBUGFILE=/opt/nfast/log/pkcs11.log
- Run the following command, and enter a passphrase or password at the prompt:

    # ppmk -n testSC
    Enter new pass phrase:
    Enter new pass phrase again:
    New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864
- Verify the Softcard was created:

    # nfkminfo -s
    SoftCard summary - 1 softcards:
     Operator logical token hash              name
     925f67e72ea3c354cae4e6797bde3753d24e7744 testSC

  The rocs utility also shows that the OCS and Softcard were created:

    # rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cards
     No. Name     Keys (recov) Sharing
       1 testOCS     0 (0)     1 of 5
       2 testSC      0 (0)     (softcard)
    rocs> quit