Procedures

Install Java

  1. Install the Java Development Kit (JDK).

    HID specifically requires the JDK and not the Java Runtime Environment (JRE). Refer to the HID documentation for validated versions of the JDK.
  2. Set the JAVA_HOME environment variable. To do this, open a command prompt as Administrator and run:

    >setx JAVA_HOME "C:\Program Files\Java\jdk1.8.0_361"
    
    SUCCESS: Specified value was saved.
  3. Add the Java utilities path %JAVA_HOME%\bin to the Windows system path.

Install the HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. See the following nShield Support articles and the Installation Guide for the HSM:

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

Install the Security World software and create a Security World

  1. Install the Security World software:

    1. Mount the DVD or .iso/disc image and locate setup.exe.

    2. Right-click the setup.exe icon and select Run as Administrator.

    3. For detailed instructions, see the Installation Guide and the User Guide for the HSM.

  2. Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the Windows system path.

  3. Open the firewall port 9004 for the HSM connections.

  4. Enrol the HSM:

    >nethsmenroll -m 1 -f -p 10.194.148.30
    Remote module returned ESN: 6308-03E0-D947
                        HKNETI: 5b8a765a49d46d2c186aec5b189387cb9716573e
    Is the above correct? (yes/no): yes
    OK configuring hardserver's nethsm imports
  5. Open a command window and run the following command to confirm that the HSM is operational:

    >enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        6308-03E0-D947
     mode                 operational
    ...
    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        6308-03E0-D947
     mode                 operational
    ...
  6. Create your Security World if one does not already exist, or copy an existing one. Follow your organization’s security policy for this.

  7. Confirm that the Security World is usable:

    >nfkminfo
    World
     generation  2
     state       0x3fb7000c Initialised Usable ...
    ...
     mode        fips1402level3
    
    Module #1
     generation 2
     state      0x2 Usable
  8. Edit the C:\ProgramData\nCipher\Key Management Data\config\config file. Add the following lines in the [server_startup] section:

    [server_startup]
    ...
    priv_port=9001
    nonpriv_port=9000

Create the OCS

To create the OCS:

  1. Create the OCS, following your organization’s security policy for the value N of K/N. As required, create extra OCS cards, one for each person with access privilege, plus spares.

    Administrator Card Set (ACS) authorization is required to create an OCS in FIPS 140 level 3.
    After an OCS card set has been created, the cards cannot be duplicated.
    # createocs -m1 -s2 -N HIDValAuth -Q 1/1
    
    FIPS 140-2 level 3 auth obtained.
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 3: Admin Card #1
     Module 1 slot 2: blank card
     Module 1 slot 0: empty
     Module 1 slot 2:- passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = 6165632fe011c6475f4d61ac555698d437230cf3
  2. List the OCS created:

    >nfkminfo -c
    Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     6165632fe011c6475f4d61ac555698d437230cf3  1/1  none-NL HIDValAuth

Configure Java

To configure Java:

  1. Copy the nCipherKM.jar file from %NFAST_HOME%\java\classes\ to the extensions folder of the local Java %JAVA_HOME%\jre\lib\ext\:

    >copy "C:\Program Files\nCipher\nfast\java\classes\nCipherKM.jar" "C:\Program Files\Java\jdk1.8.0_361\jre\lib\ext\."
            1 file(s) copied.
  2. Download the jce_policy-8 package from Oracle.
  3. Extract and copy the extracted files local_policy.jar and US_export_policy.jar into the security directory %JAVA_HOME%\jre\lib\security:

    >copy "C:\Users\Administrator\Downloads\jce_policy-8\UnlimitedJCEPolicyJDK8\local_policy.jar" "C:\Program Files\Java\jdk1.8.0_361\jre\lib\security\."
            1 file(s) copied.
    
    >copy "C:\Users\Administrator\Downloads\jce_policy-8\UnlimitedJCEPolicyJDK8\US_export_policy.jar" "C:\Program Files\Java\jdk1.8.0_361\jre\lib\security\."
            1 file(s) copied.
  4. Delete the following files from C:\Program Files (x86)\Common Files\Oracle\Java\javapath\:

    1. java

    2. javaw

    3. javaws
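Before running the HID installer, the Java and Security World settings above can be read back in one pass. The following PowerShell check is an added example, not part of the Entrust or HID documentation; the JDK path, nfast path and HSM address are assumed from the values used in this guide and should be adjusted to your environment.

```powershell
# Added prerequisite check for the Java and nShield steps in this guide (not Entrust/HID code).
# Assumed defaults are taken from the examples above; override them on the command line.
param(
    [string]$JdkHome   = 'C:\Program Files\Java\jdk1.8.0_361',
    [string]$NfastHome = 'C:\Program Files\nCipher\nfast',
    [string]$HsmIp     = '10.194.148.30'
)

$failures = @()
function Check([string]$Name, [bool]$Ok) {
    if ($Ok) { Write-Host "PASS  $Name" } else { Write-Host "FAIL  $Name"; $script:failures += $Name }
}
# Run an nfast utility and return its output as one string, or '' if it is not installed
function RunTool([string]$Exe) {
    $p = Join-Path $NfastHome "bin\$Exe"
    if (Test-Path $p) { (& $p 2>&1 | Out-String) } else { '' }
}

# Install Java, steps 2-3: JAVA_HOME must be a JDK (javac.exe present), and bin folders on PATH
$javaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
Check 'JAVA_HOME set (machine scope)'      ($null -ne $javaHome)
Check 'JAVA_HOME is a JDK (javac.exe)'     ([bool]$javaHome -and (Test-Path "$javaHome\bin\javac.exe"))
$pathEntries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
Check 'JDK bin on system PATH'   (($pathEntries -contains "$JdkHome\bin") -or ($pathEntries -contains '%JAVA_HOME%\bin'))
Check 'nfast bin on system PATH' ($pathEntries -contains "$NfastHome\bin")

# Configure Java, steps 1, 3 and 4: provider jar, JCE policy jars, no stale javapath launchers
Check 'nCipherKM.jar in jre\lib\ext' (Test-Path "$JdkHome\jre\lib\ext\nCipherKM.jar")
foreach ($jar in 'local_policy.jar', 'US_export_policy.jar') {
    Check "$jar in jre\lib\security" (Test-Path "$JdkHome\jre\lib\security\$jar")
}
foreach ($exe in 'java', 'javaw', 'javaws') {
    Check "$exe removed from Oracle javapath" (-not (Test-Path "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\$exe.exe"))
}

# Security World, step 8: hardserver ports present in the config file
[string]$config = Get-Content 'C:\ProgramData\nCipher\Key Management Data\config\config' -Raw -ErrorAction SilentlyContinue
Check 'priv_port=9001 in [server_startup]'    ($config -match '(?m)^priv_port=9001\s*$')
Check 'nonpriv_port=9000 in [server_startup]' ($config -match '(?m)^nonpriv_port=9000\s*$')

# Security World, steps 3, 5 and 7: HSM reachable on 9004, module operational, world usable
Check "TCP 9004 reachable on $HsmIp"  (Test-NetConnection -ComputerName $HsmIp -Port 9004 -InformationLevel Quiet)
Check 'enquiry reports mode operational' ((RunTool 'enquiry.exe')  -match 'mode\s+operational')
Check 'nfkminfo reports world Usable'    ((RunTool 'nfkminfo.exe') -match 'Initialised\s+Usable')

if ($failures.Count -gt 0) { Write-Host "`n$($failures.Count) check(s) failed"; exit 1 }
Write-Host "`nAll prerequisite checks passed"
```

Run it from an elevated PowerShell prompt after completing the Configure Java steps; a FAIL line names the step to revisit.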

Install and configure the database

To install and configure the database:

  1. Install the database where information about issuers, credentials, and revocation lists will be stored. See the HID documentation for compatible database versions.

  2. Create a new database called rtc.

  3. Create a new login as follows:

    1. For Login name, enter rtc.

    2. Select SQL server authentication.

    3. Enter a Password and confirm the password.

    4. For Default database, select rtc.
    5. For Users mapped to this login, select rtc.

    6. For Access privilege, select db_datareader, db_datawriter, db_ddladmin, db_owner, and public.
    7. For Server authentication, select SQL Server and Windows Authentication mode.
  4. Enable the TCP/IP network protocol.
  5. Open the firewall port 1433 for the TCP/IP connection to the MS SQL server.

Install the HID Global Validation Authority

For detailed instructions, see the ActivID® Validation Authority Installation and Configuration Guide.

  1. Run through the HID VA installer.

  2. On the Choose Java Virtual Machine page of the installer, choose the Java executable within the JDK folder.
  3. On the HSM Support page of the installer:

    1. Select Install Support for an HSM.

    2. Select Choose and find %NFAST_HOME%\java\classes.
  4. Complete the installation.
  5. Launch the Windows Services and locate ActivID Validation Authority.

  6. Right-click ActivID Validation Authority to select its properties.

  7. On the General tab, for Startup type select Manual.

  8. On the Log On tab, select Local System account.

  9. Select Apply and then select OK.

Configure the HID Global Validation Authority

  1. Insert the OCS in the HSM.

  2. On the Windows Start menu, run Configure Validation Authority.

  3. Select Begin.

  4. Select whether this is an upgrade or a new installation.

  5. On the next page, provide your organization name.

  6. On the Keystore page:

    1. Select nShield (client software v11 or later) from the drop-down menu.

    2. Clear the Oracle SunJCE keystore for SSL Key check box.

    3. Select Regenerate Keys to create a new set of security keys that are protected by the nShield HSM.

    4. Select all four key options if this is a fresh install.

      This version of the VA has a known issue. It does not support an ECC key for the Asymmetric SSL Key option. If you want to install the VA using ECC keys, contact HID for more information.
    5. Under Message Digest Algorithms:

      1. For the For Signatures property, select SHA-256.

      2. For the For OCSP Response Data property, select SHA-256.

    6. Under Keystore Password (Required):

      1. Select Prompt for Password at Server Start.

      2. Enter and confirm the OCS passphrase.
    7. Select Next.

  7. In the Configure Database page:

    1. For Vendor, select Microsoft SQL Server.

    2. For Host, enter localhost.

    3. For Port, enter 1433.

    4. For Database, enter rtc.

    5. For User, enter rtc.

    6. For Password, enter the database password defined in Install and configure the database.

    7. Select Next.
  8. In the Initialize Database page:

    1. Clear the Remove all ActivID Validation Authority data and drop tables check box.

    2. Select Create required tables.

    3. Select Next.
  9. In the Multi-Person Control page, select Next.
  10. In the Administrator Account page:

    1. Enter the credentials for the HID Global Validation Authority.

    2. Select Next.
  11. In the Proxy page, do not update any properties. Then, select Next.
  12. In the Ports page, do not update any properties. Then, select Next.
  13. Select Start/Restart to finish.

    A password dialog appears. Be aware that the dialog may be behind the Browser window.
  14. Enter the OCS passphrase and select OK.

    The installation completes.
  15. Verify the installation:

    1. Close your browser.

    2. Open your browser and enter the following URL: http://localhost:3501/monitor.jsp
    3. Confirm that STATUS OK appears.

Start the HID Global Validation Authority

To start the HID Global Validation Authority:

  1. Insert the OCS card into the HSM.

  2. Open a command prompt and start HID VA.

    C:\Program Files\HID Global\Validation Authority 7.3\authority\bin>server.bat start
    Using CATALINA_BASE:   "C:\Program Files\HID Global\Validation Authority 7.3\authority"
    Using CATALINA_HOME:   "C:\Program Files\HID Global\Validation Authority 7.3\authority\..\tomcat"
    Using CATALINA_TMPDIR: "C:\Program Files\HID Global\Validation Authority 7.3\authority\temp"
    Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_361"
    Using CLASSPATH:       "C:\Program Files\HID Global\Validation Authority 7.3\authority\..\tomcat\bin\bootstrap.jar;C:\Program Files\HID Global\Validation Authority 7.3\authority\..\tomcat\bin\tomcat-juli.jar"
    Using Security Manager

    Entrust was unable to start the HID VA service from Services as detailed in the HID Global documentation. The server.bat file was used instead.

    A password dialog appears. Be aware that the dialog may be behind the Browser window.

  3. Enter the OCS passphrase.

  4. Access the HID Validation Authority Management Console from a web browser. To do this, select Start > HID Global > Validation Authority Management.