Deploy and configure the Entrust nShield HSM

All steps below are performed in the server running IIS.

Install the Entrust nShield HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. Condensed instructions are available in the following Entrust nShield Support articles.

For detailed instructions see the nShield v13.6.11 Hardware Install and Setup Guides.

Install the Security World software and create a Security World

  1. Install the Security World software. For detailed instructions see the nShield Security World Software v13.6.11 Installation Guide.

  2. Add the Security World utilities path to the system path. This path is typically C:\Program Files\nCipher\nfast\bin.

  3. Open the firewall port 9004 for the HSM connections.

  4. If using remote administration, open firewall port 9005 for the Entrust nShield Trusted Verification Device (TVD).

  5. Inform the HSM of the client’s location. In this integration the client is the IIS server. For instructions, see Configuring the nShield HSM to use the client. If it’s a high-availability setup, repeat the client configuration for each HSM.

  6. Enroll the IIS server as a client of the HSM. For instructions, see Configuring client computers to use the nShield HSM. If it’s a high-availability setup, repeat the enrolment for each HSM.

  7. Open a command window and run the following to confirm the HSM is operational:

    >enquiry
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        7852-268D-3BF9
     mode                 operational
    ...
    Module #1:
     enquiry reply flags  UnprivOnly
     enquiry reply level  Six
     serial number        5F08-02E0-D947
     mode                 operational
    ...
  8. Create your Security World if one does not already exist or copy an existing one. Follow your organization’s security policy for this. For more information see Create a new Security World.

    ACS cards cannot be duplicated after the Security World is created. You may want to create extras in case of a card failure or a lost card.
  9. Confirm the Security World is Usable:

    >nfkminfo
    World
     generation  2
     state       0x3737000c Initialised Usable ...
     ...
    Module #1
     generation 2
     state      0x2 Usable
     ...
    Module #2
     generation 2
     state      0x2 Usable
     ...
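
As an added example (not part of this guide or of the Entrust software), the following script automates the two checks in steps 7 and 9: it parses `enquiry` output to confirm the hardserver and every module report mode `operational`, and parses `nfkminfo` output to confirm the World and every module state includes `Usable`. The sample outputs embedded below are the ones shown above; `run_tool` assumes the utilities are on the system path as set in step 2.

```python
"""Pre-flight check for an nShield client machine (added example, not
Entrust code): parse `enquiry` and `nfkminfo` output and confirm the
hardserver, the modules and the Security World are ready for IIS."""
import re
import subprocess
from typing import Dict, List

# Constructed sample: the `enquiry` output from step 7 above.
ENQUIRY_SAMPLE = """\
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        7852-268D-3BF9
 mode                 operational
...
Module #1:
 enquiry reply flags  UnprivOnly
 enquiry reply level  Six
 serial number        5F08-02E0-D947
 mode                 operational
 ...
"""

# Constructed sample: the `nfkminfo` output from step 9 above.
NFKMINFO_SAMPLE = """\
World
 generation  2
 state       0x3737000c Initialised Usable ...
 ...
Module #1
 generation 2
 state      0x2 Usable
 ...
Module #2
 generation 2
 state      0x2 Usable
 ...
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split tool output into sections keyed by their unindented header
    ("Server", "Module #1", "World", ...). Indented "key   value" lines become
    the section's fields; a key may contain single spaces ("serial number"),
    so the split is on the first run of two or more spaces, falling back to
    the first space when the tool printed only one. Elided "..." lines are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "...":
            continue
        if not line.startswith(" "):
            current = line.rstrip(":").strip()
            sections[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r"\s*(.+?)\s{2,}(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        sections[current][key.strip()] = value.strip()
    return sections


def enquiry_problems(text: str) -> List[str]:
    """Problems found in `enquiry` output (empty list = healthy): the
    hardserver and every module must report mode 'operational'."""
    sections = parse_sections(text)
    problems = []
    if "Server" not in sections:
        problems.append("no Server section: hardserver is not responding")
    if not any(name.startswith("Module #") for name in sections):
        problems.append("no modules visible to the hardserver")
    for name, fields in sections.items():
        if name == "Server" or name.startswith("Module #"):
            mode = fields.get("mode", "missing")
            if mode != "operational":
                problems.append(f"{name}: mode is {mode!r}, expected 'operational'")
    return problems


def world_problems(text: str) -> List[str]:
    """Problems found in `nfkminfo` output: the World and every module must
    have 'Usable' among their state words."""
    sections = parse_sections(text)
    problems = []
    if "World" not in sections:
        problems.append("no World section: no Security World is loaded")
    for name, fields in sections.items():
        if name == "World" or name.startswith("Module #"):
            state = fields.get("state", "missing")
            if "Usable" not in state.split():
                problems.append(f"{name}: state {state!r} is not Usable")
    return problems


def run_tool(name: str) -> str:
    """Run a Security World utility found on the system path (assumption:
    step 2 above added C:\\Program Files\\nCipher\\nfast\\bin) and return stdout."""
    return subprocess.run([name], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demo on the embedded samples; on the IIS server use
    # enquiry_problems(run_tool("enquiry")) and world_problems(run_tool("nfkminfo")).
    for label, probs in (("enquiry", enquiry_problems(ENQUIRY_SAMPLE)),
                         ("nfkminfo", world_problems(NFKMINFO_SAMPLE))):
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
```

Both check functions return a list of findings rather than raising, so the script can be run from a deployment pipeline and fail the step only when the list is non-empty.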

Select the protection method

IIS binding is only possible with:

  • OCS protection

  • Module protection

Typically, an organization’s security policies dictate the use of one or the other.

  • Operator Card Sets (OCS) are smartcards that are presented to the physical smartcard reader of an HSM. For more information on OCS use, properties, and K-of-N values, see Operator Card Sets (OCS).

  • Module protection has no passphrase.

Follow your organization’s security policy to select an authorization access method.

Depending on the protection method selected, you may need to define some environment variables. You can either set these environment variables with the Windows set command or edit the file C:\Program Files\nCipher\nfast\cknfastrc. For reference, all environment variables are listed in nShield PKCS #11 library environment variables.

Enable Module protection:

>set CKNFAST_FAKE_ACCELERATOR_LOGIN=1

Sample C:\Program Files\nCipher\nfast\cknfastrc file:

# Enable Module protection
CKNFAST_FAKE_ACCELERATOR_LOGIN=1

# OCS Preload file location and card set state
NFAST_NFKM_TOKENSFILE="C:\Program Files\nCipher\nfast\preloadtoken"
CKNFAST_NONREMOVABLE=1
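
As an added example (not part of this guide or of the Entrust software), the following script reads a cknfastrc file in the format shown above, with `#` comments, `KEY=VALUE` lines and optional double quotes around a value, and reports which of the two protection settings from this section it enables. It assumes that the settings are only in the file (variables set with the Windows set command in a session are not visible to it) and that a preload token file that is absent means preload has not yet been run.

```python
"""Inspect a cknfastrc file and summarise the protection method it
configures (added example, not Entrust code)."""
from pathlib import Path
from typing import Dict, Optional

# Constructed sample: the cknfastrc shown above, embedded so this runs offline.
SAMPLE_CKNFASTRC = r"""
# Enable Module protection
CKNFAST_FAKE_ACCELERATOR_LOGIN=1

# OCS Preload file location and card set state
NFAST_NFKM_TOKENSFILE="C:\Program Files\nCipher\nfast\preloadtoken"
CKNFAST_NONREMOVABLE=1
"""


def parse_cknfastrc(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored and a
    value wrapped in double quotes (paths with spaces) has the quotes removed.
    A non-empty line without '=' is treated as a malformed file."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed cknfastrc line: {raw!r}")
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def load_cknfastrc(path: str = r"C:\Program Files\nCipher\nfast\cknfastrc") -> Dict[str, str]:
    """Read and parse the file at the default location given in this section."""
    return parse_cknfastrc(Path(path).read_text(encoding="utf-8"))


def protection_summary(settings: Dict[str, str]) -> Dict[str, bool]:
    """Which of the settings discussed above are switched on."""
    return {
        # CKNFAST_FAKE_ACCELERATOR_LOGIN=1 enables Module protection
        "module_protection": settings.get("CKNFAST_FAKE_ACCELERATOR_LOGIN") == "1",
        # NFAST_NFKM_TOKENSFILE points at the preloaded OCS token file
        "ocs_preload": bool(settings.get("NFAST_NFKM_TOKENSFILE")),
        # CKNFAST_NONREMOVABLE=1 reports the card set state as non-removable
        "ocs_nonremovable": settings.get("CKNFAST_NONREMOVABLE") == "1",
    }


def preload_token_present(settings: Dict[str, str]) -> Optional[bool]:
    """None if no token file is configured, otherwise whether it exists on
    disk (assumption: a missing file means preload has not been run yet)."""
    token_file = settings.get("NFAST_NFKM_TOKENSFILE")
    if not token_file:
        return None
    return Path(token_file).is_file()


if __name__ == "__main__":
    settings = parse_cknfastrc(SAMPLE_CKNFASTRC)  # or load_cknfastrc() on the server
    for name, enabled in protection_summary(settings).items():
        print(f"{name}: {'on' if enabled else 'off'}")
    print(f"preload token present: {preload_token_present(settings)}")
```

Running the summary before restarting IIS catches the common mistake of editing the wrong copy of the file or leaving a value quoted inconsistently.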

Create the OCS

Due to limitations of IIS itself, no GUI prompts (even via the nShield Service Agent) can be displayed. Therefore, OCS protection must use a blank passphrase and a 1/N quorum.

  1. Edit file C:\ProgramData\nCipher\Key Management Data\config\cardlist adding the serial number of the card(s) to be presented, or the wildcard "*".

  2. Open a command window as an administrator.

  3. Run the createocs command as described below, entering a blank passphrase at the prompt.

    Follow your organization’s security policy for the K/N values. Use the same passphrase for all the OCS cards in the set (one for each person with access privilege, plus the spares). In this example, slot 2 (remote, via a TVD) is used to present the card.

    IIS binding requires K = 1, whereas N can be up to, but not exceeding, 64.

    After an OCS card set has been created, the cards cannot be duplicated. You may want to create extras in case of a card failure or a lost card.

    The preload utility loads the OCS onto the HSM, which keeps the OCS available for use after it has been physically removed from the HSM for safe storage or other reasons. Add the -p (persistent) option to the createocs command below so that authentication persists after the OCS card has been removed from the HSM front panel slot or from the TVD.
    > createocs -m1 -s2 -N testOCS -Q 1/1
    
    FIPS 140-2 level 3 auth obtained.
    
    Creating Cardset:
     Module 1: 0 cards of 1 written
     Module 1 slot 0: Admin Card #1
     Module 1 slot 2: empty
     Module 1 slot 3: empty
     Module 1 slot 2: blank card
    Steps:
    
     Module 1 slot 2:- passphrase specified - writing card
    Card writing complete.
    
    cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed

    The authentication provided by the OCS as shown in the command line above is non-persistent and only available while the OCS card is inserted in the HSM front panel slot, or the TVD.

  4. Verify the OCS created:

    >nfkminfo -c
    Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
     Operator logical token hash               k/n timeout  name
     7aaf758bc6790206198ea5218040d4faa09f035f  1/5  none-NL testOCSnopassphrase

    The rocs utility also shows the OCS created:

    >rocs
    `rocs' key recovery tool
    Useful commands: `help', `help intro', `quit'.
    rocs> list cardset
    No. Name                     Keys (recov) Sharing
      1 testOCSnopassphrase      0 (0)        1 of 5
    rocs> quit
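
As an added example (not part of this guide or of the Entrust software), the following script parses the `nfkminfo -c` listing from step 4 and checks each card set against the IIS binding constraints stated above (K = 1, N no greater than 64), and reports the persistence flag, which decides whether the card must stay in the slot or TVD. It assumes the row format shown above: a 40-hex-digit token hash, `k/n`, then `timeout-<P|N><R|L>` and the name.

```python
"""Validate OCS card sets listed by `nfkminfo -c` for IIS binding
(added example, not Entrust code)."""
import re
from typing import List, NamedTuple

# Constructed sample: the `nfkminfo -c` output from step 4 above.
NFKMINFO_C_SAMPLE = """\
Cardset list - 1 cardsets:  (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
 Operator logical token hash               k/n timeout  name
 7aaf758bc6790206198ea5218040d4faa09f035f  1/5  none-NL testOCSnopassphrase
"""

# Constraints stated in the "Create the OCS" section above.
IIS_REQUIRED_K = 1
IIS_MAX_N = 64


class CardSet(NamedTuple):
    token_hash: str
    k: int
    n: int
    timeout: str
    persistent: bool   # (P)ersistent / (N)ot
    remoteable: bool   # (R)emoteable / (L)ocal-only
    name: str


# One listing row: <40 hex hash> <k>/<n> <timeout>-<P|N><R|L> <name>
ROW_RE = re.compile(
    r"^\s*([0-9a-f]{40})\s+(\d+)/(\d+)\s+(\S+?)-([PN])([RL])\s+(\S+)\s*$")


def parse_cardsets(text: str) -> List[CardSet]:
    """Return every card-set row in the listing; header lines do not match."""
    cardsets = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            cardsets.append(CardSet(
                token_hash=m.group(1), k=int(m.group(2)), n=int(m.group(3)),
                timeout=m.group(4), persistent=m.group(5) == "P",
                remoteable=m.group(6) == "R", name=m.group(7)))
    return cardsets


def iis_problems(cs: CardSet) -> List[str]:
    """Reasons this card set cannot be used for IIS binding (empty = usable)."""
    problems = []
    if cs.k != IIS_REQUIRED_K:
        problems.append(f"{cs.name}: quorum K={cs.k}, IIS binding requires K={IIS_REQUIRED_K}")
    if cs.n > IIS_MAX_N:
        problems.append(f"{cs.name}: N={cs.n} exceeds the maximum of {IIS_MAX_N}")
    return problems


def persistence_note(cs: CardSet) -> str:
    """Operational consequence of the persistence flag, as described above."""
    if cs.persistent:
        return f"{cs.name}: persistent, authentication survives card removal"
    return (f"{cs.name}: non-persistent, the card must stay in the HSM slot or TVD "
            f"(re-create with createocs -p for persistence)")


if __name__ == "__main__":
    for cs in parse_cardsets(NFKMINFO_C_SAMPLE):
        probs = iis_problems(cs)
        print(f"{cs.name}: {'OK for IIS' if not probs else '; '.join(probs)}")
        print(persistence_note(cs))
```

The token hash parsed from the listing is the same value that `nfkminfo -c` prints in the first column, so it can be matched against the hkltu value reported by createocs when more than one card set exists.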