Installation

The KeySafe 5 agent is installed alongside an existing nShield Security World Software installation.

The KeySafe 5 agent is a privileged client of the hardserver. For more information on privileged clients, see the nShield Security World Software documentation.

Ensure the system clock of the KeySafe 5 agent is synchronized with the central platform.

If you are upgrading an existing KeySafe 5 Agent install, see Agent Upgrade.

Install on Linux

  1. Untar the KeySafe 5 agent install package to the root directory of the machine. The agent install package is in the keysafe5-agent directory of the KeySafe 5 release package.

    This unpacks the KeySafe 5 agent binaries and associated scripts into the /opt/nfast/ directory.

    sudo tar -C / -xf /path/to/keysafe5-1.5.0-Linux-keysafe5-agent.tar.gz
  2. Ensure the messagebus/tls directory is in place.

    sudo mkdir -p /opt/nfast/keysafe5/conf/messagebus/tls
  3. Configure this KeySafe 5 agent instance as described in Agent Configuration and Message Bus Authentication.

  4. Run the install script:

    sudo /opt/nfast/keysafe5/sbin/install

The installer creates the following items, as required:

  • A new configuration from the example configuration if one does not already exist.

  • Either a SysV-style init script or systemd script for automatically starting and stopping the service.

  • The keysafe5d user.

    This user is dedicated to running the keysafe5-agent service, and is a member of the nfast and nfastadmin groups.

It also sets the correct permissions on the /opt/nfast/keysafe5/conf/messagebus/tls directory.

The KeySafe 5 agent is not affected by the standard nShield /opt/nfast/sbin/init.d-ncipher script. To stop, start, or restart the KeySafe 5 agent, you may either:

  • Use /opt/nfast/scripts/init.d/keysafe5-agent, or

  • Use your standard init system scripts, addressing the nc_keysafe5-agent service.
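The following post-install check script is an added example and not part of Entrust's KeySafe 5 package. It verifies, on Linux, that the items the installer is described above as creating are present: the install and init scripts under the nfast root, the messagebus/tls directory, and the keysafe5d user's membership in the nfast and nfastadmin groups. The NFAST_ROOT default of /opt/nfast and the paths come from the steps above; the requirement that the messagebus/tls directory is not world-writable is this example's own baseline, since the exact mode the installer applies is not stated here.

```shell
#!/bin/sh
# Post-install verification for the KeySafe 5 agent on Linux.
# Added example, not an Entrust script. Paths, the keysafe5d user and its
# nfast/nfastadmin group membership follow the installation notes above.
# The "not world-writable" test on the TLS directory is this example's own
# baseline (assumption): the installer's exact permission mode is not stated.

NFAST_ROOT="${NFAST_ROOT:-/opt/nfast}"

# user_in_groups USER GROUP...  ->  0 if USER exists and is a member of every GROUP
user_in_groups() {
    user="$1"; shift
    groups=$(id -Gn "$user" 2>/dev/null) || return 1
    for g in "$@"; do
        case " $groups " in
            *" $g "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# dir_is_private DIR  ->  0 if DIR exists and "other" has no write permission on it
dir_is_private() {
    [ -d "$1" ] || return 1
    # In "ls -ld" output the 9th character of the mode string is the other-write bit.
    case "$(ls -ld "$1")" in
        ????????w*) return 1 ;;
    esac
    return 0
}

# agent_files_present ROOT  ->  0 if the installer's scripts and TLS directory exist under ROOT
agent_files_present() {
    root="$1"
    [ -x "$root/keysafe5/sbin/install" ] &&
    [ -x "$root/scripts/init.d/keysafe5-agent" ] &&
    [ -d "$root/keysafe5/conf/messagebus/tls" ]
}

# run_check LABEL CMD ARGS...  ->  prints ok/FAIL for LABEL and counts failures
run_check() {
    label="$1"; shift
    if "$@"; then
        echo "ok   $label"
    else
        echo "FAIL $label"
        failures=$((failures + 1))
    fi
}

# check_agent_install ROOT  ->  one line per check; exit status is the number of failures
check_agent_install() {
    root="$1"; failures=0
    run_check "agent scripts and TLS directory under $root" agent_files_present "$root"
    run_check "messagebus/tls is not world-writable" dir_is_private "$root/keysafe5/conf/messagebus/tls"
    run_check "keysafe5d user is in nfast and nfastadmin" user_in_groups keysafe5d nfast nfastadmin
    return "$failures"
}

# Run the checks only when invoked as "sh check-agent.sh check", so the
# functions can also be sourced into another script.
if [ "${1:-}" = "check" ]; then
    check_agent_install "$NFAST_ROOT"
fi
```

Run it after step 4 as `sudo sh check-agent.sh check`; a non-zero exit status means at least one of the listed items is missing, which usually points at an install script that was not run or was run before the messagebus/tls directory existed.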

Install on Windows

The KeySafe 5 Agent requires that the hardserver TCP ports are enabled. To do this, either:

  • Run config-serverstartup.exe --port 9000 --privport 9001, or

  • Edit the file %NFAST_KMDATA%\config\config and set nonpriv_port=9000 and priv_port=9001.

After enabling the hardserver TCP ports, you must restart the hardserver service.

If those ports are not available and different ports are configured, the environment variables NFAST_SERVER_PORT and NFAST_SERVER_PRIVPORT must also be set to match, as described in the nShield documentation. They may be set either:

  • Globally, in System Environment Variables (you may need to restart the computer after adding them), or

  • For this service only, by adding a Multi-String Value named Environment under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nShield KeySafe 5 Agent and adding the lines NFAST_SERVER_PORT=port-number and NFAST_SERVER_PRIVPORT=port-number to its Value data.

Launch the keysafe5-agent.msi installer. The installer is in the keysafe5-agent directory of the KeySafe 5 release package.

After installing the files, the installer performs the following configuration steps, without overwriting any existing configuration:

  • Copies the example configuration.

  • Generates a private key and its Certificate Signing Request.

  • Creates and starts the KeySafe 5 Agent service.

If the configuration did not complete, the KeySafe 5 Agent service will not start. In that case, follow the steps described in Agent Configuration and Message Bus Authentication before restarting the service using Windows Service Manager.