nShield Security World v13.4.5 Release Notes
Introduction
These release notes apply to the release of version 13.4.5 of Security World Software for the nShield family of Hardware Security Modules (HSMs).
These release notes contain information specific to this release such as new features, defect fixes, and known issues. They may be updated with issues that have become known after this release has been made available. For the latest version, see https://nshieldsupport.entrust.com/hc/en-us/sections/360001115837-Release-Notes. Access to the Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.
We continuously improve the user documents and update them after the general availability (GA) release. Changes in the document set are recorded in these release notes and are published at https://nshielddocs.entrust.com.
Updated nShield Software Release Policy
Entrust has recently introduced an update to the nShield Software release policy to better define the type of release and the associated update and support policy. As part of this, the concept of Long Term Support (LTS) and Standard Term Support (STS) software releases has been introduced, with each software release being either an LTS or an STS release.
For more information on the software release policy, see the nShield Security World Release Information. Alternatively contact https://nshieldsupport.entrust.com for more information.
Purpose of Security World v13.4
Security World version v13.4 introduces enhancements as described in this document and introduces new functionality to the nShield 5s firmware.
Security World v13.4 is a Standard-Term Supported (STS) release with Long-Term Supported Certified (LTS-C) firmware.
The certified nShield 5s firmware from this release is under the Long-Term support policy.
Following the end of the STS support, Security World v13.6 Long-Term support (LTS) client-side and Connect images should be used with this LTS-C firmware release.
At this point these release notes will capture the details of the firmware only. See the nShield Security World Release Information for details of the supported versions, support dates and the nShield release policy.
FIPS Approved Firmware release
nShield HSM firmware v13.4 has been certified to FIPS 140-3 Level 3. The following table lists the full details of the v13.4 FIPS approved firmware versions and links to the security policy and FIPS certificate.
HSM | Certified Release | Version Info | FIPS Level | Certificate | Security Policy |
---|---|---|---|---|---|
nShield 5s | v13.4.5 | | 140-3 Level 3 | | |
nShield 5 Adoption Guide
A new nShield 5 Adoption Guide has been created which contains detailed information on how to adopt the nShield 5 HSM into an existing Security World of nShield XC HSMs. Consult this guide, as well as the v13.2 product documentation, for information about adopting the new nShield 5 HSM.
Versions of these Release Notes
Revision | Date | Description |
---|---|---|
4.0 | 2025-06-12 | Update with details of the now FIPS approved v13.4.5 nShield 5s Firmware. Release notes update in line with new LTS release policy. |
3.3 | 2024-07-15 | New section in the Release Notes tracking post-release documentation changes: [prdocupdates]. |
3.2 | 2024-06-11 | Terminology change from firmware image version to firmware version. No content change to the product or the Release Notes. |
3.1 | 2024-03-20 | Documentation only update. NSE-53291 has been removed from the list of fixes in [defects-clientside]. |
3.0 | 2023-12-12 | Updated to reflect the v13.4.5 release. |
2.3 | 2023-11-21 | Republishing from updated documentation tool chain. No content changes to the Release Notes. |
2.2 | 2023-11-03 | Update to include warning about nShield 5c image upgrades. See [nshield5c-images]. |
2.1 | 2023-09-26 | Updated to include details of Audit Logging functionality available in the v13.4 release; see Connect Remote Client Identification in Audit logging. There are no updates to the released versions. |
2.0 | 2023-08-03 | Second revision of document, additions for full GA release 13.4.4 |
1.0 | 2023-07-20 | Initial revision of document |
User documentation
In v13.4, the Security World user documentation was moved from the software package to https://nshielddocs.entrust.com.
- Release notes and user documentation for recent releases are publicly available at https://nshielddocs.entrust.com.
- PDF versions of all supported release notes and user documents are available in the Entrust nShield Help Center at https://nshieldsupport.entrust.com/hc/en-us/categories/360000473317-Documents-Manuals. Access to the Entrust nShield Help Center is available to customers under maintenance. Contact Entrust nShield Technical Support at nshield.support@entrust.com to request an account.
From v13.4, the HSM User Guides are platform neutral. Information for both Linux and Windows operating systems is covered in the same PDF chapters and HTML topics. Differences between the operating systems are called out if and where necessary.
Product versions
Security World software versions
Version | Date | Description |
---|---|---|
v13.4.5 | 2023-12-12 | Third release of 13.4 Security World Software |
v13.4.4 | 2023-7-18 | Second release of 13.4 Security World Software |
v13.4.3 | 2023-6-30 | First release of 13.4 Security World Software |
CodeSafe Developer software versions
Version | Date | Description |
---|---|---|
v13.4.3 | 2023-6-30 | Release of 13.4 CodeSafe 5 Developer software. |
Firmware and nShield Connect ISO versions
Version | Date | Description |
---|---|---|
v13.4.5 | 2023-12-12 | Third release of 13.4 Firmware and Connect ISO, for all hardware platforms. |
v13.4.4 | 2023-7-18 | Second release of 13.4 Firmware and Connect ISO, for all hardware platforms. |
v13.4.3 | 2023-6-30 | First release of 13.4 Firmware and Connect ISO, targeted for nShield 5s and nShield 5c only. |
nShield firmware versions
Version | Date | Description |
---|---|---|
v13.4.5 | 2023-12-12 | Updated release of 13.4 Firmware for the Solo XC and the nShield 5s. The nShield 5s firmware from this release has been FIPS 140-3 certified. |
v13.4.4 | 2023-7-31 | Updated release of 13.4 Firmware for nShield 5s and 5c. |
v13.4.3 | 2023-6-30 | First release of 13.4 Firmware for nShield 5s. |
Updated FIPS approved nShield 5s Bootloader
An updated bootloader for the nShield 5s has been released to fix startup issues encountered with the nShield 5s HSM in certain servers. This bootloader has been FIPS approved and the v13.4 FIPS certificate, 4745, has been updated to contain the v1.4.1 bootloader as an approved configuration.
The bootloader is the program that boots the HSM and loads the main application. The nShield 5s has a discrete bootloader that can be updated independently of the Primary and Recovery images. See Upgrade nShield 5s HSM Firmware for more information about how to upgrade to the new v1.4.1 version of bootloader.
Features of Security World v13.4.5
nShield 5s VSN Updates
Impacts: nShield 5s
The latest 13.4.5 FIPS approved nShield 5s firmware contains a VSN increment to a value of 4.
CodeSafe 5 support added to the nShield 5
Impacts: nShield 5s and 5c
The latest generation of CodeSafe provides improved performance, flexibility, easier and faster network connectivity, additional language support, and developer authentication.
- CodeSafe 5 host application compilation requires GCC compiler version 8.x or later.
- CodeSafe 5 is only compatible with nShield 5s or 5c hardware platforms.
- CodeSafe 5 does not provide host application Java examples, however CodeSafe 5 host application development in Java is still possible.
For usage instructions, see the CodeSafe 5 Developer Guide for your HSM.
Permanently enable ECC on nShield 5s and nShield 5c
Impacts: nShield 5s and 5c
- From 13.4 onwards, the nShield 5s and 5c will report EllipticCurve and AcceleratedECC feature-enable bits permanently "on", and behave as such.
Concatenation KDF with KMAC is now available
Impacts: clientside software
- KDF algorithm support for 5G development is now available in firmware through the nCore API.
Relaxed token keys rules
Impacts: clientside software
It is now possible, using C_CopyObject, to change a key’s CKA_TOKEN value from CK_FALSE to CK_TRUE.
This requires the CKNFAST_JCE_COMPATIBILITY environment variable to be set to 1.
The original key’s CKA_TOKEN value will remain unchanged.
See the User Guide for your HSM for more information on CKNFAST_JCE_COMPATIBILITY.
PKCS#11 3GPP performance enhancements
Impacts: clientside software
Performance under loadsharing has been enhanced for TUAK and Milenage signing. It is now possible to control whether session keys will be automatically loadshared or not. Loadsharing adds overhead, but also adds resilience and improves utilization of a multi-module estate. Selection of session keys to be loadshared is by key origin. The default is to loadshare all session keys, which is the previous behaviour.
HMAC support added to perfcheck and ncperftest
Impacts: clientside software
It is now possible to specify HMAC as the key type for perfcheck and ncperftest when signing or verifying.
The following mechanisms are supported:
- HMACSHA256
- HMACSHA512
- HMACSHA3b256
Java generic stub and JCE provider support
Impacts: clientside software
The nShield Security World software Java generic stub and JCE provider now support Amazon Corretto.
Migration tool options
Impacts: clientside software
The migrate-world tool now allows you to select:
- The source OCS or Softcard in the source Security World from which the keys will be migrated.
- A pre-generated OCS or Softcard in the destination Security World into which the keys will be migrated.
Linux signed RPMs
Impacts: clientside software
The Security World Linux ISO now contains RPM files in the linux-rpms/amd64 directory.
These RPMs should be installable on all supported Linux based operating systems that support RPM packages.
See Supported operating systems.
The Codesafe ISO also now contains signed RPMs.
To provide validation of the shipped RPMs, a public key half is shipped on the ISO (under linux-rpms/amd64) for verification using the RPM package tooling.
Post-install of RPMs should follow the same process as a TAR installation.
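The script below is an added example, not tooling from Entrust or from the ISO: it imports the shipped public key and runs rpm -Kv over every package in the RPM directory, treating a digest-only result as a failure because an unsigned package whose digests are intact still reports OK. The mount point /mnt/nshield-iso and the key file name RPM-GPG-KEY-PLACEHOLDER are placeholders; the release notes name neither, and the verbose output lines shown in the comments are a constructed illustration of rpm's format.

```python
"""Verify the signed RPMs shipped on the Security World ISO (added example, not Entrust's tooling)."""
import re
import subprocess
import sys
from pathlib import Path
from typing import Optional, Tuple

# Assumed locations (not stated in the release notes): the ISO mount point and the
# file name of the shipped public key are placeholders to adjust for your environment.
ISO_MOUNT = Path("/mnt/nshield-iso")
RPM_DIR = ISO_MOUNT / "linux-rpms" / "amd64"
PUBKEY_NAME = "RPM-GPG-KEY-PLACEHOLDER"

# 'rpm -Kv' prints one line per check. Constructed illustration of the verbose format:
#   Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
#   Header SHA256 digest: OK
#   Payload SHA256 digest: OK
SIG_OK = re.compile(r"Signature, key ID ([0-9a-fA-F]+): OK\s*$", re.MULTILINE)
ANY_BAD = re.compile(r"\b(NOT OK|NOKEY|MISSING KEYS|BAD)\b", re.IGNORECASE)


def parse_checksig(output: str, expected_key_id: Optional[str] = None) -> Tuple[bool, str]:
    """Interpret 'rpm -Kv' output: require at least one OK signature line and no failures.

    An unsigned package with intact digests prints only 'digest: OK' lines and
    'rpm -K' exits 0 for it, so digest-only output is rejected here.
    """
    if ANY_BAD.search(output):
        return False, "rpm reported a failed or unverifiable check"
    key_ids = {m.group(1).lower() for m in SIG_OK.finditer(output)}
    if not key_ids:
        return False, "no signature line found (unsigned package?)"
    if expected_key_id and expected_key_id.lower() not in key_ids:
        return False, f"signed by unexpected key id(s) {sorted(key_ids)}"
    return True, f"signature OK, key id(s) {sorted(key_ids)}"


def verify_rpm(path: Path, expected_key_id: Optional[str] = None) -> Tuple[bool, str]:
    """Run 'rpm -Kv' on one package and interpret its verbose output."""
    proc = subprocess.run(["rpm", "-Kv", str(path)], capture_output=True, text=True)
    ok, reason = parse_checksig(proc.stdout, expected_key_id)
    if ok and proc.returncode != 0:
        ok, reason = False, f"rpm exited with status {proc.returncode}"
    return ok, reason


def import_key(pubkey: Path) -> None:
    """Import the shipped public key into the rpm keyring (usually needs root for the system DB)."""
    subprocess.run(["rpm", "--import", str(pubkey)], check=True)


def main(argv) -> int:
    rpm_dir = Path(argv[1]) if len(argv) > 1 else RPM_DIR
    import_key(rpm_dir / PUBKEY_NAME)
    failures = 0
    for pkg in sorted(rpm_dir.glob("*.rpm")):
        ok, reason = verify_rpm(pkg)
        print(f"{'PASS' if ok else 'FAIL'} {pkg.name}: {reason}")
        failures += 0 if ok else 1
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass expected_key_id to verify_rpm once you know the key ID of the imported key (rpm -q gpg-pubkey lists imported keys as gpg-pubkey-<keyid>-<timestamp>), so that a package signed by some other key already in the keyring is rejected as well.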
Increased number of connects that can be added to a client
Impacts: clientside software
The number of nShield Connects that can be enrolled to an individual client side software hardserver has been increased to 250.
Connect Watchdog utility
Impacts: nShield Connect+, nShield Connect CLX, nShield Connect XC, nShield 5c
nShield Connect contains a watchdog facility to provide additional logging information for front panel service operations and failures. This feature is turned off by default; it can be enabled from the front panel ("1-1-12-1 >Enable watchdog").
Connect Remote Client Identification in Audit logging
Impacts: nShield Connect+, nShield Connect CLX, nShield Connect XC, nShield 5c
Security World Audit Logging functionality has been updated to allow audit logs from the nShield Connect to be traced to the client machine that initiated a command for the HSM.
A new session field has been added to audit log messages that contains a unique identifier for the remote client.
This identifier is generated when the client initiates the session and a Cmd_SessionCreate audit log entry is created to associate the identifier with the client IP address and KNETI hash as in the example below:
CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_SessionCreate|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181642 seqNo=66 source=host outcome=success description=IP:"192.168.10.21:33044";KNETI:"3952eca167a7dcf251a08b745d53bdfd821a393b" session=639b0bc800000001
All audit logs for commands issued by that client will then reference the client’s unique session identifier (session=639b0bc800000001 in this case) as in the below example:
CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_GenerateLogicalToken|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181681 seqNo=447 source=host session=639b0bc800000001 outcome=success htok=8512ea2397bb0e407de3ba617b2d5fc33d5a6fe3 sharesneeded=1 sharestotal=1 timelimit=100 hkm=82a0ddfaac7b8a0c8a39afbcbdd4df9a7f3e44dd
Termination of that client session (when the Impath resilience session times out or immediately after connection loss if Impath resilience is not enabled in config) is recorded with a Cmd_SessionDestroy entry in the log.
The nShield Connect User Guide has been updated with full details of the change, see the "Client ID Session Extension" section.
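The following Python is an added example, not part of the release notes or the nShield software, showing how a log pipeline can use the new session field: Cmd_SessionCreate entries are turned into a session-id to client (IP and KNETI hash) map, every later command carrying that session id is attributed to the client, and Cmd_SessionDestroy closes the session. The first two sample lines are the ones quoted above; the Cmd_SessionDestroy line and the entry for a session whose creation was never captured (as happens after log rotation) are constructed, so their exact field layout is an assumption.

```python
"""Correlate nShield Connect CEF audit entries with the client that issued them (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample log. The first two lines are the examples from the release notes; the
# Cmd_SessionDestroy line and the final line (a session whose Cmd_SessionCreate
# was not captured) are constructed for illustration.
SAMPLE_LOG = """\
CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_SessionCreate|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181642 seqNo=66 source=host outcome=success description=IP:"192.168.10.21:33044";KNETI:"3952eca167a7dcf251a08b745d53bdfd821a393b" session=639b0bc800000001
CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_GenerateLogicalToken|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181681 seqNo=447 source=host session=639b0bc800000001 outcome=success htok=8512ea2397bb0e407de3ba617b2d5fc33d5a6fe3 sharesneeded=1 sharestotal=1 timelimit=100 hkm=82a0ddfaac7b8a0c8a39afbcbdd4df9a7f3e44dd
CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_SessionDestroy|1|esn=03A0-D075-C49A rsid=23 rtc=1557084190000 seqNo=900 source=host session=639b0bc800000001 outcome=success
CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_GenerateLogicalToken|1|esn=03A0-D075-C49A rsid=23 rtc=1557084190500 seqNo=901 source=host session=639b0bc800000002 outcome=success
"""

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
EXT_RE = re.compile(r"(\w+)=(\S+)")  # extension values in these entries contain no spaces
DESC_RE = re.compile(r'IP:"([^"]+)";KNETI:"([0-9a-fA-F]+)"')


@dataclass
class ClientSession:
    session: str
    ip: Optional[str] = None        # stays None until a Cmd_SessionCreate is seen
    kneti: Optional[str] = None
    commands: List[str] = field(default_factory=list)
    destroyed: bool = False


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a CEF line into its seven header fields and the key=value extension."""
    parts = line.rstrip("\n").split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    extension = dict(EXT_RE.findall(parts[7]))
    return header, extension


def correlate(lines) -> Dict[str, ClientSession]:
    """Build a session-id -> client map; sessions without a captured SessionCreate keep ip=None."""
    sessions: Dict[str, ClientSession] = {}
    for line in lines:
        if not line.strip():
            continue
        header, ext = parse_cef(line)
        sid = ext.get("session")
        if sid is None:
            continue  # entry not tied to a remote client session
        sess = sessions.setdefault(sid, ClientSession(session=sid))
        name = header["name"]
        if name == "Cmd_SessionCreate":
            m = DESC_RE.search(ext.get("description", ""))
            if m:
                sess.ip, sess.kneti = m.group(1), m.group(2)
        elif name == "Cmd_SessionDestroy":
            sess.destroyed = True
        else:
            sess.commands.append(name)
    return sessions


def who_ran(sessions: Dict[str, ClientSession], command: str) -> List[str]:
    """Client addresses that issued `command`; 'unknown' where the session's origin was not logged."""
    return sorted(s.ip or "unknown" for s in sessions.values() if command in s.commands)


if __name__ == "__main__":
    for sid, s in correlate(SAMPLE_LOG.splitlines()).items():
        print(sid, s.ip or "unknown", s.kneti, s.commands, "closed" if s.destroyed else "open")
```

The "unknown" case is worth surfacing in a SIEM rule rather than dropping: a command whose session id has no matching Cmd_SessionCreate in the retained window cannot be attributed to a client, which is exactly what an investigator needs to know when the log window is too short.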
Connect IPv6 remote syslog support
Impacts: nShield Connect+, nShield Connect CLX, nShield Connect XC, nShield 5c
It is now possible to configure remote syslog using IPv6 addresses. See the User Guide for your HSM for more information.
OpenSSL with NFKM Engine application note
The OpenSSL with NFKM Engine application note has been published and is available via https://nshielddocs.entrust.com.
Notes for future releases
The following are important notes about up-coming changes in future Security World releases that are being highlighted early.
- The CEF logging subsystem is being replaced with a new Audit Logging system in a future firmware release.
- The Tiger hash algorithm will be removed in a future firmware release.
Firmware and certifications
Firmware is available on the nShield firmware and nShield Connect image ISO that is available as download only.
The latest LTS release (Security World v13.6) contains the v13.4 FIPS approved nShield 5s firmware detailed below.
This ISO can be obtained through contacting https://nshieldsupport.entrust.com (asking for product code SW2187C-FW on the v13.6 release).
The nShield 5c image that contains this v13.4.5 HSM firmware is available as part of the Security World v13.6 LTS release.
Firmware images
nShield 5s firmware
Type | Version | Description | Directory | VSN |
---|---|---|---|---|
FIPS Approved | 13.4.5 | FIPS approved firmware with features from v13.4 release. | | 4 |
nShield 5s Recovery image
Type | Version | Description | Directory |
---|---|---|---|
FIPS Approved | 13.2.4 | FIPS approved nShield5s Recovery image. | |
nShield 5s Bootloader
See Upgrade nShield 5s HSM Firmware for more information about how to upgrade to the new v1.4.1 version of bootloader.
Type | Version | Description | Directory |
---|---|---|---|
FIPS Approved Recommended | 1.4.1 | FIPS approved nShield5s Bootloader. | |
FIPS Approved | 1.1.0 | FIPS approved nShield5s Bootloader. | |
Upgrade from previous releases
Security World Software upgrade
Before installing this release, you must:
- Confirm that you have a current maintenance contract that licenses you to deploy upgrades on each nShield HSM and corresponding client operating system.
- Uninstall previous releases of Security World Software from the client machines.
- Install the latest LTS release of Security World Software.
For instructions, see the Installation Guide for your HSM.
The instructions in the Installation Guide assume that the HSM being installed has not previously been installed and is in 'factory state', which means that it is using the factory default SSH key. If the HSM being installed has been installed previously it may contain non-default SSH keys. See the instructions in the User Guide for how to install HSMs in this state.
Upgrade nShield 5s HSM Firmware
As detailed in the nShield HSM User Guide, the nShield 5s HSM firmware consists of 3 major components:
- Primary Image
- Recovery Image
- Bootloader
During normal operation, the nShield 5s is running firmware that is loaded from the Primary image. If required, the nShield 5s can be forced into recovery mode to run firmware loaded from the Recovery image. The main purpose of recovery mode is to allow essential maintenance activities that are not possible when the nShield 5s is running the primary image firmware.
This release supplies updated versions of the primary and recovery HSM firmware, and all components need to be upgraded to be in a valid FIPS approved configuration. Details for upgrading the different components are given in the following section.
nShield 5s Firmware Version Check
Following the upgrade, the nShield 5s primary image, recovery image and bootloader versions can be checked using the hsmadmin command:
hsmadmin status --json
Following the upgrade, it should report as follows:
"mode": "primary",
"primary-version": "13.4.5-751-56c6f1db",
"recovery-version": "13.2.4-280-7f4f0c24",
"uboot-version": "1.4.1-0-edb84d6e",
If this is reported, the nShield 5s is in a valid FIPS 140-3 Level 3 certified configuration.
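As an added check, not part of the release notes or of the hsmadmin tool, the Python below parses hsmadmin status --json output and compares the four fields above against the values the release notes give for the certified configuration, reporting each mismatch by name. Only those four key/value pairs come from this page; the surrounding "modules" list, the "esn" key and the stale sample with an older bootloader string are constructed, and because the full output layout is not shown here the walker accepts any JSON nesting.

```python
"""Check 'hsmadmin status --json' output against the FIPS approved v13.4.5 configuration (added example)."""
import json
import subprocess
from typing import Any, Iterator, List, Tuple

# Values the release notes give for a valid FIPS 140-3 Level 3 certified nShield 5s configuration.
EXPECTED = {
    "mode": "primary",
    "primary-version": "13.4.5-751-56c6f1db",
    "recovery-version": "13.2.4-280-7f4f0c24",
    "uboot-version": "1.4.1-0-edb84d6e",
}

# Constructed sample output. Only the four keys above come from the release notes; the
# surrounding "modules"/"esn" structure and the stale bootloader string are assumptions.
SAMPLE_OK = json.dumps({"modules": [
    {"esn": "0000-0000-0001", "mode": "primary",
     "primary-version": "13.4.5-751-56c6f1db",
     "recovery-version": "13.2.4-280-7f4f0c24",
     "uboot-version": "1.4.1-0-edb84d6e"}]})
SAMPLE_STALE = json.dumps({"modules": [
    {"esn": "0000-0000-0002", "mode": "primary",
     "primary-version": "13.4.5-751-56c6f1db",
     "recovery-version": "13.2.4-280-7f4f0c24",
     "uboot-version": "1.1.0-0-00000000"}]})   # older bootloader; build suffix is a placeholder


def iter_status_objects(node: Any) -> Iterator[dict]:
    """Yield every dict carrying 'primary-version', whatever the JSON nesting looks like."""
    if isinstance(node, dict):
        if "primary-version" in node:
            yield node
        for value in node.values():
            yield from iter_status_objects(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_status_objects(value)


def check_fips_config(status_json: str) -> List[Tuple[str, bool, List[str]]]:
    """Return (esn, ok, mismatches) for each module status found; exact string match per field."""
    results = []
    for obj in iter_status_objects(json.loads(status_json)):
        mismatches = [f"{key}: got {obj.get(key)!r}, expected {want!r}"
                      for key, want in EXPECTED.items() if obj.get(key) != want]
        results.append((str(obj.get("esn", "?")), not mismatches, mismatches))
    return results


def check_live() -> List[Tuple[str, bool, List[str]]]:
    """Run hsmadmin and check the real output (requires the Security World software installed)."""
    out = subprocess.run(["hsmadmin", "status", "--json"],
                         capture_output=True, text=True, check=True).stdout
    return check_fips_config(out)


if __name__ == "__main__":
    for esn, ok, mismatches in check_live():
        print(esn, "FIPS approved configuration" if ok else "NOT approved: " + "; ".join(mismatches))
```

The comparison is deliberately an exact match on the full version strings, including the build number and hash, because that is what the release notes state as the certified configuration; a module still in recovery mode or still on the older bootloader shows up as a named mismatch rather than as a silent pass.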
Upgrading the nShield 5s Primary & Recovery Image
Upgrade packages may contain updates for any of these components. The same upgrade method is used in all cases. The system will automatically detect which components are included in the update package and will load the firmware to the correct location.
It is not recommended to upgrade both the Primary and Recovery images at the same time. The recommended procedure is to upgrade the Primary firmware first. Test that the system performs as expected and then upgrade the Recovery firmware at a later date.
The primary and recovery images can be upgraded using the following commands:
For primary:
hsmadmin upgrade nShield5s-13-4-5-vsn4.npkg --esn module-esn
and for recovery:
hsmadmin upgrade nshield5s-recovery-13-2-4.npkg --esn module-esn
Upgrading the nShield 5s Bootloader
The bootloader is the program that boots the HSM and loads the main application. The nShield 5s has a discrete bootloader that can be updated independently of the Primary and Recovery images.
Pre-Requisites
Whilst the bootloader is an independent part of the firmware, the capability to upgrade the bootloader on the nShield 5s was introduced as part of the Security World v13.4 firmware release. As such, the nShield 5s firmware must be upgraded to the FIPS approved v13.4 as a minimum to enable this bootloader upgrade to work.
Upgrading bootloader
Once the primary firmware is at version v13.4 or later, the bootloader can be upgraded using the hsmadmin upgrade command:
hsmadmin upgrade nShield5s-uboot-1-4-1.npkg --esn module-esn
Note: Once the bootloader version is upgraded, it is not possible to downgrade the bootloader to the previous version. The Primary and Recovery images can still be downgraded and upgraded independent of this bootloader version.
Compatibility
Supported hardware
This release is targeted at deployments with any combination of the following nShield HSMs:
- nShield 5s (Base, Mid, High)
Supported operating systems
This release has been tested for compatibility with the following operating systems:
Operating System | nShield 5s |
---|---|
Microsoft Windows 10 x64 | Y |
Microsoft Windows 11 x64 | Y |
Microsoft Windows Server 2016 x64 | Y |
Microsoft Windows Server 2019 x64 | Y |
Microsoft Windows Server 2022 x64 | Y |
Microsoft Windows Server 2022 Core x64 | Y |
Red Hat Enterprise Linux 7 x64 | Y |
Red Hat Enterprise Linux 8 x64 | Y |
Red Hat Enterprise Linux 9 x64 | Y |
SUSE Enterprise Linux 12 x64 | Y |
SUSE Enterprise Linux 15 x64 | Y |
Security World v13.4.5 Linux support is restricted to x86/x64 architectures. Additional mainstream x86/x64 based Linux distributions other than those listed above may be compatible, however Entrust cannot guarantee this compatibility.
Known and fixed issues
The table below lists known and fixed issues in the 13.4.5 firmware. For details of known and fixed issues in the nShield 5c or clientside used with this firmware, consult the relevant Security World release notes for that release.
Reference | Scope | Status | Description |
---|---|---|---|
NSE-52524 | Firmware | Resolved | Addressed a memory issue in hardserver |
NSE-51001 | Firmware | Resolved | Corrected an issue with the reporting of module memory in nShield 5s. |
NSE-50120 | Firmware | Resolved | Fixed an issue related to the minimum battery voltage needed for a bootloader upgrade. |
NSE-41609 | Firmware | Resolved | Fixed an issue with GCM accepting a 0-byte GCM IV. |
NSE-41547 | Firmware | Resolved | Addressed missing FIPS restrictions for |
NSE-47044 | Firmware | Open | The reset of the nShield 5s that occurs when using hsmadmin reset, factorystate or upgrade may not work reliably in some servers. A restart of the server may be required. |
NSE-40144 | Firmware | Open | If the nShield 5s device driver is installed in a Windows server before the hardware is installed, an additional reboot will be required before the card will be recognized. |