nShield Security World v13.4.5 Release Notes

Introduction

These release notes apply to version 13.4.5 of Security World Software for the nShield family of Hardware Security Modules (HSMs).

These release notes contain information specific to this release such as new features, defect fixes, and known issues. They may be updated with issues that have become known after this release has been made available. For the latest version, see https://nshieldsupport.entrust.com/hc/en-us/sections/360001115837-Release-Notes. Access to the Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

We continuously improve the user documents and update them after the general availability (GA) release. Changes in the document set are recorded in these release notes and are published at https://nshielddocs.entrust.com.

Updated nShield Software Release Policy

Entrust has recently introduced an update to the nShield Software release policy to better define the type of release and the associated update and support policy. As part of this, the concept of Long Term Support (LTS) and Standard Term Support (STS) software releases has been introduced, with each software release being either an LTS or an STS release.

For more information on the software release policy, see the nShield Security World Release Information. Alternatively, contact https://nshieldsupport.entrust.com for more information.

Purpose of Security World v13.4

Security World version v13.4 introduces enhancements as described in this document and introduces new functionality to the nShield 5s firmware.

Security World v13.4 is a Standard-Term Supported (STS) release with Long-Term Supported Certified (LTS-C) firmware. The certified nShield 5s firmware from this release is under the Long-Term support policy. Following the end of the STS support, Security World v13.6 Long-Term support (LTS) client-side and Connect images should be used with this LTS-C firmware release. At this point these release notes will capture the details of the firmware only.
See the nShield Security World Release Information for details of the supported versions, support dates and the nShield release policy.

FIPS Approved Firmware release

nShield HSM firmware v13.4 has been certified to FIPS 140-3 Level 3. The following table lists the full details of the v13.4 FIPS approved firmware versions and links to the security policy and FIPS certificate.

| HSM | Certified Release | Version Info | FIPS Level | Certificate | Security Policy |
| --- | --- | --- | --- | --- | --- |
| nShield 5s | v13.4.5 | primary-version: 13.4.5-751-56c6f1db; recovery-version: 13.2.4-280-7f4f0c24; uboot-version: 1.4.1-0-edb84d6e and 1.1.0-1245-b9bedfa | 140-3 Level 3 | 4765 | Security Policy |

nShield 5 Adoption Guide

A new nShield 5 Adoption Guide has been created which contains detailed information on how to adopt the nShield 5 HSM into an existing Security World of nShield XC HSMs. Consult this guide, as well as the v13.2 product documentation, for information about adopting the new nShield 5 HSM.

Versions of these Release Notes

| Revision | Date | Description |
| --- | --- | --- |
| 4.0 | 2025-06-12 | Update with details of the now FIPS approved v13.4.5 nShield 5s Firmware. Release notes update in line with new LTS release policy. |
| 3.3 | 2024-07-15 | New section in the Release Notes tracking post-release documentation changes: [prdocupdates]. |
| 3.2 | 2024-06-11 | Terminology change from firmware image version to firmware version. No content change to the product or the Release Notes. |
| 3.1 | 2024-03-20 | Documentation only update. NSE-53291 has been removed from the list of fixes in [defects-clientside]. |
| 3.0 | 2023-12-12 | Updated to reflect the v13.4.5 release. |
| 2.3 | 2023-11-21 | Republishing from updated documentation tool chain. No content changes to the Release Notes. |
| 2.2 | 2023-11-03 | Update to include warning about nShield 5c image upgrades. See [nshield5c-images]. |
| 2.1 | 2023-09-26 | Updated to include details of Audit Logging functionality available in the v13.4 release; see Connect Remote Client Identification in Audit logging. There are no updates to the released versions. |
| 2.0 | 2023-08-03 | Second revision of document, additions for full GA release 13.4.4 |
| 1.0 | 2023-07-20 | Initial revision of document |

User documentation

In v13.4, the Security World user documentation was moved from the software package to https://nshielddocs.entrust.com.

From v13.4, the HSM User Guides are platform neutral. Information for both Linux and Windows operating systems is covered in the same PDF chapters and HTML topics. Differences between the operating systems are called out if and where necessary.

Product versions

Security World software versions

| Version | Date | Description |
| --- | --- | --- |
| v13.4.5 | 2023-12-12 | Third release of 13.4 Security World Software |
| v13.4.4 | 2023-7-18 | Second release of 13.4 Security World Software |
| v13.4.3 | 2023-6-30 | First release of 13.4 Security World Software |

CodeSafe Developer software versions

| Version | Date | Description |
| --- | --- | --- |
| v13.4.3 | 2023-6-30 | Release of 13.4 CodeSafe 5 Developer software. |

Firmware and nShield Connect ISO versions

| Version | Date | Description |
| --- | --- | --- |
| v13.4.5 | 2023-12-12 | Third release of 13.4 Firmware and Connect ISO, for all hardware platforms. |
| v13.4.4 | 2023-7-18 | Second release of 13.4 Firmware and Connect ISO, for all hardware platforms. |
| v13.4.3 | 2023-6-30 | First release of 13.4 Firmware and Connect ISO, targeted for nShield 5s and nShield 5c only. |

nShield firmware versions

| Version | Date | Description |
| --- | --- | --- |
| v13.4.5 | 2023-12-12 | Updated release of 13.4 Firmware for the Solo XC and the nShield 5s. The nShield 5s firmware from this release has been FIPS 140-3 certified. |
| v13.4.4 | 2023-7-31 | Updated release of 13.4 Firmware for nShield 5s and 5c. |
| v13.4.3 | 2023-6-30 | First release of 13.4 Firmware for nShield 5s. |

nShield Connect image versions

| Version | Date | Description |
| --- | --- | --- |
| v13.4.5 | 2023-12-12 | Second release of nShield Connect images for 13.4 containing the latest features and fixes. |
| v13.4.3 | 2023-6-30 | First release of nShield Connect images for 13.4 containing the latest features and fixes. |

Updated FIPS approved nShield 5s Bootloader

An updated bootloader for the nShield 5s has been released to fix startup issues encountered with the nShield 5s HSM in certain servers. This bootloader has been FIPS approved and the v13.4 FIPS certificate, 4745, has been updated to contain the v1.4.1 bootloader as an approved configuration.

The bootloader is the program that boots the HSM and loads the main application. The nShield 5s has a discrete bootloader that can be updated independently of the Primary and Recovery images. See Upgrade nShield 5s HSM Firmware for more information about how to upgrade to the new v1.4.1 version of bootloader.

Features of Security World v13.4.5

nShield 5s VSN Updates

Impacts: nShield 5s

The latest 13.4.5 FIPS approved nShield 5s firmware contains a VSN increment to a value of 4.

CodeSafe 5 support added to the nShield 5

Impacts: nShield 5s and 5c

The latest generation of CodeSafe provides improved performance, flexibility, easier and faster network connectivity, additional language support, and developer authentication.

  • CodeSafe 5 host application compilation requires GCC compiler version 8.x or later.

  • CodeSafe 5 is only compatible with nShield 5s or 5c hardware platforms.

  • CodeSafe 5 does not provide host application Java examples, however CodeSafe 5 host application development in Java is still possible.

For usage instructions, see the CodeSafe 5 Developer Guide for your HSM.

Permanently enable ECC on nShield 5s and nShield 5c

Impacts: nShield 5s and 5c

  • From 13.4 onwards, the nShield 5s and 5c will report EllipticCurve and AcceleratedECC feature-enable bits permanently "on", and behave as such.

Concatenation KDF with KMAC is now available

Impacts: clientside software

  • KDF algorithm support for 5G development is now available in firmware through the nCore API.

Relaxed token keys rules

Impacts: clientside software

It is now possible, using C_CopyObject, to change a key’s CKA_TOKEN value from CK_FALSE to CK_TRUE. This requires the CKNFAST_JCE_COMPATIBILITY environment variable to be set to 1.

The original key’s CKA_TOKEN value will remain unchanged.

See the User Guide for your HSM for more information on CKNFAST_JCE_COMPATIBILITY.

PKCS#11 3GPP performance enhancements

Impacts: clientside software

Performance under loadsharing has been enhanced for TUAK and Milenage signing. It is now possible to control whether session keys will be automatically loadshared or not. Loadsharing adds overhead, but also adds resilience and improves utilization of a multi-module estate. Selection of session keys to be loadshared is by key origin. The default is to loadshare all session keys, which is the previous behaviour.

HMAC support added to perfcheck and ncperftest

Impacts: clientside software

It is now possible to specify HMAC as the key type for perfcheck and ncperftest when signing or verifying. The following mechanisms are supported:

  • HMACSHA256

  • HMACSHA512

  • HMACSHA3b256

Java generic stub and JCE provider support

Impacts: clientside software

The nShield Security World software Java generic stub and JCE provider now support Amazon Corretto.

Migration tool options

Impacts: clientside software

The migrate-world tool now allows you to select:

  • The source OCS or Softcard in the source Security World from which the keys will be migrated.

  • A pre-generated OCS or Softcard in the destination Security World into which the keys will be migrated.

Linux signed RPMs

Impacts: clientside software

The Security World Linux ISO now contains RPM files in the linux-rpms/amd64 directory. These RPMs should be installable on all supported Linux-based operating systems that support RPM packages. See Supported operating systems.

The CodeSafe ISO also now contains signed RPMs.

To provide validation of the shipped RPMs, a public key half is shipped on the ISO (under linux-rpms/amd64) for verification using the RPM package tooling. Post-install of RPMs should follow the same process as a TAR installation.

Increased number of connects that can be added to a client

Impacts: clientside software

The number of nShield Connects that can be enrolled to an individual client side software hardserver has been increased to 250.

Connect Watchdog utility

Impacts: nShield Connect+, nShield Connect CLX, nShield Connect XC, nShield 5c

nShield Connect contains a watchdog facility to provide additional logging information for front panel service operations and failures. This feature is turned off by default. It can be enabled from the front panel: "1-1-12-1 >Enable watchdog".

Connect Remote Client Identification in Audit logging

Impacts: nShield Connect+, nShield Connect CLX, nShield Connect XC, nShield 5c

Security World Audit Logging functionality has been updated to allow audit logs from the nShield Connect to be traced to the client machine that initiated a command for the HSM.

A new session field has been added to audit log messages that contains a unique identifier for the remote client. This identifier is generated when the client initiates the session and a Cmd_SessionCreate audit log entry is created to associate the identifier with the client IP address and KNETI hash as in the example below:

CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_SessionCreate|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181642 seqNo=66 source=host outcome=success description=IP:"192.168.10.21:33044";KNETI:"3952eca167a7dcf251a08b745d53bdfd821a393b" session=639b0bc800000001

All audit logs for commands issued by that client will then reference the client’s unique session identifier (session=639b0bc800000001 in this case), as in the example below:

CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_GenerateLogicalToken|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181681 seqNo=447 source=host session=639b0bc800000001 outcome=success htok=8512ea2397bb0e407de3ba617b2d5fc33d5a6fe3 sharesneeded=1 sharestotal=1 timelimit=100 hkm=82a0ddfaac7b8a0c8a39afbcbdd4df9a7f3e44dd

Termination of that client session (when the Impath resilience session times out or immediately after connection loss if Impath resilience is not enabled in config) is recorded with a Cmd_SessionDestroy entry in the log.

The nShield Connect User Guide has been updated with full details of the change, see the "Client ID Session Extension" section.
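An added example (not Entrust code) of the correlation described above: it parses the CEF entries, maps each session identifier to the client IP and KNETI hash from Cmd_SessionCreate, and separates out commands whose session was never announced or was already destroyed. The sample lines reuse the two entries quoted above; the Cmd_SessionDestroy layout and the final line are assumptions made for the example.

```python
import re

# Constructed sample: the first two lines are the entries quoted above; the
# last two are hypothetical (the Cmd_SessionDestroy layout is assumed, and the
# final line uses a session id that no Cmd_SessionCreate announced).
SAMPLE_LOG = [
    'CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_SessionCreate|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181642 seqNo=66 source=host outcome=success description=IP:"192.168.10.21:33044";KNETI:"3952eca167a7dcf251a08b745d53bdfd821a393b" session=639b0bc800000001',
    'CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_GenerateLogicalToken|1|esn=03A0-D075-C49A rsid=23 rtc=1557084181681 seqNo=447 source=host session=639b0bc800000001 outcome=success htok=8512ea2397bb0e407de3ba617b2d5fc33d5a6fe3 sharesneeded=1 sharestotal=1 timelimit=100 hkm=82a0ddfaac7b8a0c8a39afbcbdd4df9a7f3e44dd',
    'CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_SessionDestroy|1|esn=03A0-D075-C49A rsid=23 rtc=1557084190000 seqNo=450 source=host outcome=success session=639b0bc800000001',
    'CEF:0|nCipher Security|nShield Solo|13.4.0|1|Cmd_GenerateLogicalToken|1|esn=03A0-D075-C49A rsid=23 rtc=1557084195000 seqNo=460 source=host session=639b0bc8000000ff outcome=success',
]

# key=value pairs; a value runs until the next " key=" or the end of the line.
EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
CLIENT_RE = re.compile(r'IP:"([^"]+)";KNETI:"([0-9a-fA-F]+)"')


def parse_cef(line):
    """Split one CEF record into its event name and extension key/values."""
    parts = line.strip().split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    fields = {key: value.strip() for key, value in EXT_RE.findall(parts[7])}
    fields["event"] = parts[5]
    return fields


def attribute_commands(lines):
    """Return (attributed, unattributed) command lists.

    attributed items are (seqNo, event, client_ip, kneti); unattributed items
    are (seqNo, event, session) for commands whose session has no live
    Cmd_SessionCreate in the log being analysed.
    """
    sessions, attributed, unattributed = {}, [], []
    for line in lines:
        rec = parse_cef(line)
        sid = rec.get("session")
        if rec["event"] == "Cmd_SessionCreate":
            match = CLIENT_RE.search(rec.get("description", ""))
            if match and sid:
                sessions[sid] = (match.group(1), match.group(2).lower())
        elif rec["event"] == "Cmd_SessionDestroy":
            sessions.pop(sid, None)
        elif sid in sessions:
            attributed.append((int(rec["seqNo"]), rec["event"], *sessions[sid]))
        else:
            unattributed.append((int(rec["seqNo"]), rec["event"], sid))
    return attributed, unattributed
```

Entries that land in the unattributed list usually mean the analysed log window starts after the session was created, so widen the window before treating them as anomalies.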

Connect IPv6 remote syslog support

Impacts: nShield Connect+, nShield Connect CLX, nShield Connect XC, nShield 5c

It is now possible to configure remote syslog using IPv6 addresses. See the User Guide for your HSM for more information.

OpenSSL with NFKM Engine application note

The OpenSSL with NFKM Engine application note has been published and is available via https://nshielddocs.entrust.com.

Notes for future releases

The following are important notes about upcoming changes in future Security World releases that are being highlighted early.

  • The CEF logging subsystem is being replaced with a new Audit Logging system in a future firmware release.

  • The Tiger hash algorithm will be removed in a future firmware release.

Firmware and certifications

Firmware is available on the nShield firmware and nShield Connect image ISO that is available as download only. The latest LTS release (Security World v13.6) contains the v13.4 FIPS approved nShield 5s firmware detailed below. This ISO can be obtained by contacting https://nshieldsupport.entrust.com (asking for product code SW2187C-FW on the v13.6 release).

The nShield 5c image that contains this v13.4.5 HSM firmware is available as part of the Security World v13.6 LTS release.

Firmware images

nShield 5s firmware

| Type | Version | Description | Directory | VSN |
| --- | --- | --- | --- | --- |
| FIPS Approved | 13.4.5 | FIPS approved firmware with features from v13.4 release. | firmware/nShield5s/latest/nShield5s-13-4-5-vsn4.npkg | 4 |

nShield 5s Recovery image

| Type | Version | Description | Directory |
| --- | --- | --- | --- |
| FIPS Approved | 13.2.4 | FIPS approved nShield5s Recovery image. | firmware/nShield5s/fips/nShield5s-recovery-13-2-4.npkg |

nShield 5s Bootloader

See Upgrade nShield 5s HSM Firmware for more information about how to upgrade to the new v1.4.1 version of bootloader.

| Type | Version | Description | Directory |
| --- | --- | --- | --- |
| FIPS Approved Recommended | 1.4.1 | FIPS approved nShield5s Bootloader. | firmware/nShield5s/fips/nShield5s-uboot-1-4-1.npkg |
| FIPS Approved | 1.1.0 | FIPS approved nShield5s Bootloader. | firmware/nShield5s/fips/nShield5s-uboot-1-1-0.npkg |

Upgrade from previous releases

Security World Software upgrade

Before installing this release, you must:

  • Confirm that you have a current maintenance contract that licenses you to deploy upgrades on each nShield HSM and corresponding client operating system.

  • Uninstall previous releases of Security World Software from the client machines.

  • Install the latest LTS release of Security World Software.

For instructions, see the Installation Guide for your HSM.

The instructions in the Installation Guide assume that the HSM being installed has not previously been installed and is in 'factory state' which means that it is using the factory default SSH key. If the HSM being installed has been installed previously it may contain non-default SSH keys. See the instructions in the User Guide for how to install HSMs in this state.

Upgrade nShield 5s HSM Firmware

As detailed in the nShield HSM User Guide, the nShield 5s HSM firmware consists of 3 major components:

  • Primary Image

  • Recovery Image

  • Bootloader

During normal operation, the nShield 5s is running firmware that is loaded from the Primary image. If required, the nShield 5s can be forced into recovery mode to run firmware loaded from the Recovery image. The main purpose of recovery mode is to allow essential maintenance activities that are not possible when the nShield 5s is running the primary image firmware.

This release supplies updated versions of the primary and recovery HSM firmware and all need to be upgraded to be in a valid FIPS approved configuration. The steps for upgrading the different components are given in the following sections.

nShield 5s Firmware Version Check

Following the upgrade, the nShield 5s primary image, recovery image and bootloader versions can be checked using the hsmadmin command:

hsmadmin status --json

Following the upgrade, it should report as follows:

"mode": "primary",
"primary-version": "13.4.5-751-56c6f1db",
"recovery-version": "13.2.4-280-7f4f0c24",
"uboot-version": "1.4.1-0-edb84d6e",

If this is reported, the nShield 5s is in a valid FIPS 140-3 Level 3 certified configuration.
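An added example (not part of the original release notes or Entrust tooling) that automates this check over saved `hsmadmin status --json` output, using the approved versions listed in these release notes. Only the four keys shown above come from the page; the surrounding JSON layout, the `esn` key and the second module in the sample are assumptions, so the code searches the document for the version keys at any depth.

```python
import json

# Versions taken from these release notes. The bootloader table lists 1.4.1
# as "FIPS Approved Recommended" and 1.1.0 as "FIPS Approved"; the first
# entry of each list is treated as the recommended one.
EXPECTED = {
    "primary-version": ["13.4.5-751-56c6f1db"],
    "recovery-version": ["13.2.4-280-7f4f0c24"],
    "uboot-version": ["1.4.1-0-edb84d6e", "1.1.0-1245-b9bedfa"],
}

# Constructed sample. The outer list, the "esn" key, the ESN values and the
# second module (including its "recovery" mode value) are hypothetical.
SAMPLE_STATUS = """
[
  {"esn": "AAAA-BBBB-CCCC", "mode": "primary",
   "primary-version": "13.4.5-751-56c6f1db",
   "recovery-version": "13.2.4-280-7f4f0c24",
   "uboot-version": "1.4.1-0-edb84d6e"},
  {"esn": "DDDD-EEEE-FFFF", "mode": "recovery",
   "primary-version": "13.4.5-751-56c6f1db",
   "recovery-version": "13.2.4-280-7f4f0c24",
   "uboot-version": "1.1.0-1245-b9bedfa"}
]
"""


def find_status_blocks(node):
    """Yield every JSON object that carries the firmware version keys,
    whatever the nesting of the surrounding document."""
    if isinstance(node, dict):
        if "primary-version" in node:
            yield node
        for value in node.values():
            yield from find_status_blocks(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_status_blocks(item)


def check_status(text):
    """Return one list of findings per module; an empty list means the module
    runs the primary image and reports the recommended approved versions."""
    results = []
    for block in find_status_blocks(json.loads(text)):
        findings = []
        if block.get("mode") != "primary":
            findings.append("mode is %r, expected 'primary'" % block.get("mode"))
        for key, approved in EXPECTED.items():
            got = block.get(key)
            if got not in approved:
                findings.append("%s %r is not an approved version" % (key, got))
            elif got != approved[0]:
                findings.append("%s %r is approved but not the recommended one" % (key, got))
        results.append(findings)
    return results
```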

Upgrading the nShield 5s Primary & Recovery Image

Upgrade packages may contain updates for any of these components. The same upgrade method is used in all cases. The system will automatically detect which components are included in the update package and will load the firmware to the correct location.

It is not recommended to upgrade both the Primary and Recovery images at the same time. The recommended procedure is to upgrade the Primary firmware first. Test that the system performs as expected and then upgrade the Recovery firmware at a later date.

The primary and recovery images can be upgraded using the following commands.

For primary:

hsmadmin upgrade nShield5s-13-4-5-vsn4.npkg --esn module-esn

and for recovery:

hsmadmin upgrade nShield5s-recovery-13-2-4.npkg --esn module-esn

Upgrading the nShield 5s Bootloader

The bootloader is the program that boots the HSM and loads the main application. The nShield 5s has a discrete bootloader that can be updated independently of the Primary and Recovery images.

Pre-Requisites

Whilst the bootloader is an independent part of the firmware, the capability to upgrade the bootloader on the nShield 5s was introduced as part of the Security World v13.4 firmware release. As such, the nShield 5s firmware must be upgraded to the FIPS approved v13.4 as a minimum to enable this bootloader upgrade to work.

Upgrading bootloader

Once the primary firmware is at version v13.4 or later, the bootloader can be upgraded using the hsmadmin upgrade command:

hsmadmin upgrade nShield5s-uboot-1-4-1.npkg --esn module-esn

Note: Once the bootloader version is upgraded, it is not possible to downgrade the bootloader to the previous version. The Primary and Recovery images can still be downgraded and upgraded independent of this bootloader version.

Compatibility

Supported hardware

This release is targeted at deployments with any combination of the following nShield HSMs:

  • nShield 5s (Base, Mid, High)

Supported operating systems

This release has been tested for compatibility with the following operating systems:

| Operating System | nShield 5s |
| --- | --- |
| Microsoft Windows 10 x64 | Y |
| Microsoft Windows 11 x64 | Y |
| Microsoft Windows Server 2016 x64 | Y |
| Microsoft Windows Server 2019 x64 | Y |
| Microsoft Windows Server 2022 x64 | Y |
| Microsoft Windows Server 2022 Core x64 | Y |
| Red Hat Enterprise Linux 7 x64 | Y |
| Red Hat Enterprise Linux 8 x64 | Y |
| Red Hat Enterprise Linux 9 x64 | Y |
| SUSE Enterprise Linux 12 x64 | Y |
| SUSE Enterprise Linux 15 x64 | Y |

Security World v13.4.5 Linux support is restricted to x86/x64 architectures. Additional mainstream x86/x64 based Linux distributions other than those listed above may be compatible, however Entrust cannot guarantee this compatibility.

Supported virtual environments

| Operating System | nShield 5s |
| --- | --- |
| Microsoft Hyper-V Server 2016 | N |
| Microsoft Hyper-V Server 2019 | N |
| Microsoft Hyper-V Server 2022 | |

Known and fixed issues

The table below lists known and fixed issues in the 13.4.5 firmware. For details of known and fixed issues in the nShield 5c or clientside used with this firmware, consult the relevant Security World release notes for that release.

| Reference | Scope | Status | Description |
| --- | --- | --- | --- |
| NSE-52524 | Firmware | Resolved | Addressed a memory issue in hardserver Cmd_GetPublishedObject. |
| NSE-51001 | Firmware | Resolved | Corrected an issue with the reporting of module memory in nShield 5s. |
| NSE-50120 | Firmware | Resolved | Fixed an issue related to the minimum battery voltage needed for a bootloader upgrade. |
| NSE-41609 | Firmware | Resolved | Fixed an issue with GCM accepting a 0-byte GCM IV. |
| NSE-41547 | Firmware | Resolved | Addressed missing FIPS restrictions for DeriveMech_ConcatenationKDF. |
| NSE-47044 | Firmware | Open | The reset of the nShield 5s that occurs when using hsmadmin reset, factorystate or upgrade may not work reliably in some servers. A restart of the server may be required. |
| NSE-40144 | Firmware | Open | If the nShield 5s device driver is installed in a Windows server before the hardware is installed, an additional reboot will be required before the card will be recognized. |