nShield Security World v13.9.3 Release Notes

Introduction

These release notes apply to the release of version 13.9.3 of Security World for the nShield family of Hardware Security Modules (HSMs).

These release notes contain information specific to this release such as new features, defect fixes, and known issues. They may be updated with issues that have become known after this release has been made available. For the latest version, see https://trustedcare.entrust.com/. Access to the Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

We continuously improve the user documents and update them after the general availability (GA) release. Changes in the document set are recorded in these release notes and are published at https://nshielddocs.entrust.com.

Updated nShield Software Release Policy

Entrust has recently introduced an update to the nShield Software release policy to better define the type of release and the associated update and support policy. As part of this, the concept of Long Term Support (LTS) and Standard Term Support (STS) software releases has been introduced, with each software release being either a LTS or STS release.

For more information on the software release policy, see the nShield Security World Release Information. Alternatively contact https://trustedcare.entrust.com/ for more information.

Purpose of Security World v13.9

Security World version v13.9 introduces new features and enhancements as described in Features of Security World Security World v13.9 STS Release 2. It also corrects a number of defects that have been identified in earlier releases.

Security World 13.9.3 is a Standard-Term Supported (STS) release. This release is designed to give early access to new nShield features and has a shorter support period.
For long-term support (LTS), frequent stability updates and certified firmware, it is recommended to use the v13.6 Long-Term Support release. See the nShield Security World Release Information for details of the supported versions and the STS & LTS policy.

This release contains updates to the following products:

  • Updated firmware for nShield 5s

  • Updated Connect images for nShield 5c and Connect XC

Versions of these Release Notes

Revision Date Description

1.0

2025-12-12

Release notes for the release of v13.9.3, Security World v13.9 STS Release 2.

Product versions

Security World software versions

Version Date Description

v13.9.3

2025-12-12

Full Release of the 13.9.3 Linux and Windows ISOs.

CodeSafe Developer software versions

Version Date Description

v13.9.3

2025-12-12

Full Release of the 13.9.3 Codesafe Linux and Windows ISOs.

Firmware and Connect ISO versions

Version Date Description

v13.9.3

2025-12-12

Full Release of the 13.9.3 FW ISO including the updated 13.9 Connect images and 13.8 firmware.

nShield Firmware versions

Version Date Description

v13.8.4

2025-12-12

Full Release of 13.8 Firmware for the nShield 5s HSM containing the latest features and fixes.

Connect image versions

Version Date Description

v13.9.3

2025-12-12

Full Release of 13.9 images for nShield 5c and nShield Connect XC HSMs containing the latest features and fixes.

Features of Security World Security World v13.9 STS Release 2

New v13.9.3 Connect Images

Refer to Connect images for more information on the new v13.9.3 Connect images.

Refer to Known and fixed issues for more information on fixed issues in the new v13.9.3 Connect images.

Unset module RTC upgrade issue on Connect 5c units

v13.9 images are unaffected by this issue as it is no longer possible to up to a v13.9 image with an unset RTC. An appropriate error will be displayed if the RTC is unset during the upgrade process and the nShield 5c RTC will need to be set to continue with the upgrade.

Connect 5c only Due to NSE-69020 if the nShield 5c unit RTC is not set it will result in an upgrade failure.

The following nShield 5c images are impacted by NSE-69020:

Release nShield 5c Version

Security World v13.6.3 LTS Release

v13.6.1

Security World v13.6.5 LTS Update 1

v13.6.4

Security World v13.6.8 LTS Update 2

v13.6.7

Security World v13.7.3 STS Release 1

v13.7.1

To determine if your nShield 5c unit has the RTC set correctly, execute the ncdate command against the target nShield 5c unit.

A nShield 5c with the correct RTC date and time set should display a variance of the following:

# ncdate -m1
Local time is 07:03:54.943 2025.03.12

An nShield 5c with the the incorrect RTC date and time set will display a variance of the following:

# ncdate -m1
Local time is 07:03:54.943 1970.03.12

Please contact nshield.support@entrust.com if the RTC for your nShield 5c unit is incorrectly set for more assistance.

nShield 5 Cryptographic Acceleration Profiles (NSE-72725)

Security World v13.9 STS Release 2 introduces nShield 5s firmware v13.8, which adds support for configurable cryptographic acceleration profiles. These profiles allow you to optimize performance by selecting different mixes of algorithm acceleration.

Available Acceleration Profiles (Firmware v13.8.4)

Profile ID Profile Name Description

pk

PK Algorithm Acceleration

Accelerates traditional PK algorithms. Matches the acceleration in Security World v13.9 Release 1.

hy

Hybrid PK and PQ

Combines acceleration for traditional PK algorithms and post-quantum (PQ) algorithms. In Release 2, this includes ML-DSA PQ acceleration only.

This feature is supported only on nShield 5 Mid and High-speed variants.

Profile Management

  • Profiles can only be changed when the HSM is in maintenance mode.

  • Changing the profile does not affect the Security World configuration and can be performed at any time during the Security World life.

  • Different HSMs within the same Security World are able to take advantage of different acceleration profiles. Profiles can be selected independently.

New Command: hsmadmin select acceleration

The hsmadmin select acceleration command enables configuration of acceleration profiles.

It provides two options:

  • hsmadmin select acceleration --show

    • Displays the available cryptographic accelerator options.

  • hsmadmin select acceleration --set <ID>

    • Selects the cryptographic accelerator options corresponding to the specified profile ID.

    • The module must be restarted for the new profile to take effect.

Codesafe 5: SDK improvements (NSE-72572)

Security World v13.9 STS Release 2 resolves the following issues in Codesafe 5:

  • SEElib_Transact is no longer unresponsive under certain conditions

  • SEElib_StartProcessorThreads() no longer crashes if nthreads is too high

  • 'pending job table full' / Status_ObjectNotReady error from SEElib_Transact() no longer occurs when many hundreds of threads are created

  • CodeSafe developer id certificates can be issued for RSA keys and the issued RSA keys can now sign images

  • Java PublishedSEEWorld’s getInitStatus() method should no longer throw a null pointer exception for already successfully initialised Worlds

Refer to Known and fixed issues for more information on fixed Codesafe 5 issues in Security World v13.9 STS Release 2.

Support for FIPS-203 ML-KEM in PKCS#11 (NSE-64740)

Security World v13.9 STS Release 2 introduces the ability to generate ML-KEM keys using CKM_ML_KEM_KEY_PAIR_GEN, with the following set of mechanisms available for encapsulate and decapsulate operations:

  • CKM_ML_KEM

All three parameter sets, as defined within FIPS 203, are supported: CKP_ML_KEM_512, CKP_ML_KEM_768 and CKP_ML_KEM_1024.

Use of these mechanisms requires a firmware version of v13.8.3 or greater and the PostQuantum feature to be enabled, see the User Guide for your HSM for more information.

See the nShield PKCS #11 API Reference Guide for further information on these mechanisms.

Enhanced nShield PKCS#11 high-availability support (NSE-68840)

Security World v13.9 STS Release 2 introduces high-availability support for the nShield PKCS#11 library without requiring the use of preload.

When operating in high-availability mode, the nShield PKCS#11 library will detect modules being added to, or removed from, the current Security World and, provided that one module remains available, applications will no longer require restarting to adapt to changes in module availability. This behaviour is automatically enabled when CKNFAST_LOADSHARING is set to 1 (if CKNFAST_LOADSHARING is unset, or disabled, high-availability mode will be disabled).

The interval that modules are checked can be configured by setting CKNFAST_HA_MINIMUM_INTERVAL. Note:

  • If unset, a default interval of 60 seconds is used.

  • If set to 0, high-availability mode will be disabled.

The time it takes for the nShield PKCS#11 library to detect modules can vary and is dependent on both the state a module is transitioning from and, for example, whether an application is active and whether remote operator cards are in use.

If operating within a FIPS Security World, it is necessary to ensure at least one operator card is available to provide FIPS authorization.

Support for PKCS#11 RSA/AES key delivery to Global Platform cards (NSE-64059)

Security World v13.9 STS Release 2 introduces support for the delivery of RSA and AES key types to smartcards that support the Global Platform specification, using the PKCS#11 API.

nShield diagnostics tool (nfdiag) improvements (NSE-52858)

Security World v13.9 STS Release 2 introduces changes to the nfdiag utility. nfdiag now captures additional log files, diagnostics and devices information.

ECDSA with SECP256k1 in strict FIPS mode (NSE-53422)

Security World v13.9 STS Release 2 introduces support for SECP256k1 in FIPS level 3 enforced mode in JCE.

The generatekey utility can now create ECDSA keys using SECP256k1 in FIPS Level 3 Enforced Mode.

LSA signing for nShield Windows Cryptographic Providers (NSE-13511)

Security World v13.9 STS Release 2 contains Microsoft Countersigned CNG (64 bit only) DLLs which are installed by default.

This allows usage in environments where LSA protection is enabled.

Symmetric encryption performance improvements for nShield 5 (NSE-73582)

Security World v13.9 STS Release 2 introduces performance optimizations for the nShield 5 to increase bandwidth. This is especially impactful for symmetric operations in nCore, and for CodeSafe 5 communication.

For symmetric encryption and decryption, concurrent operation bandwidth is now at least doubled compared to previous releases, particularly for medium-sized and larger payloads. Exact gains depend on the operation, payload size, concurrency level, and client machine performance.

Communication bandwidth with CodeSafe 5 over the SSH tunnel (including SEEJobs) has also doubled or better as a result of these changes.

Alongside these performance improvements, the transport security strength for symmetric secrecy and authenticity has been upgraded from 128-bit to 256-bit, doubling both throughput and cryptographic strength simultaneously.

Open Source Software Updates in the Security World v13.9 STS Release 2

The following Open Source components have been updated as part of Security World v13.9 STS Release 2:

nShield 5s

OSS Name v13.9 STS Release 1 v13.9 STS Release 2

expat

2.7.1

2.7.3

hpn-ssh

N/A

18.7.1

libopenssl

3.0.16

3.0.18

linux

5.4.234

6.6.108

linux-headers

5.4.234

6.6.108

ncurses

6.4-2023060

6.5-20250705

python-setuptools

75.8.0

80.9.0

sudo

1.9.15p5

1.9.17p1

Security World Software

OSS Name v13.9 STS Release 1 v13.9 STS Release 2

gperftools-tcmalloc

2.7

2.17.2

Go

1.23.10

1.24.9

golang.org/x/crypto

v0.39.0

v0.43.0

golang.org/x/sys

v0.33.0

v0.37.0

Python

3.11.12

3.11.14

SQLite

3.49.2

3.50.3
The secworld-licenses.pdf file on the ISO images incorrectly states that OpenSSL has moved from 3.0.17 to 3.0.18 for Security World Software in v13.9 STS Release 2. OpenSSL has not changed version for v13.9 STS Release 2 for Security World Software and remains at 3.0.17.

Security World Software Python Packages

OSS Name v13.9 STS Release 1 v13.9 STS Release 2

certvalidator

0.12.0.dev1-nshield.28.900e7f7098

1.0.0+nshield.5215cff3ff

libtiff

4.7.0

4.7.1

setuptools

78.1.1

79.0.1

zeroconf

0.39.4

0.147.0

*The v13.9 STS Release 2 nShield Python contains more than one version of the setuptools package. The setuptools package labelled with nShield Python is the one primarily used by the v13.6.14 LTS Update 5 nShield Python build, unless the other packages are directly used.

nShield Connect XC and nShield 5c

OSS Name v13.9 STS Release 1 v13.9 STS Release 2

expat

2.7.1

2.7.3

libopenssl

3.0.16

3.0.17

linux

5.15.116

6.6.108

linux-headers

5.15.116

6.6.108

linux-pam

1.6.1

1.7.1

ncurses

6.5-20241109

6.5-20250705

OpenSSL

3.0.16

3.0.17

Python

3.11.12

3.11.14

setuptools

73.0.0

79.0.1

sqlite

3.49.2

3.50.3
The connect-licenses.pdf file on the ISO images incorrectly states that libopenssl and OpenSSL have moved from 3.0.17 to 3.0.18 for nShield Connect XC and nShield 5c in v13.9 STS Release 2. The correct version for libopenssl and OpenSSL in v13.9 STS Release 2 for nShield Connect XC and nShield 5c is 3.0.17.

Remote Administration Client

OSS Name v13.9 STS Release 1 v13.9 STS Release 2

certifi

2024.8.30

2025.1.31

libtiff

4.7.0

4.7.1

Python

3.11.12

3.11.14

urllib3

2.2.3

2.5.0

Deprecated and discontinued features

The following features are deprecated or discontinued in Security World v13.9. If you have been using these features, plan for a new configuration and workflow that does not make use of the feature:

  • KeySafe
    This is the legacy Java application. KeySafe 5 continues to be supported in v13.9.
    KeySafe information has been removed from the user documentation for v13.9 and later releases. Previous user documentation releases that cover KeySafe continue to be available at https://nshielddocs.entrust.com/.

Firmware images

nShield 5s firmware

The nShield 5s HSM firmware consists of 3 major components:

  • Primary Image

  • Recovery Image

  • Bootloader

The v13.9 release contains a new v13.8 firmware for the nShield 5s. This new firmware only updates the Primary image. The Recovery image and Bootloader can be kept at previously released versions.

Details on what the components are used for and how to upgrade the different components are detailed in Upgrade nShield 5s HSM Firmware. Read this section prior to upgrading any nShield 5s.

nShield 5s firmware

Type Version Description Directory VSN

Latest

13.8.4

Latest firmware with features from v13.9 STS Release 2.

firmware/nShield5s/latest/nShield5s-13.8.4-vsn5.npkg

5

Solo XC firmware

Type Version Description Directory VSN

Latest

13.8.3

Latest firmware with features from v13.9 STS Release 2.

firmware/SoloXC/latest/soloxc-13.8.3-vsn37.nff

37

nShield Edge Firmware

There is no updated nShield Edge firmware being made available with the v13.9 release.

Connect images

The nShield firmware and Connect Image ISO includes v13.9.3 Connect images that contain the Solo XC and nShield 5s firmware described in Firmware images.

Install a Connect image

As part of the Security World installation, the /opt/nfast/nethsm-firmware directory is created, but it is empty. When the Connect image that needs to be installed has been chosen, the subdirectory and the image should be copied from the nShield firmware and Connect ISO into the /opt/nfast/nethsm-firmware directory and installed onto the Connect as usual.

nShield 5c images

Type Version Description Firmware included Directory VSN

Latest

13.9.3

13.9 nShield 5c image with latest nShield 5s 13.8 firmware

13.8.4

nethsm-firmware/latest-all-13-9-3-vsn33/

33

For security reasons the Version Security Number (VSN) of the nShield 5c image has been increased to 33. Upon updating to the new images it will not be possible to downgrade to previous releases.

The following releases can be updated to post this change:

  • v13.6.12 LTS Update 4

  • v13.6.14 LTS Update 5

Connect XC images

Type Version Description Firmware included Directory VSN

Latest

13.9.3

13.9 Connect XC image with latest Solo XC 13.8 firmware

13.8.3

nethsm-firmware/latest-all-13-9-3-vsn33/

33

For security reasons the Version Security Number (VSN) of the nShield Connect XC image has been increased to 33. Upon updating to the new images it will not be possible to downgrade to previous releases.

The following releases can be updated to post this change:

  • v13.6.12 LTS Update 4

  • v13.6.14 LTS Update 5

Upgrade from previous releases

Install 13.9.3 Security World Software

Before installing this release, you must:

  • Confirm that you have a current maintenance contract that licenses you to deploy upgrades on each nShield HSM and corresponding client operating system.

  • Uninstall previous releases of Security World Software from the client machines.

For instructions, see the Installation Guide for your HSM.

Upgrade Solo XC firmware

The following are important notes to observe when upgrading the Solo XC firmware to the latest version:

If the Solo XC HSM is installed with the earlier 3.3.10 firmware it cannot be upgraded directly to the latest firmware and needs to be first upgraded to an intermediate version. Please contact nshield.support@entrust.com and request the firmware upgrade patch from 3.3.10 to 3.3.20.

If the Solo XC HSM is installed with firmware earlier than 12.50.7, 12.50.2, 3.4.2 or 3.3.41 it cannot be upgraded directly to the latest firmware and needs to be first upgraded to an intermediate version. Any of the firmware versions listed above can be used as an intermediate version. Please contact nshield.support@entrust.com for any other version of firmware.

Whilst every effort is made to ensure Solo XC firmware compatibility with all mainstream hardware and virtualized environments as well as operating systems there may be occasions where a particular configuration is not compatible (either through current version or after upgrading to a newer version of the firmware). Please contact nshield.support@entrust.com if you experience any issues following an upgrade or during integration activity.

Upgrade nShield 5s HSM Firmware

As detailed in the nShield v13.9.3 HSM User Guide, the nShield 5s HSM firmware consists of 3 major components:

  • Primary Image

  • Recovery Image

  • Bootloader

During normal operation, the nShield 5s is running firmware that is loaded from the Primary image. If required, the nShield 5s can be forced into recovery mode to run firmware loaded from the Recovery image. The main purpose of recovery mode is to allow essential maintenance activities that are not possible in when the nShield 5s is running the primary image firmware.

nShield 5s Firmware Version Check

Following the upgrade, the nShield 5s the primary image, recovery image and bootloader versions can be checked using the hsmadmin command:

hsmadmin status --json

As an example, following an upgrade, it should report as follows:

"mode": "primary",
"primary-version": "13.8.4-181-97cca219",
"recovery-version": "13.5.0-0-e2ec16eefd",
"uboot-version": "1.4.1-0-edb84d6e",

Upgrading the nShield 5s Primary & Recovery Image

Upgrade packages may contain updates for any of these components. The same upgrade method is used in all cases. The system will automatically detect which components are included in the update package and will load the firmware to the correct location.

It is not recommended to upgrade both the Primary and Recovery images at the same time. The recommended procedure is to upgrade the Primary firmware first. Test that the system performs as expected and then upgrade the Recovery firmware at a later date.

The primary and recovery images can be upgraded using the following command:

For primary:

hsmadmin upgrade nShield5s-13.8.4-vsn5.npkg --esn module-esn

and for recovery:

hsmadmin upgrade nshield5s-recovery-13-5-0.npkg --esn module-esn

Upgrading the nShield 5s Bootloader

The bootloader is the program that boots the HSM and loads the main application. The nShield 5s has a discrete bootloader that can be updated independently of the Primary and Recovery images.

Pre-Requisites

Whilst the bootloader is an independent part of the firmware, the capability to upgrade the bootloader on the nShield 5s was introduced as part of the Security World v13.4 firmware release. For earlier versions of firmware prior to v13.4, the nShield 5s firmware must be upgraded to v13.4 as a minimum to enable this bootloader upgrade to work. Contact nShield Support for details of obtaining the v13.4 version of firmware.

Upgrading bootloader

Once the primary firmware is at version v13.4 or later, the bootloader can be upgraded using the same hsmadmin upgrade command:

hsmadmin upgrade nShield5s-uboot-1-4-1.npkg --esn module-esn

Note: Once the bootloader version is upgraded, it is not possible to downgrade the bootloader to the previous version. The Primary and Recovery images can still be downgraded and upgraded independent of this bootloader version.

The v1.4.1 version of bootloader is not FIPS certified and should not be upgraded if a FIPS certified HSM is required.

Upgrade a Connect XC image

If the Connect XC HSM is installed with image earlier than 12.45, 12.46, 12.50.4, or 12.50.7 it cannot be upgraded directly to the latest Connect image and needs to be first upgraded to an intermediate version. Any of the Connect image versions listed above can be used as an intermediate version. Please contact nshield.support@entrust.com for any other version of Connect image.

Compatibility

Supported hardware

This release is targeted at deployments with any combination of the following nShield HSMs:

  • nShield 5s (Base, Mid, High)

  • Solo XC (Base, Mid, High)

  • nShield 5c (Base, Mid, High)

  • Connect XC (Base, Mid, High, Serial Console)

Supported operating systems

This release has been tested for compatibility with the following operating systems:

Operating System Solo XC nShield 5s Connect XC, nShield 5c

Microsoft Windows 10 x64

Y

Y

Y

Microsoft Windows 11 x64

Y

Y

Y

Microsoft Windows Server 2019 x64

Y

Y

Y

Microsoft Windows Server 2022 x64

Y

Y

Y

Microsoft Windows Server 2022 Core x64

Y

Y

Y

Microsoft Windows Server 2025 x64

Y

Y

Y

Red Hat Enterprise Linux 8 x64

Y

Y

Y

Red Hat Enterprise Linux 9 x64

Y

Y

Y

SUSE Enterprise Linux 15 x64

Y

Y

Y

Oracle Enterprise Linux 8 x64

Y

Y

Y

Oracle Enterprise Linux 9 x64

Y

Y

Y

Security World v13.9.3 support is restricted to the x64 architecture. Additional mainstream x64-based Linux distributions other than those listed above may be compatible, however Entrust cannot guarantee this compatibility.

API support

Java

The versions in the table below are for both Oracle JDK and Open JDK.

Version Supported

17

Y

21

Y

Python

This lists the versions of Python that are supported.

Version Supported

3.11

Y

Supported hypervisors and virtual environments

Operating System Solo XC nShield 5s Connect XC, nShield 5c

Microsoft Hyper-V Server 2016

Y

N

Y

Microsoft Hyper-V Server 2019

Y

N

Y

Microsoft Hyper-V Server 2022

Y

N

Y

VMWare ESXi 7.0

Y

N

Y

VMWare ESXi 8.0

Y

N

Y

Citrix XenServer 8.2

Y

N

Y

Supported compilers for Microsoft Windows C developers

Security World v13.9.3 C libraries for Windows were built using Visual Studio 2022 and have been compiled with the SDL flag. This makes them incompatible with older versions of Visual Studio. This applies primarily to static libraries.

Microsoft Windows developers should upgrade to Visual Studio 2022.

Version Supported

2022

Y

Known and fixed issues

hsmadmin issues and workarounds

Incorrect maintenance mode reporting

hsmadmin commands that require the HSM to be in maintenance mode occasionally fail because the module is incorrectly reported as not being in maintenance mode, even when it is.

Workaround

As this misreporting is usually transient, re-running the hsmadmin command typically succeeds.

nShield5 HSMs may fail to be discovered after execution of hsmadmin reset, blocking further hsmadmin commands

Execution of hsmadmin reset may prevent the nShield 5s from being discovered during subsequent hsmadmin commands which prevents them from running.

This may occur when an alternative FPGA image is loaded using:

hsmadmin select hsmadmin reset

The error encountered will start with Exception in thread zeroconf-ServiceBrowser-_ns-setup and will be 1 of the following:

UnicodeDecodeError InvalidESNError

A module in this state can be recovered by either:

Option A

Restart the Hardserver, then execute: hsmadmin reset --force hsmadmin enroll

Option B (Linux only)

/opt/nfast/sbin/install
Reference Scope Status Description

NSE-74083

Client-side

Resolved

Addressed and issue where Java PublishedSEEWorld’s getInitStatus() method would throw a null pointer exception for already successfully initialised Worlds.

Resolved in 13.9 client-side.

NSE-72542

Client-side

Resolved

Addressed an issue where SEElib_StartProcessorThreads() no longer crashes if nthreads is too high.

Resolved in 13.9 client-side.

NSE-72539

Client-side

Resolved

Addressed an issue where 'pending job table full' / Status_ObjectNotReady error from SEElib_Transact() no longer occurs when many hundreds of threads are created.

Resolved in 13.9 client-side.

NSE-72532

Client-side

Open

Running perfcheck may result in a Too many open files Python exception if the system in use is low on resources.

Issue first found in 13.9

NSE-72090

Connect 5c

Resolved

Addressed an issue where new remote client connections to a Connect or 5c would be rejected if the module failed after startup (this did not affect clients that were already connected when the failure occurred). This change supports remote recovery using a privileged client, using "nethsmadmin -r -m1" to reboot the appliance, or (in the case of 5c) using "nopclearfail -r -m1" to attempt to retry after an error (e.g. to clear an SOS code). Note that if an error is cleared without a reboot, it may be necessary to restart the client hardserver (or remove and re-import the 5c using nethsmenroll) in order to reflect the updated state of no longer being Failed. This is not required if the appliance is rebooted instead.

Resolved in 13.9 client-side.

NSE-71960

Client-side

Resolved

Addressed an issue where 'cnglist --show-sd' would not produce extra information correctly.

Resolved in 13.9 client-side.

NSE-71959

Client-side

Resolved

Addressed an issue where NTE_NOT_FOUND errors would appear when listing CNG keys verbosely.

Resolved in 13.9 client-side.

NSE-71927

Client-side

Resolved

Addressed an issue where csadmin image signing can fail when not all modules are usable within the current Security World.

Resolved in 13.9 client-side.

NSE-71923

Client-side

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 client-side.

NSE-71851

Client-side

Resolved

csadmin image signing subcommands now support specifying the application type (such as 'simple' or 'seeinteg') for Developer ID keys and Application Signing Keys. The previous default of 'simple' application type is retained for now for compatibility, but 'seeinteg' may be a more convenient choice for the Application Signing Key in order to support the use of the 'seeintegname' option in the 'generatekey' tool to generate keys that are restricted to the CodeSafe application.

Resolved in 13.9 client-side.

NSE-71838

Client-side

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 client-side.

NSE-71732

Client-side

Resolved

Fixed an issue where the automatic configuration of CodeSafe 5 via [codesafe] config section or the hsc_codesafe tool directly failed to stop existing applications on v13.4 firmware. [codesafe] configuration section and hsc_codesafe tool are now supported with v13.4 firmware when using the latest SecWorld and CodeSafe SDK.

Resolved in 13.9 client-side.

NSE-71688

Documentation

Resolved

The Security Manual has been updated to state the limitations of the Connect/5c tamper log, and to emphasize the recommendation that Audit Logging should be enabled in new Security World creation as the primary security log mechanism.

Resolved in 13.9 documentation.

NSE-71681

Firmware (5s only)

Resolved

Addressed an issue where a zero length salt could cause the HSM to fail.

Resolved in 13.8.1 firmware.

NSE-71638

Documentation

Resolved

Updated the Security Manual to clarify the HSM form factors and the distinction between the Connect/5c appliance and the certified HSM inside it.

Resolved in 13.9 documentation.

NSE-71637

Documentation

Resolved

Updated the Security Manual to clarify HSM decommissioning steps, especially that factory state is recommended for Connect/5c/5s modules, not just erasure of the Security World.

Resolved in 13.9 documentation.

NSE-71635

Connect XC and 5c

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect Images.

NSE-71617

Connect XC and 5c

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect Images.

NSE-71565

Connect XC and 5c

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect Images.

NSE-71493

Client-side

Resolved

Addressed an issue where _nfpython3.so in CodeSafe5 SDK is not stripped.

Resolved in 13.9 client-side.

NSE-71350

Connect

Resolved

Addressed an issue where the Connect unit cannot upgrade from v12.x Connect images.

Resolved in 13.9 Connect images.

NSE-71308

Connect

Resolved

Fixed an issue where client licenses for 4 clients would not be applied correctly on Connect XC/5c in v13.6 or v13.7 Connect images. This issue is fixed in v13.6.12 (latest v13.6 LTS) and in v13.9 Connect images.

Resolved in 13.9 Connect images.

NSE-71089

Firmware

Resolved

Addressed an issue to stop accepting elliptic curve domain parameters with certain types of unsupported fields.

Resolved in 13.8 firmware.

NSE-70686

Client-side

Resolved

Addressed an issue where the nShield 5s wouldn’t be available for several minutes after a reboot.

Resolved in 13.9 client-side.

NSE-70540

Firmware

Resolved

Addressed an issue where launcher does not check certificate policies for CS5 intermediate certs.

Resolved in 13.8 firmware.

NSE-70375

Firmware (5s only)

Resolved

Addressed an issue with EllipticCurve ASN.1 inputs

Resolved in 13.8.1 firmware.

NSE-70302

Client-side

Resolved

Addressed an issue where cksotool doesn’t ask for FIPS auth in a sensible way.

Resolved in 13.9 client-side.

NSE-70283

Client-side

Resolved

Addressed an issue where 'signextra' with non-FIPS mechanisms gives StrictFIPS140 error on load.

Resolved in 13.9 client-side.

NSE-70232

Firmware (5s only)

Open

While under a prelonged period of heavy load generated by continuous signing or key generation operations using MLDSA 44, the 5s or 5c unit may fail with a RC_SP_WRONG_PREAMBLE error in the logs. Restarting the unit will restore it to a working state.

Issue first found in 13.8.1 firmware

NSE-70194

Client-side

Resolved

Addressed an issue where harmless operations are not logged if a key has any restrictions.

Resolved in 13.9 client-side.

NSE-70105

Client-side

Resolved

Addressed an issue where the Codesafe XC NFKM libraries for GLIBC were missing from the Codesafe installer.

Resolved in 13.9 client-side.

NSE-70062

Client-side

Resolved

Fixed an issue where a CodeSafe 5 application would abort if more than 154 jobs were enqueued simultaneously.

Resolved in 13.9 client-side.

NSE-70007

Firmware

Resolved

Addressed an issue where KCDSA domain validation did not check parameters correctly.

Resolved in 13.8 firmware.

NSE-69976

Client-side

Resolved

Addressed an issue where generatekey was missing AES import.

Resolved in 13.9 client-side.

NSE-69925

Client-side

Resolved

Addressed various memory leaks in RQCard library.

Resolved in 13.9 client-side.

NSE-69830

Client-side

Resolved

Addressed an issue where ch_checkkey() didn’t reject non-FIPS keys in FIPS mode.

Resolved in 13.9 client-side.

NSE-69623

Firmware

Resolved

Addressed RSA length inconsistencies.

Resolved in 13.8 firmware.

NSE-69523

Client-side

Resolved

Addressed small memory leaks in C_Initialize, when run against a FIPS level 3 enforced Security World.

Resolved in 13.9 client-side.

NSE-69520

Client-side

Resolved

Fixed an issue on Windows where perfcheck called the deprecated Windows wmic tool, which may no longer be installed, to query CPU information for its report.

Resolved in 13.7 client-side.

NSE-69503

Client-side

Resolved

Addressed an issue where the signers_transact() was broken in Codesafe 5 Developer examples.

Resolved in 13.9 client-side.

NSE-69326

Client-side

Resolved

Addressed an issue where sendcerts permits groups below the ciphersuite’s minimum.

Resolved in 13.9 client-side.

NSE-69076

Client-side

Resolved

Improved the CodeSafe 5 crash reporter so that some information would be provided even when a full backtrace was not available.

Resolved in 13.7 client-side.

NSE-69053

Client-side

Resolved

Addressed an issue where the nShield 5s driver failed to report the version in dmesg.

Resolved in 13.9 client-side.

NSE-69020

Connect

Resolved

Addressed an issue where the Connect 5c upgrade will fail to upgrade if the time is not set on the module. Refer to Unset module RTC upgrade issue on Connect 5c units for more information.

Resolved in 13.9 Connect images.

NSE-68919

Client-side

Resolved

The csadmin tool is now strict by default in requiring that the "launcher" service on the HSM has an attestation certificate. This certificate is only available in v13.5 and later firmware (and a factory state may be required to generate it if it is not present). If using a firmware version without support for attestation certificates (such as v13.4), the NC_SSH_ATTEST_CERT or NC_SSH_ATTEST_<esn> environment variables can be set in the environment of the csadmin tool to control the behaviour if there is a missing certificate. It can be set to IGNORE (connection proceeds silently), WARN (previous behavior prior to this change), or FAIL (connection will fail, new behavior). Setting NC_SSH_ATTEST_CERT=WARN or NC_SSH_ATTEST_CERT=IGNORE is suggested if using v13.4 firmware. It is recommended that factory state be done if necessary to generate the certificate if using v13.5 or later firmware if it is currently absent.

Resolved in 13.9 client-side.

NSE-68675

Client-side

Resolved

Addressed some performance and scheduling issues.

Resolved in 13.9 clientside.

NSE-68534

Firmware

Resolved

Addressed an issue where legacy key-migration mistakes could lead to an inability to carry out further key-migration.

Resolved in 13.8 firmware.

NSE-68179

Client-side

Resolved

Fixed an issue on Windows where an unwanted message box could appear relating to the TVD driver installation during a Security World software or Remote Administration software installation.

Resolved in 13.7 client-side.

NSE-68093

Firmware

Resolved

Addressed performance issues with Codesafe 5 administration operations.

Resolved in 13.8 firmware.

NSE-68044

Client-side

Resolved

Addressed an issue where the csadmin utility failed to include the scope ID when reporting link-local addresses.

Resolved in 13.7 client-side.

NSE-68007

Client-side

Resolved

Fixed an issue where incorrect parameters in client nCore commands (like wrong module number) were unnecessarily reported as errors in the hardserver log.

Resolved in 13.7 client-side.

NSE-67930

Client-side

Resolved

Fixed an issue where CodeSafe 5 CSEE (SEElib) applications could fail with SIGPIPE in some cases.

Resolved in 13.7 client-side.

NSE-67913

Firmware

Resolved

Addressed an issue with service restrictions and permissions.

Resolved in 13.8 firmware.

NSE-67846

Client-side

Resolved

Fixed an issue where the nShield Audit Service could fail to correctly resume handling the export and expiry of system logs where an interruption had occurred during export on a previous run.

Resolved in 13.7 client-side.

NSE-67839

Client-side

Resolved

Addressed an issue where DHPrivate 'xlength' checking is not exact.

Resolved in 13.9 client-side.

NSE-67776

Firmware

Resolved

Addressed an issue where the ch_generatekeypair didn’t always spot bogus key generation parameters.

Resolved in 13.8 firmware.

NSE-67758

Firmware

Resolved

Addressed an issue where the firmware would provide incomplete validation error messages in response to the csadmin utility loading a Codesafe 5 application.

Resolved in 13.8 firmware.

NSE-67601

Firmware

Resolved

Addressed an issue where the incorrect BIOS code would be reported when the VCM would fail to start in single-tenant mode.

Resolved in 13.7 firmware.

NSE-67579

Client-side

Resolved

Fixed an issue where output from nshieldaudit when printing to stdout rather than to file was not in JSON format as intended.

Resolved in 13.7 client-side.

NSE-67248

Client-side

Resolved

Addressed an issue where the auditlog spooler service would log every 5 minutes when unconfigured.

Resolved in 13.9 client-side.

NSE-66905

Documentation

Resolved

The documented set of allowed CodeSafe 5 system calls now reflects the set of system calls allowed by seccomp.

Resolved in 13.7 documentation.

NSE-66800

Client-side

Resolved

Addressed an issue where some client-side Codesafe developer libraries were shipped as source code rather than built as libraries.

Resolved in 13.9 client-side.

NSE-66437

Connect

Resolved

Made the Connect CLI command setminvsn more user-friendly.

Resolved in 13.7 Connect images.

NSE-66432

Connect

Resolved

Addressed an issue with hsmdiagnose where a test was incorrectly skipped.

Resolved in 13.7 Connect images.

NSE-66415

Open

The appliance-cli gethsmstatus command returns a 'Failed to retrieve status' error when executed against Legacy FIPS Connect image. This means the version information for the Legacy FIPS Connect image cannot be retrieved at this time.

Issue first found in 13.6

NSE-66256

Client-side

Resolved

Addressed an issue where the message "Failed to parse last log data from current log" would be displayed in the nshieldauditd logfile.

Resolved in 13.7 client-side.

NSE-66232

Firmware

Resolved

Addressed a firmware issue which prevented CodeSafe 5 CSEE machines built with 13.4 SDK from working on later versions of firmware. Applications built with 13.4 SDK will work on 13.7 and later firmware, but they cannot run on 13.5 firmware which does not have this fix.

Resolved in 13.7 firmware.

NSE-65799

Client-side

Resolved

Addressed an issue where a stack trace would be displayed during installation on SLES12 platforms.

Resolved in 13.7 client-side.

NSE-65310

Client-side

Resolved

Addressed an issue where encryption with CKM_AES_CTR in PKCS#11 failed if used with a token key that had not been loaded on the module..

Resolved in 13.9 client-side.

NSE-65292

Firmware

Resolved

Addressed an issue where a Status_Failed message would occur instead of Status_DecryptFailed with RSAUnwrap and AES Key unwrapping under certain circumstances.

Resolved in 13.7 firmware.

NSE-65229

Firmware

Resolved

Addressed an issue where DeriveMech_PublicFromPrivate doesn’t work with Ed448Private.

Resolved in 13.7 firmware.

NSE-65109

Firmware

Resolved

Addressed an issue where the Solo XC was too enthusiastic to clear the module from the clear button.

Resolved in 13.7 firmware.

NSE-64885

Client-side

Resolved

Addressed an issue where the CONNECTION ERROR: Unable to connect to 'monitor' failure would occur when multiple clients were attempting to connect to the monitor service.

Resolved in 13.7 client-side.

NSE-64885

Documentation

Resolved

Addressed an issue where the M_AESmGCM HTML docs omitted the ciphertext format.

Resolved in 13.7 documentation.

NSE-64625

Client-side

Resolved

Addressed an issue where HSM Pool Mode would not work in PKCS #11 with a v13 client-side and older v12 firmwares.

Resolved in 13.9 client-side.

NSE-64525

Client-side

Resolved

Addressed an issue where nfkmverify didn’t accept keys which could perform ECIES unwrapping.

Resolved in 13.9 client-side.

NSE-64438

Firmware

Resolved

Addressed an NVMWearLevel issue for Solo XC and nShield 5s units.

Resolved in 13.7 firmware.

NSE-64409

Client-side

Resolved

Fixed an issue which prevented later CodeSafe SDKs from running on v13.4 firmware. Rebuilding application with the latest CodeSafe SDK will enable it to run on v13.4 firmware. This re-enables support for applications written in C. For Python support, the v13.4 CodeSafe SDK must continue to be used with v13.4 firmware. Newer CodeSafe SDK is supported on v13.5 and later firmware in all cases.

Resolved in 13.9 client-side.

NSE-64304

Client-side

Resolved

Addressed an issue where D3S certificates appear in ncoreapi’s stderr.

Resolved in 13.9 client-side.

NSE-63892

Client-side

Resolved

Addressed an issue where generated nCore HTML pages could be missing.

Resolved in 13.7 client-side.

NSE-63502

Open

When using KeySafe5 with the agent on the Connect the following error will populate the logs 'Command failed: monitor codesafestats get-all'. Users should increase the codesafe_update_interval using the ks5agent command via the Connect CLI.

ks5agent cfg codesafe_update_interval=48h

If you wish the logs to be cleared then enabling the Audit tooling will expire the system logs containing the above error.

Issue first found in 13.6

NSE-63449

Client-side

Resolved

Addressed an issue in PKCS#11 where the following error would be reported: 'Key generation certificate with no private/secret key?'

Resolved in 13.7 client-side.

NSE-63444

Client-side

Resolved

Addressed an issue in PKCS#11 where a mixing up of key type enums cause a 'NFBER_Encode_Octet_BitStr_Key failed for len' error.

Resolved in 13.7 client-side.

NSE-63091

Client-side

Resolved

Fixed an issue where the C_GetAttributeValue return value could be overwritten.

Resolved in 13.9 client-side.

NSE-62533

Client-side

Resolved

Addressed an issue in PKCS#11 where SELinux would prevent CodeSafe 5 SEE Machines from binding on some ports.

Resolved in 13.7 client-side.

NSE-62267

Client-side

Resolved

Addressed and issue where multiple hardware failures on Edge units would occur.

Resolved in 13.9 client-side.

NSE-61967

Client-side

Resolved

Addressed an issue where the tar utility would be killed by seccomp when used within a CodeSafe 5 application.

Resolved in 13.7 client-side.

NSE-61966

Client-side

Resolved

An issue has been fixed where, if a CodeSafe 5 machine created files on its local disk, 'csadmin destroy' reported an error when trying to remove those files.

Resolved in 13.9 client-side.

NSE-61540

Client-side

Resolved

Addressed an issue where the CS5 Compatibility Layer would not stay listening for incoming connections.

Resolved in 13.7 client-side.

NSE-61148

Firmware

Resolved

Addressed an issue where the init log is not created by replacement Python code as it should be.

Resolved in 13.7 firmware.

NSE-61033

Firmware (5s only)

Resolved

Addressed an issue where deprecated options were reported in the nShield 5s system logs.

Resolved in 13.7 nShield 5s firmware.

NSE-60936

Firmware

Resolved

Addressed an issue where Codesafe can lose trace data.

Resolved in 13.7 firmware.

NSE-60554

Client-side

Resolved

Addressed an issue where TUAK and Milenage session key generation performance had decreased due to the need to generate key generation certificates at the point of key generation. This has been resolved by adding a new PKCS#11 environment variable: CKNFAST_SESSION_TO_TOKEN, this is enabled by default. The default behaviour is to generate session keys without Key Generation Certificates. This can be disabled by setting CKNFAST_SESSION_TO_TOKEN=0.

Resolved in 13.7 client-side.

NSE-59598

Client-side

Resolved

Fixed an issue where RQCard used in conjunction with nflog could cause a segmentation fault.

Resolved in 13.9 client-side.

NSE-59281

Client-side

Resolved

Addressed an issue where CodeSafe developer id certificates can be issued for RSA keys and the issued RSA keys can now sign images.

Resolved in 13.9 client-side.

NSE-57030

Client-side

Resolved

On Linux, the sshadmin client key for nShield 5s is now backed-up automatically to /root/.ssh/id_nshield5_sshadmin as a precaution against /opt/nfast/services/client directory being deleted. This backup is restricted to the local machine by default. It is recommended on both Windows and Linux to backup the sshadmin key if using nShield 5s. If it may be necessary to move the HSM to a different machine (or to reinstall the OS) at a later stage, the key should be backed up with the "hsmadmin keys backup --passphrase" option so that it is protected by a passphrase rather than being restricted to the local machine and OS installation.

Resolved in 13.9 client-side.

NSE-55780

Open

Starting a CodeSafe 5 SEE machine on an nShield 5c mentions "Could not find nshield network interfaces for service discovery" in the verbose output.

Issue first found in 13.4

NSE-55428

Open

Building classic Codesafe examples fails with older compiler.

Issue first found in 13.4

NSE-55425

Firmware

Resolved

Addressed an issue where 'Unable to perform operation due to service interdependency lock' was reported when using the csadmin utility.

Resolved in 13.7 firmware.

NSE-55378

Open

Minor inconsistency when enabling autostart via csadmin config.

NSE-55142

Open

From 13.4 keys generated using ckrsagen will now produce a warning using nfkmverify, this is due to stricter policy enforce on unwrap permissions. To overcome this use CKA_UNWRAP_TEMPLATE when generating PKCS#11 keys.

Issue first found 13.4

NSE-55136

Client-side

Resolved

Fixed an issue where offline produced Codesafe 5 image signatures would fail CreateSEEConnection.

Resolved in 13.9 client-side.

NSE-52456

Firmware (5s only)

Resolved

Addressed an issue where hsmadmin settime would leave the module around 2 seconds behind the host.

Resolved in 13.7 nShield 5s firmware.

NSE-52302

Firmware (5s only)

Resolved

Addressed an issue with impath command sanitization.

Resolved in 13.8.1 firmware.

NSE-50848

Client-side

Resolved

Fixed an issue where ckmechinfo would advertise wrap support that didn’t work.

Resolved in 13.9 client-side.

NSE-50050

Client-side

Resolved

Fixed an issue where the nfkmverify utility would not reject wrapping keys with the decrypt permission set.

Resolved in 13.9 client-side.

NSE-49263

Client-side

Resolved

Fixed an issue where mkaclx printed an unclear error when a malformed ident string was specified on the command-line.

Resolved in 13.9 client-side.

NSE-48991

Client-side

Resolved

Addressed an issue where nfkmutils.loadkey did not support softcards.

Resolved in 13.7 client-side.

NSE-43472

Client-side

Resolved

Addressed various issues with nfkmutils.loadkey.

Resolved in 13.7 client-side.

NSE-42031

Firmware (XC only)

Resolved

Addressed a gradual increase in memory usage on nShield Solo XC modules.

Resolved in 13.7 nShield Solo XC firmware.

NSE-41205

Firmware (XC only)

Resolved

An issue has been fixed that can cause a Solo XC or Connect XC HSM to enter an SOS state after many days of running. The issue would have generally manifested as an SOS-HV or SOS-HRTP, but other SOS codes are possible. A number of "SpiRetries" as reported by stattree utility may precede the failure.

Resolved in 13.7 nShield Solo XC firmware.

NSE-48073

Open

Connect+ models running software earlier than v12 must first be upgraded to a v12 version before being upgraded to v13. See section Upgrade from previous releases for more details.

Issue first found in 13.3

NSE-42017

Connect

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect images.

NSE-39031

Open

In Security World v12.10 a compliance mode was added to the Connect to allow compliance with USGv6 or IPv6 Ready requirements.

Issue first found in 12.80

NSE-36086

Client-side

Resolved

Addressed an issue where OpenSSH did not enable TCP_NODELAY resulting in latency spikes in CodeSafe 5 communication.

Resolved in 13.7 client-side.

NSE-35974

Firmware

Resolved

Addressed an issue where nvram-sw could not delete all NVRAM files.

Resolved in 13.8 firmware.

NSE-35520

Client-side

Resolved

Addressed an issue where the nfkmverify utility would reject future impath groups.

Resolved in 13.9 client-side.

NSE-28606

Open

Entrust do not recommend migrating keys to non-recoverable worlds since it would then be impossible to migrate the keys in future should the need arise. If keys are migrated into a non-recoverable world then it is not possible to verify OCS and softcard protected keys directly with nfkmverify. The OCS or softcards must be preloaded prior to attempting to verify the keys.

NSE-25401

Open

When installing 12.60 on a Dell XPS 8930 PC, a "Files in Use" screen may be displayed where it prompts to close down and restart Dell, Intel and NVIDIA applications. This can be ignored.

Issue first found in 12.60

NSE-24335

Open

This issue applies to 12.50.11 XC firmware only. As a result of work to improve the upgrade experience with Solo XC it is necessary to add the following lines to /etc/vmware/passthru.map for successful operation of Solo XC in an ESXi environment:

# Solo XC

1957 082c link false

Issue first found in 12.50

NSE-23982

Open

While resetting password if user enters incorrect password, cli prompt prints lone "I". This is where login handler program would print "Incorrect password for cli" message. Only "I" gets through the wire in time due to slow baud rate of the connection. This error is trivial and is only seen at the first log in during password reset.

Issue first found in 12.50

NSE-22692

Client-side

Resolved

Addressed an issue where the rocs utlity would truncate key names where were more thatn 24 characters long.

Resolved in 13.9 client-side.

NSE-22484

Client-side

Resolved

Addressed an issue where the generatekey utility would ignore preloaded FIPS auth.

Resolved in 13.9 client-side.

NSE-14406

Open

In the Connect config file the remote_sys_log config entry implies multiple entries can be defined but only one remote syslog server can be configured.

Issue first found in 12.50

NSE-8568

Client-side

Resolved

Addressed an issue on Linux platforms where the edgeHandler.sh script failed to cope with more than 1 serial_dtpp_device line in the configuration file.

Resolved in 13.9 client-side.

NSE-4551

Client-side

Resolved

Addressed an issue where unregistering the CNG providers using the cngregister utility would complain that it failed to delete the local machine key.

Resolved in 13.9 client-side.