Auto-Load Configuration of CodeSafe 5 Applications via the nShield 5c

The nShield 5c (Connect) with this configuration supports the following CodeSafe 5 functionality:

  • CodeSafe 5 applications can be started directly via the nShield 5c (Connect) config file, with CodeSafe 5 and Developer ID certificates pulled automatically from the RFS.

  • Applications specified in the nShield 5c config are started automatically when the nShield 5c is rebooted or module cleared.

  • CodeSafe 5 applications loaded directly from the nShield 5c can make their SEE World ID available as a published object, enabling multiple remote client machines to communicate with the same CodeSafe 5 application via the SEEJobs protocol.

Installation and Setup

Install the latest nShield host-side software and run the rfs-setup utility to allow the nShield 5c to retrieve the required Developer ID certificate(s) from the RFS’s cscerts volume. If you have previously configured your RFS prior to this release, rfs-setup must be run again to add the permission for this new volume.

Build and sign the CodeSafe 5 image as described in Building CodeSafe 5 applications.

Permit the nShield 5c to have a configuration file pushed from a remote machine. By default, the configuration file can be pushed from the RFS, provided it is authenticated. To allow another remote client to push configuration, use the 5c’s Client config push menu from its front panel UI (menu 1-1-6-2). For more information, see Connect configuration.

Configure the nShield 5c to append its logs (hardserver and system logs) to the RFS once per minute in order to get timely feedback on CodeSafe 5 configuration operations. For more information, see Connect logging configuration.

Copy the Developer ID certificate(s) required by the CodeSafe 5 application to this directory on the RFS /opt/nfast/kmdata/cscerts (Linux) or C:\ProgramData\nCipher\Key Management Data\cscerts (Windows).

Copy the CodeSafe 5 image into /opt/nfast/custom-seemachines (Linux) or C:\Program Files\nCipher\nfast\custom-seemachines (Windows).

Configuring CodeSafe 5 Auto-Load

Copy the original nShield 5c configuration file /opt/nfast/kmdata/hsm-<ESN>/config/config (Linux) or C:\ProgramData\nCipher\Key Management Data\hsm-<ESN>\config\config (Windows) to config.new in the same directory.

SEEJobs Configuration

Edit the nShield 5c config.new file’s [codesafe] section on the RFS to have the following contents (replace seemachine.cs5 with the actual filename - this will be pulled from the RFS volume for custom-seemachines so just the filename and not the path must be used here):

[codesafe]
image_file=seemachine.cs5
worldid_pubname=mysee
pull_rfs=yes

Optimized SEEJobs Configuration

The seejobs_transport=plain option may be used to allow plaintext communication internally inside the appliance, between the 5c (Connect) hardserver and the CodeSafe 5 application running on the HSM inside the appliance. This improves SEEJobs latency and throughput and may be appropriate if plaintext internal communication is acceptable for your security model. Remote communication for SEEJobs is secured via nCipher Secure Transport/Impath regardless of this setting, so communication is always secured on the external network.

[codesafe]
image_file=seemachine.cs5
seejobs_transport=plain
worldid_pubname=mysee
pull_rfs=yes

Non-SEEJobs Configuration

If SEEJobs are not being used, the seejobs_port option can be set to 0. The worldid_pubname option may still be specified, but may not be relevant unless the SEE World ID is needed for ticketing objects. Non-SEEJobs TCP protocols that are allowed in the CodeSafe 5 application’s firewall rules will be exposed on the 5c’s external network interface in this case.

[codesafe]
image_file=seemachine.cs5
seejobs_port=0
pull_rfs=yes

Copying the Configuration and CodeSafe 5 Application to the Appliance

For more information on the [codesafe] section, see CodeSafe 5 configuration section.

Permit the nShield 5c to have a configuration file pushed from a remote machine. By default, the configuration file can be pushed from the RFS machine, provided it is authenticated.

To allow another remote machine to push configuration, use the 5c’s Client config push menu from its front panel UI (menu 1-1-6-2).

Configure the nShield 5c to append its logs (hardserver and system logs) to the RFS once per minute in order to get timely feedback on CodeSafe 5 configuration operations. Alternatively, you can configure a remote UDP syslog server to receive streamed logs, or you can obtain the most recent logs that have not yet been pushed to the RFS on demand from a privileged client by using the following commands (replace -m1 with the module number of the 5c):

appliance-cli -m1 getservlog --log hardserver
appliance-cli -m1 getservlog --log system

Push the configuration to the nShield 5c using the cfg-pushnethsm utility.

On Linux:

cfg-pushnethsm -a <nShield 5c IP address> -m <module number> /opt/nfast/kmdata/hsm-<ESN>/config/config.new

On Windows:

cfg-pushnethsm -a <nShield 5c IP address> -m <module number> "C:\ProgramData\nCipher\Key Management Data\hsm-<ESN>\config\config.new"

The CodeSafe application is automatically transferred from the RFS to the nShield 5c appliance storage within a few seconds. This will not immediately apply the configuration to the HSM itself or stop any currently running CodeSafe 5 application, but will allow the new configuration to be applied on the next reboot or clear of the module, at which point the new CodeSafe 5 application will be loaded and started automatically.

Starting the CodeSafe 5 Application

Clear the nShield 5c to apply the new configuration and start the CodeSafe 5 application:

nopclearfail -m <module number> --clear --wait

Wait for the CodeSafe 5 application to be automatically loaded and started. Check the nShield 5c’s hardserver log (using one of the logging options explained in the previous section) for the following message, which indicates that the application has been started:

Startup: hsc_codesafe:INFO: READY: /config/see/machine/seemachine.cs5 running on <ESN> (#1); SEE World ID published as mysee; appliance-cli -m <module number> cs5 getlog <UUID> to retrieve logs

Note that seemachine.cs5 mentioned in the log message is the internal filename when it has been copied from the RFS. The actual file on the RFS with the original filename specified in the config file is what will have been copied.

Clients can now communicate with the CodeSafe 5 application.

See the Debugging CodeSafe 5 applications section for information about debugging a CodeSafe 5 application.