nShield 5c CodeSafe 5 Configuration
The nShield 5c (Connect) can be configured for two different modes of automatic CodeSafe 5 SEE machine loading. These two configurations are mutually exclusive:
- Automatic loading from the `[codesafe]` configuration section in the nShield 5c (Connect) appliance `config` file. See: Auto-Load Configuration of CodeSafe 5 Applications via the nShield 5c. If using SEEJobs, this enables multiple remote clients to communicate with the CodeSafe 5 application via its published SEE World ID. It also allows the CodeSafe application to be loaded automatically on appliance startup, so that it is ready for SEEJobs or other TCP communication (as implemented by the CodeSafe application) shortly after boot. In this case, SEEJobs communication externally on the network is secured via nCipher Secure Transport/Impath rather than SSH, and the internal communication between the 5c hardserver and the CodeSafe application inside the HSM may optionally be configured as plaintext for performance reasons, if this is acceptable under the security model (SSH is used internally in the appliance by default).
- A single remote client machine has direct control over the CodeSafe `launcher` service inside the HSM and direct access to configure the CodeSafe application via the `csadmin` utility run on the client machine. This does not allow multiple remote clients to access the CodeSafe 5 application via SEEJobs, although any non-SEEJobs TCP services exposed in the CodeSafe application's firewall rules will still be accessible via the 5c's network interface. This setup uses the `[codesafe]` configuration section in the `config` file of the machine that is the client of the nShield 5c, in which case both the `launcher` and (if applicable) SEEJobs SSH protocol keys are securely exchanged automatically, enabling secure communication directly to the HSM inside the 5c over the network. See: Automatic Configuration of CodeSafe 5 Applications via the Host Machine. This configuration is more convenient for debugging (including interactive `hsc_codesafe` execution) because of the direct `csadmin` and `launcher` service access, and it also enables direct communication to the HSM for SEEJobs, which has security and performance benefits.
It is also possible to configure the nShield 5c for CodeSafe 5 manually. See CodeSafe 5 setup for the nShield 5c for more information about manual setup where it is required: for unprivileged clients, where the automatic configuration is not used, or when using a Connect image prior to v13.7, the version in which automatic configuration was introduced.