Basic nShield Connect, RFS and client configuration
This chapter describes the initial nShield Connect, RFS and client computer configuration steps. For more about:
- Security World Software installation and options, see Installing the software.
- Installing the optional nToken, see the nToken Installation Guide.
- The menu options, see Top-level menu.
- Advanced nShield Connect and client configuration options, see the User Guide.
An installation will have only one RFS, but may have one or more clients. The RFS can also dual role as a client. Before you can continue with the following configuration, the RFS and every client must have the Security World software installed, see Installing the software.
About nShield Connect and client configuration
An nShield Connect and a client communicate using their hardservers. These handle secure transactions between the HSM within the Connect and any applications that run on the client. You must configure:
- Each client hardserver to communicate with the hardserver of the nShield Connect that it needs to use.
- The nShield Connect hardserver to communicate with the hardserver of the clients that are allowed to use it.
Multiple nShield Connects can be configured to communicate with one client, just as multiple clients can be configured to communicate with one nShield Connect.
Remote file system (RFS)
Each nShield Connect must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield Connect needs. See the User Guide for your HSM for more information about the RFS.
nShield Connect configuration
The current configuration files for the hardserver of an nShield Connect are stored in its local file system. These files are automatically:
-
Updated when the nShield Connect is configured.
-
Exported to the appropriate RFS directory.
Each nShield Connect in a Security World has separate configuration files on the RFS. See the User Guide for more about nShield Connect configuration files and advanced configuration options.
Client configuration
The current configuration files for the hardserver of a client are stored in its local file system.
See the User Guide for more about client configuration files and advanced configuration options.
The following steps assume that you have added the path %NFAST_HOME%\bin (Windows) or /opt/nfast/bin/ (Linux) to the PATH system variable.
Basic nShield Connect and RFS configuration
After installing the Security World Software and the nShield Connect, you need to do the following:
- Configure the nShield Connect Ethernet interfaces.
- Configure the RFS.
You should complete the RFS tasks before:
- Configuring the nShield Connect and client to work together.
- Creating a Security World and an Operator Card Set (OCS). See the User Guide for more about creating a Security World and the OCS.
Configuring the Ethernet interfaces - IPv4 and IPv6
An nShield Connect communicates with one or more clients over an Ethernet network. You must supply IP addresses for the nShield Connect and the client. Contact your system administrator for this information if necessary.
There are two network interfaces on the nShield Connect. Three configurations are supported:
- Single network interface.
- Two independent network interfaces. You must connect the interfaces to physically different networks.
- The two network interfaces combined as a bond interface. The bond interface can use active backup mode, or 802.3ad mode (requires a switch that supports 802.3ad).
You can configure the nShield Connect using the front panel Network config menu, or by pushing a configuration file to the nShield Connect over the network. The initial set up of the nShield Connect must be done using the front panel. The following can be configured:
- Interface addresses
- Bond
- Default gateway
- Network routes
- Network speed.
If the nShield Connect is already configured, you can update the displayed values.
If you ever change any of the IP addresses on the nShield Connect, you must update the configuration of all the clients that work with it to reflect the new IP addresses.
By default, the hardserver listens on all interfaces. However, you can choose to set specific network interfaces on which the hardserver listens. This may be useful, for example, if one of the Ethernet interfaces is connected to external hosts. See the User Guide for more information.
IPv4 and IPv6
Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:
- IPv4 only
- IPv4 and IPv6
- IPv6 only.
Interface #1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled.
IPv6 addresses
An IPv4 address is 32 bits long and typically represented as 4 octets, for example 192.168.0.1. An IPv6 address is 128 bits long and is made up of a subnet prefix (n bits long) and an interface ID (128 - n bits long).
An IPv6 address and its associated subnet is typically represented by the notation ipv6-address/prefix-length, where:
-
ipv6-address is an IPv6 address represented in any of the notations described below.
-
prefix-length is a decimal value specifying how many of the leftmost contiguous bits of the address make up the prefix.
The IPv6 address notation mirrors the way subnets are represented in the IPv4 Classless Inter-Domain Routing (CIDR) notation.
IPv6 address notation
An nShield Connect will accept an IPv6 address if it is entered in one of the forms shown below and if the address is valid for the context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings:
- The long representation is x:x:x:x:x:x:x:x, where each x is a field of hexadecimal characters (0 to ffff) representing 16 bits of the address. For example:
1234:2345:3456:4567:5678:6789:789a:89ab
1234:5678:0:0:0:0:9abc:abcd/64
- If one or more consecutive fields are 0 then they can be replaced by ::. For example, 1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64. :: can only appear once in an IPv6 address.
Unless the address is a link-local address, the nShield Connect front panel only allows lower-case letters in an IPv6 address.
IPv6 addresses keyed manually on the nShield Connect front panel are validated on entry by the nShield Connect. As well as checking that the format of the address is correct, the nShield Connect also validates that the address entered is valid for the context in which it will be used, see Acceptable IPv6 address by use case.
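As an added example (not code from the Entrust guide), the notation rules above applied by a small validator that a network planner can run over candidate addresses before keying them into the front panel or putting them in a pushed configuration file. It uses Python's standard ipaddress module; the address-class names it reports and the sample inputs are the example's own, and it goes slightly beyond the text by also handling the %interface scope suffix that a link-local gateway address carries (Python 3.9 or later is needed for that).

```python
"""Added example, not from the Entrust guide: check IPv6 text the way the
nShield Connect front panel is described as checking it.

Rules applied: long or '::'-compressed form, '::' at most once, optional
/prefix-length in 0..128, lower-case hex digits unless the address is
link-local, and an optional '%scope' suffix (a link-local gateway needs an
interface, which the Connect then asks for). The address class reported
(link-local, unique-local, global, ...) is the input to the Connect's
per-use-case acceptance rules; the class names here are this script's own.
"""
import ipaddress

UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def classify(addr: ipaddress.IPv6Address) -> str:
    """Name the address class; more specific ranges are tested first."""
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global" if addr.is_global else "reserved"


def parse_front_panel(text: str) -> dict:
    """Validate TEXT as the front panel would; raise ValueError with the reason."""
    addr_text, _, prefix_text = text.strip().partition("/")
    if addr_text.count("::") > 1:
        raise ValueError("'::' may appear only once in an IPv6 address")
    try:
        scoped = ipaddress.IPv6Address(addr_text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a valid IPv6 address: {exc}") from None
    # Only lower-case hex digits are accepted, except for link-local
    # addresses. The scope id after '%' is an interface name, so it is
    # left out of the case check.
    bare = addr_text.split("%", 1)[0]
    if not scoped.is_link_local and bare != bare.lower():
        raise ValueError("use lower-case hex digits (non-link-local address)")
    prefix_len = None
    if prefix_text:
        if not prefix_text.isdigit() or int(prefix_text) > 128:
            raise ValueError("prefix length must be a decimal value 0..128")
        prefix_len = int(prefix_text)
    # Rebuild from the raw 16 bytes so the long/short forms carry no scope id.
    addr = ipaddress.IPv6Address(scoped.packed)
    return {
        "long": addr.exploded,      # x:x:x:x:x:x:x:x, every field 4 digits
        "short": addr.compressed,   # longest run of zero fields as '::'
        "prefix_len": prefix_len,
        "scope": scoped.scope_id,   # 'eth0' for 'fe80::1%eth0', else None
        "kind": classify(addr),
    }


def is_acceptable_text(text: str) -> bool:
    """True if TEXT passes parse_front_panel, False otherwise."""
    try:
        parse_front_panel(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the guide's two sample addresses plus edge cases.
    for sample in ("1234:5678:0:0:0:0:9abc:abcd/64", "1234:5678::9abc:abcd/64",
                   "fc00::1", "fe80::1%eth0", "FE80::1%eth0",
                   "1234:5678::9ABC:ABCD", "1234::5678::9abc", "::/129"):
        try:
            print(f"{sample:32} -> {parse_front_panel(sample)}")
        except ValueError as exc:
            print(f"{sample:32} -> rejected: {exc}")
```

Whether a given class is acceptable for a given use (static address, gateway, route, RFS or client address) is still decided by the Connect according to the table in Acceptable IPv6 address by use case; the validator only tells you which class you are about to offer it, and rejects text the front panel would refuse on format grounds.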
If Stateless Address Auto Configuration (SLAAC) is enabled, the nShield Connect automatically forms IPv6 addresses from network prefixes contained in Router Advertisements (RAs). RAs are received directly by the nShield Connect operating system, which forms IPv6 addresses by combining the network prefixes contained in the RA with the MAC address of the receiving Ethernet interface. Because they are created by the operating system, SLAAC IPv6 addresses are not subject to the same validation rules as addresses entered via the nShield Connect front panel. If SLAAC is to be used to configure nShield Connect IPv6 addresses in preference to statically entered addresses, network planners must take care to ensure that the prefixes advertised to the nShield Connect are of a suitable type, see Acceptable IPv6 address by use case.
IPv6 compliance
A new sub-menu (1-1-1-9 - Set IPv6 compliance) has been added to the nShield Connect front panel menu to permit the user to select an IPv6 compliance mode for an nShield Connect. Compliance with USGv6 or IPv6 Ready can be selected.
Both these modes change the settings for the nShield Connect firewall so that it passes through packets which are discarded in the normal Default mode. This behaviour is required for compliance testing but is not recommended for normal use, since allowing packets with invalid fields or parameters through the firewall increases the attack surface. When either USGv6 or IPv6 Ready is selected, a confirmation message is displayed to reduce the likelihood that it is enabled by accident.
It is recommended that the IPv6 compliance mode is set to Default for all normal operations.
Acceptable IPv6 address by use case
The types of IPv6 address which are acceptable for each use are given in the table below. For examples of valid IPv6 addresses, see Valid IPv6 Addresses.
Use Case | Acceptable Address Type |
---|---|
Static IPv6 Address Entry | |
IPv6 Default Gateway | |
IPv6 Route Entry - IP Range | |
IPv6 Route Entry - Gateway | |
RFS Address | |
Client Address | |
Push Client Address | |
Ping | |
Traceroute | |
Stateless address auto-configuration (IPv6 only)
Unlike IPv4, IPv6 is designed to be auto-configuring. SLAAC is an IPv6 mechanism by which IPv6 hosts can configure their IPv6 addresses automatically when connected to an IPv6 network using the Neighbour Discovery Protocol (NDP). Using NDP IPv6 hosts are able to solicit advertisements from on-link routers and use the network prefix(es) contained in the advertisements to generate IPv6 address(es).
SLAAC is disabled by default in an nShield Connect, but can be selectively enabled for each Ethernet interface either using the nShield Connect front panel or by setting the appropriate configuration item and pushing an nShield Connect configuration file.
Configure Ethernet interface #1
To set up Ethernet interface #1 (default):
Enable/disable IPv4
To enable/disable IPv4:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable.
The following screen displays:
Network configuration IPv4 enable/disable: ENABLE CANCEL FINISH
- Set the ENABLE/DISABLE field to the required option.
- To accept, press the right-hand navigation button.
Set up IPv4 static address
To set up an IPv4 static address:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > Static IPv4 address.
The following screen displays:
Network configuration Enter IPv4 address for interface #1: 0. 0. 0. 0 Enter netmask: 0. 0. 0. 0 CANCEL NEXT
- Set each field of the IP address and netmask for the interface (press the Select button to move to the next field).
- Once all fields have been set, press the right-hand navigation button to continue.
- To accept the changes, press the right-hand navigation button and then CONTINUE to go back to the Static IPv4 address menu.
Enable/disable IPv6
To enable/disable IPv6:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6.
The following screen displays:
Network configuration IPv6 enable/disable: DISABLE CANCEL FINISH
- Set the ENABLE/DISABLE field to the required option.
- To accept, press the right-hand navigation button.
Set up IPv6 static address
To set up an IPv6 static address:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.
The following screen is displayed:
Network configuration Do you want to use a static address or SLAAC?
- Select static and press the right-hand navigation button.
- Then, select Static IPv6 address and press the right-hand navigation button.
The following screen displays:
Network configuration Enter IPv6 address For interface #1: CANCEL NEXT
- Enter the required IPv6 address.
- When the IPv6 address is correct, press the right-hand navigation button. The following screen displays:
Network configuration IPv6 address xxxx:xxxx:xxxx:xxxx: xxxx:xxxx:xxxx:xxxx Enter prefix length: 64 BACK NEXT
- When the IPv6 address prefix details are correct, press the right-hand navigation button.
- You are asked whether you wish to accept the new interface. To accept, press the right-hand navigation button.
Enabling static IPv6 addresses on a Connect’s network interface disables SLAAC on this interface. See Enable IPv6 SLAAC for SLAAC addresses.
Set the link speed for interface #1
To set the link speed for interface #1:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Set link speed for #1.
The following screen displays:
Network configuration Select desired link speed: auto / 1Gb CANCEL NEXT
You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX.
Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected. On the nShield Connect, selecting auto / 1Gb is the only means of achieving 1Gb link speed.
- Press the right-hand navigation button. You are returned to the Set up interface #1 screen and can continue with the configuration.
Configure Ethernet interface #2
To set up the Ethernet interface #2, if required:
- From the front panel menu, select System > System configuration > Network config > Set up interface #2.
- Enter the details for interface #2 in the same manner that you entered the details for interface #1.
- Once the interface #2 details have been entered you need to explicitly enable interface #2. Select System > System configuration > Network config > Set up interface #2 > Enable/Disable Int #2.
The following screen displays:
Network configuration Interface #2 DISABLE CANCEL FINISH
- Select the ENABLE option.
- Press the right-hand navigation button to accept. A screen similar to that used for interface #1 is displayed.
Configure an Ethernet bond interface
Enable or disable the use of a bond interface
- From the front panel menu, select System > System configuration > Network config > Set up bond > Enable/disable bond.
The following screen displays:
Network configuration Bond Interface DISABLE CANCEL FINISH
- Set the ENABLE/DISABLE field to the required option.
- To accept, press the right-hand navigation button.
Set up a bond interface
- From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond.
The following screen displays:
Bond interface config will use the eth0 IPv4 and IPv6 config if they are enabled CANCEL NEXT
- Press the right-hand navigation button.
The following screen displays:
Bond interface config Update parameter mode: 802.3ad BACK NEXT
- Set the mode field to the required option, either 802.3ad or active-backup.
- To accept, press the right-hand navigation button.
The following screen displays:
Bond interface config Update parameter miimon: 100 BACK NEXT
- Set the miimon field to the required value; the range is 0-10000 milliseconds. Setting the miimon value to 0 disables link monitoring, which can prevent the bonding resilience from functioning correctly in active-backup mode.
- To accept, press the right-hand navigation button.
The following screen displays:
Bond interface config Update parameter lacp_rate: slow only valid for 802.3ad (LACP) mode BACK NEXT
- Set the lacp_rate field to the required option, either slow or fast. This parameter is only valid for 802.3ad mode and is ignored in other modes.
slow: request LACPDUs to be transmitted every 30 seconds
fast: request LACPDUs to be transmitted every 1 second
- To accept, press the right-hand navigation button.
The following screen displays:
Bond interface config Update parameter xmit hash policy: layer2 only valid for 802.3ad (LACP) mode BACK NEXT
- Set the xmit hash policy field to the required option: layer2, encap2+3 or layer2+3. This parameter is only valid for 802.3ad mode and is ignored in other modes. For more information, see https://www.kernel.org/doc/Documentation/networking/bonding.txt
- To accept, press the right-hand navigation button.
The following screen displays:
Bond interface config Update parameter primary device: eth0 only valid for active-backup mode BACK NEXT
- Set the primary device field to the required option, either eth0 or eth1. This parameter is only valid for active-backup mode and is ignored in other modes.
- To accept, press the right-hand navigation button.
The following screen displays:
Bond interface config Update parameter resend igmp: 1 only valid for active-backup mode BACK NEXT
- Set the resend igmp field to the required value. Range: 0-255. This parameter is only valid for active-backup mode and is ignored in other modes.
- To accept, press the right-hand navigation button.
The following screen displays:
Bond interface config Are you sure you wish to change the config ? CANCEL CONFIRM
- To accept and apply changes to the bond config, press the right-hand navigation button.
The following confirmation screen displays:
Bond interface config completed OK CONFIRM
Default gateway
Set default gateway for IPv4
To set a default gateway for IPv4:
- From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway.
The following screen is displayed:
Gateway configuration Enter IPv4 address of the default gateway: 0. 0. 0. 0 CANCEL NEXT
- Enter the IPv4 address of the default gateway.
- Press the right-hand navigation button NEXT and then FINISH to accept.
Set default gateway for IPv6
To set a default gateway for IPv6:
- From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv6 gateway.
The following screen is displayed:
Gateway configuration Enter IPv6 address of the default gateway: CANCEL NEXT
- Enter the address for the gateway and press the right-hand navigation button. The following screen is displayed if the address entered was a link-local address:
Gateway configuration Select an interface for link-local address: :: CANCEL NEXT
- Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
Set up Routing
Set up routing for IPv4
To set a new route entry for IPv4:
- From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv4 route entry.
The following screen is displayed:
Edit route entry Enter IP range and mask length: 0. 0. 0. 0/ 0 Enter the gateway: 0. 0. 0. 0 CANCEL FINISH
- Enter the IPv4 address range details for the route. Press the right-hand navigation button to accept.
Set up routing for IPv6
To set a new route entry for IPv6:
- From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv6 route entry.
The following screen is displayed:
Edit route entry Enter the IP range and prefix length: ::/64 CANCEL NEXT
- Enter the IPv6 address range details for the route. Press the right-hand navigation button to accept. The following screen is displayed:
Edit route entry xxxx:xxxx:xxxx:xxxx: xxxx:xxxx:xxxx:xxxx /xxx Enter the gateway: :: BACK NEXT
- Enter the gateway address; if it is a link-local address, the following screen is displayed:
Edit route entry Select an interface for link-local address: fe80:xxxx:xxxx:xxxx: xxxx:xxxx:xxxx:xxxx Interface #1 BACK NEXT
- Select the interface for the IPv6 gateway and press the right-hand navigation button to accept.
- If the new route entry entered for IPv6 is incorrect, an error message is displayed on the next screen; select BACK to go to the route entry screen. The new IPv6 route entry will need to be entered again.
Edit route entry
Edit IPv4 route entry
To edit a route entry for IPv4:
- From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.
The following screen is displayed:
► 1. 1. 1. 1/ 1 3. 3. 3. 3/ 3 1111:1111:1111:1111: 1111:1111:1111:1111 /128 BACK SELECT
- Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is displayed:
Edit route entry Enter the IP range and mask length: 1. 1. 1. 1/ 1 Enter the gateway 2. 2. 2. 2 CANCEL FINISH
- Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.
Edit IPv6 route entry
To edit a route entry for IPv6:
- From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.
The following screen is displayed:
Edit route entry ► 1. 1. 1. 1/ 1 3. 3. 3. 3/ 3 1111:1111:1111:1111: 1111:1111:1111:1111 /128 BACK SELECT
- Select the IPv6 route to be edited. Press the right-hand navigation button. The following screen is displayed:
Edit route entry Enter the IP range and prefix length: 1111:1111::1111:1111: 1111:1111:1111:1111/128 CANCEL NEXT
- Edit the IPv6 route entry. Press the right-hand navigation button.
Edit route entry 1111:1111:1111:1111: 1111:1111:1111:1111/128 Enter the gateway 2222:2222:2222:2222 BACK NEXT
- Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway, the screen below is displayed:
Edit route entry Select an interface for link-local address: fe80:2222:2222:2222: 2222:2222:2222:2222 Interface #1 BACK NEXT
- Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
Remove route entry
To remove a route entry:
- From the front panel menu, select System > System configuration > Network config > Set up routing > Remove route entry.
The following screen is displayed:
► 1. 1. 1. 1/ 1 3. 3. 3. 3/ 3 1111:1111:1111:1111: 1111:1111:1111:1111 /128 BACK SELECT
- Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button.
- The selected route will be displayed. Press the right-hand navigation button to remove the route.
Enable IPv6 SLAAC
SLAAC can be enabled/disabled independently on each of the two interfaces.
To enable SLAAC:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.
The following screen is displayed:
Network configuration Do you want to use a static address or SLAAC?
- Select slaac and press the right-hand navigation button.
- The IPv6 address config selected screen is displayed. Press the right-hand navigation button to accept.
- Select the required state and press the right-hand navigation button.
- The SLAAC configuration completed OK screen is displayed. Press the right-hand navigation button to accept.
Enabling SLAAC on a Connect’s network interface disables the use of static IPv6 addresses on this interface.
Configuring the Remote File System (RFS)
The RFS contains the master copy of the Security World data for backup purposes. The RFS can be a standalone machine, and can also dual role as a client. If the RFS duals as a client, a common file structure serves both the RFS and the configuration files for the client.
See the User Guide for more about the RFS and its contents.
The nShield Connect must be able to connect to TCP port 9004 of the RFS. If necessary, modify the firewall configuration to allow this connection on either the RFS itself, or on a router between the RFS and the nShield Connect, or both.
Obtain the following information about the nShield Connect before you set up an RFS for the first time:
- The IP address.
The following nShield Connect information can be obtained automatically (or manually):
- The electronic serial number (ESN).
- The hash of the KNETI key (HKNETI). The KNETI key authenticates the nShield Connect to clients. It is generated when the nShield Connect is first initialized from factory state.
If your network is secure and you know the IP address of the nShield Connect, you can use the anonkneti utility to obtain the ESN and hash of the KNETI key by giving the following command on the client computer. anonkneti queries the unit without any authentication, so before you use the values in rfs-setup or nethsmenroll, confirm that they match the ESN and hash shown on the nShield Connect front panel (see below). For guidance on network security, see the nShield Security Manual.
anonkneti <Unit IP>
In this command, <Unit IP> is the IP address of the nShield Connect, which could be one of the following:
- An IPv4 address, for example 192.0.2.1.
- An IPv6 address, for example fc00::1.
- A link-local IPv6 address, for example fe80::1%eth0.
- A hostname.
The command returns output in the following form:
A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f
In this example output, A285-4F5A-7500 is the ESN and 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key.
Alternatively, you can find this information on the nShield Connect startup screen. Use the touch wheel to scroll to the appropriate information.
When you have the necessary information, set up an RFS and nShield Connect in the following order:
- Prepare the RFS by running the following command on that computer:
rfs-setup <Unit IP> A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f
In this command, <Unit IP> is the IP address of the nShield Connect, A285-4F5A-7500 is its ESN, and 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of its KNETI key.
- On the nShield Connect display screen, use the right-hand navigation button to select System > System configuration > Remote file system and enter the IP address of the client computer on which you set up the RFS.
Leave the port number at the default setting of 9004.
After you have defined the RFS, the nShield Connect configuration files are exported automatically to it. See the User Guide for more about configuration files.
To modify an RFS at a later date, select System configuration > Remote file system, and then select the required action.
Systems configured for Remote Administration
If you are planning to use Remote Administration or to configure NTP, you should enable auto push on the nShield Connect for the client computer you intend to use for configuration.
On the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file options > Setup auto push > Auto push mode and then select CONFIRM. A confirmation message will be displayed.
Once auto push has been enabled, you must specify the IP address of the client from which the configuration will be pushed. On the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file options > Setup auto push > IP address. Enter the IP address and select CONFIRM. A message will be displayed confirming your chosen IP address. Select CONTINUE.
Once auto push is enabled, you can complete the configuration steps by editing the configuration files, rather than by using the front panel of the nShield Connect. See the User Guide for more about configuration files.
Basic configuration of the client to use the nShield Connect
Client configuration utilities
Entrust provides the following utilities for client configuration:
Utility | Description |
---|---|
nethsmenroll | Used to configure the client to communicate with the nShield Connect. |
config-serverstartup | Used to configure the hardserver of the client to enable TCP sockets. |
nethsmenroll
The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield Connect.
If the nShield Connect’s ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield Connect to determine what they are, and requests confirmation.
Usage:
nethsmenroll [Options] --privileged <nShield Connect IP> <nShield Connect ESN> <nShield Connect KNETI HASH>
Options:
Option | Description |
---|---|
 | Specifies the local module number that should be used (default is |
 | Makes the hardserver request a privileged connection to the nShield Connect (default |
 | The IP address of the nShield Connect, which could be an IPv4 address, an IPv6 address, a link-local IPv6 address, or a hostname. |
 | Removes the configuration of the specified nShield Connect. |
 | Forces reconfiguration of an nShield Connect already known. |
 | Does not request confirmation when automatically determining the nShield Connect’s ESN and HKNETI. |
 | When the |
 | Specifies the port to use when connecting to the given nShield Connect (default 9004). |
 | Specifies the |
config-serverstartup
The config-serverstartup command-line utility automatically edits the [server_startup] section in the local hardserver configuration file in order to enable TCP ports for Java and KeySafe.
Any fields for which values are not specified remain unchanged.
After making any changes you are prompted to restart the hardserver.
Run config-serverstartup using the following command:
config-serverstartup [OPTIONS]
For more information about the options available to use with config-serverstartup, run the command:
config-serverstartup --help
Configuring a client to communicate through an nToken
You can configure a client to use its nToken to communicate with an nShield Connect, if it has one installed. When this happens, the nShield Connect:
- Examines the IP address of the client.
- Requires the client to identify itself using a signing key.
If an nToken is installed in a client, it can be used to both generate and protect a key that is then used for the impath communication between the nShield Connect and the client. A strongly protected key is used at both ends of the impath as a result.
Enrolling the client from the command line
Complete the following steps to initially configure a client computer to communicate with and use an nShield Connect. See Basic nShield Connect, RFS and client configuration for more about the available options.
Do the following:
- On the client, open a command line window, and run the command:
nethsmenroll --help
- To retrieve the ESN and HKNETI of the nShield Connect, run the command:
anonkneti <Unit IP>
The following is an example of the output:
3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320
If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield Connect to determine what they are, and requests confirmation.
- Do one of the following:
If you are enrolling a client with an nToken installed, run the command:
nethsmenroll --ntoken-esn <nToken ESN> [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>
If you are enrolling a client without an nToken installed, run the command:
nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>
The following is an example of the output:
OK configuring hardserver's nethsm imports.
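The check a practitioner wants around the two procedures that consume anonkneti output (rfs-setup in Configuring the Remote File System, and nethsmenroll above), as an added example that is not part of the Entrust guide: take the line anonkneti prints, make sure it has the expected shape (an XXXX-XXXX-XXXX ESN and a 40-hex-digit HKNETI), compare both fields with the values transcribed from the nShield Connect front panel, and only then build the rfs-setup and nethsmenroll command lines from them. The sample anonkneti output is constructed from the guide's own example values, 192.0.2.10 is a placeholder unit address, and the command forms are the ones the guide shows; nothing here contacts a unit, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Entrust guide: refuse to feed an unverified
# ESN/HKNETI pair into rfs-setup or nethsmenroll. anonkneti asks the unit for
# these values without authentication, so they are only trustworthy once they
# match what the unit's own front panel shows.

UNIT_IP='192.0.2.10'    # placeholder address (RFC 5737 documentation range)

# Constructed sample of anonkneti output, using the guide's example values.
SAMPLE_ANONKNETI_OUTPUT='A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f'

# Values transcribed from the Connect's startup screen (trusted, out of band).
PANEL_ESN='A285-4F5A-7500'
PANEL_HKNETI='2418ec85c86027eb2d5959fef35edc5e1b3b698f'

# is_esn STRING: an nShield ESN has the form XXXX-XXXX-XXXX (upper-case hex).
is_esn() {
  case "$1" in
    [0-9A-F][0-9A-F][0-9A-F][0-9A-F]-[0-9A-F][0-9A-F][0-9A-F][0-9A-F]-[0-9A-F][0-9A-F][0-9A-F][0-9A-F]) return 0 ;;
    *) return 1 ;;
  esac
}

# is_hkneti STRING: HKNETI is a 160-bit hash printed as 40 lower-case hex digits.
is_hkneti() {
  [ "${#1}" -eq 40 ] || return 1
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# parse_anonkneti OUTPUT: print "ESN HKNETI" if OUTPUT is one well-formed
# line, fail otherwise (an error message or a truncated line must not be
# pasted into rfs-setup by accident).
parse_anonkneti() {
  set -- $1
  [ $# -eq 2 ] || return 1
  is_esn "$1" && is_hkneti "$2" || return 1
  printf '%s %s\n' "$1" "$2"
}

# verify_kneti REPORTED_LINE PANEL_ESN PANEL_HKNETI: succeed only on an exact
# match of both fields. A mismatch means you reached a different unit, or the
# network path between you and the unit is not trustworthy; stop there.
verify_kneti() {
  _parsed=$(parse_anonkneti "$1") || return 1
  set -- $_parsed "$2" "$3"
  [ "$1" = "$3" ] && [ "$2" = "$4" ]
}

# build_commands ESN HKNETI: emit the two enrolment commands with verified
# values. They are printed, not run: rfs-setup belongs on the RFS host and
# nethsmenroll on each client. --privileged is left off because the guide
# reserves privileged connections for clients that administer the unit.
build_commands() {
  printf 'rfs-setup %s %s %s\n' "$UNIT_IP" "$1" "$2"
  printf 'nethsmenroll %s %s %s\n' "$UNIT_IP" "$1" "$2"
}

# Live use would capture the real output: reported=$(anonkneti "$UNIT_IP").
# The constructed sample is used here so the script runs offline.
if verify_kneti "$SAMPLE_ANONKNETI_OUTPUT" "$PANEL_ESN" "$PANEL_HKNETI"; then
  build_commands "$PANEL_ESN" "$PANEL_HKNETI"
else
  echo "ESN/HKNETI reported by anonkneti does not match the front panel; not configuring" >&2
fi
```

Review the printed commands before running them; if the client will be used to administer the unit (for example to create the Security World), add --privileged to the nethsmenroll line as the guide's enrolment commands show.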
Basic configuration of an nShield Connect to use a client
Do the following:
- On the nShield Connect front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
The following screen displays:
Client configuration Please enter your client IP address: CANCEL NEXT
- Enter the IP address of the client, and press the right-hand navigation button.
- Use the touch wheel to confirm whether you want to save the IP or not, and press the right-hand navigation button.
Client configuration Do you want to save the IP in the config? (No for dynamic client IPs) No Back Next
- Use the touch wheel to select the connection type between the nShield Connect and the client.
Client configuration Please choose the client permissions Unprivileged BACK NEXT
The following options are available:
Option | Description |
---|---|
Unprivileged | Privileged connections are never allowed. |
Priv. on low ports | Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux. |
Priv. on any ports | Privileged connections are allowed on all ports. |
A privileged connection is required to administer the nShield Connect, for example to initialize a Security World. If privileged connections are allowed, the client can issue commands (such as clearing the nShield Connect) which interfere with the normal operation of the nShield Connect. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
- When you have selected a connection option, press the right-hand navigation button.
The following screen is displayed:
Client configuration do you want secure authentication enabled on this client? Yes BACK NEXT
The next steps in the configuration process vary slightly depending on whether the client uses an nToken to communicate with the nShield Connect, or not.
-
Do one of the following:
To enroll the client without secure authentication:
-
Select No and press the right-hand navigation button.
The unit displays a message reporting that the client has been configured.
-
Press the right-hand navigation button again.
To enroll the client with secure authentication:
-
First confirm the nToken authentication key.
-
On the client, open a command line window, and run the command:
ntokenenroll -H
The following is an example of the output:
nToken module #1
nToken ESN:        3138-147F-2D64
nToken key hash:   691be427bb125f387686 38a18bfd2eab75623320
-
Ensure that you write down the hash or have it otherwise available for the next steps.
-
On the nShield Connect, enter the number of the port on which the client is listening and press the right-hand navigation button. (The default port is 9004.)
The following is an example of the information displayed by the nShield Connect. This identifies the client by its ESN and displays the reported key hash:
Client reported the software key hash:
691be427bb125f387686
38a18bfd2eab75623320
Is this EXACTLY right?
CANCEL   CONFIRM
-
Compare the hash displayed by the nShield Connect with the nToken key hash returned by ntokenenroll. The match must be exact: the hash on the Connect's screen is the value the client reported over the network, and checking it against the value read directly from the nToken on the client is what binds the enrollment to that particular nToken. If the two differ, press CANCEL and do not enroll the client.
-
If there is an exact match, press the right-hand navigation button to configure the client. The unit displays a message reporting that the client has been configured.
-
Press the right-hand navigation button again.
-
See the User Guide for more about modifying or deleting an existing client, configuring multiple clients, client licenses, configuring an nShield Connect to use a client with configuration files and auto push, and advanced configuration options.
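The hash comparison in the secure-authentication steps above can be scripted so that it is done the same way every time. The following POSIX sh script is an added example, not part of this guide or the nShield software: it extracts the hash from the output of ntokenenroll -H and compares it with the hash transcribed from the Connect's screen, normalising whitespace and case first so that the Connect's two-line display or a difference in typing cannot produce a false mismatch, while refusing to match anything that is not a well-formed 40-hex-digit hash. The ntokenenroll output it embeds is constructed from the hash shown above, and the exact layout of that output is an assumption.

```sh
#!/bin/sh
# Added example, not part of the nShield documentation or software.
# Compares the nToken key hash printed by "ntokenenroll -H" on the client with
# the hash shown on the nShield Connect's "Client reported the software key
# hash" screen. The panel shows the 40-hex-digit hash as two 20-digit halves,
# so both values are canonicalised (whitespace removed, lower-cased, length
# checked) before an exact comparison. The layout of ntokenenroll -H output
# below is assumed.

# canon_hash HASH: print the hash as 40 lower-case hex digits, or fail
# (status 1) if it is not a well-formed hash of that length.
canon_hash() {
    h=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$h" in
        "" | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -eq 40 ] || return 1
    printf '%s\n' "$h"
}

# extract_ntoken_hash REPORT: pull the value after "nToken key hash:" from
# ntokenenroll -H output (first match only).
extract_ntoken_hash() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*nToken key hash:[[:space:]]*//p' | head -n 1
}

# hashes_match A B: status 0 only if both are well-formed and identical;
# status 2 if either is malformed (a malformed hash never counts as a match).
hashes_match() {
    a=$(canon_hash "$1") || return 2
    b=$(canon_hash "$2") || return 2
    [ "$a" = "$b" ]
}

# Constructed sample of ntokenenroll -H output, using the hash from the guide.
SAMPLE_NTOKENENROLL='nToken module #1
nToken ESN:        3138-147F-2D64
nToken key hash:   691be427bb125f387686 38a18bfd2eab75623320'

# Hash transcribed from the Connect's screen (two 20-digit halves, as shown).
PANEL_HASH='691be427bb125f387686
38a18bfd2eab75623320'

if hashes_match "$(extract_ntoken_hash "$SAMPLE_NTOKENENROLL")" "$PANEL_HASH"; then
    echo "hashes match: press CONFIRM on the nShield Connect"
else
    echo "MISMATCH or malformed hash: press CANCEL and do not enroll this client" >&2
fi
```

To use it against a real client, replace SAMPLE_NTOKENENROLL with the actual output of ntokenenroll -H and PANEL_HASH with the value read from the Connect's screen; anything other than "hashes match" is a reason to press CANCEL.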
Restarting the hardserver
To apply any configuration changes you have made, you must restart the hardserver (also called the nfast server).
-
Do one of the following to stop and restart the hardserver, according to your operating system:
-
Windows:
net stop "nfast server"
net start "nfast server"
-
Linux:
/opt/nfast/sbin/init.d-ncipher restart
Zero touch configuration of an nShield Connect
On a serial-enabled nShield Connect (see Model numbers) you can configure the nShield Connect by using the nShield Connect Serial Console rather than the front panel. See the nShield Connect User Guide for more information on the Serial Console.
Once the nShield Connect's power, Ethernet and serial cables have been connected, follow these steps to allow zero touch configuration of the nShield Connect (no further use of the front panel is required):
-
Log in to the nShield Connect Serial Console (see the nShield Connect User Guide).
-
Configure networking on Ethernet Interface #1:
-
Set the IP address and netmask of the interface:
(cli) netcfg iface=0 addr=0.0.0.0 netmask=0.0.0.0
-
Set the IP address of the gateway for the nShield Connect:
(cli) gateway 0.0.0.0
If your network environment requires you to configure static routes you may also use the nShield Connect Serial Console to configure static routes for the nShield Connect at this stage.
-
Allow configuration files to be pushed to the nShield Connect from a remote computer.
You can optionally set the IP address of the client that is allowed to push config files. By default, any IP address that is configured as a client of the nShield Connect is allowed to push configuration files. If you set an IP address, you can optionally also set the hash of the key with which the authorized client must authenticate itself (the default is that no key authentication is required).
(cli) push ON [IP [KEYHASH]]
Enabling the push feature allows a client computer to replace the HSM configuration file, and so gives that client the power to make configuration changes that are normally available only through the HSM's secure user interface. With the defaults, every client configured on the nShield Connect has this power and no key authentication is required. Limit it to the one computer that needs it by supplying both IP and KEYHASH, so that only the named client, authenticating with the expected key, can push a configuration.
Once you have set up the nShield Connect for zero touch configuration, everything that can be configured using the front panel can then be configured remotely using one of the following methods:
-
The nShield Connect Serial Console.
-
The cfg-pushnethsm utility to push an updated configuration file to the nShield Connect (see the nShield Connect User Guide). From the configuration file you can configure the RFS, add clients, or change the network configuration.
-
The nethsmadmin utility (see the nShield Connect User Guide).
Checking the installation
To check that the module is installed and configured correctly on the client:
-
Log in as a user and open a command window.
-
Run the command:
enquiry
For an example of the output following a successful enquiry command, see Enquiry utility.
If you are configuring a client belonging to an nShield Connect, the response to the enquiry command should be populated and the hardware status shown as OK.
If the mode is operational, the HSM has been installed correctly.
If the mode is initialization, the HSM has been installed correctly, but you must change the mode to operational.
If the output from the enquiry command says that the module is not found, first check that the hardserver is running (see Restarting the hardserver) or restart your computer, then re-run the enquiry command.
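The check above can be scripted so that it runs the same way on every client. The following POSIX sh script is an added example, not part of this guide or the nShield software: it reads an enquiry report, looks at the mode and hardware status fields of each Module section, and reports operational, initialization, not-found or failed, returning success only for operational so that it can gate later steps. The reports it embeds are constructed and abbreviated; the field names follow the layout of a real enquiry report, but the values are assumed, and treating a report with no Module section as "module not found" is an assumption of the script.

```sh
#!/bin/sh
# Added example, not part of the nShield documentation or software.
# Scripts the post-installation check: reads an enquiry report and classifies
# it as operational, initialization, not-found or failed from the "mode" and
# "hardware status" fields of each "Module #N:" section. Field names follow
# the layout of a real enquiry report; the sample reports below are
# constructed and abbreviated, and treating a report with no Module section
# as "module not found" is an assumption of this script.

# module_fields REPORT: print "<module> <mode> <hardware status>" for each
# module section. Top-level sections start in column 0; the "Server:" section
# describes the local hardserver rather than the HSM, so it is skipped.
module_fields() {
    printf '%s\n' "$1" | awk '
        function emit() {
            if (mod != "") print mod, (mode == "" ? "?" : mode), (hw == "" ? "?" : hw)
        }
        /^Module #[0-9]+:/ { emit(); mod = $2; sub(/:$/, "", mod); mode = ""; hw = ""; next }
        /^[A-Za-z]/         { emit(); mod = "" }
        mod != "" && $1 == "mode"                        { mode = $2 }
        mod != "" && $1 == "hardware" && $2 == "status"  { hw = $3 }
        END { emit() }
    '
}

# classify_enquiry REPORT: print one of
#   operational    - every module found has hardware status OK and mode operational
#   initialization - installed correctly, but the mode must be changed to operational
#   not-found      - no module section at all (restart and re-run enquiry)
#   failed         - anything else, e.g. hardware status not OK or an unknown mode
# and return 0 only for "operational", so the function can gate further steps.
classify_enquiry() {
    fields=$(module_fields "$1")
    if [ -z "$fields" ]; then
        echo not-found
        return 1
    fi
    result=operational
    while read -r mod mode hw; do
        if [ "$hw" != "OK" ]; then
            result=failed
        elif [ "$mode" = "initialization" ] && [ "$result" = "operational" ]; then
            result=initialization
        elif [ "$mode" != "operational" ] && [ "$mode" != "initialization" ]; then
            result=failed
        fi
    done <<EOF
$fields
EOF
    echo "$result"
    [ "$result" = "operational" ]
}

# Constructed sample reports (abbreviated; values assumed for illustration).
SAMPLE_OPERATIONAL='Server:
 enquiry reply flags  none
 mode                 operational
 hardware status      OK
Module #1:
 enquiry reply flags  none
 serial number        3138-147F-2D64
 mode                 operational
 hardware status      OK'

SAMPLE_INITIALIZATION='Server:
 mode                 operational
 hardware status      OK
Module #1:
 serial number        3138-147F-2D64
 mode                 initialization
 hardware status      OK'

SAMPLE_NOT_FOUND='Server:
 mode                 operational
 hardware status      OK'

for report in "$SAMPLE_OPERATIONAL" "$SAMPLE_INITIALIZATION" "$SAMPLE_NOT_FOUND"; do
    printf 'enquiry check: %s\n' "$(classify_enquiry "$report")"
done
```

On a Linux client the real report can be checked with classify_enquiry "$(/opt/nfast/bin/enquiry)" (the path assumes the default installation location); a result of initialization means the HSM is installed but its mode must still be changed, and not-found means the hardserver or the module should be checked before anything else is configured.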