Basic nShield Connect, RFS and client configuration

This chapter describes the initial nShield Connect, RFS and client computer configuration steps. For more about:

Security World Software installation and options, see Installing the software.
Installing the optional nToken, see the nToken Installation Guide.
The menu options, see Top-level menu.
Advanced nShield Connect and client configuration options, see the User Guide.

An installation will have only one RFS, but may have one or more Clients. The RFS can also dual role as a Client. Before you can continue with the following configuration, the RFS and every Client must have the Security World software installed, see Installing the software.

About nShield Connect and client configuration

An nShield Connect and a client communicate using their hardservers. These handle secure transactions between the HSM within the Connect and any applications that run on the client. You must configure:

Each client hardserver to communicate with the hardserver of the nShield Connect that it needs to use.
The nShield Connect hardserver to communicate with the hardserver of the clients that are allowed to use it.

Multiple nShield Connects can be configured to communicate with one client, just as multiple clients can be configured to communicate with one nShield Connect.

Remote file system (RFS)

Each nShield Connect must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield Connect needs. See the User Guide for your HSM for more information about the RFS.

nShield Connect configuration

The current configuration files for the hardserver of an nShield Connect are stored in its local file system. These files are automatically:

Updated when the nShield Connect is configured.
Exported to the appropriate RFS directory.

Each nShield Connect in a Security World has separate configuration files on the RFS. See the User Guide for more about nShield Connect configuration files and advanced configuration options.

Client configuration

The current configuration files for the hardserver of a client are stored in its local file system.

See the User Guide for more about client configuration files and advanced configuration options.

The following steps assume that you have added the path %NFAST_HOME%\bin (Windows) or /opt/nfast/bin/ (Linux) to the PATH system variable.

Basic nShield Connect and RFS configuration

After installing the Security World Software and the nShield Connect, you need to do the following:

Configure the nShield Connect Ethernet interfaces.
Configure the RFS.

You should complete the RFS tasks before:

Configuring the nShield Connect and client to work together.
Creating a Security World and an Operator Card Set (OCS). See the User Guide for more about creating a Security World and the OCS.

Configuring the Ethernet interfaces - IPv4 and IPv6

An nShield Connect communicates with one or more clients over an Ethernet network. You must supply IP addresses for the nShield Connect and the client. Contact your system administrator for this information if necessary.

There are two network interfaces on the nShield Connect. Three configurations are supported:

Single network interface.
Two independent network interfaces.

You must connect the interfaces to physically different networks.
The two network interfaces combined as a bond interface.

The bond interface can use:
- Active backup mode.
- 802.3ad mode (requires a switch that supports 802.3ad).

You can configure the nShield Connect using the front panel Network config menu, or by pushing a configuration file to the nShield Connect over the network. The initial set up of the nShield Connect must be done using the front panel. The following can be configured:

Interface addresses
Bond
Default gateway
Network routes
Network speed.

If the nShield Connect is already configured, you can update the displayed values.

If you ever change any of the IP addresses on the nShield Connect, you must update the configuration of all the clients that work with it to reflect the new IP addresses.

By default, the hardserver listens on all interfaces. However, you can choose to set specific network interfaces on which the hardserver listens. This may be useful in cases such as if one of the Ethernet interfaces is to be connected to external hosts. See the User Guide for more information.

IPv4 and IPv6

Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:

IPv4 only
IPv4 and IPv6
IPv6 only.

Interface#1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled.

IPv6 addresses

An IPv4 address is 32 bits long and typically represented as 4 octets, for example 192.168.0.1. An IPv6 address is 128 bits long and is made up of a subnet prefix (n bits long) and an interface ID (128 - n bits long).

An IPv6 address and its associated subnet is typically represented by the notation ipv6-address/prefix-length, where:

ipv6-address is an IPv6 address represented in any of the notations described below.
prefix-length is a decimal value specifying how many of the leftmost contiguous bits of the address make up the prefix.

The IPv6 address notation mirrors the way subnets are represented in the IPv4 Classless Inter-Domain Routing (CIDR) notation.

IPv6 address notation

An nShield Connect will accept an IPv6 address if it is entered in one of the forms shown below and if the address is valid for context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings:

The long representation is x:x:x:x:x:x:x:x, where each x is a field containing hexadecimal characters (0 to ffff) for each 16 bits of the address.

For example:

1234:2345:3456:4567:5678:6789:789a:89ab

1234:5678:0:0:0:0:9abc:abcd/64
If one or more consecutive fields are 0 then they can be replaced by ::.

For example:

1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64

:: can only appear once in an IPv6 address.

Unless the address is a link-local address, the nShield Connect front panel only allows lower-case letters in an IPv6 address.

IPv6 addresses keyed manually on the nShield Connect front panel are validated on entry by the nShield Connect. As well as checking that the format of the address is correct, the nShield Connect also validates that the address entered is valid for the context in which it will be used, see Acceptable IPv6 address by use case.

If Stateless Address Auto Configuration (SLAAC) is enabled the nShield Connect will automatically form IPv6 addresses from network prefixes contained in Router Advertisements (RAs). RAs are received directly by the nShield Connect Operating System and automatically forms IPv6 addresses by combining the network prefixes contained in the RA with the MAC address of the receiving Ethernet interface. As they are created by the Operating System, SLAAC IPv6 addresses are not subject to the same validation rules as addresses entered via the nShield Connect front panel. If SLAAC is to be used to configure nShield Connect IPv6 addresses in preference to statically entered addresses then network planners must take care to ensure that prefixes advertised to the nShield Connect are of a suitable type, see Acceptable IPv6 address by use case.

IPv6 compliance

A new sub-menu (1-1-1-9 - Set IPv6 compliance) has been added to the nShield Connect front panel menu to permit the User to select an IPv6 compliance mode for an nShield Connect. Compliance with USGv6 or IPv6 ready can be selected.

Both these modes change the settings for the nShield Connect firewall so that it will pass-through packets which are discarded in the normal Default* mode. This behaviour is required for compliance testing but is not recommended for normal use since allowing packets with invalid fields or parameters through the firewall increases the attack surface. When either USGv6 or IPv6 ready are selected, a confirmation message is displayed to reduce the likelihood that they are enabled by accident.

It is recommended that the IPv6 compliance mode is set to Default for all normal operations.

Acceptable IPv6 address by use case

The types of IPv6 which are acceptable as a static address are given in the table below For examples of valid IPv6 addresses, see Valid IPv6 Addresses.

Use Case	Acceptable Address Type
Static IPv6 Address Entry	Global Unicast Local Unicast
IPv6 Default Gateway	Global Unicast Local Unicast Link-local
IPv6 Route Entry - IP Range	Unknown Loopback Global Unicast Local Unicast Link local Teredo Benchmarking Orchid 6to4 Documentation Multicast
IPv6 Route Entry - Gateway	Global Unicast Local Unicast Link-local
RFS Address	Global Unicast Local Unicast
Client Address	Global Unicast Local Unicast
Push Client Address	Global Unicast Local Unicast
Ping	Unknown Loopback Global Unicast Local Unicast Link-local Teredo Benchmarking Orchid 6to4 Documentation Multicast
Traceroute	Unknown Loopback Global Unicast Local Unicast Link-local Teredo Benchmarking Orchid 6to4 Documentation Multicast

Use Case

Acceptable Address Type

Static IPv6 Address Entry

Global Unicast
Local Unicast

IPv6 Default Gateway

Global Unicast
Local Unicast
Link-local

IPv6 Route Entry - IP Range

Unknown
Loopback
Global Unicast
Local Unicast
Link local
Teredo
Benchmarking
Orchid
6to4
Documentation
Multicast

IPv6 Route Entry - Gateway

Global Unicast
Local Unicast
Link-local

RFS Address

Global Unicast
Local Unicast

Client Address

Global Unicast
Local Unicast

Push Client Address

Global Unicast
Local Unicast

Ping

Unknown
Loopback
Global Unicast
Local Unicast
Link-local
Teredo
Benchmarking
Orchid
6to4
Documentation
Multicast

Traceroute

Unknown
Loopback
Global Unicast
Local Unicast
Link-local
Teredo
Benchmarking
Orchid
6to4
Documentation
Multicast

Stateless address auto-configuration (IPv6 only)

Unlike IPv4, IPv6 is designed to be auto-configuring. SLAAC is an IPv6 mechanism by which IPv6 hosts can configure their IPv6 addresses automatically when connected to an IPv6 network using the Neighbour Discovery Protocol (NDP). Using NDP IPv6 hosts are able to solicit advertisements from on-link routers and use the network prefix(es) contained in the advertisements to generate IPv6 address(es).

SLAAC is disabled by default in an nShield Connect, but can be selectively enabled for each Ethernet interface either using the nShield Connect front panel or by setting the appropriate configuration item and pushing an nShield Connect configuration file.

Configure Ethernet interface #1

To set up Ethernet interface #1 (default):

Enable/disable IPv4

To enable/disable IPv4:

From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable.

The following screen displays:
```
Network configuration

IPv4 enable/disable:

ENABLE

CANCEL    FINISH
```
Set the ENABLE/DISABLE field to the required option.
To accept, press the right-hand navigation button.

Set up IPv4 static address

To set up IPv4 static address:

From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > Static IPv4 address.

The following screen displays:
```
Network configuration

Enter IPv4 address
for interface #1:
     0.  0.  0.  0
Enter netmask:
     0.  0.  0.  0
CANCEL           NEXT
```
Set each field of the IP address and netmask for the interface (press the Select button to move to the next field).
Once all fields have been set, press the right-hand navigation button to continue.
To accept the changes, press the right-hand navigation button and then CONTINUE to go back to the Static IPv4 address menu.

Enable/disable IPv6

To enable/disable IPv6:

From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6.

The following screen displays:
```
Network configuration

IPv6 enable/disable:
DISABLE

CANCEL    FINISH
```
Set the ENABLE/DISABLE field to the required option.
To accept, press the right-hand navigation button.

Set up IPv6 static address

To set up IPv6 static address:

From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.

The following screen is displayed:
```
Network configuration
Do you want to use a
static address or
SLAAC?
```
Select static and press the right-hand navigation button.

Then, select Static IPv6 address and press the right-hand navigation button.

The following screen displays:
```
Network configuration
Enter IPv6 address
For interface #1:



CANCEL    NEXT
```
Enter the required IPv6 address.

When the IPv6 address is correct, press the right-hand navigation button. The following screen displays:

Network configuration
IPv6 address
xxxx:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx

Enter prefix length:
64

BACK    NEXT

When the IPv6 address prefix details are correct, press the right-hand navigation button.
You are asked whether you wish to accept the new interface. To accept, press the right-hand navigation button.

Enabling static IPv6 addresses on a Connect’s network interface disables SLAAC on this interface. See Enable IPv6 SLAAC for SLAAC addresses.

Set the link speed for interface #1

To set up the link speed for interface #1:

From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Set link speed for #1.

The following screen displays:

Network configuration

Select desired link
speed:
auto / 1Gb

CANCEL    NEXT

You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX.

Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected. On the nShield Connect, selecting auto / 1Gb is the only means of achieving 1Gb link speed.

Press the right-hand navigation button and you will be returned to the Set up interface #1 screen and you can then continue with the configuration.

Configure Ethernet interface #2

To set up the Ethernet interface #2, if required:

From the front panel menu, select System > System configuration > Network config > Set up interface #2.
Enter the details for interface #2 in the same manner that you entered the details for interface #1.
Once the interface #2 details have been entered you need to explicitly enable interface #2. Select System > System configuration > Network config > Set up interface #2 > Enable/Disable Int #2.

The following screen displays:

Network configuration

Interface #2
DISABLE

CANCEL    FINISH

Select the ENABLE option.
Press the right-hand navigation button to accept. A screen similar to that used for interface #1 is displayed.

Configure an Ethernet bond interface

Enable or disable the use of a bond interface

From the front panel menu, select System > System configuration > Network config > Set up bond > Enable/disable bond.

The following screen displays:
```
Network configuration

Bond Interface

DISABLE

CANCEL    FINISH
```
Set the ENABLE/DISABLE field to the required option.
To accept, press the right-hand navigation button.

Set up a bond interface

From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond.

The following screen displays:
```
Bond interface config
will use the eth0
IPv4 and IPv6 config
if they are enabled

CANCEL    NEXT
```
Press the right-hand navigation button.

The following screen displays:
```
Bond interface config
Update parameter

mode: 802.3ad

BACK    NEXT
```
Set the mode field to the required option, either 802.3ad or active-backup.
To accept, press the right-hand navigation button.

The following screen displays:
```
Bond interface config
Update parameter

miimon: 100

BACK    NEXT
```
Set the miimon field to the required value, the range is 0 - 10000 milliseconds.

Setting the miimon value to 0 disables it. This can prevent the bonding resilience from functioning correctly in active-backup mode.

To accept, press the right-hand navigation button.

The following screen displays:

Bond interface config
Update parameter

lacp_rate: slow

only valid for
802.3ad (LACP) mode

BACK    NEXT

Set the lacp_rate field to the required option, either slow or fast.

This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.

slow
request LACPDUs to be transmitted every 30 seconds

fast
request LACPDUs to be transmitted every 1 second

To accept, press the right-hand navigation button.

The following screen displays:

Bond interface config
Update parameter
xmit hash policy:
layer2

only valid for
802.3ad (LACP) mode

BACK    NEXT

Set the xmit hash policy field to the required option.

This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.

Options:
- layer2
- encap2+3
- layer2+3.
For more information, see https://www.kernel.org/doc/Documentation/networking/bonding.txt

To accept, press the right-hand navigation button.

The following screen displays:

Bond interface config
Update parameter

primary device: eth0

only valid for
active-backup mode

BACK    NEXT

Set the primary device field to the required option, either eth0 or eth1.

This parameter is only valid for active backup mode. This setting is ignored in other modes.

To accept, press the right-hand navigation button.

The following screen displays:

Bond interface config
Update parameter

resend igmp: 1

only valid for
active-backup mode

BACK    NEXT

Set the resend igmp field to the required value. Range: 0 - 255.

This parameter is only valid for active backup mode. This setting is ignored in other modes.

To accept, press the right-hand navigation button.

The following screen displays:

Bond interface config

Are you sure you wish
to change the config ?

CANCEL    CONFIRM

To accept and apply changes to the bond config, press the right-hand navigation button.

The following confirmation screen displays:
```
Bond interface
config completed OK

CONFIRM
```

Default gateway

Set default gateway for IPv4

To set a default gateway for IPv4:

From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway.

The following screen is displayed:
```
Gateway configuration

Enter IPv4 address of
the default gateway:

0. 0. 0. 0

CANCEL    NEXT
```
Enter the IPv4 address of the default gateway.
Press the right-hand navigation button NEXT and then FINISH to accept.

Set default gateway for IPv6

To set a default gateway for IPv6:

From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv6 gateway.

The following screen is displayed:
```
Gateway configuration

Enter IPv6 address of
the default gateway:



CANCEL    NEXT
```
Enter the address for the gateway. Press the right-hand navigation button. The following screen is displayed if the address entered was a link-local address:
```
Gateway configuration

Select an interface for link-local address:

::

CANCEL    NEXT
```
Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

Set up Routing

Set up routing for IPv4

To set a new route entry for IPv4:

From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv4 route entry.

The following screen is displayed:
```
Edit route entry

Enter IP range
and mask length:
0.  0.  0.  0/ 0
Enter the gateway:
0.  0.  0.  0

CANCEL    FINISH
```
Enter the IPv4 address range details for the route. Press the right-hand navigation button to accept.

Set up routing for IPv6

To set a new route entry for IPv6:

From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv6 route entry.

The following screen is displayed:
```
Edit route entry

Enter the IP range
and prefix length:
::/64

CANCEL    NEXT
```
Enter the IPv6 address range details for the route. Press the right-hand navigation button to accept. The following screen is displayed:
```
Edit route entry
xxxx:xxxx:xxxx:xxxx:
 xxxx:xxxx:xxxx:xxxx
 /xxx

Enter the gateway:
::


BACK    NEXT
```

Enter the gateway address; if it is a link local address, the following screen is displayed.

Edit route entry

Select an interface
for link-local address:
fe80:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx
  Interface #1
BACK    NEXT

Select the interface for the IPv6 gateway and press the right-hand navigation button to accept.
If the new route entry entered for IPv6 is incorrect an error message is displayed on the next screen, select BACK to go to the route entry screen. The new IPv6 route entry will need to be entered again.

Edit route entry

Edit IPv4 route entry

To edit a route entry for IPv4:

From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.

The following screen is displayed:
```
►  1. 1. 1. 1/ 1
3. 3. 3. 3/ 3
1111:1111:1111:1111:
1111:1111:1111:1111
 /128

BACK    SELECT
```

Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is displayed:

Edit route entry

Enter the IP range
and mask length:
1. 1. 1. 1/ 1
Enter the gateway
2. 2. 2. 2
CANCEL    FINISH

Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.

Edit IPv6 route entry

To edit a route entry for IPv6:

From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.

The following screen is displayed:
```
Edit route entry
►  1. 1. 1. 1/ 1
3. 3. 3. 3/ 3
1111:1111:1111:1111:
1111:1111:1111:1111
/128


BACK    SELECT
```

Select the IPv6 route to be edited. Press the right-hand navigation button. The following screen is displayed:

Edit route entry

Enter the IP range
and prefix length:
1111:1111::1111:1111:
 1111:1111:1111:1111/128

CANCEL    NEXT

Edit the IPv6 route entry. Press the right-hand navigation button.

Edit route entry
1111:1111:1111:1111:
 1111:1111:1111:1111/128

Enter the gateway
2222:2222:2222:2222

BACK  NEXT

Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway the screen below will be displayed.

Edit route entry

Select an interface
for link-local address:
fe80:2222:2222:2222:
2222:2222:2222:2222
Interface #1
BACK    NEXT

Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

Remove route entry

To remove a route entry:

From the front panel menu, select System > System configuration > Network config > Set up routing > Remove route entry.

The following screen is displayed:
```
►  1. 1. 1. 1/ 1
3. 3. 3. 3/ 3
1111:1111:1111:1111:
1111:1111:1111:1111
/128


BACK    SELECT
```
Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button.
The selected route will be displayed. Press the right-hand navigation button to remove the route.

Enable IPv6 SLAAC

SLAAC can be enabled/disabled independently on each of the two interfaces.

To enable SLAAC:

From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.

The following screen is displayed:
```
Network configuration
Do you want to use a
static address or
SLAAC?
```
Select slaac and press the right-hand navigation button.
The IPv6 address config selected screen is displayed. Press the right-hand navigation button to accept.
Select the required state and press the right-hand navigation button.
The SLAAC configuration completed OK screen is displayed. Press the right-hand navigation button to accept.

Enabling SLAAC on a Connect’s network interface disables the use of static IPv6 addresses on this interface.

Configuring the Remote File System (RFS)

The RFS contains the master copy of the Security World data for backup purposes. The RFS can be a standalone machine, and can also dual role as a client. If the RFS duals as a client, a common file structure serves both the RFS and the configuration files for the client.

See the User Guide for more about the RFS and its contents.

The nShield Connect must be able to connect to TCP port 9004 of the RFS. If necessary, modify the firewall configuration to allow this connection on either the RFS itself, or on a router between the RFS and the nShield Connect, or both.

Obtain the following information about the nShield Connect before you set up an RFS for the first time:

The IP address.

The following nShield Connect information can be obtained automatically (or manually):
The electronic serial number (ESN).
The hash of the K_NETI key (HK_NETI). The K_NETI key authenticates the nShield Connect to clients. It is generated when the nShield Connect is first initialized from factory state.

If your network is secure and you know the IP address of the nShield Connect, you can use the anonkneti utility to obtain the ESN and hash of the K_NETI key by giving the following command on the client computer. For guidance on network security, see the nShield Security Manual.

anonkneti <Unit IP>

In this command, <Unit IP> is the IP address of the nShield Connect, which could be one of the following:

An IPv4 address, for example 123.456.789.123.
An IPv6 address, for example fc00::1.
A link-local IPv6 address, for example, fe80::1%eth0.
A hostname.

The command returns output in the following form:

A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f

In this example output, A285-4F5A-7500 is the ESN and 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the K_NETI key.

Alternatively, you can find this information on the nShield Connect startup screen. Use the touch wheel to scroll to the appropriate information.

When you have the necessary information, set up an RFS and nShield Connect in the following order:

Prepare the RFS by running the following command on that computer:
```
rfs-setup <Unit IP> A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f
```
In this command:
- <Unit IP> is the IP address of the nShield Connect.
- A285-4F5A-7500 is the ESN of the nShield Connect.
- keyhash is the hash of the K_NETI key.
On the nShield Connect display screen, use the right-hand navigation button to select System > System configuration > Remote file system and enter the IP address of the client computer on which you set up the RFS.

Leave the port number at the default setting of 9004.

After you have defined the RFS, the nShield Connect configuration files are exported automatically to it See the User Guide for more about configuration files.

To modify an RFS at a later date, select System configuration > Remote file system, and then select the required action.

Systems configured for Remote Administration

If you are planning to use Remote Administration or to configure NTP, you should enable auto push on the nShield Connect for the client computer you intend to use for configuration.

On the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file options > Setup auto push > Auto push mode and then select CONFIRM. A confirmation message will be displayed.

Once auto push has been enabled, you must specify the IP address of the client from which to push the configuration from. On the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file options > Setup auto push > IP address. Enter the IP address and select CONFIRM. A message will be displayed confirming your chosen IP address. Select CONTINUE.

Once auto push is enabled, you can complete the configuration steps by editing the configuration files, rather than by using the front panel of the nShield Connect. See the User Guide for more about configuration files.

Basic configuration of the client to use the nShield Connect

Client configuration utilities

Entrust provides the following utilities for client configuration:

Utility Description

Utility	Description
`nethsmenroll`	Used to configure the client to communicate with the nShield Connect.
`config-serverstartup`	Used to configure the hardserver of the client to enable TCP sockets.

nethsmenroll

Used to configure the client to communicate with the nShield Connect.

config-serverstartup

Used to configure the hardserver of the client to enable TCP sockets.

nethsmenroll

The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield Connect. If the nShield Connect’s ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield Connect to determine what they are, and requests confirmation.

Usage:

nethsmenroll [Options] --privileged <{product_family} Connect IP> <{product_family} Connect ESN> <{product_family} Connect KNETI HASH>

Options:

-m, --module=MODULE

Specifies the local module number that should be used (default is 0 for dynamic configuration by hardserver).

-p, --privileged

Makes the hardserver request a privileged connection to the nShield Connect (default unprivileged).

-<nShield Connect IP>

The IP address of the nShield Connect, which could be one of the following:

An IPv4 address, for example 123.456.789.123.
An IPv6 address, for example fc00::1.
A link-local IPv6 address, for example fe80::1%eth0.
A hostname.

-r, --remove

Removes the configuration of the specified nShield Connect.

-f, --force

Forces reconfiguration of an nShield Connect already known.

--no-hkneti-confirmation

Does not request confirmation when automatically determining the nShield Connect’s ESN and HKNETI.

This option is potentially insecure and should only be used on secure networks where there is no possibility of a man-in-the-middle attack. For guidance on network security, see the nShield Security Manual.

-V, --verify-nethsm-details

When the ESN and HKNETI have been provided on the command line, verifies that the selected HSM is online, reachable and matches those details.

-P, --port=PORT

Specifies the port to use when connecting to the given nShield Connect (default 9004).

-n, --ntoken-esn=ESN

Specifies the ESN of the nToken to be used to authenticate this client. If the option is omitted, then software authentication will be used instead.

config-serverstartup

The config-serverstartup command-line utility automatically edits the [server_startup] section in the local hardserver configuration file in order to enable TCP ports for Java and KeySafe. Any fields for which values are not specified remain unchanged. After making any changes you are prompted to restart the hardserver.

Run config-serverstartup using the following commands:

config-serverstartup [OPTIONS]

For more information about the options available to use with config-serverstartup, run the command:

config-serverstartup --help

Configuring a client to communicate through an nToken

You can configure a client to use its nToken to communicate with an nShield Connect, if it has one installed. When this happens, the nShield Connect:

Examines the IP address of the client.
Requires the client to identify itself using a signing key.

If an nToken is installed in a client, it can be used to both generate and protect a key that is then used for the impath communication between the nShield Connect and the client. A strongly protected key is used at both ends of the impath as a result.

Enrolling the client from the command line

Complete the following steps to initially configure a client computer to communicate with and use an nShield Connect. See Basic nShield Connect, RFS and client configuration for more about the available options.

Do the following:

On the client, open a command line window, and run the command:
```
nethsmenroll --help
```
To retrieve the ESN and HKNETI of the nShield Connect, run the command:
```
anonkneti <Unit IP>
```
The following is an example of the output:
```
3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320
```
If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield Connect to determine what they are, and requests confirmation.

Do one of the following:

If you are enrolling a client with an nToken installed, run the command:

nethsmenroll --ntoken-esn <nToken ESN> [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

If you are enrolling a client without an nToken installed, run the command:

nethsmenroll [Options] --privileged < Unit IP> < Unit ESN> < Unit KNETI HASH>

The following is an example of the output:

OK configuring hardserver's nethsm imports.

Configure the TCP sockets on the client for Java applications

To configure the TCP sockets on the client for Java applications (for example, KeySafe):

Run the command:

config-serverstartup --enable-tcp --enable-privileged-tcp

Basic configuration of an nShield Connect to use a client

Do the following:

On the nShield Connect front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.

The following screen displays:
```
Client configuration

Please enter your
client IP address:



 CANCEL          NEXT
```
Enter the IP address of the client, and press the right-hand navigation button.

Use the touch wheel to confirm whether you want to save the IP or not, and press the right-hand navigation button.

Client configuration

Do you want to save
the IP in the config?
(No for dynamic client
IPs)
          No
 Back            Next

Use the touch wheel to select the connection type between the nShield Connect and the client.

Client configuration

Please choose the
client permissions

Unprivileged

BACK    NEXT

The following options are available:

Option	Description
Unprivileged	Privileged connections are never allowed.
Priv. on low ports	Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux.
Priv. on any ports	Privileged connections are allowed on all ports.

Option

Description

Unprivileged

Privileged connections are never allowed.

Priv. on low ports

Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux.

Priv. on any ports

Privileged connections are allowed on all ports.

A privileged connection is required to administer the nShield Connect, for example to initialize a Security World. If privileged connections are allowed, the client can issue commands (such as clearing the nShield Connect) which interfere with the normal operation of the nShield Connect. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

When you have selected a connection option, press the right-hand navigation button.

The following screen is displayed:
```
Client configuration

do you want secure
authentication enabled
on this client?

          Yes
 BACK             NEXT
```
The next steps in the configuration process vary slightly depending on whether the client uses an nToken to communicate with the nShield Connect, or not.
Do one of the following:

To enroll the client without secure authentication:
1. Select No and press the right-hand navigation button.
  
  The unit displays a message reporting that the client has been configured.
2. Press the right-hand navigation button again.
To enroll the client with secure authentication:
1. First confirm the nToken authentication key.
2. On the client, open a command line window, and run the command:
  ntokenenroll -H
  The following is an example of the output:
  nToken module #1 nToken ESN:3138-147F-2D64 nToken key hash: 691be427bb125f387686 38a18bfd2eab75623320
3. Ensure that you write down the hash or have it otherwise available for the next steps.
4. On the nShield Connect, enter the number of the port on which the client is listening and press the right-hand navigation button. (The default port is 9004.)
  
  The following is an example of the information displayed by the nShield Connect. This identifies the client by its ESN and displays the reported key hash:
  Client reported the software key hash: 691be427bb125f387686 38a18bfd2eab75623320 Is this EXACTLY right? CANCEL CONFIRM
5. Compare the hash displayed by the nShield Connect with the nToken key hash returned by ntokenenroll.
6. If there is an exact match, press the right-hand navigation button to configure the client. The unit displays a message reporting that the client has been configured. ..Press the right-hand navigation button again.

See the User Guide for more about modifying or deleting an existing client, configuring multiple clients, client licenses, configuring an nShield Connect to use a client with configuration files and auto push, and advanced configuration options.

Restarting the hardserver

In order to establish any configuration changes you may have entered, you must restart the hardserver (also called the nfast server).

Do one of the following to stop and restart the hardserver, according to your operating system:
1. Windows:
  net stop "nfast server" net start "nfast server"
2. Linux:
  /opt/nfast/sbin/init.d-ncipher restart

Zero touch configuration of an nShield Connect

On a serial-enabled nShield Connect (see Model numbers) you can configure the nShield Connect by using the nShield Connect Serial Console rather than the front panel. See the nShield Connect User Guide for more information on the Serial Console.

Once the nShield Connect’s power, Ethernet and serial cables have been connected, to allow zero touch configuration of the nShield Connect (no further use of the front panel required), follow these steps:

Log in to the nShield Connect Serial Console (see the nShield Connect User Guide).
Configure networking on Ethernet Interface #1:
1. Set the IP address and netmask of the interface:
  (cli) netcfg iface=0 addr=0.0.0.0 netmask=0.0.0.0
2. Set the IP address of the gateway for the nShield Connect:
  (cli) gateway 0.0.0.0
  If your network environment requires you to configure static routes you may also use the nShield Connect Serial Console to configure static routes for the nShield Connect at this stage.

Allow configuration files to be pushed to the nShield Connect from a remote computer.

You can optionally set the IP address of the client that is allowed to push config files. By default any IP address that is configured as a client of the nShield Connect is allowed to push configuration files. If you set an IP address you can optionally set the hash of the key with which the authorized client is to authenticate itself (defaults to no key authentication required).

(cli) push ON [IP [KEYHASH]]

Enabling the push feature allows any client computer to change the HSM configuration file and gives the client the power to make configuration changes that are normally only available through the HSM secure user interface.

Once you have setup the nShield Connect for zero touch configuration, everything that can be configured using the front panel, can then be configured remotely using one of the following methods:

The nShield Connect Serial Console.
The cfg-pushnethsm utility to push an updated configuration file to the nShield Connect (see the nShield Connect User Guide). From the configuration file you can configure the RFS, add clients, or change the network configuration.
The nethsmadmin utility (see the nShield Connect User Guide).

Checking the installation

To check that the module is installed and configured correctly on the client:

Log in as a user and open a command window.
Run the command:
```
enquiry
```
For an example of the output following a successful enquiry command. See Enquiry utility.

If you are configuring a client belonging to an nShield Connect, the response to the enquiry command should be populated and the hardware status shown as OK.

If the mode is operational the HSM has been installed correctly.

If the mode is initialization, the HSM has been installed correctly, but you must change the mode to operational.

If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.

Using a Security World

See the User Guide for more about creating a Security World or loading an existing one.

slow	request LACPDUs to be transmitted every 30 seconds
fast	request LACPDUs to be transmitted every 1 second