Remote Administration v12.81 User Guide
Introduction
Remote Administration overview
nShield Remote Administration lets you administer distantly located nShield Solo and Connect Hardware Security Modules (HSMs). It uses the following components to locally manage remote HSMs:
-
Remote Administration Cards — Custom smart cards equipped with a nShield applet.
-
Trusted Verification Devices (TVDs) — nShield smart card readers used with Remote Administration Cards to create a secure connection with the target HSM (includes Type A USB connector).
-
Remote Administration Client (RAC) software — GUI tool running on client laptop or workstation to configure connection to HSM.
-
Remote Administration Service — nShield software that runs on the data center side and enables the connection from Remote Administration Clients to the target HSMs.
Figure 2.1: Remote Administration architecture
nShield Remote Administration creates a secure connection between your remote HSM and your local Remote Administration Cards and TVD, letting you present your quorum of smartcards and administer your HSMs as if physically present with the device. Communicating over your VPN, you control the HSM from a laptop or workstation via remote desktop or secure shell session. Whenever a card is required, for example, when creating a card set or authorizing an operation, an nShield Remote Administration Card is inserted in the appropriate card reader as and when the Security World software instructs you to do so.
The full range of administrative tasks can be carried out from a different location to that of an nShield Connect or nShield Solo. Security World software and utilities are used to manage the HSM, communicating through the remote access solution that your organization normally uses, such as SSH or a remote desktop application.
All card holders need to be able to view the same remote session so they know when to insert their cards. As an alternative, the person running the remote session needs to be able to contact all relevant card holders, to tell them when to insert cards in their TVD, and verify the ESN of the appropriate HSM.
Entrust recommends that you only use an nShield Trusted Verification Device or a standard smart card reader for ISO/IEC 7816 compliant smart cards. The remainder of this guide assumes that you are using an nShield TVD.
Remote Administration Cards
nShield Remote Administration Cards are compliant with FIPS140-2 Level 3. They are capable of negotiating cryptographically secure connections with an HSM, using warrants as the root of trust.
nShield Remote Administration Cards store token shares in a similar way to standard nShield cards, but are also capable of establishing and using a secure connection to communicate token shares.
For a card to be recognized by the system, it must be included in the Authorized Card List, which is used to control Remote Administration access. See the User Guide for your HSM for more information about the Authorized Card List.
Trusted Verification Devices (TVDs)
The TVD provides additional assurance, by requiring you to verify the Electronic Serial Number (ESN) of the relevant HSM, before it is communicated to the nShield Remote Administration Card and a secure connection is established between the card and the HSM.
Multiple TVDs can be associated with a single HSM, up to the maximum number of Dynamic Slots allowed in the HSM configuration. Dynamic Slots are virtual card slots that allow you to associate a TVD with a specific HSM. They are configured by the person responsible for setting up your nShield HSM environment.
A nShield Remote Administration Client can connect to one TVD during a session. This can be selected from multiple readers that may be attached to your computer.
A TVD can only be associated with one HSM during a nShield Remote Administration Client session.
Remote Administration Client (RAC) software
The RAC application resides on your local Windows, Linux-based or OS X computer. This is the RAC icon:
The RAC enables you to:
-
Associate a suitable card reader that is attached to your computer with an nShield HSM in a different location
-
Present an nShield Remote Administration Card to the appropriate HSM using either:
-
A TVD (recommended).
-
A standard smart card reader for ISO/IEC 7816 compliant smart cards.
Only use in line with the security policies of your organization. A standard smart card reader provides no protection from security threats such as, for example, malicious software on your computer.
-
The secure connection between an nShield Remote Administration Card and the target HSM is provided through the Remote Administration Service.
When you start the nShield Remote Administration Client, you:
-
Select the appropriate Remote Administration Service. Hostnames are supported.
-
Select an HSM from a list of all HSMs available through the chosen Remote Administration Service.
-
Select a TVD.
Your local TVD is now associated with the HSM for the duration of the current GUI or command-line session. This means that:
-
A computer equipped with a TVD and the nShield Remote Administration Client can be used to present cards in the data center.
-
A quorum of card holders can assemble in a local office to present their cards, rather than traveling to the data center.
The nShield Remote Administration Client also displays whether the TVD is connected and whether a card is inserted.
Remote Administration Service
The Remote Administration Service runs alongside the appropriate hardserver, which is an nShield-provided software service that controls communication between applications and nShield HSMs.
The hardserver resides on:
-
An nShield Solo host.
-
A Remote File System (RFS), which is also a client of an nShield Connect.
-
A client of an nShield Connect.
The Remote Administration Service:
-
Listens by default on port 9005 for incoming connection requests from nShield Remote Administration Clients. The default port can be changed during system configuration.
-
Supplies a list of available HSMs to the nShield Remote Administration Client.
-
Communicates with the hardserver that is connected to the requested HSM, to establish and maintain an association between the relevant TVD and the HSM.
-
Relays encrypted messages between the relevant HSM and the nShield Remote Administration Card in the reader that is attached to your local computer.
Depending on the hardserver configuration, the Remote Administration Service can associate up to 16 TVDs with each HSM. The default number of devices that can be associated with an HSM is zero.