Server-side preparation tasks
This chapter outlines the tasks required on the server-side that must be completed before the Remote Administration Client can be installed and used.
The Remote Administration Client requires that quorum participants use their cards in a TVD associated with the HSM. The steps involved in meeting this requirement are as follows:
-
Remote Administration Service has been enabled.
-
If the HSM and the associated Security World are being installed the first time, install the HSM and, as part of the overall installation process, install the Remote Administration Service bundle (
raserv
). For installation instructions, follow the Installation Guide of the HSM. -
If the HSM and the associated Security World are already installed but Remote Administration was not installed:
-
You have to re-install the Security World software. See Prepare an existing Security World installation for Remote Administration.
-
If ACS cards are already in use but they are not labeled Remote Administrator Ready, then the cards have to be migrated to Java cards before they can be used via a Remote Administration Client.
-
-
-
Cards have been enabled for use through RAC. See Edit the cardlist file to enable cards for use through RAC.
-
Dynamic slots have been configured so that cards can be presented remotely. See Set up dynamic slots.
In some cases, the steps are covered in more detail in the User Guide for your HSM. These are referenced in the appropriate section. We recommend you have the User Guide available to you at the same time as reviewing the Remote Administration setup steps. |
Prepare an existing Security World installation for Remote Administration
If you need to enable the Remote Administration Service into an existing system:
-
Ensure the HSM firmware is compatible with Remote Administration.
-
For Solo HSMs only: Ensure the nShield Solo+/ XC HSM is warranted with a KLF2 warrant.
-
For Connect HSMs only: Connect HSM can also accept a configuration from a remote computer, see Enable auto push on nShield Connect.
Ensure the HSM firmware is compatible with Remote Administration
You can confirm current firmware version via the enquiry
command.
In section Module, look for version and check it against the information in Compatibility with nShield firmware and Security World releases.
If the firmware needs upgrading, follow the instructions relevant to the HSM:
Upgrade the nShield Connect image file and firmware using the front panel
Important: If you upgrade your nShield Connect firmware you must make sure that you have a working quorum of Administrator Cards, as you will need to reload your Security World back onto the HSM once the firmware has been upgraded. If you cannot provide the required quorum from the ACS do not perform a firmware upgrade! |
-
From the main menu on the nShield Connect front panel, select System > Upgrade system.
-
Confirm that you want to upgrade the image file and/or firmware.
-
Verify the image version, HSM (firmware) version, and image VSN that are displayed, and confirm the upgrade when prompted. If in doubt contact nShield support for assistance in determining the correct version to use.
-
When the image file and/or firmware upgrade is complete, the front panel may be slow to respond. We recommend a full power off and power on to complete the upgrade procedure and to restore optimum front panel responsiveness. This may need to be repeated for a second time if the front panel seems slow to respond.
-
On the front panel select System > Shutdown/Reboot > Shutdown.
-
Switch the power supplies, at the rear of the nShield Connect, to 0, then back to 1.
-
Upgrade the nShield Connect image file and firmware from privileged client
-
Use the
nethsmadmin
utility to list the nethsm image files on the RFS. Run the command:Linux:
#/opt/nfast/bin/nethsmadmin --module=MODULE --rfs=RFS_IP --list-images
Windows:
C:\Program Files\nCipher\nfast\bin>nethsmadmin --module=MODULE --rfs=RFS_IP --list-images
In this command:
-
RFS_IP specifies the IP address of the RFS.
-
-
If the image file you require is not on the RFS, copy the directory that contains the required image file to the following directory on the RFS:
%NFAST_HOME%\nethsm-firmware
-
Use the
nethsmadmin
utility to make the nShield Connect use a specific image file from the RFS. Run the command:nethsmadmin --module=MODULE --upgrade-image=image_name
In this command:
-
MODULE specifies the HSM to use, by its ModuleID (default = 1)
-
image_name specifies the image file to use from the RFS
image_name must be the path to the image file that is displayed when you execute the nethsmadmin
command with the--list-images
option. Errors are reported if you use either just the image name, or the full path.The following is an example of the output:
nethsmadmin --upgrade-image=nethsm-firmware/12-60-2-latest/nCx3N.nff Initiating appliance image upgrade using file nethsm-firmware/12-60-2-latest/nCx3N.nff Upgrade operation state changed to: Image Transfer Initiated Upgrade operation state changed to: Image Transferred Upgrade operation state changed to: Image Verified Not able to contact appliance because of reason(23): CrossModule,#1-NetworkError Upgrade operation final state: Image Verified Image upgrade completed. Please wait for appliance to reboot. Please wait for approximately half an hour for the appliance to internally upgrade.
The following line is expected as the Connect temporarily severs its network connection whilst it performs certain sensitive activities such as a firmware upgrade. No action is required.
Not able to contact appliance because of reason(23): CrossModule,#1-NetworkError
If the nShield Connect suffers a loss of power while you are upgrading the image file and/or internal module firmware, you should exit the nethsmadmin
utility and try to restart the process at Step 1, once power has been restored to the HSM.
-
-
Run the
enquiry
command-line utility to verify the HSM is in operational state and has the correct firmware version. In Operational mode, theenquiry
command-line utility shows the version number of the firmwareLinux:
/opt/nfast/bin/enquiry
Windows:
C:\Program Files\nCipher\nfast\bin>enquiry.exe
Upgrade the nShield Solo firmware
-
Sign in to the host as an Administrator.
-
Put the HSM in Maintenance mode and reset the HSM.
For information on changing the mode, see the nShield Edge and nShield Solo User Guide Appendix, Checking and changing the mode on an nShield Solo module. -
Run the following command-line utility to check that the HSM is in the pre-maintenance state.
Linux:
/opt/nfast/bin/enquiry
Windows:
C:\Program Files\nCipher\nfast\bin>enquiry
If the nShield Solo HSM is still in the operational state, it means that the override switch is on. Refer to the installation instructions in the nShield Edge and nShield Solo Installation Guide for information on accessing the override switch and switching it off. -
Locate the firmware folder on the installation media in the firmware directory. For example:
Linux:
/tmp/firmware/FW_VERSION
Windows:
E:\firmware\FW_VERSION
-
Load the new firmware:
Linux:
/opt/nfast/bin/loadrom –m1 /tmp/firmware/FW_Version/ncx3p-xx.nff
Windows:
C:\Program Files\nCipher\nfast\bin>loadrom –m1 E:\firmware\FW_VERSION\ncx3p-xx.nff
The upgrade may take a while to complete, during which time no activity will be observed. Wait at least five minutes before proceeding unless you are informed the upgrade has completed successfully beforehand.
-
Solo XC only:
Reboot the Solo XC for the firmware upgrade to take effect.
Linux:
-
Bare metal environments:
With the module in Maintenance mode, run the following command to reboot the Solo XC.
nopclearfail -S -m<module_number>
Wait for the Solo XC to reboot, which will take about ten minutes on a host machine running Linux.
The module has completed rebooting when running enquiry no longer shows the module as Offline.
-
Virtual environment hosts:
Reboot the Solo XC by rebooting the system that is hosting the Solo XC.
Windows:
With the module in Maintenance mode, reboot the Solo XC for the firmware upgrade to take effect. To do this, reboot the system that is hosting the Solo XC.
Wait for the Solo XC to reboot. The module has completed rebooting when running enquiry no longer shows the module as Offline.
-
-
Put the HSM in Initialization mode and reset the HSM:
Linux:
/opt/nfast/bin/initunit
Windows:
C:\Program Files\nCipher\nfast\bin>initunit
-
Put the HSM into Operational mode.
-
Run the
enquiry
command-line utility to verify the HSM is in operational state and has the correct firmware version. In Operational mode, theenquiry
command-line utility shows the version number of the firmware.
Re-install the Security World software
Ensure that you select to install the Remote Administration Service package. The new installation will create the user roles, etc. that are required for Remote Administration. For re-installation instructions, follow the Installation Guide of the HSM
Ensure the nShield Solo+/ XC HSM is warranted with a KLF2 warrant
-
Confirm that a warrant is installed and that it is a KLF2 warrant.
nfwarrant.exe --check
-
If no warrant exists or it is a KLF1 one, generate a certificate signing request:
nfwarrant.exe --csr --req=esn_of_module
-
Supply the certificate signing request to Entrust nShield Support who will then issue you a warrant for use with the specified HSM.
-
Warrant the HSM, see the nShield Solo User Guide.
Enable auto push on nShield Connect
-
From the nShield Connect front panel main menu, select System configuration > Config file options > Allow auto push.
-
Select IPv4 then specify the IP address of the computer from which to accept the configuration.
-
Make sure that port 9005 is open for incoming connection requests from the nShield Remote Administration clients.
Edit the cardlist file to enable cards for use through RAC
-
Go to the following folder on the RFS:
Linux:
#/opt/nfast/kmdata/config
Windows:
C:\ProgramData\nCipher\Key Management Data\config
-
Open the
cardlist
file in a text editor.Add * to authorize all Smartcards for Remote Administration. If only certain cards are authorized for this use, list them by their serial number:
4286005559064791 4286005559064792 4286005559064793
-
Copy the updated
cardlist
file from the RFS to all clients.
Set up dynamic slots
Set up dynamic slots using the nShield Connect HSM front panel
-
Use the nShield Connect front panel controls to navigate to Security World mgmt > Set up dynamic slots > Dynamic slots and follow the instructions on the screen.
OR
Use the dynamic_slots section in the client configuration file to define the number of dynamic slots for each relevant HSM.
-
Clear the HSM for the changes to take effect, run the
nopclearfail
command or press the Clear button on the front of the unit. The-a
option clears all enrolled HSMs.Linux:
#/opt/nfast/bin/nopclearfail -c -a
Windows:
C:\Program Files\nCipher\nfast\bin>nopclearfail.exe -c -a
The following message is displayed:
Module 1, command ClearUnit: OK Module 2, command ClearUnit: OK
-
Check if dynamic slots appear by running the
slotinfo
command:Linux:
#/opt/nfast/bin/slotinfo -m2
Windows:
C:\Program Files\nCipher\nfast\bin>slotinfo.exe -m2
The following message is displayed:
Module 2: Slot Type Token IC Flags Details #0 Smartcard present 1 A #1 Software Tkn - 0 #2 Smartcard - 0 AD #3 Smartcard - 0 AD
The dynamic slots are identified with the D flag in the example above, slots 2 and 3.
Set up dynamic slots for nShield Connect remotely via config push option
In the following example the RFS server is being used as remote push computer. For setting up autopush, see Enable auto push on nShield Connect.
-
Sign in to the RFS machine as a privileged user.
-
Create a copy of the configuration file as
config.new
, from the RFS in the following directory on the remote computer.Linux:
/opt/nfast/kmdata/hsm-ESN/config
Windows:
C:\Program Data\nCipher\nfast\kmdata\hsm-ESN\config
In the example below, following config file copied as
config.new
./opt/nfast/kmdata/hsm-49D5-C944-F159/config/config.new
-
Edit the
config.new
file so that it contains the required configuration for dynamic_slots as shown below:[dynamic_slots] # Start of the dynamic_slots section # The dynamic smartcard slots that the modules should provide for the use of # administrators who do not have physical access to the module hardware # Each entry has the following fields: # # ESN of the module to be configured with dynamic slots. # esn=ESN # # Number of dynamic slots the module will support. (default=0) # slotcount=INT esn=esn_number slotcount=2
-
Run the
cfg-pushnethsm
utility on the updated configuration file, specifying the updated file and the IP address of the nShield Connect to load the new configuration. To do this, use a command similar to the following:cfg-pushnethsm --address=<module_IP_address> <full_path_to_config_file>
In this command, <module_IP_address> is that of the nShield Connect on which to load the configuration and <full_path_to_config_file> is the path to, and name of the updated configuration file.
For example:
/opt/nfast/bin/cfg-pushnethsm –address 192.168.156.30 /opt/nfast/kmdata/hsm-49D5-C944-F159/config/config.new
-
Check that the configuration file on the RFS has been updated with the dynamic_slots changes. This can be confirmed using the timestamp on the updated config file.
-
Clear the HSM for the changes to take effect, run the
nopclearfail
command:#/opt/nfast/bin/nopclearfail -c -a Module 1, command ClearUnit: OK Module 2, command ClearUnit: OK
-
Check if dynamic slots appear by running the
slotinfo
command:#/opt/nfast/bin/slotinfo –m2 Module 2: Slot Type Token IC Flags Details #0 Smartcard present 1 A #1 Software Tkn - 0 #2 Smartcard - 0 AD #3 Smartcard - 0 AD
Set up dynamic slots for nShield Solo
-
Sign in into the computer where the nShield Solo HSM is installed, as privileged user.
-
Navigate to the following folder from the terminal.
Linux:
/opt/nfast/kmdata/config/
Windows:
C:\Program Data\nCipher\nfast\kmdata\config
-
Edit the config file so that it contains the required configuration for dynamic_slots as shown below:
[dynamic_slots] # Start of the dynamic_slots section # The dynamic smartcard slots that the modules should provide for the use of # administrators who do not have physical access to the module hardware # Each entry has the following fields: # # ESN of the module to be configured with dynamic slots. # esn=ESN # # Number of dynamic slots the module will support. (default=0) # slotcount=INT esn=esn_number slotcount=2
To add multiple ESN and slot count entries, separate them by four dashes:
esn=esn_number_1 slotcount=2 ---- esn=esn_number_2 slotcount=2
-
Clear the HSM for the changes to take effect, run the
nopclearfail
command:Linux:
#/opt/nfast/bin/nopclearfail -c -a
Windows:
C:\Program Files\nCipher\nfast\bin>nopclearfail.exe -c -a
The following message will be displayed:
Module 1, command ClearUnit: OK Module 2, command ClearUnit: OK
-
Check if dynamic slots appear by running the
slotinfo
command:#/opt/nfast/bin/slotinfo –m1 Module 1: Slot Type Token IC Flags Details #0 Smartcard present 1 A #1 Software Tkn - 0 #2 Smartcard - 0 AD #3 Smartcard - 0 AD
Map dynamic slots to slot #0
You must have a working initialized Security World before you can map slots to Slot #0. Some APIs require that all tokens be loaded to Slot #0 e.g. PKCS#11.
To map a dynamic slot to slot 0 from the front panel of an nShield Connect:
-
From the menu navigate to Security World mgmt [3] > Set up dynamic slots [3-9] > Slot mapping and set the required dynamic slot to exchange for slot 0.
-
Clear the HSM after initiating the change.
-
If you want to set slot mapping using the nShield Connect configuration file, make sure that you have enabled Allow autopush for the nShield Connect.
-
Navigate to the nShield Connect configuration file
%NFAST_KMDATA%\HSM-ESN
(for example,C:\ProgramData\nCipher\Key Management Data\hsm-HSM-ESN\config\config
) and open it using your preferred test editor. Look for:[slot_mapping] # Start of the slot_mapping section # Slot remapping configuration. # Each entry has the following fields: # # ESN of the module on which slot 0 will be remapped with another. # esn=ESN # # Slot to exchange with slot 0. Setting this value to 0 means do # nothing.(default=0) # slot=INT
-
Uncomment the esn and slot entries and enter the relevant nShield Connect ESN and the number of the slot you want to mark as slot #0 (e.g. 2).
-
Save the file as
config.new
. -
Push the
config.new
file to the nShield Connect using the following command:cfg-pushnethsm.exe -a Connect_IP_address full_path_to_the_config.new_file
-
Execute the
nopclearfail -c -mx
command, where x is the number of the nShield Connect module.