Basic HSM, RFS and client configuration

This chapter describes the initial nShield Connect, RFS and client computer configuration steps. For more about:

  • Security World Software installation and options, see Installing the software.

  • Installing the optional nToken, see the nToken Installation Guide.

  • The menu options, see Top-level menu.

  • Advanced nShield Connect and client configuration options, see the nShield Connect User Guide.

An installation has only one RFS, but may have one or more clients. The RFS can also act as a client. Before you continue with the following configuration, the RFS and every client must have the Security World Software installed, see Installing the software.

About nShield Connect and client configuration

An nShield Connect and a client communicate using their hardservers. These handle secure transactions between the HSM and applications that run on the client. You must configure:

  • Each client hardserver to communicate with the hardserver of the nShield Connect that it needs to use.

  • The nShield Connect hardserver to communicate with the hardserver of the clients that are allowed to use it.

Multiple nShield HSMs can be configured to communicate with one client, just as multiple clients can be configured to communicate with one nShield Connect.

Remote file system (RFS)

Each nShield Connect must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield Connect needs. See the nShield Connect User Guide for more information about the RFS.

HSM configuration

The current configuration files for the hardserver of an nShield Connect are stored in its local file system. These files are automatically:

  • Updated when the nShield Connect is configured.

  • Exported to the appropriate RFS directory.

Each nShield Connect in a Security World has separate configuration files on the RFS. See the nShield Connect User Guide for more about nShield Connect configuration files and advanced configuration options.

Client configuration

The current configuration files for the hardserver of a client are stored in its local file system.

See the nShield Connect User Guide for more about client configuration files and advanced configuration options.

The following steps assume that you have added the path %NFAST_HOME%\bin (Windows) or /opt/nfast/bin/ (Linux) to the PATH system variable.

Basic nShield Connect and RFS configuration

After installing the Security World Software and the nShield Connect, you need to do the following:

  • Configure the nShield Connect Ethernet interfaces.

  • Configure the RFS.

You should complete the RFS tasks before:

  • Configuring the nShield Connect and client to work together.

  • Creating a Security World and an Operator Card Set (OCS). See the nShield Connect User Guide for more about creating a Security World and the OCS.

Configuring the Ethernet interfaces - IPv4 and IPv6

An nShield Connect communicates with one or more clients over an Ethernet network. You must supply IP addresses for the nShield Connect and the client. Contact your system administrator for this information if necessary.

There are two network interfaces on the nShield Connect. Three configurations are supported:

  • Single network interface.

  • Two independent network interfaces.

    You must connect the interfaces to physically different networks.

  • The two network interfaces combined as a bond interface.

    The bond interface can use:

    • Active backup mode.

    • 802.3ad mode (requires a switch that supports 802.3ad).

You can configure the nShield Connect using the front panel Network config menu or by pushing a configuration file to the nShield Connect over the network. The following can be configured:

  • Interface addresses

  • Bond

  • Default gateway

  • Network routes

  • Network speed.

If the nShield Connect is already configured, you can update the displayed values.

If you ever change any of the IP addresses on the nShield Connect, you must update the configuration of all the clients that work with it to reflect the new IP addresses.

By default, the hardserver listens on all interfaces. However, you can choose to set specific network interfaces on which the hardserver listens. This may be useful in cases such as if one of the Ethernet interfaces is to be connected to external hosts. See the nShield Connect User Guide for more information.

IPv4 and IPv6

Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:

  • IPv4 only

  • IPv4 and IPv6

  • IPv6 only.

Interface #1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled.

IPv6 addresses

An IPv4 address is 32 bits long and typically represented as 4 octets, for example 192.168.0.1. An IPv6 address is 128 bits long and is made up of a subnet prefix (n bits long) and an interface ID (128 - n bits long).

An IPv6 address and its associated subnet is typically represented by the notation ipv6-address/prefix-length, where:

  • ipv6-address is an IPv6 address represented in any of the notations described below.

  • prefix-length is a decimal value specifying how many of the leftmost contiguous bits of the address make up the prefix.

The IPv6 address notation mirrors the way subnets are represented in the IPv4 Classless Inter-Domain Routing (CIDR) notation.

IPv6 address notation

An nShield Connect accepts an IPv6 address if it is entered in one of the forms shown below and if the address is valid for the context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings:

  • The long representation is x:x:x:x:x:x:x:x, where each x is a field containing hexadecimal characters (0 to ffff) for each 16 bits of the address.

    For example:

    1234:2345:3456:4567:5678:6789:789a:89ab

    1234:5678:0:0:0:0:9abc:abcd/64

  • If one or more consecutive fields are 0 then they can be replaced by ::.

    For example:

    1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64

    :: can only appear once in an IPv6 address.

Unless the address is a link-local address, the nShield Connect front panel only allows lower-case letters in an IPv6 address.

IPv6 addresses keyed manually on the nShield Connect front panel are validated on entry by the nShield Connect. As well as checking that the format of the address is correct, the nShield Connect also validates that the address entered is valid for the context in which it will be used, see Acceptable IPv6 address by use case.

If Stateless Address Auto Configuration (SLAAC) is enabled, the nShield Connect automatically forms IPv6 addresses from the network prefixes contained in Router Advertisements (RAs). RAs are received directly by the nShield Connect operating system, which forms an IPv6 address by combining each advertised prefix with the MAC address of the receiving Ethernet interface. Because they are created by the operating system, SLAAC addresses are not subject to the validation rules applied to addresses entered on the front panel. If SLAAC is used in preference to statically entered addresses, network planners must ensure that the prefixes advertised to the nShield Connect are of a suitable type, see Acceptable IPv6 address by use case.

IPv6 compliance

The front panel sub-menu 1-1-1-9 (Set IPv6 compliance) lets you select an IPv6 compliance mode for the nShield Connect: USGv6 or IPv6 Ready.

Both these modes change the settings of the nShield Connect firewall so that it passes through packets that are discarded in the normal Default mode. This behaviour is required for compliance testing but is not recommended for normal use, because allowing packets with invalid fields or parameters through the firewall increases the attack surface. When either USGv6 or IPv6 Ready is selected, a confirmation message is displayed to reduce the likelihood of enabling it by accident.

It is recommended that the IPv6 compliance mode is set to Default for all normal operations.

Acceptable IPv6 address by use case

The types of IPv6 address that are acceptable in each context are given in the table below. For examples of valid IPv6 addresses, see Valid IPv6 Addresses.

Use case                       Acceptable address types
-----------------------------  ---------------------------------------------------
Static IPv6 Address Entry      Global Unicast, Local Unicast
IPv6 Default Gateway           Global Unicast, Local Unicast, Link-local
IPv6 Route Entry - IP Range    Unknown, Loopback, Global Unicast, Local Unicast,
                               Link-local, Teredo, Benchmarking, Orchid, 6to4,
                               Documentation, Multicast
IPv6 Route Entry - Gateway     Global Unicast, Local Unicast, Link-local
RFS Address                    Global Unicast, Local Unicast
Client Address                 Global Unicast, Local Unicast
Push Client Address            Global Unicast, Local Unicast
Ping                           Unknown, Loopback, Global Unicast, Local Unicast,
                               Link-local, Teredo, Benchmarking, Orchid, 6to4,
                               Documentation, Multicast
Traceroute                     Unknown, Loopback, Global Unicast, Local Unicast,
                               Link-local, Teredo, Benchmarking, Orchid, 6to4,
                               Documentation, Multicast
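The notation rules and the acceptable-type table above can be checked before an address is keyed on the front panel. The following is an added example for this guide, not Entrust code: it parses an address as typed on the front panel (hex fields, a single "::", lower-case letters unless the address is link-local, an optional prefix length), names its type in the table's vocabulary, and checks that type against the use case. The prefix ranges used to recognise each type (the IANA special-purpose allocations, for example 2001::/32 for Teredo and fc00::/7 for Local Unicast) are an assumption about how the unit classifies addresses; the guide does not state them.

```python
"""Check an IPv6 address against the nShield Connect front-panel rules.

Added example for this guide, not Entrust code. The type names, use-case
names and acceptable-type sets are transcribed from the table above; the
prefix ranges used to recognise each type are the IANA special-purpose
allocations and are an assumption about how the unit classifies addresses.
"""
import ipaddress
import re

# Most specific ranges first: everything from 2001::/32 to 2001:db8::/32 lies
# inside 2000::/3, so it must be tested before the Global Unicast catch-all.
_TYPE_RANGES = [
    ("Loopback",       ipaddress.ip_network("::1/128")),
    ("Teredo",         ipaddress.ip_network("2001::/32")),
    ("Benchmarking",   ipaddress.ip_network("2001:2::/48")),
    ("Orchid",         ipaddress.ip_network("2001:10::/28")),  # ORCHID (RFC 4843)
    ("Orchid",         ipaddress.ip_network("2001:20::/28")),  # ORCHIDv2 (RFC 7343)
    ("Documentation",  ipaddress.ip_network("2001:db8::/32")),
    ("6to4",           ipaddress.ip_network("2002::/16")),
    ("Global Unicast", ipaddress.ip_network("2000::/3")),
    ("Local Unicast",  ipaddress.ip_network("fc00::/7")),
    ("Link-local",     ipaddress.ip_network("fe80::/10")),
    ("Multicast",      ipaddress.ip_network("ff00::/8")),
]

_BASIC = {"Global Unicast", "Local Unicast"}
_WITH_LINK_LOCAL = _BASIC | {"Link-local"}
_ANY = {name for name, _ in _TYPE_RANGES} | {"Unknown"}

# Use case -> acceptable types, as in the table above.
ACCEPTABLE = {
    "Static IPv6 Address Entry": _BASIC,
    "IPv6 Default Gateway": _WITH_LINK_LOCAL,
    "IPv6 Route Entry - IP Range": _ANY,
    "IPv6 Route Entry - Gateway": _WITH_LINK_LOCAL,
    "RFS Address": _BASIC,
    "Client Address": _BASIC,
    "Push Client Address": _BASIC,
    "Ping": _ANY,
    "Traceroute": _ANY,
}

_SYNTAX = re.compile(r"^[0-9a-fA-F:]+(?:/\d{1,3})?$")


def parse_entry(text):
    """Return (IPv6Address, prefix_length or None) or raise ValueError.

    Textual rules from the guide: hex fields separated by ':', '::' at most
    once, lower-case letters unless the address is link-local, and an
    optional /prefix-length between 0 and 128.
    """
    if not _SYNTAX.match(text):
        raise ValueError("only hex digits, ':' and an optional /prefix are allowed")
    addr_text, _, prefix_text = text.partition("/")
    if addr_text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    try:
        addr = ipaddress.IPv6Address(addr_text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(str(exc)) from None
    if addr_text != addr_text.lower() and not addr.is_link_local:
        raise ValueError("the front panel accepts lower-case hex letters only")
    prefix = int(prefix_text) if prefix_text else None
    if prefix is not None and not 0 <= prefix <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    return addr, prefix


def classify(addr):
    """Name the address type using the table's vocabulary."""
    if isinstance(addr, str):
        addr = ipaddress.IPv6Address(addr)
    for name, net in _TYPE_RANGES:
        if addr in net:
            return name
    return "Unknown"   # e.g. '::' or other reserved space


def check(use_case, text):
    """Return (accepted, reason) for entering `text` in the given context."""
    try:
        addr, prefix = parse_entry(text)
    except ValueError as exc:
        return False, f"syntax: {exc}"
    kind = classify(addr)
    shown = f"{addr}/{prefix}" if prefix is not None else str(addr)
    if kind in ACCEPTABLE[use_case]:
        return True, f"{shown} is {kind}: acceptable for {use_case}"
    return False, f"{shown} is {kind}: not acceptable for {use_case}"


if __name__ == "__main__":
    for case, entry in [("Static IPv6 Address Entry", "fd00:10::1/64"),
                        ("Static IPv6 Address Entry", "fe80::1"),
                        ("IPv6 Default Gateway", "FE80::1"),
                        ("Static IPv6 Address Entry", "FD00:10::1"),
                        ("IPv6 Route Entry - IP Range", "2001:db8::/32"),
                        ("RFS Address", "1234:5678::9abc::1")]:
        print(check(case, entry))
```

The same address is accepted in one context and refused in another: fe80::1 is a valid default gateway but not a valid static interface address, and a documentation prefix such as 2001:db8::/32 can be entered as a route range but not as the RFS address. The ordering of _TYPE_RANGES matters, because the Teredo, Benchmarking, Orchid and Documentation ranges all sit inside the Global Unicast block.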

Stateless address auto-configuration (IPv6 only)

Unlike IPv4, IPv6 is designed to be auto-configuring. SLAAC is a mechanism by which IPv6 hosts configure their addresses automatically when connected to an IPv6 network, using the Neighbour Discovery Protocol (NDP). Using NDP, IPv6 hosts solicit advertisements from on-link routers and use the network prefixes contained in the advertisements to generate their IPv6 addresses.

SLAAC is disabled by default in an nShield Connect, but can be selectively enabled for each Ethernet interface either using the nShield Connect front panel or by setting the appropriate configuration item and pushing an nShield Connect configuration file.

Configure Ethernet interface #1

To set up Ethernet interface #1 (default):

Enable/disable IPv4

To enable/disable IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable.

    The following screen displays:

    Network configuration
    
    IPv4 enable/disable:
    
    ENABLE
    
    CANCEL    FINISH
  2. Set the ENABLE/DISABLE field to the required option.

  3. To accept, press the right-hand navigation button.

Set up IPv4 static address

To set up IPv4 static address:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > Static IPv4 address.

    The following screen displays:

    Network configuration
    
    Enter IPv4 address
    for interface #1:
         0.  0.  0.  0
    Enter netmask:
         0.  0.  0.  0
    CANCEL           NEXT
  2. Set each field of the IP address and netmask for the interface (press the Select button to move to the next field).

  3. Once all fields have been set, press the right-hand navigation button to continue.

  4. To accept the changes, press the right-hand navigation button and then CONTINUE to go back to the Static IPv4 address menu.

Enable/disable IPv6

To enable/disable IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6.

    The following screen displays:

    Network configuration
    
    IPv6 enable/disable:
    DISABLE
    
    CANCEL    FINISH
  2. Set the ENABLE/DISABLE field to the required option.

  3. To accept, press the right-hand navigation button.

Set up IPv6 static address

To set up IPv6 static address:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.

    The following screen is displayed:

    Network configuration
    Do you want to use a
    static address or
    SLAAC?

    Select static and press the right-hand navigation button.

    Then, select Static IPv6 address and press the right-hand navigation button.

    The following screen displays:

    Network configuration
    Enter IPv6 address
    For interface #1:
    
    
    
    CANCEL    NEXT
  2. Enter the required IPv6 address.

  3. When the IPv6 address is correct, press the right-hand navigation button. The following screen displays:

    Network configuration
    IPv6 address
    xxxx:xxxx:xxxx:xxxx:
    xxxx:xxxx:xxxx:xxxx
    
    Enter prefix length:
    64
    
    BACK    NEXT
  4. When the IPv6 address prefix details are correct, press the right-hand navigation button.

  5. You are asked whether you wish to accept the new interface. To accept, press the right-hand navigation button.

Enabling a static IPv6 address on an HSM network interface disables SLAAC on that interface. See Enable IPv6 SLAAC for SLAAC addresses.

To set up the link speed for interface #1:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Set link speed for #1.

  2. The following screen displays:

    Network configuration
    
    Select desired link
    speed:
    auto / 1Gb
    
    CANCEL    NEXT

    You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX.

    Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected. On the nShield Connect, selecting auto / 1Gb is the only means of achieving 1Gb link speed.
  3. Press the right-hand navigation button and you will be returned to the Set up interface #1 screen and you can then continue with the configuration.

Configure Ethernet interface #2

To set up the Ethernet interface #2, if required:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #2.

  2. Enter the details for interface #2 in the same manner that you entered the details for interface #1.

  3. Once the interface #2 details have been entered you need to explicitly enable interface #2. Select System > System configuration > Network config > Set up interface #2 > Enable/Disable Int #2.

  4. The following screen displays:

    Network configuration
    
    Interface #2
    DISABLE
    
    CANCEL    FINISH
  5. Select the ENABLE option.

  6. Press the right-hand navigation button to accept. A screen similar to that used for interface #1 is displayed.

Configure an Ethernet bond interface

Enable or disable the use of a bond interface

  1. From the front panel menu, select System > System configuration > Network config > Set up bond > Enable/disable bond.

    The following screen displays:

    Network configuration
    
    Bond Interface
    
    DISABLE
    
    CANCEL    FINISH
  2. Set the ENABLE/DISABLE field to the required option.

  3. To accept, press the right-hand navigation button.

Set up a bond interface

  1. From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond.

    The following screen displays:

    Bond interface config
    will use the eth0
    IPv4 and IPv6 config
    if they are enabled
    
    CANCEL    NEXT
  2. Press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    mode: 802.3ad
    
    BACK    NEXT
  3. Set the mode field to the required option, either 802.3ad or active-backup.

  4. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    miimon: 100
    
    BACK    NEXT
  5. Set the miimon field to the required value, the range is 0 - 10000 milliseconds.

    Setting the miimon value to 0 disables it. This can prevent the bonding resilience from functioning correctly in active-backup mode.

  6. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    lacp_rate: slow
    
    only valid for
    802.3ad (LACP) mode
    
    BACK    NEXT
  7. Set the lacp_rate field to the required option, either slow or fast.

    This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.

    slow

    request LACPDUs to be transmitted every 30 seconds

    fast

    request LACPDUs to be transmitted every 1 second

  8. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    xmit hash policy:
    layer2
    
    only valid for
    802.3ad (LACP) mode
    
    BACK    NEXT
  9. Set the xmit hash policy field to the required option.

    This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.

    Options:

    • layer2

    • encap2+3

    • layer2+3.

  10. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    primary device: eth0
    
    only valid for
    active-backup mode
    
    BACK    NEXT
  11. Set the primary device field to the required option, either eth0 or eth1.

    This parameter is only valid for active backup mode. This setting is ignored in other modes.

  12. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    resend igmp: 1
    
    only valid for
    active-backup mode
    
    BACK    NEXT
  13. Set the resend igmp field to the required value. Range: 0 - 255.

    This parameter is only valid for active backup mode. This setting is ignored in other modes.

  14. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    
    Are you sure you wish
    to change the config ?
    
    CANCEL    CONFIRM
  15. To accept and apply changes to the bond config, press the right-hand navigation button.

    The following confirmation screen displays:

    Bond interface
    config completed OK
    
    CONFIRM

Default gateway

Set default gateway for IPv4

To set a default gateway for IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway.

    The following screen is displayed:

    Gateway configuration
    
    Enter IPv4 address of
    the default gateway:
    
    0. 0. 0. 0
    
    CANCEL    NEXT
  2. Enter the IPv4 address of the default gateway.

  3. Press the right-hand navigation button NEXT and then FINISH to accept.

Set default gateway for IPv6

To set a default gateway for IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv6 gateway.

    The following screen is displayed:

    Gateway configuration
    
    Enter IPv6 address of
    the default gateway:
    
    
    
    CANCEL    NEXT

    Enter the address for the gateway. Press the right-hand navigation button. The following screen is displayed if the address entered was a link-local address:

    Gateway configuration
    
    Select an interface for link-local address:
    
    ::
    
    CANCEL    NEXT

    Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

Set up Routing

Set up routing for IPv4

To set a new route entry for IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv4 route entry.

    The following screen is displayed:

    Edit route entry
    
    Enter IP range
    and mask length:
    0.  0.  0.  0/ 0
    Enter the gateway:
    0.  0.  0.  0
    
    CANCEL    FINISH
  2. Enter the IPv4 address range details for the route. Press the right-hand navigation button to accept.

Set up routing for IPv6

To set a new route entry for IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv6 route entry.

    The following screen is displayed:

    Edit route entry
    
    Enter the IP range
    and prefix length:
    ::/64
    
    CANCEL    NEXT
  2. Enter the IPv6 address range details for the route. Press the right-hand navigation button to accept. The following screen is displayed:

    Edit route entry
    xxxx:xxxx:xxxx:xxxx:
     xxxx:xxxx:xxxx:xxxx
     /xxx
    
    Enter the gateway:
    ::
    
    
    BACK    NEXT
  3. Enter the gateway address; if it is a link local address, the following screen is displayed.

    Edit route entry
    
    Select an interface
    for link-local address:
    fe80:xxxx:xxxx:xxxx:
    xxxx:xxxx:xxxx:xxxx
      Interface #1
    BACK    NEXT
  4. Select the interface for the IPv6 gateway and press the right-hand navigation button to accept.

  5. If the new IPv6 route entry is incorrect, an error message is displayed on the next screen. Select BACK to return to the route entry screen and enter the route again.

Edit route entry

Edit IPv4 route entry

To edit a route entry for IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.

    The following screen is displayed:

    ►  1. 1. 1. 1/ 1
    3. 3. 3. 3/ 3
    1111:1111:1111:1111:
    1111:1111:1111:1111
     /128
    
    BACK    SELECT
  2. Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is displayed:

    Edit route entry
    
    Enter the IP range
    and mask length:
    1. 1. 1. 1/ 1
    Enter the gateway
    2. 2. 2. 2
    CANCEL    FINISH
  3. Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.

Edit IPv6 route entry

To edit a route entry for IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.

    The following screen is displayed:

    Edit route entry
    ►  1. 1. 1. 1/ 1
    3. 3. 3. 3/ 3
    1111:1111:1111:1111:
    1111:1111:1111:1111
    /128
    
    
    BACK    SELECT
  2. Select the IPv6 route to be edited. Press the right-hand navigation button. The following screen is displayed:

    Edit route entry
    
    Enter the IP range
    and prefix length:
    1111:1111::1111:1111:
     1111:1111:1111:1111/128
    
    CANCEL    NEXT
  3. Edit the IPv6 route entry. Press the right-hand navigation button.

    Edit route entry
    1111:1111:1111:1111:
     1111:1111:1111:1111/128
    
    Enter the gateway
    2222:2222:2222:2222
    
    BACK  NEXT
  4. Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway the screen below will be displayed.

    Edit route entry
    
    Select an interface
    for link-local address:
    fe80:2222:2222:2222:
    2222:2222:2222:2222
    Interface #1
    BACK    NEXT
  5. Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

Remove route entry

To remove a route entry:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > Remove route entry.

    The following screen is displayed:

    ►  1. 1. 1. 1/ 1
    3. 3. 3. 3/ 3
    1111:1111:1111:1111:
    1111:1111:1111:1111
    /128
    
    
    BACK    SELECT
  2. Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button.

  3. The selected route will be displayed. Press the right-hand navigation button to remove the route.

Enable IPv6 SLAAC

SLAAC can be enabled/disabled independently on each of the two interfaces.

To enable SLAAC:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.

    The following screen is displayed:

    Network configuration
    Do you want to use a
    static address or
    SLAAC?
  2. Select SLAAC and press the right-hand navigation button.

  3. The IPv6 address config selected screen is displayed. Press the right-hand navigation button to accept.

  4. Select the required state and press the right-hand navigation button.

  5. The SLAAC configuration completed OK screen is displayed. Press the right-hand navigation button to accept.

Enabling SLAAC on an HSM network interface disables the use of static IPv6 addresses on that interface.

Configuring the Remote File System (RFS)

The RFS contains the master copy of the Security World data for backup purposes. The RFS can be a standalone machine, or it can also act as a client. If the RFS also acts as a client, a common file structure serves both the RFS and the configuration files for the client.

See the nShield Connect User Guide for more about the RFS and its contents.

The nShield Connect must be able to connect to TCP port 9004 of the RFS. If necessary, modify the firewall configuration to allow this connection on either the RFS itself, or on a router between the RFS and the nShield Connect, or both.

Obtain the following information about the nShield Connect before you set up an RFS for the first time:

  • The IP address.

    The following nShield Connect information can be obtained automatically (or manually):

  • The electronic serial number (ESN).

  • The hash of the KNETI key (HKNETI). The KNETI key authenticates the nShield Connect to clients. It is generated when the nShield Connect is first initialized from factory state.

If your network is secure and you know the IP address of the nShield Connect, you can use the anonkneti utility to obtain the ESN and the hash of the KNETI key by giving the following command on the client computer. anonkneti retrieves these values over the network without authenticating the unit, so on any network you do not fully trust, confirm them against the values shown on the nShield Connect front panel before using them. For guidance on network security, see the nShield Security Manual.

anonkneti <Unit IP>

In this command, <Unit IP> is the IP address of the nShield Connect, which could be one of the following:

  • An IPv4 address, for example 192.0.2.10.

  • An IPv6 address, for example fc00::1.

  • A link-local IPv6 address, for example, fe80::1%eth0.

  • A hostname.

The command returns output in the following form:

A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f

In this example output, A285-4F5A-7500 is the ESN and 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key.

Alternatively, you can find this information on the nShield Connect startup screen. Use the touch wheel to scroll to the appropriate information.

When you have the necessary information, set up an RFS and nShield Connect in the following order:

  1. Prepare the RFS by running the following command on that computer:

    rfs-setup <Unit IP> A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f

    In this command:

    • <Unit IP> is the IP address of the nShield Connect.

    • A285-4F5A-7500 is the ESN of the nShield Connect.

    • 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key. Substitute the ESN and hash returned by anonkneti, or read from the front panel, for your own unit.

  2. On the nShield Connect display screen, use the right-hand navigation button to select System > System configuration > Remote file system, and enter the IP address of the client computer on which you set up the RFS:

      Remote File System
    
    Enter IP address:
    
    
    
    CANCEL         CONTINUE
  3. The next screen asks for the port number on which the RFS is listening. Enter the port number and press the right-hand navigation button to continue:

      Remote File System
    
    Enter port number:
        9004
    
    CANCEL         CONTINUE
    Leave the port number at the default setting of 9004.
  4. Select the config push mode and press the right-hand navigation button to continue:

      Remote File System
    
    Set RFS config push
    mode to:
    
            AUTO
    
    CANCEL         CONTINUE

    Three options are available:

    • AUTO: The RFS is only allowed to push configuration files to the nShield Connect if secure authentication is enabled. This is the default value.

    • ON: The RFS is allowed to push configuration files to the nShield Connect.

    • OFF: The RFS is not allowed to push configuration files to the nShield Connect.

  5. You must then choose whether to enable or disable secure authentication when setting up the RFS. The following screen is displayed:

      Remote File System
    
    Do you want secure
    authentication enabled
    on the RFS?
    
              YES
    CANCEL         CONTINUE
    1. Select No and press the right-hand navigation button to configure the RFS without secure authentication. The nShield Connect then authenticates the RFS by its IP address alone, which gives no protection against another host that can use that address.

    2. Select Yes and press the right-hand navigation button to configure the RFS with secure authentication.

  6. Skip this step if you have not selected secure authentication.

    If an nToken is installed in the RFS, you will be asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:

    >0DA8-A5AE-BA0D
     Software Key
    
    
    BACK       SELECT
    1. The ESN of the nToken installed in the RFS.

    2. "Software Key" for software-based authentication.

    If no nToken is installed in the RFS, then software-based authentication is automatically selected.

  7. Skip this step if you have not selected secure authentication.

    The next screen will ask you to verify that the key hash displayed by the nShield Connect matches the RFS key hash:

    Remote 0DA8-A5AE-BA0D
    reported the key hash:
     9e0020264af732933574
     0cfe10446d33cea33f4a
    Is this EXACTLY right?
    
    CANCEL         CONFIRM

    The RFS key hash is obtained by running the commands described below. Take a copy of the returned key hash and compare it to the value reported on the nShield Connect display.

    With software-based authentication

    Run the following command on the RFS:

    enquiry -m0

    This command returns the software key hash, tagged as kneti hash, as part of its output, for example:

    Server:
      enquiry reply flags   none
      enquiry reply level   Six
      ...
      kneti hash            d4c3d757a67416cb9ba31f33febd6ead688629e5
      ...
    With nToken authentication

    Run the following command on the RFS:

    ntokenenroll -H

    This command produces output of the form:

    nToken module #1
    nToken ESN:      0DA8-A5AE-BA0D
    nToken key hash: 9e0020264af732933574
                     0cfe10446d33cea33f4a

    Check that the ESN also matches the one reported on the nShield Connect display.

    If the RFS key hash matches the one reported on the nShield Connect display, press the right-hand navigation button to continue the RFS configuration. Otherwise press the left-hand navigation button to cancel the operation.

  8. The nShield Connect displays "Transferring files…​" followed by a message reporting that the RFS has been set up. Press the right-hand navigation button again to exit.

After you have defined the RFS, the nShield Connect configuration files are exported automatically. See the nShield Connect User Guide for more about configuration files.

To modify the RFS at a later date, select System > System configuration > Remote file system, and then select the required action.
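Both halves of this setup rest on an operator comparing a 40-hex-digit hash read from a screen: the client trusts the HKNETI that anonkneti returns, and the nShield Connect trusts the RFS key hash shown in step 7, and a mismatch is the only signal that something sits between the RFS and the unit. The following is an added example for this guide, not part of Entrust's tools: it parses the output formats shown above for anonkneti, enquiry -m0 and ntokenenroll -H (the sample outputs are constructed from the guide's own examples), rejoins a hash that the 20-character display wrapped over two lines, compares it in constant time with the value read from the front panel, and refuses to build the rfs-setup command line unless the ESN and HKNETI agree. It does not run the tools; the function names and the 192.0.2.10 address are assumptions.

```python
"""Cross-check the hashes exchanged while setting up the RFS.

Added example for this guide, not Entrust code. It parses the output formats
shown above for anonkneti, enquiry -m0 and ntokenenroll -H, rejoins a hash
that a 20-character display wrapped over two lines, and compares hashes in
constant time. It does not invoke the tools: pass it their captured output.
"""
import hmac
import re
import shlex

_ESN = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")
_HASH_HEX_LEN = 40   # length of the KNETI hashes in the guide's examples


def normalise_hash(text):
    """Strip line wraps and spaces, lower-case, and insist on 40 hex digits."""
    digest = "".join(text.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % _HASH_HEX_LEN, digest):
        raise ValueError(f"not a {_HASH_HEX_LEN}-hex-digit hash: {text!r}")
    return digest


def same_hash(reported, expected):
    """Constant-time equality of two hashes regardless of wrapping or case."""
    return hmac.compare_digest(normalise_hash(reported), normalise_hash(expected))


def parse_anonkneti(output):
    """anonkneti prints '<ESN> <HKNETI>' on one line; return (esn, hknet)."""
    parts = output.split()
    if len(parts) != 2 or not _ESN.match(parts[0]):
        raise ValueError(f"unexpected anonkneti output: {output!r}")
    return parts[0], normalise_hash(parts[1])


def parse_enquiry_kneti_hash(output):
    """Return the 'kneti hash' value from the Server section of enquiry -m0."""
    match = re.search(r"^\s*kneti hash\s+([0-9a-fA-F]+)\s*$", output, re.M)
    if not match:
        raise ValueError("no 'kneti hash' line in enquiry output")
    return normalise_hash(match.group(1))


def parse_ntokenenroll(output):
    """ntokenenroll -H prints the nToken ESN and a key hash wrapped over two lines."""
    esn = re.search(r"nToken ESN:\s*(\S+)", output)
    if not esn or "nToken key hash:" not in output:
        raise ValueError("unexpected ntokenenroll output")
    digits = ""
    for token in output.split("nToken key hash:", 1)[1].split():
        if not re.fullmatch(r"[0-9a-fA-F]+", token):
            break
        digits += token
        if len(digits) >= _HASH_HEX_LEN:
            break
    return esn.group(1), normalise_hash(digits)


def rfs_setup_command(unit_ip, anonkneti_output, panel_esn, panel_hknet):
    """Build the rfs-setup command line (step 1 above) only when anonkneti's
    answer matches the ESN and HKNETI read from the nShield Connect front panel."""
    esn, hknet = parse_anonkneti(anonkneti_output)
    if esn != panel_esn.strip().upper() or not same_hash(hknet, panel_hknet):
        raise ValueError("anonkneti result differs from the front panel; "
                         "do not run rfs-setup until the network path is understood")
    return shlex.join(["rfs-setup", unit_ip, esn, hknet])


# Sample tool output, constructed from the formats shown in the guide.
ANONKNETI_SAMPLE = "A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f\n"
ENQUIRY_SAMPLE = """Server:
  enquiry reply flags   none
  enquiry reply level   Six
  kneti hash            d4c3d757a67416cb9ba31f33febd6ead688629e5
"""
NTOKENENROLL_SAMPLE = """nToken module #1
nToken ESN:      0DA8-A5AE-BA0D
nToken key hash: 9e0020264af732933574
                 0cfe10446d33cea33f4a
"""
# Step 7: the hash as the nShield Connect displays it, wrapped at 20 characters.
PANEL_RFS_HASH = "9e0020264af732933574\n0cfe10446d33cea33f4a"

if __name__ == "__main__":
    # Client side: the operator typed the ESN and HKNETI from the unit's startup screen.
    print(rfs_setup_command("192.0.2.10", ANONKNETI_SAMPLE,
                            "A285-4F5A-7500", "2418EC85C86027EB2D5959FEF35EDC5E1B3B698F"))
    # Unit side: does the RFS key hash the unit shows match the RFS's own tools?
    print(same_hash(parse_enquiry_kneti_hash(ENQUIRY_SAMPLE), PANEL_RFS_HASH))   # False
    esn, khash = parse_ntokenenroll(NTOKENENROLL_SAMPLE)
    print(esn == "0DA8-A5AE-BA0D" and same_hash(khash, PANEL_RFS_HASH))          # True
```

In the guide's example the unit chose the nToken key, so the hash on the display matches ntokenenroll -H and not the software kneti hash from enquiry; the example reproduces that outcome. Comparing after normalisation matters because the display and ntokenenroll both wrap the hash and an operator may transcribe it in upper case.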

Systems configured for Remote Administration

Before using Remote Administration or configuring NTP, enable config push on the nShield Connect for the RFS or client computer you intend to use for configuration. Use the RFS config push unless the machine that will push the configuration is not the RFS. The RFS config push is recommended at least when securely bootstrapping the configuration of the system from the nShield Connect front panel.

Enabling config push from the RFS

On the nShield Connect display, use the right-hand navigation button to select System > System configuration > Remote File System, and follow the steps described in Configuring the Remote File System (RFS). To enable config push from the RFS, set the push mode to AUTO with RFS secure authentication enabled (recommended), or to ON.

The RFS config push supports specifying secure authentication from the nShield Connect front panel, whereas the client config push only supports specifying authentication either from the nShield Connect Serial Console push command, or from the config file itself.

Enabling config push from a client computer

To enable config push from a client computer, on the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file options > Client config push > Config push mode, set ON or OFF, then select CONFIRM. A confirmation message will be displayed.

After enabling config push, specify the IP address of the client to push the configuration from. On the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file options > Client config push > Client address. Enter the IP address and select CONFIRM. A message is displayed confirming your chosen IP address. Select CONTINUE.

Any remote computer is allowed to push configuration files if no IP address or the 0.0.0.0 address is specified.

After enabling config push, complete the configuration steps by editing the configuration files, rather than by using nShield Connect front panel. See the nShield Connect User Guide for more about configuration files.

Basic configuration of the client to use the nShield Connect

Client configuration utilities

Entrust provides the following utilities for client configuration:

Utility                Description

nethsmenroll           Used to configure the client to communicate with the nShield Connect.

config-serverstartup   Used to configure the hardserver of the client to enable TCP sockets.

nethsmenroll

The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield Connect. If the nShield Connect’s ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield Connect to determine what they are, and requests confirmation.

Usage:

nethsmenroll [Options] --privileged <hsm-ip> <hsm-esn> <hsm-kneti-hash>

Options:

-m|--module=MODULE

Specifies the local module number that should be used (default is 0 for dynamic configuration by hardserver).

-p|--privileged

Makes the hardserver request a privileged connection to the nShield Connect (default unprivileged).

<hsm-ip>

The IP address of the nShield Connect, which could be one of the following:

  • An IPv4 address, for example 123.456.789.123.

  • An IPv6 address, for example fc00::1.

  • A link-local IPv6 address, for example fe80::1%eth0.

  • A hostname.

-r|--remove

Removes the configuration of the specified nShield Connect.

-f|--force

Forces reconfiguration of an nShield Connect already known.

--no-hkneti-confirmation

Does not request confirmation when automatically determining the nShield Connect’s ESN and HKNETI.

This option is potentially insecure and should only be used on secure networks where there is no possibility of a man-in-the-middle attack. For guidance on network security, see the nShield Security Manual.

-V|--verify-nethsm-details

When the ESN and HKNETI have been provided on the command line, verifies that the selected HSM is online, reachable and matches those details.

-P|--port=PORT

Specifies the port to use when connecting to the given nShield Connect (default 9004).

-n|--ntoken-esn=ESN

Specifies the ESN of the nToken to be used to authenticate this client. If the option is omitted, then software authentication will be used instead.

config-serverstartup

The config-serverstartup command-line utility automatically edits the [server_startup] section in the local hardserver configuration file in order to enable TCP ports for Java and KeySafe. Any fields for which values are not specified remain unchanged. After making any changes you are prompted to restart the hardserver.

Run config-serverstartup using the following commands:

config-serverstartup [OPTIONS]

For more information about the options available to use with config-serverstartup, run the command:

config-serverstartup --help

Configuring a client to communicate through an nToken

You can configure a client to use its nToken to communicate with an nShield Connect, if it has one installed. When this happens, the nShield Connect:

  • Examines the IP address of the client.

  • Requires the client to identify itself using a signing key.

If an nToken is installed in a client, it can be used to both generate and protect a key that is then used for the impath communication between the nShield Connect and the client. A strongly protected key is used at both ends of the impath as a result.

Enrolling the client from the command line

Complete the following steps to initially configure a client computer to communicate with and use an nShield Connect. See Basic HSM, RFS and client configuration for more about the available options.

Do the following:

  1. On the client, open a command line window, and run the command:

    nethsmenroll --help

  2. To retrieve the ESN and HKNETI of the nShield Connect, run the command:

    anonkneti <Unit IP>

    The following is an example of the output:

    3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320

    If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield Connect to determine what they are, and requests confirmation.

  3. Do one of the following:

    If you are enrolling a client with an nToken installed, run the command:

    nethsmenroll --ntoken-esn <nToken ESN> [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

    If you are enrolling a client without an nToken installed, run the command:

    nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

    The following is an example of the output:

    OK configuring hardserver's nethsm imports.

Configure the TCP sockets on the client for Java applications

To configure the TCP sockets on the client for Java applications (for example, KeySafe):

  1. Run the command:

    config-serverstartup --enable-tcp --enable-privileged-tcp

Basic configuration of an nShield Connect to use a client

Do the following:

  1. On the nShield Connect front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.

    The following screen is displayed:

    Client configuration
    
    Please enter your
    client IP address:
    
    
    
    CANCEL          NEXT

    Enter the IP address of the client, and press the right-hand navigation button.

  2. Use the touch wheel to confirm whether you want to save the IP or not, and press the right-hand navigation button.

    Client configuration
    
    Do you want to save
    the IP in the config?
    (No for dynamic client
    IPs)
              No
    BACK            NEXT

  3. Use the touch wheel to select the connection type between the nShield Connect and the client.

    Client configuration
    
    Please choose the
    client permissions
    
        Unprivileged
    
    BACK            NEXT

    The following options are available:

    Option               Description

    Unprivileged         Privileged connections are never allowed.

    Priv. on low ports   Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux.

    Priv. on any ports   Privileged connections are allowed on all ports.

    A privileged connection is required to administer the nShield Connect, for example to initialize a Security World. If privileged connections are allowed, the client can issue commands (such as clearing the nShield Connect) which interfere with the normal operation of the nShield Connect. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  4. When you have selected a connection option, press the right-hand navigation button.

    The following screen is displayed:

    Client configuration
    
    Do you want secure
    authentication enabled
    on this client?
    
             Yes
    BACK             NEXT

    1. Select No and press the right-hand navigation button to configure the client without secure authentication. The authentication of the client will be based on the IP address only.

    2. Select Yes and press the right-hand navigation button to configure the client with secure authentication.

  5. On the nShield Connect, enter the number of the port on which the client is listening (the default is 9004), and press the right-hand navigation button. The following screen is displayed:

    Client configuration
    
    On what port is the
    client listening?
    
            9004
    
    CANCEL           NEXT

  6. Skip this step if you have not selected secure authentication.

    If an nToken is installed in the client, you will be asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:

    >3138-147F-2D64
     Software Key
    
    
    BACK       SELECT

    1. The ESN of the nToken installed in the client.

    2. "Software Key" for software-based authentication.

    If no nToken is installed in the client, then software-based authentication is automatically selected.

    Software-based authentication is only supported from version 12.60.

  7. Skip this step if you have not selected secure authentication.

    The next screen will ask you to verify that the key hash displayed by the nShield Connect matches the client key hash:

    Remote 3138-147F-2D64
    reported the key hash:
     691be427bb125f387686
     38a18bfd2eab75623320
    Is this EXACTLY right?
    
    CANCEL         CONFIRM

    The client key hash is obtained by running the commands described below. Take a copy of the returned key hash and compare it to the value reported on the nShield Connect display.

    With software-based authentication

    Run the following command on the client:

    enquiry -m0

    This command returns the software key hash, tagged as kneti hash, as part of its output, for example:

    Server:
      enquiry reply flags   none
      enquiry reply level   Six
      ...
      kneti hash            f8222fc007be38b78ebf442697e244dabded38a8
      ...

    With nToken authentication

    Run the following command on the client:

    ntokenenroll -H

    This command produces output of the form:

    nToken module #1
    nToken ESN:      3138-147F-2D64
    nToken key hash: 691be427bb125f387686
                     38a18bfd2eab75623320

    Check that the ESN also matches the one reported on the nShield Connect display.

    If the client key hash matches the one reported on the nShield Connect display, press the right-hand navigation button to continue the client configuration. Otherwise press the left-hand navigation button to cancel the operation.

  8. The nShield Connect displays a message reporting that the client has been configured. Press the right-hand navigation button again.

See the nShield Connect User Guide for more about modifying or deleting an existing client, configuring multiple clients, client licenses, pushing configuration files to the nShield Connect, and advanced configuration options.

Restarting the hardserver

In order to establish any configuration changes you may have entered, you must restart the hardserver (also called the nfast server).

  1. Do one of the following to stop and restart the hardserver, according to your operating system:

    1. Windows:

      net stop "nfast server"
      net start "nfast server"

    2. Linux:

      /opt/nfast/sbin/init.d-ncipher restart

Zero touch configuration of an nShield Connect

On a serial-enabled nShield Connect (see Model numbers in nShield Connect v13.3 Install Guide) you can configure the nShield Connect and set up the RFS by using the nShield Connect Serial Console rather than the front panel. See the nShield Connect User Guide for more information on the Serial Console.

Once the nShield Connect’s power, Ethernet and serial cables have been connected, to allow zero touch configuration of the nShield Connect (no further use of the front panel required), follow these steps:

Configuring the network interfaces via the Serial Console

  1. Log in to the nShield Connect Serial Console (see the nShield Connect User Guide).

  2. Configure networking on Ethernet Interface #1:

    1. Set the IP address and netmask of the interface:

      (cli) netcfg iface=0 addr=0.0.0.0 netmask=0.0.0.0

    2. Set the IP address of the gateway for the nShield Connect:

      (cli) gateway 0.0.0.0

      If your network environment requires you to configure static routes you may also use the nShield Connect Serial Console to configure static routes for the nShield Connect at this stage.

Allowing configuration files to be pushed to the nShield Connect via the Serial Console

To allow the Remote File System (RFS) to push configuration files to the nShield Connect, configure the RFS using the rfsaddr command. To allow other remote computers to push configuration files to the nShield Connect, use the push command.

Configuring the Remote File System (RFS) via the Serial Console

  1. Log in to the nShield Connect Serial Console (see Creating a serial console session in the nShield Connect User Guide), and run the following commands to obtain the nShield Connect ESN and KNETI hash, for example:

    (cli) esn
    ESN: 6B1D-03CE-2F9A
    (cli) kneti
    Kneti hash: 56304e3f752cd13d219fa47ad27d56bb6a6642aa

  2. Run the rfs-setup command on the RFS with the IP address of the nShield Connect and the values previously returned by the esn and kneti commands:

    rfs-setup <Unit IP address> <ESN> <KNETI hash>

    For information on running rfs-setup, see Configuring the Remote File System (RFS).

  3. In the nShield Connect Serial Console, configure the RFS using the rfsaddr command.

    (cli) rfsaddr address[:port] [keyhash [esn]] [push]

    In this command:

    • address is the RFS IP address.

    • port is the RFS port number (default is 9004).

    • keyhash is the RFS KNETI hash (default is 40 zeroes).

    • esn is the RFS nToken ESN (default is "", i.e. no ESN).

    • push specifies if the RFS can push configuration files to the nShield Connect:

      • ON: The RFS is allowed to push configuration files.

      • OFF: The RFS is not allowed to push configuration files.

      • AUTO: The RFS is allowed to push configuration files if RFS secure authentication is enabled. This is the default option.

    The keyhash and esn are optional, and can be used to enable the RFS secure authentication:

    1. No RFS secure authentication (not recommended): The keyhash and esn parameters are not specified.

    2. RFS software-based authentication: Only the keyhash parameter is specified. The RFS software KNETI hash is obtained by running the enquiry -m0 command on the RFS. The value is tagged as kneti hash in the command output.

    3. RFS nToken authentication: The keyhash and esn parameters are specified. The RFS nToken KNETI hash and ESN are obtained by running the ntokenenroll -H command on the RFS.
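The key hash comparison in step 7 of the RFS and client procedures above, and the keyhash and esn parameters of rfsaddr, as an added example that is not part of this guide or of Entrust's tools: it extracts the KNETI hash from enquiry -m0 or ntokenenroll -H output, compares it digit for digit with the value shown on the front panel, and assembles the rfsaddr line. The sample outputs are constructed from this page's examples; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Entrust's code: check the KNETI hash reported by a local
# command against the value shown on the nShield Connect front panel before
# pressing CONFIRM, and build the matching Serial Console rfsaddr line.
# Assumes POSIX sh, awk, tr and grep.

# Print the software KNETI hash from `enquiry -m0` output read on stdin.
kneti_from_enquiry() {
  awk '$1 == "kneti" && $2 == "hash" { print $3; exit }'
}

# Print "ESN HASH" from `ntokenenroll -H` output read on stdin. The hash is
# printed over two lines, so the indented continuation line is appended.
kneti_from_ntokenenroll() {
  awk '
    /^nToken ESN:/      { esn = $3 }
    /^nToken key hash:/ { h = $4; cont = 1; next }
    cont && NF == 1     { h = h $1; next }
                        { cont = 0 }
    END                 { print esn, h }'
}

# Strip whitespace (the display wraps the hash over two lines) and lowercase.
normalise_hash() {
  tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Succeed only if $1 (local hash) is a complete 40-hex-digit hash and is
# EXACTLY equal to $2 (hash as shown on the display). A prefix match is not
# enough: the display shows the whole hash and every digit must be compared.
hash_matches() {
  a=$(printf '%s' "$1" | normalise_hash)
  b=$(printf '%s' "$2" | normalise_hash)
  printf '%s\n' "$a" | grep -Eq '^[0-9a-f]{40}$' && [ "$a" = "$b" ]
}

# Build the Serial Console command with push mode AUTO: keyhash alone selects
# software-based authentication, keyhash plus esn selects nToken authentication.
rfsaddr_line() {  # $1 = RFS address[:port], $2 = keyhash, $3 = nToken ESN or ""
  if [ -n "$3" ]; then
    printf 'rfsaddr %s %s %s AUTO\n' "$1" "$2" "$3"
  else
    printf 'rfsaddr %s %s AUTO\n' "$1" "$2"
  fi
}

# Constructed sample outputs, copied from the examples on this page; in use,
# pipe the real command output instead: enquiry -m0 | kneti_from_enquiry
SAMPLE_ENQUIRY='Server:
  enquiry reply flags   none
  enquiry reply level   Six
  kneti hash            f8222fc007be38b78ebf442697e244dabded38a8
  ...'
SAMPLE_NTOKEN='nToken module #1
nToken ESN:      3138-147F-2D64
nToken key hash: 691be427bb125f387686
                 38a18bfd2eab75623320'
```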

Allowing configuration files to be pushed to the nShield Connect from a remote computer via the Serial Console

In addition to the RFS, the push serial command can be used to allow a remote computer to push configuration files.

(cli) push ON [address] [keyhash]

In this command:

  • address is the remote computer IP address. It defaults to 0.0.0.0 which allows any address to push. It is not recommended to leave the IP address unrestricted, unless keyhash is specified for authentication.

  • keyhash is the hash of the key with which the authorized client is to authenticate itself (defaults to no key authentication required).

Enabling the push feature allows remote computers to change the HSM configuration file and make configuration changes that are normally only available through the HSM secure user interface.

After you enable the nShield Connect for zero touch configuration, everything that can be configured using the front panel can be configured remotely using one of the following methods:

  • The nShield Connect Serial Console.

  • The cfg-pushnethsm utility to push an updated configuration file to the nShield Connect (see the nShield Connect User Guide). From the configuration file you can configure the RFS, add clients, or change the network configuration.

  • The nethsmadmin utility (see the nShield Connect User Guide).

Checking the installation

To check that the module is installed and configured correctly on the client:

  1. Log in as a user and open a command window.

  2. Run the command:

    enquiry

    For an example of the output following a successful enquiry command, see Enquiry utility.

    If you are configuring a client belonging to an nShield Connect, the response to the enquiry command should be populated and the hardware status shown as OK.

    If the mode is operational the HSM has been installed correctly.

    If the mode is initialization, the HSM has been installed correctly, but you must change the mode to operational.

    If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.

Using a Security World

See the nShield Connect User Guide for more about creating a Security World or loading an existing one.