Before you install the software

Before you install the software, you should:

If required, install an optional nToken in the client computer, see nToken Installation Guide for more information about the installation steps.
Uninstall any older versions of Security World Software. See Uninstalling existing software.
If the nShield Remote Administration Client is installed on the machine, remove it. You will also have to re-install it after you installed the new Security World software version. See the nShield Remote Administration User Guide.
Complete any other necessary preparatory tasks, as described in Preparatory tasks before installing software.

Preparatory tasks before installing software

Perform any of the necessary preparatory tasks described in this section before installing the Security World Software on the client computer.

Windows

Adjust your computer’s power saving setting to prevent sleep mode.

Install Microsoft security updates

Make sure that you have installed the latest Microsoft security updates. Information about Microsoft security updates is available from http://www.microsoft.com/security/.

Linux

Install operating environment patches

Make sure that you have installed:

kernel packages like gcc, kernel-headers, kernel-devel
the latest recommended patches for your environment in general

See the documentation supplied with your operating environment for information.

Users and groups

The installer automatically creates the following group and users if they do not exist. If you wish to create them manually, you should do so before running the installer.

Create the following, as required:

The nfast user in the nfast group, using /opt/nfast as the home directory.
If you are installing snmp, the ncsnmpd user in the ncsnmpd group, using /opt/nfast as the home directory.
If you are installing the Remote Administration Service, the raserv user in the raserv group, using /opt/nfast as the home directory.

All environments

Install Java with any necessary patches

The following versions of Java have been tested to work with, and are supported by, your nShield Security World Software:

Java7 (or Java 1.7x)
Java8 (or Java 1.8x)
Java11.

Entrust recommends that you ensure Java is installed before you install the Security World Software. The Java executable must be on your system path.

If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported. If you are maintaining older Java versions for legacy reasons, and need compatibility with current nShield software, please contact Entrust nShield Support, https://nshieldsupport.entrust.com.

To install Java you may need installation packages specific to your operating system, which may depend on other pre-installed packages to be able to work.

Suggested links from which you may download Java software as appropriate for your operating system:

You must have Java installed to use KeySafe.

Identify software components to be installed

Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either:

All the software components supplied.
Only the software components you require.

During the installation process, you are asked to choose which bundles and components to install. Your choice depends on a number of considerations, including:

The types of application that are to use the module.
The amount of disc space available for the installation.
Your company’s policy on installing software. For example, although it may be simpler to choose all software components, your company may have a policy of not installing any software that is not required.

On Windows, the nShield Hardware Support bundle and the nShield Core Tools bundle are mandatory, and are always installed.

The Core Tools bundle contains all the Security World Software command-line utilities, including:

generatekey.
Low level utilities.
Test programs.

The Core Tools bundle includes the Tcl run time component that installs a run-time Tcl installation within the nCipher directories. This is used by the tools for creating the Security World and by KeySafe. This does not affect any other installation of Tcl on your computer.

You need to install the Remote Administration Service component if you require remote administration functionality. See Preparatory tasks before installing software and the nShield Connect User Guide for more about the Remote Administration Service.

Always install all the nShield components you need in a single installation process to avoid subsequent issues should you wish to uninstall. You should not, for example, install the Remote Administration Service from the Security World installation media, then later install the Remote Administration Client from the client installation media.

Ensure that you have identified any optional components that you require before you install the Security World Software. See Software packages on the Security World software installation media for more about optional components.

Firewall settings

When setting up your firewall, you should ensure that the port settings are compatible with the HSMs and allow access to the system components you are using.

The following table identifies the ports used by the nShield system components. All listed ports are the default setting. Other ports may be defined during system configuration, according to the requirements of your organization.

Component	Default Port	Protocol	Use
Hardserver	9000	TCP	Internal non-privileged connections from Java applications including KeySafe
Hardserver	9001	TCP	Internal privileged connections from Java applications including KeySafe
Hardserver	9004	TCP	Incoming impath connections from other hardservers, for example: * From an HSM to the Remote File System (RFS). * From a non-attended HSM to an attended host machine when using Remote Operator.
Hardserver in the HSM	9004	TCP	Incoming impath connections from client machines
Remote Administration Service	9005	TCP	Incoming connections from Remote Administration Clients
Audit Logging syslog	514	UDP	If you plan to use the Audit Logging facility with remote syslog or SIEM applications, you need to allow outgoing connections to the configured UDP port

Component

Default Port

Protocol

Use

Hardserver

9000

TCP

Internal non-privileged connections from Java applications including KeySafe

Hardserver

9001

TCP

Internal privileged connections from Java applications including KeySafe

Hardserver

9004

TCP

Incoming impath connections from other hardservers, for example:

* From an HSM to the Remote File System (RFS).

* From a non-attended HSM to an attended host machine when using Remote Operator.

Hardserver in the HSM

9004

TCP

Incoming impath connections from client machines

Remote Administration Service

9005

TCP

Incoming connections from Remote Administration Clients

Audit Logging syslog

514

UDP

If you plan to use the Audit Logging facility with remote syslog or SIEM applications, you need to allow outgoing connections to the configured UDP port

If you are setting up an RFS or exporting a slot for Remote Operator functionality, you need to open port 9004. You may restrict the IP addresses to those you expect to use this port. You can also restrict the IP addresses accepted by the hardserver in the configuration file. See the nShield Connect User Guide for more about configuration files. Similarly if you are setting up the Remote Administration Service you need to open port 9005.