Basic HSM, RFS and client configuration
This chapter describes the initial nShield 5c, RFS and client computer configuration steps. For more about:
- Security World Software installation and options, see Installing the software.
- Installing the optional nToken, see the nToken Installation Guide.
- The menu options, see Top-level menu.
- Advanced nShield 5c and client configuration options, see the nShield 5c User Guide.
An installation has only one RFS, but may have one or more clients. The RFS can also act as a client. Before you continue with the following configuration, the RFS and every client must have the Security World Software installed, see Installing the software.
About nShield 5c and client configuration
An nShield 5c and a client communicate using their hardservers. These handle secure transactions between the HSM and applications that run on the client. You must configure:
- Each client hardserver to communicate with the hardserver of the nShield 5c that it needs to use.
- The nShield 5c hardserver to communicate with the hardserver of the clients that are allowed to use it.
Multiple nShield HSMs can be configured to communicate with one client, just as multiple clients can be configured to communicate with one nShield 5c.
Remote file system (RFS)
Each nShield 5c must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield 5c needs. See the nShield 5c User Guide for more information about the RFS.
HSM configuration
The current configuration files for the hardserver of an nShield 5c are stored in its local file system. These files are automatically:
- Updated when the nShield 5c is configured.
- Exported to the appropriate RFS directory.
Each nShield 5c in a Security World has separate configuration files on the RFS. See the nShield 5c User Guide for more about nShield 5c configuration files and advanced configuration options.
Client configuration
The current configuration files for the hardserver of a client are stored in its local file system.
See the nShield 5c User Guide for more about client configuration files and advanced configuration options.
The following steps assume that you have added the path %NFAST_HOME%\bin (Windows) or /opt/nfast/bin/ (Linux) to the PATH system variable.
Basic nShield 5c and RFS configuration
After installing the Security World Software and the nShield 5c, you need to do the following:
- Configure the nShield 5c Ethernet interfaces.
- Configure the RFS.
You should complete the RFS tasks before:
- Configuring the nShield 5c and client to work together.
- Creating a Security World and an Operator Card Set (OCS). See the nShield 5c User Guide for more about creating a Security World and the OCS.
Configuring the Ethernet interfaces - IPv4 and IPv6
An nShield 5c communicates with one or more clients over an Ethernet network. You must supply IP addresses for the nShield 5c and the client. Contact your system administrator for this information if necessary.
There are two network interfaces on the nShield 5c. Three configurations are supported:
- Single network interface.
- Two independent network interfaces. You must connect the interfaces to physically different networks.
- The two network interfaces combined as a bond interface. The bond interface can use:
  - Active backup mode.
  - 802.3ad mode (requires a switch that supports 802.3ad).
You can configure the nShield 5c using the front panel Network config menu or by pushing a configuration file to the nShield 5c over the network. The following can be configured:
- Interface addresses
- Bond
- Default gateway
- Network routes
- Network speed.
If the nShield 5c is already configured, you can update the displayed values.
If you ever change any of the IP addresses on the nShield 5c, you must update the configuration of all the clients that work with it to reflect the new IP addresses.
By default, the hardserver listens on all interfaces. However, you can restrict the hardserver to listen on specific network interfaces only. This is useful, for example, when one of the Ethernet interfaces is connected to external hosts. See the nShield 5c User Guide for more information.
IPv4 and IPv6
Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:
- IPv4 only
- IPv4 and IPv6
- IPv6 only.
Interface #1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled.
IPv6 addresses
An IPv4 address is 32 bits long and typically represented as 4 octets, for example 192.168.0.1. An IPv6 address is 128 bits long and is made up of a subnet prefix (n bits long) and an interface ID (128 - n bits long).
An IPv6 address and its associated subnet is typically represented by the notation ipv6-address/prefix-length, where:
- ipv6-address is an IPv6 address represented in any of the notations described below.
- prefix-length is a decimal value specifying how many of the leftmost contiguous bits of the address make up the prefix.
The IPv6 address notation mirrors the way subnets are represented in the IPv4 Classless Inter-Domain Routing (CIDR) notation.
IPv6 address notation
An nShield 5c accepts an IPv6 address if it is entered in one of the forms shown below and if the address is valid for the context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings:
- The long representation is x:x:x:x:x:x:x:x, where each x is a field of hexadecimal characters (0 to ffff) representing 16 bits of the address. For example:
  1234:2345:3456:4567:5678:6789:789a:89ab
  1234:5678:0:0:0:0:9abc:abcd/64
- If one or more consecutive fields are 0, they can be replaced by ::. For example, 1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64. The :: sequence can appear only once in an IPv6 address.
Unless the address is a link-local address, the nShield 5c front panel only allows lower-case letters in an IPv6 address.
IPv6 addresses keyed manually on the nShield 5c front panel are validated on entry by the nShield 5c. As well as checking that the format of the address is correct, the nShield 5c also validates that the address entered is valid for the context in which it will be used, see Acceptable IPv6 address by use case.
If Stateless Address Auto Configuration (SLAAC) is enabled, the nShield 5c automatically forms IPv6 addresses from the network prefixes carried in Router Advertisements (RAs). RAs are received directly by the nShield 5c operating system, which forms IPv6 addresses by combining each advertised prefix with the MAC address of the receiving Ethernet interface. Because they are created by the operating system, SLAAC addresses are not subject to the validation rules applied to addresses entered on the nShield 5c front panel. If SLAAC is to be used in preference to statically entered addresses, network planners must therefore ensure that the prefixes advertised to the nShield 5c are of a suitable type, see Acceptable IPv6 address by use case.
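The notation rules above, as an added example that is not Entrust code: a small Python validator that expands either spelling of an address to the long representation, rejects a second ::, checks the prefix length, and applies the front-panel lower-case rule with its link-local exception. Python is used because the checks are plain string parsing; the function names are this example's own, and the per-use-case checks (which depend on the address type, see Acceptable IPv6 address by use case) are not modelled.

```python
"""Validator for the IPv6 address forms accepted on the nShield 5c front panel.

Added example, not Entrust code. It implements the rules stated above: eight
16-bit hex fields in the long form, "::" at most once (standing for one or
more zero fields), an optional /prefix-length of 0-128, and lower-case hex
digits only, except for link-local (fe80::/10) addresses.
"""
import re

HEX_FIELD = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand_ipv6(addr):
    """Return the eight-field long form of addr, or None if it is malformed."""
    if addr.count("::") > 1:                      # "::" may appear only once
        return None
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:                           # "::" must replace at least one field
            return None
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8 or not all(HEX_FIELD.match(f) for f in fields):
        return None
    # Canonical form: lower-case, leading zeros dropped, so two spellings compare equal.
    return ":".join(f.lower().lstrip("0") or "0" for f in fields)


def is_link_local(expanded):
    """True for fe80::/10, the only case in which the front panel accepts upper-case hex."""
    return (int(expanded.split(":")[0], 16) & 0xFFC0) == 0xFE80


def front_panel_accepts(text):
    """Apply the front-panel entry rules to 'address' or 'address/prefix-length'.

    Returns (expanded_address, prefix_length or None); raises ValueError on rejection.
    The per-use-case checks (gateway, route, RFS address, ...) are not modelled here.
    """
    addr, sep, prefix = text.partition("/")
    expanded = expand_ipv6(addr)
    if expanded is None:
        raise ValueError(f"malformed IPv6 address: {text!r}")
    plen = None
    if sep:
        if not prefix.isdigit() or not 0 <= int(prefix) <= 128:
            raise ValueError(f"prefix length must be 0-128: {text!r}")
        plen = int(prefix)
    if addr != addr.lower() and not is_link_local(expanded):
        raise ValueError(f"upper-case hex is only accepted in link-local addresses: {text!r}")
    return expanded, plen


if __name__ == "__main__":
    for sample in ("1234:5678::9abc:abcd/64", "FE80::1", "ABCD::1", "1::2::3"):
        try:
            print(sample, "->", front_panel_accepts(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Because expand_ipv6 returns a canonical form, it can also be used to check that an address keyed on the front panel is the same one recorded in a client's configuration, whichever spelling each side used.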
Acceptable IPv6 address by use case
The types of IPv6 address that are acceptable as a static address are given in the table below. For examples of valid IPv6 addresses, see Valid IPv6 Addresses.
Use Case | Acceptable Address Type
---|---
Static IPv6 Address Entry |
IPv6 Default Gateway |
IPv6 Route Entry - IP Range |
IPv6 Route Entry - Gateway |
RFS Address |
Client Address |
Push Client Address |
Ping |
Traceroute |
Stateless address auto-configuration (IPv6 only)
Unlike IPv4, IPv6 is designed to be auto-configuring. SLAAC is an IPv6 mechanism by which IPv6 hosts configure their IPv6 addresses automatically when connected to an IPv6 network, using the Neighbour Discovery Protocol (NDP). Using NDP, IPv6 hosts solicit advertisements from on-link routers and use the network prefix(es) contained in the advertisements to generate IPv6 address(es).
SLAAC is disabled by default in an nShield 5c, but can be selectively enabled for each Ethernet interface either using the nShield 5c front panel or by setting the appropriate configuration item and pushing an nShield 5c configuration file.
Configure Ethernet interface #1
To set up Ethernet interface #1 (default):
Enable/disable IPv4
To enable/disable IPv4:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable. The following screen displays:
  Network configuration IPv4 enable/disable: ENABLE CANCEL FINISH
- Set the ENABLE/DISABLE field to the required option.
- To accept, press the right-hand navigation button.
Set up IPv4 static address
To set up an IPv4 static address:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > Static IPv4 address. The following screen displays:
  Network configuration Enter IPv4 address for interface #1: 0. 0. 0. 0 Enter netmask: 0. 0. 0. 0 CANCEL NEXT
- Set each field of the IP address and netmask for the interface (press the Select button to move to the next field).
- Once all fields have been set, press the right-hand navigation button to continue.
- To accept the changes, press the right-hand navigation button and then CONTINUE to go back to the Static IPv4 address menu.
Enable/disable IPv6
To enable/disable IPv6:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6. The following screen displays:
  Network configuration IPv6 enable/disable: DISABLE CANCEL FINISH
- Set the ENABLE/DISABLE field to the required option.
- To accept, press the right-hand navigation button.
Set up IPv6 static address
To set up an IPv6 static address:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC. The following screen is displayed:
  Network configuration Do you want to use a static address or SLAAC?
- Select static and press the right-hand navigation button.
- Then select Static IPv6 address and press the right-hand navigation button. The following screen displays:
  Network configuration Enter IPv6 address For interface #1: CANCEL NEXT
- Enter the required IPv6 address.
- When the IPv6 address is correct, press the right-hand navigation button. The following screen displays:
  Network configuration IPv6 address xxxx:xxxx:xxxx:xxxx: xxxx:xxxx:xxxx:xxxx Enter prefix length: 64 BACK NEXT
- When the IPv6 address prefix details are correct, press the right-hand navigation button.
- You are asked whether you wish to accept the new interface. To accept, press the right-hand navigation button.
Enabling a static IPv6 address on an HSM network interface disables SLAAC on that interface. See Enable IPv6 SLAAC for SLAAC addresses.
Set the link speed for interface #1
To set up the link speed for interface #1:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Set link speed for #1. The following screen displays:
  Network configuration Select desired link speed: auto / 1Gb CANCEL NEXT
  You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX.
  Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected. On the nShield 5c, selecting auto / 1Gb is the only means of achieving 1Gb link speed.
- Press the right-hand navigation button. You are returned to the Set up interface #1 screen and can continue with the configuration.
Configure Ethernet interface #2
To set up Ethernet interface #2, if required:
- From the front panel menu, select System > System configuration > Network config > Set up interface #2.
- Enter the details for interface #2 in the same manner that you entered the details for interface #1.
- Once the interface #2 details have been entered, you need to explicitly enable interface #2. Select System > System configuration > Network config > Set up interface #2 > Enable/Disable Int #2. The following screen displays:
  Network configuration Interface #2 DISABLE CANCEL FINISH
- Select the ENABLE option.
- Press the right-hand navigation button to accept. A screen similar to that used for interface #1 is displayed.
Configure an Ethernet bond interface
Enable or disable the use of a bond interface
- From the front panel menu, select System > System configuration > Network config > Set up bond > Enable/disable bond. The following screen displays:
  Network configuration Bond Interface DISABLE CANCEL FINISH
- Set the ENABLE/DISABLE field to the required option.
- To accept, press the right-hand navigation button.
Set up a bond interface
- From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond. The following screen displays:
  Bond interface config will use the eth0 IPv4 and IPv6 config if they are enabled CANCEL NEXT
- Press the right-hand navigation button. The following screen displays:
  Bond interface config Update parameter mode: 802.3ad BACK NEXT
- Set the mode field to the required option, either 802.3ad or active-backup.
- To accept, press the right-hand navigation button. The following screen displays:
  Bond interface config Update parameter miimon: 100 BACK NEXT
- Set the miimon field to the required value; the range is 0 to 10000 milliseconds. Setting miimon to 0 disables link monitoring, which can prevent the bond from failing over correctly in active-backup mode.
- To accept, press the right-hand navigation button. The following screen displays:
  Bond interface config Update parameter lacp_rate: slow only valid for 802.3ad (LACP) mode BACK NEXT
- Set the lacp_rate field to the required option, either slow or fast. This parameter is only valid for 802.3ad mode and is ignored in other modes.
  slow: requests that LACPDUs be transmitted every 30 seconds.
  fast: requests that LACPDUs be transmitted every 1 second.
- To accept, press the right-hand navigation button. The following screen displays:
  Bond interface config Update parameter xmit hash policy: layer2 only valid for 802.3ad (LACP) mode BACK NEXT
- Set the xmit hash policy field to the required option: layer2, encap2+3, or layer2+3. This parameter is only valid for 802.3ad mode and is ignored in other modes. For more information, see https://www.kernel.org/doc/Documentation/networking/bonding.txt
- To accept, press the right-hand navigation button. The following screen displays:
  Bond interface config Update parameter primary device: eth0 only valid for active-backup mode BACK NEXT
- Set the primary device field to the required option, either eth0 or eth1. This parameter is only valid for active-backup mode and is ignored in other modes.
- To accept, press the right-hand navigation button. The following screen displays:
  Bond interface config Update parameter resend igmp: 1 only valid for active-backup mode BACK NEXT
- Set the resend igmp field to the required value, in the range 0 to 255. This parameter is only valid for active-backup mode and is ignored in other modes.
- To accept, press the right-hand navigation button. The following screen displays:
  Bond interface config Are you sure you wish to change the config ? CANCEL CONFIRM
- To accept and apply changes to the bond config, press the right-hand navigation button. The following confirmation screen displays:
  Bond interface config completed OK CONFIRM
Default gateway
Set default gateway for IPv4
To set a default gateway for IPv4:
- From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway. The following screen is displayed:
  Gateway configuration Enter IPv4 address of the default gateway: 0. 0. 0. 0 CANCEL NEXT
- Enter the IPv4 address of the default gateway.
- Press the right-hand navigation button (NEXT) and then FINISH to accept.
Set default gateway for IPv6
To set a default gateway for IPv6:
- From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv6 gateway. The following screen is displayed:
  Gateway configuration Enter IPv6 address of the default gateway: CANCEL NEXT
- Enter the address for the gateway and press the right-hand navigation button. The following screen is displayed if the address entered was a link-local address:
  Gateway configuration Select an interface for link-local address: :: CANCEL NEXT
- Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
Set up Routing
Set up routing for IPv4
To set a new route entry for IPv4:
- From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv4 route entry. The following screen is displayed:
  Edit route entry Enter IP range and mask length: 0. 0. 0. 0/ 0 Enter the gateway: 0. 0. 0. 0 CANCEL FINISH
- Enter the IPv4 address range details for the route. Press the right-hand navigation button to accept.
Set up routing for IPv6
To set a new route entry for IPv6:
- From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv6 route entry. The following screen is displayed:
  Edit route entry Enter the IP range and prefix length: ::/64 CANCEL NEXT
- Enter the IPv6 address range details for the route. Press the right-hand navigation button to accept. The following screen is displayed:
  Edit route entry xxxx:xxxx:xxxx:xxxx: xxxx:xxxx:xxxx:xxxx /xxx Enter the gateway: :: BACK NEXT
- Enter the gateway address. If it is a link-local address, the following screen is displayed:
  Edit route entry Select an interface for link-local address: fe80:xxxx:xxxx:xxxx: xxxx:xxxx:xxxx:xxxx Interface #1 BACK NEXT
- Select the interface for the IPv6 gateway and press the right-hand navigation button to accept.
- If the new IPv6 route entry is incorrect, an error message is displayed on the next screen; select BACK to return to the route entry screen. The IPv6 route entry must then be entered again.
Edit route entry
Edit IPv4 route entry
To edit a route entry for IPv4:
- From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry. The following screen is displayed:
  ► 1. 1. 1. 1/ 1 3. 3. 3. 3/ 3 1111:1111:1111:1111: 1111:1111:1111:1111 /128 BACK SELECT
- Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is displayed:
  Edit route entry Enter the IP range and mask length: 1. 1. 1. 1/ 1 Enter the gateway 2. 2. 2. 2 CANCEL FINISH
- Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.
Edit IPv6 route entry
To edit a route entry for IPv6:
- From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry. The following screen is displayed:
  Edit route entry ► 1. 1. 1. 1/ 1 3. 3. 3. 3/ 3 1111:1111:1111:1111: 1111:1111:1111:1111 /128 BACK SELECT
- Select the IPv6 route to be edited. Press the right-hand navigation button. The following screen is displayed:
  Edit route entry Enter the IP range and prefix length: 1111:1111:1111:1111: 1111:1111:1111:1111/128 CANCEL NEXT
- Edit the IPv6 route entry. Press the right-hand navigation button. The following screen is displayed:
  Edit route entry 1111:1111:1111:1111: 1111:1111:1111:1111/128 Enter the gateway 2222:2222:2222:2222 BACK NEXT
- Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway, the following screen is displayed:
  Edit route entry Select an interface for link-local address: fe80:2222:2222:2222: 2222:2222:2222:2222 Interface #1 BACK NEXT
- Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
Remove route entry
To remove a route entry:
- From the front panel menu, select System > System configuration > Network config > Set up routing > Remove route entry. The following screen is displayed:
  ► 1. 1. 1. 1/ 1 3. 3. 3. 3/ 3 1111:1111:1111:1111: 1111:1111:1111:1111 /128 BACK SELECT
- Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button.
- The selected route is displayed. Press the right-hand navigation button to remove the route.
Enable IPv6 SLAAC
SLAAC can be enabled/disabled independently on each of the two interfaces.
To enable SLAAC:
- From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC. The following screen is displayed:
  Network configuration Do you want to use a static address or SLAAC?
- Select SLAAC and press the right-hand navigation button.
- The IPv6 address config selected screen is displayed. Press the right-hand navigation button to accept.
- Select the required state and press the right-hand navigation button.
- The SLAAC configuration completed OK screen is displayed. Press the right-hand navigation button to accept.
Enabling SLAAC on an HSM network interface disables the use of static IPv6 addresses on that interface.
Configuring the Remote File System (RFS)
The RFS contains the master copy of the Security World data for backup purposes. The RFS can be a standalone machine, or it can also act as a client. If the RFS also acts as a client, a common file structure serves both the RFS and the configuration files for the client.
See the nShield 5c User Guide for more about the RFS and its contents.
The nShield 5c must be able to connect to TCP port 9004 of the RFS. If necessary, modify the firewall configuration to allow this connection on either the RFS itself, or on a router between the RFS and the nShield 5c, or both.
Obtain the following information about the nShield 5c before you set up an RFS for the first time:
- The IP address.
The following nShield 5c information can be obtained automatically (or manually):
- The electronic serial number (ESN).
- The hash of the KNETI key (HKNETI). The KNETI key authenticates the nShield 5c to clients. It is generated when the nShield 5c is first initialized from factory state.
If your network is secure and you know the IP address of the nShield 5c, you can use the anonkneti utility to obtain the ESN and HKNETI by giving the following command on the client computer. Because anonkneti simply asks the device that answers at that address, the values it returns are only as trustworthy as the network path to the nShield 5c; on a network you do not control, confirm them against the nShield 5c's own display. For guidance on network security, see the nShield Security Manual.
anonkneti <Unit IP>
In this command, <Unit IP> is the IP address of the nShield 5c, which could be one of the following:
- An IPv4 address, for example 192.0.2.123.
- An IPv6 address, for example fc00::1.
- A link-local IPv6 address, for example fe80::1%eth0.
- A hostname.
The command returns output in the following form:
A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f
In this example output, A285-4F5A-7500 is the ESN and 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key.
Alternatively, you can find this information on the nShield 5c startup screen. Use the touch wheel to scroll to the appropriate information.
When you have the necessary information, set up an RFS and nShield 5c in the following order:
- Prepare the RFS by running the following command on that computer:
  rfs-setup <Unit IP> A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f
  In this command:
  - <Unit IP> is the IP address of the nShield 5c.
  - A285-4F5A-7500 is the ESN of the nShield 5c.
  - 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key.
- On the nShield 5c display screen, use the right-hand navigation button to select System > System configuration > Remote file system, and enter the IP address of the client computer on which you set up the RFS:
  Remote File System Enter IP address: CANCEL CONTINUE
- The next screen asks for the port number on which the RFS is listening. Enter the port number and press the right-hand navigation button to continue:
  Remote File System Enter port number: 9004 CANCEL CONTINUE
  Leave the port number at the default setting of 9004.
- Select the config push mode and press the right-hand navigation button to continue:
  Remote File System Set RFS config push mode to: AUTO CANCEL CONTINUE
  Three options are available:
  - AUTO: The RFS is only allowed to push configuration files to the nShield 5c if secure authentication is enabled. This is the default value.
  - ON: The RFS is allowed to push configuration files to the nShield 5c.
  - OFF: The RFS is not allowed to push configuration files to the nShield 5c.
- You must then choose whether to enable or disable secure authentication when setting up the RFS. The following screen is displayed:
  Remote File System Do you want secure authentication enabled on the RFS? YES CANCEL CONTINUE
  - Select No and press the right-hand navigation button to configure the RFS without secure authentication. The RFS is then authenticated by its IP address only, so any host that can present that source address to the nShield 5c is accepted as the RFS.
  - Select Yes and press the right-hand navigation button to configure the RFS with secure authentication.
- Skip this step if you have not selected secure authentication. If an nToken is installed in the RFS, you are asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:
  >0DA8-A5AE-BA0D Software Key BACK SELECT
  - The ESN of the nToken installed in the RFS.
  - "Software Key" for software-based authentication.
  If no nToken is installed in the RFS, software-based authentication is selected automatically.
- Skip this step if you have not selected secure authentication. The next screen asks you to verify that the key hash displayed by the nShield 5c matches the RFS key hash:
  Remote 0DA8-A5AE-BA0D reported the key hash: 9e0020264af732933574 0cfe10446d33cea33f4a Is this EXACTLY right? CANCEL CONFIRM
  The RFS key hash is obtained by running the commands described below. Take a copy of the returned key hash and compare it to the value reported on the nShield 5c display. The display wraps the 40-digit hash over two lines; compare all 40 hexadecimal digits, not just the first line.
  With software-based authentication, run the following command on the RFS:
  enquiry -m0
  This command returns the software key hash, tagged as kneti hash, as part of its output, for example:
  Server:
   enquiry reply flags  none
   enquiry reply level  Six
   ...
   kneti hash           d4c3d757a67416cb9ba31f33febd6ead688629e5
   ...
  With nToken authentication, run the following command on the RFS:
  ntokenenroll -H
  This command produces output of the form:
  nToken module #1
  nToken ESN: 0DA8-A5AE-BA0D
  nToken key hash: 9e0020264af7329335740cfe10446d33cea33f4a
  Check that the ESN also matches the one reported on the nShield 5c display.
  If the RFS key hash matches the one reported on the nShield 5c display, press the right-hand navigation button to continue the RFS configuration. Otherwise, press the left-hand navigation button to cancel the operation.
- The nShield 5c displays "Transferring files…" followed by a message reporting that the RFS has been set up. Press the right-hand navigation button again to exit.
After you have defined the RFS, the nShield 5c configuration files are exported automatically. See the nShield 5c User Guide for more about configuration files.
To modify the RFS at a later date, select System > System configuration > Remote file system, and then select the required action.
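The key-hash comparison in the RFS setup above, as an added example that is not Entrust code: Python helpers that extract the hash from enquiry -m0 output (software key) or ntokenenroll -H output (nToken), normalise the whitespace the front panel inserts when it wraps the hash, and accept only a match on all 40 hexadecimal digits (and on the ESN, for an nToken). The sample tool outputs are constructed from the values shown in this guide; on a real RFS you would pass the captured stdout of the command instead. The function names are this example's own.

```python
"""Compare the RFS key hash shown on the nShield 5c display with the local value.

Added example, not Entrust code. The RFS setup asks whether the hash on the
front panel is EXACTLY the one the RFS reports. The display wraps the 40 hex
digits over two lines, so a by-eye check often stops at the first line. These
helpers pull the hash out of `enquiry -m0` (software key) or `ntokenenroll -H`
(nToken), normalise whitespace and case, and require all 40 digits (and, for
an nToken, the ESN) to match. The sample outputs below are constructed from
the guide's values; on a real RFS pass
subprocess.run([...], capture_output=True, text=True).stdout instead.
"""
import re

HASH_RE = re.compile(r"^[0-9a-f]{40}$")
ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")

# Constructed sample tool output (values as shown in the guide).
ENQUIRY_SAMPLE = """\
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 kneti hash           d4c3d757a67416cb9ba31f33febd6ead688629e5
Module #1:
 enquiry reply flags  none
"""
NTOKENENROLL_SAMPLE = """\
nToken module #1
nToken ESN:      0DA8-A5AE-BA0D
nToken key hash: 9e0020264af7329335740cfe10446d33cea33f4a
"""
# Values copied from the front panel: the hash arrives wrapped over two lines.
DISPLAY_ESN = "0DA8-A5AE-BA0D"
DISPLAY_HASH = "9e0020264af732933574 0cfe10446d33cea33f4a"


def normalise_hash(text):
    """Remove line-wrap whitespace and case differences; insist on exactly 40 hex digits."""
    h = "".join(text.split()).lower()
    if not HASH_RE.match(h):
        raise ValueError(f"not a 40-hex-digit key hash: {text!r}")
    return h


def software_kneti_hash(enquiry_output):
    """Return the 'kneti hash' from the Server: section of `enquiry -m0` output."""
    section = None
    for line in enquiry_output.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            section = line[:-1]               # "Server", "Module #1", ...
            continue
        if section == "Server" and line.strip().startswith("kneti hash"):
            return normalise_hash(line.split("kneti hash", 1)[1])
    raise ValueError("no Server kneti hash in enquiry output")


def ntoken_identity(ntokenenroll_output):
    """Return (esn, key_hash) from `ntokenenroll -H` output."""
    esn = key_hash = None
    for line in ntokenenroll_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "nToken ESN":
            esn = value.strip()
        elif key.strip() == "nToken key hash":
            key_hash = normalise_hash(value)
    if esn is None or key_hash is None or not ESN_RE.match(esn):
        raise ValueError("ntokenenroll output lacks a valid ESN or key hash")
    return esn, key_hash


def display_matches(displayed_hash, local_hash, displayed_esn=None, local_esn=None):
    """True only if every hex digit matches, and the ESNs agree when they are given."""
    if displayed_esn != local_esn:
        return False
    return normalise_hash(displayed_hash) == normalise_hash(local_hash)


if __name__ == "__main__":
    esn, key_hash = ntoken_identity(NTOKENENROLL_SAMPLE)
    print("nToken:", esn, key_hash, "matches display:",
          display_matches(DISPLAY_HASH, key_hash, DISPLAY_ESN, esn))
    print("software kneti hash:", software_kneti_hash(ENQUIRY_SAMPLE))
```

normalise_hash refuses anything that is not exactly 40 hex digits, so a value copied from only the first display line, or with a digit dropped, fails closed rather than comparing equal by accident.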
Systems configured for Remote Administration
Before using Remote Administration or configuring NTP, enable config push on the nShield 5c for the RFS or client computer you intend to use for configuration. Use the RFS config push unless the machine that will push the configuration is not the RFS. The RFS config push is recommended at least when securely bootstrapping the configuration of the system from the nShield 5c front panel.
Enabling config push from the RFS
On the nShield 5c display, use the right-hand navigation button to select System > System configuration > Remote File System, and follow the steps described in Configuring the Remote File System (RFS). To enable config push from the RFS, set the push mode to AUTO with RFS secure authentication enabled (recommended), or to ON.
The RFS config push supports specifying secure authentication from the nShield 5c front panel, whereas the client config push only supports specifying authentication either from the nShield 5c Serial Console push command, or from the config file itself.
Enabling config push from a client computer
To enable config push from a client computer, on the nShield 5c display, use the right-hand navigation button to select System > System configuration > Config file options > Client config push > Config push mode, set ON or OFF, then select CONFIRM. A confirmation message is displayed.
After enabling config push, specify the IP address of the client to push the configuration from. On the nShield 5c display, use the right-hand navigation button to select System > System configuration > Config file options > Client config push > Client address. Enter the IP address and select CONFIRM. A message is displayed confirming your chosen IP address. Select CONTINUE.
Any remote computer is allowed to push configuration files if no IP address or the 0.0.0.0 address is specified. Always set a specific client address: with push unrestricted, any host that can reach the nShield 5c can replace its configuration.
After enabling config push, complete the configuration steps by editing the configuration files rather than by using the nShield 5c front panel. See the nShield 5c User Guide for more about configuration files.
Basic configuration of the client to use the nShield 5c
Client configuration utilities
Entrust provides the following utilities for client configuration:
Utility | Description
---|---
nethsmenroll | Used to configure the client to communicate with the nShield 5c.
config-serverstartup | Used to configure the hardserver of the client to enable TCP sockets.
nethsmenroll
The nethsmenroll command-line utility edits the client hardserver's configuration file to add the specified nShield 5c.
If the nShield 5c's ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield 5c to determine what they are, and requests confirmation.
Usage:
nethsmenroll [Options] --privileged <hsm-ip> <hsm-esn> <hsm-kneti-hash>
Options:
Option | Description
---|---
-m MODULE, --module=MODULE | Specifies the local module number that should be used (default is 0, which lets the hardserver assign the number dynamically).
-p, --privileged | Makes the hardserver request a privileged connection to the nShield 5c (default unprivileged).
<hsm-ip> | The IP address of the nShield 5c, which could be an IPv4 address, an IPv6 address, a link-local IPv6 address with an interface suffix (for example fe80::1%eth0), or a hostname.
-r, --remove | Removes the configuration of the specified nShield 5c.
-f, --force | Forces reconfiguration of an nShield 5c already known.
-n, --no-hkneti-confirmation | Does not request confirmation when automatically determining the nShield 5c's ESN and HKNETI.
-V, --verify-nethsm-details | When the ESN and HKNETI have been provided on the command line, verifies that they match the values the nShield 5c itself reports (as anonkneti would return them).
-P PORT, --port=PORT | Specifies the port to use when connecting to the given nShield 5c (default 9004).
--ntoken-esn=ESN | Specifies the ESN of the nToken to use to authenticate this client to the nShield 5c.
config-serverstartup
The config-serverstartup command-line utility automatically edits the [server_startup] section in the local hardserver configuration file in order to enable TCP ports for Java and KeySafe.
Any fields for which values are not specified remain unchanged.
After making any changes you are prompted to restart the hardserver.
Run config-serverstartup using the following command:
config-serverstartup [OPTIONS]
For more information about the options available to use with config-serverstartup, run the command:
config-serverstartup --help
Configuring a client to communicate through an nToken
You can configure a client to use its nToken to communicate with an nShield 5c, if it has one installed. When this happens, the nShield 5c:
- Examines the IP address of the client.
- Requires the client to identify itself using a signing key.
If an nToken is installed in a client, it can be used to both generate and protect a key that is then used for the impath communication between the nShield 5c and the client. A strongly protected key is used at both ends of the impath as a result.
Enrolling the client from the command line
Complete the following steps to initially configure a client computer to communicate with and use an nShield 5c. See Basic HSM, RFS and client configuration for more about the available options.
Do the following:
- On the client, open a command line window, and run the command:
nethsmenroll --help
- To retrieve the ESN and HKNETI of the nShield 5c, run the command:
anonkneti <Unit IP>
The following is an example of the output:
3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320
If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield 5c to determine what they are, and requests confirmation.
- Do one of the following:
If you are enrolling a client with an nToken installed, run the command:
nethsmenroll --ntoken-esn <nToken ESN> [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>
If you are enrolling a client without an nToken installed, run the command:
nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>
The following is an example of the output:
OK configuring hardserver's nethsm imports.
Basic configuration of an nShield 5c to use a client
Do the following:
- On the nShield 5c front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
The following screen is displayed:
Client configuration
Please enter your client IP address:
CANCEL NEXT
Enter the IP address of the client, and press the right-hand navigation button.
- Use the touch wheel to confirm whether you want to save the IP or not, and press the right-hand navigation button.
Client configuration
Do you want to save the IP in the config? (No for dynamic client IPs)
No
BACK NEXT
- Use the touch wheel to select the connection type between the nShield 5c and the client.
Client configuration
Please choose the client permissions
Unprivileged
BACK NEXT
The following options are available:
- Unprivileged: Privileged connections are never allowed.
- Priv. on low ports: Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux.
- Priv. on any ports: Privileged connections are allowed on all ports.
A privileged connection is required to administer the nShield 5c, for example to initialize a Security World. If privileged connections are allowed, the client can issue commands (such as clearing the nShield 5c) which interfere with the normal operation of the nShield 5c. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
- When you have selected a connection option, press the right-hand navigation button.
The following screen is displayed:
Client configuration
Do you want secure authentication enabled on this client?
Yes
BACK NEXT
- Select No and press the right-hand navigation button to configure the client without secure authentication. The authentication of the client will be based on the IP address only.
- Select Yes and press the right-hand navigation button to configure the client with secure authentication.
- On the nShield 5c, enter the number of the port on which the client is listening (the default is 9004), and press the right-hand navigation button. The following screen is displayed:
Client configuration
On what port is the client listening?
9004
CANCEL NEXT
- Skip this step if you have not selected secure authentication.
If an nToken is installed in the client, you will be asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:
>3138-147F-2D64
Software Key
BACK SELECT
- The ESN of the nToken installed in the client.
- "Software Key" for software-based authentication.
If no nToken is installed in the client, then software-based authentication is automatically selected.
Software-based authentication is only supported from version 12.60.
- Skip this step if you have not selected secure authentication.
The next screen will ask you to verify that the key hash displayed by the nShield 5c matches the client key hash:
Remote 3138-147F-2D64 reported the key hash:
691be427bb125f387686
38a18bfd2eab75623320
Is this EXACTLY right?
CANCEL CONFIRM
The client key hash is obtained by running the commands described below. Take a copy of the returned key hash and compare it to the value reported on the nShield 5c display.
With software-based authentication:
Run the following command on the client:
enquiry -m0
This command returns the software key hash, tagged as kneti hash, as part of its output, for example:
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 ...
 kneti hash           f8222fc007be38b78ebf442697e244dabded38a8
 ...
With nToken authentication:
Run the following command on the client:
ntokenenroll -H
This command produces output of the form:
nToken module #1
nToken ESN: 3138-147F-2D64
nToken key hash: 691be427bb125f387686 38a18bfd2eab75623320
Check that the ESN also matches the one reported on the nShield 5c display.
If the client key hash matches the one reported on the nShield 5c display, press the right-hand navigation button to continue the RFS configuration. Otherwise press the left-hand navigation button to cancel the operation.
- The nShield 5c displays a message reporting that the client has been configured. Press the right-hand navigation button again.
See the nShield 5c User Guide for more about modifying or deleting an existing client, configuring multiple clients, client licenses, pushing configuration files to the nShield 5c, and advanced configuration options.
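The two identity checks in the procedures above (confirming the nShield 5c's ESN and HKNETI returned by anonkneti before running nethsmenroll, and reading the client key hash from enquiry -m0 or ntokenenroll -H for comparison on the front panel) as an added shell example that is not part of the Entrust guide; the function names are mine and the sample command outputs are constructed from the values shown in this chapter.

```shell
# Added example, not from the Entrust guide: pin the nShield 5c's ESN and
# HKNETI recorded out of band, check them against what anonkneti reports
# before enrolling, and extract the client key hash that the HSM administrator
# compares on the front panel. Sample outputs are constructed from the values
# shown in this guide; in practice they come from `anonkneti <Unit IP>`,
# `enquiry -m0` and `ntokenenroll -H` run on the client.

# A KNETI hash is 40 hex characters; an ESN has the form XXXX-XXXX-XXXX.
is_kneti_hash() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'; }
is_esn() { printf '%s' "$1" | grep -Eq '^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$'; }

# verify_hsm_identity "<anonkneti output>" "<expected ESN>" "<expected HKNETI>"
# anonkneti prints "<ESN> <HKNETI>". Returns 0 only when both fields are well
# formed and equal the pinned values; 2 for malformed output, 1 for a mismatch.
verify_hsm_identity() {
    got_esn=${1%% *}
    rest=${1#* }
    got_hash=$(printf '%s' "${rest%% *}" | tr 'A-F' 'a-f')
    want_hash=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    is_esn "$got_esn" && is_kneti_hash "$got_hash" || return 2
    [ "$got_esn" = "$2" ] && [ "$got_hash" = "$want_hash" ]
}

# kneti_from_enquiry "<enquiry -m0 output>": the software key hash on the
# line tagged "kneti hash" in the Server (module 0) section.
kneti_from_enquiry() {
    printf '%s\n' "$1" | awk '$1 == "kneti" && $2 == "hash" { print $3; exit }'
}

# ntoken_hash_from_enroll "<ntokenenroll -H output>": the nToken key hash.
ntoken_hash_from_enroll() {
    printf '%s\n' "$1" | awk -F': *' '/nToken key hash/ { print $2; exit }' | tr -d ' '
}

# Constructed sample outputs using the values shown in this guide.
SAMPLE_ANONKNETI='3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320'
SAMPLE_ENQUIRY='Server:
 enquiry reply flags  none
 kneti hash           f8222fc007be38b78ebf442697e244dabded38a8'
SAMPLE_NTOKENENROLL='nToken module #1
nToken ESN: 3138-147F-2D64
nToken key hash: 691be427bb125f387686 38a18bfd2eab75623320'

if verify_hsm_identity "$SAMPLE_ANONKNETI" 3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320; then
    echo "HSM identity verified; client software key hash: $(kneti_from_enquiry "$SAMPLE_ENQUIRY")"
    echo "client nToken key hash: $(ntoken_hash_from_enroll "$SAMPLE_NTOKENENROLL")"
else
    echo 'HSM identity mismatch or malformed anonkneti output: do not enroll' >&2
fi
```

Only when verify_hsm_identity succeeds would you go on to run nethsmenroll with the confirmed ESN and HKNETI; a mismatch means the unit answering at that IP is not the one whose identity you recorded.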
Restarting the hardserver
In order to establish any configuration changes you may have entered, you must restart the hardserver (also called the nfast server).
Do one of the following to stop and restart the hardserver, according to your operating system:
- Windows:
net stop "nfast server"
net start "nfast server"
- Linux:
/opt/nfast/sbin/init.d-ncipher restart
Zero touch configuration of an nShield 5c
On a serial-enabled nShield 5c (see Model numbers in connect-intro.adoc) you can configure the nShield 5c and set up the RFS by using the nShield 5c Serial Console rather than the front panel. See the nShield 5c User Guide for more information on the Serial Console.
Once the nShield 5c’s power, Ethernet and serial cables have been connected, to allow zero touch configuration of the nShield 5c (no further use of the front panel required), follow these steps:
Configuring the network interfaces via the Serial Console
- Log in to the nShield 5c Serial Console (see the nShield 5c User Guide).
- Configure networking on Ethernet Interface #1:
- Set the IP address and netmask of the interface:
(cli) netcfg iface=0 addr=0.0.0.0 netmask=0.0.0.0
- Set the IP address of the gateway for the nShield 5c:
(cli) gateway 0.0.0.0
If your network environment requires you to configure static routes, you may also use the nShield 5c Serial Console to configure static routes for the nShield 5c at this stage.
Allowing configuration files to be pushed to the nShield 5c via the Serial Console
To allow the Remote File System (RFS) to push configuration files to the nShield 5c, configure the RFS using the rfsaddr command. To allow other remote computers to push configuration files to the nShield 5c, use the push command.
Configuring the Remote File System (RFS) via the Serial Console
- Log in to the nShield 5c Serial Console (see Creating a serial console session in the nShield 5c User Guide), and run the following commands to obtain the nShield 5c ESN and KNETI hash, for example:
(cli) esn
ESN: 6B1D-03CE-2F9A
(cli) kneti
Kneti hash: 56304e3f752cd13d219fa47ad27d56bb6a6642aa
- Run the rfs-setup command on the RFS with the IP address of the nShield 5c and the values previously returned by the esn and kneti commands:
rfs-setup <Unit IP address> <ESN> <KNETI hash>
For information on running rfs-setup, see Configuring the Remote File System (RFS).
- In the nShield 5c Serial Console, configure the RFS using the rfsaddr command.
(cli) rfsaddr address[:port] [keyhash [esn]] [push]
In this command:
- address is the RFS IP address.
- port is the RFS port number (default is 9004).
- keyhash is the RFS KNETI hash (default is 40 zeroes).
- esn is the RFS nToken ESN (default is "", i.e. no ESN).
- push specifies if the RFS can push configuration files to the nShield 5c:
- ON: The RFS is allowed to push configuration files.
- OFF: The RFS is not allowed to push configuration files.
- AUTO: The RFS is allowed to push configuration files if RFS secure authentication is enabled. This is the default option.
The keyhash and esn are optional, and can be used to enable the RFS secure authentication:
- No RFS secure authentication (not recommended): The keyhash and esn parameters are not specified.
- RFS software-based authentication: Only the keyhash parameter is specified. The RFS software KNETI hash is obtained by running the enquiry -m0 command on the RFS. The value is tagged as kneti hash in the command output.
- RFS nToken authentication: The keyhash and esn parameters are specified. The RFS nToken KNETI hash and ESN are obtained by running the ntokenenroll -H command on the RFS.
Allowing configuration files to be pushed to the nShield 5c from a remote computer via the Serial Console
In addition to the RFS, the push serial command can be used to allow a remote computer to push configuration files.
(cli) push ON [address] [keyhash]
In this command:
- address is the remote computer IP address. It defaults to 0.0.0.0, which allows any address to push. It is not recommended to leave the IP address unrestricted, unless keyhash is specified for authentication.
- keyhash is the hash of the key with which the authorized client is to authenticate itself (defaults to no key authentication required).
Enabling the push feature allows remote computers to change the HSM configuration file and make configuration changes that are normally only available through the HSM secure user interface.
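As an added shell example that is not part of the Entrust guide, the following functions apply the rfsaddr and push defaults and rules described in the two sections above to show what a given Serial Console command actually grants; the function names, IP addresses and key hashes used in the sample calls are constructed.

```shell
# Added example, not from the Entrust guide: work out what a given `rfsaddr`
# or `push` Serial Console command actually grants, applying the defaults and
# rules stated in this guide (40-zero keyhash = no authentication; push AUTO
# allows pushes only when RFS secure authentication is on; push address
# 0.0.0.0 = any host). Review the result before typing the command.

ZERO_HASH=0000000000000000000000000000000000000000

# rfsaddr_effect "address[:port]" [keyhash] [esn] [push]
# Prints "addr:port auth=<none|software|ntoken> push=<ON|OFF>".
rfsaddr_effect() {
    addr=${1%%:*}
    port=${1#*:}
    [ "$port" = "$1" ] && port=9004          # no :port given, use the default
    keyhash=${2:-$ZERO_HASH}
    esn=$3
    push=${4:-AUTO}
    if [ "$keyhash" = "$ZERO_HASH" ]; then auth=none
    elif [ -z "$esn" ]; then auth=software
    else auth=ntoken
    fi
    case $push in
        ON)   eff=ON ;;
        OFF)  eff=OFF ;;
        AUTO) if [ "$auth" = none ]; then eff=OFF; else eff=ON; fi ;;
        *)    return 1 ;;                    # not a valid push setting
    esac
    printf '%s:%s auth=%s push=%s\n' "$addr" "$port" "$auth" "$eff"
}

# push_effect [address] [keyhash]
# Prints "from=<address|any> auth=<key|none>", with " RISK" appended when any
# host may push without authenticating, the combination the guide advises against.
push_effect() {
    from=${1:-0.0.0.0}
    [ "$from" = 0.0.0.0 ] && from=any
    if [ -n "$2" ]; then auth=key; else auth=none; fi
    risk=""
    [ "$from" = any ] && [ "$auth" = none ] && risk=" RISK"
    printf 'from=%s auth=%s%s\n' "$from" "$auth" "$risk"
}

# Constructed sample commands: bare defaults versus authenticated settings.
rfsaddr_effect 10.0.0.5                          # 10.0.0.5:9004 auth=none push=OFF
rfsaddr_effect 10.0.0.5:9004 f8222fc007be38b78ebf442697e244dabded38a8   # auth=software push=ON
push_effect                                      # from=any auth=none RISK
push_effect 10.0.0.6 f8222fc007be38b78ebf442697e244dabded38a8          # from=10.0.0.6 auth=key
```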
After you enable the nShield 5c for zero touch configuration, everything that can be configured using the front panel can be configured remotely using one of the following methods:
- The nShield 5c Serial Console.
- The cfg-pushnethsm utility to push an updated configuration file to the nShield 5c (see the nShield 5c User Guide). From the configuration file you can configure the RFS, add clients, or change the network configuration.
- The nethsmadmin utility (see the nShield 5c User Guide).
Checking the installation
To check that the module is installed and configured correctly on the client:
- Log in as a user and open a command window.
- Run the command:
enquiry
For an example of the output following a successful enquiry command, see Enquiry utility.
If you are configuring a client belonging to an nShield 5c, the response to the enquiry command should be populated and the hardware status shown as OK.
If the mode is operational, the HSM has been installed correctly.
If the mode is initialization, the HSM has been installed correctly, but you must change the mode to operational.
If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.