Installing the software

This chapter describes how to install the Security World Software on the host computer.

After you have installed the software, you must complete further Security World creation, configuration and setup tasks before you can use your nShield environment to protect and manage your keys. See the User Guide for your module and operating system for more about creating a Security World and the appropriate card sets, and further configuration or setup tasks.

If you are planning to use an nToken with a client, this should be physically installed in the client before installing the Security World software, see nToken Installation Guide.

Installing the Security World Software on Windows

For information about configuring silent installations and uninstallations on Windows, see the User Guide.

For a regular installation:

Installing Security World software on Windows via Remote Desktop Connection can result in a brief loss of RDP connection. If this happens, it will happen during the Status: part of the installation, towards the end. When the session reconnects, the installation carries on until completion.

  1. Sign in as an Administrator or as a user with local administrator rights.

    If the Found New Hardware Wizard appears and prompts you to install drivers, cancel this notification, and continue to install the Security World Software as normal. Drivers are installed during the installation of the Security World Software.

  2. Place the Security World Software installation media in the optical disc drive.

  3. Launch setup.msi manually when prompted.

  4. Follow the onscreen instructions.

  5. Accept the license terms and select Next to continue.

  6. Specify the installation directory and select Next to continue.

  7. Select all the components required for installation.

    By default, all components are selected. Use the drop-down menu to deselect the components that you do not want to install. nShield Hardware Support and Core Tools are necessary to install the Security World Software.

    See Software packages on the Security World installation media for more about the component bundles and the additional software supplied on your installation media.

  8. Select Install.

    The selected components are installed in the installation directory chosen above. The installer creates links to the following nShield Cryptographic Service Provider (CSP) setup wizards as well as remote management tools under Start > Entrust or Entrust nShield Security World (depending on the version of Windows or Windows Server you are running):

    • If nShield CSPs (CAPI, CNG) was selected: 32bit CSP install wizard, which sets up CSPs for 32-bit applications

    • If nShield CSPs (CAPI, CNG) was selected: 64bit CSP install wizard, which sets up CSPs for 64-bit applications

    • If nShield CSPs (CAPI, CNG) was selected: CNG configuration wizard, which sets up the CNG providers

    • If nShield Java was selected: KeySafe, which runs the key management application

    • If nShield Remote Administration Client Tools was selected: Remote Administration Client, which runs the remote administration client

    If selected, the SNMP agent will be installed, but will not be added to the Services area in Control Panel > Administrative Tools of the target Windows machine. If you wish to install the SNMP agent as a service, please consult the SNMP monitoring agent section in the User Guide for your module and operating system.

    Do not run any CSP installation wizard before installing the module hardware.

  9. Select Finish to complete the installation.

    The following global variables are set upon install:

    • %NFAST_CERTDIR%

    • %NFAST_HOME%

    • %NFAST_KMDATA%

    • %NFAST_LOGDIR%

    • %NFAST_SERVICES_HOME%

  10. Stop the nFast Server service.

  11. The nShield installer creates and enables an inbound rule called nShield 5s mDNS to allow UDP port 5353 for any program. This enables the discovery of nShield 5s modules. If enrollment fails to find any modules in the following step, check that this firewall rule is present and enabled; if it does not exist, create it manually and retry enrollment.

  12. Set up the secure communication channels between the host PC and the HSM:

    "%NFAST_HOME%\bin\hsmadmin" enroll

    The HSM must be in factory state or else the registered sshadmin key must be in place otherwise this command will fail. If you have a backup of your sshadmin key, you can restore it using hsmadmin keys restore. If this is not a first-time installation of this HSM, and the sshadmin key trusted by this HSM is no longer available, enter recovery mode and then retry enrollment.

  13. Start the nFast Server service.

  14. If Remote Administration is installed, also start the nFast Remote Administration service.

  15. Entrust recommends that you take a backup of your sshadmin key with hsmadmin keys backup path\to\backup_key for backups that will be restored to the same machine. Note that this key will not be usable on another machine or if the OS is re-installed as it has protections tied to the local machine. For backups that may be restored to a different machine or re-installed OS, use hsmadmin keys backup --passphrase path\to\backup_key to protect the key with a user-supplied passphrase. Replace path\to\backup_key with the actual path to where the backup key should be written in the example commands above.

You may additionally need to do the following after you have installed the software:

  • In Windows Device Manager > Network adapters, select the appropriate module.

  • Under Properties > Power Management, deselect Allow the computer to turn off this device to save power.

Installing the Security World Software on Linux

In the following instructions, disc-name is the name of the mount point of the installation media.

  1. Sign in as a user with root privileges.

  2. Mount the DVD/ISO image.

  3. Open a terminal window, and change to the root directory.

  4. Extract the required .tar.gz files to install all the software bundles by running commands of the form:

    sudo mkdir /opt/nfast
sudo tar zxf /<iso-mountpoint>/linux/amd64/<file>.tar.gz -C /opt/nfast/

    In this command, <file> is the name of a .tar.gz file for that component, for example hwsp.tar.gz.

    See Software packages on the Security World installation media for more about the component bundles and the additional software supplied on your installation media.

  5. To use an nShield module with your Linux system, you must build a kernel driver. Entrust supplies the source to the NFP and a makefile for building the driver as a loadable module.

    The kernel level driver is installed as part of the hwsp bundle. To build the driver with the supplied makefile, you must have the correct headers installed for the kernel that you are running. They must be headers for the same version of the kernel and must contain the kernel configuration options with which your kernel was built. You must also have appropriate versions of gcc, make, and your C library’s development package.

    The configuration script looks for the kernel headers in the default directory /lib/modules/'<uname -r>'/build/include/. If your kernel headers are located in a different directory, set the KERNEL_HEADERS environment variable so that they are in $KERNEL_HEADERS/include/. Historically, the headers have resided in /usr/src/linux/include/. If the headers for your kernel are not already installed, install them from your Linux distribution disc, or contact your kernel supplier.

    Build the driver as a loadable kernel module. When you have ensured the correct headers are in place, perform the following steps to use the makefile:

    1. Change directory to the nShield PCI driver directory by running the command:

      # cd /opt/nfast/driver-nshield5

    2. Make the driver by running the command:

      # make

      This produces a driver file that is automatically loaded as part of the normal installation process.

  6. Run the install script by using the following command:

    /opt/nfast/sbin/install

  7. Sign in to your normal account.

  8. Add /opt/nfast/bin to your PATH system variable:

    If you use the Bourne shell, add these lines to your system or personal profile:

    PATH=/opt/nfast/bin:$PATH
export PATH

    If you use the C shell, add this line to your system or personal profile:

    setenv PATH /opt/nfast/bin:$PATH

  9. Entrust recommends that you take a backup of your sshadmin key, e.g. with hsmadmin keys backup /root/.ssh/id_nshield5_sshadmin for backups that will be restored to the same machine. If the path /root/.ssh/id_nshield5_sshadmin is used, and the sshadmin key is missing from the usual installed location under /opt/nfast, then that key will be used automatically when running the nShield install script. Note that this key will not be usable on another machine or if the OS is re-installed as it has protections tied to the local machine. For backups that may be restored to a different machine or re-installed OS, use hsmadmin keys backup --passphrase /path/to/backup_key to protect the key with a user-supplied passphrase (replacing /path/to/backup_key with the actual path to where the backup key should be written).