Security World Remote Administration

Gathering a quorum of card holders to carry out card holder duties in a remote datacenter can be expensive and inconvenient. Remote Administration enables Administrators and Operators to present their cards remotely to authorize HSM operations without being physically present at the HSM.

When presenting a card, a secure channel is formed directly between the Remote Administration smart card and the target HSM before any token shares are read from or written to the smart card.

Remote Administration enables Administrators to use their remote access solution to perform administration operations and extends the operations that can be performed in this way.

Remote Administration enables:

  • Card holders to present smart cards to an HSM without being physically present at the HSM (e.g. the card holder may be in an office, while the HSM is in a datacenter)

  • All Administrator and Operator card operations to be carried out remotely

  • Security World programs and utilities to be run remotely when used in combination with a standard remote access solution

  • Full remote administration of Security Worlds and their HSMs including:

    • Remote mode change

    • Create/load/unload Security World

    • Firmware upgrade

    • Module status (SOS) reporting

Once the software has been installed and the hardware security modules have been configured, Remote Administration enables full remote administration of Security Worlds and their HSMs.

Remote Administration components

Remote Administration consists of a number of components:

Remote Administration software

The following software is needed to allow remote card readers to be associated with an HSM:

  • nShield Remote Administration Client software
    Must be installed on the computer that has the card reader attached. See Remote Administration Client for more information.

  • nShield Remote Administration Service software
    Must be installed where it can access the appropriate HSM to provide communications between the card in the card reader and the HSM. See the Installation Guide for your nShield HSM for more about where to install Remote Administration Service software.

    The Remote Administration Service should be installed on the host machine of your HSMs and this machine must be accessible to Remote Administration Clients.

    See Remote Administration Service for more information.

When a card is inserted in a reader that is associated with an HSM, the nShield Remote Administration Client and the Remote Administration Service convey messages between the card and the HSM, allowing a secure channel of communications to be established.

Security World programs and utilities

The Security World programs and utilities are typically installed on a computer within your datacentre. In such cases the Remote Administration feature assumes you will use your preferred remote access solution, e.g. SSH or Remote Desktop, to run the Security World programs and utilities remotely. This means you can run a utility like creatocs from a remote location and present the OCS to be created using a Remote Administration Client. The Remote Administration feature includes the ability to change the mode of HSMs remotely using the nopclearfail utility. This means it is possible to create a Security World remotely and perform firmware upgrades.

nShield Remote Administration smart cards

You must use nShield Remote Administration Cards with Remote Administration. These are smart cards that are capable of negotiating cryptographically secure connections with an HSM, using warrants as the root of trust. nShield Remote Administration Cards can also be used in the local slot of an HSM if required.

The nShield Remote Administration smart cards provide:

  • Storage and retrieval of logical token fragments, similar to the smart cards used with previous releases

  • Security mechanisms to ensure authentication and confidentiality of data transferred between itself and the HSM

The nShield Remote Administration smart cards are FIPS 140 Level 3 certified devices, supporting execution of a custom Java Applet developed by Entrust. The smart cards used with previous versions of Security World software and nShield HSMs are still useable but, as previously, only in an HSM’s local slot. Remote Administration smart cards can be used both remotely and in an HSM’s local slot.

The use of nShield Remote Administration Cards is controlled by an Authorized Card List. If a card does not appear in the list, it cannot be used. See Authorized Card List for more information.

smart cards

Existing Administrator smart cards can be migrated to new Remote Administration smart cards using the racs (replace administrator card set) utility.

When using the racs utility, you cannot redefine the quantities in a K of N relationship for an ACS. The K of N relationship defined in the original ACS persists in the new ACS.

Similarly, existing OCS can be migrated using the rocs (replace operator card set) utility, provided the Security World has recovery enabled and the keys protected by that OCS are recovery enabled.

Migrating Card Sets

Authorized Card List

The use of nShield Remote Administration smart cards, both remotely and in an HSM’s local slot, is controlled by an Authorized Card List. If the serial number of a card does not appear in the Authorized Card List, it cannot be used by the system. The list only applies to Remote Administration smart cards.

By default, the Authorized Card List is empty following software installation. The serial numbers of Remote Administration smart cards must be added to the list using a text editor before they can be used.

For more information on the Authorized Card List, see Authorized Card List.

Remote Administration Client

The Remote Administration Client (RAC) is a utility that enables you to select an HSM located elsewhere from a list provided by the Remote Administration Service (RAS), and associate an nShield Trusted Verification Device attached to your computer with the HSM.

The RAC GUI (usually running on a laptop or workstation) communicates with the RAS (in a datacenter) over a standard TCP/IP connection. If the RAC computer is not on the same local network as the RAS computer, Entrust recommend that the connection is made over a VPN.

choose hsm

In the example screen shown, an HSM will not be Remote Administration (RA) Ready until it has the appropriate firmware, and has one or more dynamic Slots configured.

For users who want to script the card presentation process, there is also a command line utility, raccmd.

See the nShield Remote Administration Client User Guide for more information on deploying and using the Remote Administration GUI or command line utility.

Windows 8.1 + only

If you disconnect the TVD while you are on the Use Card Reader screen the Windows Smart Card service SCardSvr displays an error and terminates.

Remote Administration Service

The Remote Administration Service (RAS) provides a bridge between the RAC and the back end HSMs (via the hardserver). Its functionality is to:

  • Manage connections from multiple RACs

  • Supply a list of available HSMs to the connected RACs

  • Negotiate a connection to an HSM via the hardserver and route messages between the RAC and destination HSM.

To use Remote Administration with an nShield HSM, the Remote Administration Service must be installed on the host where the hardserver or nShield HSM reside. If you have multiple HSM hosts in a Security World, the Remote Administration Service must be installed on each one. See the Installation Guide for the HSMs for further details.

nShield Trusted Verification Device

Entrust supply and recommend the use of the nShield Trusted Verification Device (TVD). This is an intelligent smart card reader that blocks any malware on the client machine from spoofing the HSM identity passed to the nShield Remote Administration smart card. The TVD allows the card holder to securely confirm the Electronic Serial Number (ESN) of the HSM to which they want to connect, using the Trusted Verification Device display.

For more information, see the Trusted Verification Device (TVD) User Guide.

Trusted Verification Device

Software installation

The Remote Administration Service with the nShield HSM

Deploying the Remote Administration Service

The Remote Administration Service must be installed on the host where the hardserver and the HSM reside. If you have multiple HSM hosts in a Security World, see the User Guide for the HSMs for further details.

nShield Remote Administration Cards cannot be used until their serial numbers have been added to the Authorized Card List. See the nShield Remote Administration User Guide for further details.

Remote Administration Service bundle

The Remote Administration Service (RAS) is provided through the Remote Administration Service bundle and needs to be installed in the default directory.

For information on installing the Remote Administration Service bundle, see the installation guide for your HSM.

Remote Administration Client

The Remote Administration Client is normally deployed on its own using the instructions in the nShield Remote Administration Client user guide but it can be deployed on a client at the same time as rest of nShield software

For more information on the Remote Administration Client, see the nShield Remote Administration Client user guide.

TVD

A nShield Remote Administration Client can connect to one nShield TVD during a session.

For information on installing the TVD driver and confirming the HSM Electronic Serial Number (ESN) using the nShield TVD, see the nShield Remote Administration Client user guide.

System configuration

Remote Administration Service port

The port used by Remote Administration Clients to access the Remote Administration Service can be changed by setting the port field in the remote_administration_service_slot_server_startup section of the hardserver configuration file, see [remote_administration_service_startup].

Stopping and restarting the Remote Administration Service

The Remote Administration Service can be stopped and started using a command window or the Window Control Panel.

$ systemctl stop nc_raserv
$ systemctl start nc_raserv

Firewall settings

Assuming there is a firewall to protect your Remote Administration Service, open the port given in the Firewall settings section of the Installation Guide for the HSM.

To support Remote Administration, HSMs have to be configured to support between 1 and 16 Dynamic Slots. These Dynamic Slots are virtual card slots that can be associated with a card reader connected to a remote computer. Dynamic Slots are in addition to the local slot of an HSM and any soft token slot that may be available.

The default number of slots is 0. This disables Remote Administration on the relevant HSM.
  1. Do the following:

    1. Use the dynamic_slots section in the hardserver configuration file to define the number of Dynamic Slots for each relevant HSM.

  2. Clear the HSM for the changes to take effect.

    For example, run the nopclearfail command:

    nopclearfail --clear --all

You can check that the HSM has Dynamic Slots by:

  • Running the command:

    slotinfo -m 1

    For example, if four Dynamic Slots have been configured, the output from this command includes the lines:

    Slot    Type            Token   IC  Flags   Details
    #0      Smartcard       -       1   A
    #1      Software Tkn    -       0
    #2      Smartcard       -       0   AD
    #3      Smartcard       -       0   AD
    #4      Smartcard       -       0   AD
    #5      Smartcard       -       0   AD
  • The D in the Flags column indicates that slots #2 to #5 are Dynamic Slots.

Depending upon your system configuration, it can take up to 30 seconds for the Dynamic Slots to appear.

Adjusting card removal detection timers to account for network characteristics

Depending upon the characteristics of the network between nShield Remote Administration Clients and HSMs, you may need to adjust the timers that determine how long the system waits for a response, before it regards a card as having been removed. This enables you to balance the assured card removal detection time and network traffic.

Do the following:

  • Use The dynamic_slot_timeouts section in the module configuration file to define the round trip (HSM to smartcard and back) time limit (the default is 10 seconds), and the card removal detection timeout (the default is 30 seconds).

  • Push the updated configuration file to the nShield HSM.

Using Remote Administration with applications requiring cards in slot 0

If you want to use Remote Administration, but have an application that expects cards to be presented in slot 0, you must configure a slot mapping for each affected HSM.

  1. Do the following:

    1. Use the dynamic_slots section in the hardserver configuration file to define the number of Dynamic Slots for each relevant HSM.

      See dynamic_slots for more about the dynamic_slots section.

You can check the mapping by:

  • Running the command:

    slotinfo -m 1

    For example, if dynamic slot #2 has been mapped to slot #0, the output from this command includes the lines:

    Slot Type Token IC Flags Details
    #0 Smartcard - 1 AD
    #1 Software Tkn - 0
    #2 smartcard - 0 A
  • The D in the Flags column indicates that slot #0 is now a Dynamic Slot

Authorized Card List

The use of nShield Remote Administration smart cards is controlled by an Authorized Card List. If the serial number of a card does not appear in the Authorized Card List, it is not recognized by the system and cannot be used. The list only applies to Remote Administration cards and is used when a card is inserted:

  • In the local slot of an HSM

  • In a card reader that is associated with a dynamic slot of the HSM, through the nShield Remote Administration Client

By default, the Authorized Card List is empty following software installation. The serial numbers of Remote Administration Cards must be added to the list before they can be used.

The Authorized Card List is a text file %NFAST_KMDATA%\config\cardlist on the RFS and each client computer. The file is read from the RFS by associated nShield HSMs as and when required for front panel operations. The list applies to all nShield network-attached HSMs associated with the RFS, regardless of the Security World to which an HSM may belong, including when creating a Security World from the front panel. For client initiated card operations the Authorized Card List file on that client computer is used. The RFS and client copies of the Authorized Card List have to be kept in step manually.

Adding cards to the Authorized Card List

Add the serial numbers (16 digits with no separators) of all Remote Administrator Cards you intend to use to the Authorized Card List, with a standard text editor. The serial numbers are printed on the smart cards and are reported by using slotinfo -m1 -s0 when the card is in a slot, where 1 is the number of the HSM and 0 is the number of the slot.

There is an option to allow any Remote Administration Card to be used, by including a wildcard (*) in the Authorized Card List. Entrust recommends that you do not use this option, except under controlled circumstances, as it effectively disables the Using Remote Administration control.

Using Remote Administration

A privileged client can run the Command Line Tools remotely to:

  • Change the mode of the HSM using nopclearfail –M/-O/-I to set the mode of the MOI switch, see Remote mode switch

Presenting nShield Remote Administration smart cards using the Remote Administration Client

With Remote Administration, you present a smartcard in a remote work station or laptop rather than locally at the nShield HSM. Remote Administration creates a separate secure connection from the Remote Administration smart card to the nShield HSM enabling remote card presentation.

For information on presenting nShield Remote Administration smart cards, see the nShield® Remote Administration Client user guide.

Remote Administration Configuration file sections

The following sections relevant to Remote Administration are included in the hardserver configuration file:

[dynamic_slot_timeouts]

# Start of the dynamic_slot_timeouts section
# Timeout values used to specify expected smartcard responsiveness for all
# modules on the network.
# Each entry has the following fields:
#
# Round trip time limit, in seconds, is how long to wait before giving up due
# to network delays. (default=10)
# round_trip_time_limit=INT
#
# Maximum time, in seconds, that can pass without a response from the
# smartcard before considering it removed and unloading all associated secrets
# (default=30)
# card_remove_detect_time_limit=INT
The dynamic_slot_timeout section is in the hardserver configuration file for the HSM.

[dynamic_slots]

# Start of the dynamic_slots section
# The dynamic smartcard slots that the modules should provide for the use of
# administrators who do not have physical access to the module hardware
# Each entry has the following fields:
#
# ESN of the module to be configured with dynamic slots.
# esn=ESN
#
# Number of dynamic slots the module will support. (default=0)
# slotcount=INT
The dynamic_slots section is in the hardserver configuration file for the HSM.

[slot_mapping]

# Start of the slot_mapping section
# Slot remapping configuration.
# Each entry has the following fields:
#
# ESN of the module on which slot 0 will be remapped with another.
# esn=ESN
#
# Slot to exchange with slot 0. Setting this value to 0 means do
# nothing.(default=0)
# slot=INT
The slot_mapping section is in the hardserver configuration file for the HSM.
Mapping a Dynamic Slot to slot 0 is needed if you want to use Remote Administration with applications that are not aware of slot numbers greater than zero. This applies to KeySafe and CNG Wizard but may also apply to your own applications.

[remote_administration_service_startup]

# Start of the remote_administration_service_startup section
# Remote Administration Service communication settings, these are only read at
# Remote Administration Service startup time
# Each entry has the following fields:
#
# The port for the Remote Administration Service to listen on for incoming TCP
# connections from remote administration clients (default=9005)
# port=PORT