Configuring and checking the installation

This section describes how to:

  • Configure the nShield Connect so that it can recognize the nToken installed on the client computer.

  • Check that the nToken is installed and configured correctly on the client.

For more information about configuring an nShield Connect to use clients, see the nShield Connect User Guide.

Adding the client to the nShield Connect

When the client is added to the nShield Connect, the client must use the nToken to communicate with the nShield Connect. If the client attempts to connect to the nShield Connect when a module is in use, the nShield Connect examines the IP address of the client and requires the client to identify itself using the authentication key of the module.

To add the client to the nShield Connect:

  1. Use the right-hand navigation button on the nShield Connect front panel to select System > System configuration > Client configuration > New client.

  2. Enter the IP address and netmask of the first client, and press the right-hand navigation button.

  3. To choose the permissions for the client, use the touch wheel to display the type of connection between the nShield Connect and the client. The table below lists the available options.

    Option                Description
    Unprivileged          Privileged connections are never allowed.
    Priv. on low ports    Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux.
    Priv. on any ports    Privileged connections are allowed on all ports.

    You need a privileged connection to perform module administration tasks (for example, to create a Security World). If you are not going to perform module administration tasks, Entrust recommends that you allow only unprivileged connections. For more information, see the nShield Connect User Guide.

    When you have selected the type of connection, press the right-hand navigation button.

  4. To enroll the client with an nToken, enter the number of the port on which the client is listening (the default is 9004) and press the right-hand navigation button.

  5. Retrieve the ESN and authentication key hash of the nToken:

    1. Open a command window on the client. Navigate to the directory where the Security World Software has been installed, and enter the following command:

      ntokenenroll -H

    2. The ESN of the nToken and the hash of the nToken authentication key are displayed. Write down the ESN and the hash, or ensure that you can see the module as you work on the client.

  6. On the module, compare the ESN of the nToken and the hash of the nToken authentication key with the ESN and hash displayed on the following screen:

    Client reported the
    software key hash:
    
    691be427bb125f387686
    38a18bfd2eab75623320
    
    Is this EXACTLY right?
    
    CANCEL    CONFIRM

    If there is an exact match, select Yes, and press the right-hand navigation button to configure the client.

  7. When you see the confirmation message, press the right-hand navigation button again.

  8. To enroll the client with the nToken, run the following command:

    nethsmenroll [--ntoken-esn esn-of-ntoken] [Options] nethsm-IP [nethsm_ESN netHSM_HKNETI]

Checking the installation

To check that the module is installed and configured correctly on the client:

  1. Log in as a user and open a command window.

  2. Run the command:

    enquiry

The following is an example of the output from a successful enquiry command:

Module ##:
enquiry reply flags   none
enquiry reply level   Six
serial number         ############-####
mode                  operational
version               #.#.#
speed index           ###
rec. queue            ##..##
...
rec. LongJobs queue   ##
SEE machine type      ARMtype2
supported KML types   DSAp1024s160 DSAp3072s256

If the mode is operational, the HSM module has been installed correctly.

If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.

If the operating system supports power saving, disable power saving. See Installing the module. Otherwise, if your system enters Sleep mode, the nToken may not be found when running enquiry. If this happens, you need to reboot your system.
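The enquiry check above can be scripted, for example as a post-install or monitoring check. The following is an added example, not part of the original guide or of Entrust's software: it parses enquiry output in the layout shown above and reports any module whose mode is not operational. The function names, the sample output, and the rule that any other line ending in a colon starts a non-module section are assumptions made for this example.

```python
import re
import sys

# Section header as shown on the page, e.g. "Module #1:"
MODULE_HEADER = re.compile(r"^\s*Module\s+(\S+):\s*$")
# Only the two fields this check needs, named as in the page's sample output
FIELD = re.compile(r"^\s*(mode|serial number)\s+(\S.*?)\s*$")

# Constructed sample (not from a real HSM); module #2 is deliberately non-operational
SAMPLE = """\
Module #1:
 enquiry reply flags  none
 serial number        AAAA-AAAA-AAAA
 mode                 operational
Module #2:
 serial number        BBBB-BBBB-BBBB
 mode                 maintenance
"""

def parse_enquiry(text):
    """Map each module id to the 'mode' and 'serial number' reported for it."""
    modules, current = {}, None
    for line in text.splitlines():
        header = MODULE_HEADER.match(line)
        if header:
            current = modules.setdefault(header.group(1), {})
        elif line.rstrip().endswith(":"):
            current = None  # assumption: any other "Name:" line opens a non-module section
        elif current is not None and (field := FIELD.match(line)):
            current[field.group(1)] = field.group(2)
    return modules

def check_modules(text):
    """Return a list of problems; an empty list means every module is operational."""
    modules = parse_enquiry(text)
    if not modules:
        return ["no module found in enquiry output"]
    return [
        f"module {mod_id} (serial {fields.get('serial number', 'unknown')}): "
        f"mode is {fields.get('mode', 'missing')}, expected operational"
        for mod_id, fields in modules.items()
        if fields.get("mode") != "operational"
    ]

if __name__ == "__main__":
    # Usage: enquiry | python check_enquiry.py  (uses SAMPLE when run on a terminal)
    problems = check_modules(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print("\n".join(problems) or "all modules operational")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when no module is found or any module is not operational, so it can gate a deployment step or feed a monitoring alert.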

Using a Security World

See the User Guide for your module and operating system for more about creating a Security World or loading an existing one.