Supporting legacy CodeSafe Direct

CodeSafe Direct is no longer available in CodeSafe 5. The following sections describe the usage of legacy CodeSafe Direct and how similar functionality is accomplished via CodeSafe 5.

Legacy CodeSafe Direct

Originally, the application would connect to the HSM through the Security World hardserver. With legacy CodeSafe Direct, the nShield Connect could be configured to receive direct socket connections to the SEE machine via see-sock-serv, removing the need for a client machine. You could do this by specifying postload_prog and postload_args in the load_seemachine section of the nShield Connect hardserver configuration file, located in NFAST_KMDATA/hsm-<ESN>, where <ESN> is the Electronic Serial Number of the HSM.

CodeSafe 5

The CodeSafe 5 modern architectural approach provides a container which has an IPC daemon (UNIX domain socket) that is used to send and receive nCore API commands and replies. The communication between the host application and CodeSafe 5 container is provided by a secure SSH daemon making use of port forwarding.

The Cmd_SEEJob nCore API command is no longer supported by the nCoreAPI service. Instead, the command is now requested directly from the client application on the host to the SEE machine using a direct TCP connection. A support library is needed to support this new connection, and this is part of the compatibility layer.

Containers listening on a specific port via the secure channel is a 'CodeSafe Direct' replacement.

There are cli commands using the 'csadmin' utility that can establish the secure SSHD port forwarding on the host client machine. The cs5-port-monitor will validate and then forward the ports specified in network-conf.json. See Build and sign example SEE machines on Linux for examples of using an SSH tunnel to communicate between the client and SEE machine directly through a TCP/IPv6 network connection to the container. Containers can be configured to listen to ports using the network-conf.json file.