Register the nShield CNG CSP

The DLL files that support the nShield CNG CSP are installed during product installation. However, you must register the CNG CSP before you can use it.

You can unregister the nShield CNG CSP without removing the provider DLL files from your system. After unregistering, you can reregister the nShield CNG CSP at any time as long as the files have not been uninstalled from your system. For more information, see Unregister or reregister the CNG CSP.

You can completely uninstall the nShield CNG CSP, removing the files from your system. After uninstalling, you must reinstall the files and then reregister the CNG CSP before you can use it. For more information, see Uninstall or reinstall the CNG CSP.

You can register the nShield CNG CSP with:

  • The CNG configuration wizard

  • The cngregister command-line utility

To register the nShield CNG CSP, the hardserver must be running and able to communicate with at least one module. This requirement is normally fulfilled during the product installation process. You can check that this requirement is fulfilled by running the enquiry command-line utility and checking the output for details about the module.

Register the CNG CSP with the CNG configuration wizard

Entrust recommends using the CNG configuration wizard to register the nShield CNG CSP. The product installation process places a shortcut to the CNG configuration wizard in the Windows Start menu: Start > Entrust nShield Security World.

You can also perform the following actions with the CNG configuration wizard:

  • Load existing Security Worlds

  • Generate new Operator Card Sets (OCS)

  • Configure the set-up parameters of the CNG CSP, including HSM Pool mode.
    With module firmware version 2.65.2 or later, if your application only uses module-protected keys, you can use HSM Pool mode with multiple hardware security modules. HSM Pool mode exposes a single pool of HSMs and supports returning or adding a hardware security module to the pool without restarting the system. With a FIPS 140 Level 3 Security World, keys cannot be created in HSM Pool mode; however, keys created outside HSM Pool mode can be used in HSM Pool mode.

To register the CNG CSP with the CNG configuration wizard, you must have already created a Security World and chosen a key protection method, either module-protection or OCS-protection. If you chose OCS-protection, you must also have already created an OCS before you can register the nShield CNG CSP with the CNG configuration wizard.

The CNG configuration wizard is not suitable for creating complex Security World setups. When used with network-attached HSMs, it is not suitable for creating Security Worlds with the unit. When creating such Security Worlds, or if you require more flexibility than the CNG configuration wizard provides, refer to the User Guide for your HSM.

If you use the CNG configuration wizard to create a Security World (and, if appropriate, an OCS), the wizard automatically prompts you to register the CNG CSP after you have fulfilled the necessary prerequisites.

You can also use the CNG configuration wizard to change an existing configuration at any time by running the wizard as usual and choosing the Use the existing security world option on the Initial setup screen.

To register the CNG CSP with the CNG configuration wizard after the necessary key-protection prerequisites have been fulfilled:

  1. If the wizard is not already running:

    1. Run the wizard by double-clicking its shortcut in the Windows Start menu: Start > Entrust nShield Security World.

      The wizard displays the welcome window.

    2. Click the Next button.

      The wizard allows you to configure HSM Pool mode for CNG.

    3. Click the Next button.

      If the prerequisite to create a Security World has been fulfilled, the wizard displays a confirmation screen.

    4. Click the Next button.

      The wizard displays a screen confirming that your Security World and (if you chose to create an OCS) an OCS have been created.

      If you chose module-protection for your keys, the wizard does not confirm that an OCS has been created.
  2. When the wizard has confirmed that it is ready to register the nShield CNG providers, click the Next button.

    The wizard registers the nShield CNG CSP.

    You cannot use the CNG configuration wizard to configure the nShield CNG providers for use as defaults. We recommend that you always use the nShield CNG providers by selecting them directly with the application that is using CNG.

When configuration of your nShield CNG CSP is complete, the wizard displays a confirmation screen.

Register the CNG CSP with cngregister

You can use the cngregister command-line utility to register the nShield CNG CSP manually even if you have not already created a Security World (or, if you choose OCS-protection for your keys, even if you have not already created an OCS).

To register the nShield CNG CSP with the cngregister command-line utility, run the command without specifying any options:

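cngregister

You cannot use the cngregister command-line utility to configure the nShield CNG providers for use as defaults. We recommend that you always use the nShield CNG providers by selecting them directly with the application that is using CNG. For more information about the cngregister command-line utility, see Utilities.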
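
The prerequisite check with enquiry and the registration with cngregister, combined into one PowerShell script. This is an added example, not Entrust's own code: it assumes enquiry and cngregister are on PATH, that enquiry lists each reachable module under a `Module #N:` header with a `mode` line reading `operational`, and that both utilities exit non-zero on failure. The function names are illustrative.

```powershell
# Added example: only run cngregister when enquiry reports a usable module.
# Assumption: enquiry prints "Module #N:" followed by an indented
# "mode   <state>" line for each module the hardserver can reach.

function Get-ModuleModes {
    param([string[]]$EnquiryLines)
    $modes = [ordered]@{}
    $current = $null
    foreach ($line in $EnquiryLines) {
        if ($line -match '^(Server|Module #\d+):\s*$') {
            $current = $Matches[1]            # start of a new section
        } elseif ($current -and $line -match '^\s+mode\s+(\S.*?)\s*$') {
            $modes[$current] = $Matches[1]    # state reported for that section
        }
    }
    return $modes
}

function Test-ReadyToRegister {
    param([string[]]$EnquiryLines)
    $modes = Get-ModuleModes -EnquiryLines $EnquiryLines
    $usable = @($modes.Keys | Where-Object {
        $_ -like 'Module #*' -and $modes[$_] -eq 'operational'
    })
    return ($usable.Count -ge 1)
}

# Constructed sample output, used only when enquiry is not installed.
$sample = @(
    'Server:',
    ' mode                 operational',
    '',
    'Module #1:',
    ' mode                 operational'
)

if (Get-Command enquiry -ErrorAction SilentlyContinue) {
    $lines = & enquiry
    if ($LASTEXITCODE -ne 0 -or -not (Test-ReadyToRegister -EnquiryLines $lines)) {
        throw 'hardserver is not reachable or no module is operational; not registering.'
    }
    & cngregister
    if ($LASTEXITCODE -ne 0) { throw "cngregister exited with code $LASTEXITCODE" }
} else {
    "Sample check: ready = $(Test-ReadyToRegister -EnquiryLines $sample)"
}
```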

Unregister or reregister the CNG CSP

You can use the cngregister command-line utility to unregister or reregister the nShield CNG CSP manually.

To unregister the nShield CNG CSP, run the command:

cngregister -U

This command unregisters the CNG CSP, but does not remove the provider DLL files from your system. For information about removing these files, see Uninstall or reinstall the CNG CSP.

If any applications or services are using the nShield CNG providers for key storage or cryptography, unregistering the CNG CSP, you can reregister it at any time as long as the files have not been uninstalled from your system.

After unregistering the nShield CNG CSP, you can reregister it at any time as long as the files have not been uninstalled from your system. To reregister the nShield CNG CSP on your system, run the command:

cngregister

You cannot use the cngregister command-line utility to configure the nShield CNG providers for use as defaults. We recommend that you always use the nShield CNG providers by selecting them directly with the application that is using CNG.

For more information about these command-line utilities, see Utilities.

Uninstall or reinstall the CNG CSP

To uninstall the nShield CNG CSP:

  1. To remove any and all dependencies that you have set, run the command:

    ncsvcdep -x

    Always run ncsvcdep as a user with full administrative privileges.

  2. Unregister the nShield CNG CSP on your system by running the command:

    cngregister -U

    This command unregisters the CNG CSP, but does not remove the provider DLL files from your system.

  3. Uninstall the nShield CNG DLLs from your system:

    • On 32-bit versions of Windows, run the command:

      cnginstall32 -U
    • On 64-bit versions of Windows, run the command:

      cnginstall -U

To reinstall the nShield CNG CSP after you have previously uninstalled it:

  1. Reinstall the nShield CNG CSP files on your system:

    • On 32-bit versions of Windows, run the command:

      cnginstall32 -i
    • On 64-bit versions of Windows, run the command:

      cnginstall -i
  2. Reregister the nShield CNG CSP on your system by running the command:

    cngregister

For more information about these command-line utilities, see Utilities.