Basic HSM, RFS and client configuration

This guide covers the following HSMs:

  • nShield Connect

  • nShield 5c

The nShield nToken has been discontinued. If you already have one installed in your RFS, you can use the nToken options as described here. If you do not currently use an nToken, you must use software-based authentication.

This guide describes the initial nShield HSM, RFS and client computer configuration steps. For more about:

An installation has only one RFS, but may have one or more Clients. The RFS can also serve as a Client. Before you continue with the following configuration, the RFS and every Client must have the Security World software installed; see Install the Security World software.

About nShield HSMs and client configuration

An nShield HSM and a client communicate using their hardservers. These handle secure transactions between the HSM and applications that run on the client. To enable the secure transmission of data between an nShield HSM and each client, the hardserver uses an impath. You must configure:

  • Each client hardserver to communicate with the hardserver of the HSM that it needs to use.

  • The HSM hardserver to communicate with the hardserver of the clients that are allowed to use it.

Multiple nShield HSMs can be configured to communicate with one client, just as multiple clients can be configured to communicate with one HSM.

Any nShield HSM on the network can load a Security World securely over the network, and access its keys, wherever the HSM is installed.

Security World and key data is stored on the file system of the nShield HSM, where it is updated whenever card or key operations are performed on the HSM. The data is also automatically transferred to the remote file system (RFS). If required, you can also share the data with client computers that use the Security World.

Remote file system (RFS)

Each HSM must have a remote file system (RFS) configured. This includes master copies of all the files that the HSM needs. See the User Guide for your HSM for more information about the RFS.

HSM configuration

The current configuration files for the hardserver of an HSM are stored in its local file system. These files are automatically:

  • Updated when the HSM is configured.

  • Exported to the appropriate RFS directory.

Each HSM in a Security World has separate configuration files on the RFS. See the User Guide for your HSM for more about configuration files and advanced configuration options.

Client configuration

The current configuration files for the hardserver of a client are stored in its local file system.

See the User Guide for your HSM for more about client configuration files and advanced configuration options.

The following steps assume that you have added the path %NFAST_HOME%\bin (Windows) or /opt/nfast/bin/ (Linux) to the PATH system variable.

Basic HSM and RFS configuration

After installing the Security World Software and the HSM, you need to do the following:

  • Configure the HSM Ethernet interfaces.

  • Configure the RFS.

You should complete the RFS tasks before:

  • Configuring the HSM and client to work together.

  • Creating a Security World and an Operator Card Set (OCS). See the User Guide for your HSM for more about creating a Security World and the OCS.

Configuring the Ethernet interfaces - IPv4 and IPv6

An HSM communicates with one or more clients over an Ethernet network. You must supply IP addresses for the HSM and the client. Contact your system administrator for this information if necessary.

There are two network interfaces on the HSM. Three configurations are supported:

  • Single network interface.

  • Two independent network interfaces.

    You must connect the interfaces to physically different networks.

  • The two network interfaces combined as a bond interface.

    The bond interface can use:

    • Active backup mode.

    • 802.3ad mode (requires a switch that supports 802.3ad).

You can configure the HSM using the front panel Network config menu or by pushing a configuration file to the HSM over the network. The following can be configured:

  • Interface addresses

  • Bond

  • Default gateway

  • Network routes

  • Network speed.

If the HSM is already configured, you can update the displayed values.

If you ever change any of the IP addresses on the HSM, you must update the configuration of all the clients that work with it to reflect the new IP addresses.

By default, the hardserver listens on all interfaces. However, you can choose the specific network interfaces on which the hardserver listens. This may be useful if, for example, one of the Ethernet interfaces is connected to external hosts. See the User Guide for your HSM for more information.

IPv4 and IPv6

Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:

  • IPv4 only

  • IPv4 and IPv6

  • IPv6 only.

Interface #1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled.

IPv6 addresses

An IPv4 address is 32 bits long and typically represented as 4 octets, for example 192.168.0.1. An IPv6 address is 128 bits long and is made up of a subnet prefix (n bits long) and an interface ID (128 - n bits long).

An IPv6 address and its associated subnet is typically represented by the notation ipv6-address/prefix-length, where:

  • ipv6-address is an IPv6 address represented in any of the notations described below.

  • prefix-length is a decimal value specifying how many of the leftmost contiguous bits of the address make up the prefix.

The IPv6 address notation mirrors the way subnets are represented in the IPv4 Classless Inter-Domain Routing (CIDR) notation.

IPv6 address notation

An HSM will accept an IPv6 address if it is entered in one of the forms shown below and if the address is valid for the context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings:

  • The long representation is x:x:x:x:x:x:x:x, where each x is a field containing hexadecimal characters (0 to ffff) for each 16 bits of the address.

    For example:

    1234:2345:3456:4567:5678:6789:789a:89ab

    1234:5678:0:0:0:0:9abc:abcd/64

  • If one or more consecutive fields are 0 then they can be replaced by ::.

    For example:

    1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64

    :: can only appear once in an IPv6 address.

Unless the address is a link-local address, the HSM front panel only allows lower-case letters in an IPv6 address.

IPv6 addresses keyed manually on the HSM front panel are validated on entry by the HSM. As well as checking that the format of the address is correct, the HSM also validates that the address entered is valid for the context in which it will be used, see Acceptable IPv6 address by use case.

If Stateless Address Auto Configuration (SLAAC) is enabled, the HSM automatically forms IPv6 addresses from the network prefixes contained in Router Advertisements (RAs). RAs are received directly by the HSM Operating System, which forms IPv6 addresses by combining the network prefixes in the RA with the MAC address of the receiving Ethernet interface. Because they are created by the Operating System, SLAAC IPv6 addresses are not subject to the same validation rules as addresses entered via the HSM front panel. If SLAAC is to be used to configure HSM IPv6 addresses in preference to statically entered addresses, network planners must ensure that the prefixes advertised to the HSM are of a suitable type, see Acceptable IPv6 address by use case.

(nShield Connect only) IPv6 compliance

The sub-menu (1-1-1-9 - Set IPv6 compliance) on the nShield Connect front panel menu permits the user to select an IPv6 compliance mode for an HSM. Compliance with USGv6 or IPv6 ready can be selected.

Both these modes change the settings for the HSM firewall so that it passes through packets which are discarded in the normal Default mode. This behaviour is required for compliance testing but is not recommended for normal use, since allowing packets with invalid fields or parameters through the firewall increases the attack surface. When either USGv6 or IPv6 ready is selected, a confirmation message is displayed to reduce the likelihood that they are enabled by accident.

It is recommended that the IPv6 compliance mode is set to Default for all normal operations.

Acceptable IPv6 address by use case

The types of IPv6 address that are acceptable as a static address are given in the table below. For examples of valid IPv6 addresses, see Valid IPv6 Addresses.

Use case: acceptable address types

Static IPv6 Address Entry

  • Global Unicast

  • Local Unicast

IPv6 Default Gateway

  • Global Unicast

  • Local Unicast

  • Link-local

IPv6 Route Entry - IP Range

  • Unknown

  • Loopback

  • Global Unicast

  • Local Unicast

  • Link local

  • Teredo

  • Benchmarking

  • Orchid

  • 6to4

  • Documentation

  • Multicast

IPv6 Route Entry - Gateway

  • Global Unicast

  • Local Unicast

  • Link-local

RFS Address

  • Global Unicast

  • Local Unicast

Client Address

  • Global Unicast

  • Local Unicast

Push Client Address

  • Global Unicast

  • Local Unicast

Ping

  • Unknown

  • Loopback

  • Global Unicast

  • Local Unicast

  • Link-local

  • Teredo

  • Benchmarking

  • Orchid

  • 6to4

  • Documentation

  • Multicast

Traceroute

  • Unknown

  • Loopback

  • Global Unicast

  • Local Unicast

  • Link-local

  • Teredo

  • Benchmarking

  • Orchid

  • 6to4

  • Documentation

  • Multicast
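The following is an added example (not Entrust code and not part of this guide) that applies the IPv6 text-notation rules from IPv6 address notation and the use-case table above to an address typed as a string: it expands the long and :: forms into eight fields, rejects a second ::, checks the /prefix-length, names the address type, and answers whether that type is acceptable for a given use case. The mapping from the table's type names to address prefixes is an assumption taken from the standard IPv6 special-purpose ranges; the HSM's own classifier is not published here, and the front-panel case rule follows the guide's statement literally.

```python
import ipaddress
import re

# Added example, not Entrust code. Prefix-to-type mapping is an assumption
# based on the standard IPv6 special-purpose ranges, not the HSM's own code.

FIELD = re.compile(r"^[0-9a-f]{1,4}$")

def expand_ipv6(text):
    """Expand an IPv6 address in either conventional text form into eight
    zero-padded hexadecimal fields. Returns (expanded, prefix_length or None).
    Rules applied: 1 to 4 hex digits per field, at most one "::", and an
    optional /prefix-length from 0 to 128. Raises ValueError otherwise."""
    addr, sep, prefix = text.strip().lower().partition("/")
    prefix_len = None
    if sep:
        if not prefix.isdigit() or not 0 <= int(prefix) <= 128:
            raise ValueError("prefix length must be a decimal value from 0 to 128")
        prefix_len = int(prefix)
    if addr.count("::") > 1:
        raise ValueError(":: can only appear once in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError(":: must replace at least one zero field")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit fields")
    for field in fields:
        if not FIELD.match(field):
            raise ValueError(f"invalid field {field!r}")
    return ":".join(f.zfill(4) for f in fields), prefix_len

# Type names as used in the guide's table, most specific prefix first so that
# e.g. a documentation address is not reported as global unicast.
TYPE_PREFIXES = [
    ("Loopback", "::1/128"),
    ("Teredo", "2001::/32"),
    ("Benchmarking", "2001:2::/48"),
    ("Orchid", "2001:10::/28"),
    ("Orchid", "2001:20::/28"),
    ("Documentation", "2001:db8::/32"),
    ("6to4", "2002::/16"),
    ("Link-local", "fe80::/10"),
    ("Local Unicast", "fc00::/7"),
    ("Multicast", "ff00::/8"),
    ("Global Unicast", "2000::/3"),
]

def classify(text):
    """Name the address type of an IPv6 address written in any accepted form."""
    expanded, _ = expand_ipv6(text)
    addr = ipaddress.IPv6Address(expanded)
    for name, prefix in TYPE_PREFIXES:
        if addr in ipaddress.IPv6Network(prefix):
            return name
    return "Unknown"

# The use-case table from the guide, keyed by its row titles.
ANY = {name for name, _ in TYPE_PREFIXES} | {"Unknown"}
STATIC = {"Global Unicast", "Local Unicast"}
GATEWAY = STATIC | {"Link-local"}
ACCEPTABLE = {
    "Static IPv6 Address Entry": STATIC,
    "IPv6 Default Gateway": GATEWAY,
    "IPv6 Route Entry - IP Range": ANY,
    "IPv6 Route Entry - Gateway": GATEWAY,
    "RFS Address": STATIC,
    "Client Address": STATIC,
    "Push Client Address": STATIC,
    "Ping": ANY,
    "Traceroute": ANY,
}

def front_panel_accepts(use_case, text):
    """Mirror the front-panel checks: well-formed, lower-case hex letters
    unless the address is link-local, and a type allowed for the use case."""
    kind = classify(text)  # raises ValueError on malformed input
    if text != text.lower() and kind != "Link-local":
        return False
    return kind in ACCEPTABLE[use_case]
```

Running `front_panel_accepts("RFS Address", "fe80::1")` returns False while `front_panel_accepts("IPv6 Default Gateway", "fe80::1")` returns True, which is the distinction the table draws: a link-local address can name a gateway but never the RFS or a client. SLAAC-formed addresses bypass these checks on the HSM, so the same function is a reasonable pre-check for the prefixes a router will advertise to it.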

Stateless address auto-configuration (IPv6 only)

Unlike IPv4, IPv6 is designed to be auto-configuring. SLAAC is an IPv6 mechanism by which IPv6 hosts can configure their IPv6 addresses automatically when connected to an IPv6 network, using the Neighbour Discovery Protocol (NDP). Using NDP, IPv6 hosts can solicit advertisements from on-link routers and use the network prefix(es) contained in the advertisements to generate IPv6 address(es).

SLAAC is disabled by default in the HSM, but can be selectively enabled for each Ethernet interface either using the front panel or by setting the appropriate configuration item and pushing a configuration file.

Configure Ethernet interface #1

To set up Ethernet interface #1 (default):

Enable/disable IPv4

To enable/disable IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable.

    The following screen displays:

    Network configuration
    
    IPv4 enable/disable:
    
    ENABLE
    
    CANCEL    FINISH
  2. Set the ENABLE/DISABLE field to the required option.

  3. To accept, press the right-hand navigation button.

Set up IPv4 static address

To set up IPv4 static address:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > Static IPv4 address.

    The following screen displays:

    Network configuration
    
    Enter IPv4 address
    for interface #1:
         0.  0.  0.  0
    Enter netmask:
         0.  0.  0.  0
    CANCEL           NEXT
  2. Set each field of the IP address and netmask for the interface (press the Select button to move to the next field).

  3. Once all fields have been set, press the right-hand navigation button to continue.

  4. To accept the changes, press the right-hand navigation button and then CONTINUE to go back to the Static IPv4 address menu.

Enable/disable IPv6

To enable/disable IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6.

    The following screen displays:

    Network configuration
    
    IPv6 enable/disable:
    DISABLE
    
    CANCEL    FINISH
  2. Set the ENABLE/DISABLE field to the required option.

  3. To accept, press the right-hand navigation button.

Set up IPv6 static address

To set up IPv6 static address:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.

    The following screen is displayed:

    Network configuration
    Do you want to use a
    static address or
    SLAAC?

    Select static and press the right-hand navigation button.

    Then, select Static IPv6 address and press the right-hand navigation button.

    The following screen displays:

    Network configuration
    Enter IPv6 address
    For interface #1:
    
    
    
    CANCEL    NEXT
  2. Enter the required IPv6 address.

  3. When the IPv6 address is correct, press the right-hand navigation button. The following screen displays:

    Network configuration
    IPv6 address
    xxxx:xxxx:xxxx:xxxx:
    xxxx:xxxx:xxxx:xxxx
    
    Enter prefix length:
    64
    
    BACK    NEXT
  4. When the IPv6 address prefix details are correct, press the right-hand navigation button.

  5. You are asked whether you wish to accept the new interface. To accept, press the right-hand navigation button.

Enabling static IPv6 addresses on the HSM’s network interface disables SLAAC on this interface. See Enable IPv6 SLAAC for SLAAC addresses.

Set link speed for interface #1

To set up the link speed for interface #1:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Set link speed for #1.

  2. The following screen displays:

    Network configuration
    
    Select desired link
    speed:
    auto / 1Gb
    
    CANCEL    NEXT

    You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX.

    Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected. Selecting auto / 1Gb is the only means of achieving 1Gb link speed.
  3. Press the right-hand navigation button and you will be returned to the Set up interface #1 screen and you can then continue with the configuration.

Configure Ethernet interface #2

To set up the Ethernet interface #2, if required:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #2.

  2. Enter the details for interface #2 in the same manner that you entered the details for interface #1.

  3. Once the interface #2 details have been entered you need to explicitly enable interface #2. Select System > System configuration > Network config > Set up interface #2 > Enable/Disable Int #2.

  4. The following screen displays:

    Network configuration
    
    Interface #2
    DISABLE
    
    CANCEL    FINISH
  5. Select the ENABLE option.

  6. Press the right-hand navigation button to accept. A screen similar to that used for interface #1 is displayed.

Configure an Ethernet bond interface

Enable or disable the use of a bond interface

  1. From the front panel menu, select System > System configuration > Network config > Set up bond > Enable/disable bond.

    The following screen displays:

    Network configuration
    
    Bond Interface
    
    DISABLE
    
    CANCEL    FINISH
  2. Set the ENABLE/DISABLE field to the required option.

  3. To accept, press the right-hand navigation button.

Set up a bond interface

  1. From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond.

    The following screen displays:

    Bond interface config
    will use the eth0
    IPv4 and IPv6 config
    if they are enabled
    
    CANCEL    NEXT
  2. Press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    mode: 802.3ad
    
    BACK    NEXT
  3. Set the mode field to the required option, either 802.3ad or active-backup.

  4. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    miimon: 100
    
    BACK    NEXT
  5. Set the miimon field to the required value. The range is 0 - 10000 milliseconds.

    Setting the miimon value to 0 disables it. This can prevent the bonding resilience from functioning correctly in active-backup mode.

  6. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    lacp_rate: slow
    
    only valid for
    802.3ad (LACP) mode
    
    BACK    NEXT
  7. Set the lacp_rate field to the required option, either slow or fast.

    This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.

    slow

    request LACPDUs to be transmitted every 30 seconds

    fast

    request LACPDUs to be transmitted every 1 second

  8. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    xmit hash policy:
    layer2
    
    only valid for
    802.3ad (LACP) mode
    
    BACK    NEXT
  9. Set the xmit hash policy field to the required option.

    This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.

    Options:

    • layer2

    • encap2+3

    • layer2+3.

  10. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    primary device: eth0
    
    only valid for
    active-backup mode
    
    BACK    NEXT
  11. Set the primary device field to the required option, either eth0 or eth1.

    This parameter is only valid for active-backup mode. This setting is ignored in other modes.

  12. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    Update parameter
    
    resend igmp: 1
    
    only valid for
    active-backup mode
    
    BACK    NEXT
  13. Set the resend igmp field to the required value. Range: 0 - 255.

    This parameter is only valid for active-backup mode. This setting is ignored in other modes.

  14. To accept, press the right-hand navigation button.

    The following screen displays:

    Bond interface config
    
    Are you sure you wish
    to change the config ?
    
    CANCEL    CONFIRM
  15. To accept and apply changes to the bond config, press the right-hand navigation button.

    The following confirmation screen displays:

    Bond interface
    config completed OK
    
    CONFIRM

Default gateway

Set default gateway for IPv4

To set a default gateway for IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway.

    The following screen is displayed:

    Gateway configuration
    
    Enter IPv4 address of
    the default gateway:
    
    0. 0. 0. 0
    
    CANCEL    NEXT
  2. Enter the IPv4 address of the default gateway.

  3. Press the right-hand navigation button NEXT and then FINISH to accept.

Set default gateway for IPv6

To set a default gateway for IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv6 gateway.

    The following screen is displayed:

    Gateway configuration
    
    Enter IPv6 address of
    the default gateway:
    
    
    
    CANCEL    NEXT

  2. Enter the address for the gateway. Press the right-hand navigation button. The following screen is displayed if the address entered was a link-local address:

    Gateway configuration
    
    Select an interface for link-local address:
    
    ::
    
    CANCEL    NEXT
  3. Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

Set up Routing

Set up routing for IPv4

To set a new route entry for IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv4 route entry.

    The following screen is displayed:

    Edit route entry
    
    Enter IP range
    and mask length:
    0.  0.  0.  0/ 0
    Enter the gateway:
    0.  0.  0.  0
    
    CANCEL    FINISH
  2. Enter the IPv4 address range details for the route. Press the right-hand navigation button to accept.

Set up routing for IPv6

To set a new route entry for IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > New IPv6 route entry.

    The following screen is displayed:

    Edit route entry
    
    Enter the IP range
    and prefix length:
    ::/64
    
    CANCEL    NEXT
  2. Enter the IPv6 address range details for the route. Press the right-hand navigation button to accept. The following screen is displayed:

    Edit route entry
    xxxx:xxxx:xxxx:xxxx:
     xxxx:xxxx:xxxx:xxxx
     /xxx
    
    Enter the gateway:
    ::
    
    
    BACK    NEXT
  3. Enter the gateway address; if it is a link-local address, the following screen is displayed.

    Edit route entry
    
    Select an interface
    for link-local address:
    fe80:xxxx:xxxx:xxxx:
    xxxx:xxxx:xxxx:xxxx
      Interface #1
    BACK    NEXT
  4. Select the interface for the IPv6 gateway and press the right-hand navigation button to accept.

  5. If the new route entry for IPv6 is incorrect, an error message is displayed on the next screen; select BACK to return to the route entry screen and enter the IPv6 route entry again.

Edit route entry

Edit IPv4 route entry

To edit a route entry for IPv4:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.

    The following screen is displayed:

    ►  1. 1. 1. 1/ 1
    3. 3. 3. 3/ 3
    1111:1111:1111:1111:
    1111:1111:1111:1111
     /128
    
    BACK    SELECT
  2. Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is displayed:

    Edit route entry
    
    Enter the IP range
    and mask length:
    1. 1. 1. 1/ 1
    Enter the gateway
    2. 2. 2. 2
    CANCEL    FINISH
  3. Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.

Edit IPv6 route entry

To edit a route entry for IPv6:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry.

    The following screen is displayed:

    Edit route entry
    ►  1. 1. 1. 1/ 1
    3. 3. 3. 3/ 3
    1111:1111:1111:1111:
    1111:1111:1111:1111
    /128
    
    
    BACK    SELECT
  2. Select the IPv6 route to be edited. Press the right-hand navigation button. The following screen is displayed:

    Edit route entry
    
    Enter the IP range
    and prefix length:
    1111:1111::1111:1111:
     1111:1111:1111:1111/128
    
    CANCEL    NEXT
  3. Edit the IPv6 route entry. Press the right-hand navigation button.

    Edit route entry
    1111:1111:1111:1111:
     1111:1111:1111:1111/128
    
    Enter the gateway
    2222:2222:2222:2222
    
    BACK  NEXT
  4. Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway the screen below will be displayed.

    Edit route entry
    
    Select an interface
    for link-local address:
    fe80:2222:2222:2222:
    2222:2222:2222:2222
    Interface #1
    BACK    NEXT
  5. Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

Remove route entry

To remove a route entry:

  1. From the front panel menu, select System > System configuration > Network config > Set up routing > Remove route entry.

    The following screen is displayed:

    ►  1. 1. 1. 1/ 1
    3. 3. 3. 3/ 3
    1111:1111:1111:1111:
    1111:1111:1111:1111
    /128
    
    
    BACK    SELECT
  2. Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button.

  3. The selected route will be displayed. Press the right-hand navigation button to remove the route.

Enable IPv6 SLAAC

SLAAC can be enabled/disabled independently on each of the two interfaces.

To enable SLAAC:

  1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.

    The following screen is displayed:

    Network configuration
    Do you want to use a
    static address or
    SLAAC?
  2. Select SLAAC and press the right-hand navigation button.

  3. The IPv6 address config selected screen is displayed. Press the right-hand navigation button to accept.

  4. Select the required state and press the right-hand navigation button.

  5. The SLAAC configuration completed OK screen is displayed. Press the right-hand navigation button to accept.

Enabling SLAAC on the HSM’s network interface disables the use of static IPv6 addresses on this interface.

Configuring the Remote File System (RFS)

The RFS contains the master copy of the Security World data for backup purposes. The RFS can be a standalone machine, or it can also serve as a client. If the RFS also serves as a client, a common file structure serves both the RFS and the configuration files for the client.

See the User Guide for your HSM for more about the RFS and its contents.

The HSM must be able to connect to TCP port 9004 of the RFS. If necessary, modify the firewall configuration to allow this connection on either the RFS itself, or on a router between the RFS and the HSM, or both.

Obtain the following information about the HSM before you set up an RFS for the first time:

  • The IP address.

The following information can be obtained automatically (or manually):

  • The electronic serial number (ESN).

  • The hash of the KNETI key (HKNETI). The KNETI key authenticates the HSM to clients. It is generated when the HSM is first initialized from factory state.

If your network is secure and you know the IP address of the HSM, you can use the anonkneti utility to obtain the ESN and hash of the KNETI key.

Alternatively, you can find this information on the HSM startup screen. Use the touch wheel to scroll to the appropriate information.

When you have the necessary information, set up an RFS and HSM in the following order:

  1. Prepare the RFS by running the following command on that computer:

    rfs-setup <Unit IP> A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f

    In this command:

    • <Unit IP> is the IP address of the HSM.

    • A285-4F5A-7500 is the ESN of the HSM.

    • 2418ec85c86027eb2d5959fef35edc5e1b3b698f is the hash of the KNETI key (keyhash).

  2. On the HSM display screen, use the right-hand navigation button to select System > System configuration > Remote file system, and enter the IP address of the client computer on which you set up the RFS:

      Remote File System
    
    Enter IP address:
    
    
    
    CANCEL         CONTINUE
  3. The next screen asks for the port number on which the RFS is listening. Enter the port number and press the right-hand navigation button to continue:

      Remote File System
    
    Enter port number:
        9004
    
    CANCEL         CONTINUE
    Leave the port number at the default setting of 9004.
  4. Select the config push mode and press the right-hand navigation button to continue:

      Remote File System
    
    Set RFS config push
    mode to:
    
            AUTO
    
    CANCEL         CONTINUE

    Three options are available:

    • AUTO: The RFS is only allowed to push configuration files to the HSM if secure authentication is enabled. This is the default value.

    • ON: The RFS is allowed to push configuration files to the HSM.

    • OFF: The RFS is not allowed to push configuration files to the HSM.

  5. You must then choose whether to enable or disable secure authentication when setting up the RFS. The following screen is displayed:

      Remote File System
    
    Do you want secure
    authentication enabled
    on the RFS?
    
              YES
    CANCEL         CONTINUE
    • Select No and press the right-hand navigation button to configure the RFS without secure authentication. The authentication of the RFS will be based on the IP address only.

    • Select Yes and press the right-hand navigation button to configure the RFS with secure authentication.

  6. Skip this step if you have not selected secure authentication.

    If an nToken is installed in the RFS, you will be asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:

    >0DA8-A5AE-BA0D
     Software Key
    
    
    BACK       SELECT
    • The ESN of the nToken installed in the RFS.

    • "Software Key" for software-based authentication.

    If no nToken is installed in the RFS, then software-based authentication is automatically selected.

  7. Skip this step if you have not selected secure authentication.

    The next screen will ask you to verify that the key hash displayed by the HSM matches the RFS key hash:

    Remote 0DA8-A5AE-BA0D
    reported the key hash:
     9e0020264af732933574
     0cfe10446d33cea33f4a
    Is this EXACTLY right?
    
    CANCEL         CONFIRM

    The RFS key hash is obtained by running the commands described below. Take a copy of the returned key hash and compare it to the value reported on the HSM display.

    With software-based authentication

    Run the following command on the RFS:

    enquiry -m0

    This command returns the software key hash, tagged as kneti hash, as part of its output, for example:

    Server:
      enquiry reply flags   none
      enquiry reply level   Six
      ...
      kneti hash            d4c3d757a67416cb9ba31f33febd6ead688629e5
      ...

    With nToken authentication

    Run the following command on the RFS:

    ntokenenroll -H

    This command produces output of the form:

    nToken module #1
    nToken ESN:      0DA8-A5AE-BA0D
    nToken key hash: 9e0020264af732933574
                     0cfe10446d33cea33f4a

    Check that the ESN also matches the one reported on the HSM display.

    If the RFS key hash matches the one reported on the HSM display, press the right-hand navigation button to continue the RFS configuration. Otherwise press the left-hand navigation button to cancel the operation.

  8. The HSM displays "Transferring files..." followed by a message reporting that the RFS has been set up. Press the right-hand navigation button again to exit.

After you have defined the RFS, the HSM configuration files are exported automatically. See the User Guide for your HSM for more about configuration files.
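Step 7 above asks you to copy the key hash printed by enquiry or ntokenenroll on the RFS and compare it to the value shown on the HSM display, where both the ntokenenroll output and the HSM screen break the 40-digit hash across two lines. The following is an added example (not Entrust code and not part of this guide) that parses the two output formats shown above, joins the continuation lines, normalises whitespace and case, and compares the result with what was read off the front panel, also checking the nToken ESN. The tool outputs embedded in it are constructed samples that mirror the layouts shown on this page.

```python
import re

# Added example, not Entrust code. Both outputs below are constructed samples
# in the layout this guide shows for `enquiry -m0` and `ntokenenroll -H`.
ENQUIRY_OUTPUT = """Server:
  enquiry reply flags   none
  enquiry reply level   Six
  ...
  kneti hash            d4c3d757a67416cb9ba31f33febd6ead688629e5
  ...
"""

NTOKENENROLL_OUTPUT = """nToken module #1
nToken ESN:      0DA8-A5AE-BA0D
nToken key hash: 9e0020264af732933574
                 0cfe10446d33cea33f4a
"""

HEX_RUN = re.compile(r"^[0-9a-fA-F]+$")

def parse_enquiry_kneti(output):
    """Return the 'kneti hash' value from enquiry output, lower-cased."""
    match = re.search(r"^\s*kneti hash\s+([0-9a-fA-F]+)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no 'kneti hash' line in enquiry output")
    return match.group(1).lower()

def parse_ntokenenroll(output):
    """Return (esn, key_hash) from ntokenenroll -H output, joining the hash
    continuation lines that the tool prints under 'nToken key hash:'."""
    esn = re.search(r"^nToken ESN:\s+(\S+)", output, re.MULTILINE)
    if not esn:
        raise ValueError("no 'nToken ESN' line in ntokenenroll output")
    lines = output.splitlines()
    parts = []
    for index, line in enumerate(lines):
        if line.startswith("nToken key hash:"):
            parts.append(line.split(":", 1)[1].strip())
            # Following lines made only of hex digits are the rest of the hash.
            for continuation in lines[index + 1:]:
                continuation = continuation.strip()
                if HEX_RUN.match(continuation):
                    parts.append(continuation)
                else:
                    break
            break
    if not parts:
        raise ValueError("no 'nToken key hash' line in ntokenenroll output")
    return esn.group(1), "".join(parts).lower()

def normalize_hash(text):
    """Collapse a hash as read from the HSM display (possibly split over two
    lines, with spaces) into 40 lower-case hex digits, as in this guide."""
    digest = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digest):
        raise ValueError("KNETI hash must be exactly 40 hex digits")
    return digest

def verify_rfs_key_hash(display_hash, tool_output, display_esn=None):
    """True only if the hash shown on the HSM matches what the RFS tool
    printed and, for nToken authentication, the ESN matches as well."""
    if "nToken key hash:" in tool_output:
        esn, reported = parse_ntokenenroll(tool_output)
        if display_esn is not None and esn != display_esn:
            return False
    else:
        reported = parse_enquiry_kneti(tool_output)
    return normalize_hash(display_hash) == reported

if __name__ == "__main__":
    shown = "9e0020264af732933574\n0cfe10446d33cea33f4a"
    print(verify_rfs_key_hash(shown, NTOKENENROLL_OUTPUT, "0DA8-A5AE-BA0D"))
```

Requiring the display value to normalise to exactly 40 hex digits catches the common copying mistake of taking only the first of the two lines, and the ESN check guards against confirming the hash of a different nToken than the one the HSM reports.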

To modify the RFS at a later date, select System > System configuration > Remote file system, and then select the required action.

Systems configured for Remote Administration

Before using Remote Administration or configuring NTP, enable config push on the HSM for the RFS or client computer you intend to use for configuration. The RFS config push is preferred unless the config push client is not actually the same machine as the RFS. The RFS config push is recommended at least when securely bootstrapping the configuration of the system from the HSM front panel.

Enabling config push from the RFS

On the HSM display, use the right-hand navigation button to select System > System configuration > Remote File System, and follow the steps described in Configuring the Remote File System (RFS). To enable config push from the RFS, set the push mode to AUTO with RFS secure authentication enabled (recommended), or to ON.

The RFS config push supports specifying secure authentication from the HSM front panel, whereas the client config push only supports specifying authentication either from the HSM Serial Console push command, or from the config file itself.

Enabling config push from a client computer

To enable config push from a client computer, on the HSM display, use the right-hand navigation button to select System > System configuration > Config file options > Client config push > Config push mode, set ON or OFF, then select CONFIRM. A confirmation message will be displayed.

After enabling config push, specify the IP address of the client to push the configuration from. On the HSM display, use the right-hand navigation button to select System > System configuration > Config file options > Client config push > Client address. Enter the IP address and select CONFIRM. A message is displayed confirming your chosen IP address. Select CONTINUE.

If no IP address, or the 0.0.0.0 address, is specified, any remote computer is allowed to push configuration files. Restrict the address to the intended client: this front-panel option has no key hash to authenticate the pushing computer (that is only available through the Serial Console push command or the configuration file), so the IP address is the only control on who can rewrite the HSM configuration.

After enabling config push, complete the configuration steps by editing the configuration files, rather than by using HSM front panel. See the User Guide for your HSM for more about configuration files.

Basic configuration of the client to use the HSM

Client configuration utilities

Entrust provides the following utilities for client configuration:

Utility Description

nethsmenroll

Used to configure the client to communicate with the HSM.

config-serverstartup

Used to configure the hardserver of the client to enable TCP sockets.

nethsmenroll

The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified HSM. If the HSM’s ESN and HKNETI are not specified, nethsmenroll attempts to contact the HSM to determine what they are, and requests confirmation.

Usage:

nethsmenroll [Options] --privileged <hsm-ip> <hsm-esn> <hsm-kneti-hash>

Options:

-m|--module=MODULE

Specifies the local module number that should be used (default is 0 for dynamic configuration by hardserver).

-p|--privileged

Makes the hardserver request a privileged connection to the HSM (default unprivileged).

<hsm-ip>

The IP address of the HSM, which could be one of the following:

  • an IPv4 address

  • an IPv6 address, including a link-local IPv6 address

  • a hostname

-r|--remove

Removes the configuration of the specified HSM.

-f|--force

Forces reconfiguration of an HSM already known.

--no-hkneti-confirmation

Does not request confirmation when automatically determining the HSM’s ESN and HKNETI.

This option is potentially insecure and should only be used on secure networks where there is no possibility of a man-in-the-middle attack. For guidance on network security, see the nShield Security Manual.

-V|--verify-nethsm-details

When the ESN and HKNETI have been provided on the command line, verifies that the selected HSM is online, reachable and matches those details.

-P|--port=PORT

Specifies the port to use when connecting to the given HSM (default 9004).

-n|--ntoken-esn=ESN

Specifies the ESN of the nToken to be used to authenticate this client. If the option is omitted, then software authentication will be used instead.

config-serverstartup

The config-serverstartup command-line utility automatically edits the [server_startup] section in the local hardserver configuration file in order to enable TCP ports for Java and KeySafe. Any fields for which values are not specified remain unchanged. After making any changes you are prompted to restart the hardserver.

Run config-serverstartup using the following commands:

config-serverstartup [OPTIONS]

For more information about the options available to use with config-serverstartup, run the command:

config-serverstartup --help

Configuring a client to communicate through an nToken

You can configure a client to use its nToken to communicate with an HSM, if it has one installed. When this happens, the HSM:

  • Examines the IP address of the client.

  • Requires the client to identify itself using a signing key.

If an nToken is installed in a client, it can be used to both generate and protect a key that is then used for the impath communication between the HSM and the client. A strongly protected key is used at both ends of the impath as a result.

Enrolling the client from the command line

Complete the following steps to initially configure a client computer to communicate with and use an HSM. See Basic HSM, RFS and client configuration for more about the available options.

Do the following:

  1. On the client, open a command line window, and run the command:

    nethsmenroll --help
  2. Retrieve the ESN and HKNETI of the HSM:

    anonkneti <ip-address>

    If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the HSM to determine what they are, and requests confirmation. Whether they come from anonkneti or from nethsmenroll itself, these values were learned over the network: before confirming, compare them with the ESN and KNETI hash reported by the HSM itself, on its front panel or from the Serial Console esn and kneti commands, because an attacker in the network path could substitute its own.

  3. Do one of the following:

    If you are enrolling a client with an nToken installed, run the command:

    nethsmenroll --ntoken-esn <nToken ESN> [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

    If you are enrolling a client without an nToken installed, run the command:

    nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>

    The following is an example of the output:

    OK configuring hardserver's nethsm imports.

Configure the TCP sockets on the client for Java applications

To configure the TCP sockets on the client for Java applications (for example, KeySafe):

  1. Run the command:

    config-serverstartup --enable-tcp --enable-privileged-tcp
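The enrolment and TCP socket steps above, as an added shell example that is not from this guide or from Entrust. It validates the ESN and KNETI hash before calling nethsmenroll, uses --verify-nethsm-details rather than --no-hkneti-confirmation, and then runs the config-serverstartup and hardserver restart steps that follow in this section. The /opt/nfast install path, the NFAST_BIN and ENROLL_PRIVILEGED variables, the function names and the 10.0.0.5 address are assumptions; the ESN and hash values are the ones shown in the Serial Console example later on this page.

```shell
#!/bin/sh
# Added example, not Entrust's code: pre-flight checks for enrolling a client
# with nethsmenroll. The HSM's ESN and KNETI hash are passed in from an
# out-of-band source (the HSM front panel, or the Serial Console esn/kneti
# commands) rather than trusted from anonkneti, and the enrolment is run with
# --verify-nethsm-details so nethsmenroll confirms the HSM at that address
# really has those details. Assumes the Linux install path /opt/nfast and
# that nethsmenroll accepts the options documented in this guide.
NFAST_BIN="${NFAST_BIN:-/opt/nfast/bin}"

# An nShield ESN is three dash-separated groups of four upper-case hex digits,
# for example 6B1D-03CE-2F9A.
valid_esn() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$'
}

# A KNETI hash is 40 hex digits.
valid_kneti() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{40}$'
}

# build_enroll_cmd HSM_IP HSM_ESN HSM_KNETI [NTOKEN_ESN]
# Prints the nethsmenroll command line; returns 1 without printing anything if
# an identifier is malformed (a typo here would otherwise surface only as a
# confusing failure to reach the HSM). Set ENROLL_PRIVILEGED=1 to request a
# privileged connection, which is only needed for administrative tasks.
build_enroll_cmd() {
    ip=$1; esn=$2; kneti=$3; ntoken=${4:-}
    valid_esn "$esn"     || { echo "malformed HSM ESN: $esn" >&2; return 1; }
    valid_kneti "$kneti" || { echo "malformed KNETI hash: $kneti" >&2; return 1; }
    cmd="$NFAST_BIN/nethsmenroll --verify-nethsm-details"
    if [ "${ENROLL_PRIVILEGED:-0}" = 1 ]; then
        cmd="$cmd --privileged"
    fi
    if [ -n "$ntoken" ]; then
        valid_esn "$ntoken" || { echo "malformed nToken ESN: $ntoken" >&2; return 1; }
        cmd="$cmd --ntoken-esn $ntoken"
    fi
    printf '%s %s %s %s\n' "$cmd" "$ip" "$esn" "$kneti"
}

# enroll_client: run the enrolment, then enable the TCP sockets for Java/KeySafe
# and restart the hardserver so the new configuration takes effect.
enroll_client() {
    cmd=$(build_enroll_cmd "$@") || return 1
    echo "+ $cmd"
    $cmd || return 1
    "$NFAST_BIN/config-serverstartup" --enable-tcp --enable-privileged-tcp
    /opt/nfast/sbin/init.d-ncipher restart
}

# Example invocation (10.0.0.5 is an assumed address; ESN and hash are the
# values from the Serial Console example in this guide):
#   sh enroll_client.sh 10.0.0.5 6B1D-03CE-2F9A 56304e3f752cd13d219fa47ad27d56bb6a6642aa
if [ "$#" -ge 3 ]; then
    enroll_client "$@"
fi
```

Only build_enroll_cmd is pure; enroll_client actually touches the hardserver, so run the script with arguments only on the client you intend to enrol.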

Basic configuration of an HSM to use a client

Do the following:

  1. On the HSM front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.

    The following screen is displayed:

    Client configuration
    
    Please enter your
    client IP address:
    
    
    
    CANCEL          NEXT

    Enter the IP address of the client, and press the right-hand navigation button.

  2. Use the touch wheel to confirm whether you want to save the IP or not, and press the right-hand navigation button.

    Client configuration
    
    Do you want to save
    the IP in the config?
    (No for dynamic client
    IPs)
              No
    BACK            NEXT
  3. Use the touch wheel to select the connection type between the HSM and the client.

    Client configuration
    
    Please choose the
    client permissions
    
        Unprivileged
    
    BACK            NEXT

    The following options are available:

    Option Description

    Unprivileged

    Privileged connections are never allowed.

    Priv. on low ports

    Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Linux.

    Priv. on any ports

    Privileged connections are allowed on all ports.

    A privileged connection is required to administer the HSM, for example to initialize a Security World. If privileged connections are allowed, the client can issue commands (such as clearing the HSM) which interfere with the normal operation of the HSM. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
  4. When you have selected a connection option, press the right-hand navigation button.

    The following screen is displayed:

    Client configuration
    
    Do you want secure
    authentication enabled
    on this client?
    
             Yes
    BACK             NEXT
    1. Select No and press the right-hand navigation button to configure the client without secure authentication. The authentication of the client will be based on the IP address only.

    2. Select Yes and press the right-hand navigation button to configure the client with secure authentication.

  5. The next screen asks for the port on which the client's hardserver is listening. Enter the port number (the default is 9004), and press the right-hand navigation button:

    Client configuration
    
    On what port is the
    client listening?
    
            9004
    
    CANCEL           NEXT
  6. Skip this step if you have not selected secure authentication.

    If an nToken is installed in the client, you will be asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:

    >3138-147F-2D64
     Software Key
    
    
    BACK       SELECT
    1. The ESN of the nToken installed in the client.

    2. "Software Key" for software-based authentication.

    If no nToken is installed in the client, then software-based authentication is automatically selected.

    Software-based authentication is only supported from version 12.60.
  7. Skip this step if you have not selected secure authentication.

    The next screen will ask you to verify that the key hash displayed by the HSM matches the client key hash:

    Remote 3138-147F-2D64
    reported the key hash:
     691be427bb125f387686
     38a18bfd2eab75623320
    Is this EXACTLY right?
    
    CANCEL         CONFIRM

    The client key hash is obtained by running the commands described below. Take a copy of the returned key hash and compare it to the value reported on the HSM display.

    With software-based authentication

    Run the following command on the client:

    enquiry -m0

    This command returns the software key hash, tagged as kneti hash, as part of its output, for example:

    Server:
      enquiry reply flags   none
      enquiry reply level   Six
      ...
      kneti hash            f8222fc007be38b78ebf442697e244dabded38a8
      ...
    With nToken authentication

    Run the following command on the client:

    ntokenenroll -H

    This command produces output of the form:

    nToken module #1
    nToken ESN:      3138-147F-2D64
    nToken key hash: 691be427bb125f387686
                     38a18bfd2eab75623320

    Check that the ESN also matches the one reported on the HSM display.

    If the client key hash matches the one reported on the HSM display, press the right-hand navigation button (CONFIRM) to continue the client configuration. Otherwise press the left-hand navigation button (CANCEL) to cancel the operation: a mismatch means the key the HSM saw at that IP address is not the one held by your client, so do not confirm it.

  8. The HSM displays a message reporting that the client has been configured. Press the right-hand navigation button again.

See the User Guide for your HSM for more about modifying or deleting an existing client, configuring multiple clients, client licenses, pushing configuration files to the HSM, and advanced configuration options.

Restarting the hardserver

To apply any configuration changes you have made, you must restart the hardserver (also called the nfast server).

  1. Do one of the following to stop and restart the hardserver, according to your operating system:

    1. Windows:

      net stop "nfast server"
      net start "nfast server"
    2. Linux:

      /opt/nfast/sbin/init.d-ncipher restart

Zero touch configuration of an HSM

On a serial-enabled HSM (see Model numbers in Prerequisites and product information) you can configure the HSM and set up the RFS by using the HSM Serial Console rather than the front panel. See the User Guide for your HSM for more information on the Serial Console.

Once the HSM’s power, Ethernet and serial cables have been connected, the following steps let you complete the configuration without any further use of the front panel (zero touch configuration):

Configuring the network interfaces via the Serial Console

  1. Log in to the HSM Serial Console (see the User Guide for your HSM).

  2. Configure networking on Ethernet Interface #1:

    1. Set the IP address and netmask of the interface, replacing the 0.0.0.0 placeholders with the values required for your network:

      (cli) netcfg iface=0 addr=0.0.0.0 netmask=0.0.0.0
    2. Set the IP address of the gateway for the HSM, again replacing the 0.0.0.0 placeholder:

      (cli) gateway 0.0.0.0

      If your network environment requires you to configure static routes you may also use the HSM Serial Console to configure static routes for the HSM at this stage.

Allowing configuration files to be pushed to the HSM via the Serial Console

To allow the Remote File System (RFS) to push configuration files to the HSM, configure the RFS using the rfsaddr command. To allow other remote computers to push configuration files to the HSM, use the push command.

Configuring the Remote File System (RFS) via the Serial Console

  1. Log in to the HSM Serial Console (see Creating a serial console session in the User Guide for your HSM), and run the following commands to obtain the HSM ESN and KNETI hash, for example:

    (cli) esn
    ESN: 6B1D-03CE-2F9A
    (cli) kneti
    Kneti hash: 56304e3f752cd13d219fa47ad27d56bb6a6642aa
  2. Run the rfs-setup command on the RFS with the IP address of the HSM and the values previously returned by the esn and kneti commands:

    rfs-setup <Unit IP address> <ESN> <KNETI hash>

    For information on running rfs-setup, see Configuring the Remote File System (RFS).

  3. In the HSM Serial Console, configure the RFS using the rfsaddr command.

    (cli) rfsaddr address[:port] [keyhash [esn]] [push]

    In this command:

    • address is the RFS IP address.

    • port is the RFS port number (default is 9004).

    • keyhash is the RFS KNETI hash (default is 40 zeroes).

    • esn is the RFS nToken ESN (default is "", i.e. no ESN).

    • push specifies if the RFS can push configuration files to the HSM:

      • ON: The RFS is allowed to push configuration files.

      • OFF: The RFS is not allowed to push configuration files.

      • AUTO: The RFS is allowed to push configuration files if RFS secure authentication is enabled. This is the default option.

    The keyhash and esn are optional, and can be used to enable the RFS secure authentication:

    1. No RFS secure authentication (not recommended): The keyhash and esn parameters are not specified.

    2. RFS software-based authentication: Only the keyhash parameter is specified. The RFS software KNETI hash is obtained by running the enquiry -m0 command on the RFS. The value is tagged as kneti hash in the command output.

    3. RFS nToken authentication: The keyhash and esn parameters are specified. The RFS nToken KNETI hash and ESN are obtained by running the ntokenenroll -H command on the RFS.
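The key-hash comparison in step 7 of the client configuration above and the keyhash and esn parameters of rfsaddr here both depend on the same two pieces of tool output, so one added shell example (not Entrust's code and not from this guide) serves both. It extracts the KNETI hash from enquiry -m0 output, or the hash and ESN from ntokenenroll -H output, checks a hash copied from the HSM display (which is wrapped over two lines) against the local value, and composes the rfsaddr line for software-based or nToken authentication. The function names, the idea of piping tool output into the script, and the two sample outputs are assumptions, the samples being constructed from the formats shown on this page; the hash and ESN values are those shown on this page.

```shell
#!/bin/sh
# Added example, not Entrust's code. It reads the output that `enquiry -m0` or
# `ntokenenroll -H` produced on the RFS (or on a client being enrolled), pulls
# out the KNETI hash and, for an nToken, the ESN, checks that hash against the
# one shown on the HSM front panel, and composes the Serial Console rfsaddr
# command for RFS secure authentication. The two samples are constructed from
# the output formats shown in this guide, not captured from real hardware.

SAMPLE_ENQUIRY='Server:
  enquiry reply flags   none
  enquiry reply level   Six
  kneti hash            f8222fc007be38b78ebf442697e244dabded38a8'

SAMPLE_NTOKEN='nToken module #1
nToken ESN:      3138-147F-2D64
nToken key hash: 691be427bb125f387686
                 38a18bfd2eab75623320'

# Lower-case a hash and strip all whitespace, so the two 20-digit lines the
# HSM display (and ntokenenroll) use compare equal to the single-line form.
normalize_hash() {
    printf '%s' "$1" | tr -d ' \t\n\r' | tr 'A-F' 'a-f'
}

# Software key: the "kneti hash" line of the Server section of `enquiry -m0`.
kneti_from_enquiry() {
    printf '%s\n' "$1" | awk '$1 == "kneti" && $2 == "hash" { print $3; exit }'
}

# nToken: `ntokenenroll -H` wraps the hash over two lines; join the halves.
kneti_from_ntokenenroll() {
    printf '%s\n' "$1" | awk '
        /^nToken key hash:/ { h = $4; if (length(h) < 40) { getline; h = h $1 } }
        END { print h }'
}

esn_from_ntokenenroll() {
    printf '%s\n' "$1" | awk '/^nToken ESN:/ { print $3; exit }'
}

# hash_matches_display DISPLAYED LOCAL
# Succeeds only if the hash copied from the HSM display is a complete 40-digit
# value identical to the one obtained locally. Anything else (a truncated copy,
# a single wrong digit) fails, which is the CANCEL case of the front-panel step.
hash_matches_display() {
    shown=$(normalize_hash "$1")
    local_hash=$(normalize_hash "$2")
    [ "${#shown}" -eq 40 ] && [ "$shown" = "$local_hash" ]
}

# rfsaddr_cmd RFS_IP KEYHASH [ESN]
# Without an ESN this is software-based RFS authentication; with one it is
# nToken authentication. Port and push are left at their defaults (9004, AUTO),
# so config push is enabled because secure authentication is configured.
rfsaddr_cmd() {
    h=$(normalize_hash "$2")
    [ "${#h}" -eq 40 ] || { echo "keyhash must be 40 hex digits" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        printf 'rfsaddr %s %s %s\n' "$1" "$h" "$3"
    else
        printf 'rfsaddr %s %s\n' "$1" "$h"
    fi
}

# Pipe the real tool output in to get the line to type at the (cli) prompt:
#   ntokenenroll -H | sh rfs_kneti.sh <RFS IP>      (nToken authentication)
#   enquiry -m0     | sh rfs_kneti.sh <RFS IP>      (software authentication)
if [ "$#" -eq 1 ]; then
    input=$(cat)
    if printf '%s\n' "$input" | grep -q '^nToken key hash:'; then
        rfsaddr_cmd "$1" "$(kneti_from_ntokenenroll "$input")" "$(esn_from_ntokenenroll "$input")"
    else
        rfsaddr_cmd "$1" "$(kneti_from_enquiry "$input")"
    fi
fi
```

The comparison deliberately insists on all 40 digits: confirming a hash after checking only the first line of the display would defeat the purpose of secure authentication.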

Allowing configuration files to be pushed to the HSM from a remote computer via the Serial Console

In addition to the RFS, the push serial command can be used to allow a remote computer to push configuration files.

(cli) push ON [address] [keyhash]

In this command:

  • address is the remote computer IP address. It defaults to 0.0.0.0 which allows any address to push. It is not recommended to leave the IP address unrestricted, unless keyhash is specified for authentication.

  • keyhash is the hash of the key with which the authorized client is to authenticate itself (defaults to no key authentication required).

Enabling the push feature allows remote computers to change the HSM configuration file and make configuration changes that are normally only available through the HSM secure user interface.

After you enable the HSM for zero touch configuration, everything that can be configured using the front panel can be configured remotely using one of the following methods:

  • The HSM Serial Console.

  • The cfg-pushnethsm utility to push an updated configuration file to the HSM. From the configuration file you can configure the RFS, add clients, or change the network configuration.

  • The nethsmadmin utility (see the User Guide for your HSM).

Checking the installation

To check that the module is installed and configured correctly on the client:

  1. Log in as a user and open a command window.

  2. Run the command:

    enquiry

    For an example of the output of a successful enquiry command, see Enquiry utility.

    If you are configuring a client belonging to an HSM, the response to the enquiry command should be populated and the hardware status shown as OK.

    If the mode is operational the HSM has been installed correctly.

    If the mode is initialization, the HSM has been installed correctly, but you must change the mode to operational.

    If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.
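An added shell example, not Entrust's code, of automating the check above so that it can run after every client build: it reads enquiry output and reports whether a module is operational with hardware status OK, still in initialization, or absent. The three samples are constructed from the field names this page refers to ("mode", "hardware status"); the exact spacing and the other fields of real enquiry output may differ, which is why the parser keys only on a section header and a field label. Function names and the sample texts are assumptions.

```shell
#!/bin/sh
# Added example, not Entrust's code: a post-install check that reads `enquiry`
# output and reports whether a module is usable. The samples are constructed
# from the field names this guide refers to ("mode", "hardware status"); real
# enquiry output has more fields and may be spaced differently.

ENQ_OK='Server:
 enquiry reply flags  none
 mode                 operational
 hardware status      OK
Module #1:
 enquiry reply flags  none
 serial number        6B1D-03CE-2F9A
 mode                 operational
 hardware status      OK'

ENQ_INIT='Server:
 mode                 operational
 hardware status      OK
Module #1:
 serial number        6B1D-03CE-2F9A
 mode                 initialization
 hardware status      OK'

# enquiry_field TEXT SECTION FIELD: value of FIELD inside SECTION, e.g.
#   enquiry_field "$ENQ_OK" "Module #1" "hardware status"   -> OK
# Section headers start in column 1; fields are indented "label   value" lines.
enquiry_field() {
    printf '%s\n' "$1" | awk -v sec="$2:" -v fld="$3" '
        /^[^ \t]/ { cur = $0; next }
        cur == sec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, fld " ") == 1) {
                sub("^" fld "[ \t]+", "", line); print line; exit
            }
        }'
}

# check_module TEXT N: prints a one-line verdict and returns
#   0  module N is operational with hardware status OK
#   1  module N is present but not usable yet (e.g. still in initialization)
#   2  module N does not appear in the output at all
check_module() {
    sec="Module #$2"
    if ! printf '%s\n' "$1" | grep -q "^$sec:"; then
        echo "module $2 not found: restart the computer and re-run enquiry"
        return 2
    fi
    hw=$(enquiry_field "$1" "$sec" "hardware status")
    mode=$(enquiry_field "$1" "$sec" "mode")
    if [ "$hw" != "OK" ]; then
        echo "module $2 hardware status is '$hw', not OK"
        return 1
    fi
    case "$mode" in
        operational)    echo "module $2 operational"; return 0 ;;
        initialization) echo "module $2 in initialization: change the mode to operational"; return 1 ;;
        *)              echo "module $2 in unexpected mode '$mode'"; return 1 ;;
    esac
}

# On a real client:  check_module "$(enquiry)" 1
# Run without arguments, the script demonstrates the three outcomes on the samples.
if [ "$#" -eq 0 ]; then
    check_module "$ENQ_OK" 1
    check_module "$ENQ_INIT" 1 || true
    check_module "$ENQ_OK" 2 || true
fi
```

The distinct return codes let a provisioning script treat "not found" (retry after a restart, as the step above says) differently from "in initialization" (a mode change is needed, not a reinstall).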

Using a Security World

You can update the Security World on the host using:

  • The nShield HSM front panel controls

  • The command-line utilities

  • The Cryptographic Service Provider wizard

  • KeySafe.

You can also use these tools to create keys or cards. If you perform such tasks on a client other than the computer on which the RFS is installed, you must transfer the updated files to the RFS before they are available to the HSM.

For more about using Security Worlds, refer to nShield Security World v13.6.3 Management Guide.