As an alternative to hand-editing a client’s hardserver configuration file, you can run nethsmenroll on a client to configure it to access an nShield HSM. For example:

  • Enroll an HSM, without needing to restart the hardserver

  • Unenroll an HSM (nethsmenroll -r), then restart the hardserver to update the information about the HSM estate

A network-attached HSM for this kind of configuration file editing can be either an nShield Connect or nShield 5c, or a remote hardserver that has been configured to export a local HSM. If the network-attached HSM’s ESN and HKNETI are not specified, attempts to contact the HSM to determine them and requests confirmation. ESN and HKNETI must be specified if the HSM is a remote hardserver with more than one HSM.

For more information, see:

Option Description

-f, --force

Forces reconfiguration of an already known HSM.

-n, --ntoken-esn=ESN

Specifies the ESN of the nToken to be used to authenticate this client. If the option is omitted, then software authentication will be used instead.


Does not request confirmation when automatically determining the nethsm’s ESN and HKNETI.

Only use this option on secure networks.

-p, --privileged

Causes the hardserver to request a privileged connection to the HSM.
Default: unprivileged.

-P, --port=PORT

Specifies the port to use when connecting to the HSM.
Default 9004.

-r, --remove

Deconfigures the HSM.

-V, --verify-nethsm-details

When the ESN and HKNETI have been provided on the command line, verifies that the HSM is alive, reachable and matches those details.

Option to address HSMs

-m, --module=MODULE

Specifies the number of the module whose hardserver configuration file to use.
If you only have one module, <MODULE> is 1.
Default: 0 for dynamic configuration by the hardserver.

Help options

-h, --help

Displays help for nethsmenroll.

-u, --usage

Displays a brief usage summary for nethsmenroll.

-v, --version

Displays the version number of the Security World Software that deploys nethsmenroll.