Install the Security World software

This chapter describes how to install the Security World Software on the computer, client, or RFS associated with your nShield HSM.

After you have installed the software, you must complete further Security World creation, configuration and setup tasks before you can use your nShield environment to protect and manage your keys.

Installing the Security World Software on Windows

For information about configuring silent installations and uninstallations on Windows, see Using silent installations.

For a regular installation:

(nShield 5s only) Installing Security World software on Windows via Remote Desktop Connection can result in a brief loss of RDP connection. If this happens, it will happen during the Status: part of the installation, towards the end. When the session reconnects, the installation carries on until completion.

If the Found New Hardware Wizard appears and prompts you to install drivers, cancel this notification, and continue to install the Security World Software as normal. Drivers are installed during the installation of the Security World Software.

Place the Security World Software installation media in the optical disc drive.
Launch setup.msi manually when prompted.
Follow the onscreen instructions.
Accept the license terms and select Next to continue.
Specify the installation directory and select Next to continue.
Select all the components required for installation.

By default, all components are selected. Use the drop-down menu to deselect the components that you do not want to install. nShield Hardware Support and Core Tools are necessary to install the Security World Software.

See Software packages on the installation media for more about the component bundles and the additional software supplied on your installation media.
Select Install.
The selected components are installed in the installation directory chosen above. The installer creates links to the following nShield Cryptographic Service Provider (CSP) setup wizards as well as remote management tools under Start > Entrust or Entrust nShield Security World (depending on the version of Windows or Windows Server you are running):
- If nShield CSPs (CAPI, CNG) was selected: 32bit CSP install wizard, which sets up CSPs for 32-bit applications
- If nShield CSPs (CAPI, CNG) was selected: 64bit CSP install wizard, which sets up CSPs for 64-bit applications
- If nShield CSPs (CAPI, CNG) was selected: CNG configuration wizard, which sets up the CNG providers
- If nShield Java was selected: KeySafe, which runs the key management application
- If nShield Remote Administration Client Tools was selected: Remote Administration Client, which runs the remote administration client
If selected, the SNMP agent will be installed, but will not be added to the Services area in Control Panel > Administrative Tools of the target Windows machine. If you wish to install the SNMP agent as a service, consult the nShield SNMP Monitor v13.6.5 Install and User guide.

(PCIe HSMs only) Do not run any CSP installation wizard before installing the module hardware.
Select Finish to complete the installation.
The following global variables are set upon install:
- %NFAST_CERTDIR%
- %NFAST_HOME%
- %NFAST_KMDATA%
- %NFAST_LOGDIR%
- %NFAST_SERVICES_HOME% (nShield 5s only)
Add C:\Program Files\nCipher\nfast\bin to the Windows system path.
(nShield 5s only) If you are using an nShield 5s, complete the additional steps for nShield 5s.
(PCIe HSMs only) If you are using a PCIe HSM, you might need to update the power saving settings:
1. In Windows Device Manager > Security Accelerator (nShield Solo) or Windows Device Manager > Network adapters (nShield 5s), select the appropriate module.
2. Under Properties > Power Management, deselect Allow the computer to turn off this device to save power.

Additional steps for nShield 5s

Stop the nFast Server service.
The nShield installer creates and enables an inbound rule called nShield 5s mDNS to allow UDP port 5353 for any program. This enables the discovery of nShield 5s modules. If enrollment fails to find any modules in the following step, check that this firewall rule is present and enabled; if it does not exist, create it manually and retry enrollment.

Set up the secure communication channels between the host PC and the HSM:

"%NFAST_HOME%\bin\hsmadmin" enroll

The HSM must be in factory state or else the registered sshadmin key must be in place otherwise this command will fail. If you have a backup of your sshadmin key, you can restore it using hsmadmin keys restore. If this is not a first-time installation of this HSM, and the sshadmin key trusted by this HSM is no longer available, enter recovery mode and then retry enrollment.

From firmware versions 13.5 onwards, the secure communication channels between the host PC and the HSM are protected by internally generated certificates. The hsmadmin enroll command automatically validates certificates as part of the enrollment process and produces a warning if it fails to find a certificate for any service. This warning is expected if the HSM:

is in recovery mode
is running a firmware version prior to 13.5
has been upgraded to a firmware version of 13.5 or later but has not performed a factory state operation since the upgrade.

If you receive this warning in any other circumstance you should contact Entrust support.

Start the nFast Server service.
If Remote Administration is installed, also start the nFast Remote Administration service.
Entrust recommends that you take a backup of your sshadmin key with hsmadmin keys backup path\to\backup_key for backups that will be restored to the same machine. Note that this key will not be usable on another machine or if the OS is re-installed as it has protections tied to the local machine. For backups that may be restored to a different machine or re-installed OS, use hsmadmin keys backup --passphrase path\to\backup_key to protect the key with a user-supplied passphrase. Replace path\to\backup_key with the actual path to where the backup key should be written in the example commands above.

Install the Security World software on Linux

Sign in as a user with root privileges.
Mount the DVD/ISO image.
Open a terminal window, and change to the root directory.

Extract the required files if you are using .tar or install the rpm packages if you are using the rpm utility.

<disc-name>	Name of the mount point of the installation media
<ver>	Architecture of the operating system, for example, `i386` or `amd64`
<file.tar>	Name of the `.tar.gz` file for the component
<file.rpm>	Name of the `.rpm` file for the component

From .tar

Install all the software bundles by running tar:

tar -xf <disc-name>/linux/<ver>/<file>.tar.gz

From .rpm

Import the public key in <disc-name>/linux-rpms/<ver>/pubkey.asc into rpm:
```
rpm --import disc-name/linux-rpms/<ver>/pubkey.asc
```

Verify that the .rpm files are signed by Entrust:

rpm --checksig <disc-name>/linux-rpms/<ver>/<file>.rpm

Install all the software bundles by running rpm.

If a subset of the packages is already installed and you have to install more packages, uninstall the installed packages, then install all the .rpm packages that you need from fresh. See Uninstalling Security World Software for more information.

You must install the hwsp package first. If you have to re-install hwsp, uninstall it last, then re-install it first.
```
rpm -i disc-name/linux-rpms/<ver>/<file>.rpm
```

To use an nShield module with your Linux system, you must build a kernel driver. Entrust supplies the source to the NFP and a makefile for building the driver as a loadable module.

The kernel level driver is installed as part of the hwsp bundle. To build the driver with the supplied makefile, you must have the correct headers installed for the kernel that you are running. They must be headers for the same version of the kernel and must contain the kernel configuration options with which your kernel was built. You must also have appropriate versions of gcc, make, and your C library’s development package.

The configuration script looks for the kernel headers in the default directory /lib/modules/'<uname -r>'/build/include/. If your kernel headers are located in a different directory, set the KERNEL_HEADERS environment variable so that they are in $KERNEL_HEADERS/include/. Historically, the headers have resided in /usr/src/linux/include/. If the headers for your kernel are not already installed, install them from your Linux distribution disc, or contact your kernel supplier.

Build the driver as a loadable kernel module. When you have ensured the correct headers are in place, perform the following steps to use the makefile:
1. (PCIe HSMs only) Change directory to the nShield PCI driver directory by running the command:
  nShield Solo or Solo XC
  
  # cd /opt/nfast/driver/
  
  nShield 5s
  
  # cd /opt/nfast/driver-nshield5
2. (nShield Solo and Solo XC only) Configure the source by running the command:
  ./configure
3. Make the driver by running the command:
  # make
  This produces a driver file that is automatically loaded as part of the normal installation process.
Run the install script by using the following command:
```
/opt/nfast/sbin/install
```
(nShield 5s only) The install script will automatically run the hsmadmin enroll command. From firmware versions 13.5 onwards the secure communication channels between the host PC and the HSM are protected by internally generated certificates. The hsmadmin enroll command automatically validates certificates as part of the enrollment process and produces a warning if it fails to find a certificate for any service. This warning is expected if the HSM:
- is in recovery mode
- is running a firmware version prior to 13.5
- has been upgraded to a firmware version of 13.5 or later but has not performed a factory state operation since the upgrade.
  
  If you receive this warning in any other circumstance you should contact Entrust support.
Sign in to your normal account.

Add /opt/nfast/bin to your PATH system variable:

Bourne shell

PATH=/opt/nfast/bin:$PATH
export PATH

C shell

setenv PATH /opt/nfast/bin:$PATH

(nShield 5s only) Entrust recommends that you take a backup of your sshadmin key.

For example, you could use hsmadmin keys backup /root/.ssh/id_nshield5_sshadmin for backups that will be restored to the same machine. If the path /root/.ssh/id_nshield5_sshadmin is used, and the sshadmin key is missing from the usual installed location under /opt/nfast, then that key will be used automatically when running the nShield install script.

Note that this key will not be usable on another machine or if the OS is re-installed as it has protections tied to the local machine. For backups that may be restored to a different machine or re-installed OS, use hsmadmin keys backup --passphrase /path/to/backup_key to protect the key with a user-supplied passphrase (replacing /path/to/backup_key with the actual path to where the backup key should be written).

After installing the software

After you have successfully installed the Security World Software, complete the following steps to finish preparing your HSM for use:

Ensure that your public firewall is set up correctly.
See Before you install the software.
nShield 5s: If the SSH keys have not been set up, create the communication path between the host machine and the HSM, as described in Set up communication between host and module (nShield 5s HSMs).

If you followed all the steps in the installation instructions when installing the software, this should already be set up.
Network-attached HSMs: Perform the necessary basic HSM-client configuration tasks, as described in Basic HSM and remote file system (RFS) configuration.
PCIe and USB HSMs: If necessary, perform additional software and HSM configuration tasks, as described in Client software and module configuration: PCIe and USB HSMs:
- Set up client configuration, as described in Client cooperation
- Set nShield specific environment variables, as described in Setting environment variables.
- Configure logging and debugging parameters, as described in Logging and debugging
- Configure Audit Logging, as described in Configuring audit logging
- Configure Java support for KeySafe, as described in Configuring Java support for KeySafe
- Configure the hardserver, as described in Configuring the hardserver
Create and configure a Security World, as described in Create a new Security World.
Create an OCS, as described in Creating Operator Card Sets (OCSs).

Network-attached HSMs: Complete additional necessary HSM-client configuration tasks:

To configure the unit so that it works with the client machine, see Configuring the nShield HSM to use the client.

To configure client computers so that they work with the unit, see Configuring client computers to use the nShield HSM.

For this release, you must generate a new client configuration file to take advantage of new functionality. To generate a new client configuration file, back up your existing configuration file and run cfg-mkdefault. This generates a template for the configuration file into which you can copy the settings from your old configuration file.

To enable the TCP sockets for Java applications (including KeySafe), run the command:
```
config-serverstartup -sp
```
For more information, see Client configuration utilities.

When all additional HSM configuration tasks are completed, you can:
1. Stop and then restart the hardserver, as described in Stopping and restarting the hardserver.
2. Test the installation and configuration.