Before you install the software
This guide covers the following HSMs:
-
nShield Solo
-
nShield Solo XC
-
nShield 5s
-
nShield Connect
-
nShield 5c
-
nShield Edge
Before you install the Security World software:
-
(PCIe HSMs only) Install the module. See Install a PCIe HSM.
-
Uninstall any older versions of Security World Software. See Uninstalling Security World Software
-
If the nShield Remote Administration Client is installed on the machine, remove it. You will also have to re-install it after you installed the new Security World software version. See Remote Administration v13.6.5 User Guide.
-
Complete the preparatory tasks.
Preparatory tasks before installing software
Windows
Install Microsoft security updates
Make sure that you have installed the latest Microsoft security updates. Information about Microsoft security updates is available from http://www.microsoft.com/security/.
(PCIe HSMs only) Add %NFAST_HOME%\bin\ to the PATH environment variable
The default location for %NFAST_HOME%\bin\
is C:\Program Files\nCipher\nfast
.
Because of the space in Program Files
, nShield commands could fail if NFAST_HOME\bin\
is not in PATH
.
If you cannot change PATH
, you will have to enclose all file names and paths that use variable between double quotation marks (" ").
For example:
"%NFAST_HOME%\toolkits\pkcs11\cknfast.dll"
Linux
Install operating environment patches
Make sure that you have installed:
-
kernel packages like
gcc
,kernel-headers
,kernel-devel
-
the latest recommended patches for your environment in general
See the documentation supplied with your operating environment for information.
Users and groups
The installer automatically creates the following group and users if they do not exist. If you wish to create them manually, you should do so before running the installer.
Create the following, as required:
-
The
nfast
user in thenfast
group, using/opt/nfast
as the home directory.(USB HSMs only) The nfast
user must also be a member of thedialout
group.dialout
grants access to the serial ports, including those that the nShield Edge uses (/dev/ttyUSB*
).For example, on Linux, run:
useradd -a -G dialout nfast
-
If you are installing snmp, the
ncsnmpd
user in thencsnmpd
group, using/opt/nfast
as the home directory. -
If you are installing the Remote Administration Service, the
raserv
user in theraserv
group, using/opt/nfast
as the home directory.
(nShield 5s only) Network configuration
The nShield 5s appears to the host operating system as a network interface. Communication with the HSM is performed over this interface using IPv6. The install process automatically configures the nShield 5s and any relevant operating system network settings, with the HSM and host-software using link-local communication.
After the installation process has been completed, the nShield 5s network interfaces should have a link-local IPv6 address. On Windows and Linux, this is assigned automatically. On Linux, the installation process will also detect the following network management services and create appropriate configuration files:
Network management service | Configuration file path |
---|---|
|
|
|
|
These files instruct the network management service not to configure the nShield 5s interfaces. They will be configured by the nShield host software. This covers all of our supported distributions, and more. If your distribution is not using one of these network management services, you will need to configure the interfaces to have a link-local IPv6 address manually.
The following network configuration must be present for the host software and HSM to function:
-
The HSM’s network interface must be assigned a link-local IPv6 address (https://tools.ietf.org/html/rfc4862).
-
Multicast DNS must be possible for the host software to discover the services running on the HSM (https://tools.ietf.org/html/rfc6762).
This requires inbound UDP packets on port 5353, to receive service advertisement responses from the HSM.
-
The following ports must be accessible on the HSM from the host to access management and crypto services.
Outbound SSH traffic on TCP ports:
-
2201
-
2202
-
2203
-
2204
-
2206
-
All environments
Install Java with any necessary patches
The following versions of Java have been tested to work with, and are supported by, your nShield Security World Software:
-
Java7 (or Java 1.7x)
-
Java8 (or Java 1.8x)
-
Java11
Entrust recommends that you ensure Java is installed before you install the Security World Software. The Java executable must be on your system path.
If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported. If you are maintaining older Java versions for legacy reasons, and need compatibility with current nShield software, please contact Entrust nShield Support, https://nshieldsupport.entrust.com.
To install Java you may need installation packages specific to your operating system, which may depend on other pre-installed packages to be able to work.
Suggested links from which you may download Java software as appropriate for your operating system:
You must have Java installed to use KeySafe. |
Identify software components to be installed
Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either:
-
All the software components supplied.
-
Only the software components you require.
During the installation process, you are asked to choose which bundles and components to install. Your choice depends on a number of considerations, including:
-
The types of application that are to use the module.
-
The amount of disc space available for the installation.
-
Your company’s policy on installing software. For example, although it may be simpler to choose all software components, your company may have a policy of not installing any software that is not required.
- Network-attached HSMs
-
On Windows, the nShield Hardware Support bundle and the nShield Core Tools bundle are mandatory, and are always installed.
- PCIe HSMs
-
On Windows, the nShield Hardware Support bundle and the nShield Core Tools bundle are mandatory, and are always installed.
On Windows, the Windows device drivers component is installed as part of the Hardware Support bundle. On Linux, the Kernel device drivers component is installed.
On Linux, you must install the
hwsp
component and, for nShield 5s HSMs thenshield5_net
component. - USB HSMs
-
You must install the Hardware Support bundle. If the Hardware Support bundle is not installed, your module cannot function.
The Core Tools bundle contains all the Security World Software command-line utilities, including:
-
generatekey
-
Low level utilities
-
Test programs
The Core Tools bundle includes the Tcl run time component that installs a run-time Tcl installation within the nCipher directories. This is used by the tools for creating the Security World and by KeySafe. This does not affect any other installation of Tcl on your computer.
- Network-attached and PCIe HSMs only
-
You need to install the Remote Administration Service component if you require remote administration functionality. See [prep] and Remote Administration v13.6.5 User Guide for more about the Remote Administration Service.
Always install all the nShield components you need in a single installation process to avoid subsequent issues should you wish to uninstall. You should not, for example, install the Remote Administration Service from the Security World installation media, then later install the Remote Administration Client from the client installation media.
Ensure that you have identified any optional components that you require before you install the Security World Software. See Software packages on the installation media for more about optional components.
Firewall settings
When setting up your firewall, you should ensure that the port settings are compatible with the HSMs and allow access to the system components you are using.
The following table identifies the ports used by the nShield system components. All listed ports are the default setting. Other ports may be defined during system configuration, according to the requirements of your organization.
Component | Default Port | Protocol | Use |
---|---|---|---|
Hardserver |
9000 |
TCP |
Internal non-privileged connections from Java applications including KeySafe |
Hardserver |
9001 |
TCP |
Internal privileged connections from Java applications including KeySafe |
Hardserver |
9004 |
TCP |
Incoming impath connections from other hardservers, for example:
|
Hardserver in the HSM (network-attached HSMs only) |
9004 |
TCP |
Incoming impath connections from client machines |
Remote Administration Service |
9005 |
TCP |
Incoming connections from Remote Administration Clients |
Audit Logging syslog |
514 |
UDP |
If you plan to use the Audit Logging facility with remote syslog or SIEM applications, you need to allow outgoing connections to the configured UDP port |
mDNS (nShield 5s only) |
5353 |
UDP |
Send out mDNS Service Discovery requests and receive responses |
If you are setting up an RFS or exporting a slot for Remote Operator functionality (network-attached HSMs) or using an nShield Edge as a Remote Operator slot for an HSM located elsewhere (PCIe and USB HSMs), you need to open port 9004. You may restrict the IP addresses to those you expect to use this port. You can also restrict the IP addresses accepted by the hardserver in the configuration file. See see HSM and client configuration files (network-attached HSMs) or Hardserver configuration files (PCIe and USB HSMs) for more about configuration files. Similarly, if you are setting up the Remote Administration Service you need to open port 9005.