Nshield Connect Front Panel; Configuring The Nshield Connect To Use A Client - Entrust nShield Security Manual


threat analysis will determine what ACL settings are required for a particular key.
5.3.1. ACL restrictions for key wrapping/encapsulation keys
Care must be taken when setting the ACL for all key wrapping/de-encapsulation keys: they must be assigned the single purpose of key wrapping/de-encapsulation and must not be allowed to be used for any other purpose. If a wrapping (or de-encapsulation) key is also assigned the decrypt permission, a wrapped/encapsulated key could be exposed in plaintext on the client/host platform.
The ACL also allows other conditions to be specified for a wrapping/de-encapsulation key that further restrict its use to:
• A specific wrapping/de-encapsulation mechanism.
• A specific application key that can be wrapped/de-encapsulated.
• Specific parameters used for the wrapping/de-encapsulation mechanism.
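As an added illustration (not the manual's own code, and not the nCore ACL format), the following hypothetical ACL model shows why the single-purpose rule and the three optional restrictions matter: a wrap-only key bound to one mechanism, one target key and fixed parameters is refused for anything else, while an audit routine flags the weak setting the manual warns about. Key identifiers, mechanism and parameter names are constructed sample values.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, List

# Hypothetical ACL model for illustration only; it is NOT the nCore ACL format.
# A wrapping entry may carry the restrictions the manual lists: the mechanism,
# the target key that may be wrapped, and the mechanism parameters.
@dataclass(frozen=True)
class WrapRestriction:
    mechanism: Optional[str] = None          # allowed wrap/unwrap mechanism
    target_key: Optional[str] = None         # only this application key may be wrapped
    params: FrozenSet[str] = frozenset()     # parameters that must be present

@dataclass
class KeyACL:
    key_id: str
    permissions: Set[str]                    # e.g. {"wrap", "unwrap"}
    wrap_restriction: Optional[WrapRestriction] = None

def is_permitted(acl: KeyACL, op: str, mechanism: Optional[str] = None,
                 target_key: Optional[str] = None,
                 params: FrozenSet[str] = frozenset()) -> bool:
    """Evaluate one operation against the key's ACL, honouring wrap restrictions."""
    if op not in acl.permissions:
        return False
    r = acl.wrap_restriction
    if op in ("wrap", "unwrap") and r is not None:
        if r.mechanism is not None and mechanism != r.mechanism:
            return False
        if r.target_key is not None and target_key != r.target_key:
            return False
        if not r.params <= params:                # every required parameter supplied?
            return False
    return True

def audit_wrapping_key(acl: KeyACL) -> List[str]:
    """Report ACL settings on a wrapping key that violate the single-purpose rule."""
    findings = []
    extra = acl.permissions - {"wrap", "unwrap"}
    if extra:
        findings.append(f"{acl.key_id}: wrapping key also permits {sorted(extra)}")
    if "decrypt" in acl.permissions:
        findings.append(f"{acl.key_id}: decrypt permission can expose wrapped keys in plaintext")
    if acl.wrap_restriction is None:
        findings.append(f"{acl.key_id}: no mechanism/target/parameter restriction on wrap use")
    return findings

# Constructed samples: the weak ACL beside the corrected, single-purpose one.
WEAK = KeyACL("kek-weak", {"wrap", "unwrap", "decrypt"})
HARDENED = KeyACL("kek-ok", {"wrap", "unwrap"},
                  WrapRestriction("AESKeyWrap", "appkey-1", frozenset({"iv-default"})))
```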

5.4. nShield Connect front panel

In the case of the nShield Connect, HSM configuration can be performed through the front panel.
You can control access to the menus on the unit and to the Power button on the front panel
by using System > System configuration > Login settings.
When UI Lockout with OCS has been enabled, you must log in with an authorized
Operator Card before you can access the menus. You can still view information about the
unit on the startup screen. When you are logged in, you can log out and leave the unit
locked. An OCS used to authorize login on a unit must be persistent and must not be
loadable remotely. Because the OCS protects physical access to the nShield Connect HSM, it
should not also be used to protect application keys: a compromise of that OCS
would then provide complete access to both the front panel and the Security World.
When UI Lockout without OCS has been enabled, you cannot access the menus, but you
can still view information about the nShield Connect on the start-up screen.
The Power button lockout can be enabled and disabled independently when UI Lockout
allows access to the menus.
Customer security procedures should identify the settings for the front panel based on a
threat analysis of the environment.

5.5. Configuring the nShield Connect to use a client

To configure a client to access an nShield Connect, a privileged connection is
required to administer the nShield Connect, for example to initialize a Security World. If
nShield® Security Manual
38 of 90
