Entrust nShield Connect Installation Manual


nShield® Connect
Installation Guide
12.80
17 Nov 2021


Summary of Contents for Entrust nShield Connect

  • Page 1 nShield® Connect Installation Guide 12.80 17 Nov 2021...
  • Page 2: Table Of Contents

      6. Installing an nShield Connect in a rack, cabinet, or shelf ...
  • Page 3 11. nShield Connect maintenance ...
  • Page 4: Introduction

    Ethernet network. A client is a computer using the nShield Connect for cryptography. You can also configure clients to use other nShield Connects on the network, as well as locally installed HSMs.
  • Page 5 Model number / Used for:
      NH2047: Connect 6000
      NH2040: Connect 1500
      NH2033: Connect 500
      NH2068: Connect 6000+
      NH2061: Connect 1500+
      NH2054: Connect 500+
      NH2075-B: Connect XC Base
      NH2075-M: Connect XC Medium
      NH2075-H: Connect XC High
      NH2082: Connect XC SCAP
      NH2089-B: Connect XC Base - Serial Console
      NH2089-M: Connect XC Mid - Serial Console
      NH2089-H: ...
  • Page 6: Additional Documentation

    Read this guide in conjunction with the nShield product’s Warnings and Cautions documentation (available in multiple languages).
    1.2.1. Terminology
    The nShield Connect is referred to as the nShield Connect, the hardware security module, or the HSM.
    1.3. Handling an nShield Connect
    An nShield Connect contains solid-state devices that can withstand normal handling.
  • Page 7: Environmental Requirements

    In the unlikely event that the internal encryption module overheats, the module shuts down (see Module Overheating). If the whole nShield Connect overheats, the orange warning LED on the front panel illuminates (see Orange warning LED) and a critical error message is shown on the display.
  • Page 8: Physical Location Considerations

    1.5. Physical location considerations Entrust nShield HSMs are certified to NIST FIPS 140-2 Level 2 and 3. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats.
  • Page 9: Recycling And Disposal Information

    2. Recycling and disposal information
    For recycling and disposal guidance, see the nShield product’s Warnings and Cautions documentation.
  • Page 10: Before You Install The Software

    3. Before you install the software
    Before you install the software, you should:
    • If required, install an optional nToken in the client computer; see the nToken Installation Guide for more information about the installation steps.
    • Uninstall any older versions of Security World Software. See Uninstalling existing software.
  • Page 11 You must have Java installed to use KeySafe. 3.1.3.2. Identify software components to be installed Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either: •...
  • Page 12: Firewall Settings

    During the installation process, you are asked to choose which bundles and components to install. Your choice depends on a number of considerations, including:
    • The types of application that are to use the module
    • The amount of disc space available for the installation
    • ...
  • Page 13 Internal privileged connections from Java applications including KeySafe
    Hardserver, port 9004: Incoming impath connections from other hardservers, e.g.:
    • From an nShield Connect to the Remote File System (RFS)
    • From a non-attended nShield Connect to an attended host machine when using Remote Operator
    Hardserver in...
  • Page 14: Installing The Software

    4. Installing the software This chapter describes how to install the Security World Software on the computer, client, or RFS associated with your nShield HSM. After you have installed the software, you must complete further Security World creation, configuration and setup tasks before you can use your nShield environment to protect and manage your keys.
  • Page 15: Installing The Security World Software On Linux

    ◦ If nShield CSPs (CAPI, CNG) was selected: 32bit CSP install wizard, which sets up CSPs for 32-bit applications
    ◦ If nShield CSPs (CAPI, CNG) was selected: 64bit CSP install wizard, which sets up CSPs for 64-bit applications
    ◦ If nShield CSPs (CAPI, CNG) was selected: CNG configuration wizard, which sets up the CNG providers
    ◦ ...
  • Page 16 /opt/nfast/sbin/install
    6. Log in to your normal account.
    7. Add /opt/nfast/bin to your PATH system variable:
    ◦ If you use the Bourne shell, add these lines to your system or personal profile:
      PATH=/opt/nfast/bin:$PATH
      export PATH
    ◦ If you use the C shell, add this line to your system or personal profile:
      setenv PATH /opt/nfast/bin:$PATH
  • Page 17: Before Installing An Nshield Connect

    If any optional components are missing, contact Support.
    5.3. Check the physical security of the nShield Connect
    See the nShield Connect Physical Security Checklist, provided in the box with an nShield Connect and available in the document folder on the installation media.
  • Page 18: Installing An Nshield Connect In A Rack, Cabinet, Or Shelf

    To install the nShield Connect in a 19” rack, follow the instructions supplied with your rack mounting kit. To install the nShield Connect in a cabinet or a shelf, fit the four self-adhesive rubber feet (supplied with the HSM) to the bottom of the HSM. An is scored into the chassis at each of the four corners on the bottom of the HSM as a guide to placing the feet.
  • Page 19 Connect is viewed from the back
    RJ45 port for a serial console cable
    If you connect only one Ethernet cable to the nShield Connect, we recommend that you connect it to Ethernet port 1. This is the left-hand ...
  • Page 20: Connecting The Serial Console

    Connect (see the nShield Connect User Guide). The RJ45 connector for the serial cable is at the rear of the nShield Connect and is labelled Console (see Connecting Ethernet, console and power cables).
  • Page 21: Connecting The Optional Usb Keyboard

    6.3. Connecting the optional USB keyboard Instead of using the controls on the front panel to configure the nShield Connect, you can use a US or UK keyboard. You might find a keyboard easier for entering dates and IP addresses. You connect the keyboard to the USB connector on the front of the nShield Connect.
  • Page 22: Front Panel Controls

    USB connector For more information about the user interface, including the front panel controls, see the nShield Connect User Guide. Use the touch wheel to change values or move the cursor on the display screen. To confirm a value, press the Select button.
  • Page 23: Top-Level Menu

    8. Top-level menu
    If you select an option, the module displays the menu options in the level below. If you cancel a selected option, you return to the level above.
    * Submenus depend on the settings of the module.
    1 System ...
  • Page 24
      2‑3 HSM feature enable
        2‑3‑1 Read FEM from card
        2‑3‑2 Read from a file
        2‑3‑3 View current state
        2‑3‑4 Write state to file
      2‑4 Set HSM mode
        2‑4‑1 Operational
        2‑4‑2 Initialization
    3 Security World mgmt ...
  • Page 25: Basic Nshield Connect, Rfs And Client Configuration

    9.1.1. Remote file system (RFS) Each nShield Connect must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield Connect needs. See the User Guide for your HSM for more information about the RFS.
  • Page 26: Basic Nshield Connect And Rfs Configuration

    (Windows) or (Linux) to the system variable.
    9.2. Basic nShield Connect and RFS configuration
    After installing the Security World Software and the nShield Connect, you need to do the following:
    • Configure the nShield Connect Ethernet interfaces.
    • Configure the RFS.
  • Page 27 If the nShield Connect is already configured, you can update the displayed values. If you ever change any of the IP addresses on the nShield Connect, you must update the configuration of all the clients that work with it to reflect the new IP addresses.
  • Page 28 Inter-Domain Routing (CIDR) notation. 9.2.1.1.2. IPv6 Address notation An nShield Connect will accept an IPv6 address if it is entered in one of the forms shown below and if the address is valid for context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings: •...
  • Page 29 Operating System, SLAAC IPv6 addresses are not subject to the same validation rules as addresses entered via the nShield Connect front panel. If SLAAC is to be used to configure nShield Connect IPv6 addresses in preference to statically entered...
  • Page 30 Use Case / Acceptable Address Type:
    IPv6 Route Entry - IP: Unknown Range, Loopback, Global Unicast, Local Unicast, Link local, Teredo, Benchmarking, Orchid, 6to4, Documentation, Multicast
    IPv6 Route Entry - Gateway: Global Unicast, ...
  • Page 31 IPv6 address(es). SLAAC is disabled by default in an nShield Connect, but can be selectively enabled for each Ethernet interface either using the nShield Connect front panel or by setting the appropriate configuration item and pushing an nShield Connect configuration file.
  • Page 32 9.2.2. Configure Ethernet Interface #1
    To set up Ethernet interface #1 (default):
    9.2.2.1. Enable/disable IPv4
    To enable/disable IPv4:
    1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable. The following screen displays:
      Network configuration
      IPv4 enable/disable: ...
  • Page 33 9.2.2.3. Enable/disable IPv6
    To enable/disable IPv6:
    1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6. The following screen displays:
      Network configuration
      IPv6 enable/disable: DISABLE
      CANCEL FINISH ...
  • Page 34  asked to confirm the changes if auto / 1Gb is not selected. On the nShield Connect, selecting auto / 1Gb is the only means of achieving 1Gb link speed. 3. Press the right-hand navigation button and you will be returned to the Set up interface #1 screen and you can then continue with the configuration.
  • Page 35 9.2.3. Configure Ethernet Interface #2 To set up the Ethernet interface #2, if required: 1. From the front panel menu, select System > System configuration > Network config > Set up interface #2. 2. Enter the details for interface #2 in the same manner that you entered the details for interface #1.
  • Page 36 9.2.4.2. Set up a bond interface
    1. From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond. The following screen displays:
      Bond interface config
      will use the eth0 IPv4 and IPv6 config if they are enabled
      CANCEL NEXT ...
  • Page 37 Bond interface config
      Update parameter lacp_rate: slow
      only valid for 802.3ad (LACP) mode
      BACK NEXT
    7. Set the lacp_rate field to the required option, either slow or fast. This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.
      slow: request LACPDUs to be transmitted every 30 seconds
      fast: ...
  • Page 38 Bond interface config
      Update parameter primary device: eth0
      only valid for active-backup mode
      BACK NEXT
    11. Set the primary device field to the required option, either eth0 or eth1. This parameter is only valid for active backup mode. This setting is ignored in other modes.
  • Page 39 9.2.5. Default gateway
    9.2.5.1. Set default gateway for IPv4
    To set a default gateway for IPv4:
    1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway. The following screen is displayed:
      Gateway configuration
      Enter IPv4 address of the default gateway: ...
  • Page 40 Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept. 9.2.6. Set up Routing 9.2.6.1. Set up routing for IPv4 To set a new route entry for IPv4: 1. From the front panel menu, select System > System configuration > Network config >...
  • Page 41 Edit route entry
      xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx
      Enter the gateway:
      BACK NEXT
    3. Enter the gateway address; if it is a link local address, the following screen is displayed.
      Edit route entry
      Select an interface for link-local address:
      fe80:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
      Interface #1
      BACK NEXT
    4.
  • Page 42 Edit route entry
      Enter the IP range and mask length: 1. 1. 1. 1/ 1
      Enter the gateway: 2. 2. 2. 2
      CANCEL FINISH
    3. Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.
    9.2.7.2. Edit IPv6 route entry
    To edit a route entry for IPv6:
    1.
  • Page 43 4. Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway, the screen below will be displayed.
      Edit route entry
      Select an interface for link-local address:
      fe80:2222:2222:2222:2222:2222:2222:2222
      Interface #1
      BACK NEXT
    5. Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
  • Page 44 See the User Guide for more about the RFS and its contents. The nShield Connect must be able to connect to TCP port 9004 of the RFS. If necessary, modify the firewall configuration to allow this connection on either the RFS itself, or on a router between the RFS and the nShield Connect, or both.
  • Page 45 <Unit IP>
    In this command, <Unit IP> is the IP address of the nShield Connect, which could be one of the following:
    • An IPv4 address, for example 123.456.789.123.
    • An IPv6 address, for example fc00::1.
    • A link-local IPv6 address, for example, fe80::1%eth0.
  • Page 46: Basic Configuration Of The Client To Use The Nshield Connect

    9.2.10.1. Systems configured for Remote Administration If you are planning to use Remote Administration or to configure NTP, you should enable auto push on the nShield Connect for the client computer you intend to use for configuration. On the nShield Connect display, use the right-hand navigation button to select System >...
  • Page 47 [Options] --privileged <nShield Connect IP> <nShield Connect ESN> <nShield Connect KNETI HASH>
    Options:
      --module=MODULE  Specifies the local module number that should be used (default is for dynamic configuration by hardserver).
      --privileged     Makes the hardserver request a privileged connection to the nShield Connect (default unprivileged).
  • Page 48 --help
    9.3.2. Configuring a client to communicate through an nToken
    You can configure a client to use its nToken to communicate with an nShield Connect, if it has one installed. When this happens, the nShield Connect:
    • Examines the IP address of the client.
  • Page 49 1. On the client, open a command line window, and run the command:
      nethsmenroll --help
    2. To retrieve the HKNETI of the nShield Connect, run the command:
      anonkneti <Unit IP>
    The following is an example of the output:
      3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320...
  • Page 50: Basic Configuration Of An Nshield Connect To Use A Client

    Do you want to save the IP in the config? (No for dynamic client IPs)
      Back Next
    4. Use the touch wheel to select the connection type between the nShield Connect and the client.
      Client configuration
      Please choose the client permissions
      Unprivileged
      BACK...
  • Page 51 BACK NEXT
    The next steps in the configuration process vary slightly depending on whether the client uses an nToken to communicate with the nShield Connect, or not.
    6. Do one of the following:
    To enroll the client without secure authentication:
    a.
  • Page 52: Restarting The Hardserver

    Ensure that you write down the hash or have it otherwise available for the next steps. d. On the nShield Connect, enter the number of the port on which the client is listening and press the right-hand navigation button. (The default port is 9004.) The following is an example of the information displayed by the nShield Connect.
  • Page 53: Zero Touch Configuration Of An Nshield Connect

    You can optionally set the IP address of the client that is allowed to push config files. By default any IP address that is configured as a client of the nShield Connect is allowed to push configuration files. If you set an IP address you can optionally set the hash of the key with which the authorized client is to authenticate itself (defaults to no key authentication required).
  • Page 54: Checking The Installation

    For an example of the output following a successful command, see Enquiry utility. If you are configuring a client belonging to an nShield Connect, the response to the enquiry command should be populated and the hardware status shown as OK.
  • Page 55: Troubleshooting

    10. Troubleshooting
    This chapter describes what to do if you have an issue with your HSM, or your Security World Software.
    10.1. Checking operational status
    Use the following methods to check the operational status of the module.
    10.1.1. Enquiry utility
    Run the enquiry ...
  • Page 56 Existing Security World data on the module has been erased. The module is automatically placed in Initialization mode after a Security World is created. For more information, see the nShield Connect User Guide.
    Flashes two long pulses followed by a pause: Status: Maintenance mode
  • Page 57 Status LED / Description:
    Flashes SOS, the Morse code distress code (three short pulses, three long pulses, three short pulses). After flashing SOS, the Status LED ...
    Status: Error mode. If the module encounters an unrecoverable error, it enters Error mode. In Error mode, the module does not respond to commands and does not write data to the bus.
  • Page 58 The physical security measures implemented on the module include tamper detection. This warns you of tampering in an operational environment. For more information about tamper detection, including the tamper warning messages, see the nShield Connect Physical Security Checklist or the nShield Connect User Guide.
  • Page 59 Power button / Display screen / Status:
    On, displaying menus and dialogs: The module is operational.
    On, displaying messages but not displaying labels for the navigation buttons: The module is running an upgrade. A color-coded footer indicates the specific status: yellow for initialization, red (maintenance) for upgrade.
  • Page 60: Module Overheating

    On, green and orange: Indicates a 1Gb Ethernet link.
    10.2. Module overheating
    If the internal module of the nShield Connect exceeds the safe operating temperature, the unit stops operating and displays the SOS‑T error message on the Status LED. See SOS‑T...
  • Page 61 10.3.2. Notice
    This type of message is sent for information only:
      nFast server: Notice: message
    10.3.3. Client
    This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected):
      nFast server: Detected error in client behaviour: message
    10.3.4.
  • Page 62: Utility Error Messages

    Real Time Clock (RTC) operation when the module is powered down. This battery normally lasts for up to two weeks if no power is supplied to the nShield Connect unit. If the module is without power for an extended period, the RTC time is lost. When this...
  • Page 63: Nshield Connect Maintenance

    Connect, or result in a tamper event. However, in the very rare event that a PSU or fan tray module requires replacement, contact Support before carrying out the replacement procedure. Do not allow a fan tray to be removed from the nShield Connect for longer than 30 minutes, otherwise a tamper event will occur.
  • Page 64: Approved Accessories

    12. Approved accessories
    The following parts can be ordered with the HSM or separately.
    Part / Part number / Comments:
    Slide rail assembly, AC2050: Optional slide rail assembly and fixing kit. For details of contents, see the nShield Connect Slide Rails Instructions.
    USB keyboard, M-030099-L: For more information about using a USB...
  • Page 65: Appendix A: Uninstalling Existing Software

    Appendix A: Uninstalling existing software Entrust recommends that you uninstall any existing older versions of Security World Software before you install new software. In Windows environments, if the installer detects an existing Security World Software installation, it asks you if you want to install the new components.
  • Page 66: Uninstalling The Security World Software On Windows

    Entrust recommends that you do not uninstall the Security World Software unless you are either certain it is no longer required, or you intend to upgrade it.
    A.1. Uninstalling the Security World Software on Windows
    Before uninstalling the Security World software, you should back up your %NFAST_HOME% directory.
  • Page 67 5. If you are not planning to re-install the product, delete the configuration file /etc/nfast.conf if it exists. Do not delete the configuration file if you are planning to re-install the product.
    6. Unless needed for a subsequent installation, remove the user nfast and, if it exists, the user ncsnmpd:
  • Page 68: Appendix B: Software Packages On The Security World Software Installation Media

    Installing the software. Entrust supply the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, Entrust provide individual components for use with specific applications and features supported by certain ncversions command-line utility.
  • Page 69: Components Required For Particular Functionality

    Linux Package / Feature in the Windows Installer / Content:
    hwsp: nShield Device Drivers: Device drivers for PCI and USB attached nShield devices, included in for Linux.
    javasp: nShield Java: nCipherKM JCA/JCE Provider, associated classes (including nFast Java generic stub classes) and the KeySafe application.
    nShield Java Developer: Java developer libraries and documentation for the nCore API and...
  • Page 70: Ncipherkm Jca/Jce Cryptographic Service Provider

    • The appropriate third-party integration guide for your application
    We have produced Integration Guides for many supported applications. The Integration Guides describe how to install and configure an application so that it works with Entrust hardware security modules and Security Worlds. For more information about the Entrust range of Integration Guides:
    • ...
  • Page 71: Snmp Monitoring Agent

    B.4. SNMP monitoring agent
    If you want to use the SNMP monitoring agent to monitor your modules, install the nShield SNMP component (ncsnmp on Linux). During the first installation process of the SNMP agent, the agent displays the following message:
      If this is a first time install, the {product_family} SNMP Agent will not run by default.
  • Page 72: Appendix C: Valid Ipv6 Addresses

    Appendix C: Valid IPv6 Addresses
    This appendix provides a list of valid IPv6 addresses for each of the types of addresses recognized by certain parts of the system. For information on setting up IPv6 addresses, see Configuring the Ethernet interfaces - IPv4 and IPv6.
  • Page 73 nShield® Connect Installation Guide 73 of 73...