1. Introduction The Entrust nShield Solo and Solo XC are Hardware Security Modules (HSM) for servers and appliances. 1.1. About this guide This guide includes: • Installing the nShield Solo and nShield Solo XC. See Installing the module. • Installing the Security World Software. See Installing the software.
1.2.1. Terminology The nShield Solo and nShield Solo XC are referred to as the nShield Solo and nShield Solo XC, the hardware security module, or the HSM in this guide. nShield® Solo and nShield® Solo XC Installation Guide...
2. Hardware security modules 2.1. Power requirements Maximum power per module: • Solo: 9.9W • Solo XC: Make sure that the power supply in your computer is rated to supply the required electric power. The Solo and Solo XC nToken modules are intended for installation into a certified personal computer, server or similar equipment.
flow, use a PCIe slot with no neighboring modules if possible. If air flow is limited, consider fitting extra cooling fans to your computer case. Failure to provide adequate cooling can result in damage to the module or the computer into which the module is fitted. Always handle the module correctly.
2.6. Physical location considerations Entrust nShield HSMs are certified to NIST FIPS 140-2 Level 2 and 3. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats.
3. Regulatory notices 3.1. FCC class A notice The nShield Solo and nShield Solo XC HSMs comply with Part 15 of the FCC rules. Operation is subject to the following two conditions: 1. The device may not cause harmful interference, and 2. The device must accept any interference received, including interference that may cause undesired operation.
4. Before installing the module 4.1. Back panel and jumper switches Labelled items: • Status LED • Recessed clear button • Physical mode switch • Physical mode override jumper switch, in the off position. When set to on, the mode switch (C) is deactivated. See the User Guide for more information. • Remote mode override jumper switch, in the off position.
Both full height and low profile brackets are supplied with the module. Do not touch the nShield Solo or nShield Solo XC connector pins, or the exposed area of the module without taking ESD precautions.
To fit the full height bracket to the module: 1. Remove the two screws from the solder side of the module. 2. Remove the low profile bracket. 3. Fit the full height bracket to the component side of the module. 4.
6. Using the #0 Phillips screwdriver, remove the four fan retaining screws. 7. Remove the defective fan from the Solo XC and install the replacement fan with the power cable positioned towards the P3 power connector. Ensure that the fan lays flat against the heatsink.
1. Power off the system and while taking ESD precautions, remove the Solo XC card. 2. Place the Solo XC on a flat surface. 3. Using the tweezers, gently remove the battery from the BT1 connector. 4. Observing the polarity, install the replacement battery in the BT1 connector. 5.
2. Open the computer case and locate an empty PCIe slot. If necessary, follow the instructions that your computer manufacturer supplied. The nShield Solo must be fitted to a PCIe x1 slot and the nShield Solo XC must be fitted to a PCIe x4 slot.
6.1.1.1. Power saving options Adjust your computer's power saving settings to prevent sleep mode. You may also need to set the power management properties of the nShield Solo once the Security World Software is installed. See Installing the Security World Software on Windows for more information.
You must have Java installed to use KeySafe. 6.1.3.2. Identify software components to be installed Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either:
• All the software components supplied • Only the software components you require During the installation process, you are asked to choose which bundles and components to install. Your choice depends on a number of considerations, including: • The types of application that are to use the module •...
6.2. Firewall settings When setting up your firewall, you should ensure that the port settings are compatible with the HSMs and allow access to the system components you are using. The following table identifies the ports used by the nShield system components. All listed ports are the default setting.
7. Installing the software This chapter describes how to install the Security World Software on the host computer. After you have installed the software, you must complete further Security World creation, configuration and setup tasks before you can use your nShield environment to protect and manage your keys.
◦ If nShield CSPs (CAPI, CNG) was selected: 64bit CSP install wizard, which sets up CSPs for 64-bit applications ◦ If nShield CSPs (CAPI, CNG) was selected: CNG configuration wizard, which sets up the CNG providers ◦ If the nShield Java package was selected: KeySafe, which runs the key management application ◦...
5. To use an nShield module with your Linux system, you must build a kernel driver. Entrust supplies the source to the (nfp) and a makefile for building the driver as a loadable module.
6. Run the install script by using the following command: /opt/nfast/sbin/install 7. Log in to your normal account. 8. Add /opt/nfast/bin to your system PATH variable: If you use the Bourne shell, add these lines to your system or personal profile: PATH=/opt/nfast/bin:$PATH export PATH If you use the C shell, add this line to your system or personal profile:...
• C:\Program Files\nCipher\nfast for Windows • /opt/nfast for Linux Run the command: enquiry If the module is working correctly, the utility returns a message similar to the following: nShield Solo Server: enquiry reply flags none enquiry reply level serial number ############-#### mode operational version #.#.#...
Installing the module for more information. Otherwise, if your system enters Sleep mode, the nShield Solo module may not be found when running enquiry. If this happens, you need to reboot your system. 8.1.2. nFast server (hardserver) Communication can only be established with a module if the nFast server is running. If...
HSM. You can set the physical mode override jumper switch on the circuit board of the nShield Solo to the On position, to prevent accidental operation of the Mode switch. If this override jumper switch is on, the nShield Solo and nShield Solo XC will ignore the position of the Mode switch (see...
8.3.2. Notice This type of message is sent for information only: nFast server: Notice: message 8.3.3. Client This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected): nFast server: Detected error in client behaviour: message 8.3.4.
8.3.7. Fatal errors This type of message indicates a fatal error for which no further reporting is available: nFast server: Fatal internal error nFast server: Fatal runtime error If you receive either of these errors, contact Support. 8.4. Utility error messages 8.4.1.
PCIe slot, then restart the computer. Status LED: Operational mode, occasionally blinks off. Meaning: The nShield Solo module is accepting commands. The more frequently the Status LED blinks off, the greater the load on the module. Flashes two...
Use the Mode switch to move between Maintenance, Operational, and Initialization modes. See Mode switch and jumper switches for more information.
Appendix A: Uninstalling existing software Entrust recommends that you uninstall any existing older versions of Security World Software before you install new software. In Windows environments, if the installer detects an existing Security World Software installation, it asks you if you want to install the new components.
Entrust recommends that you do not uninstall the Security World Software unless you are either certain it is no longer required, or you intend to upgrade it. A.1. Uninstalling the Security World Software on Windows Before uninstalling the Security World software, you should back up your %NFAST_HOME% directory.
5. If you are not planning to re-install the product, delete the configuration file /etc/nfast.conf if it exists. Do not delete the configuration file if you are planning to re-install the product. 6. Unless needed for a subsequent installation, remove the user nfast and, if it exists, the user ncsnmpd:...
Installing the software. Entrust supply the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, Entrust provide individual components for use with specific applications and features supported by certain Entrust modules.
Components by Linux package and Windows installer feature: • nShield Debug (Windows installer feature): PDB and .map files for nShield libraries and executables. • hwsp (Linux) / nShield Device Drivers (Windows installer feature): Device drivers for PCI and USB attached nShield devices, included in hwsp for Linux. • javasp (Linux) / nShield Java (Windows installer feature): nCipherKM JCA/JCE Provider, associated classes (including nFast Java generic stub classes) and the KeySafe application.
• The appropriate User Guide for your module and operating system • The appropriate third-party integration guide for your application Integration guides for third-party applications are available from https://nshieldsupport.entrust.com. B.3. nCipherKM JCA/JCE cryptographic service provider If you want to use the nCipherKM JCA/JCE cryptographic service provider, you must install: •...
B.4. SNMP monitoring agent If you want to use the SNMP monitoring agent to monitor your modules, install the nShield SNMP component (ncsnmp on Linux). During the first installation process of the SNMP agent, the agent displays the following message: If this is a first time install, the {product_family} SNMP Agent will not run by default.
Appendix C: Virtualization Remote Server The nShield Solo XC is compatible with the leading server virtualization and hypervisor management platforms, including: Virtualization provides an environment where multiple operating systems can run at the same time on one physical computer. Each virtual machine is an isolated, virtualized computer system that can run its own operating system.
After installing VMware ESXi, the VM guest can be remotely managed and the PCI passthrough of the Solo module configured using vSphere. PCI passthrough gives a VM guest direct access to the nShield Solo XC. C.3.1. Set up a basic single-node vCenter server instance Follow the steps below to use the vCenter Simple Install to set up a basic single-node vCenter Server instance.
7. Select the check box to mark the endpoint for passthrough. For example, the check box for 02:00.0 will be Freescale Semiconductor Inc <class> Power PC. 8. Select OK. ESXi is now installed and the Solo PCIe module is configured for passthrough.
To install XenServer, follow the instructions in the Citrix XenServer Quick Start Guide; see https://docs.citrix.com/en-us/xenserver. C.4.1. Configure the XenCenter client To remotely manage VM guests and configure PCI passthrough of the nShield Solo XC: 1. Enter the XenServer web client IP address. 2. Select XenCenter installer. The XenCenter software will auto install.
A detailed list of all the PCI buses and devices in the system is displayed, for example: 02:00.0 Power PC: Freescale Semiconductor Inc Device 082c (rev11) Here 02:00.0 represents the nShield Solo XC card endpoint. 6. Open the file /boot/extlinux.conf and scroll to the dom0 linux kernel append section.
xe vm-param-set other-config:pci=0/0000:<endpoint of the NG solo card> uuid=<uuid> This command adds the PCI device to the selected VM, for example: xe vm-param-set other-config:pci=0/0000:02:00.0 uuid=4a4ab965-a91d-70e7-2ec-a4c0004e1e8d If a PCI passthrough needs to be removed from a specific guest VM, run ...
Verify that the Solo XC card is located on the same slot that was selected for the passthrough to the guest VM. C.5. Hyper-V environment The instructions assume there is a single nShield Solo XC module in the system.
C.5.1.2. Add the Hyper-V role to the server To add the Hyper-V role in Windows server: 1. Logon as Administrator. 2. Open Server Manager. 3. Select Manage. 4. Select Add Roles and Features. 5. Select Next. 6. Select the Role-based or feature-based installation button. 7.
PS C:\> Disable-PnpDevice -Verbose -InstanceId $instanceId -Confirm:$false To find the $instanceId run the command: PS C:\> $instanceId = (Get-PnpDevice -PresentOnly).Where{ $_.InstanceId -like '*VEN_1957*' } | select -expand InstanceId 3. Dismount the device. Run the command: PS C:\> Dismount-VmHostAssignableDevice -LocationPath $locationPath -Force -Verbose To find the $locationPath run the command:...
6. Select Next. 7. Select the button next to the OS generation to be installed on the new guest VM instance. For example, Generation 2 is selected. Generation 2 is valid for products such as Windows 8 and beyond and with Windows Server 2016.
PS C:\> Add-VMAssignableDevice -VM $vmName -LocationPath $locationPath -Verbose PS C:\> Start-VM -VMName $vmName To find the $locationPath run the command: PS C:\> $locationPath = (Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths -InstanceId $instanceId).Data[0] It is possible to assign the same device to a single VM guest instance multiple times.
To find the $locationPath run the command: PS C:\> $locationPath = (Get-PnpDeviceProperty -KeyName DEVPKEY_Device_LocationPaths -InstanceId $instanceId).Data[0]