5s Base
NC5536E-M nShield 5s Medium
NC5536E-H nShield 5s High
1.1.2. Terminology
The nShield 5s is referred to as the nShield 5s, the Hardware Security Module, or the HSM in this guide.
nShield® 5s Installation Guide 4 of 37...
Make sure that the power supply in your computer is rated to supply the required electric power. The PCIe card, nShield 5s, is intended for installation into a certified personal computer, server, or similar equipment. If your computer can supply the required electric power and sufficient cooling, you can install multiple modules in your computer.
To maximize airflow, use a PCIe slot with no neighboring modules if possible. If airflow is limited, consider fitting extra cooling fans. The nShield 5s module is a passively cooled PCIe card that requires the ...
2.5. Physical location considerations For the certification of Entrust nShield HSM, refer to the Security Manual. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats.
3. Regulatory notices
3.1. FCC class A notice
The nShield 5s HSMs comply with Part 15 of the FCC rules. Operation is subject to the following two conditions:
1. The device may not cause harmful interference, and
2. The device must accept any interference received, including interference that may cause undesired operation.
4. Before installing the module 4.1. Back panel Label Description Status LED Recovery mode button A mini-DIN connector for connecting a smart card reader. 4.2. Module pre-installation steps Check the module to ensure that there is no sign of damage or tampering: •...
4.3. Fitting a module bracket Before installing a module in a PCI Express card slot, you may have to replace the bracket if it is not the same height as the slot. Both full height and low profile brackets are supplied with the module. Do not touch the connector pins, or the exposed area of the module without taking electrostatic discharge (ESD) precautions.
4.4.1. Replace the battery
Please follow battery disposal guidelines in the installation manual.
Required tools
• Small non-conductive tweezers
Required part
• Orderable part number: SOLOXC-REP-BATT (Replacement battery)
To remove and replace the battery:
1. Power off the system and while taking ESD precautions, remove the module.
2.
2. Open the computer case and locate an empty PCIe slot. If necessary, follow the instructions that your computer manufacturer supplied. You must only install your nShield 5s module into a PCIe slot. See the instructions that your computer manufacturer supplied to correctly identify the slots on your computer.
User Guide for your module and operating system. If the new module has been supplied from the factory it will already be in factory state.
6. Before you install the software
Before you install the software, you should:
• Install the module. See Installing the module.
• Uninstall any older versions of Security World Software. See Uninstalling existing software.
• If the nShield Remote Administration Client is installed on the machine, remove it. You will also have to re-install it after you have installed the new Security World software version.
6.1.2.3. Network configuration
The nShield 5s appears to the host operating system as a network interface. Communication with the HSM is performed over this interface using IPv6. The install process automatically configures the nShield 5s and any relevant operating system network settings, with the HSM and host software using link-local communication.
World Software. The Java executable must be on your system path. If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported.
You must have Java installed to use KeySafe. 6.1.3.2. Identify software components to be installed Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either: •...
• Test programs The Core Tools bundle includes the Tcl run time component that installs a run-time Tcl installation within the nCipher directories. This is used by the tools for creating the Security World and by KeySafe. This does not affect any other installation of Tcl on your computer.
Component Default Protocol Port Hardserver 9004 Incoming impath connections from other hardservers, for example: * From a cooperating client to the remote file system it is configured to access * From a non-attended host machine to an attended host machine when using Remote Operator Remote Administration 9005...
7. Installing the software This chapter describes how to install the Security World Software on the host computer. After you have installed the software, you must complete further Security World creation, configuration and setup tasks before you can use your nShield environment to protect and manage your keys.
10. Stop the nFast Server service. 11. The nShield installer creates and enables an inbound rule called nShield 5s mDNS allow UDP port 5353 for any program. This enables the discovery of nShield 5s...
13. Start the nFast Server service.
14. If Remote Administration is installed, also start the nFast Remote Administration service.
15. Entrust recommends that you take a backup of your sshadmin key with hsmadmin keys backup path\to\backup_key for backups that will be restored to the same machine.
5. To use an nShield module with your Linux system, you must build a kernel driver. Entrust supplies the source to the NFP and a makefile for building the driver as a loadable module.
If you use the Bourne shell, add these lines to your system or personal profile:
PATH=/opt/nfast/bin:$PATH
export PATH
If you use the C shell, add this line to your system or personal profile:
setenv PATH /opt/nfast/bin:$PATH
9. Entrust recommends that you take a backup of your sshadmin key, e.g. with hsmadmin keys backup /root/.ssh/id_nshield5_sshadmin for backups that will be restored to the /root/.ssh/id_nshield5_sshadmin...
Linux or the privileges of the built-in local Administrators group on Windows:
/opt/nfast/bin/hsmadmin settime
When you are setting the time for the very first time on an nShield 5s HSM, it is recommended to avoid the optional --adjust parameter. This parameter is intended to be used when the HSM is already in ...
9. Checking the installation This section describes what to do if you have an issue with the module or the software. The facilities described below are only available if the software has been installed successfully. 9.1. Checking operational status 9.1.1.
If the mode is initialization or maintenance, the module has been installed correctly, but you must change the mode to operational. See the User Guide for your module and operating system for more about changing the module mode. If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry...
9.2.2. Notice This type of message is sent for information only: nFast server: Notice: message 9.2.3. Client This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected): nFast server: Detected error in client behaviour: message 9.2.4.
9.2.7. Fatal errors This type of message indicates a fatal error for which no further reporting is available: nFast server: Fatal internal error nFast server: Fatal runtime error If you receive either of these errors, contact Support.
10. Status indicators
The nShield 5s HSM is fitted with a tri-color LED on the back panel. This LED shows information about the status of the HSM as shown in the following table.
10.1. Normal operation
Colour Pattern Meaning...
Appendix A: Uninstalling existing software Entrust recommends that you uninstall any existing older versions of Security World Software before you install new software. In Windows environments, if the installer detects an existing Security World Software installation, it asks you if you want to install the new components.
Configuring the nShield Connect to use the client section in the nShield Connect User Guide for more information. Entrust recommends that you do not uninstall the Security World Software unless you are either certain it is no longer required, or you intend to upgrade it.
$ su -
2. Type your password, then press Enter.
3. To remove drivers, install fragments, and scripts and to stop services, run the command:
/opt/nfast/sbin/install -u
4. Delete all the files (including those in subdirectories) in /opt/nfast and /dev/nfast/ by running the following commands:
rm -rf /opt/nfast
rm -rf /dev/nfast
5.
Installing the software. Entrust supply the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, Entrust provide individual components for use with specific applications and features supported by certain Entrust modules.
Linux Package | Windows Feature in the Installer | Content
--- | --- | ---
 | nShield Debug | PDB and .map files for nShield libraries and executables.
 | nShield Device Drivers | Device drivers for PCI and USB attached nShield devices, included in hwsp for Linux.
javasp | nShield Java | nCipherKM JCA/JCE Provider, associated classes (including nFast Java generic stub classes) and the KeySafe application.
• The appropriate User Guide for your module and operating system • The appropriate third-party integration guide for your application Integration guides for third-party applications are available from https://nshieldsupport.entrust.com. B.3. nCipherKM JCA/JCE cryptographic service provider If you want to use the nCipherKM JCA/JCE cryptographic service provider, you must install: •...
B.4. SNMP monitoring agent If you want to use the SNMP monitoring agent to monitor your modules, install the nShield SNMP component (ncsnmp on Linux). During the first installation process of the SNMP agent, the agent displays the following message: If this is a first time install, the nShield SNMP Agent will not run by default.