nShield® 5c
Installation Guide
13.3
04 May 2023

Summary of Contents for Entrust nShield 5c

  • Page 1
    nShield® 5c Installation Guide 13.3 04 May 2023...
  • Page 2: Table of Contents
    ... 9.3. Basic configuration of the client to use the nShield 5c ...
  • Page 3
    11.1. Flash testing the module ...
  • Page 4: Introduction
    The nShield 5c is configured to communicate with one or more client computers over an Ethernet network. A client is a computer using the nShield 5c for cryptography. You can also configure clients to use other nShield HSMs on the network, as well as locally installed HSMs.
  • Page 5: Handling an nShield 5c
    ... supplies. 1.1.3. Terminology The nShield 5c is referred to as the nShield 5c, the Hardware Security Module, or the HSM. 1.2. Handling an nShield 5c An nShield 5c contains solid-state devices that can withstand normal handling.
  • Page 6: Environmental Requirements
    1.3.1. Temperature and humidity recommendations Entrust recommends that your module operates within the following environmental conditions. Table columns: Environmental conditions | Operating range (Min. | Max.) | Comments ...
  • Page 7: Physical Location Considerations
    1.4. Physical location considerations Entrust nShield HSMs are certified to NIST FIPS 140 Level 2 and 3. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats.
  • Page 8: Recycling and Disposal Information
    2. Recycling and disposal information For recycling and disposal guidance, see the nShield product’s Warnings and Cautions documentation. nShield® 5c Installation Guide 8 of 77...
  • Page 9: Before You Install the Software
    3. Before you install the software Before you install the software, you should: • If required, install an optional nToken in the client computer; see the nToken Installation Guide for more information about the installation steps. • Uninstall any older versions of Security World Software. See Uninstalling existing software.
  • Page 10
    ... World Software. The Java executable must be on your system path. If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported.
  • Page 11
    ... Preparatory tasks before installing software and the nShield 5c User Guide for more about the Remote Administration Service. Always install all the nShield components you need in a single installation process to avoid subsequent issues should you wish to uninstall.
  • Page 12: Firewall Settings
    ... software installation media for more about optional components. 3.2. Firewall settings When setting up your firewall, you should ensure that the port settings are compatible with the HSMs and allow access to the system components you are using. The following table identifies the ports used by the nShield system components. All listed ports are the default setting.
  • Page 13
    You can also restrict the IP addresses accepted by the hardserver in the configuration file. See the nShield 5c User Guide for more about configuration files. Similarly, if you are setting up the Remote Administration Service, you need to open port 9005.
  • Page 14: Installing the Software
    See the nShield 5c User Guide for more about creating a Security World and the appropriate Card Sets, and further configuration or setup tasks.
  • Page 15: Installing the Security World Software on Linux
    ... Control Panel → Administrative Tools of the target Windows machine. If you wish to install the SNMP agent as a service, please consult the SNMP monitoring agent section in the nShield 5c User Guide. 9. Select Finish to complete the installation.
  • Page 16
    tar xf disc-name/linux/ver/<file>.tar.gz In this command, ver is the architecture of the operating system (for example, i386 or amd64), and <file>.tar.gz is the name of a file for that component. See Software packages on the Security World software installation media for more about the component bundles and the additional software supplied on your installation media.
  • Page 17: Before Installing an HSM
    ... Support. 5.3. Check the physical security of the HSM See the nShield Connect and nShield 5c Physical Security Checklist, provided in the box with the HSM. Breaking the security seal or dismantling the HSM voids your warranty cover, and any existing maintenance and support agreements.
  • Page 18: Installing an HSM
    To install the nShield 5c in a 19” rack, follow the instructions supplied with your rack mounting kit. To install the nShield 5c in a cabinet or on a shelf, fit the four self-adhesive rubber feet (supplied with the HSM) to the bottom of the HSM. An is scored into the chassis at each of the four corners on the bottom of the HSM as a guide to placing the feet.
  • Page 19
    ... 5c is viewed from the back. RJ45 port for a serial console cable. If you connect only one Ethernet cable to the nShield 5c, Entrust recommends that you connect it to Ethernet port 1. This is the ...
  • Page 20: Connecting the Serial Console
    ... 5c (see the nShield 5c User Guide). The RJ45 connector for the serial cable is at the rear of the nShield 5c and is labelled Console (see Connecting Ethernet, console and power cables).
  • Page 21: Connecting the Optional USB Keyboard
    6.3. Connecting the optional USB keyboard Instead of using the controls on the front panel to configure the nShield 5c, you can use a US or UK keyboard. You might find a keyboard easier for entering dates and IP addresses.
  • Page 22: Front Panel Controls
    ... USB connector For more information about the user interface, including the front panel controls, see the nShield 5c User Guide. Use the touch wheel to change values or move the cursor on the display screen. To confirm a value, press the Select button.
  • Page 23: Top-Level Menu
    8. Top-level menu If you select an option, the module displays the menu options in the level below. If you cancel a selected option, you return to the level above. * Submenus depend on the settings of the module. 1 System ...
  • Page 24
    2-3-2 Read from a file | 2-3-3 View current state | 2-3-4 Write state to file | 2-4 Set HSM mode | 2-4-1 Operational | 2-4-2 Initialization | 3 Security World mgmt | 3-1 Display World info | 3-2 Module initialization ...
  • Page 25: Basic HSM, RFS and Client Configuration
    9.1.1. Remote file system (RFS) Each nShield 5c must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield 5c needs. See the nShield 5c User Guide for more information about the RFS.
  • Page 26: Basic nShield 5c and RFS Configuration
    • Updated when the nShield 5c is configured. • Exported to the appropriate RFS directory. Each nShield 5c in a Security World has separate configuration files on the RFS. See the nShield 5c User Guide for more about nShield 5c configuration files and advanced configuration options.
  • Page 27
    If the nShield 5c is already configured, you can update the displayed values. If you ever change any of the IP addresses on the nShield 5c, you must update the configuration of all the clients that work with it to reflect the new IP addresses.
  • Page 28
    9.2.1.1.2. IPv6 address notation An nShield 5c will accept an IPv6 address if it is entered in one of the forms shown below and if the address is valid for the context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings: • ...
  • Page 29
    ... Operating System, SLAAC IPv6 addresses are not subject to the same validation rules as addresses entered via the nShield 5c front panel. If SLAAC is to be used to configure nShield 5c IPv6 addresses in preference to statically ...
  • Page 30
    Use Case | Acceptable Address Type: IPv6 Route Entry - Gateway | Global Unicast, Local Unicast, Link-local; RFS Address | Global Unicast, Local Unicast; Client Address | Global Unicast, Local Unicast; Push Client Address | Global Unicast, ...
  • Page 31
    ... IPv6 address(es). SLAAC is disabled by default in an nShield 5c, but can be selectively enabled for each Ethernet interface either using the nShield 5c front panel or by setting the appropriate configuration item and pushing an nShield 5c configuration file.
  • Page 32
    Network configuration IPv4 enable/disable: ENABLE CANCEL FINISH 2. Set the ENABLE/DISABLE field to the required option. 3. To accept, press the right-hand navigation button. 9.2.2.2. Set up IPv4 static address To set up an IPv4 static address: 1. From the front panel menu, select System > System configuration > Network config > ...
  • Page 33
    2. Set the ENABLE/DISABLE field to the required option. 3. To accept, press the right-hand navigation button. 9.2.2.4. Set up IPv6 static address To set up an IPv6 static address: 1. From the front panel menu, select System > System configuration > Network config > ...
  • Page 34
    ... be asked to confirm the changes if auto / 1Gb is not selected. On the nShield 5c, selecting auto / 1Gb is the only means of achieving 1Gb link speed. 3. Press the right-hand navigation button; you are returned to the Set up interface #1 screen and can then continue with the configuration.
  • Page 35
    Network configuration Interface #2 DISABLE CANCEL FINISH 5. Select the ENABLE option. 6. Press the right-hand navigation button to accept. A screen similar to that used for interface #1 is displayed. 9.2.4. Configure an Ethernet bond interface 9.2.4.1. Enable or disable the use of a bond interface 1. ...
  • Page 36
    Bond interface config Update parameter mode: 802.3ad BACK NEXT 3. Set the mode field to the required option, either 802.3ad or active-backup. 4. To accept, press the right-hand navigation button. The following screen displays: Bond interface config Update parameter miimon: 100 BACK NEXT 5. ...
  • Page 37
    Bond interface config Update parameter xmit hash policy: layer2 (only valid for 802.3ad (LACP) mode) BACK NEXT 9. Set the xmit hash policy field to the required option. This parameter is only valid for 802.3ad mode. This setting is ignored in other modes. Options: ◦ ...
  • Page 38
    13. Set the resend igmp field to the required value. Range: 0 - 255. This parameter is only valid for active-backup mode. This setting is ignored in other modes. 14. To accept, press the right-hand navigation button. The following screen displays: Bond interface config Are you sure you wish to change the config?
  • Page 39
    9.2.5.2. Set default gateway for IPv6 To set a default gateway for IPv6: 1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv6 gateway. The following screen is displayed: Gateway configuration Enter IPv6 address of the default gateway: CANCEL ...
  • Page 40
    2. Enter the IPv4 address range details for the route. Press the right-hand navigation button to accept. 9.2.6.2. Set up routing for IPv6 To set a new route entry for IPv6: 1. From the front panel menu, select System > System configuration > Network config > ...
  • Page 41
    9.2.7. Edit route entry 9.2.7.1. Edit IPv4 route entry To edit a route entry for IPv4: 1. From the front panel menu, select System > System configuration > Network config > Set up routing > Edit route entry. The following screen is displayed: ► ...
  • Page 42
    2. Select the IPv6 route to be edited. Press the right-hand navigation button. The following screen is displayed: Edit route entry Enter the IP range and prefix length: 1111:1111::1111:1111:1111:1111:1111:1111/128 CANCEL NEXT 3. Edit the IPv6 route entry. Press the right-hand navigation button. Edit route entry 1111:1111:1111:1111:1111:1111:1111:1111/128 ...
  • Page 43
    ► 1.1.1.1/1 | 3.3.3.3/3 | 1111:1111:1111:1111:1111:1111:1111:1111/128 BACK SELECT 2. Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button. 3. The selected route will be displayed. Press the right-hand navigation button to remove the route.
  • Page 44
    ... NETI clients. It is generated when the nShield 5c is first initialized from factory state. If your network is secure and you know the IP address of the nShield 5c, you can use the anonkneti utility to obtain the ESN and hash of the ...
  • Page 45
    CONTINUE Three options are available: ◦ AUTO: The RFS is only allowed to push configuration files to the nShield 5c if secure authentication is enabled. This is the default value. ◦ ON: The RFS is allowed to push configuration files to the nShield 5c.
  • Page 46
    ◦ OFF: The RFS is not allowed to push configuration files to the nShield 5c. 5. You must then choose whether to enable or disable secure authentication when setting up the RFS. The following screen is displayed: Remote File System ...
  • Page 47
    Check that the ESN also matches the one reported on the nShield 5c display. If the RFS key hash matches the one reported on the nShield 5c display, press the right-hand navigation button to continue the RFS configuration. Otherwise, press the left-hand navigation button to cancel the operation.
  • Page 48
    9.2.12. Enabling config push from a client computer To enable config push from a client computer, on the nShield 5c display, use the right-hand navigation button to select System > System configuration > Config file options > ...
  • Page 49: Basic Configuration of the Client to Use the nShield 5c
    ... TCP sockets. 9.3.1.1. nethsmenroll The nethsmenroll command-line utility edits the client hardserver’s configuration file to add the specified nShield 5c. If the nShield 5c’s ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield 5c to determine what they are, and requests confirmation.
  • Page 50
    <hsm-ip> The IP address of the nShield 5c, which could be one of the following: • An IPv4 address, for example 123.456.789.123. • An IPv6 address, for example fc00::1. • A link-local IPv6 address, for example fe80::1%eth0. • A hostname.
  • Page 51
    ... --help 9.3.2. Configuring a client to communicate through an nToken You can configure a client to use its nToken to communicate with an nShield 5c, if it has one installed. When this happens, the nShield 5c: • Examines the IP address of the client.
  • Page 52: Basic Configuration of an nShield 5c to Use a Client
    9.4. Basic configuration of an nShield 5c to use a client Do the following: 1. On the nShield 5c front panel, use the right-hand navigation button to select System > System configuration > Client config > New client. The following screen is displayed: ...
  • Page 53
    ... IP in the config? (No for dynamic client IPs) BACK NEXT 3. Use the touch wheel to select the connection type between the nShield 5c and the client. Client configuration Please choose the client permissions Unprivileged ...
  • Page 54
    5. On the nShield 5c, enter the number of the port on which the client is listening (the default is 9004), and press the right-hand navigation button. The ...
  • Page 55
    Check that the ESN also matches the one reported on the nShield 5c display. If the client key hash matches the one reported on the nShield 5c display, press the right-hand navigation button to continue the RFS configuration. Otherwise, press the left-hand navigation button to cancel the operation.
  • Page 56: Restarting the Hardserver
    On a serial-enabled nShield 5c (see Model numbers in Introduction) you can configure the nShield 5c and set up the RFS by using the nShield 5c Serial Console rather than the front panel. See the nShield 5c User Guide for more information on the Serial Console.
  • Page 57
    9.6.2.1. Configuring the Remote File System (RFS) via the Serial Console 1. Log in to the nShield 5c Serial Console (see Creating a serial console session in the nShield 5c User Guide), and run the following commands to obtain the ...
  • Page 58
    The RFS nToken KNETI hash and ESN are obtained by running the command (with -H) on the RFS. 9.6.2.2. Allowing configuration files to be pushed to the nShield 5c from a remote computer via the Serial Console In addition to the RFS, the serial push command can be used to allow a remote computer to push configuration files.
  • Page 59: Checking the Installation
    For an example of the output following a successful enquiry command, see Enquiry utility. If you are configuring a client belonging to an nShield 5c, the response to the enquiry command should be populated and the hardware status shown as OK. ...
  • Page 60: Troubleshooting
    10. Troubleshooting This chapter describes what to do if you have an issue with your HSM or your Security World Software. 10.1. Checking operational status Use the following methods to check the operational status of the module. 10.1.1. Enquiry utility Run the enquiry ...
  • Page 61
    ... Existing Security World data on the module has been erased. The module is automatically placed in Initialization mode after a Security World is created. For more information, see the nShield 5c User Guide. Blue LED. Status: Maintenance mode Used for reprogramming the module with new firmware.
  • Page 62
    ... Errors screen. The orange warning LED remains on until you resolve the issue. For more information about identifying and replacing a failed PSU, see the nShield 5c Power Supply Unit Installation Sheet. 10.1.4. Orange warning LED If the orange warning LED is on, the module has encountered a critical error (for example, overheating or PSU failure) that may require immediate action.
  • Page 63
    This warns you of tampering in an operational environment. For more information about tamper detection, including the tamper warning messages, see the nShield Connect and nShield 5c Physical Security Checklist or the nShield 5c User Guide. 10.1.6. Display screen When the module is in Maintenance or Initialization mode, there is a color-coded footer at the bottom of the display screen.
  • Page 64
    Power button | Display screen | Status: On, displaying menus and dialogs | The module is operational. On, displaying messages but not displaying labels for the navigation buttons | The module is running an upgrade. A color-coded footer indicates the specific status: yellow for initialization, red (maintenance) for upgrade.
  • Page 65: Module Overheating
    Ethernet LEDs | Status: Flashes regularly | The status of the Ethernet link is currently unknown (the Ethernet LEDs flash when the module is powering up). There is no Ethernet link. The Ethernet cable is either not connected to the module or the cable is not connected to a functioning Ethernet device.
  • Page 66
    10.3.2. Notice This type of message is sent for information only: nFast server: Notice: message 10.3.3. Client This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected): nFast server: Detected error in client behaviour: message 10.3.4. ...
  • Page 67: Utility Error Messages
    ... Real Time Clock (RTC) operation when the module is powered down. This battery normally lasts for up to two weeks if no power is supplied to the nShield 5c unit. If the module is without power for an extended period, the RTC time is lost. When this ...
  • Page 68: HSM Maintenance
    However, in the very rare event that a PSU or fan tray module requires replacement, contact Support before carrying out the replacement procedure. Do not allow a fan tray to be removed from the nShield 5c for ...
  • Page 69: Approved Accessories
    ... Comments: Slide rail assembly | AC2050 | Optional slide rail assembly and fixing kit. For details of contents, see the nShield Connect and nShield 5c Slide Rails Instructions. USB keyboard | M-030099-L | For more information about using a USB keyboard with the HSM, see ...
  • Page 70: Appendix A: Uninstalling Existing Software
    Appendix A: Uninstalling existing software Entrust recommends that you uninstall any existing older versions of Security World Software before you install new software. In Windows environments, if the installer detects an existing Security World Software installation, it asks you if you want to install the new components.
  • Page 71: Uninstalling the Security World Software on Windows
    Entrust recommends that you do not uninstall the Security World Software unless you are either certain it is no longer required, or you intend to upgrade it. A.1. Uninstalling the Security World Software on Windows Before uninstalling the Security World software, you should back up your %NFAST_HOME% directory.
  • Page 72
    5. If you are not planning to re-install the product, delete the configuration file /etc/nfast.conf if it exists. Do not delete the configuration file if you are planning to re-install the product. 6. Unless needed for a subsequent installation, remove the user nfast and, if it exists, the user ncsnmpd: ...
  • Page 73: Appendix B: Software Packages on the Security World Software Installation Media
    ... Installing the software. Entrust supplies the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, Entrust provides individual components for use with specific applications and features supported by certain ... ncversions command-line utility.
  • Page 74: Components Required for Particular Functionality
    Feature | Content | Linux Package | Windows Installer: nShield Device Drivers | Device drivers for PCI and USB attached nShield devices, included in hwsp for Linux. nShield Java | nCipherKM JCA/JCE Provider, associated classes (including nFast Java generic stub classes) and the KeySafe application | javasp. nShield Java Developer | Java developer libraries and documentation for the nCore API and ...
  • Page 75: nCipherKM JCA/JCE Cryptographic Service Provider
    See the nShield 5c User Guide for more about configuring the nCipherKM JCA/JCE cryptographic service provider.
  • Page 76: SNMP Monitoring Agent
    If this is a first-time install, the nShield SNMP Agent will not run by default. Please see the manual for further instructions. See the nShield 5c User Guide for more about how to activate the SNMP agent after installation.
  • Page 77: Appendix C: Valid IPv6 Addresses
    Appendix C: Valid IPv6 Addresses This appendix provides a list of valid IPv6 addresses for each of the types of addresses recognized by certain parts of the system. For information on setting up IPv6 addresses, see Configuring the Ethernet interfaces - IPv4 and IPv6. Table columns: Address type | Address Range (inclusive) | Example ...