To teach the nShield 5c about a client, use the front panel:
1. Using the front panel screen and controls (or keyboard), add a new client:
   System (1) > System configuration (1-1) > Client config (1-1-4) > New client (1-1-4-1)
   Enter the client IP address and continue.
2. Choose if you want to store the client IP address in the config file. For a dynamically-allocated IP
   address on the client, you will typically reply No and continue.
3. Select your required permissions. The default is Unprivileged. If you want a privileged connection to
   the client, select Priv. on any port.
4. Choose if you want secure authentication enabled on the client, and configure as described in the
   nShield 5c Installation Guide.
5. If you selected secure authentication, enter the port number for the client, and continue.
   The nShield 5c will search for the client and display an nToken ESN and/or a software key.
6. Choose either the nToken ESN or the software key. A hash is displayed for your selection.
7. Leave the information on screen and enrol the client as described below.

To enrol an nToken client on the nShield 5c, you must use Security World software commands:
1. Log in to the nToken client machine and access a command prompt.
2. Retrieve the client ESN and client hash from the client using the following Security World command:
       ntokenenroll --hashes
   This command produces output that includes the nToken ESN and the hash for the nToken.
3. Return to the nShield 5c front panel and confirm the hash displayed there matches the nToken hash.
4. Enrol the client into the nShield 5c using the following Security World command:
       nethsmenroll --ntoken-esn <ntoken_esn> --privileged <5c_ip_addr> <5c_esn> <5c_hash>
   In the above command, --privileged is optional.

To enrol a non-nToken client on the nShield 5c, you must use Security World commands:
1. Log in to the machine/VM containing the client and access a command line.
2. Retrieve the client hash using the following Security World command:
       enquiry -m0
   This command produces output that includes the kneti hash for the client.
3. Return to the nShield 5c front panel and confirm the hash displayed there matches the kneti hash.
4. Enrol the client into the nShield 5c using the following Security World command:
       nethsmenroll --privileged <5c_ip_addr> <5c_esn> <5c_hash>
   In the above command, --privileged is optional.

For all client types:
1. Retrieve details for all installed modules using the following Security World command:
       enquiry
2. Confirm that the command output includes a module section for the nShield 5c. The section will list the
   nShield 5c ESN and indicate an operational state.
   For example:
       Module #1:
        enquiry reply flags  none
        enquiry reply level  Six
        serial number        <5c_esn>
        mode                 operational
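
As an added example (not part of the Entrust guide), the check in step 2 can be scripted: the shell functions below read enquiry output and succeed only if the module with the given ESN reports mode operational. The ESNs and the sample output are constructed, and the parser assumes each field and its value share one line.

```shell
#!/bin/sh
# Added example, not part of the Entrust guide.

# module_mode ESN: read enquiry output on stdin and print the "mode" value of
# the module section whose "serial number" equals ESN (prints nothing if absent).
module_mode() {
    awk -v esn="$1" '
        /^Module #[0-9]+:/ { in_mod = 1; hit = 0; next }
        in_mod && $1 == "serial" && $2 == "number" { hit = (($3 "") == (esn "")) }
        in_mod && hit && $1 == "mode" { print $2; exit }
    '
}

# check_5c ESN: succeed only if that module is listed and operational.
check_5c() {
    [ "$(module_mode "$1")" = "operational" ]
}

# Constructed sample output (ESNs and the second module's state are made up).
sample_enquiry() {
    cat <<'EOF'
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        AAAA-0000-0001
 mode                 operational

Module #2:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        AAAA-0000-0002
 mode                 maintenance
EOF
}

# Offline demonstration on the constructed sample.
for esn in AAAA-0000-0001 AAAA-0000-0002 AAAA-0000-0003; do
    if sample_enquiry | check_5c "$esn"; then
        echo "$esn: operational"
    else
        echo "$esn: NOT operational or not enrolled" >&2
    fi
done

# On a real client: enquiry | check_5c '<5c_esn>'
```
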
This completes the installation and essential configuration
of the nShield 5c.
MAN10003-00-01
10 May 2022
Product documentation
https://nshielddocs.entrust.com
Copyright © 2022 Entrust Corporation
Entrust nShield® 5c Quick Start Guide
This guide shows how to set up an nShield 5c, with or without access to an installed nToken client, on a
Remote File System (RFS) machine for the first time. For more detailed information about setup
procedures and options, see the Entrust nShield 5c Installation Guide and the appropriate chapters of the
Entrust nShield 5c User Guide.
Check the physical security of the nShield 5c
See the Entrust nShield Connect Physical Security Checklist provided in the box with an nShield 5c and in
the document folder on the installation media.
Install and configure an nToken to act as a client (Optional)
If you intend to use an nToken in another machine to act as a client for the nShield 5c, you can choose to
install and configure the nToken now. This process is described in the nToken Installation Guide. The IP
address of the nToken client will be used later, to add a new client to the nShield 5c.
Install and physically connect the nShield 5c
1. To install the nShield 5c in a 19" rack, follow the instructions supplied with the Entrust nShield Connect
   Slide Rail Kit.
   To install the nShield 5c in a cabinet or a shelf, fit the four self-adhesive rubber feet (supplied with the
   HSM) to the bottom of the HSM. An X is scored into the chassis at each of the four corners as a guide
   to placing the feet. Then place the nShield 5c in its required location.
2. On the rear of the nShield 5c:
   • After ensuring the rocker switches (A) for both power sockets are set to OFF, connect the two
     power cables (B). The green lights will illuminate, indicating that power is available even though
     the unit is OFF.
   • Connect the Ethernet cable for the main subnet to the lower-left Ethernet port (C). Optionally,
     connect the Ethernet cable for a secondary subnet to the lower-right Ethernet port (D).
   • If you are using a rack with a serial port aggregator, connect the Ethernet cable from the
     aggregator (make a note of the port number) to the serial console port (E).
   • Set both rocker switches (F) to ON. The nShield 5c will power up.
3. On the front of the nShield 5c:
   • The power switch (G) flashes blue until the boot sequence completes. It then shows solid blue.
   • The details of the boot sequence appear on the screen (H). You interact with the screen using the
     options buttons (J, K), the scroll wheel (L) and the select button (M).
   • The status LED (N) shows steady blue after the boot completes, and then varies with activity.
   • Optionally, connect a keyboard to the USB serial console port (P). This enables you to bypass the
     option buttons (left/right arrow), the scroll wheel (up/down arrows) and the Select button (Enter).
     Numbers can be typed directly.