Chapter 1. Introduction

The Entrust nShield Connect is a Hardware Security Module (HSM) that provides secure cryptographic processing within a tamper-resistant casing. Each nShield Connect is configured to communicate with one or more client computers over an Ethernet network. A client is a computer using the nShield Connect for cryptography.
The module draws up to 220 watts:
• Voltage: 100 VAC - 240 VAC
• Current: 2.0 A - 1.0 A
• Frequency: 50 Hz - 60 Hz
The module PSUs are compatible with international mains voltage supplies.
nShield Connect v13.4.5 Install Guide 2/72
Ensure that there is an air gap around the module, and that the rack itself is located in a position with good air flow.

1.7.1. Temperature and humidity recommendations

Entrust recommends that your module operates within the following environmental conditions.
1.8. Physical location considerations

Entrust nShield HSMs are certified to NIST FIPS 140 Level 2 and 3. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats.
Chapter 2. Recycling and disposal information

For recycling and disposal guidance, see the nShield product’s Warnings and Cautions documentation.
3.1.2.1. Install operating environment patches

Make sure that you have installed:
• gcc and the kernel packages (kernel-headers, kernel-devel)
• the latest recommended patches for your environment in general
See the documentation supplied with your operating environment for information.
Entrust recommends that you ensure Java is installed before you install the Security World Software. The Java executable must be on your system path. If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported.
Chapter 3. Before you install the software

3.1.3.2. Identify software components to be installed

Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either:
• ...
You can also restrict the IP addresses accepted by the hardserver in the configuration file. See the nShield Connect User Guide for more about configuration files. Similarly, if you are setting up the Remote Administration Service, you need to open port 9005.
8. Select Install. The selected components are installed in the chosen installation directory. The installer creates links to the following nShield Cryptographic Service Provider (CSP) setup
2. Place the installation media in the optical disc drive, and mount the drive.
3. Open a terminal window, and change to the root directory.
4. Extract the required files to install all the software bundles by running tar commands of the form:
tar xf disc-name/linux/ver/<file>.tar.gz
◦ If you use the Bourne shell, add these lines to your system or personal profile:
PATH=/opt/nfast/bin:$PATH
export PATH
◦ If you use the C shell, add this line to your system or personal profile:
setenv PATH /opt/nfast/bin:$PATH
See the nShield Connect and nShield 5c Physical Security Checklist, provided in the box with the HSM. Breaking the security seal or dismantling the HSM voids your warranty cover, and any existing maintenance and support agreements.
Connect when selecting a location for storage or installation. For more information, see Handling an nShield Connect in nShield Security World: nShield Connect v13.4.5 Install Guide. You cannot install or configure the nShield Connect remotely.
(Figure: the nShield Connect viewed from the back; RJ45 port for a serial console cable)
If you connect only one Ethernet cable to the nShield Connect, Entrust recommends that you connect it to Ethernet port 1. This is the left-hand ...
6.2. Connecting the Serial Console

On supported nShield Connect hardware variants (see Model numbers in nShield Security World: nShield Connect v13.4.5 Install Guide) there is a serial console port that provides access to a serial console command line interface that enables remote configuration of the nShield Connect (see the nShield Connect User Guide).
• The nShield Connect is safely and securely installed.
• The mains cables and Ethernet cable are securely fitted.
• The nShield Connect powers up successfully when you turn on the power supply at the rear of the HSM.
For more information about the user interface, including the front panel controls, see the nShield Connect User Guide. Use the touch wheel to change values or move the cursor on the display screen. To confirm a value, press the Select button.
Each nShield Connect must have a remote file system (RFS) configured. This includes master copies of all the files that the nShield Connect needs. See the nShield Connect User Guide for more information about the RFS.
9.2.1. Configuring the Ethernet interfaces - IPv4 and IPv6

An nShield Connect communicates with one or more clients over an Ethernet network. You must supply IP addresses for the nShield Connect and the client. Contact your system
See the nShield Connect User Guide for more information.

9.2.1.1. IPv4 and IPv6

Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:
• IPv4 only
• If one or more consecutive fields are 0 then they can be replaced by ::. For example:
1234:5678:0:0:0:0:9abc:abcd/64
can be written as
1234:5678::9abc:abcd/64
:: can only appear once in an IPv6 address.
Unless the address is a link-local address, the nShield Connect front panel only allows
The types of IPv6 address which are acceptable as a static address are given in the table below. For examples of valid IPv6 addresses, see Valid IPv6 Addresses.
Use Case | Acceptable Address Type
Static IPv6 Address Entry | • Global Unicast
1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable. The following screen displays:
Network configuration
IPv4 enable/disable:
1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6. The following screen displays:
Network configuration
IPv6 enable/disable:
DISABLE
CANCEL FINISH
3. When the IPv6 address is correct, press the right-hand navigation button. The following screen displays:
Network configuration
IPv6 address
xxxx:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx
Enter prefix length:
BACK NEXT
4. When the IPv6 address prefix details are correct, press the right-hand navigation button.
NEXT
You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX. Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected. On the nShield Connect, selecting auto / 1Gb is the only means of achieving 1Gb link speed.
1. From the front panel menu, select System > System configuration > Network config > Set up bond > Configure bond. The following screen displays:
Bond interface config will use the eth0 IPv4 and IPv6 config if they are enabled
This parameter is only valid for 802.3ad mode. This setting is ignored in other modes.
slow | request LACPDUs to be transmitted every 30 seconds
This parameter is only valid for active backup mode. This setting is ignored in other modes.
12. To accept, press the right-hand navigation button. The following screen displays:
To set a default gateway for IPv4:
1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway. The following screen is displayed:
Gateway configuration
CANCEL NEXT
Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.

9.2.6. Set up Routing

9.2.6.1. Set up routing for IPv4

To set a new route entry for IPv4:
The following screen is displayed:
Edit route entry
xxxx:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx /xxx
Enter the gateway:
BACK NEXT
3. Enter the gateway address; if it is a link-local address, the following screen is displayed.
Enter the IP range and mask length:
1. 1. 1. 1/ 1
Enter the gateway
2. 2. 2. 2
CANCEL FINISH
3. Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.
4. Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway the screen below will be displayed.
Edit route entry
Select an interface for link-local address:
fe80:2222:2222:2222:
2222:2222:2222:2222
Interface #1
BACK NEXT
Do you want to use a static address or SLAAC?
2. Select SLAAC and press the right-hand navigation button.
3. The IPv6 address config selected screen is displayed. Press the right-hand navigation button to accept.
<Unit IP>
In this command, <Unit IP> is the IP address of the nShield Connect, which could be one of the following:
• an IPv4 address
• an IPv6 address, including a link-local IPv6 address
3. The next screen asks for the port number on which the RFS is listening. Enter the port number and press the right-hand navigation button to continue:
Remote File System
Enter port number:
9004
CANCEL CONTINUE
If an nToken is installed in the RFS, you will be asked to choose which authentication key to use. Select the desired option and press the right-hand navigation button:
>0DA8-A5AE-BA0D
Software Key
BACK SELECT
enquiry reply level ...
kneti hash d4c3d757a67416cb9ba31f33febd6ead688629e5
...
With nToken authentication
Run the following command on the RFS:
ntokenenroll -H
This command produces output of the form:
nToken module #1
nToken ESN: 0DA8-A5AE-BA0D
9.2.12. Enabling config push from a client computer

To enable config push from a client computer, on the nShield Connect display, use the right-hand navigation button to select System > System configuration > Config file
9.3. Basic configuration of the client to use the nShield Connect

9.3.1. Client configuration utilities

Entrust provides the following utilities for client configuration:
Utility | Description
nethsmenroll | Used to configure the client to communicate with the nShield Connect.
config-serverstartup | ... TCP ports for Java and KeySafe. Any fields for which values are not specified remain unchanged. After making any changes you are prompted to restart the hardserver, using the following commands:
2. To retrieve the ESN and HKNETI of the nShield Connect, run the command:
anonkneti <Unit IP>
The following is an example of the output:
3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320
If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield
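The anonkneti query is answered over the network without authentication, so the ESN and HKNETI it returns are only as trustworthy as the path between client and HSM. Before enrolling, compare them with the values shown on the HSM's own front panel and pass them to nethsmenroll explicitly rather than letting it fetch them again. The following is an added example, not code from the nShield software or this guide: the function names are the author's own, the sample anonkneti output is constructed from the example above, and the "front panel" values are assumed to have been recorded by the operator beforehand.

```python
"""Verify an nShield Connect's ESN and HKNETI against the front panel before
enrolling a client. Added example code; helper names are the author's own.
"""
import hmac
import re
import shlex

# Sample anonkneti output, constructed from the example shown in the guide.
SAMPLE_ANONKNETI_OUTPUT = "3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320\n"

ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")
HASH_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_anonkneti(output: str) -> tuple[str, str]:
    """Return (esn, hkneti) from the single-line anonkneti output.

    Raises ValueError if the output does not have the expected shape, so an
    empty or malformed reply is never silently treated as a match.
    """
    fields = output.split()
    if len(fields) != 2:
        raise ValueError(f"unexpected anonkneti output: {output!r}")
    esn, hkneti = fields[0].upper(), fields[1].lower()
    if not ESN_RE.match(esn):
        raise ValueError(f"malformed ESN: {esn!r}")
    if not HASH_RE.match(hkneti):
        raise ValueError(f"malformed HKNETI hash: {hkneti!r}")
    return esn, hkneti


def hsm_identity_matches(output: str, expected_esn: str, expected_hash: str) -> bool:
    """True only if both ESN and HKNETI equal the values read from the front panel."""
    try:
        esn, hkneti = parse_anonkneti(output)
    except ValueError:
        return False
    # compare_digest avoids a timing side channel; case is normalised above so
    # a differently-cased transcription from the panel still matches.
    esn_ok = hmac.compare_digest(esn.encode(), expected_esn.upper().encode())
    hash_ok = hmac.compare_digest(hkneti.encode(), expected_hash.lower().encode())
    return esn_ok and hash_ok


def enroll_command(unit_ip: str, output: str, expected_esn: str, expected_hash: str) -> str:
    """Build 'nethsmenroll <ip> <esn> <hkneti>', or raise if the identity does not match.

    Giving the ESN and hash on the command line pins the identity the client
    will trust instead of letting nethsmenroll fetch it over the network again.
    """
    if not hsm_identity_matches(output, expected_esn, expected_hash):
        raise RuntimeError(
            "ESN/HKNETI from anonkneti do not match the HSM front panel; "
            "do not enroll, investigate the network path"
        )
    esn, hkneti = parse_anonkneti(output)
    return shlex.join(["nethsmenroll", unit_ip, esn, hkneti])


if __name__ == "__main__":
    # Values the operator copied from the HSM display beforehand (constructed
    # for this example to match the sample output above).
    panel_esn = "3138-147F-2D64"
    panel_hash = "691be427bb125f38768638a18bfd2eab75623320"
    print(enroll_command("192.0.2.10", SAMPLE_ANONKNETI_OUTPUT, panel_esn, panel_hash))
```

In practice the output string would come from running anonkneti on the client; a mismatch should stop the enrollment rather than be overridden, since a spoofed HKNETI would let an impostor receive the client's work.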
System > System configuration > Client config > New client. The following screen is displayed:
Client configuration
Please enter your client IP address:
CANCEL NEXT
Enter the IP address of the client, and press the right-hand navigation button.
(such as clearing the nShield Connect) which interfere with the normal operation of the nShield Connect. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. 4. When you have selected a connection option, press the right-hand navigation button.
Software-based authentication is only supported from version 12.60.
7. Skip this step if you have not selected secure authentication. The next screen will ask you to verify that the key hash displayed by the nShield
If the client key hash matches the one reported on the nShield Connect display, press the right-hand navigation button to continue the RFS configuration. Otherwise press the left-hand navigation button to cancel the operation.
9.6.1. Configuring the network interfaces via the Serial Console

1. Log in to the nShield Connect Serial Console (see the nShield Connect User Guide).
2. Configure networking on Ethernet Interface #1:
a. Set the IP address and netmask of the interface:
For information on running rfs-setup, see Configuring the Remote File System (RFS).
3. In the nShield Connect Serial Console, configure the RFS using the rfsaddr command:
(cli) rfsaddr address[:port] [keyhash [esn]] [push]
In this command:
(defaults to no key authentication required). Enabling the push feature allows remote computers to change the HSM configuration file and make configuration changes that are normally only available through the HSM secure user interface.
9.8. Using a Security World

See the nShield Connect User Guide for more about creating a Security World or loading an existing one.
supported KML types DSAp1024s160 DSAp3072s256
hardware status ...
If the output from the enquiry utility does not show mode operational, you can use the Status LED to discover the status of the module.

10.1.2. Status LED
If a command does not complete successfully, the module normally writes an error message to the log file and continues to accept further commands. It does not enter Error mode. For information about error codes, see the nShield Connect User Guide.
Text in footer | Meaning
Yellow Initialization | The system is rebooting or waiting for an Administrator Card to be inserted.
Blue Maintenance | An administrative task is being performed. This mode is only entered during firmware upgrades.
The module is unable to start-up or has failed. The error message describes the problem. If you can remedy the problem, do so, and press the Power button to restart the module. Otherwise, contact Support.
1. Select System > System information.
2. Select either:
◦ View system log.
◦ View hardserver log.
The client can store logs, and can configure them to contain different types of message.

10.3.1. Information
These messages indicate a failure of either the module or the server:
nFast server: Serious internal error, trying to continue: message
If you receive a serious internal error, contact Support.

10.3.6. Start-up errors
The correct procedure in this case is to leave the nShield Connect powered up for at least 10 hours to recharge the battery, and then reset the clock. No other nonvolatile data is lost when this occurs.
Because the module is fitted with radio frequency interference suppressors, it is recommended that only a DC test be performed. Repeated application of the flash test can damage safety insulation.
HSM, see Connecting the optional USB keyboard.
Replacement fan tray module | AC2064 | Includes installation instructions.
Replacement PSU | AC2057 | Includes installation instructions.
If you have an enquiry about any of the parts listed, contact Support.
Chapter 13. Uninstalling existing software

Entrust recommends that you uninstall any existing older versions of Security World Software before you install new software. In Windows environments, if the installer detects an existing Security World Software installation, it asks you if you want to install the new components.
Entrust recommends that you do not uninstall the Security World Software unless you are either certain it is no longer required, or you intend to upgrade it.

13.1. Uninstalling the Security World Software on Windows...
userdel -r nfast
userdel -r ncsnmpd
The following commands will remove the groups:
groupdel nfast
groupdel ncsnmpd
If required, you can safely remove the module after shutting down all connected hardware.
Installing the software.
Entrust supply the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, Entrust provide individual components for use with specific applications and features supported by certain ... ncversions command-line utility.
Linux) and the nShield Java (javasp on Linux) components.

14.2.2. Microsoft CAPI CSP and Microsoft Cryptography API: Next Generation (CNG)

If you require the Microsoft CAPI CSP, you must install the nShield CSPs (CAPI, CNG)
• The appropriate third-party integration guide for your application. Entrust has produced Integration Guides for many supported applications. The Integration Guides describe how to install and configure an application so that it works with Entrust Hardware Security Modules and Security Worlds. For more information about the Entrust range of Integration Guides: •...
Chapter 14. Software packages on the Security World software installation media

Please see the manual for further instructions. See the nShield Connect User Guide for more about how to activate the SNMP agent after installation.
Type | First address | Last address | Example
6to4 | 2002:: | 2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2002:cb0a:3cdd:1::1
Documentation | 2001:db8:: | 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 2001:db8:8:4::2
Global Unicast | 2000:: | 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 20ab:45:fa::adb5
Multicast | ff00:: | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | ff01::2
The available addresses in the Global Unicast range are not contiguous.
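The two front-panel rules for writing IPv6 addresses (consecutive zero fields may be collapsed to ::, and :: may appear only once) and the address-type ranges in the table above can be checked on the client before an address is typed into the HSM. The following is an added example, not code from the nShield software or this guide: it expands and compresses addresses using the guide's rules and classifies them against the prefixes in the table (plus the link-local range fe80::/10, which the guide treats specially but the table does not list). The function names are the author's own, and the example goes slightly beyond the text by ordering the ranges so that the Documentation and 6to4 prefixes, which lie inside 2000::/3, are reported before Global Unicast.

```python
"""Expand, compress and classify IPv6 addresses per the front-panel rules.
Added example code; function names are the author's own.
"""
import ipaddress
import string

# Ranges from the table above, most specific first so 2001:db8::/32 and
# 2002::/16 are reported before the enclosing Global Unicast 2000::/3.
ADDRESS_TYPES = [
    ("Documentation", ipaddress.IPv6Network("2001:db8::/32")),
    ("6to4", ipaddress.IPv6Network("2002::/16")),
    ("Global Unicast", ipaddress.IPv6Network("2000::/3")),
    ("Multicast", ipaddress.IPv6Network("ff00::/8")),
    # Not in the table, but the guide handles link-local addresses separately.
    ("Link-Local", ipaddress.IPv6Network("fe80::/10")),
]


def expand_ipv6(text: str) -> list[str]:
    """Return the eight 16-bit fields of an address, applying the '::' rule.

    An optional '/prefix' suffix is ignored. ValueError is raised if '::'
    appears more than once, stands for no field, or the field count is wrong.
    """
    addr = text.split("/", 1)[0]
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {text!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero field: {text!r}")
        fields = left + ["0"] * missing + right
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {text!r}")
    for f in fields:
        if not 1 <= len(f) <= 4 or not all(c in string.hexdigits for c in f):
            raise ValueError(f"bad field {f!r} in {text!r}")
    # Drop leading zeros within a field; a field of all zeros becomes "0".
    return [f.lstrip("0") or "0" for f in fields]


def compress_ipv6(text: str) -> str:
    """Collapse the longest run of zero fields to '::' (leftmost run if tied).

    Follows the guide's wording, under which a single zero field may also be
    collapsed (RFC 5952 would keep a lone zero field as '0'). A '/prefix'
    suffix is preserved.
    """
    addr, sep, prefix = text.partition("/")
    fields = [f.lower() for f in expand_ipv6(addr)]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, f in enumerate(fields + ["x"]):  # sentinel closes a trailing run
        if f == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len == 0:
        compressed = ":".join(fields)
    else:
        head = ":".join(fields[:best_start])
        tail = ":".join(fields[best_start + best_len:])
        compressed = f"{head}::{tail}"
    return compressed + sep + prefix


def classify_ipv6(text: str) -> str:
    """Name the address type from the table, or 'Other' if no range matches."""
    addr = ipaddress.IPv6Address(":".join(expand_ipv6(text)))
    for name, network in ADDRESS_TYPES:
        if addr in network:
            return name
    return "Other"


if __name__ == "__main__":
    # Inputs taken from the guide's own examples.
    for sample in ["1234:5678:0:0:0:0:9abc:abcd/64", "2002:cb0a:3cdd:1::1",
                   "2001:db8:8:4::2", "20ab:45:fa::adb5", "ff01::2"]:
        print(f"{sample:32} -> {compress_ipv6(sample):24} {classify_ipv6(sample)}")
```

Rejecting a second :: before the address reaches the front panel saves a round of retyping on the touch wheel, and the classification makes it obvious when an address falls outside the types the panel will accept as a static address.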