nShield Security World
nShield Connect v13.3
Install Guide
05 April 2024
Summary of Contents for Entrust nShield Connect 6000

  • Page 5 Chapter 1. Introduction 1. Introduction The Entrust nShield Connect is a Hardware Security Module (HSM) that provides secure cryptographic processing within a tamper-resistant casing. Each nShield Connect is configured to communicate with one or more client computers over an Ethernet network. A client is a computer using the nShield Connect for cryptography.
  • Page 6 Chapter 1. Introduction Model numbering conventions are used to distinguish different nShield hardware security devices. Model number / Used for: NH2047, nShield Connect 6000; NH2040, nShield Connect 1500; NH2033, nShield Connect 500; NH2068, nShield Connect 6000+; NH2061, nShield Connect 1500+; NH2054...
  • Page 7 Chapter 1. Introduction • Current: 2.0 A - 1.0 A • Frequency: 50 Hz - 60 Hz. The module PSUs are compatible with international mains voltage supplies. 1.4. Terminology The nShield Connect is referred to as the nShield Connect, the Hardware Security Module, or the HSM.
  • Page 8 1.8. Physical location considerations Entrust nShield HSMs are certified to NIST FIPS 140 Level 2 and 3. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due...
  • Page 9 Chapter 1. Introduction comprehensive risk mitigation program to assess both logical and physical threats. Applications running in the environment shall be authenticated to ensure their legitimacy and to thwart possible proliferation of malware that could infiltrate these as they access the HSMs’ cryptographic services. The deployed environment must adopt 'defense in depth' measures and carefully consider the physical location to prevent detection of electromagnetic emanations that might otherwise inadvertently disclose cryptographic material.
  • Page 10 Chapter 2. Recycling and disposal information 2. Recycling and disposal information For recycling and disposal guidance, see the nShield product’s Warnings and Cautions documentation.
  • Page 11 Chapter 3. Before you install the software 3. Before you install the software Before you install the software, you should: • If required, install an optional nToken in the client computer, see nToken Installation Guide for more information about the installation steps. •...
  • Page 12 Entrust recommends that you ensure Java is installed before you install the Security World Software. The Java executable must be on your system path. If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported.
  • Page 13 You must have Java installed to use KeySafe. 3.1.3.2. Identify software components to be installed Entrust supply standard component bundles that contain many of the necessary components for your installation and, in addition, individual components for use with supported applications. To be sure that all component dependencies are satisfied, you can install either: •...
  • Page 14 Chapter 3. Before you install the software installation process to avoid subsequent issues should you wish to uninstall. You should not, for example, install the Remote Administration Service from the Security World installation media, then later install the Remote Administration Client from the client installation media.
  • Page 15 Chapter 3. Before you install the software Component / Default Port / Protocol: Audit Logging, syslog. If you plan to use the Audit Logging facility with remote syslog or SIEM applications, you need to allow outgoing connections to the configured UDP port. If you are setting up an RFS or exporting a slot for Remote Operator functionality, you need to open port 9004.
  • Page 16 Chapter 4. Installing the software 4. Installing the software This chapter describes how to install the Security World Software on the computer, client, or RFS associated with your nShield HSM. After you have installed the software, you must complete further Security World creation, configuration and setup tasks before you can use your nShield environment to protect and manage your keys.
  • Page 17 Cryptographic Service Provider (CSP) setup wizards as well as remote management tools under the Windows Start menu: Start > Entrust nShield Security World: ◦ If nShield CSPs (CAPI, CNG) was selected: 32bit CSP install wizard, which sets up CSPs for 32-bit applications.
  • Page 18 Chapter 4. Installing the software 2. Place the installation media in the optical disc drive, and mount the drive. 3. Open a terminal window, and change to the root directory. 4. Extract the required .tar files to install all the software bundles by running commands of the form: tar xf disc-name/linux/ver/<file>.tar.gz In this command,...
  • Page 19 Chapter 5. Before installing an HSM 5. Before installing an HSM 5.1. Carefully unpack the HSM Retain all parts of the HSM packaging, including the outer (brown) shipping carton, in case you have to return the HSM. Your warranty or maintenance agreement does not cover returned modules that are damaged due to shipping in non-approved packaging.
  • Page 20 Chapter 6. Installing an HSM 6. Installing an HSM This chapter describes how to install the nShield Connect in a rack, cabinet, or shelf. For more information about connecting the nShield Connect to the network, and configuring it for connection to one or more clients on the network, see the nShield Connect User Guide.
  • Page 21 RJ45 port for a serial console cable If you connect only one Ethernet cable to the nShield Connect, Entrust recommends that you connect it to Ethernet port 1. This is the left-hand Ethernet connector on the rear of the nShield Connect (shaded in the image).
  • Page 22 Chapter 6. Installing an HSM • Identifying and replacing a faulty PSU, see the nShield Connect Power Supply Unit Installation Sheet. 6.2. Connecting the Serial Console On supported nShield Connect hardware variants (see Model numbers in nShield Security World: nShield Connect v13.3 Install Guide) there is a serial console port that provides access to a serial console command line interface that enables remote configuration of the nShield Connect (see the nShield Connect...
  • Page 23 Chapter 6. Installing an HSM 6.3. Connecting the optional USB keyboard Instead of using the controls on the front panel to configure the nShield Connect, you can use a US or UK keyboard. You might find a keyboard easier for entering dates and IP addresses.
  • Page 24 Chapter 7. Front panel controls 7. Front panel controls Description: Power button; Warning LED (orange); Display screen; Touch wheel; Status indicator LED (blue); Display navigation button (left); Display navigation button (right); Select button; Slot for smart cards; Clear button; USB connector. For more information about the user interface, including the front panel controls, see the nShield Connect User Guide.
  • Page 25 Chapter 8. Top-level menu 8. Top-level menu If you select an option, the module displays the menu options in the level below. If you cancel a selected option, you return to the level above. * Submenus depend on the settings of the module. 1 System ...
  • Page 26 Chapter 8. Top-level menu 2-2 HSM reset; 2-3 HSM feature enable; 2-3-1 Read FEM from card; 2-3-2 Read from a file; 2-3-3 View current state; 2-3-4 Write state to file; 2-4 Set HSM mode ...
  • Page 27 Chapter 9. Basic HSM, RFS and client configuration 9. Basic HSM, RFS and client configuration This chapter describes the initial nShield Connect, RFS and client computer configuration steps. For more about: • Security World Software installation and options, see Installing the software.
  • Page 28 Chapter 9. Basic HSM, RFS and client configuration 9.1.2. HSM configuration The current configuration files for the hardserver of an nShield Connect are stored in its local file system. These files are automatically: • Updated when the nShield Connect is configured. •...
  • Page 29 Chapter 9. Basic HSM, RFS and client configuration Contact your system administrator for this information if necessary. There are two network interfaces on the nShield Connect. Three configurations are supported: • Single network interface. • Two independent network interfaces. You must connect the interfaces to physically different networks. •...
  • Page 30 Chapter 9. Basic HSM, RFS and client configuration • IPv4 only • IPv4 and IPv6 • IPv6 only. Interface #1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled. 9.2.1.1.1.
  • Page 31 Chapter 9. Basic HSM, RFS and client configuration For example, 1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64. The :: abbreviation can only appear once in an IPv6 address. Unless the address is a link-local address, the nShield Connect front panel only allows lower-case letters in an IPv6 address. IPv6 addresses keyed manually on the nShield Connect front panel are validated on entry by the nShield Connect.
  • Page 32 Chapter 9. Basic HSM, RFS and client configuration 9.2.1.1.4. Acceptable IPv6 address by use case The types of IPv6 address which are acceptable as a static address are given in the table below. For examples of valid IPv6 addresses, see Valid IPv6 Addresses.
  • Page 33 Chapter 9. Basic HSM, RFS and client configuration Use Case / Acceptable Address Type: Ping: Unknown, Loopback, Global Unicast, Local Unicast, Link-local, Teredo, Benchmarking, Orchid, 6to4, Documentation, Multicast. Traceroute: Unknown, ...
  • Page 34 Chapter 9. Basic HSM, RFS and client configuration To set up Ethernet interface #1 (default): 9.2.2.1. Enable/disable IPv4 To enable/disable IPv4: 1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv4 > IPv4 enable/disable. The following screen displays: Network configuration IPv4 enable/disable:...
  • Page 35 Chapter 9. Basic HSM, RFS and client configuration 9.2.2.3. Enable/disable IPv6 To enable/disable IPv6: 1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Enable/Disable IPv6. The following screen displays: Network configuration IPv6 enable/disable:...
  • Page 36 NEXT You can choose from auto / 1Gb, 10BaseT, 10BaseT-FDX, 100BaseTX, or 100BaseTX-FDX. Entrust recommends that you configure your network speed for automatic negotiation, using the auto / 1Gb or auto option. You will be asked to confirm the changes if auto / 1Gb is not selected.
  • Page 37 Chapter 9. Basic HSM, RFS and client configuration 3. Press the right-hand navigation button. You are returned to the Set up interface #1 screen and can then continue with the configuration. 9.2.3. Configure Ethernet interface #2 To set up Ethernet interface #2, if required: 1.
  • Page 38 Chapter 9. Basic HSM, RFS and client configuration 2. Set the ENABLE/DISABLE field to the required option. 3. To accept, press the right-hand navigation button. 9.2.4.2. Set up a bond interface 1. From the front panel menu, select System > System configuration > Network config >...
  • Page 39 Chapter 9. Basic HSM, RFS and client configuration Bond interface config Update parameter lacp_rate: slow (only valid for 802.3ad (LACP) mode) BACK NEXT 7. Set the lacp_rate field to the required option, either slow or fast. This parameter is only valid for 802.3ad mode and is ignored in other modes.
  • Page 40 Chapter 9. Basic HSM, RFS and client configuration Bond interface config Update parameter primary device: eth0 (only valid for active-backup mode) BACK NEXT 11. Set the primary device field to the required option, either eth0 or eth1. This parameter is only valid for active-backup mode.
  • Page 41 Chapter 9. Basic HSM, RFS and client configuration CONFIRM 9.2.5. Default gateway 9.2.5.1. Set default gateway for IPv4 To set a default gateway for IPv4: 1. From the front panel menu, select System > System configuration > Network config > Set default gateway > IPv4 Gateway. The following screen is displayed: Gateway configuration Enter IPv4 address of...
  • Page 42 Chapter 9. Basic HSM, RFS and client configuration Gateway configuration Select an interface for link-local address: CANCEL NEXT Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept. 9.2.6. Set up Routing 9.2.6.1. Set up routing for IPv4 To set a new route entry for IPv4: 1.
  • Page 43 Chapter 9. Basic HSM, RFS and client configuration ::/64 CANCEL NEXT 2. Enter the IPv6 address range details for the route. Press the right-hand navigation button to accept. The following screen is displayed: Edit route entry xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/xxx Enter the gateway: BACK NEXT 3.
  • Page 44 Chapter 9. Basic HSM, RFS and client configuration 1111:1111:1111:1111:1111:1111:1111:1111/128 BACK SELECT 2. Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is displayed: Edit route entry Enter the IP range and mask length: 1.
  • Page 45 Chapter 9. Basic HSM, RFS and client configuration 3. Edit the IPv6 route entry. Press the right-hand navigation button. Edit route entry 1111:1111:1111:1111:1111:1111:1111:1111/128 Enter the gateway 2222:2222:2222:2222 BACK NEXT 4. Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway, the screen below will be displayed.
  • Page 46 Chapter 9. Basic HSM, RFS and client configuration 9.2.9. Enable IPv6 SLAAC SLAAC can be enabled/disabled independently on each of the two interfaces. To enable SLAAC: 1. From the front panel menu, select System > System configuration > Network config > Set up interface #1 > Configure #1 IPv6 > Static addr/SLAAC > Select Static/SLAAC.
  • Page 47 Chapter 9. Basic HSM, RFS and client configuration The following nShield Connect information can be obtained automatically (or manually): • The electronic serial number (ESN). • The hash of the KNETI key (the KNETI hash). The KNETI key authenticates the nShield Connect to clients. It is generated when the nShield Connect is first initialized from factory state.
  • Page 48 Chapter 9. Basic HSM, RFS and client configuration ◦ <Unit IP> is the IP address of the nShield Connect. ◦ A285-4F5A-7500 is the ESN of the nShield Connect. ◦ keyhash is the hash of the KNETI key. 2. On the nShield Connect display screen, use the right-hand navigation button to select System >...
  • Page 49 Chapter 9. Basic HSM, RFS and client configuration 5. You must then choose whether to enable or disable secure authentication when setting up the RFS. The following screen is displayed: Remote File System Do you want secure authentication enabled on the RFS? ...
  • Page 50 Chapter 9. Basic HSM, RFS and client configuration Take a copy of the returned key hash and compare it to the value reported on the nShield Connect display. With software-based authentication Run the following command on the RFS: enquiry -m0 This command returns the software key hash, tagged as kneti hash, as part...
  • Page 51 Chapter 9. Basic HSM, RFS and client configuration To modify the RFS at a later date, select System > System configuration > Remote file system, and then select the required action. 9.2.10.1. Systems configured for Remote Administration Before using Remote Administration or configuring NTP, enable config push on the nShield Connect for the RFS or client computer you intend to use for configuration.
  • Page 52 Connect User Guide for more about configuration files. 9.3. Basic configuration of the client to use the nShield Connect 9.3.1. Client configuration utilities Entrust provides the following utilities for client configuration: Utility Description nethsmenroll Used to configure the client to communicate with the nShield Connect.
  • Page 53 Chapter 9. Basic HSM, RFS and client configuration -<hsm-ip> The IP address of the nShield Connect, which could be one of the following: • An IPv4 address, for example 123.456.789.123. • An IPv6 address, for example fc00::1. • A link-local IPv6 address, for example fe80::1%eth0. •...
  • Page 54 Chapter 9. Basic HSM, RFS and client configuration For more information about the options available to use with config-serverstartup, run the command: config-serverstartup --help 9.3.2. Configuring a client to communicate through an nToken You can configure a client to use its nToken to communicate with an nShield Connect, if it has one installed.
  • Page 55 Chapter 9. Basic HSM, RFS and client configuration 3. Do one of the following: If you are enrolling a client with an nToken installed, run the command: nethsmenroll --ntoken-esn <nToken ESN> [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH> If you are enrolling a client without an nToken installed, run the command: nethsmenroll [Options] --privileged <...
  • Page 56 (such as clearing the nShield Connect) which interfere with the normal operation of the nShield Connect. Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. 4. When you have selected a connection option, press the right-hand navigation button.
  • Page 57 Chapter 9. Basic HSM, RFS and client configuration Client configuration Do you want secure authentication enabled on this client? BACK NEXT a. Select and press the right-hand navigation button to configure the client without secure authentication. The authentication of the client will be based on the IP address only.
  • Page 58 Chapter 9. Basic HSM, RFS and client configuration 7. Skip this step if you have not selected secure authentication. The next screen will ask you to verify that the key hash displayed by the nShield Connect matches the client key hash: Remote 3138-147F-2D64 reported the key hash: 691be427bb125f387686...
  • Page 59 Chapter 9. Basic HSM, RFS and client configuration If the client key hash matches the one reported on the nShield Connect display, press the right-hand navigation button to continue the RFS configuration. Otherwise press the left-hand navigation button to cancel the operation.
  • Page 60 Chapter 9. Basic HSM, RFS and client configuration 9.6.1. Configuring the network interfaces via the Serial Console 1. Log in to the nShield Connect Serial Console (see the nShield Connect User Guide). 2. Configure networking on Ethernet Interface #1: a. Set the IP address and netmask of the interface: (cli) netcfg iface=0 addr=0.0.0.0 netmask=0.0.0.0 b.
  • Page 61 Chapter 9. Basic HSM, RFS and client configuration For information on running rfs-setup, see Configuring the Remote File System (RFS). 3. In the nShield Connect Serial Console, configure the RFS using the rfsaddr command. (cli) rfsaddr address[:port] [keyhash [esn]] [push] In this command: ◦...
  • Page 62 Chapter 9. Basic HSM, RFS and client configuration (cli) push ON [address] [keyhash] In this command: • address is the remote computer IP address. It defaults to 0.0.0.0, which allows any address to push. It is not recommended to leave the IP address unrestricted unless keyhash is specified for authentication.
  • Page 63 Chapter 9. Basic HSM, RFS and client configuration If the mode is operational, the HSM has been installed correctly. If the mode is initialization, the HSM has been installed correctly, but you must change the mode to operational. If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the...
  • Page 64 Chapter 10. Troubleshooting 10. Troubleshooting This chapter describes what to do if you have an issue with your HSM, or your Security World Software. 10.1. Checking operational status Use the following methods to check the operational status of the module. 10.1.1.
  • Page 65 Chapter 10. Troubleshooting 10.1.2. Status LED The blue Status LED indicates the operational status of the module. Status LED / Description: Off. Status: Power off or Standby mode. There is either no power supply to the module or the module is in Standby mode. If you suspect that there is no power supply, check that the module is properly connected and switched on.
  • Page 66 Chapter 10. Troubleshooting Status LED / Description: Flashes SOS, the Morse code distress code (three short pulses, three long pulses, three short pulses). Status: Error mode. If the module encounters an unrecoverable error, it enters Error mode. In Error mode, the module does not respond to commands and does not write data to the bus. After flashing SOS, the Status LED...
  • Page 67 Chapter 10. Troubleshooting the cause of a critical error, navigate to System information > View h/w diagnostics > Critical Errors. 10.1.5. Checking the physical security of the module The physical security measures implemented on the module include tamper detection. This warns you of tampering in an operational environment. For more information about tamper detection, including the tamper warning messages, see the nShield Connect Physical Security Checklist or the nShield Connect User Guide.
  • Page 68 Chapter 10. Troubleshooting Power button / Display screen / Status: On, displaying menus and dialogs: The module is operational. On, displaying messages but not displaying labels for the navigation buttons: The module is running an upgrade. A color-coded footer indicates the specific status: yellow for initialization, red (maintenance) for upgrade.
  • Page 69 Chapter 10. Troubleshooting Ethernet LEDs / Status: On, green only: Indicates a 10Mb or 100Mb Ethernet link. On, green and orange: Indicates a 1Gb Ethernet link. 10.2. Module overheating If the internal module of the HSM exceeds the safe operating temperature, the unit stops operating and displays the SOS-T error message on the Status LED.
  • Page 70 Chapter 10. Troubleshooting 10.3.3. Client This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected): nFast server: Detected error in client behaviour: message 10.3.4. Serious error This type of message indicates a serious error, such as a communications or memory failure: nFast server: Serious error, trying to continue: message...
  • Page 71 Chapter 10. Troubleshooting nFast server: Fatal internal error nFast server: Fatal runtime error If you receive either of these errors, contact Support. 10.4. Utility error messages This type of message might indicate an error status when you run a command line utility.
  • Page 72 Chapter 11. HSM maintenance 11. HSM maintenance The nShield Connect contains only two user-replaceable parts: • The PSUs. • The fan tray module. Replacing a PSU or fan tray module does not affect FIPS 140 validations for the HSM, or result in a tamper event. However, in the very rare event that a PSU or fan tray module requires replacement, contact Support before carrying out the replacement procedure.
  • Page 73 Chapter 12. Approved accessories 12. Approved accessories The following parts can be ordered with the HSM or separately. Part Part number Comments Slide rail assembly AC2050 Optional slide rail assembly and fixing kit. For details of contents, see the nShield Connect and nShield 5c Slide Rails Instructions.
  • Page 74 Chapter 13. Uninstalling existing software 13. Uninstalling existing software Entrust recommends that you uninstall any existing older versions of Security World Software before you install new software. In Windows environments, if the installer detects an existing Security World Software installation, it asks you if you want to install the new components.
  • Page 75 Chapter 13. Uninstalling existing software "Configuring the nShield Connect to use the client", for more information. Entrust recommends that you do not uninstall the Security World Software unless you are either certain it is no longer required, or you intend to upgrade it.
  • Page 76 Chapter 13. Uninstalling existing software 2. Type your password, then press Enter. 3. To remove drivers, install fragments, and scripts and to stop services, run the command: /opt/nfast/sbin/install -u 4. Delete all the files (including those in subdirectories) in /opt/nfast and /dev/nfast/ by running the following commands: rm -rf /opt/nfast...
  • Page 77 Installing the software. Entrust supply the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, Entrust provide individual components for use with specific applications and features supported by certain ... ncversions command-line utility.
  • Page 78 Chapter 14. Software packages on the Security World software installation media Linux Package / Windows Feature in the Installer / Content: javasp, nShield Java: nCipherKM JCA/JCE Provider, associated classes (including nFast Java generic stub classes) and the KeySafe application. nShield Java Developer: Java developer libraries and documentation for the nCore API and generic stub.
  • Page 79 Entrust has produced Integration Guides for many supported applications. The Integration Guides describe how to install and configure an application so that it works with Entrust Hardware Security Modules and Security Worlds. For more information about the Entrust range of Integration Guides: •...
  • Page 80 Chapter 14. Software packages on the Security World software installation media nShield SNMP component (ncsnmp on Linux). During the first installation process of the SNMP agent, the agent displays the following message: If this is a first time install, the nShield SNMP Agent will not run by default. Please see the manual for further instructions.
  • Page 81 Chapter 15. Valid IPv6 Addresses 15. Valid IPv6 Addresses This appendix provides a list of valid IPv6 addresses for each of the types of addresses recognized by certain parts of the system. For information on setting up IPv6 addresses, see Configuring the Ethernet interfaces - IPv4 and IPv6. Address type / Address Range (inclusive)