Entrust nShield 5s Install Manual

V13.5.1

nShield Security World
nShield 5s v13.5.1 Install Guide
16 February 2024

Summary of Contents for Entrust nShield 5s

  • Page 1 Security World nShield 5s v13.5.1 Install Guide 16 February 2024...
  • Page 2: Table Of Contents

    Table of Contents 1. Introduction ................ ...
  • Page 3 8. Setting the system clock ............ ...
  • Page 4: Introduction

    Model number Used for NC5536E-B nShield 5s Base NC5536E-M nShield 5s Medium NC5536E-H nShield 5s High 1.1.2. Terminology The nShield 5s is referred to as the nShield 5s, the Hardware Security Module, or the HSM nShield 5s v13.5.1 Install Guide 1/40...
  • Page 5 Chapter 1. Introduction in this guide...
  • Page 6: Hardware Security Modules

    Make sure that the power supply in your computer is rated to supply the required electric power. The PCIe card, nShield 5s, is intended for installation into a certified personal computer, server, or similar equipment. If your computer can supply the required electric power and sufficient cooling, you can install multiple modules in your computer.
  • Page 7: Cooling Requirements

    To maximize airflow, use a PCIe slot with no neighboring modules if possible. If airflow is limited, consider fitting extra cooling fans. The nShield 5s module is a passively cooled PCIe card that requires the ...
  • Page 8: Cooling Recommendations For A Desktop Installation

    2.5. Physical location considerations For the certification of Entrust nShield HSM, refer to the Security Manual. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats.
  • Page 9: Notices

    3. Regulatory notices 3.1. FCC class A notice The nShield 5s HSMs comply with Part 15 of the FCC rules. Operation is subject to the following two conditions: 1. The device may not cause harmful interference, and 2. The device must accept any interference received, including interference that may cause undesired operation.
  • Page 10: Module Pre-Installation Steps

    • Check the epoxy resin security coating for obvious signs of damage. • If you intend to install the module with an external smart card reader, check the cable for signs of tampering. If evidence of tampering is present, do not use and request a...
  • Page 11: Fitting A Module Bracket

    4.4. User Replaceable items If the module has been removed so that a part can be replaced, follow these procedures before installing the module. If no parts need replacing, proceed to Installing the module...
  • Page 12: Replace The Battery

    2. Place the module on a flat surface. 3. Using the tweezers, gently remove the battery from the BT1 connector. 4. Observing the polarity, install the replacement battery in the BT1 connector. 5. Re-install the module into the PCIe slot...
  • Page 13: Installing The Module

    2. Open the computer case and locate an empty PCIe slot. If necessary, follow the instructions that your computer manufacturer supplied. You must only install your nShield 5s module into a PCIe slot. See the instructions that your computer manufacturer supplied to correctly identify the slots on your computer.
  • Page 14 Set up communication between host and module in the User Guide for your module and operating system. If the new module has been supplied from the factory it will already be in factory state...
  • Page 15: Before You Install The Software

    %NFAST_HOME%\bin\ C:\Program the space in Files, nShield commands could fail if is not in PATH. Program NFAST_HOME\bin\ If you cannot change PATH, you will have to enclose all file names and paths that use...
  • Page 16: Linux

    /opt/nfast 6.1.2.3. Network configuration The nShield 5s appears to the host operating system as a network interface. Communication with the HSM is performed over this interface using IPv6. The install process automatically configures the nShield 5s and any relevant operating system network settings, with the HSM and host-software using link-local communication.
  • Page 17: All Environments

    /etc/systemd/network/nshield.network These files instruct the network management service not to configure the nShield 5s interfaces. They will be configured by the nShield host software. This covers all of our supported distributions, and more. If your distribution is not using one of these network management services, you will need to configure the interfaces to have a link-local IPv6 address manually.
  • Page 18 Entrust recommends that you ensure Java is installed before you install the Security World Software. The Java executable must be on your system path. If you can do so, please use the latest Java version currently supported by Entrust that is compatible with your requirements. Java versions before those shown are no longer supported.
  • Page 19: Settings

    HSMs and allow access to the system components you are using. The following table identifies the ports used by the nShield system components. All listed ports are the default setting. Other ports may be defined during system configuration, according to the requirements of your organization...
  • Page 20 You can also restrict the IP addresses accepted by the hardserver in the configuration file. See the User Guide for your module and operating system for more about configuration files. Similarly, if you are setting up the Remote Administration Service you need to open port 9005...
  • Page 21: Installing The Software

    By default, all components are selected. Use the drop-down menu to deselect the components that you do not want to install. nShield Hardware Support and Core Tools are necessary to install the Security World Software...
  • Page 22 The selected components are installed in the installation directory chosen above. The installer creates links to the following nShield Cryptographic Service Provider (CSP) setup wizards as well as remote management tools under Start > Entrust or Entrust nShield Security World (depending on the version of Windows or Windows Server you are running): ◦...
  • Page 23 Chapter 7. Installing the software allow UDP port 5353 for any program. This enables the discovery of nShield 5s modules. If enrollment fails to find any modules in the following step, check that this firewall rule is present and enabled; if it does not exist, create it manually and retry enrollment.
  • Page 24: Installing The Security World Software On Linux

    (see Uninstalling Security World software), then install all the packages that you need from fresh. .rpm You must install the hwsp package first. If you have to re-install hwsp, uninstall it...
  • Page 25 -i disc-name/linux-rpms/<ver>/<file>.rpm 5. To use an nShield module with your Linux system, you must build a kernel driver. Entrust supplies the source to the NFP and a makefile for building the driver as a loadable module. The kernel level driver is installed as part of the bundle.
  • Page 26: Problems During Installation And Commissioning

    ◦ has been upgraded to a firmware version of 13.5 or later but has not performed a factory state operation since the upgrade. If you receive this warning in any other circumstance you should contact Entrust support. 7. Sign in to your normal account.
  • Page 27 When the command is executed it will run a series of diagnostics tests and store the results in a file on the client PC. The information in the file is primarily intended for use by Entrust Support but you may be able to use the information to diagnose the issue yourself. If you are unable to do so, contact Entrust Support and send them a copy of the results file.
  • Page 28: Setting The System Clock

    root on Linux or the privileges of the built-in local Administrators group on Windows: /opt/nfast/bin/hsmadmin settime When you are setting the time for the very first time on an nShield 5s HSM, it is recommended to avoid the optional --adjust parameter. This parameter is intended to be used when the HSM is already in ...
  • Page 29: Installation

    ##..## module type code product name #######/####### rec. LongJobs queue ## SEE machine type None supported KML types DSAp1024s160 DSAp3072s256 active modes none physical serial 48-U50104 hardware part no PCA10005-01 revision 03 hardware status...
  • Page 30: Enquiry Utility

    NFAST_SERVERLOGLEVEL, see the User Guide for your module and operating system. NFAST_SERVERLOGLEVEL is a legacy debug variable. 9.2.1. Information This type of message indicates routine events: nFast Server service: about to start nFast Server service version starting...
  • Page 31: Notice

    If you receive a serious internal error, contact Support. 9.2.6. Start-up errors This type of message indicates that the server was unable to start: nFast server: Fatal error during startup: message nFast Server service version failed init...
  • Page 32: Fatal Errors

    This type of message indicates a fatal error for which no further reporting is available: nFast server: Fatal internal error nFast server: Fatal runtime error If you receive either of these errors, contact Support...
  • Page 33: Hsm Status And Error Codes

    10. HSM status and error codes The Entrust nShield 5s HSM is fitted with a tri-color LED on the back panel. This LED will typically indicate the operational state of the HSM, see status.
  • Page 34: Error Codes Shown On The Led

    If the Entrust nShield 5s HSM encounters an unrecoverable error, it enters an error state. In an error state, the HSM does not respond to commands and does not write data to the bus.
  • Page 35 Library signature verification failed 2-3-3 . . - - - . . . I O S FPGA initialisation failed 2-3-4 . . - - - ..I O H Init script failed...
  • Page 36: Error Codes Accessed Remotely

    O L K SIGOSERROR: runtime library internal error. O L L SIGUNKNOWN: invalid signal raised. 10.3.2. Hardware driver errors The hardware driver error codes described in the following table indicate one of the following:...
  • Page 37 • Some form of automatic hardware detection has failed. • There is a bug in the firmware. • The wrong firmware has been loaded. If any of these errors is indicated, contact Entrust Support. Code Meaning M48T37 NVRAM (or battery) failed.
  • Page 38: Operational Mode Errors

    Audit logging: key problem or FIPS Contact Entrust Support. incompatibility (therefore failed to sign audit log message). I J D Audit logging: NVRAM problem (therefore Contact Entrust Support. failed to configure or send audit log message)...
  • Page 39: Uninstalling Security World Software

    11. Uninstalling Security World software Refer to the User Guide for your HSM for instructions on how to uninstall Security World software...
  • Page 40: Software Packages On The Security World Installation Media

    Installing the software. Entrust supply the hardserver and associated software as bundles of common components that provide much of the required software for your installation. In addition to the component bundles, provide individual components for use with specific applications and features supported by certain Entrust modules.
  • Page 41: Components Required For Particular Functionality

    You must install the hwsp component if you are using an nShield PCI card. 12.2.1. KeySafe To use KeySafe, install the nShield Core Tools (ctls on Linux) and the nShield Java (javasp on Linux) components...
  • Page 42: Microsoft Capi Csp And Microsoft Cryptography Api: Next Generation (Cng)

    During the first installation process of the SNMP agent, the agent displays the following message: If this is a first time install, the nShield SNMP Agent will not run by default. Please see the manual for further instructions...
  • Page 43 Chapter 12. Software packages on the Security World installation media See the User Guide for your module and operating system for more about how to activate the SNMP agent after installation...