Install and configure the Entrust nShield HSM

OCS, Softcard, or Module protection can be used to authorize access to the keys protected by the HSM. Follow your organization’s security policy to select an authorization access method.

Install the HSM

Install the nShield Connect HSM locally, remotely, or remotely via the serial console. See the following nShield Support articles and the Installation Guide for the HSM:

How to locally set up a new or replacement nShield Connect
How to remotely set up a new or replacement nShield Connect
How to remotely set up a new or replacement nShield Connect XC Serial Console model

Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

Install the nShield Security World Software and create the Security World

To install the nShield Security World Software and create the Security World:

Install the Security World software as described in Installation Guide and the User Guide for the HSM. This is supplied on the installation disc.
Add the Security World utilities path C:\Program Files\nCipher\nfast\bin to the system path.
Open the firewall port 9004 for the HSM connections.
Open a command window and run the following to confirm the HSM is operational .

# enquiry Server: enquiry reply flags none enquiry reply level Six serial number 530E-02E0-D947 7724-8509-81E3 09AF-0BE9-53AA 9E10-03E0-D947 mode operational . Module #1: enquiry reply flags none enquiry reply level Six serial number 530E-02E0-D947 mode operational .

ACS cards cannot be duplicated after the Security World is created.

# nfkminfo World generation 2 state 0x37270008 Initialised Usable . . Module #1 generation 2 state 0x2 Usable .

Generate the OCS or Softcard in the CA server

The OCS or Softcard and associated passphrase will be used to authorize access to the keys protected by the HSM. Typically, one or the other will be used, but rarely both.

When selecting your protection method take into consideration:

Your organization’s security policy.
Unattended startup requirements.

The OCS or Softcard needs to the presented initially when configuring the Entrust Authority Security Manager. In production, unattended startup is possible in some scenarios.

Create the OCS

To create the OCS:

Ensure file C:\ProgramData\nCipher\Key Management Data\config\cardlist contains the serial number of the card(s) to be presented, or the wildcard "*".
Open a command window as an administrator.
Run the createocs command as described below, entering a passphrase or password at the prompt.

Create one card for each person with access privilege, plus the spares.

The --persist option allows for removal of the OCS for save storage. Otherwise, the authentication provided by the OCS is only available while the OCS card is inserted in the HSM front panel slot, or the TVD. Note that slot 2 , remote via a Trusted Verification Device (TVD), is used to present the card.

After an Operator Card Set has been created, the cards cannot be duplicated.

# createocs -m1 -s2 -N testOCS -Q 1/1 --persist FIPS 140-2 level 3 auth obtained. Creating Cardset: Module 1: 0 cards of 1 written Module 1 slot 0: Admin Card #1 Module 1 slot 2: empty Module 1 slot 3: empty Module 1 slot 2: blank cardSteps: Module 1 slot 2:- passphrase specified - writing card Card writing complete. cardset created; hkltu = a165a26f929841fe9ff2acdf4bb6141c1f1a2eed

# nfkminfo -c Cardset list - 1 cardsets: (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only Operator logical token hash k/n timeout name 02466cfb08d1115802ebe39920bc562b43b0d43b 1/1 none-PL testOCS

The rocs utility also shows the OCS was created:

# rocs `rocs' key recovery tool Useful commands: `help', `help intro', `quit'. rocs> list cardset No. Name Keys (recov) Sharing 1 testOCS 2 (2) 1 of 1; persistent rocs> quit

Create a Softcard

To create a Softcard:

Run the following command, and enter a passphrase or password at the prompt:

# ppmk -n EntrustSNSoftcard Enter new pass phrase: Enter new pass phrase again: New softcard created: HKLTU d9414ed688c6405aab675471d3722f8c70f5d864

# nfkminfo -s SoftCard summary - 1 softcards: Operator logical token hash name d9414ed688c6405aab675471d3722f8c70f5d864 testSC

The rocs utility also shows that the OCS and Softcard were created:

# rocs `rocs' key recovery tool Useful commands: `help', `help intro', `quit'. rocs> list cards No. Name Keys (recov) Sharing 1 testOCS 2 (2) 1 of 1; persistent 2 testSC 0 (0) (softcard) rocs> quit

This website was last updated on