
nShield® Edge

Installation Guide

12.80

17 Nov 2021

Summary of Contents for nShield Edge


Page 2: ...onal features 15 6 4 Disconnecting and reconnecting the nShield Edge 15 6 5 Checking the installation 16 6 6 Using a Security World 16 7 Using the nShield Edge 17 7 1 Mode LEDs 17 7 2 Changing the mode 18 7 3 Status LED 18 8 Troubleshooting 19 8 1 None of the LEDs are lit 19 8 2 The Mode LED is amber or red 19 8 3 The Status LED is flashing irregularly and the nShield Edge is unresponsive for more...

Page 3: ...rity World Software on Linux 23 Appendix B Software packages 25 B 1 Security World installation media 25 B 2 Components required for particular functionality 26 B 3 nCipherKM JCA JCE cryptographic service provider 27 B 4 SNMP monitoring agent 27 ...

Page 4: ...orld Software See Installing the software Steps to set up an nShield Edge See Setting up the nShield Edge How to use an nShield Edge See Using the nShield Edge Troubleshooting information See Troubleshooting nShield Edge compatibility considerations See nShield Edge Windows compatibility issues and considerations Instructions to uninstall existing software See Uninstalling existing software Softwa...

Page 5: ...1 2 1 Terminology The nShield Edge is referred to as the nShield Edge the hardware security module or the HSM ...

Page 6: ... nShield Edge Developer Edition does not have a hologram and tamper window If there are any signs of tampering do not use the cable and the nShield Edge Where possible use the lock slot of the nShield Edge to secure it to a desk with a compatible lock not supplied Never store or carry smart cards with the nShield Edge Protect your pass phrase in line with your organization s security policy 2 1 FI...

Page 7: ... reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in ...

Page 8: ...es is available from http www microsoft com security 4 1 2 Linux 4 1 2 1 Install operating environment patches Make sure that you have installed the latest recommended patches See the documentation supplied with your operating environment for information 4 1 2 2 Users and Groups The installer automatically creates the following group and users if they do not exist If you wish to create them manual...

Page 9: ...ages specific to your operating system which may depend on other pre installed packages to be able to work Suggested links from which you may download Java software as appropriate for your operating system http www oracle com technetwork java index html http www oracle com technetwork java all 142825 html You must have Java installed to use KeySafe 4 1 3 2 Identify software components to be instal...

Page 10: ...e compatible with the HSMs and allow access to the system components you are using The following table identifies the ports used by the nShield system components All listed ports are the default setting Other ports may be defined during system configuration according to the requirements of your organization Component Default Port Use Hardserver 9000 Internal non privileged connections from Java ap...

Page 11: ...ed 3 Follow the onscreen instructions Accept the license terms Click Next to continue 4 Specify the installation directory Click Next to continue 5 Select all the components required for installation and then click Install All components will be selected by default Unselect via dropdown menu for individual component that you do not wish to install nShield Hardware Support and Core Tools are necess...

Page 12: ..._LOGDIR 5 2 Installing the Security World Software on Linux 1 Log in as a user with root privileges 2 Place the installation media in the optical disc drive and mount the drive 3 Open a terminal window and change to the root directory 4 Extract the required tar files to install all the software bundles by running commands of the form tar xf disc name linux ver file tar gz In this command ver is th...

Page 13: ... If you use the C shell, add this line to your system or personal profile: setenv PATH /opt/nfast/bin:$PATH ...

Page 14: ...Control Panel select Power Option Change plan settings 2 For Put the computer to sleep select Never Linux Set power options to never put computer to sleep 6 2 Connecting an nShield Edge Do the following 6 2 1 Windows Connect the nShield Edge to your computer using the supplied USB cable If your operating system detects the nShield Edge automatically allow it to finish A message appears reporting t...

Page 15: ...s putting the nShield Edge into Initialization I mode See Changing the mode for more information 6 3 Enabling optional features The nShield Edge supports a range of optional features which can be enabled with a certificate or Activator card that you order from Entrust The features that are suitable for the nShield Edge are listed in the Release Notes To enable optional features follow the instruct...

Page 16: ...level Six serial number mode operational version speed index rec queue rec LongJobs queue SEE machine type ARMtype2 supported KML types DSAp1024s160 DSAp3072s256 If the mode is operational the HSM has been installed correctly If the output from the enquiry command says that the module is not found first restart your computer then re run the enquiry command Ensure that the Windows power saving feat...

Page 17: ...t For inserting the required smart card E Card slot LED Lights green when a smart card is inserted F Status LED Shows the status of the nShield Edge G Clear button Clears the memory of the nShield Edge and changes the selected mode When using this button press and hold it for a couple of seconds 7 1 Mode LEDs Red In Maintenance mode Red flashing Maintenance mode selected Amber In Initialization mo...

Page 18: ...hanges the new mode s LED stops flashing and remains lit The Status LED might flash irregularly for a few seconds and then flashes regularly when the nShield Edge is ready Otherwise the nShield Edge remains in the current mode with the appropriate mode LED lit 7 3 Status LED Long blue flash In Operational mode Short blue flash In Maintenance or Initialization mode Irregular flash Changing mode or ...

Page 19: ... couple of seconds Wait a few seconds before using the nShield Edge 8 3 The Status LED is flashing irregularly and the nShield Edge is unresponsive for more than a few minutes The nShield Edge has encountered an error Disconnect the nShield Edge wait a few seconds and then reconnect it 8 4 The Security World Software does not detect the connected nShield Edge Disconnect the nShield Edge wait a few...

Page 20: ... via Windows Update If you are unable to find the drivers you may need to install the Security World Software on the Host If you do so make sure to stop and disable the nFast Server and nFast Edge services on the Host so they do not prevent the Guest from using the unit Make a note of the COM port number of the port 3 Edit the settings of the Virtual machine in Workstation Player Disable the set...

Page 21: ...t the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats Applications running in the environment shall be authenticated to ensure their legitimacy and to thwart possible proliferation of malware that could infiltrate these as they access the HSMs crypt...

Page 22: ...more information If you do delete Security World data it cannot be restored unless you have an up to date backup and a quorum of the Administrator Card Set ACS is available The file nCipherKM jar if present is located in the extensions folder of your local Java Virtual Machine The uninstall process may not delete this file Before reinstalling over an old installation remove the nCipherKM jar file ...

Page 23: ... software back up your NFAST_HOME directory This preserves your key management data hardserver d and any data customizations When upgrading the Security World restore the backup to preserve your PKCS 11 and Soft KNETI authentication settings and any customizations If you delete the opt nfast directory without making a copy of it you will lose these configuration settings When restoring a Security ...

Page 24: ...ast and if it exists the user ncsnmpd a Open the file etc group with a text editor b Remove the line that begins with the form nfast x n In this line n is an integer c Open the file etc passwd with a text editor d Remove the line that begins with the form nfast x e If it exists remove the line that begins with the form ncsnmpd x If required you can safely remove the module after shutting down all ...

Page 25: ...dditional components are supplied on the Security World installation media B 1 1 Component bundles Linux Package Windows Feature in the Installer Content hwsp nShield Hardware Support Hardware Support package including the nShield Server and device driver ctls nShield Core Tools Management utilities including generatekey diagnostic and performance tools Remote Administration Client tools and the P...

Page 26: ...munication between remote clients and their Type3 smartcards and this machine B 2 Components required for particular functionality Some functionality requires particular component bundles or individual components to be installed Support for nShield Edge is shipped by default as part of the nShield Hardware Support component Ensure that you have installed the Hardware Support mandatory and Core Too...

Page 27: ...re information about the Entrust range of Integration Guides Visit https www entrust com documentation Contact Support https nshieldsupport entrust com B 3 nCipherKM JCA JCE cryptographic service provider If you want to use the nCipherKM JCA JCE cryptographic service provider you must install The nShield Java bundle An additional JCE provider nCipherRSAPrivateEncrypt is supplied that is required f...

Page 28: ...e If this is a first time install the product_family SNMP Agent will not run by default Please see the manual for further instructions See the User Guide for your module and operating system for more about how to activate the SNMP agent after installation ...

