Entrust nShield Specific Information

This section describes the installation considerations for using the Entrust nShield Hardware Security Module with Validation Authority.

Install the Entrust nShield HSM

  1. Install the nShield HSM and its driver according to the instructions in the formal vendor installation guide. The Validation Authority is compatible with nShield Connect and nShield Solo on Windows and Linux. When the hardware and driver installation is complete, there will be an nCipher directory that contains the nCipher drivers and security worlds. The location of this directory is typically specified through the NFAST_HOME environment variable and may be C:\nfast on Windows or /opt/nfast on Linux systems, depending on installation choices.

  2. If your Validation Authority is not installed as a root user, then follow these steps:

    • Give all permissions to the log directory under /opt/nfast:

      cd /opt/nfast
      chmod -R 777 log/

    • Give all permissions to the local folder under /opt/nfast/kmdata:

      cd /opt/nfast/kmdata
      chmod -R 777 local/
  3. Configure the following ports for JCE use in the nCipher configuration file:

    Open the file /opt/nfast/kmdata/config/config. In the [server_startup] section, add the following:

    • nonpriv_port=9000

    • priv_port=9001

  4. Once the HSM is installed, you must create a Security World in order to securely store your Validation Authority keys. The security world is created using the CSP Install Wizard, as documented in the nShield User Guide. The CSP Install Wizard allows a variety of configurations that can be used to provide strong protection for the Validation Authority keys.

    HID Global recommends the following configuration options when initializing the security world:

    • Configure password protection on the Administrator Card Set (ACS). The ACS can be configured with any desired k-of-n.

    • Configure a FIPS Level 3 security policy.

    • Require an Operator Card Set (OCS) for use of the Security World, with password protection on the OCS usage. Remember the password that is used to configure the OCS. This password must be presented during the configuration and execution of the Validation Authority server. The OCS must be configured with k-of-n using a value of k=1, meaning that one card (with password) is used to execute applications.

    • Require the presence of two different operators for configuration and execution of the Validation Authority. Each individual should choose half the OCS password. Subsequent uses of the Security World will require the presence of both operators who must type one half of the password.

    • The Security World may be configured with a Persistent Security World if the OCS card(s) will not be left with the server after start-up. Read the nShield User Guide for a discussion on the security implications of Persistent versus non-Persistent security worlds.
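Steps 2 and 3 above as a script, an added example that is not taken from the HID Global or Entrust documentation. It assumes the Linux layout used on this page (NFAST_HOME is /opt/nfast and the hardserver configuration file is /opt/nfast/kmdata/config/config) and defaults to the port values 9000 and 9001, both of which can be overridden. The first function edits the [server_startup] section idempotently, so it is safe to re-run; the second, when run as the account that will run Validation Authority, confirms that the log and kmdata/local directories are actually writable by that account, which is the outcome step 2 is after (it gives the same answer whether that access was granted with mode 777 as shown or with ownership and group permissions).

```shell
# Added example (not part of the HID Global / Entrust documentation): applies
# and verifies the post-install steps 2 and 3 on Linux.
# Assumptions: NFAST_HOME defaults to /opt/nfast and the hardserver config is
# $NFAST_HOME/kmdata/config/config, as on the page; the port numbers default
# to the page's values (9000 / 9001).

# Step 3: make sure [server_startup] carries nonpriv_port and priv_port.
# Idempotent: existing lines are rewritten, missing ones are added at the end
# of the section, and the section is appended if the file has none.
ensure_server_startup_ports() {
    cfg="$1"
    nonpriv="${2:-9000}"
    priv="${3:-9001}"
    tmp="$cfg.tmp.$$"
    awk -v np="$nonpriv" -v pp="$priv" '
        function flush() {
            # leaving [server_startup]: emit whichever keys were not seen
            if (insec) {
                if (!seen_np) print "nonpriv_port=" np
                if (!seen_pp) print "priv_port=" pp
                seen_np = 1; seen_pp = 1
            }
        }
        /^\[/ {
            flush()
            insec = ($0 ~ /^\[server_startup\][ \t]*$/)
            if (insec) found = 1
        }
        insec && /^[ \t]*nonpriv_port[ \t]*=/ { print "nonpriv_port=" np; seen_np = 1; next }
        insec && /^[ \t]*priv_port[ \t]*=/    { print "priv_port=" pp;    seen_pp = 1; next }
        { print }
        END {
            if (!found) { print ""; print "[server_startup]"; insec = 1 }
            flush()
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Step 2 check: the account that runs Validation Authority must be able to
# write to $NFAST_HOME/log and $NFAST_HOME/kmdata/local. Run this as that
# account; it returns 1 and names each directory that is not writable.
check_nfast_dirs() {
    home="${1:-${NFAST_HOME:-/opt/nfast}}"
    rc=0
    for d in "$home/log" "$home/kmdata/local"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            echo "writable:     $d"
        else
            echo "NOT writable: $d" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage on a real host (paths as on the page):
#   ensure_server_startup_ports /opt/nfast/kmdata/config/config
#   check_nfast_dirs /opt/nfast
```

The config editor works on a temporary copy and moves it into place only when awk succeeds, so an interrupted run leaves the original file untouched.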

When the CSP Installation Wizard is done, you should be able to access the HSM and view the security world using the low-level enquiry command line tool and the high-level KeySafe application. You should also be able to run the nCipher KeyTool application successfully. Use these tools to determine whether the nCipher environment is running properly before installing Validation Authority.

Note: To run Validation Authority as a LOCAL SERVICE, it must have read and write access to the kmdata directory. If you use an administrator account (for example, the Windows Administrator account) to install and configure the nCipher software, then you must set permissions for the kmdata directory (for example, c:\nfast\kmdata) and all of its contents to permit everyone to read from and write to the directory.

The enquiry application is located in the nfast bin directory:

  • %NFAST_HOME%\bin\enquiry.exe (Win32)

  • ${NFAST_HOME}/bin/enquiry (Linux)

When this application is executed, you should see something like the following output:

./enquiry

Server:
enquiry reply flags none
enquiry reply level Six
serial number CA93-8905-E6C3
mode operational
version 2.59.6
speed index 2196
rec. queue 430..630
level one flags Hardware HasTokens
version string 2.59.6cam1, 2.51.10cam7 built on Sep 11 2012 14:18:04, 2.59.2cam67
checked in 00000000487debd5 Wed Jul 16 05:38:45 2008
level two flags none
max. write size 8192
level three flags KeyStorage
level four flags OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasPCIPush HasKernelInterface HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx
module type code 0
product name nFast server
device name
EnquirySix version 4
impath kx groups
feature ctrl flags none
features enabled none
version serial 0
remote server port 9004

Module #1:
enquiry reply flags UnprivOnly
enquiry reply level Six
serial number CA93-8905-E6C3
mode operational
version 2.51.10
speed index 2196
rec. queue 15..152
level one flags Hardware HasTokens
version string 2.51.10cam7 built on Sep 11 2012 14:18:04, 2.59.2cam67
checked in 000000004856847b Mon Jun 16 08:19:23 2008
level two flags none
max. write size 8192
level three flags KeyStorage
level four flags OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasPCIPush HasKernelInterface HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx
module type code 7
product name nC1003P/nC3023P/nC3033P
device name Rt1
EnquirySix version 6
impath kx groups DHPrime1024 DHPrime3072
feature ctrl flags LongTerm
features enabled ForeignTokenOpen RemoteShare StandardKM PayShield EllipticCurve ECCMQV AcceleratedECC
version serial 25
connection status OK
connection info esn = CA93-8905-E6C3; addr = INET/10.0.3.133/9004; ku hash = db3e76634024e5195e5bd8c16ae2c3c0c09b7976, mech = Any; time-limit = 24h; data-limit = 8MB
max exported modules 20
rec. LongJobs queue 14
SEE machine type PowerPCSXF
supported KML types DSAp1024s160 DSAp3072s256
using impath kx grp DHPrime3072

Before proceeding, inspect this output for any errors. At least one module should be listed, and each listed module should report mode operational.
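The inspection described above, automated as an added example (not from the HID Global or Entrust documentation): the function reads the text that enquiry prints on standard input, counts the Module blocks and flags any module that does not report mode operational or, for a network-attached module such as the one above, connection status OK. The sample report embedded in the block is a constructed, abbreviated copy of the output shown on this page; on a real host you would pipe enquiry into the function instead.

```shell
# Added example (not part of the HID Global / Entrust documentation): reads
# the text printed by `enquiry` on stdin and checks that at least one module
# is listed and that every module reports "mode operational" and, where the
# line is present (network-attached modules), "connection status OK".
# Prints one summary line per module; exit status 1 means attention is needed.
enquiry_module_check() {
    awk '
        /^Module #[0-9]+:/ { cur = $2; sub(":", "", cur); modules[cur] = 1; next }
        cur == ""          { next }                 # lines of the Server: block
        /^serial number[ \t]/     { esn[cur]  = $3 }
        /^mode[ \t]/              { mode[cur] = $2 }
        /^connection status[ \t]/ { conn[cur] = $3 }
        END {
            n = 0; bad = 0
            for (m in modules) {
                n++
                c = (m in conn) ? conn[m] : "n/a"
                ok = (mode[m] == "operational") && (c == "n/a" || c == "OK")
                if (!ok) bad++
                printf "module %s esn=%s mode=%s connection=%s %s\n", m, esn[m], mode[m], c, (ok ? "OK" : "CHECK")
            }
            if (n == 0) { print "no module listed in enquiry output" | "cat 1>&2"; exit 1 }
            exit (bad > 0)
        }
    '
}

# Constructed sample: an abbreviated copy of the enquiry output shown above
# (serial number and connection line taken from the page).
SAMPLE_ENQUIRY='Server:
enquiry reply flags none
serial number CA93-8905-E6C3
mode operational
product name nFast server

Module #1:
enquiry reply flags UnprivOnly
serial number CA93-8905-E6C3
mode operational
product name nC1003P/nC3023P/nC3033P
connection status OK
connection info esn = CA93-8905-E6C3; addr = INET/10.0.3.133/9004; mech = Any'

# Run the check over the sample. On a real host: enquiry | enquiry_module_check
demo_enquiry_check() {
    printf '%s\n' "$SAMPLE_ENQUIRY" | enquiry_module_check
}
```

Because the function only keys on the Module headers and three well-known lines, extra or reordered fields in newer enquiry versions do not disturb it; a report with no Module block at all (for example, when the hardserver is up but the module is not reachable) is reported as a failure rather than silently passing.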

The bin directory also contains other test programs which may be useful for troubleshooting, such as:

  • cspcheck

  • cklist

  • ckinfo

  • chkserv

  • floodtest

When you are satisfied that the nShield HSM is operating properly, you can install Validation Authority and configure it to operate with the HSM as described in the remainder of this chapter.

Install and Configure HSM Support on Validation Authority

Note:

If you are reconfiguring Validation Authority to use the Entrust nShield HSM after the initial installation and configuration, then the following files must be copied from the NFAST_HOME/java/classes/ directory into the Validation Authority library directories named in step 2 below:

  • kmjava.jar

  • nCipherKM.jar

  • jutils.jar

  • nfjava.jar

  • rsaprivenc.jar

  1. Install Validation Authority. See section Installing Validation Authority for Windows or Installing Validation Authority for Linux.

  2. When prompted, enable the Install Support for an HSM option. Then, click Choose to select the library directory that contains the nShield library files, such as NFAST_HOME/java/classes. Then, click Next.

    The Validation Authority Installation will copy the required nCipher library files into the Validation Authority library directories server\WEB-INF\lib and setup\server\WEB-INF\lib.

  3. Continue the remaining Validation Authority installation steps and begin Validation Authority configuration as described in sections Configure Validation Authority for Automatic Start-Up and Shut Down for Windows and Configure Validation Authority for Automatic Start-Up and Shut Down for Linux.

  4. When you are prompted to configure the Keystore, select the Entrust nShield option.

  5. Select the Use an Oracle SunJCE keystore for SSL Key option if you want to store the SSL keys in an Oracle SunJCE keystore. The other keys will be stored in the keystore associated with the provider you selected.

  6. Select the option Regenerate Keys if you want to create new keys or update existing keys. The Validation Authority Configuration utility will create a new set of security keys that are protected by the nShield HSM. For more information on how to regenerate keys, see section Configuring the Keystore.

  7. Click Next and continue with the Validation Authority configuration.
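A check for the library copy that the installer performs in step 2 (and that the note above asks you to repeat by hand when reconfiguring), as an added example that is not from the HID Global or Entrust documentation: it verifies that each of the five jars listed in the note is present in both Validation Authority library directories and is byte-identical to the copy in NFAST_HOME/java/classes, so a jar that was never copied, or a stale copy left behind after an nShield upgrade, is reported. It assumes the two library directories sit under a Validation Authority install root passed as the second argument (the page names them only relative to the installation).

```shell
# Added example (not part of the HID Global / Entrust documentation): verifies
# that the nShield Java libraries named on this page are present in both
# Validation Authority library directories and are byte-identical to the copies
# in $NFAST_HOME/java/classes. Assumed: the two library directories live under
# the Validation Authority install root given as $2 (the page names them
# relative to the installation directory).
NSHIELD_JARS="kmjava.jar nCipherKM.jar jutils.jar nfjava.jar rsaprivenc.jar"

check_nshield_jars() {
    nfast_home="${1:-${NFAST_HOME:-/opt/nfast}}"
    va_home="$2"
    src="$nfast_home/java/classes"
    rc=0
    for jar in $NSHIELD_JARS; do
        if [ ! -f "$src/$jar" ]; then
            echo "MISSING in nShield classes dir: $src/$jar" >&2
            rc=1
            continue
        fi
        # the two directories the installer populates (step 2 above)
        for lib in "$va_home/server/WEB-INF/lib" "$va_home/setup/server/WEB-INF/lib"; do
            if [ ! -f "$lib/$jar" ]; then
                echo "MISSING: $lib/$jar" >&2
                rc=1
            elif ! cmp -s "$src/$jar" "$lib/$jar"; then
                echo "STALE (differs from $src/$jar): $lib/$jar" >&2
                rc=1
            else
                echo "ok: $lib/$jar"
            fi
        done
    done
    return "$rc"
}

# Usage on a real host (Validation Authority install root is an assumed path):
#   check_nshield_jars /opt/nfast /opt/validation-authority
```

A non-zero exit with a STALE line after an nShield driver upgrade is the expected signal that the copy step of the note above has to be repeated before Validation Authority is restarted.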