Entrust nShield HSM Integration Guide

Prerequisites

Cloud Client Software Setup

Note: If you are setting up an on-premises HSM, skip to prerequisite step 2.

  1. Download the Client Software from the Entrust Support Portal.

  2. Unzip the zip file.

  3. Run the installer as an administrator.

  4. Select Client Installation only.

  5. Unpack and configure the Cloud HSM bundle, which should include:

    • nshield-cloud.conf

    • cloud.cert

    • client.key

    • client.cert

    • Optionally: module.nkn, module.dns

  6. Place them in the C:\ProgramData\nCipher\Security World\cloud folder.

On-Premises HSM Client Software Setup

  1. Download the Client Software from the Entrust Support Portal.

  2. Unzip the zip file.

  3. Run the installer as an administrator.

  4. Select the options you need to install.

Security World Configuration

  1. The following steps require access to an elevated command prompt or root.

  2. Test access to nSRES with the following command:

    anonkneti --port 9014 [Assigned HSM IP Address]

    Note: To check the version of Security World installed on the client, issue the following command:

    anonkneti -v

    Entrust recommends using the latest Security World Client for integration testing.

  3. The command should return two values, the module's Serial Number (ESN) and its KNETI hash, in the form:

    [ESN] [KNETI HASH]

  4. Copy the world and module files from the email into the Security World client's kmdata/local folder:

    • Windows: C:\ProgramData\nCipher\Key Management Data\local

    • Linux: /opt/nfast/kmdata/local

  5. If switching to new nSRES-nSRTL module(s), you must first unregister the previous module(s):

    nethsmenroll --remove --port [Port Assignment] [Assigned HSM IP Address] [ESN] [KNETI HASH]

  6. To enroll, use the following command for each IP address:

    anonkneti --port 9014 [Assigned HSM IP Address]

    nethsmenroll --port 9014 [Assigned HSM IP Address]

    Note: Repeat steps 1-6 above as necessary to enroll each IP address for HA testing.

  7. To test HSM connectivity, use the following diagnostic command(s):

    enquiry

    Note: enquiry will confirm that the module is connected and provide a list of available nShield features.

    and/or

    nfkminfo

    Note: nfkminfo will display information about the Security World.

  8. To benchmark the module and verify the consistency of the Security World, use the following command(s):

    perfcheck -m1 signing:287

    Note: perfcheck runs a performance test against the module.

    and/or

    nfkmcheck

    Note: nfkmcheck will check the consistency of the Security World data.
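Steps 3, 5 and 6 rely on the ESN and KNETI hash that anonkneti reports, and the safe practice is to compare those values with the ones received out of band before enrolling. The script below is an added example, not part of the Entrust guide: it parses a constructed anonkneti output line, checks it against expected values, and only then builds the nethsmenroll command (passing ESN and hash in the same argument order the guide uses for --remove). The ESN, hash and IP address are placeholder values.

```shell
#!/bin/sh
# Added example (not part of the Entrust guide): check the ESN and KNETI hash
# that anonkneti reports for an HSM against the values received out of band,
# and only then build the nethsmenroll command for it.

# Expected identity of the HSM, as supplied with the world/module files.
# Constructed placeholder values; replace with the real ones for your unit.
EXPECTED_ESN="1234-5678-9ABC"
EXPECTED_KNETI="0123456789abcdef0123456789abcdef01234567"
HSM_IP="192.0.2.10"     # documentation address, constructed
HSM_PORT=9014

# Split anonkneti's "ESN KNETI-HASH" line; print "esn hash" or fail.
parse_anonkneti() {
    set -- $1                       # word-split the raw output
    [ "$#" -eq 2 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# Return 0 when the reported identity matches the expected one, 1 otherwise.
# $1 expected ESN, $2 expected KNETI hash, $3 raw anonkneti output.
verify_hsm_identity() {
    parsed=$(parse_anonkneti "$3") || return 1
    esn=${parsed%% *}
    # Hashes are hex, so compare them case-insensitively.
    hash=$(printf '%s' "${parsed##* }" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$esn" = "$1" ] || return 1
    [ "$hash" = "$want" ] || return 1
    return 0
}

# Print the enrolment command with the verified ESN and hash given explicitly
# (same argument order the guide shows for nethsmenroll --remove).
enroll_command() {
    printf 'nethsmenroll --port %s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# Live use would be: output=$(anonkneti --port "$HSM_PORT" "$HSM_IP")
# A constructed output line stands in here so the script runs offline.
SAMPLE_OUTPUT="1234-5678-9ABC 0123456789ABCDEF0123456789ABCDEF01234567"
if verify_hsm_identity "$EXPECTED_ESN" "$EXPECTED_KNETI" "$SAMPLE_OUTPUT"; then
    echo "identity verified; enroll with:"
    enroll_command "$HSM_PORT" "$HSM_IP" "$EXPECTED_ESN" "$EXPECTED_KNETI"
else
    echo "ESN/KNETI mismatch: do not enroll this module" >&2
fi
```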