Set Up Thales nShield

Prior to Installation

Refer to the Thales setup guide for instructions on configuring your HSM device, setting up a new security world, and registering the BeyondInsight application as a client of the HSM. Take note of the following values, as they are used during the client configuration step:

  • <HSM IP>: The IP address given to your nShield Connect
  • <HSM ESN>: The serial number of your nShield Connect
  • <HSM HKNETI>: The HKNETI of your nShield Connect
  • <RFS IP>: The IP address of the client hosting the Remote File System (RFS)

You should have received a copy of the Thales Security World client software installation media with your HSM. Copy the ISO file to the target machine.


  1. Double-click to mount the Security World ISO on the BeyondInsight application server.
  2. Run setup.exe and complete the wizard using the default install options.

The BeyondInsight server firewall does not allow incoming connections. Therefore, remote administration and RFS facilities are not available from this server.

Verify Installation

  • During installation, the %NFAST_HOME% variable must be set to C:\Program Files (x86)\nCipher\nfast.
  • This can be verified in Control Panel > System and Security > System > Advanced System Settings > Environment Variables.
  • The variable must be set under System Variables (not the user’s environment variables).

Configure the Software

  1. Edit the System Variable PATH, appending ;%NFAST_HOME%\bin to the existing value. The variable can be edited from the same location in Control Panel that was used to verify %NFAST_HOME% above.
  2. After editing the System PATH, open CMD as administrator and run the enquiry command.
  3. If the output is:
    'enquiry' is not recognized as an internal or external command, operable program or batch file

    then either %NFAST_HOME% or %PATH% was not set properly.

  4. Create a new cknfastrc file in the %NFAST_HOME% directory.
  5. Add the following line to this file:

Initialize Security World

This guide assumes a Thales Security World exists. This can be created on an external RFS machine. Copy the relevant world and module files from the %NFAST_KMDATA%/local folder on the RFS into the corresponding folder on the BeyondInsight server.

BeyondTrust has successfully tested a FIPS 140-2 Level 3 compliant (strictFIPS) security world with the relevant FIPS authorization.

Connect to nShield

Use the commands in the following steps to configure the server as an HSM client:

  1. Open CMD as administrator on the BeyondInsight application server.
  2. Enroll the BeyondInsight application server as a client of the HSM:
    nethsmenroll -f <HSM IP> <HSM ESN> <HSM HKNETI>
  3. Repeat the anonkneti and nethsmenroll commands for each HSM that you have configured in the pod.
  4. Set up the local copy of the Remote File System:
    rfs-setup --gang-client --write-noauth <BeyondInsight IP>
  5. Sync the RFS:
    rfs-sync --setup --no-authenticate <RFS IP>
    rfs-sync --update

This integration has been fully tested using the softcard key protection mechanism. Support for module and Operator Card Set (OCS) key protection modes is being considered for inclusion in future releases.

  1. Create the softcard:
    ppmk --new --recoverable softcard

Back Up and Restore HSM Configuration

  • You must back up the %NFAST_KMDATA%\local directory regularly. These application token files are encrypted.
  • A full restore of this directory's contents is required for a BeyondInsight high availability configuration or while configuring a secondary BeyondInsight server for recovery purposes.
  • Due to the restricted external connections, BeyondTrust recommends a manual copy of the application token files.
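
Because the copy is manual and a restore needs the directory's full contents, it helps to confirm that the copy is complete and unaltered before relying on it. The PowerShell script below is an added example, not part of the BeyondTrust or Thales tooling; it assumes %NFAST_KMDATA% is set on the server, and -BackupPath is a hypothetical location you supply for the copied files.

```powershell
# Added example: compare %NFAST_KMDATA%\local with a manual copy, file by file.
# Assumptions: NFAST_KMDATA is set; -BackupPath is wherever the copy was placed.
param(
    [string]$SourcePath = "$env:NFAST_KMDATA\local",
    [Parameter(Mandatory)][string]$BackupPath
)

function Get-Manifest {
    # Returns a hashtable of relative path -> SHA-256 for every file under $Root.
    param([Parameter(Mandatory)][string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root -ErrorAction Stop).ProviderPath.TrimEnd('\')
    $manifest = @{}   # PowerShell hashtables are case-insensitive, like NTFS paths
    Get-ChildItem -LiteralPath $rootFull -File -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

$src = Get-Manifest -Root $SourcePath
$dst = Get-Manifest -Root $BackupPath

$problems = @()
if ($src.Count -eq 0) {
    # An empty source means there is no world or module data to back up.
    $problems += "Source $SourcePath contains no files"
}

# Walk the union of both file lists so missing, extra and altered files all surface.
foreach ($path in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
    if (-not $dst.ContainsKey($path))     { $problems += "MISSING in backup: $path" }
    elseif (-not $src.ContainsKey($path)) { $problems += "EXTRA in backup:   $path" }
    elseif ($src[$path] -ne $dst[$path])  { $problems += "HASH MISMATCH:     $path" }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error "Backup at $BackupPath does not match $SourcePath; do not use it for a restore."
    exit 1
}

Write-Output "Backup verified: $($src.Count) files match between $SourcePath and $BackupPath."
```

Run it from an elevated prompt after each manual copy; a non-zero exit code means the copy should be repeated before it is treated as a usable backup.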