Install and Configure Entrust nShield HSM

Install the HSM

The HSM must be installed and configured using the tools provided as part of the HSM client software suite. Install the nShield HSM before configuring the Security World Software with your BeyondInsight server, following the instructions in the Installation Guide provided by Entrust. Take note of the following values, as they are used during the client configuration step:

  • <HSM IP>: The IP address given to your nShield Connect
  • <HSM ESN>: The serial number of your nShield Connect
  • <HSM HKNETI>: The HKNETI of your nShield Connect
  • <RFS IP>: The IP address of the client hosting the Remote File System (RFS)

Install Security World Software and Create Security World

The BeyondInsight server firewall does not allow incoming connections. Therefore, remote administration and RFS facilities are not available from this server.

We recommend uninstalling any existing nShield software before installing the new nShield software.

  1. On your BeyondInsight server, install the latest version of the Security World Software as described in Entrust's Installation Guide for the HSM.
  2. Create the Security World as described in Entrust's User Guide for the HSM.
  3. Create the ACS and Softcards you require.
  4. Configure the cknfastrc environment variables:
    • Open the C:\Program Files (x86)\nCipher\nfast\cknfastrc file.
    • Add the following environment variables to the file:
      CKNFAST_FAKE_ACCELERATOR_LOGIN=1
      CKNFAST_NO_ACCELERATOR_SLOTS=0
      CKNFAST_LOADSHARING=1
  5. Update the cardlist file:
    • Go to the C:\ProgramData\nCipher\Key Management Data\Config folder.
    • Open the cardlist file in a text editor and add an asterisk (*) to authorize all Java Cards for dynamic slots.
  6. When configuring BeyondInsight, you must use Softcard protection or module protection. If using a Softcard, you must create it first. Perform the following steps on the BeyondInsight server in a PowerShell terminal as Administrator:
    • Create the Softcard:
      cd "c:\Program Files\nCipher\nfast\bin"
      ./ppmk -n beyondtrustsoftcard
    • Check for the Softcard:
      ./nfkminfo -s
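
The checks below are an added example, not BeyondTrust or Entrust code: a read-only PowerShell audit that confirms the cknfastrc settings from step 4 and the cardlist wildcard from step 5 are in place. The function names are hypothetical, and the '#' comment handling and the asterisk sitting on its own line are assumptions.

```powershell
# Added example: read-only audit of the cknfastrc and cardlist edits (steps 4 and 5).
$CknfastrcPath = 'C:\Program Files (x86)\nCipher\nfast\cknfastrc'
$CardlistPath  = 'C:\ProgramData\nCipher\Key Management Data\Config\cardlist'

# Settings required by step 4 (the Entrust variable name ends in _SLOTS).
$Required = [ordered]@{
    CKNFAST_FAKE_ACCELERATOR_LOGIN = '1'
    CKNFAST_NO_ACCELERATOR_SLOTS   = '0'
    CKNFAST_LOADSHARING            = '1'
}

function Get-KeyValueSetting {
    param([string[]]$Lines)
    # Parse NAME=VALUE lines; the last assignment wins.
    # Assumption: blank lines and lines starting with '#' carry no settings.
    $found = @{}
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        $name, $value = $text -split '=', 2
        if ($null -ne $value) { $found[$name.Trim()] = $value.Trim() }
    }
    return $found
}

function Test-Cknfastrc {
    param([string[]]$Lines, [System.Collections.IDictionary]$Expected)
    $actual = Get-KeyValueSetting -Lines $Lines
    foreach ($name in $Expected.Keys) {
        $status = 'OK'
        if (-not $actual.ContainsKey($name)) { $status = 'MISSING' }
        elseif ($actual[$name] -ne $Expected[$name]) { $status = 'MISMATCH' }
        [pscustomobject]@{
            Setting = $name; Expected = $Expected[$name]
            Actual  = $actual[$name]; Status = $status
        }
    }
}

if (Test-Path -LiteralPath $CknfastrcPath) {
    Test-Cknfastrc -Lines (Get-Content -LiteralPath $CknfastrcPath) -Expected $Required |
        Format-Table -AutoSize
} else { Write-Warning "cknfastrc not found at $CknfastrcPath" }

if (Test-Path -LiteralPath $CardlistPath) {
    # Assumption: step 5's asterisk sits on a line of its own.
    $wildcard = @(Get-Content -LiteralPath $CardlistPath |
        Where-Object { $_.Trim() -eq '*' }).Count -gt 0
    "cardlist wildcard entry present: $wildcard"
} else { Write-Warning "cardlist not found at $CardlistPath" }
```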

For more information on the integration of nShield HSMs and nShield as a Service with Password Safe, please see the content available from the BeyondTrust nFinity HSM Partner Program page.