Perform the following configuration steps if any solution requires an Entrust nShield HSM (Hardware Security Module). Skip them if you intend to use an HSM from another vendor.
- Selecting the platform for creating the Entrust nShield Security World
- Selecting the drivers for creating the Entrust nShield Security World
- Adding a cknfastrc file to the Entrust nShield Security World
- Configuring kmdata/config/config in Entrust nShield Security World
- Registering Entrust PKI Hub nodes as Entrust nShield clients
For a complete guide on Security World, see https://nshielddocs.entrust.com/security-world-docs/v12.80/connect-ug-nix/create-manage-security-world.html#CreatingSecurityWorld
Selecting the platform for creating the Entrust nShield Security World
You can create the Entrust nShield Security World on the machine running the Timestamping Authority solution, or on another machine of your choice.
Selecting the drivers for creating the Entrust nShield Security World
Section HSM requirements details the version of the built-in client drivers Entrust solutions use to connect with Entrust nShield HSMs. To avoid potential incompatibilities, use client drivers of the same version when creating the Entrust nShield Security World.
Adding a cknfastrc file to the Entrust nShield Security World
To use the cknfastrc file in Timestamping Authority:
- Copy the file into the Security World kmdata folder that will be imported later as part of the Timestamping Authority configuration. Edit the file and add the following line:
CKNFAST_LOADSHARING=1
- Save the file changes.
Configuring kmdata/config/config in Entrust nShield Security World
The following parameters in the kmdata/config/config file only support the default value.
| Parameter | Default |
|---|---|
| impath_addr | 0.0.0.0 |
| impath_port | 9004 |
To use these default values, simply omit the parameters in the configuration.
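A pre-import check for the kmdata folder covering both requirements above (the CKNFAST_LOADSHARING=1 line in cknfastrc and the default-only impath_addr/impath_port parameters in config/config). This is an added example, not Entrust tooling; it assumes config/config uses key=value lines, and the sample folders it builds are constructed for demonstration.

```shell
#!/bin/sh
# Added example: validate a Security World kmdata folder before it is imported
# into the Timestamping Authority configuration. Assumes key=value lines in
# kmdata/config/config. Usage: check_kmdata /path/to/kmdata (exit 0 = ready).

# non_default_setting FILE KEY DEFAULT -> 0 when KEY is set to a value other
# than DEFAULT in FILE. Omitting the key, or setting the default, is fine.
non_default_setting() {
  [ -f "$1" ] || return 1
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null |
    sed -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//; s/[[:space:]]*$//" |
    grep -qvxF -- "$3"
}

# check_kmdata DIR -> 0 when DIR meets the requirements, 1 otherwise
# (each failed requirement is reported on stderr).
check_kmdata() {
  rc=0
  if ! grep -qx 'CKNFAST_LOADSHARING=1' "$1/cknfastrc" 2>/dev/null; then
    echo "FAIL: $1/cknfastrc must contain the line CKNFAST_LOADSHARING=1" >&2
    rc=1
  fi
  if non_default_setting "$1/config/config" impath_addr 0.0.0.0; then
    echo "FAIL: impath_addr only supports 0.0.0.0; omit it from config/config" >&2
    rc=1
  fi
  if non_default_setting "$1/config/config" impath_port 9004; then
    echo "FAIL: impath_port only supports 9004; omit it from config/config" >&2
    rc=1
  fi
  return $rc
}

# make_sample_kmdata DIR CKNFASTRC_LINE CONFIG_LINE: builds a constructed
# sample folder for demonstration only; real folders come from the Security World.
make_sample_kmdata() {
  mkdir -p "$1/config"
  printf '%s\n' "$2" > "$1/cknfastrc"
  printf '%s\n' "$3" > "$1/config/config"
}
```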
Registering Entrust PKI Hub nodes as Entrust nShield clients
Entrust nShield requires registering each Entrust PKI Hub node as a client. When using an Entrust nShield HSM, repeat the following steps for each node.
To register an Entrust PKI Hub node as an Entrust nShield client
- Run the client registration wizard as explained in https://nshielddocs.entrust.com/security-world-docs/v12.80/connect-ug-nix/configure.html#ConfigureConnectClient
- When prompted Please enter your client IP address, type the node IP address and click Yes.
- When prompted Do you want to save the IP in the config? click Yes.
- When prompted Please choose the client permissions click Unprivileged.
- When prompted Do you want secure authentication enabled on this client? click No.