Perform the following configuration steps if any solution requires an Entrust nShield HSM (Hardware Security Module). Skip them if you intend to use an HSM from another vendor.

Selecting the platform for creating the Entrust nShield Security World

You can create the Entrust nShield Security World on the machine running the Timestamping Authority solution, or on another machine of your choice. 

Selecting the drivers for creating the Entrust nShield Security World

Section HSM requirements details the version of the built-in client drivers Entrust solutions use to connect with Entrust nShield HSMs. To avoid potential incompatibilities, use client drivers of the same version when creating the Entrust nShield Security World.

Adding a cknfastrc file to the Entrust nShield Security World

To use the cknfastrc file in Timestamping Authority: 

  1. Copy the file into the Security World kmdata folder that will be imported later as part of the Timestamping Authority configuration.
  2. Edit the file and add the following line:

    CKNFAST_LOADSHARING=1
  3. Save the file changes.

Configuring kmdata/config/config in Entrust nShield Security World

The following parameters in the kmdata/config/config file only support the indicated values.

Section                  Parameter    Mandatory value  Comment
server_remotecomms       impath_addr  0.0.0.0          You can omit this parameter, as the mandatory value is also the default value
server_remotecomms       impath_port  9004             You can omit this parameter, as the mandatory value is also the default value
server_remotecomms_ipv6  impath_addr                   You can skip this parameter, as it is not evaluated when disabling IPv6
server_remotecomms_ipv6  impath_port  0                This value disables IPv6, as it is not supported

Therefore, the only mandatory contents in this file are the following.

[server_remotecomms_ipv6]
impath_port=0
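A small compliance check for those constraints, added here as an example and not part of the Entrust tooling or the product documentation. It assumes the plain [section] / key=value / '#' comment layout of the config file and the sample texts are constructed:

```python
"""Check an nShield kmdata/config/config file against the mandatory values
listed above. Added example: the parser assumes a plain [section],
key=value, '#' comment layout and does not model other config features."""
import re

# (section, key) -> (required value, value assumed when the key is absent).
# A missing key is acceptable only when its default equals the required value.
REQUIRED = {
    ("server_remotecomms", "impath_addr"): ("0.0.0.0", "0.0.0.0"),
    ("server_remotecomms", "impath_port"): ("9004", "9004"),
    ("server_remotecomms_ipv6", "impath_port"): ("0", None),  # no safe default
}

def parse_config(text):
    """Return {section: {key: value}} from [section]/key=value text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_config(text):
    """Return a list of violations; an empty list means the file is compliant."""
    cfg = parse_config(text)
    problems = []
    for (section, key), (required, default) in REQUIRED.items():
        value = cfg.get(section, {}).get(key, default)
        if value != required:
            problems.append(f"[{section}] {key}={value!r}, must be {required!r}")
    return problems

# Constructed samples: the minimal file from the text, and a file that leaves
# IPv6 enabled and changes the IPv4 impath port.
GOOD = "[server_remotecomms_ipv6]\nimpath_port=0\n"
BAD = ("[server_remotecomms]\nimpath_port=9005\n"
       "# IPv6 left enabled\n[server_remotecomms_ipv6]\nimpath_port=9005\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, check_config(text) or "OK")
```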

Registering Cryptographic Security Platform nodes as Entrust nShield clients

Entrust nShield requires registering each Cryptographic Security Platform node as a client. When using an Entrust nShield HSM, repeat the steps below for each node.

To register a Cryptographic Security Platform node as an Entrust nShield client

  1. Run the client registration wizard as explained in https://nshielddocs.entrust.com/security-world-docs/v12.80/connect-ug-nix/configure.html#ConfigureConnectClient
  2. When prompted Please enter your client IP address, type the node IP address and click Yes.
  3. When prompted Do you want to save the IP in the config?, click Yes.
  4. When prompted Please choose the client permissions, click Unprivileged.
  5. When prompted Do you want secure authentication enabled on this client?, click No.

Integrating an nShield Trusted Verification Device

The nShield Trusted Verification Device (TVD) is a USB-connected smart card reader that facilitates the authentication between the smart card and the HSM. 

To integrate an nShield TVD

  1. Set up the TVD as explained in https://nshielddocs.entrust.com/security-world-docs/tvd/intro.html
  2. Redeploy the solutions that use an HSM for the changes to take effect. You can either use the Management Console or run the clusterctl solution deploy command.