Installation Guide - NShield Connect
Thales e-Security
nShield® Connect
Installation Guide
Version: 7.4
Copyright in this document is the property of Thales UK Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic
means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party
without the prior written permission of Thales UK Limited neither shall it be used otherwise than for the
purpose for which it is supplied.
Words and logos marked with ® or ™ are trademarks of Thales UK Limited or its affiliates in the EU and
other countries.
Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Thales UK Limited makes no warranty of any kind with regard to this information, including, but not
limited to, the implied warranties of merchantability and fitness for a particular purpose. Thales UK
Limited shall not be liable for errors contained herein or for incidental or consequential damages
concerned with the furnishing, performance or use of this material.
Where translations have been made in this document English is the canonical language.
Model numbers 10
Additional documentation 10
Terminology 10
Typographical conventions 11
Environmental requirements 13
Cooling requirements 14
FCC class A notice 15
Avis juridiques 15
Classe A de la FCC 15
Rechtliche Informationen 16
Hinweis FCC-Klasse A 16
Notificaciones reglamentarias 17
Windows environments 18
Unix Environments 18
All environments 19
Firewall settings 24
Installing on Solaris 26
Installing on AIX 27
Installing on HP-UX 29
Client configuration 40
Default gateway 48
Set up Routing 50
Configure the TCP sockets on the client for Java applications (for example, KeySafe) 59
1 System 66
2 HSM 67
Enquiry utility 69
Status LED 70
Audible warning 71
Display screen 71
Power button 72
Ethernet LEDs 72
Information 73
Notice 73
Client 74
Serious error 74
Start-up errors 74
Fatal errors 74
Uninstalling on Solaris 79
Uninstalling on AIX 80
Uninstalling on HP-UX 81
Uninstalling on Linux 82
Component bundles 83
Component bundles 84
Individual components 85
Component bundles 85
Individual components 86
KeySafe 92
Internet addresses 95
- Installing the Security World Software. See Chapter 4: Installing the software on page 25.
- Physically installing an nShield Connect. See Chapter 6: Installing an nShield Connect in a rack, cabinet, or shelf on page 34.
- Configuring an nShield Connect and client. See Chapter 7: Basic nShield Connect and client configuration on page 39.
- The nShield Connect front panel controls. See Chapter 8: Front panel controls on page 63.
- The top-level menu of an nShield Connect. See Chapter 9: Top-level menu on page 65.
- Troubleshooting information. See Chapter 10: Troubleshooting on page 69.
- nShield Connect maintenance. See Chapter 11: nShield Connect maintenance on page 76.
- Accessories. See Chapter 12: Approved accessories on page 77.
- Instructions to uninstall existing software. See Appendix A: Uninstalling existing software on page 78.
- Software components and bundles. See Appendix B: Components on Security World Software installation media (Windows and Unix) on page 83.
See the nShield Connect User Guide for more about, for example:
For information on integrating Thales products with third-party enterprise applications, see
http://www.thales-esecurity.com/knowledge-base/.
Note: The module PSUs are compatible with international mains voltage supplies.
Additional documentation
You can find additional documentation in the document directory of the installation media for your
product.
For information about enabling additional features (such as client licences), see the User Guide.
We strongly recommend that you read the release notes in the release directory of your installation
disc before you use the module. These notes contain the latest information about your product.
Terminology
The nShield Connect is referred to as the nShield Connect, the hardware security module, or the HSM.
The internal security module of the nShield Connect is referred to as the internal security module.
When Thales hardware security products are referred to in general, the term hardware security module
or HSM is used.
Pay particular attention to any warnings and cautions accompanied by the following symbols:
Connect only to a mains power supply whose voltage matches that shown on the rating plate. The rating plate is located on the underside of the product.
To disconnect the nShield Connect, make sure that the IEC power cords or the mains sockets are easily accessible.
To isolate the power, remove all power cables from the nShield Connect (refer to the instructions shown on the rear of the unit, above each power supply unit).
The M4 stud on the rear panel of the nShield Connect is a functional earth terminal for EMC purposes. Do not connect protective earth conductors to this terminal.
Do not connect the RJ45 sockets to network equipment located outside the building or to telecommunications equipment.
Connect only to earthed power sockets. The nShield Connect is of Class 1 construction and must be earthed.
Connect only to power sockets whose voltage matches that shown on the rating plate. The rating plate is fitted on the underside of the unit, near the rear.
Make sure that the IEC sockets of the cable set or the mains plugs are easily accessible so that you can disconnect the nShield Connect at any time.
To isolate the module from the power supply, remove all power cables from the nShield Connect (see the instructions on the rear of the unit, above the individual power supply units (PSUs)).
The M4 stud on the rear of the nShield Connect is a functional earth terminal for EMC filtering. Do not connect protective earth conductors to this terminal.
Never connect RJ45 plugs to network equipment outside the building or to telecommunications equipment.
If you are installing the module in a 19” rack, make sure that you follow the nShield Connect
Slide Rails Instructions provided with the rails. In particular, be careful of sharp edges.
Only experienced personnel should handle or install an nShield Connect. Always consult your company
health and safety policy before attempting to lift and carry the module. Two competent persons are
required if it is necessary to lift the module to a level above head height (for example, during installation
in a rack or when placing the module on a high shelf).
Measurements given are height x width x length/depth. If the inner slide rails are attached, the width
of the unpackaged module is 448mm.
Environmental requirements
To ensure good air flow through and around the module after installation, do not obstruct either the fans
and vents at the rear or the vent at the front. Ensure that there is an air gap around the module, and
that the rack itself is located in a position with good air flow.
Table: operating range (environmental conditions with min., max. and comments)
The nShield Connect is designed to operate in moderate climates only. Never operate the
module in dusty, damp, or excessively hot conditions.
Never install, store, or operate the module at locations where it might be subject to dripping
or splashing liquids.
In the unlikely event that the internal encryption module overheats, the module shuts down (see Module
overheating on page 73). If the whole nShield Connect overheats, the orange warning LED on the
front panel illuminates (see Orange warning LED on page 71) and a critical error message is shown on
the display.
To help ensure adequate cooling, check that the front and the rear vents on the module are
not blocked.
2. This device must accept any interference received, including interference that may cause
undesired operation.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This equipment generates,
uses, and can radiate radio frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the user will be
required to correct the interference at his own expense.
Legal notices
FCC Class A
This nShield Solo HSM complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
Legal information
FCC Class A notice
The nShield Solo HSM meets the requirements of Part 15 of the FCC Rules. Operation of the device is subject to the following two conditions:
This device has been tested in accordance with Part 15 of the FCC Rules and complies with the limits for Class A digital devices. These limits are designed to provide reasonable protection against harmful interference when the device is operated in an industrial environment. This device generates, uses, and can radiate radio frequency energy and, if it is not installed and used in accordance with the instructions in the user manual, may interfere with radio communications. Operation of this device in residential areas may cause harmful interference. In such a case the user must correct the interference at his own expense.
Regulatory notices
FCC Class A notice
This nShield Solo HSM complies with Part 15 of the Federal Communications Commission (FCC) Rules. Operation is subject to the following two conditions:
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user is obliged to remedy the interference at his own expense.
- Install an optional nToken in the client computer, if required. See the nToken Installation Guide for more information about the installation steps.
- Uninstall any older versions of Security World Software. See Appendix A: Uninstalling existing software on page 78.
- Complete any other necessary preparatory tasks, as described in Preparatory tasks before installing software.
Windows environments
Adjust your computer's power saving settings to prevent sleep mode.
Make sure that you have installed the latest Microsoft security updates. Information about Microsoft
security updates is available from http://www.microsoft.com/security/.
Unix Environments
Make sure that you have installed the latest recommended patches. See the documentation supplied
with your operating environment for information.
On Unix platforms, if you have applications built against previous versions of nflibs, to maintain backwards compatibility you must request the creation of the symbolic link /dev/nfast, which points to /opt/nfast/sockets.
To have the link created during the startup sequence, create /etc/nfast.conf with the entry:
NFAST_CREATEDEVNFAST=1
The installer automatically creates the following group and users if they do not exist. If you wish to
create them manually, you should do so before running the installer.
- The nfast user in the nfast group, using /opt/nfast as the home directory.
- If you are installing snmp, the ncsnmpd user in the ncsnmpd group, using /opt/nfast as the home directory.
- If you are installing the Remote Administration Service, the raserv user in the raserv group, using /opt/nfast as the home directory.
All environments
The following versions of Java have been tested to work with, and are supported by, your Thales
Security World Software:
Make sure Java is installed before you install the Security World Software. The Java executable must be on your system path.
If you can do so, please use the latest Java version currently supported by Thales that is compatible with
your requirements. Java versions before those shown are no longer supported. If you are maintaining
older Java versions for legacy reasons, and need compatibility with current Thales software, please
contact Thales support.
To install Java you may need installation packages specific to your operating system, which may depend
on other pre-installed packages to be able to work.
Operating System   Download site
AIX                http://www.ibm.com/developerworks/systems/library/es-JavaOnAix_install.html
HPUX               https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXJAVAHOME
various            http://www.oracle.com/technetwork/java/index.html
various            http://www.oracle.com/technetwork/java/all-142825.html
Thales supply standard component bundles that contain many of the necessary components for your
installation and, in addition, individual components for use with supported applications. To be sure that
all component dependencies are satisfied, you can install either:
During the installation process, you are asked to choose which bundles and components to install. Your
choice depends on a number of considerations, including:
Note: In Windows environments, you must install the Hardware Support bundle. If the Hardware
Support bundle is not installed, your module cannot function.
Thales recommends that you always install the Core Tools bundle. This bundle contains all the Security
World Software command-line utilities, including:
- generatekey
- Low level utilities
- Test programs
You need to install the Remote Administration Service component if you require remote administration
functionality. See Planning to use the Remote Administration Service on page 21 and the User Guide
for more about the Remote Administration Service.
Note: Always install all the nShield components you need in a single installation process to avoid
subsequent issues should you wish to uninstall. You should not, for example, install the Remote
Administration Service from the Security World installation media, then later install the
Remote Administration Client from the client installation media.
Ensure that you have identified any optional components that you require before you install the Security
World Software. See Appendix B: Components on Security World Software installation media
(Windows and Unix) on page 83 for more about optional components.
The remote access solution that your organization normally uses, such as SSH or a remote desktop
application is also required (illustrated by Remote Access Server in Figure 1. Deploying the Remote
Administration Service with nShield Connects on page 22 ).
A secure private communications channel, such as VPN, should always be used for the connection
between the Remote Administration Client and the Remote Administration Service if they are on
separate computers.
To use Remote Administration with nShield Connects, the Remote Administration Service must be
installed on a client, which may also be the RFS. The client must allow privileged connections.
A privileged connection is required to carry out privileged operations, such as, for example, changing
the mode of the nShield Connect.
Remote Administration Cards cannot be used until their serial numbers have been added to the
Authorized Card List. See the User Guide for further details.
The following table identifies the ports used by the nShield system components. All listed ports are the
default setting. Other ports may be defined during system configuration, according to the requirements
of your organization.
Component                       Default port   Use
Hardserver                      9004           - From an nShield Connect to the Remote File System (RFS)
                                               - From a non-attended nShield Connect to an attended host machine when using Remote Operator
Hardserver in nShield Connect   9004           Incoming impath connections from client machines
Remote Administration Service   9005           Incoming connections from Remote Administration Clients
If you are setting up an RFS or exporting a slot for Remote Operator functionality, you need to open
port 9004. You may restrict the IP addresses to the addresses you expect to use this port. You can also
restrict the IP addresses accepted by the hardserver in the configuration file. See the User Guide for
your module and operating system for more about configuration files. Similarly if you are setting up the
Remote Administration Service you need to open port 9005.
After you have installed the software, you must complete further Security World creation, configuration
and setup tasks before you can use your nShield environment to protect and manage your keys. See the
User Guide for more about creating a Security World and the appropriate card sets, and further
configuration or setup tasks.
See the User Guide for more about configuring silent installations and uninstallations under Windows.
Note: In the following instructions, disc-name is the name of the mount point of the installation
media.
Installing on Solaris
To install the Security World Software for Solaris:
/usr/sbin/pkgadd -d /cdrom/disc-name/solaris/ver/type/nfast/nfast.pkg
In this example, disc-name is the mount point of the installation media, ver is the version of
Solaris (for example, use 11 for Solaris version 11) and type is amd64 for Solaris x86 and
sparc for Solaris Sparc.
4. From the list of packages available for installation, select all required packages, press Enter and
follow the on-screen instructions.
5. Run the install script by using the following command:
/opt/nfast/sbin/install
After the software is installed, you are returned to the shell prompt.
PATH=/opt/nfast/bin:$PATH
export PATH
- If you use the C shell, add this line to your system or personal profile:
Note: See Create a symbolic link to /opt/nfast/sockets on page 19 for information about maintaining backwards compatibility if you have applications built against previous versions of nflibs.
Installing on AIX
To install the Security World Software for AIX:
smit install_latest
4. Select List to display the input device or directory for the software, and select the location that
contains the installation image.
5. For SOFTWARE to install, select List, and then select all required file sets. See Appendix B: Components on Security World Software installation media (Windows and Unix) on page 83 for more about the component bundles and the additional software supplied on your installation media.
6. Press Enter to confirm the file set selection.
When additional installation options are displayed, leave the default settings enabled. Press
Enter to confirm these settings, and then press Enter again to begin the installation.
7. After software installation is complete, run the install script with the following command:
/opt/nfast/sbin/install
PATH=/opt/nfast/bin:$PATH
export PATH
- If you use the C shell, add this line to your system or personal profile:
Note: See Create a symbolic link to /opt/nfast/sockets on page 19 for more about maintaining backwards compatibility if you have applications built against previous versions of nflibs.
swinstall -s disc-name/hpux/ver/nfast/nfast.dep
In this example, disc-name is the mount point of the installation media and ver is the version of
HP-UX (for example, use 11_31 for HP-UX version 11.31).
4. Select all the required software bundles and components for installation. See Appendix B:
Components on Security World Software installation media (Windows and Unix) on page 83 for
more about the component bundles and the additional software supplied on your installation
media.
5. Select Install from the Actions menu.
6. When the installation analysis is complete, click OK. If the installer reports any errors, click
Logfile to display them.
7. Click Yes to confirm you want to install.
8. The installer now installs the selected products. When it is complete, click the Done button.
9. Log in as root.
10. Run the install script by using the following command:
/opt/nfast/sbin/install
PATH=/opt/nfast/bin:$PATH
export PATH
- If you use the C shell, add this line to your system or personal profile:
Note: See Create a symbolic link to /opt/nfast/sockets on page 19 for information about maintaining backwards compatibility if you have applications built against previous versions of nflibs.
tar xf disc-name/linux/ver/nfast/bundle/file.tar
In this command, ver is the version of the operating system (for example, libc6_11), bundle is
the directory name of a given bundle (for example, hwsp or ctls), and file.tar is the name of a
.tar file within a bundle directory.
Note: Some directories contain more than one .tar file.
See Appendix B: Components on Security World Software installation media (Windows and
Unix) on page 83 for more about the component bundles and the additional software supplied
on your installation media.
5. Run the install script by using the following command:
/opt/nfast/sbin/install
PATH=/opt/nfast/bin:$PATH
export PATH
- If you use the C shell, add this line to your system or personal profile:
Note: See Create a symbolic link to /opt/nfast/sockets on page 19 for information about maintaining backwards compatibility if you have applications built against previous versions of nflibs.
enquiry
Module ##:
enquiry reply flags none
enquiry reply level Six
serial number ####-####-####
mode operational
version #.#.#
speed index ####
rec. queue ##..##
...
version serial ##
connection status OK
connection info esn = ####-####-####; addr =
####/###.##.##.###/####; ku hash = xxxxx, mech = Any; time-limit = 24h;
data-limit = 8MB
image version #.#.#######
max exported modules 3
rec. LongJobs queue ##
SEE machine type PowerPCSXF
supported KML types DSAp1024s160 DSAp3072s256
using impath kx grp DHPrime3072
hardware status OK
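Checking the enquiry output programmatically is one way to confirm a client's view of its HSMs after installation. The following is an added example in Python, not from the guide or from Thales; SAMPLE_ENQUIRY is a constructed sample that follows the layout of the template above, and its serial numbers, addresses, versions and the non-OK values for Module #2 are invented for the demonstration.

```python
"""Health check over the text output of the nShield `enquiry` utility.

Added example, not from the guide or the product. SAMPLE_ENQUIRY is constructed to
follow the layout of the enquiry template in the guide; all values are invented."""
import re

SAMPLE_ENQUIRY = """\
Server:
 enquiry reply flags  none
 mode                 operational
 version              12.50.2
 connection status    OK
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        1234-5678-9abc
 mode                 operational
 version              12.50.2
 speed index          4800
 rec. queue           19..152
 version serial       26
 connection status    OK
 connection info      esn = 1234-5678-9abc; addr = INET/192.0.2.10/9004; ku hash = a1b2c3d4e5f6, mech = Any;
                      time-limit = 24h; data-limit = 8MB
 image version        12.50.2-35
 max exported modules 3
 rec. LongJobs queue  30
 SEE machine type     PowerPCSXF
 supported KML types  DSAp1024s160 DSAp3072s256
 using impath kx grp  DHPrime3072
 hardware status      OK
Module #2:
 enquiry reply flags  none
 serial number        2345-6789-abcd
 mode                 initialization
 connection status    Lost
 hardware status      OK
"""

# Field names from the guide's enquiry template, longest first so that a line such as
# "version serial" is matched before the shorter "version".
FIELDS = sorted([
    "enquiry reply flags", "enquiry reply level", "serial number", "mode", "version",
    "speed index", "rec. queue", "version serial", "connection status", "connection info",
    "image version", "max exported modules", "rec. LongJobs queue", "SEE machine type",
    "supported KML types", "using impath kx grp", "hardware status",
], key=len, reverse=True)

SECTION_RE = re.compile(r"^(Server|Module #\d+):\s*$")


def parse_enquiry(text):
    """Return {section name: {field: value}} for the Server block and each Module block."""
    sections = {}
    current = None
    last_field = None
    for raw in text.splitlines():
        m = SECTION_RE.match(raw)
        if m:
            current = sections.setdefault(m.group(1), {})
            last_field = None
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        field = next((f for f in FIELDS if line.startswith(f)), None)
        if field is not None:
            current[field] = line[len(field):].strip()
            last_field = field
        elif last_field is not None:
            # enquiry wraps long values (connection info) onto indented continuation lines
            current[last_field] += " " + line
    return sections


def parse_connection_info(value):
    """Split 'esn = ...; addr = ...; ku hash = ..., mech = ...' into a dict."""
    info = {}
    for item in re.split(r"[;,]", value):
        if "=" in item:
            key, _, val = item.partition("=")
            info[key.strip()] = val.strip()
    return info


def module_problems(sections):
    """List problems for each Module block; an empty list means every module looks healthy."""
    problems = []
    for name, fields in sections.items():
        if not name.startswith("Module"):
            continue  # the Server block describes the local hardserver, not an HSM
        mode = fields.get("mode", "missing")
        if mode != "operational":
            problems.append(f"{name}: mode is {mode!r}, expected 'operational'")
        for status in ("connection status", "hardware status"):
            if fields.get(status, "OK") != "OK":
                problems.append(f"{name}: {status} is {fields[status]!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_enquiry(SAMPLE_ENQUIRY)
    print(parse_connection_info(parsed["Module #1"]["connection info"]))
    for problem in module_problems(parsed) or ["all modules operational"]:
        print(problem)
```

To check a real client, replace SAMPLE_ENQUIRY with the captured output of enquiry.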
Note: Any optional parts ordered, for example slide rail components, might not appear on the
packing list. If any optional components are missing, contact Support.
Breaking the security seal or dismantling the nShield Connect voids your warranty cover, and
any existing maintenance and support agreements.
Always handle modules correctly. For more information, see Handling an nShield Connect on
page 12.
Take due account of the weight and dimensions of the nShield Connect when selecting a
location for storage or installation ( see Handling an nShield Connect on page 12).
To install the nShield Connect in a 19” rack, follow the instructions supplied with your rack mounting kit.
To install the nShield Connect in a cabinet or a shelf, fit the four self-adhesive rubber feet (supplied with
the HSM) to the bottom of the HSM. An X is scored into the chassis at each of the four corners on the
bottom of the HSM as a guide to placing the feet.
Figure 2. Connecting Ethernet and power cables (nShield Connect back view)
Key   Description
A     Green LED (if on, confirms power is on and unit is not in standby mode).
B     Rocker switch (to turn PSU on and off).
C     Ethernet cable. Two Ethernet ports are available. Port 1 is the left-hand connector when the nShield Connect is viewed from the back.
D     Mains power cables.
The connectors for Ethernet cables and mains power cables are at the rear of the nShield Connect (see
Figure 2). Ensure that:
Note: If you connect only one Ethernet cable to the nShield Connect, we recommend that you
connect it to Ethernet port 1. This is the left-hand Ethernet connector on the rear of the
nShield Connect (shaded in Figure 2).
If the green LED is on, the PSU is operational and receiving power, and is not in standby mode. If a
power cable is not fitted correctly, or a rocker switch is not turned on, an audible warning is given and
the orange warning LED on the front panel is turned on.
Ensure all power cables are routed to avoid sharp bends, hot surfaces, pinches, and abrasion.
Instead of using the controls on the front panel to configure the nShield Connect, you can use a US or
UK keyboard (see Figure 3). You might find a keyboard easier for entering dates and IP addresses. You
connect the keyboard to the USB connector on the front of the nShield Connect.
When you have connected a keyboard and configured the nShield Connect for its use, you can enter
numbers and characters directly into the display. See the User Guide for more about using a keyboard
and keystroke shortcuts.
- Security World Software installation and options, see Chapter 4: Installing the software on page 25
- Installing the optional nToken and software, see the nToken Installation Guide
- The menu options, see Top-level menu on page 65
- Advanced nShield Connect and client configuration options, see the User Guide
- Each client hardserver to communicate with the hardserver of the nShield Connect that it needs to use.
- The nShield Connect hardserver to communicate with the hardserver of the clients that are allowed to use it.
Note: Multiple nShield Connects can be configured to communicate with one client, just as multiple
clients can be configured to communicate with one nShield Connect.
Each nShield Connect in a Security World has separate configuration files on the RFS. See the User
Guide for more about nShield Connect configuration files and advanced configuration options.
Client configuration
The current configuration files for the hardserver of a client are stored in its local file system. You must
load the configuration file for it to be used.
See the User Guide for more about client configuration files and advanced configuration options.
Note: The following steps assume that you have added the path %NFAST_HOME%\bin (Windows) or
/opt/nfast/bin/ (Unix-based systems) to the PATH system variable.
You can specify up to two network interfaces for the nShield Connect.
Note: If you are configuring both network interfaces, you should not use the same subnet for both
interfaces.
- Interface addresses
- Default gateway
- Network routes
- Network speed.
If the nShield Connect is already configured, you can update the displayed values.
If you ever change any of the IP addresses on the nShield Connect, you must update the configuration
of all the clients that work with it to reflect the new IP addresses.
Note: By default, the hardserver listens on all interfaces. However, you can choose to set specific
network interfaces on which the hardserver listens. This may be useful in cases such as if one
of the Ethernet interfaces is to be connected to external hosts. See the User Guide for more
information.
Support for IPv6 is in addition to IPv4. Both Ethernet interfaces can be configured to support:
- IPv4 only
- IPv4 and IPv6 (dual stack)
- IPv6 only.
Note: Interface #1 is enabled by default and cannot be disabled. Interface #2 is disabled by default and can be enabled and disabled.
IPv6 Addresses
An IPv4 address is 32 bits long and typically represented as 4 octets, for example 192.168.0.1. An
IPv6 address is 128 bits long and is made up of a subnet prefix (n bits long) and an interface ID (128 -
n bits long).
An IPv6 address and its associated subnet is typically represented by the notation ipv6-address/prefix-
length, where:
The IPv6 address notation mirrors the way subnets are represented in the IPv4 Classless Inter-Domain
Routing (CIDR) notation.
An nShield Connect will accept an IPv6 address if it is entered in one of the forms shown below and if the address is valid for the context in which it is used. There are two conventional forms for representing IPv6 addresses as text strings:
1. The long representation is x:x:x:x:x:x:x:x, where each x is a field containing the hexadecimal value (0 to ffff) of 16 bits of the address. For example:
   - 1234:2345:3456:4567:5678:6789:789a:89ab
   - 1234:5678:0:0:0:0:9abc:abcd/64
2. If one or more consecutive fields are 0 then they can be replaced by ::. For example:
   - 1234:5678:0:0:0:0:9abc:abcd/64 can be written as 1234:5678::9abc:abcd/64
Note: The nShield Connect front panel only allows lower case hexadecimal characters (a-f) in an
IPv6 address.
IPv6 addresses keyed manually on the nShield Connect front panel are validated on entry by the
nShield Connect. As well as checking that the format of the address is correct, the nShield Connect also
validates that the address entered is valid for the context in which it will be used, see Acceptable IPv6
Address by Use Case on page 43.
If Stateless Address Auto Configuration (SLAAC) is enabled, the nShield Connect automatically forms IPv6 addresses from the network prefixes contained in Router Advertisements (RAs). RAs are received directly by the nShield Connect operating system, which forms IPv6 addresses by combining the network prefixes contained in the RA with the MAC address of the receiving Ethernet interface. Because they are created by the operating system, SLAAC IPv6 addresses are not subject to the same validation rules as addresses entered via the nShield Connect front panel. If SLAAC is to be used to configure nShield Connect IPv6 addresses in preference to statically entered addresses, network planners must take care to ensure that the prefixes advertised to the nShield Connect are of a suitable type; see Acceptable IPv6 Address by Use Case on page 43.
IPv6 Compliance
A new sub-menu (1-1-1-8 - Set IPv6 compliance) has been added to the nShield Connect front panel
menu to permit the User to select an IPv6 compliance mode for an nShield Connect. Compliance with
USGv6 or IPv6 ready can be selected.
Both these modes change the settings for the nShield Connect firewall so that it will pass-through
packets which are discarded in the normal Default mode. This behaviour is required for compliance
testing but is not recommended for normal use since allowing packets with invalid fields or parameters
through the firewall increases the attack surface. When either USGv6 or IPv6 ready are selected, a
confirmation message is displayed to reduce the likelihood that they are enabled by accident.
It is recommended that the IPv6 compliance mode is set to Default for all normal operations.
The types of IPv6 address that are acceptable for each use case are given in the table below. For
examples of valid IPv6 addresses, see Appendix C: Valid IPv6 Addresses on page 94.

Use case                        Acceptable IPv6 address types
Static IPv6 Address Entry       Global Unicast, IPv4 Mapped, Local Unicast
IPv6 Default Gateway            Global Unicast, IPv4 Mapped, Local Unicast, Link-local
IPv6 Route Entry - IP Range     Unknown, Loopback, Global Unicast, IPv4 Mapped, Local Unicast,
                                Link-local, Teredo, Benchmarking, Orchid, 6to4, Documentation,
                                Multicast
IPv6 Route Entry - Gateway      Global Unicast, IPv4 Mapped, Local Unicast, Link-local
RFS Address                     Global Unicast, IPv4 Mapped, Local Unicast, Unspecified address
Client Address                  Global Unicast, IPv4 Mapped, Local Unicast
Push Client Address             Global Unicast, IPv4 Mapped, Local Unicast
Ping                            Unknown, Loopback, Global Unicast, IPv4 Mapped, Local Unicast,
                                Link-local, Teredo, Benchmarking, Orchid, 6to4, Documentation,
                                Multicast
Traceroute                      Unknown, Loopback, Global Unicast, IPv4 Mapped, Local Unicast,
                                Link-local, Teredo, Benchmarking, Orchid, 6to4, Documentation,
                                Multicast
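The table above is easy to misread when planning addresses, so the following Python is an added example (not code from this guide or from the Security World Software) that classifies an IPv6 address into the types the table names and checks whether a planned entry is acceptable for a given use case, for instance before pushing a configuration file. The prefix ranges are the standard IANA assignments for each type; mapping "Orchid" to both ORCHID blocks and mapping anything unassigned (including deprecated site-local space) to "Unknown" are assumptions, since the guide does not define those two names.

```python
"""Added example: classify IPv6 addresses into the types used by the
Acceptable IPv6 Address by Use Case table and validate planned entries.
Not part of the nShield Connect software."""
import ipaddress

# Address types, most specific first, so that e.g. a Documentation address is
# not reported as plain Global Unicast. "Orchid" covering both RFC 4843 and
# RFC 7343 blocks is an assumption; the guide only names "Orchid".
_TYPES = [
    ("Unspecified",    "::/128"),
    ("Loopback",       "::1/128"),
    ("IPv4 Mapped",    "::ffff:0:0/96"),
    ("Teredo",         "2001::/32"),
    ("Benchmarking",   "2001:2::/48"),
    ("Orchid",         "2001:10::/28"),
    ("Orchid",         "2001:20::/28"),
    ("Documentation",  "2001:db8::/32"),
    ("6to4",           "2002::/16"),
    ("Global Unicast", "2000::/3"),
    ("Local Unicast",  "fc00::/7"),    # unique local addresses
    ("Link-local",     "fe80::/10"),
    ("Multicast",      "ff00::/8"),
]
_NETS = [(name, ipaddress.IPv6Network(cidr)) for name, cidr in _TYPES]


def classify(text):
    """Return the address type of an IPv6 address string (ValueError if not IPv6)."""
    addr = ipaddress.IPv6Address(text)
    for name, net in _NETS:
        if addr in net:
            return name
    # Assumption: anything else (deprecated site-local fec0::/10, reserved
    # space) is what the table calls "Unknown".
    return "Unknown"


_BASIC = {"Global Unicast", "IPv4 Mapped", "Local Unicast"}
_ANY = {name for name, _ in _TYPES} | {"Unknown"}

# One row per use case in the table: the set of acceptable address types.
ACCEPTABLE = {
    "Static IPv6 Address Entry":   _BASIC,
    "IPv6 Default Gateway":        _BASIC | {"Link-local"},
    "IPv6 Route Entry - IP Range": _ANY,
    "IPv6 Route Entry - Gateway":  _BASIC | {"Link-local"},
    "RFS Address":                 _BASIC | {"Unspecified"},
    "Client Address":              _BASIC,
    "Push Client Address":         _BASIC,
    "Ping":                        _ANY,
    "Traceroute":                  _ANY,
}


def acceptable(use_case, text):
    """True if the address is of a type the front panel accepts for this use case."""
    return classify(text) in ACCEPTABLE[use_case]


def check_entries(entries):
    """Validate (use_case, address) pairs, e.g. before pushing a configuration
    file. Returns (use_case, address, type) for every rejected entry."""
    rejected = []
    for use_case, text in entries:
        try:
            kind = classify(text)
        except ValueError:
            kind = "not an IPv6 address"
        if kind not in ACCEPTABLE[use_case]:
            rejected.append((use_case, text, kind))
    return rejected


if __name__ == "__main__":
    # Constructed sample entries: a link-local default gateway is fine, but a
    # link-local or Documentation address is rejected as a static address.
    sample = [
        ("IPv6 Default Gateway", "fe80::1"),
        ("Static IPv6 Address Entry", "fe80::1"),
        ("Static IPv6 Address Entry", "2001:db8::10"),
        ("RFS Address", "::"),
        ("Client Address", "::ffff:192.0.2.10"),
    ]
    for item in check_entries(sample):
        print("rejected:", item)
```

The same check is worth running against prefixes you intend to advertise to the unit over SLAAC, since the front panel validation does not apply to those.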
Unlike IPv4, IPv6 is designed to be auto-configuring. SLAAC is an IPv6 mechanism by which IPv6 hosts
can configure their IPv6 addresses automatically when connected to an IPv6 network using the
Neighbour Discovery Protocol (NDP). Using NDP, IPv6 hosts are able to solicit advertisements from
on-link routers and use the network prefix(es) contained in the advertisements to generate IPv6
address(es).
SLAAC is disabled by default in an nShield Connect, but can be selectively enabled for each Ethernet
interface either using the nShield Connect front panel or by setting the appropriate configuration item
and pushing an nShield Connect configuration file.
Enable/disable IPv4
To enable/disable IPv4:
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #1 > Configure #1 IPv4 > IPv4 enable/disable.
The following screen displays:
Network configuration
IPv4 enable/disable:
ENABLE
CANCEL FINISH
Static IPv4 address
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #1 > Configure #1 IPv4 > Static IPv4 address.
The following screen displays:
Network configuration
2. Set each field of the IP address and netmask for the interface (press the Select button to move to
the next field).
3. Once all fields have been set, press the right-hand navigation button to continue.
4. To accept the changes, press the right-hand navigation button and then CONTINUE to go back
to the Static IPv4 address menu.
To enable/disable IPv6:
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #1 > Configure #1 IPv6 > IPv6 Enable/Disable.
The following screen displays:
Network configuration
IPv6 enable/disable:
DISABLE
CANCEL FINISH
Static IPv6 address
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #1 > Configure #1 IPv6 > Static IPv6 address > IPv6 address entry.
The following screen displays:
Network configuration
Enter IPv6 address
For interface #1:
::
CANCEL NEXT
4. When the IPv6 address prefix details are correct, press the right-hand navigation button.
5. You are asked whether you wish to accept the new interface. To accept, press the right-hand
navigation button.
6. From the front panel, select System > System configuration > Network config > Set up
interface #1 > Configure #1 IPv6 > Static IPv6 address > Static IPv6 Enab/Dis.
The following screen displays:
Network configuration
CANCEL FINISH
Link speed
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #1 > Set link speed for #1.
2. The following screen displays:
Network configuration
CANCEL NEXT
Interface #2
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #2.
2. Enter the details for interface #2 in the same manner that you entered the details for interface
#1.
3. Once the interface #2 details have been entered you need to explicitly enable interface #2.
Select System > System configuration > Network config > Set up interface #2 >
Enable/Disable Int #2 .
4. The following screen displays:
Network configuration
Interface #2
DISABLE
CANCEL FINISH
Default gateway
IPv4 gateway
1. From the front panel menu, select System > System configuration > Network config > Set
default gateway > IPv4 Gateway.
The following screen is displayed:
0. 0. 0. 0
CANCEL NEXT
IPv6 gateway
1. From the front panel menu, select System > System configuration > Network config > Set
default gateway > IPv6 gateway.
The following screen is displayed:
Gateway configuration
CANCEL NEXT
Enter the address for the gateway. Press the right-hand navigation button. The following screen
is displayed if the address entered was a link-local address:
Gateway configuration
Select an interface
for link-local address:
fe80:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx
Interface #1
CANCEL NEXT
Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
New IPv4 route entry
1. From the front panel menu, select System > System configuration > Network config > Set up
routing > New IPv4 route entry.
The following screen is displayed:
Enter IP range
and mask length:
0. 0. 0. 0/ 0
Enter the gateway:
0. 0. 0. 0
CANCEL FINISH
2. Enter the IPv4 address range details for the route. Press the right-hand navigation button to
accept.
New IPv6 route entry
1. From the front panel menu, select System > System configuration > Network config > Set up
routing > New IPv6 route entry.
The following screen is displayed:
CANCEL NEXT
2. Enter the IPv6 address range details for the route. Press the right-hand navigation button to
accept. The following screen is displayed:
BACK NEXT
3. Enter the gateway address; if it is a link local address, the following screen is displayed.
Select an interface
for link-local address:
fe80:xxxx:xxxx:xxxx:
xxxx:xxxx:xxxx:xxxx
Interface #1
BACK NEXT
4. Select the interface for the IPv6 gateway and press the right-hand navigation button to accept.
5. If the new route entry entered for IPv6 is incorrect an error message is displayed on the next
screen, select BACK to go to the route entry screen. The new IPv6 route entry will need to be
entered again.
Edit IPv4 route entry
1. From the front panel menu, select System > System configuration > Network config > Set up
routing > Edit route entry.
The following screen is displayed:
BACK SELECT
2. Select the IPv4 route to be edited. Press the right-hand navigation button. The following screen is
displayed:
3. Edit the IPv4 route entry. Press the right-hand navigation button to accept the changes.
Edit IPv6 route entry
1. From the front panel menu, select System > System configuration > Network config > Set up
routing > Edit route entry.
The following screen is displayed:
BACK SELECT
CANCEL NEXT
3. Edit the IPv6 route entry. Press the right-hand navigation button.
BACK NEXT
4. Enter the IPv6 route gateway. If a link-local address is entered for the IPv6 route gateway the
screen below will be displayed.
Select an interface
for link-local address:
fe80:2222:2222:2222:
2222:2222:2222:2222
Interface #1
BACK NEXT
5. Select the interface for the IPv6 gateway. Press the right-hand navigation button to accept.
Remove route entry
1. From the front panel menu, select System > System configuration > Network config > Set up
routing > Remove route entry.
The following screen is displayed:
► 1. 1. 1. 1/ 1
3. 3. 3. 3/ 3
1111:1111:1111:1111:
1111:1111:1111:1111
/128
BACK SELECT
2. Select the IPv4/IPv6 route to be removed. Press the right-hand navigation button.
3. The selected route will be displayed. Press the right-hand navigation button to remove the route.
To enable SLAAC:
1. From the front panel menu, select System > System configuration > Network config > Set up
interface #1 > Configure #1 IPv6 > IPv6 SLAAC.
The following screen is displayed:
Network configuration
SLAAC State
Disabled
CANCEL FINISH
2. Select the required state and press the right-hand navigation button.
3. The SLAAC configuration completed OK screen is displayed. Press the right-hand navigation
button to accept.
Note: Enable SLAAC for interface #2 in the same manner as for interface #1, but select System >
System configuration > Network config > Set up interface #2 > Configure #2 IPv6 > IPv6
SLAAC.
We recommend that you regularly back up the entire contents of the RFS. Either the
%NFAST_KMDATA% directory under Windows, or the kmdata directory under Unix, is
required to restore an nShield Connect, or its replacement, to the current state in case of
failure.
You can specify a new RFS, and modify or delete an existing RFS configuration. To create or modify a
remote file system configuration, specify the IP address of the computer on which the RFS resides.
Note: You must have created an RFS on the client computer before you specify the IP address of the
client.
See the User Guide for more about the RFS and its contents.
The nShield Connect must be able to connect to TCP port 9004 of the RFS. If necessary, modify the
firewall configuration to allow this connection on either the RFS itself or on a router between the RFS
and the nShield Connect.
Obtain the following information about the nShield Connect before you set up an RFS for the first time:
- The IP address
The following nShield Connect information can be obtained automatically (or manually):
- The electronic serial number (ESN)
- The hash of the K_NETI key (HK_NETI). The K_NETI key authenticates the nShield Connect to clients. It
is generated when the nShield Connect is first initialized from factory state.
If your network is secure and you know the IP address of the nShield Connect, you can use the
anonkneti utility to obtain the ESN and the hash of the K_NETI key by giving the following command on
the client computer:
anonkneti mmm.mmm.mmm.mmm
In this command, mmm.mmm.mmm.mmm is the IP address of the nShield Connect. The command returns
output in the following form:
A285-4F5A-7500 2418ec85c86027eb2d5959fef35edc5e1b3b698f
1. Prepare the RFS on the client computer (or another appropriate computer) by running the
following command on that computer:
In this command:
- mmm.mmm.mmm.mmm is the IP address of the nShield Connect
- EEEE-SSSS-NNNN is the ESN of the nShield Connect
- keyhash is the hash of the K_NETI key
2. On the nShield Connect display screen, use the right-hand navigation button to select System >
System configuration > Remote file system > Define IPv4 RFS and enter the IP address of the
client computer on which you set up the RFS.
Note: Leave the port number at the default setting of 9004.
To modify an RFS at a later date, select System configuration > Remote file system > Define IPv4
RFS, and then select the required action.
Note: You can allow non-nShield Connect hardware security modules to access the remote file
system and share Security World and key data that is stored in the %NFAST_KMDATA%
directory under Windows, or the kmdata directory under Unix, in the same way as an
nShield Connect. Clients that access data in this way are described as cooperating clients.
To configure client cooperation, you need to know the details of each client including IP
address and ESN.
After you have defined the RFS, the nShield Connect configuration files are exported automatically to it.
See the User Guide for more about configuration files.
If you are planning to use Remote Administration, you should enable auto push on the nShield Connect,
once you have configured the RFS.
On the nShield Connect display, use the right-hand navigation button to select System > System
configuration > Config file options > Setup auto push > Auto push mode and select IPv4.
Once auto push is enabled, you can complete the configuration steps by editing the configuration files,
rather than by using the front panel of the nShield Connect. See the User Guide for more about
configuration files.
Utility                Description
nethsmenroll           Used to configure the client to communicate with the nShield Connect.
config-serverstartup   Used to configure the hardserver of the client to enable TCP sockets.
nethsmenroll
The nethsmenroll command-line utility is used to edit the configuration file of the client hardserver to
add an nShield Connect. If the ESN and HKNETI are not specified, nethsmenroll attempts to contact
the nShield Connect to determine what they are, and requests confirmation.
Usage:
Options:
config-serverstartup
config-serverstartup [OPTIONS]
For more information about the options available to use with config-serverstartup, run the
command:
config-serverstartup --help
Note: If an nToken is installed in a client, it can be used to both generate and protect a key that is
then used for the impath communication between the nShield Connect and the client. A
strongly protected key is used at both ends of the impath as a result.
Do the following:
1. On the client, open a command line window, and run the command:
nethsmenroll --help
2. To retrieve the ESN and HKNETI of the nShield Connect, run the anonkneti utility against the IP
address of the unit, as described for the RFS setup above. The output has the following form:
3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320
If the ESN and HKNETI are not specified, nethsmenroll attempts to contact the nShield
Connect to determine what they are, and requests confirmation.
3. Do one of the following:
a. If you are enrolling a client with an nToken installed, run the command:
b. If you are enrolling a client without an nToken installed, run the command:
nethsmenroll [Options] --privileged <Unit IP> <Unit ESN> <Unit KNETI HASH>
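Both anonkneti (RFS setup above) and nethsmenroll without an explicit ESN and HKNETI trust whatever identity the host at the given IP address reports, which is only safe on a network you control. The following Python is an added example, not part of the Security World Software, that pins the reported identity to values read out of band from the unit's front panel and only then builds the nethsmenroll command line shown above. The sample anonkneti reply and the pinned values are constructed; the ESN and hash formats are taken from the examples on this page, and the query_unit helper (which shells out to the real anonkneti) is not exercised offline.

```python
"""Added example: pin an nShield Connect's reported identity (ESN + HKNETI) to
values read from its front panel before enrolling. Not part of the Security
World Software."""
import re
import subprocess

# Formats as shown in this guide's examples: ESN XXXX-XXXX-XXXX (upper-case
# hex), HKNETI 40 lower-case hex digits (an assumption from those examples).
_ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")
_HKNETI_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_identity(output):
    """Parse the 'ESN HKNETI' line that anonkneti prints. Raises ValueError for
    anything else, so a truncated reply or an intercepting proxy's error page
    can never be mistaken for a unit identity."""
    parts = output.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected anonkneti output: {output!r}")
    esn, hkneti = parts
    if not _ESN_RE.match(esn):
        raise ValueError(f"malformed ESN: {esn!r}")
    if not _HKNETI_RE.match(hkneti):
        raise ValueError(f"malformed HKNETI: {hkneti!r}")
    return esn, hkneti


def identity_matches(output, expected_esn, expected_hkneti):
    """True only if both reported values equal the pinned ones."""
    esn, hkneti = parse_identity(output)
    return esn == expected_esn.upper() and hkneti == expected_hkneti.lower()


def enroll_argv(unit_ip, expected_esn, expected_hkneti, reported, privileged=False):
    """Build the nethsmenroll command line from this page, passing the ESN and
    HKNETI explicitly so nethsmenroll does not need to trust the network; a
    mismatch with the pinned values raises instead of enrolling."""
    if not identity_matches(reported, expected_esn, expected_hkneti):
        raise RuntimeError("nShield Connect identity does not match pinned ESN/HKNETI")
    esn, hkneti = parse_identity(reported)
    argv = ["nethsmenroll"]
    if privileged:
        argv.append("--privileged")
    return argv + [unit_ip, esn, hkneti]


def query_unit(unit_ip):
    """Run anonkneti against a live unit (requires the tools to be installed)."""
    result = subprocess.run(["anonkneti", unit_ip], capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed values standing in for what you read from the front panel.
    pinned_esn = "3138-147F-2D64"
    pinned_hkneti = "691be427bb125f38768638a18bfd2eab75623320"
    # Constructed anonkneti reply in the format shown on this page.
    reply = "3138-147F-2D64 691be427bb125f38768638a18bfd2eab75623320\n"
    print(" ".join(enroll_argv("192.0.2.7", pinned_esn, pinned_hkneti, reply,
                               privileged=True)))
```

Run the real enrolment with subprocess.run(enroll_argv(...)) only after the comparison succeeds; a changed HKNETI on a unit you have not deliberately re-initialised is the signal to stop and investigate rather than to accept the new value.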
Configure the TCP sockets on the client for Java applications (for
example, KeySafe)
Do the following:
2. Do one of the following to stop and restart the hardserver, according to your operating system:
a. Windows:
b. Unix-based:
/opt/nfast/sbin/init.d-ncipher restart
enquiry
See Enquiry utility on page 69 for an example of the output that the enquiry utility generates.
1. On the nShield Connect front panel, use the right-hand navigation button to select System >
System configuration > Client config > New IPv4 client.
The following screen displays:
Client configuration
Please enter your
client IPv4 Address
0. 0. 0. 0
CANCEL NEXT
2. Enter the IP address of the client, and press the right-hand navigation button.
You are asked to choose the permissions for the client:
Client configuration
Please choose the
client permissions
Unprivileged
BACK NEXT
4. When you have selected a connection option, press the right-hand navigation button.
The following screen is displayed:
Client configuration
This client is not
configured to use an
nToken. Do you want to
enroll with an nToken?
NO
BACK NEXT
The next steps in the configuration process vary slightly depending on whether the client uses an
nToken to communicate with the nShield Connect, or not.
or:
a. To enroll the client with nToken authentication, you must first confirm the nToken
authentication key. On the client, open a command line window, and run the command:
ntokenenroll -H
b. Ensure that you write down the hash or have it otherwise available for the next steps.
c. On the nShield Connect, enter the number of the port on which the client is listening and
press the right-hand navigation button. (The default port is 9004.)
The following is an example of the information displayed by the nShield Connect. This
identifies the client by its ESN and displays the reported key hash:
d. Compare the hash displayed by the nShield Connect with the nToken key hash returned
by ntokenenroll.
e. If there is an exact match, select Yes and then press the right-hand navigation button to
configure the client.
f. The unit displays a message reporting that the client has been configured. Press the right-
hand navigation button again.
See the User Guide for more about modifying or deleting an existing client, configuring multiple clients,
client licenses, configuring an nShield Connect to use a client with configuration files and auto push,
and advanced configuration options.
Key Description
A Power button
B Warning LED (orange)
C Display screen
D Touch wheel
E Status indicator LED (blue)
F Display navigation button (left)
G Display navigation button (right)
H Select button
I Slot for smart cards
J Clear button
K USB connector
For more information about the user interface, including the front panel controls, see the nShield
Connect User Guide.
Use the touch wheel to change values or move the cursor on the display screen. To confirm a value,
press the Select button.
Note: If you select an option, the module displays the menu options in the level below. If you cancel
a selected option, you return to level above.
- 1-1-9-1 UK keyboard
- 1-1-9-2 US keyboard
1-1-10 Tamper config
1-1-11 Default config
1-1-12 Remote configuration options
2 HSM
Enquiry utility
Run the enquiry utility to check that your module is working correctly. The enquiry utility is in the bin
subdirectory of the nCipher directory. This is usually:
If the module is working correctly, the enquiry utility returns the message:
Server:
enquiry reply flags none
enquiry reply level Six
...
Module ##:
...
mode operational
version #.##.#
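To turn the check above into something a post-install script or a monitor can run, the following Python is an added example (not code from the Security World Software) that parses enquiry output and lists every module that is not in operational mode or whose hardware status is not OK. The sample output is constructed in the layout the guide shows (a Server section followed by one Module section per HSM); the field names mode, version, enquiry reply flags, enquiry reply level and hardware status are the ones named on this page, and serial number is assumed.

```python
"""Added example: parse enquiry output and flag modules that are not
operational. Not part of the Security World Software."""
import re
import subprocess

_SECTION_RE = re.compile(r"^(Server|Module #\d+):\s*$")
# Only the fields this check needs; any other enquiry field is ignored.
_FIELD_RE = re.compile(
    r"^\s*(enquiry reply flags|enquiry reply level|serial number|mode|version"
    r"|hardware status)\s+(.+?)\s*$")


def parse_enquiry(text):
    """Return {section: {field: value}} for the recognised fields."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def unhealthy_modules(text):
    """(module, mode, hardware status) for every module whose mode is not
    'operational' or whose hardware status is reported as anything but OK.
    A module with no mode line at all is reported as 'missing'."""
    bad = []
    for name, fields in parse_enquiry(text).items():
        if not name.startswith("Module"):
            continue
        mode = fields.get("mode", "missing")
        hw = fields.get("hardware status", "OK")
        if mode != "operational" or hw != "OK":
            bad.append((name, mode, hw))
    return bad


def live_check():
    """Run the real enquiry utility (needs the Security World Software installed)."""
    out = subprocess.run(["enquiry"], capture_output=True, text=True, check=True).stdout
    return unhealthy_modules(out)


# Constructed sample output: one healthy module and one still in
# initialization mode, as seen right after a Security World is created.
SAMPLE = """\
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        1234-5678-9ABC
 mode                 operational
 version              12.60.2
Module #1:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        A285-4F5A-7500
 mode                 operational
 version              12.60.2
 hardware status      OK
Module #2:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        3138-147F-2D64
 mode                 initialization
 version              12.60.2
 hardware status      OK
"""

if __name__ == "__main__":
    for module, mode, hw in unhealthy_modules(SAMPLE):
        print(f"{module}: mode={mode} hardware status={hw}")
```

Anything the check reports should then be matched against the Status LED table below to decide whether it is expected (initialization after creating a Security World, maintenance during an upgrade) or an error.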
If the output from the enquiry utility does not show mode operational, you can use the Status LED to
discover the status of the module.

Status: Operational mode
Status LED: On, occasionally blinks off.
The module is in Operational mode and accepting commands. The more frequently the Status LED
blinks off, the greater the load on the module.

Status: Initialization mode
Status LED: Flashes two short pulses, followed by a short pause.
Existing Security World data on the module has been erased. The module is automatically placed in
Initialization mode after a Security World is created. For more information, see the nShield Connect
User Guide.

Status: Maintenance mode
Status LED: Flashes two long pulses followed by a pause.
Used for reprogramming the module with new firmware. The module only goes into Maintenance mode
during a software upgrade.

Status: Error mode
Status LED: Flashes SOS, the Morse code distress code (three short pulses, three long pulses, three
short pulses). After flashing SOS, the Status LED flashes a Morse code letter which identifies the error.
If the module encounters an unrecoverable error, it enters Error mode. In Error mode, the module does
not respond to commands and does not write data to the bus. For internal security modules running
firmware 2.61.2 and above, the error code is also reported by the enquiry utility in the hardware status
field of the Module and under hardware errors in the hardserver log.
If a command does not complete successfully, the module normally writes an error message to the log
file and continues to accept further commands. It does not enter Error mode.
The warning sounds when only one of the two PSUs is powered and turned on. Check that:
If the audible warning continues, there might be a fault with one or both PSUs. Before investigating
further, switch off the audible alarm by navigating to the 1-2-5-3 Critical Errors screen. The orange
warning LED remains on until you resolve the issue.
For more information about identifying and replacing a failed PSU, see the nShield Connect Power
Supply Unit Installation Sheet.
Display screen
When the module is in Maintenance or Initialization mode, there is a color-coded footer at the bottom
of the display screen. There is no footer when the module is in Operational mode.
Note: The blue Status LED flashes to indicate the status of the internal security module.
Power button
The Power button, in combination with the display screen, indicates the general status of the module.
Note: The display screen turns off automatically if the front panel buttons are inactive for more than
three minutes. Use the touch wheel to turn the display screen back on.
Ethernet LEDs
There are four Ethernet LEDs, two for each of the two Ethernet ports on the module. The Ethernet LEDs
indicate the status of the connection with other Ethernet devices.
Module overheating
If the internal module of the nShield Connect exceeds the safe operating temperature, the unit stops
operating and displays the SOS-T error message on the Status LED. See Status LED on page 70 for
details of the SOS-T error message.
The client can store logs, and can configure them to contain different types of message.
Information
This type of message indicates routine events:
Notice
This type of message is sent for information only:
Client
This type of message indicates that the server has detected an error in the data sent by the client (but
other clients are unaffected):
Serious error
This type of message indicates a serious error, such as a communications or memory failure:
If you receive a serious error, even if you are able to recover, contact Support.
Start-up errors
This type of message indicates that the server was unable to start:
nFast server: Fatal error during startup: message
nFast Server service version failed init.
nFast Server service version failed to read registry
Reinstall the server as described in the nShield Connect User Guide. If reinstallation does not solve the
problem, contact Support.
Fatal errors
This type of message indicates a fatal error for which no further reporting is available:
or
If the module is without power for an extended period, the RTC time is lost. When this happens,
attempts to read the clock (for example, using the ncdate or rtc utilities) return a BadTokenData error
status.
The correct procedure in these cases is to reset the clock and leave the module powered up for at least
ten hours to allow the battery to recharge. No other nonvolatile data is lost when this occurs.
- The PSUs
- The fan tray module
Replacing a PSU or fan tray module does not affect FIPS 140-2 validations for the nShield Connect, or
result in a tamper event. However, in the very rare event that a PSU or fan tray module requires
replacement, contact Support before carrying out the replacement procedure.
Do not remove the fan tray for more than 30 minutes, otherwise a tamper event will occur.
For more information about replacing either a PSU or the fan tray module, see the Installation Sheet
that accompanies the replacement part.
Breaking the security seal or dismantling the nShield Connect voids your warranty cover, and
any existing maintenance and support agreements.
Mains power plugs on UK cordsets contain a 5A fuse (BS1362). Only replace with the same
type and rating of fuse. If a replacement fuse fails immediately, contact Support. Do not
replace with a higher value fuse.
If you have an enquiry about any of the parts listed, contact Support.
The automated Security World Software installers do not delete other components or any key data and
Security World data that you have created. However, in Unix environments, a manual installation using
.tar files does overwrite existing data and directories.
The uninstaller removes only those files that were created during the installation.
Note: Before you uninstall the Security World Software, Thales strongly recommends that you make
a secure backup of any key data and any existing Security World. See the User Guide for
more information.
Note: When upgrading the Security World Software, you do NOT need to delete key data or any
existing Security World. If you want to do so for other reasons, see the User Guide for more
information. If you do delete Security World data, it cannot be restored unless you have an
up-to-date backup and a quorum of the Administrator Card Set (ACS) is available.
Note: The file nCipherKM.jar, if present, is located in the extensions folder of your local Java
Virtual Machine. The uninstall process may not delete this file. Before reinstalling over an old
installation, remove the nCipherKM.jar file. See the User Guide for your module and
operating system for more about locating the Java Virtual Machine extensions folder.
Note: In Windows environments, because the hardserver is installed as a named service (known as
the nFast server), it is only possible to have one Security World Software installation on any
given computer.
It is also not possible to have more than one Security World Software installation on the
same computer in Unix environments.
Thales recommends that you do not uninstall the Security World Software unless you are
either certain it is no longer required, or you intend to upgrade it.
Uninstalling on Solaris
To uninstall the Security World Software from Solaris:
1. Assume the nFast Administrator privileges or root privileges by running the command:
$ su -
/opt/nfast/sbin/install -u
/usr/sbin/pkgrm
Note: Do not delete the configuration file if you are planning to re-install the product.
If required, you can safely remove the module after shutting down all connected hardware.
Uninstalling on AIX
To uninstall the Security World Software from AIX:
/opt/nfast/sbin/install -u
smit install_remove
4. For SOFTWARE name, select List to list all available file sets, and then select all those prefixed
with ncipher.
5. Press Enter to confirm the selected file sets for uninstallation.
The Remove Installed Software panel is displayed.
6. Ensure that the PREVIEW Only option is set to No (or the removal operation does not occur),
and press Enter.
7. When prompted to confirm that you are sure about the removal, press Enter again to start the
uninstall process.
8. If you are not planning to re-install the product, delete the configuration file /etc/nfast.conf if
it exists.
Note: Do not delete the configuration file if you are planning to re-install the product.
If required, you can safely remove the module after shutting down all connected hardware.
Uninstalling on HP-UX
To uninstall the Security World Software from HP-UX:
1. Assume the nFast Administrator privileges or root privileges by running the command:
$ su -
/opt/nfast/sbin/install -u
/usr/sbin/swremove
Note: Do not delete the configuration file if you are planning to re-install the product.
If required, you can safely remove the module after shutting down all connected hardware.
Uninstalling on Linux
To uninstall the Security World Software from Linux:
1. Assume the nFast Administrator privileges or root privileges by running the command:
$ su -
/opt/nfast/sbin/install -u
4. Delete all the files (including those in subdirectories) in /opt/nfast and /dev/nfast/ by
running the following commands:
rm -rf /opt/nfast
Note: Deleting all the files and subdirectories in /opt/nfast also deletes the
/opt/nfast/kmdata directory. To be able to restore an existingSecurity World after
deleting all the files in /opt/nfast, ensure you have made a backup of the
/opt/nfast/kmdata directory in a safe location before deleting the original.
5. If you are not planning to re-install the product, delete the configuration file /etc/nfast.conf if
it exists.
Note: Do not delete the configuration file if you are planning to re-install the product.
6. Unless needed for a subsequent installation, remove the user nfast and, if it exists, the user
ncsnmpd:
a. Open the file /etc/group with a text editor.
b. Remove the group line that begins with the form:
nfast:x:n
c. In the same way, remove the user entries that begin with the form:
nfast:x:...
ncsnmpd:x:...
If required, you can safely remove the module after shutting down all connected hardware.
Thales supply the hardserver and associated software as bundles of common components that provide
much of the required software for your installation. In addition to the component bundles, Thales
provide individual components for use with specific applications and features supported by certain
Thales modules.
Component bundles
javasp Java Support (including KeySafe) See Java Support (including KeySafe)
nhfw nShield Connect firmware files See nShield Connect firmware files
- Hardware Support
- Core Tools
- Java Support
- nShield Connect firmware files
- Remote Administration Service
- Remote Administration Client.
The Hardware Support (mandatory) bundle contains the hardserver and kernel device drivers:
Core tools
The Core Tools (recommended) bundle contains all the Security World Software command-line utilities,
including generatekey, low level utilities, and test programs:
nfpy
Thales recommend that you always install the Core Tools bundle.
ksafe KeySafe 2
The Remote Administration Service bundle contains the Remote Administration Service installation and
configuration. When installed, the Remote Administration Service starts automatically.
Remote Administration Client
Graphical User Interface and command line versions of the Remote Administration Client.
nShield Connect firmware files
Firmware image files for the nShield Connect. Typically a firmware image file is included that contains
the latest FIPS Approved module firmware, as well as the firmware image file for the particular nShield
release. In some cases these may be one and the same thing.
- CipherTools Developer
- Java Developer.
- CodeSafe Developer
- Java Developer.
CipherTools Developer
The CipherTools Developer bundle contains components supplied with the CipherTools Developer Kit:
CodeSafe Developer
The CodeSafe Developer bundle contains components supplied with the CodeSafe Developer Kit:
Java Developer
The Java Developer bundle contains components to support development of Java applications:
If you are planning to use Security World Software with an nShield Edge, ensure that the optional Edge
Monitor Controller feature is selected during installation.
Ensure that you have installed the Hardware Support (mandatory) and Core Tools (recommended)
bundles.
If you have CipherTools installation media, Thales recommend that you install the CipherTools
Developer bundle.
If you have CodeSafe installation media, Thales recommend that you install the CodeSafe Developer
bundle.
- If your module has a part code of the form nC4nn2 or Bn1nnn, install the Prebuilt arm-gcc for
Codesafe/C component.
- If your module has a part code of the form nC4nn3, Bn2nnn, BN2nnn(-E), or NH2nnn, install the
Prebuilt powerpc-gcc for Codesafe/C component.
If you have CipherTools installation media or CodeSafe installation media and you are developing in
Java, install the Java Developer and Java Support (including KeySafe) bundles; after installation,
ensure that you have added the .jar files to your CLASSPATH.
You must install the nfdrvk component if you are using a Thales PCI card.
If you want to use the module with PKCS #11 applications, including release 4.0 or later of Netscape
Enterprise Server, Sun Java Enterprise System (JES), or Netscape Certificate Server 4, install the
nCipher PKCS11 library. For detailed PKCS #11 configuration options, see:
- The appropriate User Guide for your module and operating system
- The appropriate third-party integration guide for your application
Integration guides for third-party applications are available from the Thales web site:
https://www.thales-esecurity.com/knowledge-base/knowledge-base-listing/integration-guides.
See the User Guide for your module and operating system for more about configuring the nCipherKM
JCA/JCE cryptographic service provider.
If this is a first time install, the nCipher SNMP Agent will not run by
default. Please see the manual for further instructions.
See the User Guide for your module and operating system for more about how to activate the SNMP
agent after installation.
Address type              Range start   Range end                                 Example
Unspecified               ::            ::                                        ::
Site-local (deprecated)   fec0::        feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff   fec0::100:abc:22
Note: The available addresses in the Global Unicast range are not contiguous.
Support: http://www.thales-esecurity.com/support-landing-page