Installing and configuring an SEE module

The required SEE module file is available in installation_image_root_folder/Software/HSM-NCIPHER/aal2sdk.sxf, where installation_image_root_folder is the root folder of the OneSpan Authentication Server product installation CD. We recommend to copy this file to the /opt/nfast/kmdata folder.

Integrating the Entrust nShield HSM and OneSpan Authentication Server requires to integrate the HSM with OneSpan Authentication Server Framework. This requires to sign the OneSpan Authentication Server client as an SEE machine, install the SEE module, and configure the module accordingly.

To install and configure the SEE module

  1. Navigate to the location of the SEE module.

  2. Generate the SEE code signing key with the name seesigningkey. This is the key name expected by the signing script used by the SEE module:

    generatekey --generate seeinteg type=rsa size=2048 pubexp= recovery=yes nvram=no plainname=seesigningkey

    The SEE code signing key will be created as the following file and is protected by the OCS: /opt/nfast/kmdata/local/key_seeinteg_seesigningkey

  3. Sign the SEE module file using the SEE code signing key:

    tct2 --sign --key seesigningkey --is-machine --machine-type=PowerPCSXF --module=moduleID ‑o aal2sdk.sig aal2sdk.sxf

    where moduleID is the identifier of the module with which you want to perform the signing operation. This module identifier is likely 1.

    You can also use the environmental variable ${moduleID} as the moduleID. If you do, the command will automatically use the appropriate module ID from your environment.

  4. Generate the signed SEE machine file, i.e. seemach_ppc.sar:

    tct2 --pack --module=moduleID -o "/opt/nfast/kmdata/seemach_ppc.sar" aal2sdk.sxf aal2sdk.sig

    This command will generate the following SEE machine file: /opt/nfast/kmdata/seemach_ppc.sar

  5. Generate a dummy user data file named userdata.dat:

    echo 'Dummy data' > userdata.dat

  6. Sign the user data file with the SEE code signing key. To do so, run the following two commands:

    tct2 --sign --key seesigningkey --machine-key-ident=seesigningkey --machine-type=PowerPCSXF ‑‑module=moduleID -o userdata.sig userdata.dat

    tct2 --pack --module=moduleID -o "/opt/nfast/kmdata/userdata.sar" userdata.dat userdata.sig

  7. Delete the userdata.dat and userdata.sig files for security reasons.

The OneSpan Authentication Server instance is now fully configured as an SEE machine. As such, it can now be integrated with theEntrust nShield HSM.