Configuring the Entrust nShield HSM

The Entrust nShield HSM needs to be configured for the following:

  1. To use the correct networking settings (netHSM IP, subnet mask, default gateway).
  2. To connect to the OneSpan Authentication Server instance and use it as a client. To create the keys and upload the SEE module, set the client's permissions to Privileged and nToken to NO. You can set the connection type to unprivileged after the configuration is complete.

For instructions on how to set these configurations, refer to the nShield Connect Quick Start Guide packaged with your HSM.

In addition to configuring the HSM, you will also need to create an Operator Card Set (OCS). The OCS is needed to help protect the SEE code signing key. This signing key allows the OneSpan Authentication Server instance (i.e. the SEE machine) to sign in as a Security World client.

On a Security World compliant with FIPS 140-2 Level 3 (or FIPS 3), an Administrator Card Set (ACS) is required to authorize the creation of an OCS. The ACS is also provided with your Entrust nShield HSM.

The easiest way to create an OCS is via the Cards wizard of the KeySafe utility. This utility is located at /opt/nfast/bin/ksafe.

For detailed instructions on creating an OCS, refer to the nShield Connect and netHSM User Guide, Section "Managing card sets and softcards".