Integrating OneSpan Authentication Server with Entrust nShield HSM
After you configured OneSpan Authentication Server as an SEE machine, you can integrate it with you Entrust nShield HSM. This requires you to upload the SEE machine into the HSM.
Ensure that the SEE machine is uploaded only once to the HSM! Uploading the SEE machine multiple times causes the HSM to become inconsistent and requires a restart of the HSM.
You can configure the hardserver to automatically upload an SEE machine, but only one hardserver can be configured to automatically upload the OneSpan Authentication Server SEE machine. In this case, typically the hardserver running on the remote file system (RFS) server must be configured to automatically upload the SEE machine.
For Entrust nShield Connect, you need to perform the following procedure from the remote file system (RFS) server. In an Entrust nShield-secure environment, this is the server used to store keys, configuration data, and (optionally) log files synchronized from the HSM. For more information about the RFS, refer to the nShield Connect and netHSM User Guide.
To automatically upload the SEE machine
-
Configure the HSM to authorize the client machine to issue privileged commands on the HSM. This can be done by setting the connection type between the HSM and the client to Priv. on any port.
For instructions on how to do so, refer to the nShield Connect and netHSM User Guide, Section "Configuring the Connect to use the client".
-
Configure the hardserver on the client machine to allow privileged connections to the HSM. The hardserver settings are configured via the following file: /opt/nfast/kmdata/config/config
Configure the following settings in the configuration file accordingly:
Hardserver settings (for automatic SEE machine upload) Section Setting Description [nethsm_imports] privileged The connection type (privileged VS non-privileged) the hardserver should use to connect to the HSM. This should be set to 1 (enabled). [load_seemachine] module The module number of the HSM to which the SEE machine should be uploaded. machine_file The absolute path to the SEE machine file (by default, /opt/nfast/kmdata/seemach_ppc.sar). For more information, see Installing and configuring an SEE module userdata The absolute path to the user data file. The user data file is the userdata.sar file generated and signed with the SEE code signing key during the SEE module setup (seeInstalling and configuring an SEE module). worldid_pubname The published name of the SEE machine. This should always be set to IDENTIKEY_SEE_Machine. -
Refresh the client machine hardserver's configuration. To do this, run the following command:
cfg-reread
-
Test the configuration with the following command:
/opt/nfast/bin/enquiry
At any given time, each HSM should have a corresponding SEE machine loaded. Without it, OneSpan Authentication Server cannot connect to the HSM.
In addition, there should only be one SEE machine loaded per HSM. OneSpan Authentication Server will be unable to connect to an HSM that has multiple SEE machine instances loaded.