The following steps configure the nCipher startup scripts to boot or reboot before the PCA startup scripts are run. The nCipher card must be initialized before the PCA can be started.
If you haven't already installed the PCA software, you can do so now.
Depending on the operating system, complete the following sets of instructions:
Create nCipher Security World for PCA
If the nCipher card is to be used as an HSM keystore, an nCipher Security World must be created. The following instructions apply to the creation of an nCipher Security World, with some modifications specific to the CX Passive Capture Application. They apply to these cards:
- nCipher nShield 4000
- nCipher nShield 6000e
If your network environment requires a different set of policies or more configuration, refer to the nShield_Quick_Start_Guide.pdf for further instructions.
- Plug in the smart card reader and insert a card. A green light on the reader indicates a good connection.
  Note: To create a Security World keystore, the smart card reader must be plugged in with a card for writing the AES smart card group.
  Importing SSL keys does not require the card reader to be plugged in at the default FIPS 140-2 Level 2. The card reader must be installed to run the PCA using the Security World keystore for its SSL keys.
- Create a Security World:
  - Log in to the host computer as a user in the nfast group.
  - Set the module switch on the back panel of the nShield to the I position, which is the pre-initialization mode.
  - To clear the module, run the following command:
    /opt/nfast/bin/nopclearfail ca
  - Run the following command:
    /opt/nfast/bin/new-world -m 1 -s 0 -Q 1/2 -k rijndael
    This command creates a FIPS Level 2-compliant Security World, with OCS recovery and replacement enabled, and a 1/2 ACS. The Security World is protected by an AES key. It generates 2 ACS smart cards, but only one is required for security access.
- During the smart card generation process, you must enter a passphrase. For example:
  ACS smartcard test passphrase: testcard123
  This process takes 1-2 minutes per card. When the Security World is generated, a message similar to the following is displayed:
  Security World generated on module #1; hknso = 26b0b0fed1e2753c665b34af15523ebbb2a995a3
- Set the module switch on the back of the nShield to the O position, for Operational mode.
Configure startup scripts for RedHat
For servers using RedHat, complete the following set of instructions:
- Test the configuration by running the runlevel startup list command:
  chkconfig --list | grep nc_
  If a list is returned, the default nCipher startup scripts were correctly configured. To test, reboot the PCA and validate that it sees the nCipher kernel driver.
  If nothing is listed, the default nCipher startup scripts are not correctly configured. The following startup scripts must have the correct run-level headers in the script file to be recognized:
  nc_drivers
  nc_hardserver
  The nCipher startup scripts are symlinked to the following:
  /opt/nfast/scripts/init.d/drivers
  /opt/nfast/scripts/init.d/hardserver
- Edit the nCipher startup scripts:
  - Add the following lines to /opt/nfast/scripts/init.d/drivers:
    # chkconfig: 2345 45 55
    # description: nCipher drivers
  - Add the following lines to /opt/nfast/scripts/init.d/hardserver:
    # chkconfig: 2345 50 50
    # description: nCipher hardserver
  For example, the beginning of the drivers script then reads:
    #!/bin/sh
    # generated by inst-def.sh
    # chkconfig: 2345 45 55
    # description: nCipher drivers
  It can take a few minutes for the system to automatically add the scripts to the chkconfig --list output.
- If the scripts are not displayed, enable the runlevels manually by using chkconfig to turn on runlevels 2, 3, 4 and 5 for nc_drivers and nc_hardserver:
  chkconfig --level 2345 nc_drivers on
  chkconfig --level 2345 nc_hardserver on
- Validate that the PCA can access the nCipher kernel driver:
  - Restart the PCA.
  - Run the following command:
    # lsmod | grep nfp
    The output is:
    nfp 42116 2
    The 2 is the "used by" count; it indicates that the module is in use.
  - To confirm that the PCA and nCipher startup scripts have the right startup priorities, check the rc symlinks. In the following example, nCipher starts first and the PCA starts afterwards:
    /etc/rc.d/rc2.d/S45nc_drivers
    /etc/rc.d/rc2.d/S50nc_hardserver
    /etc/rc.d/rc2.d/S55tealeaf-startup
    /etc/rc.d/rc2.d/S60tealeaf-pca
Configure startup scripts for SLES
Verify that nCipher starts up correctly with the Passive Capture Application. As of nCipher v11.40, two startup scripts (symlinks) are provided at the following locations. For proper startup, these scripts must run in the order listed:
/etc/init.d/nc_drivers
/etc/init.d/nc_hardserver
Note: For nCipher to be properly recognized, these nCipher startup scripts must be run before the PCA startup scripts. There can be issues with the startup sequence not working properly on SUSE SLES. For SLES, the suggested workaround is the following sequence.
- Disable the runlevels for nc_drivers and nc_hardserver:
  chkconfig -s nc_drivers off
  chkconfig -s nc_hardserver off
- Turn them back on with runlevels 3 and 5:
  chkconfig -s nc_drivers on 3 5
  chkconfig -s nc_hardserver on 3 5
- By default, the priority for both scripts in each runlevel is set to S01. Change the startup priority of each of these scripts in the rc3.d and rc5.d directories by using the following commands:
  mv /etc/rc.d/rc3.d/S01nc_drivers /etc/rc.d/rc3.d/S09nc_drivers
  mv /etc/rc.d/rc5.d/S01nc_hardserver /etc/rc.d/rc5.d/S10nc_hardserver
- To validate that the nCipher driver is loaded properly, use the following command:
  lsmod | grep nfp
  The expected output is similar to:
  nfp 42116 2
  (where '2' is expected)
- Validate that the PCA sees the nCipher kernel driver.
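The RedHat and SLES sections above both come down to the same two checks: the nCipher S-links must sort before the PCA S-links in the rc directory, and lsmod must show nfp in use. The following script is an added example, not part of the nCipher or Tealeaf documentation; it checks both against a constructed rc directory, and the PCA script names (tealeaf-startup, tealeaf-pca) are taken from the RedHat example above.

```shell
#!/bin/sh
# Added example, not from the nCipher or Tealeaf documentation: verify that the
# nCipher init scripts are ordered before the PCA scripts in an rc directory
# and that the nfp kernel module is loaded. Script names follow this page.

# Print the two-digit S priority of a start symlink, or fail if it is absent.
rc_priority() {
    # $1 = rc directory, $2 = script base name (e.g. nc_drivers)
    link=$(ls "$1"/S[0-9][0-9]"$2" 2>/dev/null | head -n 1)
    [ -n "$link" ] || return 1
    basename "$link" | cut -c2-3
}

# Succeed only if every nCipher script starts before every PCA script in $1.
check_order() {
    dir=$1
    for nc in nc_drivers nc_hardserver; do
        ncp=$(rc_priority "$dir" "$nc") || { echo "missing: $nc" >&2; return 1; }
        for pca in tealeaf-startup tealeaf-pca; do
            pp=$(rc_priority "$dir" "$pca") || { echo "missing: $pca" >&2; return 1; }
            if [ "$ncp" -ge "$pp" ]; then
                echo "bad order: S${ncp}${nc} does not precede S${pp}${pca}" >&2
                return 1
            fi
        done
    done
    return 0
}

# Succeed if lsmod output on stdin lists nfp with a non-zero use count
# (the "nfp 42116 2" line shown on this page).
nfp_loaded() {
    awk '$1 == "nfp" && $3 > 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample: a temporary directory laid out like /etc/rc.d/rc2.d
# after the RedHat steps (S45/S50 nCipher, S55/S60 PCA).
demo() {
    tmp=$(mktemp -d)
    for s in S45nc_drivers S50nc_hardserver S55tealeaf-startup S60tealeaf-pca; do
        : > "$tmp/$s"
    done
    check_order "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run check_order against the real /etc/rc.d/rc3.d (or rc2.d) and pipe lsmod into nfp_loaded after a reboot to confirm both conditions on a live system.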
Validate nCipher Security World
To validate that the Security World environment is properly created, complete the following steps.
- Run the following command:
  /opt/nfast/bin/nfkminfo
  The expected output is the following, with Usable indicating proper validation:
  World generation # state 0x17270000 Initialised Usable
  ...
  Module #1 generation # state 0x2 Usable
- For more information about adding SSL keys to the nCipher Security World keystore, review the instructions for using the following command:
  /opt/nfast/bin/generatekey
  The output of this command is a .pem reference SSL key. This key must be converted to the .ptl format that is used by the PCA.
- To convert the reference key file to a .ptl key, use the following command:
  tealeaf pem2ptl <nCipherReference>.pem
- The newly created PCA .ptl keys can now be explicitly loaded into the PCA:
  - Manually: See SSL key management.
  - Automatically: Load the keys into the default directory:
    /usr/local/ctccap/etc/capturekeys
    Note: You must create the directory and enable the proper access permissions. See SSL key management.
The .ptl keys are loaded for use by the PCA.
Import SSL keys into nCipher keystore
To store private SSL keys for use by the PCA, the clear-text PEM format of the keys is required. The nCipher utility, generatekey, creates equivalent reference PEM key files, which can then be converted for use by the PCA.
To install the nCipher SSL Key Management System, complete the following steps.
- Confirm that Linux™ is installed.
- Install the nCipher hardware card.
- Install the nCipher software, which installs the /opt/nfast/... directories and nfast scripts.
- Add the nCipher CHIL library directory, /opt/nfast/toolkits/hwcrhk, to the /etc/ld.so.conf file, if it is not present.
- Confirm that the PCA software is installed.
- Restart the CX Passive Capture Application server to confirm that it boots up successfully.
- Run the kernel module list command, lsmod, to confirm that the nfp nCipher kernel module is loaded.
- Create the required Security World environment for key import.
- Import the RSA PEM key files to the nCipher Security World by using the nCipher utility, /opt/nfast/bin/generatekey. For example:
  /opt/nfast/bin/generatekey -i embed
  This example assumes that keys are stored on disk in encrypted format.
  - Run the following command:
    [root@tstsys]# /opt/nfast/bin/generatekey -i embed
    Result:
    protect: Protected by? (token, softcard, module) [module] >
  - Press RETURN to accept the default. Result:
    pemreadfile: PEM file containing RSA key? []
  - Enter the private key file: tealeaf-web.pem. Result:
    embedsavefile: Filename to write key to? []
  - Enter the name of the ref file to write: tealeaf-web_ref.pem. Result:
    plainname: Key name? []
  - Enter the key name alias: tealeaf-web.
  - Press RETURN for the remaining prompts to accept the default values.
- Run the nCipher utility to list the keys in the Security World:
  /opt/nfast/bin/nfkminfo -l
Verify use of private SSL keys
Through the PCA capture log, you can verify that the PCA is able to see and use the nCipher card.
In the PCA capture.log file, you must see the following message during startup:
May 26 15:30:11 mammoth reassd[22722]: OpenSSL hw engine(1): CHIL hardware engine support
The number of keys must also be indicated in the log:
Aug 20 16:53:37 mammoth reassd[10889]: Loaded 1 keys from Capture.CaptureKeys.
A message like the following indicates an error in accessing the nCipher card:
hw engine(0)
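A small capture.log check that applies the three indicators above (hw engine(1) with CHIL support, the "Loaded N keys" line, and hw engine(0) as the failure case). This is an added example, not part of the PCA product or its documentation; the sample log lines inside the test are constructed from the messages quoted on this page.

```shell
#!/bin/sh
# Added example, not from the Tealeaf documentation: read capture.log on stdin
# and report whether the PCA found the nCipher CHIL engine and loaded keys.

# Print "engine=<n> keys=<k>"; succeed only when the engine number is 1 and
# at least one key was loaded from Capture.CaptureKeys.
capture_log_status() {
    awk '
        # "OpenSSL hw engine(1): CHIL hardware engine support" means success;
        # "hw engine(0)" means the card could not be accessed. Keep the last seen.
        match($0, /hw engine\([0-9]+\)/) {
            engine = substr($0, RSTART + 10, RLENGTH - 11)
        }
        # "Loaded 1 keys from Capture.CaptureKeys." carries the key count.
        /Loaded [0-9]+ keys from Capture\.CaptureKeys/ {
            for (i = 1; i < NF; i++) if ($i == "Loaded") keys = $(i + 1)
        }
        END {
            printf "engine=%s keys=%d\n", (engine == "" ? "none" : engine), keys + 0
            exit (engine == "1" && keys + 0 > 0) ? 0 : 1
        }'
}
```

Usage on a live system: capture_log_status < /path/to/capture.log (the log path is whatever your PCA installation uses).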
Disable nCipher startup at passive capture boot time
This procedure must be done before removal of the nCipher hardware, to allow Passive Capture to boot without the hardware.
- Create a DISABLED directory in /etc/init.d.
- If present, move the nfast script from the /etc/init.d directory to the DISABLED directory.
- If you are using v11.40 or later software, move the two scripts, nc_drivers and nc_hardserver, from the /etc/init.d directory to the DISABLED directory.
- In /usr/lib, rename libnfhwcrhk.so to add a .disabled extension:
  mv libnfhwcrhk.so libnfhwcrhk.so.disabled
- Restart Passive Capture.