The following steps configure the nCipher startup scripts to run at boot or reboot before the PCA startup scripts. The nCipher card must be initialized before the PCA can be started.
If you haven't already installed the PCA software, you can do so now.
Depending on the operating system, complete the following sets of instructions:
Create nCipher Security World for PCA
If the nCipher card is to be used as an HSM keystore, an nCipher Security World must be created. The following instructions apply to the creation of an nCipher Security World, with some modifications specific to the CX Passive Capture Application, and cover these cards:
- nCipher nShield 4000
- nCipher nShield 6000e
If your network environment requires a different set of policies or more configuration, refer to the nShield_Quick_Start_Guide.pdf for further instructions.
- Plug in the smart card reader and insert a card. A green light on the reader indicates a good connection.
Note: To create a Security World keystore, the smart card reader must be plugged in with a card for writing the AES smart card group. Importing SSL keys does not require the card reader to be plugged in for the default FIPS 140-2 Level 2. The card reader must be installed to run the PCA by using the Security World keystore for its SSL keys.
- Create a Security World:
  - Log in to the host computer as a user in the nfast group.
  - Set the module switch on the back panel of the nShield to the I position, which is the pre-initialization mode.
  - To clear the module, run the following command:
  /opt/nfast/bin/nopclearfail ca
  - Run the following command:
  /opt/nfast/bin/new-world -m 1 -s 0 -Q 1/2 -k rijndael
  This command creates a FIPS Level 2-compliant Security World with OCS recovery and replacement enabled and a 1/2 ACS. The Security World is protected by an AES key. It generates 2 ACS smart cards, but only one is required for security access.
  - During the smart card generation process, you must enter a passphrase. For example:
  ACS smartcard test passphrase: testcard123
  This process takes 1-2 minutes per card. When the Security World is generated, a message similar to the following is displayed:
  Security World generated on module #1; hknso = 26b0b0fed1e2753c665b34af15523ebbb2a995a3
  - Set the module switch on the back of the nShield to the O position, which is Operational mode.
Configure startup scripts for RedHat
For servers using RedHat, complete the following set of instructions:
- Test the configuration by running the runlevel startup list command:
chkconfig --list | grep nc_
If a list is returned, the default nCipher startup scripts were correctly configured. To test, reboot the PCA and validate that it sees the nCipher kernel driver.
If nothing is listed, the default nCipher startup scripts are not correctly configured. The following startup scripts must have the correct run-level headers in the script file to be recognized:
nc_drivers
nc_hardserver
The nCipher startup scripts are symlinked to the following:
/opt/nfast/scripts/init.d/drivers
/opt/nfast/scripts/init.d/hardserver
- Edit the nCipher startup scripts:
  - Add the following lines to /opt/nfast/scripts/init.d/drivers:
  # chkconfig: 2345 45 55
  # description: nCipher drivers
  - Add the following lines to /opt/nfast/scripts/init.d/hardserver:
  # chkconfig: 2345 50 50
  # description: nCipher hardserver
  For example, the drivers script then begins:
  #!/bin/sh
  # generated by inst-def.sh
  # chkconfig: 2345 45 55
  # description: nCipher drivers
  It can take a few minutes for the system to automatically add the scripts to the chkconfig --list output.
- If the scripts are not displayed, enable runlevels 2,3,4,5 manually for nc_drivers and nc_hardserver by using chkconfig:
chkconfig --level 2345 nc_drivers on
chkconfig --level 2345 nc_hardserver on
- Validate that the PCA can access the nCipher kernel driver:
  - Restart the PCA.
  - Run the following command:
  # lsmod | grep nfp
  The output is:
  nfp 42116 2
  The 2 is the "used by" count.
  - To confirm that the PCA and nCipher startup scripts have the right startup priorities, check the rc symlinks. The following example shows nCipher starting first, followed by the PCA:
  /etc/rc.d/rc2.d/S45nc_drivers
  /etc/rc.d/rc2.d/S50nc_hardserver
  /etc/rc.d/rc2.d/S60tealeaf-pca
  /etc/rc.d/rc2.d/S55tealeaf-startup
- Validate that the PCA sees the nCipher kernel driver.
Configure startup scripts for SLES
Verify that nCipher starts up correctly with the Passive Capture Application. As of nCipher v11.40, two startup scripts (symlinks) are provided in the following locations.
- For proper startup, these scripts must run in the order listed:
/etc/init.d/nc_drivers
/etc/init.d/nc_hardserver
Note: For nCipher to be properly recognized, these nCipher startup scripts must be run before the PCA startup scripts. There can be issues with the startup sequence not working properly with SUSE SLES. For SLES, the suggested workaround is the following sequence.
- Disable runlevels for nc_drivers and nc_hardserver:
chkconfig -s nc_drivers off
chkconfig -s nc_hardserver off
- Turn them back on with runlevels 3 and 5:
chkconfig -s nc_drivers on 3 5
chkconfig -s nc_hardserver on 3 5
- By default, the priority for both scripts in each runlevel is set to S01. Change the startup priority of each of these scripts in the rc3.d and rc5.d directories by using the following commands:
mv /etc/rc.d/rc3.d/S01nc_drivers /etc/rc.d/rc3.d/S09nc_drivers
mv /etc/rc.d/rc5.d/S01nc_hardserver /etc/rc.d/rc5.d/S10nc_hardserver
- To validate that the nCipher driver is loaded properly, use the following command:
lsmod | grep nfp
The expected output is similar to the following, where the 2 is expected:
nfp 42116 2
- Validate that the PCA sees the nCipher kernel driver.
Validate nCipher Security World
To validate that the Security World environment is properly created, complete the following steps.
- Run the following command:
/opt/nfast/bin/nfkminfo
The expected output is the following, with Usable indicating proper validation:
World
 generation #
 state 0x17270000 Initialised Usable
 ...
 ...
Module #1
 generation #
 state 0x2 Usable
- For more information about adding SSL keys to the nCipher Security World keystore, review the instructions for using the following command:
/opt/nfast/bin/generatekey
The output of this command is a .pem reference SSL key. This key must be converted to the .ptl format that is used by the PCA.
- To convert the reference key file to a .ptl key, use the following command:
tealeaf pem2ptl <nCipherReference>.pem
- The newly created PCA .ptl keys can now be explicitly loaded into the PCA:
  - Manually: See SSL key management.
  - Automatically: Load the keys into the default directory:
  /usr/local/ctccap/etc/capturekeys
  Note: You must create the directory and enable the proper access permissions. See SSL key management.
The .ptl keys are loaded for use by the PCA.
Import SSL keys into nCipher keystore
To store private SSL keys for use by the PCA, the clear text PEM format of the keys is required. The nCipher utility, generatekey, creates equivalent reference PEM key files, which can then be converted for use by the PCA.
To install the nCipher SSL Key Management System, complete the following steps.
- Confirm that Linux™ is installed.
- Install the nCipher hardware card.
- Install the nCipher software, which installs the /opt/nfast/... directories and nfast scripts.
- Add the nCipher CHIL library directory, /opt/nfast/toolkits/hwcrhk, to the /etc/ld.so.conf file, if it is not present.
- Confirm that the PCA software is installed.
- Restart the CX Passive Capture Application server to confirm that it boots up successfully.
- Run the kernel module list command, lsmod, to confirm that the nfp nCipher kernel module is loaded.
- Create the required Security World environment for key import.
- Import the RSA PEM key files to the nCipher Security World by using the nCipher utility, /opt/nfast/bin/generatekey. For example:
/opt/nfast/bin/generatekey -i embed
This example assumes that keys are stored on disk in encrypted format.
  - Run the following command:
  [root@tstsys]# /opt/nfast/bin/generatekey -i embed
  Result:
  protect: Protected by? (token, softcard, module) [module] >
  - Press RETURN to accept the default. Result:
  pemreadfile: PEM file containing RSA key? []
  - Enter the private key file: tealeaf-web.pem. Result:
  embedsavefile: Filename to write key to? []
  - Enter the name of the ref file to write: tealeaf-web_ref.pem. Result:
  plainname: Key name? []
  - Enter the key name alias: tealeaf-web.
  - Press RETURN for the remaining prompts to accept the default values.
- Run the nCipher utility to list the keys in the Security World:
/opt/nfast/bin/nfkminfo -l
Verify use of private SSL keys
Through the PCA capture log, you can verify that the PCA is able to see and use the nCipher card.
In the PCA capture.log file, you must see the following message during startup:
May 26 15:30:11 mammoth reassd[22722]: OpenSSL hw engine(1): CHIL hardware engine support
The number of keys must also be indicated in the log:
Aug 20 16:53:37 mammoth reassd[10889]: Loaded 1 keys from Capture.CaptureKeys.
A message like the following indicates an error in accessing the nCipher card:
hw engine(0)
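As an added example (not code from the original documentation, nCipher or Tealeaf), the following POSIX shell script automates the two manual checks described above: that the nCipher rc symlinks (S45nc_drivers, S50nc_hardserver) sort before the tealeaf-* links in the RedHat and SLES startup-script sections, and that capture.log reports hw engine(1) with keys loaded rather than hw engine(0). The directory contents and log lines in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original documentation or nCipher/Tealeaf: automates
# the startup-order and capture.log checks. Demo inputs below are constructed.
# check_rc_order DIR: succeed when every S<NN>nc_* link in DIR sorts before
# every S<NN>tealeaf* link and nc_drivers does not sort after nc_hardserver.
check_rc_order() {
    dir=$1; nc_max=0; pca_min=100; drv=0; hsv=100
    for link in "$dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        name=${link##*/}
        prio=$(printf '%.2s' "${name#S}")      # two-digit start priority
        case "$name" in
            *nc_drivers)    drv=$prio ;;
            *nc_hardserver) hsv=$prio ;;
        esac
        case "$name" in
            S??nc_*)     if [ "$prio" -gt "$nc_max" ]; then nc_max=$prio; fi ;;
            S??tealeaf*) if [ "$prio" -lt "$pca_min" ]; then pca_min=$prio; fi ;;
        esac
    done
    if [ "$nc_max" -lt "$pca_min" ] && [ "$drv" -le "$hsv" ]; then
        echo "$dir: nCipher (up to S$nc_max) starts before PCA (from S$pca_min): OK"
    else
        echo "$dir: startup order WRONG (nCipher up to S$nc_max, PCA from S$pca_min)"
        return 1
    fi
}

# check_engine_log FILE: succeed when capture.log reports the CHIL engine as
# loaded ("hw engine(1)") and at least one key loaded; "hw engine(0)" fails.
check_engine_log() {
    if grep -q 'hw engine(0)' "$1"; then
        echo "$1: hw engine(0): PCA cannot access the nCipher card"; return 1
    fi
    if ! grep -q 'OpenSSL hw engine(1): CHIL hardware' "$1"; then
        echo "$1: no CHIL engine message found"; return 1
    fi
    grep -o 'Loaded [1-9][0-9]* keys' "$1" && return 0
    echo "$1: CHIL engine present but no keys were loaded"; return 1
}
# Constructed demo input modelled on the rc2.d listing and log lines above.
demo=$(mktemp -d); mkdir "$demo/good" "$demo/bad"
for s in S45nc_drivers S50nc_hardserver S60tealeaf-pca S55tealeaf-startup; do : > "$demo/good/$s"; done
for s in S60nc_drivers S60nc_hardserver S55tealeaf-startup S65tealeaf-pca; do : > "$demo/bad/$s"; done
printf '%s\n' 'May 26 15:30:11 mammoth reassd[22722]: OpenSSL hw engine(1): CHIL hardware engine support' \
    'Aug 20 16:53:37 mammoth reassd[10889]: Loaded 1 keys from Capture.CaptureKeys.' > "$demo/capture.log"
check_rc_order "$demo/good" || true
check_rc_order "$demo/bad" || true
check_engine_log "$demo/capture.log" || true
```

Point check_rc_order at /etc/rc.d/rc2.d (RedHat) or /etc/rc.d/rc3.d and rc5.d (SLES) and check_engine_log at the live capture.log to run the same checks on a real system.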
Disable nCipher startup at passive capture boot time
This procedure must be done before removal of the nCipher hardware to allow Passive Capture to boot without the hardware.
- Create a DISABLED directory in /etc/init.d.
- If present, move the nfast script from the /etc/init.d directory to the DISABLED directory.
- If you are using v11.40 or later software, move the two scripts, nc_drivers and nc_hardserver, from the /etc/init.d directory to the DISABLED directory.
- In /usr/lib, rename libnfhwcrhk.so to add the .disabled extension:
mv libnfhwcrhk.so libnfhwcrhk.so.disabled
- Restart Passive Capture.