
READ ME FIRST!

netHSM™

Quick Start Guide


Welcome to the future of network-based
Hardware Security Modules

For online technical support visit www.ncipher.com/support or email support@ncipher.com

Basic Software Set Up
This page shows how to set up a netHSM (with or without an nToken) on an RFS machine with a default configuration file for the first time.
For more detailed information about setup procedures and options, see the Hardware Installation Guide and appropriate chapters of the
netHSM User Guide.
Note: The instructions in this document require you to have added the path %NFAST_HOME%\bin (Windows)
or /opt/nfast/bin/ (Unix-based systems) to the value for the PATH system variable.
For more detailed information on each step, see the guide named on its "See:" line.

1. Install nToken hardware into client machine
   Physically fit nToken PCI card into client machine.
   Prepares client for installation (if nToken required).
   See: Hardware Installation Guide

2. Install nCipher software on remote file system (RFS) and client machines
   Administrator privileges needed on each machine.
   See: netHSM User Guide, Ch4: Software installation

3. Configure the Ethernet interface (from netHSM menu 1-1-1-1)
   Enter netHSM IP (from netHSM menu 1-1-1-1).
   Enter subnet mask (from netHSM menu 1-1-1-1).
   Confirm reboot and reboot netHSM.
   Enter default gateway (from netHSM menu 1-1-1-3).
   Sets the network location of the netHSM.
   Note: Leave link speed set to auto.
   See: netHSM User Guide, Ch5: Module & client config

4. Configure the remote file system (RFS) on the RFS machine (not the netHSM)
   anonkneti <netHSM IP>
   [Will respond with an ESN and HASH to be used in the rfs-setup command below.]
   rfs-setup --force <netHSM IP> <netHSM ESN> <netHSM KNETI HASH>
   This should look something like this example below:
   rfs-setup --force xxx.xxx.xxx.xxx 9F73-2D25-5D1A 4c05f57e9f981d33eadd149cd060b6ad535fc676
   rfs-setup creates a file and folder structure on a local machine for use by the netHSM as a remote file store.
   See: netHSM User Guide, Ch5: Module & client config

5. Configure the netHSM to use the RFS (from netHSM menu 1-1-3)
   Enter IP of remote file system (RFS) machine.
   Leave port number as default of 9004.
   Informs the netHSM of the location of its remote file system.
   See: netHSM User Guide, Ch5: Module & client config

6. Configure the auto push option (from netHSM menu 1-1-6)
   Allow auto push. Turn on, and set to RFS machine's IP address.
   This permits netHSM config files to be modified on RFS and loaded onto the netHSM.
   See: netHSM User Guide, Ch5: Module & client config

7. Configure log file storage options (from netHSM menu 1-1-7)
   Select either Append or Log.
   Decide what to do with log files – store on netHSM and RFS (select Append) or only on netHSM (select Log).
   See: netHSM User Guide, Ch5: Module & client config

8. Set the time and date on the netHSM (from netHSM menu 1-1-8)
   Enter UTC date and time.
   A reboot is requested here.
   Sets the time and date of the netHSM as UTC.

9. Create new (or load existing) security world (from netHSM menu 3-2-1 or 3-2-2)
   Create new security world (3-2-1).
   Load existing security world (3-2-2).
   In either case, you are prompted for the ACS.
   See: netHSM User Guide, Ch6: Managing security worlds

10. Create OCS (from netHSM menu 3-5-1)
   Create OCS, choosing appropriate K/N quorum and other options.
   See: netHSM User Guide, Ch6: Managing card sets & softcards

11. Configure the module to use the client (from netHSM menu 1-1-4-1)
   New client.
   Enter remote client IP.
   Select client privileged on any port (if you want a privileged connection to the client).
   Select No for nToken.††
   Informs the netHSM of the location of its client (a client is a machine using the netHSM for cryptography).
   ††If your client has an nToken and you wish to use it:
   On client machine run ntokenenroll. Note or keep on screen the keyhash and ESN.
   On netHSM, select Yes to enroll nToken, select port (default 9004).
   Check keyhash and ESN from client, and enroll if same.
   See: netHSM User Guide, Ch5: Module & client config

12. Configure the client to use the module
   nethsmenroll -p <netHSM IP> <netHSM ESN> <netHSM KNETI HASH>
   This sets a privileged client connection into the client configuration file.
   Use anonkneti for ESN and HASH.
   See: netHSM User Guide, Ch5: Module & client config

13. Configure TCP sockets on the client for Java applications (for example, KeySafe)
   config-serverstartup -sp
   This enables TCP sockets for Java.
   See: netHSM User Guide, Ch5: Module & client config

14. Stop and restart the hardserver
   Run the command: net stop "nfast server"
   Then run the command: net start "nfast server"
   These two commands stop and restart the hardserver.
   On Unix-based systems, log in as root and use the command init.d-ncipher restart.

15. Test the completed installation
   enquiry
   See: netHSM User Guide, Ch5: Module & client config
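
Steps 4 and 12 pass the ESN and hash reported by anonkneti straight into an enrolment command, while step 11 compares the nToken keyhash and ESN before enrolling. The script below is an added example (not nCipher code and not part of the original guide) that applies the same compare-before-enrol check to the anonkneti reply. It assumes anonkneti prints "<ESN> <HASH>" on one line and that the operator holds expected values obtained separately from that reply; 192.0.2.10 and the TRUSTED_* names are placeholders.

```shell
#!/bin/sh
# Added example, not nCipher code. Assumption: anonkneti prints a single
# line of the form "<ESN> <KNETI HASH>" (the guide only says it returns both).

lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Succeeds only for a well-formed pair. The ESN shape (XXXX-XXXX-XXXX) and
# the 40-hex-digit hash length are taken from the example in step 4.
valid_kneti() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9A-Fa-f]{4}(-[0-9A-Fa-f]{4}){2} [0-9A-Fa-f]{40}$'
}

# kneti_matches "<anonkneti reply>" <trusted ESN> <trusted hash>
# Returns 0 on match, 1 on mismatch, 2 on a malformed reply.
kneti_matches() {
    valid_kneti "$1" || return 2
    [ "$(lower "${1%% *}")" = "$(lower "$2")" ] || return 1
    [ "$(lower "${1##* }")" = "$(lower "$3")" ] || return 1
}

# enrol_cmd "<tool and flags>" <netHSM IP> "<reply>" <trusted ESN> <trusted hash>
# Prints the command line from step 4 or step 12 only if the reply checks out.
enrol_cmd() {
    if ! kneti_matches "$3" "$4" "$5"; then
        echo "refusing: anonkneti reply does not match trusted values" >&2
        return 1
    fi
    printf '%s %s %s %s\n' "$1" "$2" "${3%% *}" "${3##* }"
}

# Constructed sample reply, built from the example values shown in step 4.
SAMPLE_REPLY='9F73-2D25-5D1A 4c05f57e9f981d33eadd149cd060b6ad535fc676'

# Live use on the RFS machine (TRUSTED_ESN / TRUSTED_HASH are hypothetical
# variables holding values obtained separately from the network reply):
#   reply=$(anonkneti 192.0.2.10)
#   enrol_cmd 'rfs-setup --force' 192.0.2.10 "$reply" "$TRUSTED_ESN" "$TRUSTED_HASH"

# Demo with the constructed sample; 192.0.2.10 is a documentation address.
enrol_cmd 'rfs-setup --force' 192.0.2.10 "$SAMPLE_REPLY" \
    9F73-2D25-5D1A 4C05F57E9F981D33EADD149CD060B6AD535FC676
```

The comparison is case-insensitive, so a hash written down in upper case still matches; a truncated reply is rejected before any comparison is made.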
Menu Outline
1 System
  1-1 System configuration
    1-1-1 Network config
      1-1-1-1 Set up interface #1
      1-1-1-2 Set up interface #2
      1-1-1-3 Set default gateway
      1-1-1-4 Set up routing**
      1-1-1-5 Show routing table
      1-1-1-6 Ping remote host
      1-1-1-7 Trace route to host
    1-1-2 Hardserver config
    1-1-3 Remote file system
    1-1-4 Client config**
    1-1-5 Resilience config
    1-1-6 Config file options
      1-1-6-1 Fetch configuration
      1-1-6-2 Allow auto push
    1-1-7 Log config
    1-1-8 Date/time setting
    1-1-9 Keyboard layout
      1-1-9-1 UK keyboard
      1-1-9-2 US keyboard
    1-1-10 Default config
  1-2 System information
    1-2-1 View system logs
    1-2-2 View hardserver logs
    1-2-3 Display tasks
    1-2-4 Component versions
    1-2-5 View h/w diagnostics
  1-3 Login settings**
  1-4 Upgrade system
  1-5 Factory state
  1-6 Shutdown/Reboot
    1-6-1 Shutdown
    1-6-2 Reboot

2 HSM
  2-1 HSM information
    2-1-1 Display details
    2-1-2 Display secure RTC
    2-1-3 Speed test
    2-1-4 Display statistics
  2-2 HSM reset
  2-3 HSM feature enable
    2-3-1 Read FEM from card
    2-3-2 Read from a file
    2-3-3 View current state
    2-3-4 Write state to file
  2-4 Set HSM mode
    2-4-1 Operational
    2-4-2 Initialization

3 Security World Mgmt
  3-1 Display world info
  3-2 Module initialization
    3-2-1 New security world
    3-2-2 Load security world
    3-2-3 Erase security world
  3-3 RFS operations
    3-3-1 Update world files
    3-3-2 Remove RFS lock
  3-4 Admin operations
    3-4-1 Replace ACS
    3-4-2 Recover keys
    3-4-3 Recover PIN
    3-4-4 Set secure RTC
  3-5 Cardset Operations
    3-5-1 Create OCS
    3-5-2 List cardsets
  3-6 Card Operations
    3-6-1 Card details
    3-6-2 Check PIN
    3-6-3 Change PIN
    3-6-4 Erase card
  3-7 Keys
    3-7-1 List keys
    3-7-2 Verify Key ACLs
  3-8 Set up remote slots**

4 payShield

5 CodeSafe™ **

**Sub menus beneath these items are dependent upon the current settings of the unit

© Copyright 2008 nCipher Corporation Ltd.
nCipher, netHSM, payShield, nToken, and CodeSafe, are trademarks of nCipher Corporation
Limited. nFast® and the nCipher logo are registered trademarks of nCipher Corporation
Limited. All other trademarks are the property of the respective trademark holders.
N-012116/7

Warning: This equipment must be earthed.
Caution: The system must be earthed in accordance with the regulations.
Caution: The system must always be earthed in accordance with the regulations.

For full installation and safety instructions, now read the Hardware Installation Guide.
