Entrust Authority Security Manager 10: nShield HSM Integration Guide for Windows Server
Table of Contents
- Introduction
- Procedures
- Troubleshooting
  - (-8973) Could not connect to the Entrust Authority Security Manager service. Security Manager service may not be running.
  - Error encountered querying CA hardware
  - (-77) Problem reported with crypto hardware.
  - (-2229) An error occurred. Check the service status and manager logs for details.
  - HSM logs show missing algorithms errors that are not configured by Security Manager during startup.
  - "No Hardware Device Found"
  - (-2684) General hardware error
Introduction
Entrust Authority Security Manager is a Public-Key Infrastructure (PKI) that manages digital certificates and can publish Certificate Revocation Lists (CRLs). The Entrust nShield Hardware Security Modules (HSMs) are used to securely store and manage:
- The key pair for the Certificate Authority (CA).
- The key pair for the CRLs.
Note: Throughout this guide, the term HSM refers to nShield Solo/Solo+, nShield Connect/Connect+, and nShield Edge products.
Product configuration
The integration between the HSM and Security Manager has been successfully tested in the following configurations:
Product | Version
---|---
Operating System | Windows Server 2019
Security Manager | 10.0.10
Supported nShield hardware and software versions
Entrust has successfully tested with the following nShield hardware and software versions.
Connect XC
Security World Software | Firmware | Image | OCS | Softcard | Notes
---|---|---|---|---|---
12.80.4 | 12.50.11 | 12.80.4 | ✓ | ✓ | FIPS 140-2 Level 3
12.80.4 | 12.50.11 | 12.80.4 | ✓ | ✓ | FIPS 140-2 Level 2
12.80.4 | 12.60.15 | 12.80.4 | ✓ | ✓ | Common Criteria
Connect +
Security World Software | Firmware | Image | OCS | Softcard | Notes
---|---|---|---|---|---
12.80.4 | 12.50.8 | 12.80.4 | ✓ | ✓ | FIPS 140-2 Level 3
12.60.11 | 2.55.4 | 12.45.1 | Supported but not tested | ✓ | Common Criteria
Edge
Security World Software | Firmware | OCS | Softcard | Notes
---|---|---|---|---
12.80.4 | 12.50.8 | ✓ | ✓ | FIPS 140-2 Level 3
Supported nShield functionality
Function | Supported
---|---
Key Generation | Yes
Key Management | Yes
Key Import | No
Key Recovery | Yes
1-of-N Operator Card Set | Yes
K-of-N Operator Card Set | Yes
Softcards | Yes
Module-only Key | No
Strict FIPS Support | Yes
Load Balancing | Yes
Fail Over | Yes
Note: Fail Over and Load Balancing are not supported with the nShield Edge.
Requirements
To integrate the HSM and Security Manager, set up a server with the following software installed:
- nShield Security World software.
- A directory service installed and running according to the Entrust Authority Security Manager 10.0 Directory Configuration Guide.
- PostgreSQL Server.
- Security Manager 10.
Before attempting to install the software, Entrust recommends that you familiarize yourself with the Security Manager documentation and setup process, and that you have the User Guide for your HSM available. You also need to consider the following aspects of HSM administration:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- The number and quorum of Operator Cards in the OCS, and the policy for managing these cards.
- Key attributes such as the key size, persistence, and time-out.
- Whether there is any need for auditing key usage.
- Whether the Security World should be compliant with FIPS 140-2 Level 3 and whether to use the NIST SP800-131 suite of algorithms.
Note: The nShield Edge does not support NIST SP800-131.
More information
For more information about the nShield HSM, see the User Guide for the nShield HSM.
Procedures
Summary
- Install the HSM.
- Install the nShield Security World Software, and configure the Security World.
- Edit the cknfastrc file located in %NFAST_HOME%\cknfastrc.
- Install and configure Directory Services.
- Install the Entrust Authority Database.
- Establish a preload session.
- Install and configure Security Manager 10.0.10:
  - Install Security Manager 10.0.10.
  - Configure and initialize the Entrust CA.
All these procedures are described in the following sections.
Install the HSM
Install the HSM using the instructions in the Hardware Installation Guide for the HSM. Entrust recommends that you install the HSM before configuring the nShield Security World Software with your Security Manager setup.
Note: If you are using an nShield Edge, install the software first and then plug in the nShield Edge. If the nShield Edge is not reported or is reported as failed, open a command window as an Administrator, navigate to %NFAST_HOME%\bin, and run nc_hsc.exe.
Install the nShield Security World Software and create the Security World
Install the nShield Security World Software and create the Security World as described in the Hardware Installation Guide for the HSM. This document assumes that:
- You are installing an offline root Certificate Authority.
- A new root key is generated during installation.
After creating the Security World, configure the cknfastrc environment variables. The cknfastrc file can be found in %NFAST_HOME%\cknfastrc. Edit the file to include:
CKNFAST_NO_UNWRAP=1
CKNFAST_NO_ACCELERATOR_SLOTS=1
CKNFAST_LOADSHARING=0 <see note below>
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none
NFAST_NFKM_TOKENSFILE=C:\Preload\<filename>
Note: The filename is user defined and will be referenced in the preload command. For example: %NFAST_HOME%\Bin>preload -c <OCS Name> -f <pathname to preload file and filename> pause
Note: When using a K-of-N Cardset where K>1, set CKNFAST_LOADSHARING=0. When using a K-of-N Cardset where K=1, set CKNFAST_LOADSHARING=1. This also applies when using Softcards.
Note: For more information about the environment variables used in cknfastrc, see the nShield PKCS11 library environment variables section in the User Guide for the HSM.
Note: For Enhanced Database Protection (EDP), use CKNFAST_LOADSHARING=0 after enabling the database hardware protection. Restart the system for load sharing to work.
Note: When you are using nShield with ePassport CVCA, use CKNFAST_ASSUME_SINGLE_PROCESS=0. If ePassport Document Verifier Certificate requests are canceled, this setting ensures that the associated physical key is deleted in the HSM. For information on environment variables, see the User Guide for the HSM.
Install and configure Directory Services
Install the Directory Services using the instructions in the Security Manager 10.0 Directory Configuration Guide. This guide describes the Security Manager directory requirements and the Security Manager schema. It also describes how to configure supported directories for Security Manager.
When completed, make a note of the following, as it will be used later in the setup:
- Top Level DN: o=Entrust
- CA Directory Location: ou=CA,o=Entrust
- Directory Administrator: cn=diradmin,ou=CA,o=Entrust
- Password for CA: xxxxxx
- Password for Directory Administrator: xxxxxx
Install the Entrust Authority database
Security Manager requires a database to store information about the Certification Authority, X.509 users, and EAC entities. For a list of supported databases, see PSIC-Entrust Authority Security Manager 10.0.
In this guide, an embedded Security Manager PostgreSQL database is used. This database will be installed on the same server that will host Security Manager.
For more information about installing and configuring the Security Manager PostgreSQL Database, see the Security Manager Database Configuration Guide.
If you are using your own supplied database, it is strongly recommended that you install the database on its own dedicated server. To install and configure (or upgrade) your chosen database, read your database documentation and the Security Manager Database Configuration Guide.
To install and use Security Manager in a cluster, you must use your own supplied database. Using the Entrust supplied Security Manager PostgreSQL Database is not supported for a cluster environment.
To install PostgreSQL Server on the server machine:
- Download the PostgreSQL Server installer for the Windows operating system (SecurityManagerPostgreSQL.11.7.27.msi) from the Entrust TrustedCare online support site.
- To start installing the PostgreSQL database for Security Manager, double-click the setup file SecurityManagerPostgreSQL.11.7.27.msi. An installation wizard appears.
- Select Next.
- In the PostgreSQL Database Folders window, accept the default, then select Next.
- In the PostgreSQL Windows Account Password window, set the password for the easm_entrust_pg account, then select Next.
- In the PostgreSQL Databases Accounts window, provide the password for the easm_entrust and easm_entbackup accounts, then select Next.
- In the PostgreSQL Database Port window, accept the default, then select Next.
- In the Check Setup Information window, review the settings and select Next.
- In the Ready to Install window, select Install.
- In the Install Wizard Complete dialog, select Finish.
- Close any open windows or dialogs.
Make a note of these users and passwords, as this information will be needed later in the setup.
Establish a preload session
You can use an OCS or Softcard to establish a connection with the HSM. Before installing Security Manager, you must preload the OCS or Softcard that is used to protect the Entrust keys. If you are using a K-of-N OCS, this section assumes the OCS has already been created. Refer to your Security World User Guide on how to create an OCS or Softcard. You must decide which method you will use for the connection before proceeding.
To initialize Security Manager, the OCS or Softcard has to be preloaded.
- Create an empty folder called Preload on drive C:.
- Right-click on a command prompt, select Run as Administrator, and navigate to %NFAST_HOME%\bin>.
- Run the following command to list the OCS:
  - For K-of-N OCS:
    % nfkminfo.exe -c
  - For Softcard:
    % nfkminfo.exe -s
- Preload the Cardset by running the following command:
  - For K-of-N OCS:
    % preload -c <cardsetname> -f <pathname>\<filename> pause
  - For Softcard:
    % preload -s <softcardname> -f <pathname>\<filename> pause
  The filename is user defined but must be consistent between the variable set in cknfastrc and the preload invocation. For example:
  - A variable set in cknfastrc: NFAST_NFKM_TOKENSFILE=C:\Preload\filename
  - A variable invoked with preload: >preload.exe -c ocsname -f "C:\Preload\filename" pause
- Present the OCS when prompted and enter the passwords for the OCS or Softcard. You must keep the preload command window active. You can minimize it but do not close it, otherwise you will shut down the session. You can confirm that the Cardset has preloaded by opening another command window and running the command below. The loaded Objects will be reported.
  - For K-of-N OCS:
    % preload.exe -c <cardsetname> -f <pathname>\<filename> nfkminfo
  - For Softcard:
    % preload -s <softcardname> -f <pathname>\<filename> nfkminfo
Useful information concerning Operator Card Sets (OCS):
- You must present sufficient different OCS cards to fulfill the quorum. The passphrase (if any) can be different for each OCS card.
- If non-persistent cards are used, then the last card in the quorum must remain inserted in the card reader.
- If persistent cards are used, then the last card in the quorum can be removed from the card reader.
- The tokens file is generated by the preload utility and is valid for one continuous session only. If the session is lost, then the token authorization is lost. You cannot reuse the same token file once the session is lost, even if you will use the exact same OCS cards again. To restart, you must delete the expired tokens file and go through the entire preload sequence again.
- A session, and its tokens authorization, may be lost if:
  - There is a temporary power failure.
  - You remove the last card in the quorum if they are non-persistent OCS cards.
  - You clear the module.
- Softcards can be created using the ppmk command: ppmk -n mysoftcard
Important: The tokens file represents a security risk if permissions to access it are not restricted to authorized persons only.
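The cknfastrc settings from the previous section and the tokens-file consistency and permission points made here can be handled in one script. The following PowerShell is an added example, not code from the Entrust guide or the nShield software: it writes the cknfastrc values listed above, picks CKNFAST_LOADSHARING from the cardset quorum according to the notes, creates the Preload folder with an explicit ACL restricted to SYSTEM and Administrators, and prints the matching preload command. The default NFAST_HOME fallback path, the tokens file name C:\Preload\tokens, and the parameter names are assumptions.

```powershell
<#
  Added example, not part of the Entrust guide. Writes the cknfastrc settings listed above,
  choosing CKNFAST_LOADSHARING from the cardset quorum, creates the preload folder with a
  restricted ACL, and prints the matching preload command. Assumptions: NFAST_HOME is set
  (the default install path is used otherwise); the cardset name and quorum come from the
  operator; the tokens file name is user defined, so it is supplied once and reused.
#>
param(
    [Parameter(Mandatory)][string]$CardsetName,  # OCS name, or softcard name with -Softcard
    [Parameter(Mandatory)][int]$Quorum,          # K of a K-of-N OCS; use 1 for a softcard
    [switch]$Softcard,
    [switch]$EnhancedDatabaseProtection,         # EDP: the guide requires load sharing off
    [string]$TokensFile = 'C:\Preload\tokens'    # assumed name; must match the preload command
)

$nfastHome = if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\Program Files\nCipher\nfast' }
$cknfastrc = Join-Path $nfastHome 'cknfastrc'

# Guide rule: K>1 (or EDP) needs CKNFAST_LOADSHARING=0; K=1 and softcards use 1.
$loadSharing = if ($Quorum -gt 1 -or $EnhancedDatabaseProtection) { 0 } else { 1 }

$settings = @(
    'CKNFAST_NO_UNWRAP=1'
    'CKNFAST_NO_ACCELERATOR_SLOTS=1'
    "CKNFAST_LOADSHARING=$loadSharing"
    'CKNFAST_OVERRIDE_SECURITY_ASSURANCES=none'
    "NFAST_NFKM_TOKENSFILE=$TokensFile"
)

# Keep a copy of any existing cknfastrc, then write the new settings.
if (Test-Path -LiteralPath $cknfastrc) {
    Copy-Item -LiteralPath $cknfastrc "$cknfastrc.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
}
Set-Content -LiteralPath $cknfastrc -Value $settings -Encoding ASCII

# The tokens file authorizes use of the preloaded keys for the whole session, so the
# folder gets an explicit ACL (SYSTEM and Administrators only) with inheritance removed.
$preloadDir = Split-Path -Path $TokensFile -Parent
New-Item -ItemType Directory -Path $preloadDir -Force | Out-Null
$acl = Get-Acl -LiteralPath $preloadDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $preloadDir -AclObject $acl

# Show the preload command that pairs with this cknfastrc; run it elevated and keep
# the window open, since closing it ends the session and invalidates the tokens file.
$flag = if ($Softcard) { '-s' } else { '-c' }
Write-Host "Wrote $cknfastrc with CKNFAST_LOADSHARING=$loadSharing"
Write-Host "Run from $nfastHome\bin and leave it running:"
Write-Host "  preload $flag `"$CardsetName`" -f `"$TokensFile`" pause"
```

Run it from an elevated PowerShell window, for example `.\Set-PreloadConfig.ps1 -CardsetName EntrustOCS -Quorum 2`, then start the printed preload command in a separate window that stays open for the life of the session.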
Install and configure Security Manager
Install Security Manager
To install Security Manager on the server computer:
- Download Security Manager for Windows (SecurityManager.10.0.10.173.msi) from the Entrust TrustedCare online support site.
- Run the installation program. The install wizard will launch and install the software. The installation path after the install will be C:\Program Files\Entrust.
- Once the installation completes, select Finish in the Install Wizard Complete dialog.
Configure the Entrust CA
This section describes how to configure Security Manager. You can configure Security Manager immediately after you install it. You must configure Security Manager before you can initialize it. (Initializing Security Manager allows you to use Security Manager.)
When you configure Security Manager, you provide data that allows Security Manager to connect to your directory and the Security Manager database, and you choose certificate algorithms, lifetimes, and other options for your Certification Authority.
Note: You can only configure Security Manager once. If you make a mistake configuring Security Manager, you can change some of the settings by editing the entmgr.ini file, or you can uninstall Security Manager, then reinstall and configure it.
To configure Security Manager:
- Navigate to the Security Manager \bin directory. By default, this is C:\Program Files\Entrust\Security Manager\bin.
- Double-click entConfig.exe. The Database Deployment Model dialog appears.
- Select Yes.
- In the Entrust Authority Security Manager Configuration dialog, select Next. The Security Manager License Information dialog appears.
- Enter the Enterprise licensing information that appears on your Entrust licensing card:
  - Serial Number
  - Enterprise user limit
  - Enterprise licensing code
- Select Next. The Security Manager Data and Backup Locations dialog appears.
- Accept the defaults:
  - For the data files, the default is c:\authdata.
  - For the backup files, the default is c:\entbackup.
- Select Next. The Directory Node and Port dialog appears.
- Enter the required details:
  - Select the type of directory that Security Manager will use, for example: LDAP Directory.
  - Enter the Directory node name (server name or IP address) of your directory services server.
  - Set the Directory listen port to 389.
- Select Next. The CA Distinguished Name and Password dialog appears.
- Enter the CA DN and CA Directory access password, which you provided when you were configuring the Directory Services for use with Security Manager (see Install and configure Security Manager).
- Select Test Bind Information.
  - If the bind is successful, select OK.
  - If the bind is unsuccessful, ensure that the server name or IP address is correct and that the Directory Services is running, then retest using the following information:
    - Set CA DN to o=CA<name>.
    - Enter the CA Directory access password.
- Select Next. The Directory Administrator Distinguished Name and Password dialog appears.
- Enter the distinguished name and password details:
  - Enter the Directory administrator DN as cn=diradmin,ou=CA,o=Entrust.
  - Enter the Directory access password.
- Select Test Bind Information.
  - If the bind is successful, select OK.
  - If the bind is unsuccessful, ensure that the server name or IP address is correct and that the Directory Services is running, then retest using the following information:
    - Set Directory administrator DN to cn=<manager>.
    - Enter the Directory access password.
- Select Next. The Advanced Directory Attributes dialog appears. This displays the distinguished name for the First Officer.
- Verify that the information for the First Officer is correct. It should follow the general format cn=First Officer, o=CA<name>.
- Select Next. The Verify Directory Information dialog appears.
- Select Verify Directory information now, then select Next. The ENTDVT Logfile page appears. The Entrust Directory Verification Tool (EntDVT) will verify the settings. At the bottom of the dialog there should be no errors in the Summary section.
  Note: If there are errors in the results, you need to address them in your directory services setup before proceeding.
- Select Next. The Current User's Windows Login Password dialog appears.
- Log in with your Windows credentials.
- Clear the Enable autologin for automatic service startup checkbox.
- Select Next. The Database User and Password dialog appears.
- Enter the password that was assigned to easm_entrust when you installed the PostgreSQL Server (see Install and configure Security Manager), then select Next. The Database User and Password dialog appears.
- Enter the password that was assigned to the backup user when you installed the PostgreSQL Server (see Install and configure Security Manager), then select Next. The Security Manager Port Configuration dialog appears.
- Accept the defaults, then select Next. The CA Type dialog appears.
- Accept the default Root CA, then select Next. The Cryptographic Information dialog appears.
- Select the Certification Authority Key Generation tab, select Use hardware, then select Next.
- On the CA Key Type tab, which defines the CA key pair type and parameters, accept the defaults, then select Next.
- On the Database tab, which defines the database encryption algorithm, accept the default, then select Next.
- On the User Signing Key Type tab, which defines the key pair type and parameters for user signing keys, accept the defaults, then select Next.
- On the User Encryption Key Type tab, which defines the key pair type and parameters for user encryption keys, accept the defaults, then select Next.
- On the CA Signing Algorithm Type tab, accept the default, then select Next.
- On the Policy Certificate tab, which defines the lifetime of the Entrust policy certificate, accept the default, then select Next.
  Note: For this integration to work with EC-P and RSAPSS, the ECC activation feature must be enabled for the nShield HSM. In the %NFAST_HOME%\bin directory, run FET.exe.
  The No Hardware Device Found dialog appears.
- Select Ok. A file explorer opens.
- To select the nShield PKCS11 library, navigate to and select %NFAST_HOME%\toolkits\pkcs11\cknfast.dll.
  Note: You can confirm this location by opening the entmgr.ini file located in the Entrust directory and looking for the CryptokiV2LibraryNT = C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll entry.
- In the Use This Hardware dialog, select the HSM slot, then select Next.
- In the CRL Configuration dialog, select No, do not work with Microsoft Windows applications, then select Next.
- In the CRL Distribution Point dialog, accept the defaults, then select Next.
- In the CA Certificate Properties dialog, accept the default of 120 months for the CA certificate lifetime and 100% for the private key usage period, then select Next.
  Note: Consult the security policy of your organization for recommendations about the CA lifetime.
  The CRL Share Warning dialog appears.
- Select OK. The Configuration Complete dialog appears.
- To initialize the CA, select Run Security Manager Control Command Shell now, and then select OK. The Security Manager Control Command Shell (entsh) launches and starts the CA initialization process.
  Note: You will have the option to initialize the CA later by running the init command from the entsh command window.
- Provide the password for the HSM PKCS11 user that you created when you installed and initialized the HSM using the tools provided by the HSM.
- Enter and confirm passwords for all Master users and the First Officer. These are required later during testing. For example:
Starting First-Time Initialization...
A Hardware Security Module (HSM) will be used for the CA key:
nCipher Corp. Ltd SN : b0xxxxxxxxxxxx19e
The HSM requires a password.
Enter password for CA hardware security module (HSM):
Enter new password for Master1:
Confirm new password for Master1:
Enter new password for Master2:
Confirm new password for Master2:
Enter new password for Master3:
Confirm new password for Master3:
Enter new password for First Officer:
Confirm new password for First Officer:
Initialization starting; creating ca keys...
Initialization complete.
Starting the services...
Creating CA profile...
Creating First Officer profile...
You are logged in to Security Manager Control Command Shell.
Performing database backup...
NOTICE: pg_stop_backup complete, all required WAL segments have been archived
SUCCESS: Full backup completed successfully.
Enabling autologin for service startup...
Press return to exit
- Close any open windows or dialogs.
Initialize Security Manager
If you did not initialize Security Manager at the end of the configuration process, you can do so later:
- Open a Windows cmd terminal.
- Enter the following commands:
% cd C:/Program Files/Entrust/Security Manager/bin
% entsh.exe -e "source \"C:/Program Files/Entrust/Security Manager/bin/FirstTimeInit.tcl\""
Test the integration
- Open a Windows command terminal.
- Open an Entrust Shell:
% cd C:/Program Files/Entrust/Security Manager/bin
% entsh.exe
Further commands during testing are executed inside the Entrust Shell.
Verify the in-memory CA key cache
In the Entrust Shell:
entsh$ ca key show-cache
**** In Memory CA cache ****
Record Status Legend:
C = current key
H = key on hold
A = non-current key
X = revoked or expired non-current key has been obsoleted
HWV1 = hardware key PKCS11 V1 *** NOT SUPPORTED ***
HWV2 = hardware key PKCS11 V2
SW = software key
----------------------------------------------------
Internal key index: 1
CA certificate issued by: ou=CA,o=Entrust
serial number: 009XXXXXXXXXXXXXXXXXXXXXXXXXXX89A0
current CA certificate: Y
CA certificate issue date: Thu Feb 11 20:02:26 2021
CA certificate expire date: Tue Feb 11 20:32:26 2031
subject key identifier: 0010852416D0F74AF66F7F23F726CA0321C6888B
private key active: Y
private key expired: N
certificate expired: N
certificate revoked: N
revocation details: N/A
key: RSA-2048
global signing policy: RSA-SHA256 (sha256WithRSAEncryption)
record status in database: C HWV2
migrated: N
hardware load error: N
hardware CKA_ID: LH/7mxxxxxxxxxxxxxxxxM=
hardware status: Loaded >> 'nCipher Corp. Ltd SN : b0xxxxxxxxxxxxxxxxa19e SLOT : 761406613'.
----------------------------------------------------
**** End of In Memory CA cache ****
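The cache listing above is what an operator reads by eye after initialization. The PowerShell below is an added example, not part of the Entrust guide or the entsh tool: it parses output in the show-cache format into one record per key and flags a current CA key whose record status is not HWV2, an HWV1 key, a hardware load error, or an expired current private key. The sample text is constructed from the format shown above, with placeholder serial number and CKA_ID values; in practice, pass the saved output of the entsh command one line per element.

```powershell
<#
  Added example, not part of the Entrust guide. Parses "ca key show-cache" output in the
  format shown above and flags CA key records that should not be accepted after an HSM
  integration. The sample below is constructed; serial number and CKA_ID are placeholders.
#>
function Test-CaKeyCache {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Group "name: value" lines into one record per "Internal key index" block.
    $records = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Internal key index:\s*(\d+)') {
            if ($current) { $records.Add($current) }
            $current = [ordered]@{ Index = [int]$Matches[1] }
            continue
        }
        # Non-greedy match stops at the first colon, so values may themselves contain colons.
        if ($current -and $line -match '^\s*([^:]+?):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $records.Add($current) }

    foreach ($r in $records) {
        $status    = $r['record status in database']
        $isCurrent = ($r['current CA certificate'] -eq 'Y')
        $problems  = @()
        # The current key must be held in the HSM through PKCS11 V2 (HWV2), not SW or HWV1.
        if ($isCurrent -and $status -notmatch '\bHWV2\b') {
            $problems += "current key is not a PKCS11 V2 hardware key (status '$status')"
        }
        if ($status -match '\bHWV1\b')                            { $problems += 'HWV1 keys are not supported' }
        if ($r['hardware load error'] -eq 'Y')                    { $problems += 'hardware load error reported' }
        if ($isCurrent -and $r['private key expired'] -eq 'Y')    { $problems += 'current private key has expired' }
        [pscustomobject]@{
            Index    = $r['Index']
            Key      = $r['key']
            Status   = $status
            Hardware = $r['hardware status']
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample in the guide's output format (not real entsh output).
$sample = @'
**** In Memory CA cache ****
----------------------------------------------------
Internal key index: 1
CA certificate issued by: ou=CA,o=Entrust
serial number: 00PLACEHOLDERSERIAL
current CA certificate: Y
private key active: Y
private key expired: N
key: RSA-2048
record status in database: C HWV2
hardware load error: N
hardware CKA_ID: PLACEHOLDER=
hardware status: Loaded >> 'nCipher Corp. Ltd SN : PLACEHOLDER SLOT : 761406613'.
----------------------------------------------------
**** End of In Memory CA cache ****
'@ -split "`r?`n"

Test-CaKeyCache -Lines $sample | Format-Table -AutoSize
```

For a real check, save the shell output to a file and call `Test-CaKeyCache -Lines (Get-Content .\show-cache.txt)`; any row with Ok set to False names the condition that needs attention before the CA is put into service.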
Verify the hardware information
In the Entrust Shell:
entsh$ ca key show-cahw -type all
You must log in to issue the command.
Master User Name: Master1
Password:
EAC is not enabled. There is no associated cryptographic hardware for EAC.
**** Hardware Information ****
----------------------------------------------------
Name:
nCipher Corp. Ltd SN : b02xxxxxxxxxxxxxxxxx19e SLOT : 761406613
Has current X.509 CA key: Y
Load Status: hardware loaded ok
Uses Password: Y
DB protection HW: N
In use for X.509 CA keys: Y
In use for EAC keys: N
ECDSA style: 1 (use raw digest)
----------------------------------------------------
**** End of Hardware Information ****
Import the CA key pair from software to hardware
To import the CA key pair from software to the HSM (from software to hardware), use the Entrust Shell:
entsh$ ca key update
This prompts you to select the destination for the new CA key.
Select the nCipher slot as the destination for the new CA key. For example:
Select the destination for the new CA key.
Choose one of:
1. Software
2. nCipher Corp. Ltd SN : cfc17259ebffe335 SLOT : 761406613
3. Cancel operation
> 2
Checking cluster status...
The cluster will be stopped and the CA key updated.
Do you wish to continue (y/n) ? [y]
Stopping cluster...
100% complete. Estimated time remaining -:-:- /
CA key and certificate successfully updated.
Recovering CA profile...
Starting cluster...
CA profile successfully recovered.
It is recommended that all revocation lists be re-issued. This can be done later with the 'rl issue' command. Re-issue revocation
lists now (y/n) ? [y] y
Issuing CRLs, please wait ...
1 CRL(s) were issued.
1 ARL(s) were issued.
1 combined CRL(s) were issued.
Publishing CRLs, please wait ...
After you have moved the CA key to the HSM and have finished updating it, a message about the CA profile being successfully recovered appears.
Security Manager configuration and integration with the HSM is now complete.
Export the CA key pair from hardware to software
To export the Entrust CA key pair from the HSM to software (from hardware to software), use the Entrust Shell:
entsh$ ca key update
This prompts you to select the destination for the new CA key.
Select the software slot as the destination for the new CA key. For example:
Select the destination for the new CA key.
Choose one of:
1. Software
2. nCipher Corp. Ltd SN : cfc17259ebffe335 SLOT : 761406613
3. Cancel operation
> 1
Checking cluster status...
The cluster will be stopped and the CA key updated.
Do you wish to continue (y/n) ? [y] y
Stopping cluster...
100% complete. Estimated time remaining -:-:- -
CA key and certificate successfully updated.
Recovering CA profile...
Starting cluster...
CA profile successfully recovered.
It is recommended that all revocation lists be re-issued. This can be done later with the 'rl issue' command. Re-issue revocation
lists now (y/n) ? [y]
Issuing CRLs, please wait ...
1 CRL(s) were issued.
1 ARL(s) were issued.
1 combined CRL(s) were issued.
After you have finished updating the CA key, its export to software is complete.
Back up Security World files
To back up Security World files:
- Back up the C:\ProgramData\nCipher\Key Management Data\local directory. Such a backup of Security World files must be performed after any new key generation or Security World administration activities.
- Store the backup files according to your organization's disaster recovery instructions.
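The two steps above can be scripted so that the copy is taken consistently after every key operation and verified before it is handed to the disaster-recovery process. The PowerShell below is an added example, not part of the Entrust guide or the nShield software: it copies the Security World directory named above into a timestamped folder, writes a SHA-256 manifest of the copy, and checks every hash back against the source. The backup root D:\Backups\SecurityWorld is an assumed location.

```powershell
<#
  Added example, not part of the Entrust guide. Copies the Security World directory to a
  timestamped backup folder, records a SHA-256 manifest, and verifies the copy against the
  source. The backup root is an assumed value; the source path is the one named in the guide.
#>
param(
    [string]$Source     = 'C:\ProgramData\nCipher\Key Management Data\local',
    [string]$BackupRoot = 'D:\Backups\SecurityWorld'   # assumed location
)

if (-not (Test-Path -LiteralPath $Source)) { throw "Security World directory not found: $Source" }

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot "local-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# robocopy copies the whole tree with data, attributes and timestamps; exit codes 0-7 are success.
& robocopy $Source $dest /E /COPY:DAT /R:2 /W:2 /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Build a manifest of every copied file, then compare each hash with the source file.
$manifest = Get-ChildItem -LiteralPath $dest -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($dest.Length).TrimStart('\')
        Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}
$mismatch = $manifest | Where-Object {
    $src = Join-Path $Source $_.RelativePath
    (-not (Test-Path -LiteralPath $src)) -or
    ((Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash -ne $_.Sha256)
}
if ($mismatch) {
    throw "Backup verification failed for: $(($mismatch | ForEach-Object RelativePath) -join ', ')"
}

# The manifest is written only after verification so it is not part of its own listing.
$manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
Write-Host "Backed up $($manifest.Count) files to $dest; all hashes verified."
```

Run the script as an Administrator after each key generation or Security World administration step; the manifest.csv in the backup folder lets whoever restores the backup confirm the files are unchanged before using them.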
Troubleshooting
The following are error messages that might appear during the procedures described in this guide.
(-8973) Could not connect to the Entrust Authority Security Manager service. Security Manager service may not be running.
The Entrust service is not running in the Entrust Authority Master Control shell (entsh$).
Resolution
- Open the Master Control shell (entsh$).
- Log in with Master1.
- Run Service Start.
Error encountered querying CA hardware
When you are configuring Security Manager, you see the following message:
Are you using a hardware device for the CA keys (y/n) ? [n] y
Enter the pathname for the CryptokiLibrary.
[/opt/nfast/toolkits/pkcs11/libcknfast.so] >
Error encountered querying CA hardware.
Resolution
Make sure you have an operator card set in the HSM. Once that is in place, the script should be able to see the HSM.
(-77) Problem reported with crypto hardware.
When you are initializing Security Manager, you see the following message:
Initialization starting; creating ca keys...
(-77) Problem reported with crypto hardware.
GenerateKeyPairX509
Press return to exit
Resolution
Make sure that the following variable in the cknfastrc file is set to 1:
CKNFAST_LOADSHARING=1
(-2229) An error occurred. Check the service status and manager logs for details.
Timeout issue.
Resolution
- Log in to entsh$.
- Run service status.
- If the service is shown as down, start it by running service start.
HSM logs show missing algorithms errors that are not configured by Security Manager during startup.
Security Manager performs a FIPS self-test that exercises many algorithms and functions beyond those explicitly configured for use once operational. These tests are required for FIPS 140-x conformance.
Resolution
- Security Manager treats any algorithm not being available during the self-test as informational only.
- FIPS self-test errors in the HSM log do NOT stop Security Manager startup.
"No Hardware Device Found"
During the configuration of Entrust Security Manager, the message "No Hardware Device Found" pops up every time, even if the right library is selected.
Resolution
- Make sure that entconfig.ini and entrust.ini both have the correct PKCS#11 library setting.
- Ensure that any HSM service is running.
(-2684) General hardware error
HSM Service is not available
Resolution
Ensure that any HSM service is running and responding.
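Several of the errors above share the same causes: a wrong PKCS#11 library path, the HSM service not running, a missing preload tokens file, or the wrong CKNFAST_LOADSHARING value. The PowerShell below is an added example, not part of the Entrust guide or the nShield software: it runs read-only checks for each of those and reports a pass/fail row per check. The entmgr.ini path, the service name 'nFast Server', the fallback NFAST_HOME path, and the function name are assumptions; adjust them to the installation.

```powershell
<#
  Added example, not part of the Entrust guide. Read-only pre-flight checks for the
  "No Hardware Device Found", (-2684) and (-77) cases: the PKCS#11 library recorded in
  entmgr.ini exists, the HSM service is running, cknfastrc names an existing tokens file,
  and CKNFAST_LOADSHARING has the value expected for the cardset. Assumed values:
  entmgr.ini location, service name 'nFast Server', fallback NFAST_HOME path.
#>
function Test-HsmIntegration {
    param(
        [string]$EntmgrIni   = 'C:\Program Files\Entrust\Security Manager\entmgr.ini',
        [string]$ServiceName = 'nFast Server',
        [int]$ExpectedLoadSharing = 0        # 0 for K>1 or EDP, 1 for K=1 or softcards
    )
    $nfastHome = if ($env:NFAST_HOME) { $env:NFAST_HOME } else { 'C:\Program Files\nCipher\nfast' }
    $results = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }) }

    # 1. PKCS#11 library path that entConfig wrote to entmgr.ini (CryptokiV2LibraryNT entry).
    $lib = $null
    if (Test-Path -LiteralPath $EntmgrIni) {
        $m = Select-String -LiteralPath $EntmgrIni -Pattern '^\s*CryptokiV2LibraryNT\s*=\s*(.+?)\s*$' |
             Select-Object -First 1
        if ($m) { $lib = $m.Matches[0].Groups[1].Value }
    }
    $expectedLib = Join-Path $nfastHome 'toolkits\pkcs11\cknfast.dll'
    & $add 'entmgr.ini readable'     (Test-Path -LiteralPath $EntmgrIni) $EntmgrIni
    & $add 'CryptokiV2LibraryNT set' ($null -ne $lib) $(if ($lib) { $lib } else { 'entry not found' })
    & $add 'PKCS#11 library exists'  ($lib -and (Test-Path -LiteralPath $lib)) "expected $expectedLib"

    # 2. HSM service; match on service name or display name since either may be used.
    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName } |
           Select-Object -First 1
    $svcDetail = if ($svc) { "$($svc.Name): $($svc.Status)" } else { "service '$ServiceName' not found" }
    & $add 'HSM service running' ($svc -and $svc.Status -eq 'Running') $svcDetail

    # 3. cknfastrc: tokens file from the preload session, and the load-sharing setting.
    $rc   = Join-Path $nfastHome 'cknfastrc'
    $vars = @{}
    if (Test-Path -LiteralPath $rc) {
        Get-Content -LiteralPath $rc | ForEach-Object {
            if ($_ -match '^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$') { $vars[$Matches[1]] = $Matches[2] }
        }
    }
    $tokens = $vars['NFAST_NFKM_TOKENSFILE']
    $tokDetail = if ($tokens) { $tokens } else { 'NFAST_NFKM_TOKENSFILE not set' }
    & $add 'preload tokens file exists' ($tokens -and (Test-Path -LiteralPath $tokens)) $tokDetail
    & $add "CKNFAST_LOADSHARING=$ExpectedLoadSharing" `
           ($vars['CKNFAST_LOADSHARING'] -eq "$ExpectedLoadSharing") "found '$($vars['CKNFAST_LOADSHARING'])'"

    return $results
}

Test-HsmIntegration | Format-Table -AutoSize
```

Run it from an elevated PowerShell window on the Security Manager host; a False in the Pass column points at the setting to correct before retrying entConfig or the CA initialization. Pass `-ExpectedLoadSharing 1` for a 1-of-N OCS or a Softcard, matching the (-77) resolution above.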