1) Install the module : Follow the instructions in section ‘Installing an nShield module’ in document Hardware_Installation.pdf and install the module.
2) Install the nCipher software :
a) Install Java 2 runtime environment
b) Copy files from the vendor media to the computer which has the module and run setup.exe. Refer to section ‘2.2 – Install the nCipher software’ in the document nShield_Quick_Start_Guide.pdf and install the software.
3) Test the installation : Run the instructions mentioned in section ‘2.3 Test the installation’ in the document nShield_Quick_Start_Guide.pdf and verify the installation.
4) Fix KeySafe starting issue : The KeySafe application is used to manage keys, cards and modules. It can be found at All Programs -> nCipher. Open the file %NFAST_KMDATA%\config\config in Notepad. Modify ‘# nonpriv_port=PORT’ to ‘nonpriv_port=9000’ and ‘# priv_port=PORT’ to ‘priv_port=9001’. Restart the hard server by running the commands net stop "nFast Server" and net start "nFast Server".
5) Create a security world : Use ‘64bit CSP install wizard’ (this is at All Programs -> nCipher) and follow the instructions in section ‘2.4 - Create a security world’ in document nShield_Quick_Start_Guide.pdf to create a security world.
6) Create an Operator Card Set : Follow the instructions in section ‘2.5 Create an Operator Card Set (OCS)’ to create the OCS. In Step 1 choose ‘Module protection (requires no extra cards but is less secure)’ instead of ‘Operator Card Set Protection’. (See screenshot below)
7) Test the security world : Test the security world using instructions mentioned in ‘2.6 Test the security world’ in nShield_Quick_Start_Guide.pdf.
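Step 4 above can be scripted so the edit is repeatable and reversible. The following is an added example, not part of the original article or of the nCipher software; it assumes the config file is plain ASCII text and contains exactly one line for each port setting.

```powershell
# Added example, not nCipher or Microsoft code. Run from an elevated PowerShell prompt.
if (-not $env:NFAST_KMDATA) { throw 'NFAST_KMDATA is not set' }
$configPath = Join-Path $env:NFAST_KMDATA 'config\config'
if (-not (Test-Path -LiteralPath $configPath)) {
    throw "Config file not found: $configPath"
}

# Keep a timestamped copy so the edit can be rolled back.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $configPath -Destination $backup

# Port values from step 4.
$ports = @{ nonpriv_port = 9000; priv_port = 9001 }

$lines = @(Get-Content -LiteralPath $configPath)
foreach ($name in $ports.Keys) {
    # Matches the commented placeholder ("# priv_port=PORT") or an existing setting.
    # The anchor keeps "priv_port" from matching the "nonpriv_port" line.
    $pattern = "^\s*#?\s*$name\s*=.*$"
    $hits = @($lines | Where-Object { $_ -match $pattern })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one '$name' line in $configPath, found $($hits.Count)"
    }
    $lines = @($lines | ForEach-Object {
        if ($_ -match $pattern) { "$name=$($ports[$name])" } else { $_ }
    })
}
# Assumption: the file is plain ASCII text.
Set-Content -LiteralPath $configPath -Value $lines -Encoding ASCII

# Restart the hard server with the same commands as step 4.
foreach ($verb in 'stop', 'start') {
    & net.exe $verb 'nFast Server'
    if ($LASTEXITCODE -ne 0) {
        throw "net $verb 'nFast Server' failed with exit code $LASTEXITCODE"
    }
}

# Show which local addresses the two ports are bound to after the restart.
netstat -an | Select-String 'LISTENING' | Select-String ':(9000|9001)\s'
```

If the script stops with an error after the backup is taken, restore the .bak copy before retrying.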
1) Storing clmagent private key on the module : Duplicate certificate template ‘user’, choose version ‘Windows 2003 Server, Enterprise Edition’ and name it ‘CLMAgent User nCipherCSP’. In the certificate template properties, in the ‘Request Handling’ tab, uncheck the ‘Allow private key to be exported’ checkbox, and in CSPs select ‘nCipher Enhanced Cryptographic Provider’.
1) Storing clmEnrollAgent private key on the module : Similar to the steps mentioned in 1, duplicate certificate template ‘Enrollment Agent’, log on as clmEnrollAgent, request a certificate using the template and include its certificate hash in the web.config key Clm.EnrollAgent.Certificate.Hash.
2) Storing clmKRAgent private key on the module : Similar to the steps mentioned in 1, duplicate certificate template ‘Key Recovery Agent’, log on as clmKRAgent, uncheck the checkbox ‘CA certificate manager approval’ in the ‘Issuance Requirements’ tab and request a certificate using the certificate template. In CA properties -> Recovery Agents include the certificate.
3) Run Config wizard : In Config wizard choose ‘use existing accounts for agents’ and ‘configure certificates manually’.
4) Set Encryption algorithm to TripleDES : <add key="Clm.Encryption.Algorithm" value="TripleDes" />
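After these steps it is worth confirming that the enrollment agent key really sits behind the nCipher CSP and that web.config points at it. The following is an added example for the CSP configuration only, not part of the original article or of FIM CM; the $WebConfigPath parameter is an assumption (the article does not give the file's location), and the script must run while logged on as clmEnrollAgent.

```powershell
# Added example, not FIM CM or nCipher code. Run while logged on as clmEnrollAgent.
param(
    # Assumption: full path to the FIM CM web.config, supplied by the operator.
    [Parameter(Mandatory = $true)] [string] $WebConfigPath
)
$expectedProvider = 'nCipher Enhanced Cryptographic Provider'   # CSP selected in the template

$cfg = New-Object System.Xml.XmlDocument
$cfg.Load((Resolve-Path -LiteralPath $WebConfigPath).ProviderPath)

function Get-ClmSetting([string] $Key) {
    # local-name() keeps the lookup working if the file declares an XML namespace.
    $node = $cfg.SelectSingleNode("//*[local-name()='add'][@key='$Key']")
    if ($node) { $node.GetAttribute('value') }
}

# Thumbprints are often pasted with spaces; keep hex digits only.
$hash = "$(Get-ClmSetting 'Clm.EnrollAgent.Certificate.Hash')" -replace '[^0-9A-Fa-f]', ''
if (-not $hash) { throw 'Clm.EnrollAgent.Certificate.Hash is missing or empty' }

$found = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $hash })
if ($found.Count -ne 1) {
    throw "Expected one certificate with thumbprint $hash in CurrentUser\My, found $($found.Count)"
}
$cert = $found[0]
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }

# For a CSP-backed key, PrivateKey is an RSACryptoServiceProvider exposing the container details.
$info = $cert.PrivateKey.CspKeyContainerInfo
$report = New-Object PSObject -Property @{
    Thumbprint    = $cert.Thumbprint
    Provider      = $info.ProviderName
    ProviderIsHsm = ($info.ProviderName -eq $expectedProvider)
    KeyExportable = $info.Exportable
    Algorithm     = (Get-ClmSetting 'Clm.Encryption.Algorithm')
}
$report | Format-List

if (-not $report.ProviderIsHsm -or $report.KeyExportable -or $report.Algorithm -ne 'TripleDes') {
    throw 'Configuration does not match the CSP steps above'
}
```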
1) nCipher CSP and KSPs cannot coexist. Before doing the KSP configuration, the CSP configuration should be removed. To remove the CSP configuration:
a) Delete keys from HSM : In KeySafe go to Keys->List Keys select a key and click ‘Discard Key!’ button.
b) Erase Module : Put the module in pre-initialization mode. In KeySafe go to Modules->Erase Module and click ‘Erase Module!’ button.
c) Delete Security world : Delete the files in the directory to which the NFAST_KMDATA environment variable points.
2) The KSP configuration is the same as the CSP configuration, except that the ‘CNG configuration wizard’ is used instead of the ‘CSP install wizard’ to create the security world. Follow steps 1 to 7 above in “Installing and configuring the module (CSP configuration)” to configure the module for KSP. In step 5 use ‘CNG configuration wizard’ instead of ‘64bit CSP install wizard’ to create the security world. The remaining steps are the same.
1) FIM CM KSP based certificates can be used for encryption only. They cannot be used for signing. Agent certificates are used for signing, so the agent certificates cannot use the nCipher KSP.
2) Storing encryption private key on the module : Duplicate certificate template ‘user’, choose version ‘Windows 2008 Server, Enterprise Edition’ and name it ‘nCipher KSP Encryption Cert Template’. In the certificate template properties, in the ‘Request Handling’ tab, uncheck the ‘Allow private key to be exported’ checkbox, and in the Cryptography tab select ‘nCipher Security World Key Storage Provider’. (See screenshot below)
1) Run Config wizard.
2) Set <add key="Clm.Encryption.Algorithm" value="Aes" />
Not being a FIM expert, it seems to me that this product has a lot of moving parts and touches the HSMs in multiple places. This makes it an ill fit to be covered in a single Wiki page, and I suggest that you refer to the 98 page E-Book instead.