
Preparing for Setup

Before configuring Key Manager with nCipher nShield HSM, note the following prerequisites and precautions:

  • Observe the HSM policies of your corporate network environment. Always consult your HSM department about the actual procedures required for setting up HSM support in your network environment.

  • Ensure that the nCipher Security nShield product you are using is supported by Key Manager.

  • Ensure that you have the nShield Connect packages required for setting up Linux clients.

  • The nShield security world must be set up with an RFS (Remote File System) for sharing keys between Key Manager servers. Key Manager only reads management keys from the RFS. The RFS must include at least one SSH key pair for Key Manager to function properly.

  • Key Manager only performs sign operations on the HSM, and does not use any hashing algorithms provided by the HSM. Data hashing is handled internally by the SSH protocol.

  • Key Manager will attempt to establish management connections by iteratively authenticating with every key pair that is available on its designated RFS. Since SSH servers are typically configured to deny connections after a certain number of authentication attempts, having too many keys on the RFS may cause some management connections to fail. For this reason, we recommend keeping the number of SSH key pairs on the HSM partition to a minimum.

    To prevent management-connection failures, you must ensure that the number of management-key pairs on the HSM partition is equal to or less than the number of authentication attempts allowed by the SSH servers in your environment. Note that each management-key pair can be used for more than one agentless host.

  • Key Manager interfaces with its designated RFS using PKCS #11. The libraries required for PKCS #11 authentication and access, and any other tools required for setting up client connections to the HSM, are expected to be provided by the HSM service vendor.

  • Ensure that your network settings allow Key Manager to connect to the HSM.

  • Host deployment using HSM keys can only be performed via the command-line client (not the Key Manager GUI).

  • Make sure the nCipher HSM is in the correct operational mode. You can check this by running the enquiry command provided by nCipher Security, located in /opt/nfast/bin. While creating the Security World, the mode should be pre-initialization. Once the module is ready to be used with Key Manager, the mode should be operational.
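The following check is an added example for the authentication-attempts prerequisite above; it is not part of the Key Manager or nCipher documentation. It counts the PKCS #11 key-pair files in the nShield key store and compares that count with the MaxAuthTries limit of an sshd_config. The file naming key_pkcs11_* under /opt/nfast/kmdata/local and the one-file-per-key-pair assumption are assumptions, as is the OpenSSH default of 6 attempts when MaxAuthTries is unset; the demo at the end runs against constructed data in a temporary directory.

```sh
#!/bin/sh
# Added example, not from the Key Manager or nCipher documentation.
# Assumption: each PKCS #11 key pair in the security world is one file
# named key_pkcs11_<ident> in the key store directory (by default
# /opt/nfast/kmdata/local). Assumption: OpenSSH allows 6 attempts when
# MaxAuthTries is not set.

# Count PKCS #11 key pair files in a key store directory.
count_pkcs11_keys() {
    dir="$1"
    n=0
    for f in "$dir"/key_pkcs11_*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Read MaxAuthTries from an sshd_config file; fall back to 6 if unset
# or if the file is not readable.
sshd_max_auth_tries() {
    cfg="$1"
    v=""
    if [ -r "$cfg" ]; then
        v=$(awk 'tolower($1)=="maxauthtries" {print $2; exit}' "$cfg")
    fi
    echo "${v:-6}"
}

# Return 0 if every key pair can be tried before the server refuses
# further attempts, 1 if there are more key pairs than attempts.
check_key_budget() {
    keys=$(count_pkcs11_keys "$1")
    limit=$(sshd_max_auth_tries "$2")
    if [ "$keys" -le "$limit" ]; then
        echo "ok: $keys key pair(s), MaxAuthTries $limit"
        return 0
    fi
    echo "WARNING: $keys key pair(s) but MaxAuthTries is $limit; some management connections may fail"
    return 1
}

# Demo on constructed data. For a real check, run:
#   check_key_budget /opt/nfast/kmdata/local /etc/ssh/sshd_config
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/kmdata"
    for i in 1 2 3 4 5 6 7 8; do : > "$tmp/kmdata/key_pkcs11_uc$i"; done
    printf 'Port 22\nMaxAuthTries 6\n' > "$tmp/sshd_config"
    check_key_budget "$tmp/kmdata" "$tmp/sshd_config" || true
    rm -rf "$tmp"
}
demo
```

The limit should be taken from the most restrictive SSH server in the environment, since Key Manager tries the same key set against every host.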
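As an added example for the operational-mode prerequisite above (not code from the Key Manager or nCipher documentation), the following functions read enquiry output from standard input, pick out the mode line of one module section and compare it with the expected mode. The sample output is constructed for the demo: the serial numbers and version are placeholders, and the section layout (a "Module #N:" header at column 0 followed by indented "mode" lines) is an assumption about the enquiry format.

```sh
#!/bin/sh
# Added example, not from the Key Manager or nCipher documentation.
# Assumption: enquiry prints one section per module, headed "Module #N:"
# at column 0, with indented "mode <value>" lines inside the section.

# Print the mode of module $1 from enquiry output on stdin (empty if absent).
enquiry_module_mode() {
    awk -v want="Module #$1:" '
        $0 == want { inmod = 1; next }
        /^[^ ]/ { inmod = 0 }
        inmod && $1 == "mode" { print $2; exit }
    '
}

# Return 0 if module $1 is in mode $2, 1 on a mismatch, 2 if not found.
# Use "pre-initialization" while creating the Security World and
# "operational" once the module is ready for Key Manager.
require_module_mode() {
    mod="$1"; want="$2"
    got=$(enquiry_module_mode "$mod")
    if [ -z "$got" ]; then
        echo "module $mod: not found in enquiry output"
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "module $mod: mode $got (ok)"
        return 0
    fi
    echo "module $mod: mode is $got, expected $want"
    return 1
}

# Constructed enquiry output for the demo (placeholder serials/version).
sample_enquiry() {
cat <<'EOF'
Server:
 enquiry reply flags  none
 enquiry reply level  Six
 serial number        PLACEHOLDER-SERIAL-0
 mode                 operational
 version              0.0.0-placeholder
Module #1:
 enquiry reply flags  none
 serial number        PLACEHOLDER-SERIAL-1
 mode                 operational
 version              0.0.0-placeholder
Module #2:
 enquiry reply flags  none
 serial number        PLACEHOLDER-SERIAL-2
 mode                 pre-initialization
EOF
}

# Demo. On a real client run:
#   /opt/nfast/bin/enquiry | require_module_mode 1 operational
sample_enquiry | require_module_mode 1 operational || true
sample_enquiry | require_module_mode 2 operational || true
```

The distinct exit codes let the check be used from a deployment script: abort on 1 or 2, continue on 0.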