Configuring KeyControl as an HSM Client using nShield Connect

The following procedure describes how to configure KeyControl as an nShield Connect HSM client. You can either use a standalone KeyControl node or a cluster.

Before You Begin

For the nShield Connect HSM server that you want to connect to KeyControl, make sure you have the following information available:

  • The HSM server name/FQDN, Server IP, ESN, Port, and Keyhash.
  • The Security World Bundle file that is provided by the HSM Administrator.
  • Information to create a softcard consisting of a label and password.

The nShield Connect client version 12.60 is included in HyTrust DataControl/KeyControl 5.2. nShield Connect servers compatible with the 12.60 client are supported. You can also use either the on-premise nCipher nShield HSM or nShield as a Service (nSaaS).

You will also need:

  • A KeyControl account with Security Admin privileges.
  • Access to the on-premise HSM server.
  • KeyControl must be added to the nShield configuration as a privileged client (clientperm=priv). You may need to consult your HSM administrator.

Note: The following instructions are specific to the nShield Connect HSM from nCipher.

Procedure

  1. Log into the KeyControl webGUI using an account with Security Admin privileges.

    Note: If you are using a cluster, you only need to use the webGUI for one node.

  2. In the top menu bar, click Settings.
  3. In the System Settings section, click HSM Server Settings.
  4. On the HSM Server Settings tab, select nShield Connect HSM and then click the Initialize button.

    The nCipher Clients window displays the information you will need to continue.

  5. Click the Copy the IP address and keyhashes to the keyboard link and paste them in a text window.
  6. Use the IP address and keyhash to authenticate KeyControl on nShield. Please see your nShield documentation.

    Important: If you are using a cluster, you will need to authenticate the IP address and keyhash for each node.

  7. Copy the Security World Bundle from nShield and place it on your local machine. It should be in the format world.zip.
  8. On the HSM Server Settings tab, click the Complete Setup button.

    The nShield HSM Server Setup window displays the tasks to complete the setup.

  9. After reading the Get Started Screen, click Continue.
  10. On the Enrollment screen, complete the following:

    Note: All information is from the nShield HSM.

    Field          Description
    Server Name    Enter the FQDN of the nShield HSM.
    Server IP      Enter the IP address for the nShield HSM.
    ESN            Enter the nShield Electronic Serial Number (ESN).
    Port           Enter the port used for the nShield HSM.
    Key Hash       Enter the key hash of the nShield HSM.

  11. Click Enroll and Continue.
  12. On the Security World screen, click Load File and locate the security world bundle that you downloaded from the nShield HSM.
  13. Click Upload and Continue.
  14. On the Softcard screen, enter the Softcard Label and Softcard Passphrase that you want to use to link to the HSM server.

  15. Click Complete Setup.

    After the setup is complete, you will be returned to the nShield Connect HSM Server Settings page, with all values except for the Softcard Password filled in.

    Note: If the configuration failed, then you must click Reset HSM Configuration before you try again.

  16. Click the Locate Admin Key button to ensure that the HSM is fully connected to KeyControl.

    If you are using a cluster, you should be able to locate the admin key on both nodes.
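The following added example (not HyTrust or nCipher code) is a preflight check for the values gathered above: it validates the Enrollment screen fields and, for a cluster, builds one privileged-client (clientperm=priv) entry per KeyControl node, refusing a configuration where two nodes would share a keyhash. The ESN and key hash formats, the port number, and the [hs_clients] entry layout are assumptions; confirm them against your nShield documentation.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed formats: an ESN like "1234-5678-90AB", a key hash of 40 hex characters.
ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")
KEYHASH_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Enrollment:
    """Fields entered on the KeyControl Enrollment screen (all from the nShield HSM)."""
    server_name: str
    server_ip: str
    esn: str
    port: int
    key_hash: str


def validate_enrollment(e: Enrollment) -> list[str]:
    """Return the problems found; an empty list means the fields are well-formed."""
    problems = []
    if not e.server_name.strip():
        problems.append("Server Name is empty")
    try:
        ipaddress.ip_address(e.server_ip)
    except ValueError:
        problems.append(f"Server IP is not a valid IP address: {e.server_ip!r}")
    if not ESN_RE.match(e.esn.upper()):
        problems.append(f"ESN is not in XXXX-XXXX-XXXX form: {e.esn!r}")
    if not 1 <= e.port <= 65535:
        problems.append(f"Port out of range: {e.port}")
    if not KEYHASH_RE.match(e.key_hash.lower()):
        problems.append(f"Key Hash is not 40 hex characters: {e.key_hash!r}")
    return problems


def hs_clients_entries(nodes: dict[str, str]) -> str:
    """Emit one privileged-client entry per KeyControl node (IP -> that node's keyhash).

    Each cluster node has its own keyhash and must be authenticated separately on
    the HSM. Key names and the blank-line separator are assumed, not taken from
    the nShield documentation.
    """
    if len(set(nodes.values())) != len(nodes):
        raise ValueError("two nodes share a keyhash; each node needs its own")
    lines = ["[hs_clients]"]
    for ip, keyhash in nodes.items():
        if not KEYHASH_RE.match(keyhash.lower()):
            raise ValueError(f"bad keyhash for {ip}")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lines += [f"addr={ip}", "clientperm=priv", f"keyhash={keyhash.lower()}", ""]
    return "\n".join(lines).rstrip("\n")
```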

What to Do Next