RSA Keon Ready Implementation Guide For PKI 3rd Party Application

RSA Keon Ready Implementation Guide 

For PKI 3 rd Party Application 

1. Partner Information 

Last Modified 04/30/01 

Partner Name nCipher Inc. 

Web Site http://www.ncipher.com/ 

Product Name nCipher nShield F2 Standard PCI & F3 UltraSign SCSI 

Version & Platform Module/Accelerator firmware v1.54.24 

Product Description The nShield range of hardware security modules 

(HSMs) delivers plug and play key management, 

transaction acceleration and tamper-resistant physical 

protection for PKI applications. 

nShield works in unison with leading PKI solutions to 

protect the integrity of critical private keys. By storing 

and managing your private digital signature keys in 

nCipher’s highly secure hardware environment, you can 

truly protect your PKI from internal or external security 

threats. nShield UltraSign models provide additional 

acceleration for PKI transactions, such as digital 

signatures used for online certificate validation. 

Product Category General Security Utilities 

Interaction with Keon Certificate Authority 

2. Contact Information 

Pre-Sales Post-Sales 

E-mail (US) ussales@ncipher.com support@us.ncipher.com 

(outside US) sales@ncipher.com support@ncipher.com 

Phone (US) 800-624-7437 877-994-4008 

(outside US) +44-1223-723600 +44-1223-723600 

Web www.ncipher.com www.ncipher.com

3. Product Requirements 

�� Hardware and Software requirements 

SCSI nShield F3 UltraSign on both Windows NT 4.0 and Solaris 2.6 

SCSI nShield F3 Standard on both Windows NT 4.0 and Solaris 2.6 

SCSI nShield F2 UltraSign on both Windows NT 4.0 and Solaris 2.6 

SCSI nShield F2 Standard on both Windows NT 4.0 and Solaris 2.6 & 2.7 

PCI nShield F2 UltraSign on both Windows NT 4.0 and Windows 2000 

PCI nShield F2 Standard on both Windows NT 4.0 and Windows 2000 

nCipher software package v3.5 for Windows NT and Sun Solaris and v4.11 for 

Windows 2000 

nCipher PKCS #11 library v1.5.14 for Windows NT 

nCipher PKCS #11 library v1.9.11 for Sun Solaris 

nCipher Module/Accelerator firmware v1.54.24. 

4. Product Configuration 

Introduction 

nCipher’s nShield family of products are Public Key Cryptographic Standard #11 (PKCS#11) 

compliant devices that generate and store certificate authority (CA) keys and provide high 

performance and secure hardware key management for RSA Security’s Keon CA product suite. 

Using nShield, Keon CA deployments can be optimized for highly scaled e-commerce 

applications. nShield is based on nCipher's powerful encryption acceleration technology and 

provides a high level of performance for Keon CA key generation, signing, verification and 

authentication operations. 

When using nCipher’s nShield hardware security module (HSM), keys are never revealed to the 

outside world or even to the main memory of the Keon CA installation in an unencrypted format, 

vastly increasing the security of CA key data. Keon CA uses nCipher hardware to generate 

keys using true hardware-based random number generation, encrypt keys for secure storage, 

and guarantee key security in highly sensitive applications where federal standards level 

security is critical. Depending on how they are used, nCipher hardware devices are Federal 

Information Processing Standard 140 (FIPS-140) Level 2 and Level 3 compliant. 

Functionality 

Keypair Generation 

Keon CA can create keys using nCipher smart cards. These smart cards support key 

generation for keypairs based on both RSA algorithms and DSA algorithms. 

Key Storage 

Keon CA supports the storage of cryptographic keys using nCipher smart cards.

Signature Verification 

Keon CA supports signature verification using nCipher smart cards. 

Signing with Keys 

Keon CA supports using keys stored in nCipher’s key storage for signing operations. 

Certificate Signing 

Keon CA supports certificate signing for CA and end-entity certificates using keys stored in 

nCipher’s key storage. 

CRL Signing 

Keon CA supports the signing of certificate revocation lists (CRLs) using CA keys stored in 

nCipher’s key storage. Users should ensure that the required nCipher smart card is inserted 

into the nCipher card reader before initiating any signing operations through Keon CA. The 

smart card should not be removed from the card reader until signing operations are complete. 

The smart card is not needed for signing/verification if it was set to persistent during 

initialization. 

Certificate Authority Creation 

Keon CA supports the generation of certificate authorities with private keys stored in nCipher’s 

key storage. The smart card is required for keypair generation whether or not it was set to 

persistent during initialization. 

5. Product Operation 

Configuration 

Installing nCipher Hardware 

nCipher hardware must be installed to provide nCipher functionality to Keon CA. Full 

installation instructions are available in nCipher’s Getting Started Guide (start.pdf) on the 

nCipher installation CD-ROM. Instructions for upgrading the module firmware are available in 

nCipher’s nShield User Guide. 

Installing the nCipher Server Software and PKCS #11 Library 

After installing nCipher hardware, you must install the nCipher’s Server Software and PKCS 

#11 Library. Installation instructions are available in Chapter 3 of nCipher’s nShield User Guide 

on the nCipher installation CD-ROM.

nCipher Security World 

Before you can use the nCipher HSM, you must create an nCipher Security World. A security 

world consists of one or more hardware modules, a set of smart cards, and some encrypted 

data stored on the computer. 

In order to create a security world you must set the hardware module in pre-initialization mode, 

and create a security world using the KeySafe application (or the sw-init command): 

Figure 1 – KeySafe Splash Screen 

The nCipher HSM must then be put in operational state. Detailed information on configuring a 

security world can be found in nCipher’s nShield User Guide. 

PKCS #11 Security Officer and User Accounts 

The nCipher name for the PKCS #11 Security Officer (SO) is the Administrator Card Set. The 

nCipher name for the PKCS #11 User is the Operator Card Set. The Administrator Card Set is 

used to control access to recovery functions. The Operator Card Set is used to control access 

to application keys. The nCipher Security World is designed to ensure all keys remain secure 

throughout their life cycle. Each user can access the keys protected by the Security World and 

protected by their Operator Card Set only. The use of persistent Operator Card Sets is not 

recommended. When you initialize a smart card, you must provide new Operator Card Set 

passphrases. 

The Operator Card Set smart cards are used by Keon CA. It has full access to all data stored 

on the smart card, including public and private keys. Keon CA accesses the smart card via the 

User account for all operations. Further information on smart cards can be found in nCipher’s 

nShield User Guide. The smart cards used as Operator Cards must be erased before reinitializing 

the nCipher module. Otherwise, these cards must be discarded because they cannot 

be used, erased, or reformatted without the old security world key.

nCipher Smart Card Slots and Labels 

nCipher smart cards are always referenced in Keon CA as being in slot 2. 

Smart card labels are defined when the smart card is initialized. They are simply a name that 

you attach to the smart card to help you organize your smart cards and keep track of what each 

one is used for. Labels can only be changed by re-initializing the smart card. 

Initializing nCipher Smart Cards for Use With Keon CA 

nCipher smart cards must be initialized before they can be used with Keon CA. A new smart 

card can be initialized using one of the following methods: 

�� Using “ckinittoken” 

Refer to nCipher’s nShield User Guide on the nCipher installation CD-ROM. Instructions 

for using ckinittoken are available in chapter 7 in the section “Creating Operator Card 

Sets.” 

�� Using “createoc-simple” 

/createoc-simple [--force] 

 

where: 

--force Allows for the overwriting of non-blank cards 

module Module number of the HSM, usually 1 

slot Usually 0 

label Name of token 

persist Should be ‘yes’ or ‘no’ 

timeout Must be 0 

password mandatory, undocumented 

For example: createoc-simple 1 0 token1 no 0 1234 

Refer to nCipher’s nShield User Guide on the nCipher installation CD-ROM. Instructions 

for using “createoc-simple” are available in chapter 7 in the section “Creating Operator 

Card Sets.” 

�� Using nCipher’s KeySafe utility. 

nCipher smart cards can also be initialized using nCipher’s KeySafe utility. Refer to 

chapter 7 of nCipher’s nShield User Guide “Creating Operator Card Sets” for 

instructions. 

nCipher PKCS #11 library only supports tokens that are part of a 1-from-N card set. 

When using KeySafe to initialize smart cards, do not select K > 1 for a K-from-N card 

set.

Keon CA Installation 

If nCipher hardware, server software, and PKCS #11 library are installed before Keon CA, Keon 

CA determines that nCipher support is available during installation. To install Keon CA using an 

nCipher smart card, the smart card must be initialized prior to beginning the Keon CA 

installation. See “Initializing nCipher Smart Cards for Use With Keon CA” in the nShield User 

Guide for more information. 

Note that for Solaris versions, Keon CA must be installed by the “root” user to allow operation 

with nCipher hardware. 

Adding nForce or nShield Support to an Existing Keon CA Installation 

To add smart card support to an existing Keon CA installation that does not use smart cards, 

you do not need to reinstall Keon CA. 

To add nCipher smart card support to an existing installation: 

0. Install the nCipher hardware, server software, and PKCS #11 library as described in the 

following sections. 

1. Initialize a smart card and insert it into the reader. See “Initializing nCipher Smart Cards 

for Use With Keon CA” 

2. Stop the Keon CA Administration Server and Secure Directory Server. 

3. Add a directive to the top of /Xudad/conf/xudad.conf to specify the 

location of the nCipher PKCS #11 dynamic link library. For Windows NT/Windows 

2000, the default-installed location is C:\nfast\bin\cknfast.dll . For example: 

crypto_providers “pkcs11v2,C:\nfast\bin\cknfast.dll” 

For Solaris, the default installed location is /opt/nfast/gcc/lib/libcknfast.so. For 

example: 

crypto_providers “pkcs11v2,/opt/nfast/gcc/lib/libcknfast.so” 

4. Add a directive to the end of /WebServer/conf/Keon.conf to specify the 

location of the nCipher PKCS #11 dynamic link library. 

For Windows NT/Windows 2000 the directive should read: 

crypto_providers = pkcs11v2,C:\nfast\bin\cknfast.dll 

For Solaris the directive should read 

crypto_providers = pkcs11v2,/opt/nfast/gcc/lib/libcknfast.so 

5. Start the Keon CA Administration Server and Secure Directory Server.

Upon completing the preceding steps, when an administrator opens the Admin console and 

performs any type of signing operation, he or she should see the option to select the nCipher 

HSM for the Signing Algorithm: 

Figure 2 – Selecting the Signing Algorithm 

If this option is not present, ensure that the nCipher HSM has been properly installed and 

configured. Also, check to make sure all edits to the appropriate .conf files have been made. 

Recovery Features 

All recovery options described below require that the recovery option must have been enabled 

when creating the security world. 

Loss of Smart Card 

To recover from the loss of an nCipher smart card, nCipher’s replaceocs or sw-racs utility can 

be used to replace any lost smart card. Refer to chapter 7 of nCipher’s nShield User Guide, 

Replacing Operator Card Sets or Replacing Administrator Card Set, respectively, for detailed 

instructions. 

Loss of Hardware 

The actual nShield HSM needs to be replaced. After replacing the nCipher hardware, recreate 

the security world using the procedure documented in chapter 6 of nCipher’s nShield User 

Guide, Adding a Module to the Security World using the sw-rest command. If the replacement

module had been used with another Security World then you must initialize that module using 

initunit command before using sw-rest. 

This procedure can be used to move the Security World from one machine to another, including 

across platforms. 

Loss of Hard Drive Data 

If files containing the Security World data are lost (e.g. \kmdata directory), you may simply 

restore the files from backup. Any data created since the last backup will be lost. If the 

complete nCipher software installation is damaged or lost, follow the procedure given under “ 

Loss of Hardware” in the nShield User Guide, provided a backup of the Security World data 

exists. 

Useful nCipher Commands 

�� enquiry to confirm versions of server software and module firmware 

�� ckcheckinst to get PKCS #11 library version (the library description is the number of 

interest) 

�� nfkminfo to get information about the Security World, i.e. whether recovery option is 

enabled 

6. Known Issues 

None

RSA Keon Ready Implementation Guide For PKI 3rd Party Application

Create successful ePaper yourself

Delete template?

Save as template?