Entrust nShield Solo User manual

nShield Security World
nShield Solo and Solo XC v13.4 Install Guide
12 December 2023

Table of Contents
1. Introduction
1.1. About this guide
2. Hardware security modules
2.1. Electrical power requirements
2.2. Handling modules
2.3. Module operational temperature and humidity specifications
2.4. Cooling requirements
2.5. Physical location considerations
3. Regulatory notices
3.1. FCC class A notice
3.2. Canadian certification - CAN ICES-3 (A)/NMB-3(A)
3.3. Battery cautions
3.4. Hazardous substance caution
3.5. Recycling and disposal information
4. Before installing the module
4.1. Back panel
4.2. Module pre-installation steps
4.3. Fitting a module bracket
4.4. User Replaceable items
5. Installing the module
5.1. Fitting a smart card reader
5.2. After installing the module
6. Before you install the software
6.1. Preparatory tasks before installing software
6.2. Firewall settings
7. Installing the software
7.1. Installing the Security World Software on Windows
7.2. Installing the Security World Software on Linux
8. Checking the installation
8.1. Checking operational status
8.2. Mode switch and jumper switches
8.3. Log message types
8.4. BadTokenData error (Solo only)
9. Status indicators
9.1. Solo
10. Uninstalling existing software
10.1. Uninstalling the Security World Software on Windows
10.2. Uninstalling the Security World Software on Linux
11. Software packages on the Security World installation media
11.1. Security World installation media
11.2. Components required for particular functionality
11.3. nCipherKM JCA/JCE cryptographic service provider
11.4. SNMP monitoring agent
12. Virtualization Remote Server
12.1. Virtualization and Hyper-V
12.2. Virtualization and XenServer/VMware vSphere hypervisor, ESXi
12.3. ESXi environment
12.4. XenServer environments
12.5. Hyper-V environment

1. Introduction
The Entrust nShield Solo and Solo XC are Hardware Security Modules (HSM) for
servers and appliances.
1.1. About this guide
This guide includes:
•Installing the nShield Solo and nShield Solo XC. See Installing the module.
•Installing the Security World Software. See Installing the software.
•Steps to check the installation. See Checking the installation.
•A description of the module status indicators. See Status indicators.
•Instructions about removing existing software. See Uninstalling existing
software.
See the User Guide for your module and operating system for more about, for
example:
•Creating and managing a Security World
•Creating and using keys
•Card sets
•The advanced features of the nShield Solo and the nShield Solo XC.
For information on integrating Entrust nShield products with third-party
enterprise applications, see https://www.entrust.com/digital-security/hsm.
1.1.1. Model numbers
Model numbering conventions are used to distinguish different nShield hardware
security devices.
Model number | Used for
nC3nnnE-nnn, nC4nnnE-nnn | nShield Solo PCIe
nC30n5E-nnn, nC40n5E-nnn | nShield Solo XC PCIe
1.1.2. Terminology
Chapter 1. Introduction
nShield Solo and Solo XC v13.4 Install Guide 1/49

The nShield Solo and nShield Solo XC are referred to as the nShield Solo and
nShield Solo XC, the Hardware Security Module, or the HSM in this guide.

2. Hardware security modules
2.1. Electrical power requirements
Module | Maximum power
nShield Solo | 9.9W
nShield Solo XC | 24W
Make sure that the power supply in your computer is rated to
supply the required electric power.
The PCIe cards, nShield Solo and nShield Solo XC, are intended for installation into
a certified personal computer, server, or similar equipment.
If your computer can supply the required electric power and sufficient cooling,
you can install multiple modules in your computer.
2.2. Handling modules
The module contains solid-state devices that can withstand normal handling.
However, do not drop the module or expose it to excessive vibration.
Before installing hardware, you must disconnect your computer
from the power supply. Ensure that a grounded (earthed)
contact remains. Perform the installation with care, and follow all
safety instructions in this guide and from your computer
manufacturer.
Static discharge can damage modules. Do not touch the module
connector pins, or the exposed area of the module.
Leave the module in its anti-static bag until you are ready to install it. Always wear
an anti-static wrist strap that is connected to a grounded metal object. You must
also ensure that the computer frame is grounded while you are installing or
removing an internal module.
2.3. Module operational temperature and humidity specifications
The nShield Solo module operates within the following environmental conditions.
nShield Solo environmental conditions | Operating range: Min. | Operating range: Max. | Comments
Operating temperature* | 10°C (50°F) | 35°C (95°F) | Subject to sufficient airflow
Storage temperature | -20°C (-4°F) | 70°C (158°F) | -
Operating humidity | 10% | 90% | Relative. Non-condensing at 35°C (95°F)
Storage humidity | 0 | 85% | Relative. Non-condensing at 35°C (95°F)
*Air temperature at PCIe card inlet surface. For more information, see Cooling
requirements.
The nShield Solo XC module operates within the following environmental
conditions.
nShield Solo XC environmental conditions | Operating range: Min. | Operating range: Max. | Comments
Operating temperature | 5°C (41°F) | 55°C (131°F) | Subject to sufficient airflow
Storage temperature | -5°C (-23°F) | 60°C (140°F) | -
Transportation temperature | -40°C (-40°F) | 70°C (158°F) | -
Operating humidity | 5% | 85% | Relative. Non-condensing at 30°C (86°F)
Storage humidity | 5% | 93% | Relative. Non-condensing at 30°C (86°F)
Transportation humidity | 5% | 93% | Relative. Non-condensing at 30°C (86°F)
Altitude | -100m (-328ft) | 2000m (6561ft) | Above Mean Sea Level
The module is designed to operate in moderate climates only.
Never operate the module in dusty, damp, or excessively hot
conditions. Never install, store, or operate the module at
locations where it may be subject to dripping or splashing
liquids.

2.4. Cooling requirements
An air velocity of 1.9 m/s (373 LFM) is recommended for a
module in operation.
During installation, ensure there is adequate airflow around the module. Airflow
from fans must be directed to the inlet surface of the module such that air is
flowing through and across the length of the module. To maximize airflow, use a
PCIe slot with no neighboring modules if possible. If airflow is limited, consider
fitting extra cooling fans.
The nShield Solo module is a passively cooled PCIe card that
requires the host to provide sufficient airflow for cooling. Passive
cards should not be powered without cooling airflow in place.
Ensure the module has adequate cooling. Failure to do so can
result in damage to the module or computer.
To check the actual and maximum temperature of the module during operation,
see the Maintenance of nShield Hardware section of the User Guide for your
module and operating system. It is advised to do this directly after installing the
module in its normal working environment. Monitor the temperature of the module
over its first few days of operation.
2.4.1. Cooling recommendations for a desktop installation
For a desktop installation running in operating environmental conditions,
dedicated airflow is required across the module. If the system cannot provide the
necessary airflow, Entrust recommends you add a sufficiently powerful dedicated
fan to directly cool the module. For details regarding the cooling requirements see
Cooling requirements.
2.4.2. Cooling recommendations for a server installation
The desktop cooling recommendations further apply to a server installation. In
addition, power and airflow control software is sometimes available in a server
installation. If this is the case, Entrust recommends you:
•Configure the target air velocity in the software to ensure it does not fall
below the airflow recommendations of the module. For details regarding the
cooling requirements, see Cooling requirements.
•Ensure that the PCIe slot has been configured to fulfil the module power
requirements.
2.5. Physical location considerations
For the certification of Entrust nShield HSM, refer to the Security Manual. In
addition to the intrinsic protection provided by an nShield HSM, customers must
exercise due diligence to ensure that the environment within which the nShield
HSMs are deployed is configured properly and is regularly examined as part of a
comprehensive risk mitigation program to assess both logical and physical threats.
Applications running in the environment shall be authenticated to ensure their
legitimacy and to thwart possible proliferation of malware that could infiltrate
these as they access the HSMs' cryptographic services. The deployed environment
must adopt 'defense in depth' measures and carefully consider the physical
location to prevent detection of electromagnetic emanations that might otherwise
inadvertently disclose cryptographic material.

3. Regulatory notices
3.1. FCC class A notice
The nShield Solo and nShield Solo XC HSMs comply with Part 15 of the FCC rules.
Operation is subject to the following two conditions:
1. The device may not cause harmful interference, and
2. The device must accept any interference received, including interference that
may cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is
operated in a commercial environment. This equipment generates, uses, and can
radiate radio frequency energy and, if not installed and used in accordance with
the instruction manual, may cause harmful interference to radio communications.
Operation of this equipment in a residential area is likely to cause harmful
interference in which case the users will be required to correct the interference at
their own expense.
3.2. Canadian certification - CAN ICES-3 (A)/NMB-3(A)
3.3. Battery cautions
Danger of explosion if the battery is incorrectly replaced. The battery may only be
replaced with the same or equivalent type. Dispose of the used battery in
accordance with your local disposal instructions.
3.4. Hazardous substance caution
This product contains a lithium battery and other electronic components and
materials which may contain hazardous substances. However, this product is not
hazardous providing it is used in the manner in which it is intended to be used.
3.5. Recycling and disposal information
For recycling and disposal guidance, see the nShield product’s Warnings and
Cautions documentation.

4. Before installing the module
4.1. Back panel
Label | Description
A | Status LED
B | Recessed clear button
C | Physical mode switch
D | Physical mode override jumper switch, in the Off position. When set to On, the mode switch (C) is deactivated. See the User Guide for your module and operating system for more information.
E | Remote mode override jumper switch, in the Off position. When set to On, remote mode switching is disabled. See the User Guide for your module and operating system for more information.
F | A mini-DIN connector for connecting a smart card reader.

The configuration of connectors varies between modules and
might not be as in the image.
4.2. Module pre-installation steps
Check the module to ensure that there is no sign of damage or tampering:
•Check the epoxy resin security coating or the metal lid for the Solo XC for
obvious signs of damage.
•If you intend to install the module with an external smart card reader, check
the cable for signs of tampering. If evidence of tampering is present, do not
use the cable and request a new one.
•Check that the two jumper switches are in the required positions.
•The physical mode switch must be set to Operational (O) to be able to use the
remote mode switch override to change the mode. To use the Remote
Administration feature to change the mode of the module remotely, ensure
that the jumper switch (E) is in the Off position and the physical mode
switch (C) is set to Operational (O).
The default factory setting of the jumper DIP switch E is Off. This enables remote
MOI switching. Factory shipping nShield Solo HSMs loaded with firmware 2.61.2 or
greater will support remote MOI switching by default. Customers who expressly
do not want to enable the remote MOI switching capability must switch jumper
switch E to the On position.
4.3. Fitting a module bracket
Before installing a module in a PCI Express card slot, you may have to replace the
bracket if it is not the same height as the slot. Both full height and low profile
brackets are supplied with the module.
Do not touch the connector pins, or the exposed area of the module without
taking electrostatic discharge (ESD) precautions.

To fit the bracket to the module:
1. Remove the two screws from the solder side of the module.
2. Remove the incorrect bracket.
3. Fit the correct bracket to the component side of the module.
4. Insert the two screws into the solder side of the module to secure the bracket.
Do not overtighten the screws.
4.4. User Replaceable items
If the module has been removed so that a part can be replaced, follow these
procedures before installing the module. If no parts need replacing, proceed to
Installing the module.
4.4.1. Replace the fan - Solo XC only
Required Tools
•Phillips screwdriver #0
•Phillips screwdriver #2
•Small needle nose pliers
Required Part
•Orderable part number SOLOXC-REP-FAN (Replacement fan assembly).
1. Power off the system and while taking ESD precautions, remove the Solo
XC card.
2. Place the Solo XC on a flat surface.
3. Remove the top EMI cover using a #2 screwdriver.
4. Pull the fan power cable and grommet from the slot in the EMI fence.
5. Using the needle nose pliers, gently remove the fan power cable from the
P3 connector.
6. Using the #0 Phillips screwdriver, remove the four fan retaining screws.
7. Remove the defective fan from the Solo XC and install the replacement
fan with the power cable positioned towards the P3 power connector.
Ensure that the fan lies flat against the heatsink.
8. Replace the four fan retaining screws.
9. Install the power cable connector into the Solo XC P3 power connector.
10. Install the power cable grommet into the slot in the EMI fence, with the
flat side towards the top of the fence.
11. Replace the top EMI cover.
12. Re-install the Solo XC into the PCIe slot.
4.4.2. Replace the battery
Solo XC only
Please follow battery disposal guidelines in the installation
manual.
Required tools
•Small non-conductive tweezers
Required part
•Orderable part number: SOLOXC-REP-BATT (Replacement battery)
To remove and replace the battery:
1. Power off the system and while taking ESD precautions, remove the module.
2. Place the module on a flat surface.
3. Using the tweezers, gently remove the battery from the BT1 connector.
4. Observing the polarity, install the replacement battery in the BT1 connector.
5. Re-install the module into the PCIe slot.

5. Installing the module
1. Power off the system and while taking electrostatic discharge precautions,
remove the module from its packaging.
2. Open the computer case and locate an empty PCIe slot. If necessary, follow
the instructions that your computer manufacturer supplied.
You must only install your nShield Solo or nShield Solo XC
module into a PCIe slot. See the instructions that your
computer manufacturer supplied to correctly identify the
slots on your computer.
Minimum requirement:
nShield Solo: 1 PCIe x1 slot
nShield Solo XC: 1 PCIe x4 slot
3. If there is a blanking plate across the opening to the outside of the computer,
remove it. Check that the opening is large enough to enable you to access the
module back panel.
4. Insert the contact edge of the module into the empty slot. Press the card
firmly into the connector to ensure that:
◦The contacts are fully inserted in the connector
◦The back panel is correctly aligned with the access slot in the chassis
5. Use the bracket screw or fixing clip to secure the module to the computer
chassis.
6. Check that the two jumper switches on the module are still in required
positions (see Back panel and jumper switches).
7. Check that the mode switch is still in the center O (operational) position.
8. Replace the computer case.
5.1. Fitting a smart card reader
Connect the smart card reader to the connector on the back panel of the module.
A D-type to mini-DIN adapter cable is supplied with the module.
5.2. After installing the module
If the Security World software has not already been installed, you must install the
Security World Software by following the instructions at Installing the software.
Although methods of installation vary from platform to platform, the Security
World Software should automatically detect the module on your computer and
install the drivers. You do not have to restart the system.

6. Before you install the software
Before you install the software, you should:
•Install the module. See Installing the module.
•Uninstall any older versions of Security World Software. See Uninstalling
existing software.
•If the nShield Remote Administration Client is installed on the machine,
remove it. You will also have to re-install it after you have installed the new
Security World software version. See the nShield Remote Administration User Guide.
•Complete any other necessary preparatory tasks, as described in Preparatory
tasks before installing software.
6.1. Preparatory tasks before installing software
Perform any of the necessary preparatory tasks described in this section before
installing the Security World Software.
6.1.1. Windows
6.1.1.1. Power saving options
Adjust your computer's power saving settings to prevent sleep mode.
You may also need to set power management properties of the HSM, once the
Security World Software is installed. See Installing the Security World Software on
Windows for more information.
6.1.1.2. Install Microsoft security updates
Make sure that you have installed the latest Microsoft security updates.
Information about Microsoft security updates is available from
http://www.microsoft.com/security/.
6.1.1.3. Add %NFAST_HOME%\bin\ to the PATH environment variable
The default location for %NFAST_HOME%\bin\ is C:\Program Files\nCipher\nfast.
Because of the space in Program Files, nShield commands could fail if
%NFAST_HOME%\bin\ is not in PATH.
If you cannot change PATH, you will have to enclose all file names and paths that
use the variable between double quotation marks (" "). For example:
"%NFAST_HOME%\toolkits\pkcs11\cknfast.dll"
6.1.2. Linux
6.1.2.1. Install operating environment patches
Make sure that you have installed:
•kernel packages like gcc, kernel-headers, kernel-devel
•the latest recommended patches for your environment in general
See the documentation supplied with your operating environment for information.
6.1.2.2. Users and groups
The installer automatically creates the following group and users if they do not
exist. If you wish to create them manually, you should do so before running the
installer. Create the following, as required:
•The nfast user in the nfast group, using /opt/nfast as the home directory.
•If you are installing SNMP, the ncsnmpd user in the ncsnmpd group, using
/opt/nfast as the home directory.
•If you are installing the Remote Administration Service, the raserv user in the
raserv group, using /opt/nfast as the home directory.
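Because the installer only creates accounts that do not already exist, it is worth checking any that are present against the values listed above before you run it. The following script is an added example, not part of the Entrust guide or installer: it reports each required account as ok, missing or mismatched, and prints the commands that would create the missing ones. The groupadd and useradd invocations and the option names snmp and raserv are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Entrust code): audit the service accounts from section 6.1.2.2.
# Usage (hypothetical file name): sh nfast-accounts.sh [snmp] [raserv]
# Nothing is changed on the system; creation commands are only printed.

NFAST_HOME_DIR=/opt/nfast   # home directory stated in the guide

# Thin wrappers around getent so the checks can be exercised with constructed data.
lookup_passwd() { getent passwd "$1" 2>/dev/null; }
lookup_group()  { getent group "$1" 2>/dev/null; }

# required_accounts [snmp] [raserv] -> one "user:group" pair per line
required_accounts() {
    echo "nfast:nfast"
    for opt in "$@"; do
        case "$opt" in
            snmp)   echo "ncsnmpd:ncsnmpd" ;;   # only when installing SNMP
            raserv) echo "raserv:raserv" ;;     # only for the Remote Administration Service
        esac
    done
}

# check_account USER GROUP -> prints ok | missing | mismatch:<reason>
check_account() {
    user=$1
    group=$2
    pw=$(lookup_passwd "$user") || pw=
    if [ -z "$pw" ]; then echo missing; return; fi
    gr=$(lookup_group "$group") || gr=
    if [ -z "$gr" ]; then echo "mismatch:group $group does not exist"; return; fi
    pw_gid=$(printf '%s\n' "$pw" | cut -d: -f4)    # primary gid of the user
    pw_home=$(printf '%s\n' "$pw" | cut -d: -f6)   # home directory of the user
    gr_gid=$(printf '%s\n' "$gr" | cut -d: -f3)    # gid of the expected group
    if [ "$pw_gid" != "$gr_gid" ]; then
        echo "mismatch:primary gid is $pw_gid, expected $group ($gr_gid)"; return
    fi
    if [ "$pw_home" != "$NFAST_HOME_DIR" ]; then
        echo "mismatch:home is $pw_home, expected $NFAST_HOME_DIR"; return
    fi
    echo ok
}

# plan_accounts [snmp] [raserv] -> status per account, plus commands for missing ones
plan_accounts() {
    required_accounts "$@" | while IFS=: read -r user group; do
        state=$(check_account "$user" "$group")
        echo "$user: $state"
        if [ "$state" = missing ]; then
            [ -n "$(lookup_group "$group")" ] || echo "  groupadd $group"
            echo "  useradd -g $group -d $NFAST_HOME_DIR $user"
        fi
    done
}

plan_accounts "$@"
```

A mismatch line means an account with that name already exists with a different primary group or home directory; resolve it before running the installer.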
6.1.3. All environments
6.1.3.1. Install Java with any necessary patches
The following versions of Java have been tested to work with, and are supported
by, your nShield Security World Software:
•Java7 (or Java 1.7x)
•Java8 (or Java 1.8x)
•Java11.
Entrust recommends that you ensure Java is installed before you install the