Security World Software Installation

  1. Use an SSH client (PuTTY on Windows or ssh on another Linux system) to open a remote console to the new Linux server. Log in as the administrative user you created during installation.
  2. Use the su utility to change into the root account (use a dash after the su command to enable the root environment and move you to the root user’s home directory):

    $ su -
    Password: ********
    # pwd
    /root


    Copy the Security World software packages into a directory within the root user’s home directory (e.g., /root/nCipher). Specifically, the SecWorld-linux64-user-12.50.4.iso.zip and wsop-user-1.00.00.zip files should be copied into this directory.

  3. Unzip these files using the unzip utility. You should be left with three new files beside the zip files:
    • SecWorld-linux64-user.12.50.4.iso
    • wsop-user-1.00.00.iso
    • rnotes_1_1.pdf (release notes that ship with the WSOP ISO image).
  4. Create directories in which to mount the ISO images, then mount these images within the new directories:

    # mkdir -p /mnt/sw
    # mount -t iso9660 -o loop /root/nCipher/SecWorld-linux64-user.12.50.4.iso /mnt/sw
    mount: /mnt/sw: WARNING: device write-protected, mounted read-only.
    # mkdir -p /mnt/wsop
    # mount -t iso9660 -o loop /root/nCipher/wsop-user-1.00.00.iso /mnt/wsop
    mount: /mnt/wsop: WARNING: device write-protected, mounted read-only.


  5. Within the /mnt/sw/document directory, you should now find documentation for installing Security World software.
    1. Locate the files named nShield_Connect_Installation_Guide.pdf and nShield Connect User Guide for Unix; copy these files to a Windows system and open them for reference.
    2. Do the same with the file /mnt/wsop/document/WSOP_User_Guide.pdf.

    References to these documents will be made from here on.

  6. Instructions for installing Security World software begin in Chapter 4 of the nShield Connect Installation Guide. Instructions for installing on Linux systems begin at the bottom of page 26. You are already logged in as root so change to the root directory (cd /) and begin with step 4 of the instructions:

    The instructions in the nShield Connect Installation Guide are general purpose and based on the idea that Security World software might be installed for many purposes. This guide is more explicit, indicating exactly the packages needed for using Security World software with the WSOP.

    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/hwsp/agg.tar
    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/ctls/agg.tar
    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/nhfw/agg.tar
    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/hwcrhk/user.tar
    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/hwcrhk/gnupg.tar
    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/javasp/agg.tar
    # tar xf /mnt/sw/linux/libc6_11/amd64/nfast/jcecsp/user.tar
    # tar xf /mnt/wsop/linux/libc6_11/amd64/wsop/wsopinst/user.tar
    # /opt/nfast/sbin/install
    ---- Stopping any nCipher servers ----
    No nCipher init scripts installed.
    ---- Cleaning up any old install ----
    No nCipher components requiring cleanup found.
    ---- Installing ----
    -- Running install fragment 10nfastug
    Checking for user 'nfast' in group 'nfast'
    Creating nfast group.
    Creating nfast user.
    useradd: warning: the home directory already exists.
    Not copying any file from skel directory into it.
    Checking user 'nfast' is in correct group 'nfast'
    users created correctly
    -- Running install fragment 11systemd
    Register the SELinux policy for nFast, will take some time.
    -- Running install fragment 15makefiles
    Setting up directories.
    Making default config file.
    Making default cardlist file
    -- Running install fragment 45drivers
    Unloading old nCipher PCI nfp driver.
    Checking for PCI nfp hardware.
    Warning: No suitable pre-built PCI driver available.
    No nCipher PCI nfp devices found.
    Installing startup scripts for 'drivers'.
    Not linking in init scripts or loading drivers.
    -- Running install fragment 46exard
    Remove old nCipher PCI miniHSM devices.
    Checking for nCipher PCI miniHSM hardware.
    No nCipher PCI miniHSM devices found.
    Installing startup scripts for 'exard'.
    Not linking in init scripts or loading drivers.
    -- Running install fragment 50hardserver
    Configuring hardserver privileges.
    ls: cannot access '/dev/nfastpci*': No such file or directory
    Installing startup scripts for 'hardserver'.
    Linking in init scripts
    Adding and enabling a systemd unit
    Synchronizing state of nc_hardserver.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install enable nc_hardserver
    Created symlink /etc/systemd/system/multi-user.target.wants/nc_hardserver.service → /etc/systemd/system/nc_hardserver.service.
    Note: Forwarding request to 'systemctl enable nc_hardserver.service'.
    Synchronizing state of nc_hardserver.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
    Executing: /usr/lib/systemd/systemd-sysv-install enable nc_hardserver
    Warning: Installed, but no directly attached hardware was found. If
    you have an nCipher PCI card , re-run 'install' script with hardware
    attached, or with '-d' option, or consult nCipher support.
    Starting nCipher 'hardserver' server process.
    waiting for nCipher server to become operational ...
    nCipher server now running
    -- Running install fragment 60cmdadp
    -- Running install fragment 70edgecfg
    ---- Installation complete ----


  7. If you wish, edit your /root/.bash_profile script, prepending ‘/opt/nfast/bin:’ to the PATH variable defined therein. After editing, source the script to make the changes take effect in the current shell (source /root/.bash_profile). Test the installation now to ensure all is working properly by running the nfkminfo utility. The output should be as shown in the top portion of the example output at the bottom of the Linux section of Chapter 4 in the nShield Connect Installation Guide.

    The bottom portion of this output will show up when an HSM has been added to the Security World.

  8. Copy the nCipherKM.jar file into the Oracle JRE Extensions directory:

    # cp /opt/nfast/java/classes/nCipherKM.jar /usr/java/latest/lib/ext/

  9. The WSOP server is a standard embedded Tomcat service running the WSOP web application. The web application communicates with the Hardserver via the Hardserver’s non-privileged listen port. This port is not enabled by default. Enable it now as follows:

    # /opt/nfast/bin/config-serverstartup -s --port 9000
    [server_settings] change successful; you must restart the hardserver for this to take effect
    # /opt/nfast/sbin/init.d-ncipher restart
    -- Running shutdown script 50hardserver
    -- Running shutdown script 46exard
    -- Running shutdown script 45drivers
    -- Running startup script 45drivers
    -- Running startup script 46exard
    -- Running startup script 50hardserver
    waiting for nCipher server to become operational ...
    nCipher server now running
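
Once the hardserver has restarted with port 9000 enabled (step 9), it is worth confirming which local addresses that port is bound to. The script below is an added example, not part of the original guide or the vendor's tooling; the function name classify_listen and the sample listener lines are constructed for illustration, and 9000 is the port chosen in step 9.

```shell
#!/bin/sh
# Added example: classify where a TCP port is listening, from `ss -ltnH` lines.
# classify_listen PORT   (reads listener lines on stdin)
#   prints one of: not-listening | loopback-only | exposed
classify_listen() {
    awk -v port="$1" '
        {
            ep = $4                          # local endpoint, e.g. 127.0.0.1:9000 or [::]:9000
            pos = match(ep, /:[0-9]+$/)      # the last colon separates address and port
            if (pos == 0 || substr(ep, pos + 1) != port) next
            addr = substr(ep, 1, pos - 1)
            sub(/%.*$/, "", addr)            # drop an interface scope such as %lo
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "not-listening"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }'
}

# Constructed samples of `ss -ltnH` output (not captured from a real host).
SAMPLE_LOOPBACK='LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 5     127.0.0.1:9000  0.0.0.0:*'
SAMPLE_WILDCARD='LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 5     0.0.0.0:9000    0.0.0.0:*
LISTEN 0 5     [::1]:9000      [::]:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | classify_listen 9000
printf '%s\n' "$SAMPLE_WILDCARD" | classify_listen 9000

# On the server itself (as root): ss -ltnH | classify_listen 9000
```

An `exposed` result means the port accepts connections on a non-loopback address, so whether other hosts can reach it then depends on the host firewall.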

Configuring the Linux Server to Use an Existing Security World

The steps to configure the server are very specific to the customer environment. The instructions on how to do this are provided in the nShield Connect User Guide for Unix.