Perform the following configuration steps if any solution requires an Entrust nShield HSM (Hardware Security Module). Skip them if you intend to use an HSM from another vendor.

Selecting the platform for creating the Entrust nShield Security World

You can create the Entrust nShield Security World on the machine running the Timestamping Authority solution, or on another machine of your choice. 

Selecting the drivers for creating the Entrust nShield Security World

The HSM requirements section details the version of the built-in client drivers that Entrust solutions use to connect to Entrust nShield HSMs. To avoid potential incompatibilities, use client drivers of the same version when creating the Entrust nShield Security World.

Adding a cknfastrc file to the Entrust nShield Security World

To use the cknfastrc file in Timestamping Authority: 

  1. Copy the file into the Security World kmdata folder that will be imported later as part of the Timestamping Authority configuration.
  2. Edit the file and add the following line:

    CKNFAST_LOADSHARING=1

  3. Save the file changes.

Configuring kmdata/config/config in Entrust nShield Security World

The following parameters in the kmdata/config/config file only support the default value.

| Parameter | Default |
| --- | --- |
| impath_addr | 0.0.0.0 |
| impath_port | 9004 |

To use these default values, simply omit the parameters in the configuration. 
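
A pre-import check for the two file requirements above, written as an added example and not part of Entrust's tooling. The function names `check_kmdata` and `make_sample` are hypothetical, and the script assumes that cknfastrc sits at the top of the kmdata folder and that kmdata/config/config uses `key=value` lines with `#` comments.

```sh
#!/bin/sh
# check_kmdata DIR: verify a Security World kmdata folder before importing it.
# Returns 0 when both requirements hold, 1 otherwise; findings go to stderr.
check_kmdata() {
    kmdata=$1
    rc=0
    # 1. cknfastrc must carry an active (uncommented) CKNFAST_LOADSHARING=1.
    #    Assumption: the file is at the top level of the kmdata folder.
    if ! grep -Eq '^[[:space:]]*CKNFAST_LOADSHARING[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
            "$kmdata/cknfastrc" 2>/dev/null; then
        echo "FAIL: $kmdata/cknfastrc lacks CKNFAST_LOADSHARING=1" >&2
        rc=1
    fi
    # 2. impath_addr and impath_port must be omitted or left at the default.
    #    Assumption: key=value lines, '#' starts a comment.
    cfg=$kmdata/config/config
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found" >&2
        return 1
    fi
    for pair in impath_addr=0.0.0.0 impath_port=9004; do
        key=${pair%%=*}
        default=${pair#*=}
        values=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$cfg")
        for v in $values; do
            if [ "$v" != "$default" ]; then
                echo "FAIL: $key=$v in $cfg (only $default is supported)" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Build a constructed sample kmdata tree (demo data, not a real Security World).
make_sample() {
    mkdir -p "$1/config"
    echo 'CKNFAST_LOADSHARING=1' > "$1/cknfastrc"
    printf '[server_remotecomms]\n# impath_port=9005\nimpath_port=%s\n' "$2" \
        > "$1/config/config"
}

# Demo: one compliant tree and one with an unsupported port.
tmp=$(mktemp -d)
make_sample "$tmp/good" 9004
make_sample "$tmp/bad" 9005
check_kmdata "$tmp/good" && echo "good: ok"
check_kmdata "$tmp/bad" || echo "bad: rejected"
rm -rf "$tmp"
```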

Registering Entrust PKI Hub nodes as Entrust nShield clients

Entrust nShield requires registering each Entrust PKI Hub node as a client. When using an Entrust nShield HSM, repeat the steps below for each node.

To register an Entrust PKI Hub node as an Entrust nShield client:

  1. Run the client registration wizard as explained in https://nshielddocs.entrust.com/security-world-docs/v12.80/connect-ug-nix/configure.html#ConfigureConnectClient
  2. When prompted "Please enter your client IP address", type the node IP address and click Yes.
  3. When prompted "Do you want to save the IP in the config?", click Yes.
  4. When prompted "Please choose the client permissions", click Unprivileged.
  5. When prompted "Do you want secure authentication enabled on this client?", click No.