• Remote reboot
• Remote mode changes
• Remote upgrade. If this functionality is not required, it must be disabled.
4.6.6. Configuring a client to communicate with an nShield Connect
The nethsmenroll utility is used to edit the configuration file of the client hardserver to
add an nShield Connect. It is strongly recommended that the utility is used with the ESN
and HKNETI options filled in; these values must be obtained from the nShield Connect’s
front panel. Alternatively, nethsmenroll can be run without the ESN and HKNETI
parameters specified: it then attempts to recover them from the nShield Connect and
prompts for confirmation that they are correct. Confirmation means verifying that the ESN
and HKNETI displayed on the front panel of the nShield Connect are the same as the values
the client recovered. This step must be completed when enrolling clients over a network, to
verify that the client is communicating with the valid, identified nShield Connect. Once the
values are confirmed they are automatically written to the configuration file.
The nethsmenroll option --no-hkneti-confirmation invokes the associated utility anonkneti
to recover the ESN and HKNETI of an nShield Connect without confirmation. The utility
anonkneti can also be used on its own. Unless deployed on a local, completely secure
network, this option and utility should not be used, as they cannot mitigate the threat of an
attacker inserting a rogue device without being noticed.
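The front-panel confirmation step above, as an added shell example that is not part of the manual or of the nShield tools: the client-recovered identity is accepted only if both the ESN and the HKNETI match what the operator read from the nShield Connect’s front panel. It assumes the recovered values arrive as one line of the form "<ESN> <HKNETI>"; the sample values in the usage are constructed.

```shell
#!/bin/sh
# Added example, not from the nShield Security Manual or the nShield tools.
# Assumed input shape: the values recovered over the network are passed as a
# single line "<ESN> <HKNETI>"; the expected values are typed in from the
# nShield Connect's front panel.

# Normalise an ESN: upper-case, keep only letters, digits and dashes.
norm_esn() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/[^A-Z0-9-]//g'
}

# Normalise a KNETI hash: lower-case hex with all other characters stripped.
norm_hash() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^0-9a-f]//g'
}

# verify_connect_identity FRONT_PANEL_ESN FRONT_PANEL_HKNETI "RECOVERED_LINE"
# Returns 0 only when both values match; 1 on any mismatch or malformed input,
# so a caller can refuse to write an unconfirmed identity to the config file.
verify_connect_identity() {
    exp_esn=$(norm_esn "$1")
    exp_hash=$(norm_hash "$2")
    set -- $3                          # split the recovered line into ESN, HKNETI
    got_esn=$(norm_esn "${1:-}")
    got_hash=$(norm_hash "${2:-}")

    # A KNETI hash is a 40-hex-digit SHA-1; anything else is not a usable identity.
    if [ "${#exp_hash}" -ne 40 ]; then
        echo "front-panel HKNETI is not a 40-digit hex hash" >&2; return 1
    fi
    if [ -z "$exp_esn" ] || [ "$exp_esn" != "$got_esn" ]; then
        echo "ESN mismatch: front panel '$exp_esn', recovered '$got_esn'" >&2; return 1
    fi
    if [ "$exp_hash" != "$got_hash" ]; then
        echo "HKNETI mismatch: front panel '$exp_hash', recovered '$got_hash'" >&2; return 1
    fi
    echo "ESN and HKNETI confirmed against the front panel; identity may be enrolled"
    return 0
}

# Constructed sample values (not a real nShield Connect):
# verify_connect_identity "1234-5678-90AB" \
#   "0123456789abcdef0123456789abcdef01234567" \
#   "1234-5678-90AB 0123456789ABCDEF0123456789ABCDEF01234567"
```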
4.6.7. Configuring a client to communicate through an nToken
If an nToken is installed in a client, it can be used to both generate and protect a key that
is then used for the Impath communication between the nShield Connect and the client.
As a result, a dedicated hardware-protected key is used at both ends of the Impath. The
nToken mitigates threats occurring in the client environment including vulnerabilities
arising in generic software and operating systems.
When configuring an nShield Connect to use a client containing an nToken, you must
obtain the nToken key hash from the client, then view the client’s configuration from
the front panel of the nShield Connect and verify that the nToken key hash displayed
there matches the nToken key hash obtained from the client. This ensures that the
correct nToken is enrolled.
nShield® Security Manual 19 of 90