If you change the UTC date or time, you must reboot the unit before the changes take effect.
Note: Setting the time and date of the unit as UTC does not reset the value of the Real Time Clock (RTC) on the unit. The UTC date and time settings are used only in log messages.
Keyboard layout
You can connect a keyboard to the USB connector (nShield Connect) or PS/2 socket (netHSM) on the front panel of the unit. This enables you to control the unit using a special set of keystrokes instead of the standard front panel controls.
You can connect either a US or a UK keyboard. To configure the unit for your keyboard type, select System > System configuration > Keyboard layout and then choose the keyboard type you require.
Configuring the unit to use the client
You must inform the unit hardserver of the location of the client computer.
If nToken module hardware is installed on the client, you can configure the client to use it. If a client attempts to connect to the unit when an nToken module is in use, the unit not only examines the client’s IP address, but also requires the client to identify itself using a signing key.
Note: If an nToken module is installed on a client, it can be used to both generate and protect a key that is used for the impath communication between the unit and the client. Thus a strongly protected key is used at both ends of the impath.
The client configuration process varies slightly depending on whether you are enrolling the client with or without an nToken module:
1 On the unit front panel, use the right-hand navigation button to select System > System configuration > Client config > New client.
The following screen is displayed:
Client configuration
Please enter your client IP Address
0. 0. 0. 0
CANCEL NEXT
2 Enter the IP address of the first client, and press the right-hand navigation button.
You are asked to choose the permissions for the client:
Client configuration
Please choose the client permissions
Unprivileged
BACK NEXT
3 Use the touch wheel to display the type of connection between the module on the unit and the client. The following options are available:
Option              Description
Unprivileged        Privileged connections are never allowed.
Priv. on low ports  Privileged connections are allowed only from ports numbered less than 1024. These ports are reserved for use by root on Unix-based systems.
Priv. on any ports  Privileged connections are allowed on all ports.
A privileged connection is required to administer the module on the unit, for example to initialize a Security World. If privileged connections are allowed, the client can issue commands (such as clearing the module) which interfere with its normal operation. We recommend that you allow only unprivileged connections unless you are performing administrative tasks.
4 When you have selected a connection option, press the right-hand navigation button.
The following screen is displayed:
Client configuration
You must choose whether to enroll the client with an nToken module, or without one:
- To enroll the client without nToken authentication, select No and press the right-hand navigation button.
- To enroll the client with nToken authentication, you must first confirm the nToken authentication key:
i On the client, open a command line window, and run the command:
ntokenenroll -H
This command produces output of the form:
nToken module #1
nToken ESN: 3138-147F-2D64
nToken key hash: 691be427bb125f387686 38a18bfd2eab75623320
ii Compare the nToken key hash returned by ntokenenroll with the hash on the unit.
Note: Write the hash down, or ensure that you can see the key hash displayed on the unit as you work on the client.
iii On the unit, enter the number of the port on which the client is listening and press the right-hand navigation button. (The default is 9004.)
The unit display shows information of the following form, identifying the client by its ESN and displaying a key hash:
Client nnnnnnnnnn reported the key hash:
691be427bb125f387686 38a18bfd2eab75623320
Is this EXACTLY right?
Yes No
CANCEL FINISH
iv Compare the hash displayed by the unit with the hash that was previously reported by ntokenenroll on the client. If there is an exact match, select Yes and then press the right-hand navigation button to configure the client.
v The unit displays a message reporting that the client has been configured. Press the right-hand navigation button again.
vi Run one of the following commands:
- If you are enrolling the client with an nToken:
nethsmenroll --ntoken-esn <ESN of nToken> [Options] --privileged <nShield Connect IP> <nShield Connect ESN> <nShield Connect KNETI HASH>
- If you are enrolling the client without an nToken:
nethsmenroll [Options] --privileged <nShield Connect IP> <nShield Connect ESN> <nShield Connect KNETI HASH>
To modify or delete an existing client, select System > System configuration > Client config and perform the appropriate procedure.
If you want to use multiple clients with the unit, you must enable additional client licenses (see Enabling optional features on the unit on page 90). When you have additional client licenses enabled, to configure more clients, repeat the appropriate steps of the procedure described in this section for each client.
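The key hash comparison in the nToken enrollment steps above can be checked mechanically on the client instead of by eye. The script below is an added example, not part of the original guide or of the product's tooling: the function names are hypothetical, the hash length of 40 hex digits is taken from the sample on this page, and the second argument to hashes_match stands for the hash the operator reads from the unit display.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not product tooling.

# Sample text in the form this page shows for `ntokenenroll -H`, with the
# hash wrapped onto a second line (constructed layout, values from the page).
SAMPLE_OUTPUT='nToken module #1
 nToken ESN: 3138-147F-2D64
 nToken key hash: 691be427bb125f387686
                  38a18bfd2eab75623320'

# Strip whitespace, fold hex case, and require exactly 40 hex digits
# (the length of the sample hash on this page).
normalize_hash() {
    local h
    h=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$h" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -eq 40 ] || return 1
    printf '%s\n' "$h"
}

# Extract the first module's key hash, joining a wrapped continuation line.
extract_key_hash() {
    printf '%s\n' "$1" | awk '
        /nToken key hash:/ && !seen {
            sub(/.*nToken key hash:/, ""); buf = $0; seen = 1; grab = 1; next
        }
        grab && /^[ \t]*[0-9A-Fa-f]+[ \t]*$/ { buf = buf $0; next }
        { grab = 0 }
        END { gsub(/[ \t]/, "", buf); print buf }'
}

# Returns 0 on exact match, 1 on mismatch, 2 if either hash is malformed.
hashes_match() {
    local c u
    c=$(normalize_hash "$(extract_key_hash "$1")") || return 2
    u=$(normalize_hash "$2") || return 2
    [ "$c" = "$u" ]
}

# The second argument stands for the hash the operator reads off the unit.
if hashes_match "$SAMPLE_OUTPUT" "691be427bb125f387686 38a18bfd2eab75623320"; then
    echo "MATCH: select Yes on the unit"
else
    echo "NO MATCH: select No on the unit"
fi
```

A truncated or mistyped hash returns status 2 rather than 1, so a transcription error is distinguishable from a genuine mismatch.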