Uninstall nCipher Software on CentOS

  • log in as root
  • go to “/opt/nfast/sbin”
  • execute “./install -u” (the installer doubles as the uninstaller, as its help text shows)
[root@thalesrfs01 sbin]# ./install --help
./install [-d] [-u]
-d : debug mode
-u : uninstall only
[root@thalesrfs01 sbin]# ./install -u
---- Stopping any nCipher servers ----
-- Running shutdown script 60raserv
-- Running shutdown script 50hardserver
-- Running shutdown script 46exard
-- Running shutdown script 45drivers
---- Cleaning up any old install ----
-- Running uninstall fragment drivers
Removing nCipher 'drivers' init scripts.
Removing nCipher 'drivers' uninstall script.
Removing nCipher 'drivers' systemd unit.
-- Running uninstall fragment exard
Removing nCipher 'exard' init scripts.
Removing nCipher 'exard' uninstall script.
Removing nCipher 'exard' systemd unit.
-- Running uninstall fragment hardserver
Disabling the service
Note: Forwarding request to 'systemctl disable nc_hardserver.service'.
Removed symlink /etc/systemd/system/multi-user.target.wants/nc_hardserver.service.
Unlinking system init scripts
Disabling and unlinking systemd units
Removing nCipher 'hardserver' init scripts.
Removing nCipher 'hardserver' uninstall script.
Removing nCipher 'hardserver' systemd unit.
Removing nCipher 'hardserver' startup / shutdown scripts
-- Running uninstall fragment raserv
Disabling the service
Note: Forwarding request to 'systemctl disable nc_raserv.service'.
Removed symlink /etc/systemd/system/multi-user.target.wants/nc_raserv.service.
Unlinking system init scripts
Disabling and unlinking systemd units
Removing nCipher 'raserv' init scripts.
Removing nCipher 'raserv' uninstall script.
Removing nCipher 'raserv' systemd unit.
Removing nCipher 'raserv' startup / shutdown scripts
-- Running uninstall fragment zzselinux
Unregister the SELinux policy for nFast, will take some time.
libsemanage.semanage_direct_remove_key: Removing last nfast module (no other nfast module exists at another priority).
[root@thalesrfs01 sbin]# ls
hardserver init.d-ncipher install nffwd raserv server.conf
[root@thalesrfs01 sbin]#
  • execute the “rm -rf /opt/nfast” command
  • execute the “rm /etc/nfast.conf” command
  • execute the “userdel nfast” command – it deletes the “nfast” group as well, so a following “groupdel nfast” reports that the group no longer exists:
[root@thalesrfs01 /]# userdel nfast
[root@thalesrfs01 /]# groupdel nfast
groupdel: group 'nfast' does not exist
[root@thalesrfs01 /]#
  • execute the “userdel raserv” command – it deletes the “raserv” group too
  • execute the “userdel ncsnmpd” command – it deletes the “ncsnmpd” group too

NOTE

  • raserv – present only if the nCipher Remote Admin Server is installed
  • ncsnmpd – present only if the SNMP service is installed
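The steps above as one script, added here as an example (not code from the page or from Thales). It assumes NFAST_HOME is /opt/nfast, a script name of remove_ncipher.sh, and a --force switch that the page does not have; the refusal to delete a populated kmdata directory is the check a practitioner would want before wiping a Security World.

```bash
#!/bin/bash
# Added example, not from the page or from Thales: the removal steps above as
# one script. It stops at the first failure, deletes accounts and groups only
# if they still exist (userdel normally removes the private group as well,
# which is why "groupdel nfast" fails in the session above) and refuses to
# delete /opt/nfast while kmdata still holds files unless --force is given,
# because that directory holds the Security World and card-set data.
set -euo pipefail
NFAST_HOME="${NFAST_HOME:-/opt/nfast}"

# account_exists NAME / group_exists NAME: 0 if the local user / group exists.
account_exists() { getent passwd "$1" >/dev/null; }
group_exists()   { getent group  "$1" >/dev/null; }

# remove_account NAME: deletes the user and, if it survived, the group.
remove_account() {
    if account_exists "$1"; then userdel "$1"; fi
    if group_exists "$1";   then groupdel "$1"; fi
}

# kmdata_populated DIR: 0 if DIR contains at least one file.
kmdata_populated() {
    [ -d "$1" ] && [ -n "$(find "$1" -type f -print -quit 2>/dev/null)" ]
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    if kmdata_populated "$NFAST_HOME/kmdata" && [ "${1:-}" != "--force" ]; then
        echo "$NFAST_HOME/kmdata still holds files; back it up, then rerun with --force" >&2
        return 1
    fi
    # vendor uninstaller: stops the services, removes units and SELinux policy
    (cd "$NFAST_HOME/sbin" && ./install -u)
    rm -rf "$NFAST_HOME"
    rm -f /etc/nfast.conf
    for acct in nfast raserv ncsnmpd; do remove_account "$acct"; done
}
# usage: remove_ncipher.sh --run [--force]
if [ "${1:-}" = "--run" ]; then main "${2:-}"; fi
```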

Thales (nCipher) “cat example.snmp.conf”

[user@SRV01 snmp]$ cat example.snmp.conf
#
#
# example.snmp.conf
#
# File giving some (hopefully) useful examples of configuring the
# nCipher SNMP agents clients. This file configures the command-
# line tools and 3rd party SNMP clients which use net-snmp libraries.
#
#
#
# This file is intended as an example. If you want to use it for command
# line tools, you should copy it to
# $NFAST_HOME/etc/snmp/snmp.conf
#
# for 3rd party SNMP clients refer to the documentaion supplied with the
# client.
#
# Standard options
# defaultPort port
# Specifies the port number that all daemons and applications
# should use.
#
defaultPort 161
# defVersion (v1|v2c|v3)
# Specifies the default version of SNMP to use.
# NB: use of SNMP v3 is recommended for security
#
defVersion v3
# logTimestamp (1|yes|true|0|no|false)
# Specifies whether or not the logging facilities will append
# timestamps to log messages
#
logTimestamp yes
# SNMP v3 options.
# defSecurityLevel noAuthNoPriv|authNoPriv|authPriv
# Specifies the default security level to use for SNMPv3 requests
# noAuthNoPriv & authNoPriv are supported.
# However authPriv is recommended for security
#
defSecurityLevel authPriv
# defAuthType ( SHA )
# Specifies the default authentication type
# only SHA is supported
#
defAuthType SHA
# defPrivType ( AES )
# Specifies the default privacy type
# only AES is supported
#
defPrivType AES
# defSecrutiyModel STRING
# Specifies the default security model to use for SNMPv3 requests
# only "usm" is supported
#
defSecurityModel usm
# Output options.
# Setting the following options to true is equivalent
# to passing in certain command-line switches. See the documentation
# for detailed information about the effects of these.
# printNumericEnums (1|yes|true|0|no|false)
# equivalent to passing -Oe on the command line
# printNumericOids (1|yes|true|0|no|false)
# equivalent to passing -On on the command line
# dontBreakDownOids (1|yes|true|0|no|false)
# equivalent to passing -Ob on the command line
# escapeQuotes (1|yes|true|0|no|false)
# equivalent to passing -OE on the command line
# quickPrinting (1|yes|true|0|no|false)
# equivalent to passing -Oq on the command line
# suffixPrinting (0|1|2)
# 1 --> equivalent to -Os
# 2 --> equivalent to -OS
# extendedIndex (1|yes|true|0|no|false)
# equivalent to passing -OX on the command line
# dumpPacket (1|yes|true|0|no|false)
# Specifies whether the commands should dump packets by default.
#
dumpPacket 0
# doDebugging (1|0)
# Turns on debugging for all applications if set to 1.
#
doDebugging 1
# debugTokens token[,token…]
# Specifies which debugging tokens should be printed.
# See the documentation for more details.
#
debugTokens trace,ncsnmpd
[user@SRV01 snmp]$
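The file's own comments say which settings are the secure ones (v3, authPriv, SHA, AES, usm) and the example also leaves doDebugging switched on. As an added example (not part of the page or of the vendor's file), a check that a deployed snmp.conf keeps those settings; it assumes only the directive names shown above and reads the same "key value" layout.

```bash
#!/bin/bash
# Added example, not from the page or from Thales: checks an snmp.conf of the
# kind shown above for settings that weaken SNMPv3 or leak data. It flags a
# default version other than v3, a security level below authPriv, auth or
# privacy types other than the SHA and AES the agent supports, and debugging
# or packet dumps left enabled (fine for troubleshooting, noisy in production).
# Exit status is the number of findings, so 0 means the file is as recommended.

# want KEY EXPECTED ACTUAL: prints a finding unless ACTUAL equals EXPECTED.
# Relies on the caller's $file and $findings (bash locals are visible to
# functions called from the function that declared them).
want() {
    [ "$3" = "$2" ] && return 0
    echo "$file: $1 is '$3', expected '$2'"
    findings=$((findings + 1))
}

snmp_conf_findings() {
    local file="$1" findings=0 key val
    while read -r key val; do
        case "$key" in
        ''|'#'*) continue ;;                      # blank or comment line
        defVersion)       want "$key" v3 "$val" ;;
        defSecurityLevel) want "$key" authPriv "$val" ;;
        defAuthType)      want "$key" SHA "$val" ;;
        defPrivType)      want "$key" AES "$val" ;;
        defSecurityModel) want "$key" usm "$val" ;;
        doDebugging|dumpPacket)
            case "$val" in
            1|yes|true) echo "$file: $key is on; disable outside troubleshooting"
                        findings=$((findings + 1)) ;;
            esac ;;
        esac
    done < "$file"
    return "$findings"
}
```

Run as `snmp_conf_findings /opt/nfast/etc/snmp/snmp.conf`; the values on this page produce exactly one finding, the doDebugging 1 line.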

Thales (nCipher) service status monitoring

The Thales network HSM solution is made up of a few components: the HSM itself, the hardserver, the RFS server and the HSM client. Items to monitor:

  • HSM IP address
  • HSM port 9004
  • RFS OS status (CPU, RAM, HDD)
  • hardserver service status
  • port 9001 on the HSM client
  • logfiles (hardserver, HSMs, etc.)
  • kmdata folder permissions, owner and group
  • SNMP
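A set of checks covering the items in this list, added here as an example (not code from the page or from Thales). HSM_IP is a placeholder to replace, KMDATA and HS_LOG are assumed default paths, and the unit name is the nc_hardserver.service that appears in the uninstall output above.

```bash
#!/bin/bash
# Added example, not from the page or from Thales: health checks for the items
# in the monitoring list above, one function per check, each returning 0 (ok)
# or 1 (problem) so they can be wired into cron or a monitoring agent.
# Assumptions: HSM_IP is a placeholder you must set; KMDATA is the usual
# /opt/nfast/kmdata/local Security World directory; the unit name is the
# nc_hardserver.service seen in the uninstall output on this page.
HSM_IP="${HSM_IP:-192.0.2.10}"                  # placeholder, RFC 5737 range
KMDATA="${KMDATA:-/opt/nfast/kmdata/local}"
HS_LOG="${HS_LOG:-/opt/nfast/log/hardserver.log}"
# tcp_open HOST PORT: 0 if a TCP connection is accepted within 3 seconds
# (bash's /dev/tcp, so no extra tools are needed on the RFS or client).
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# unit_active UNIT: 0 if systemd reports the unit as active.
unit_active() {
    systemctl is-active --quiet "$1" 2>/dev/null
}

# dir_ok DIR USER GROUP: 0 if DIR exists, is owned by USER:GROUP and is not
# world-writable; anything else on the Security World directory is a finding.
dir_ok() {
    local mode
    [ -d "$1" ] || return 1
    [ "$(stat -c %U "$1")" = "$2" ] || return 1
    [ "$(stat -c %G "$1")" = "$3" ] || return 1
    mode=$(stat -c %a "$1")
    [ $(( 8#$mode & 2 )) -eq 0 ]
}

# file_fresh FILE MAXAGE: 0 if FILE was modified within MAXAGE seconds
# (a hardserver.log that stops changing usually means a wedged service).
file_fresh() {
    [ -f "$1" ] || return 1
    [ $(( $(date +%s) - $(stat -c %Y "$1") )) -le "$2" ]
}
# run_checks: runs every check, reports failures, returns 1 if any failed.
run_checks() {
    local rc=0
    unit_active nc_hardserver.service || { echo "hardserver unit not active"; rc=1; }
    tcp_open 127.0.0.1 9001 || { echo "hardserver port 9001 not listening"; rc=1; }
    tcp_open "$HSM_IP" 9004 || { echo "HSM $HSM_IP:9004 unreachable"; rc=1; }
    dir_ok "$KMDATA" nfast nfast || { echo "kmdata owner or permissions wrong"; rc=1; }
    file_fresh "$HS_LOG" 86400 || { echo "hardserver.log stale or missing"; rc=1; }
    return "$rc"
}
[ "${1:-}" = "--run" ] && run_checks
```

Invoke with `--run` from cron on the RFS or a client; the port 9001 check belongs on the client, the 9004 check on whatever host is supposed to reach the HSM.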

nCipher HSM log file rotation

Rotation is handled by the standard CentOS logrotate facility, with a stanza for the hardserver log in /etc/logrotate.d:

bash-4.2$ ls -la
total 28
drwxrwsr-x. 2 nfast nfast 177 Jan 15 22:14 .
drwxrwxr-x. 18 root root 230 Jan 7 01:32 ..
-rw-rw-r--. 1 root nfast 0 Jan 7 01:33 cmdadp-debug.log
-rw-rw-r--. 1 root nfast 0 Jan 7 01:33 cmdadp.log
-rw-r--r--. 1 nfast nfast 11146 Jan 15 22:40 hardserver.log
-rw-r-----. 1 nfast nfast 3932 Jan 15 20:56 hardserver.log-20190115.gz
-rw-r-----. 1 nfast nfast 6 Jan 15 20:56 hardserver.pid
lrwxrwxrwx. 1 root nfast 29 Jan 7 01:32 logfile -> /opt/nfast/log/hardserver.log
-rw-r-----. 1 raserv raserv 3671 Jan 15 20:56 raserv.log
-rw-r-----. 1 raserv raserv 6 Jan 15 20:56 raserv.pid
bash-4.2$ exit
[root@thalesrfs01 logrotate.d]# pwd
/etc/logrotate.d
[root@thalesrfs01 logrotate.d]# cat hardserver
/opt/nfast/log/hardserver.log {
su nfast nfast
missingok
notifempty
compress
size 100
daily
create 0644 nfast nfast
}
[root@thalesrfs01 logrotate.d]#
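Three details of that stanza are easy to misread: it sets no "rotate" count (so the count comes from the global /etc/logrotate.conf, and logrotate's own default is 0, which deletes rather than keeps), "size 100" means 100 bytes and is mutually exclusive with "daily", and "create 0644" makes the live log world-readable while the rotated archive in the listing above is 0640. As an added example (not from the page or from Thales), a linter that reports those findings and prints a hardened stanza; the rotate count of 14 is an assumption.

```bash
#!/bin/bash
# Added example, not from the page or from Thales: lints a logrotate stanza
# like /etc/logrotate.d/hardserver above and can print a hardened version.
# Findings: no "rotate" in the stanza (count then depends on the global
# config; logrotate's own default is 0 = delete), a bare "size" value (bytes,
# and mutually exclusive with daily/weekly/monthly) and a "create" mode that
# leaves the live log readable by everyone. Exit status = number of findings.
lint_logrotate() {
    local file="$1" findings=0 key val
    grep -q '^[[:space:]]*rotate[[:space:]]' "$file" || {
        echo "$file: no 'rotate' here; count depends on /etc/logrotate.conf (default 0 = delete)"
        findings=$((findings + 1)); }
    while read -r key val; do
        case "$key" in
        size)
            case "$val" in
            *[kKmMgG]) ;;   # unit suffix present
            *) echo "$file: 'size $val' means $val bytes"
               findings=$((findings + 1)) ;;
            esac
            if grep -Eq '^[[:space:]]*(daily|weekly|monthly)[[:space:]]*$' "$file"; then
                echo "$file: 'size' and daily/weekly/monthly are mutually exclusive"
                findings=$((findings + 1))
            fi ;;
        create)
            set -- $val          # MODE OWNER GROUP
            case "$1" in
            *[4567]) echo "$file: 'create $1' leaves the live log world-readable"
                     findings=$((findings + 1)) ;;
            esac ;;
        esac
    done < "$file"
    return "$findings"
}
# hardened_stanza: same log, explicit count, schedule-based rotation, and the
# live log created with the 0640 mode the rotated archive already has.
hardened_stanza() {
    cat <<'EOF'
/opt/nfast/log/hardserver.log {
    su nfast nfast
    daily
    rotate 14
    missingok
    notifempty
    compress
    create 0640 nfast nfast
}
EOF
}
```

`lint_logrotate /etc/logrotate.d/hardserver` reports four findings on the stanza shown above and none on the output of `hardened_stanza`.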