nShield 5 adoption steps

The steps below detail the most common approach for adoption of the nShield 5, both the nShield 5s and the nShield 5c.

As detailed in nShield 5 Compatibility, the nShield 5 HSM will support the same algorithms and follow the same Security World restrictions as an older generation of HSM running the same version of firmware and using the same Security World Software. Please consult the firmware release notes for details of any changes to this from the version currently in use.

Upgrade Security World Client-side Software

The first step is to ensure the client-side software has been upgraded to a version that supports the nShield 5 HSM:

Upgrade the Security World Client-side software to the latest required version. See for detailed instructions on installing.

After this step, the Security World will support current HSMs and nShield 5.
Install the new nShield 5 HSM hardware.

Follow the hardware setup instructions to install the new nShield 5 HSM. See hardware install guide.
Upgrade the 5s firmware or 5c image to the required version. Upgrade the firmware on the nShield 5s and/or 5c image on the nShield 5c to the desired version.

See Hardware, firmware, software versions in nShield 5 for details of the different versions and certifications and what new nShield 5 FW should be used.
Load/create new security world onto the nShield 5 HSM.
- If a Security World already exists, load this onto the new nShield 5 HSM, see add an HSM to a security world.
- Otherwise, create a new Security World onto the new nShield 5 HSM, see create a security world.

Security World Modes

The table below shows the different Security World modes and the difference between nShield XC and nShield 5 firmware compatibility. It shows where a world, created for nShield XC for a particular use case, can be loaded onto a nShield 5 and will continue to be compliant with that use case.

All of these are using the ciphersuite DLf3072s256mAEScSP800131Ar1 and FW version 12.50 and later.

Use Case new-world mode XC Version nShield 5 Version Required Active Modes

Use Case	new-world mode	XC Version	nShield 5 Version	Required Active Modes
FIPS 140 Level 2	-	12.50.11 12.72.1/3/4	None	`UseFIPSApprovedInternalMechanisms` `AlwaysUseStrongPrimes`
FIPS 140 Level 3 (12.50)	`fips-140-2-level-3`	12.50.11	None	`UseFIPSApprovedInternalMechanisms` `FIPSLevel3Enforcedv2` `AlwaysUseStrongPrimes`
FIPS 140 Level 3 (12.70 and later)	`fips-140-level-3`	12.72.1/3/4	13.2.4 13.4.5	`UseFIPSApprovedInternalMechanisms` `FIPSLevel3Enforcedv2` `AlwaysUseStrongPrimes` `StrictSP80056Ar3`
Common Criteria	`common-criteria-cmts`	12.60.15	13.5.1	`AuditLogging` `UseFIPSApprovedInternalMechanisms` `AlwaysUseStrongPrimes` `CommonCriteriaCMTSRestrictions`
Unrestricted	-	Any	Any	-

FIPS 140 Level 2

12.50.11
12.72.1/3/4

None

UseFIPSApprovedInternalMechanisms
AlwaysUseStrongPrimes

FIPS 140 Level 3
(12.50)

fips-140-2-level-3

12.50.11

None

UseFIPSApprovedInternalMechanisms
FIPSLevel3Enforcedv2
AlwaysUseStrongPrimes

FIPS 140 Level 3
(12.70 and later)

fips-140-level-3

12.72.1/3/4

13.2.4
13.4.5

UseFIPSApprovedInternalMechanisms
FIPSLevel3Enforcedv2
AlwaysUseStrongPrimes
StrictSP80056Ar3

Common Criteria

common-criteria-cmts

12.60.15

13.5.1

AuditLogging
UseFIPSApprovedInternalMechanisms
AlwaysUseStrongPrimes
CommonCriteriaCMTSRestrictions

Unrestricted

Any