HSM Management
HSMs
The table below shows the supported actions for each HSM Type (see HSM Types).

| Action | WebUI Location | Full HSM | Tenant HSM | Platform HSM |
|---|---|---|---|---|
| View HSM information | Hardware Management > HSMs > <HSM> | Y | Y | Y |
| Manage HSM slots | Hardware Management > HSMs > <HSM> > Slots | Y | Y | N |
| Change mode | Hardware Management > HSMs > <HSM> > Actions > Change Mode. If you change the mode to "Initialization", the HSM enters "Pre-initialization" mode and stays there until you run Re-Initialize HSM in KeySafe 5 (or the initunit command in Security World software). | Y | Y | N |
| Clear HSM | Hardware Management > HSMs > <HSM> > Actions > Clear HSM | Y | Y | N |
| Initialize HSM | Hardware Management > HSMs > <HSM> > Actions > Re-Initialize HSM. The HSM must be in "Initialization" or "Pre-initialization" mode before you can initialize it. After initializing the HSM, change the mode back to Operational. | Y | Y | N |
| Firmware Upgrade (see HSM Firmware Upgrade) | Hardware Management > Firmware Images | Y | N | Y |
| Set Module Minimum VSN (see Set HSM Minimum VSN) | Hardware Management > HSMs > <HSM> > Actions > Set (Module) Minimum VSN | Y | N | Y |
| Add and manage HSM features (see Feature Certificates) | Hardware Management > HSMs > <HSM> > Features | Y | Y | Y |
| Remove HSM database record (see Remove HSM record) | Hardware Management > HSMs > <HSM> > Actions > Remove record | Y | Y | Y |
HSM Firmware Upgrade
Firmware files for nShield HSM modules have a .npkg filename suffix.
| You can never load firmware with a lower VSN than the target HSM's minimum VSN requirement. For example, if the HSM has a minimum VSN requirement of 3 and the currently installed firmware has a VSN of 4, you can install firmware with a VSN of 3 or above on the HSM. You cannot install firmware with a VSN of 1 or 2 on this HSM. |
To upgrade the firmware version of an HSM that is managed via KeySafe 5:
- Upload the firmware file to KeySafe 5 by navigating to Hardware Management > Firmware Images and selecting Actions > Upload Firmware Image.
- Navigate to the Firmware tab of the HSM.
- On the Firmware tab, identify the version of HSM firmware that you wish to upgrade to. For this firmware version, click either Dry Run (this checks that everything is in place for the upgrade to succeed but does not upgrade the firmware) or Install.
- Carefully check that the presented versions are as expected, then click to confirm and start the firmware upgrade.
- This creates a long-running HSM Operation that you can track to see the progress of the upgrade.
When the firmware upgrade is complete, the HSM Operation state will be Complete.
Set HSM Minimum VSN
The version of firmware that can be installed on an HSM is controlled by the Version Security Number (VSN). New firmware being installed must have a VSN value that is equal to, or greater than, the Minimum VSN value. See the nShield HSM User Guide for further details.
This setting controls the version of HSM firmware that can be loaded onto a Module. For Connect (Platform) Minimum VSN, see Set Connect Platform Minimum VSN.
The new Minimum VSN value must be higher than the current Minimum VSN value. Once the process has begun, the module will be set to maintenance mode, the minimum VSN will be updated and the module mode will be restored to its previous state. The module will be unavailable for a short period of time while the process completes.
Remove HSM record
Removing an HSM record removes the HSM database record from the KeySafe 5 database so that it will no longer appear in KeySafe 5. It does not remove the HSM from the estate.
Feature Certificates
| Action | WebUI Location |
|---|---|
| View feature information | Hardware Management > Feature Certificates > <Feature> |
| Upload and enable feature certificate | Hardware Management > HSMs > <HSM> > Features > Upload New Certificate(s) |
You can order Feature Enabling Certificates from Entrust. They are provided as a text file that you upload to KeySafe 5 from the Feature Certificates page or the Features tab for a specific HSM. The certificates contain the ESN of the HSM for which they were ordered, so you can upload multiple certificates at once and KeySafe 5 assigns them to the appropriate module.
To enable a new feature:
- Navigate to the Features tab of the HSM, or navigate to Hardware Management > Feature Certificates.
- On the Features tab, select Upload New Certificate; on the Feature Certificates page, select Actions > Upload.
- Upload the required certificates, and select Next Step.
- Select Enable, and then Finish and Close Wizard.
If you finish and close the wizard without enabling the certificate, you can enable it later from the Features tab for the relevant HSM.
If a feature does not appear as enabled after uploading the certificate and enabling it, clear the HSM: Hardware Management > HSMs > <HSM> > Actions > Clear HSM.
You can enable and disable existing feature certificates from the feature information page or on the Features tab for a specific HSM.
For more information about the available features and how to order them, see Optional features in the Security World Software documentation.
nShield 5c 10G Platform HSM Management
When you first add an nShield 5c 10G HSM to KeySafe 5, it is added as an HSM resource with HSM Type "Platform", see HSM Types Concept. A Platform HSM is used for managing the HSM hardware through KeySafe 5, not for cryptographic or Security World operations. To perform cryptographic operations with the HSM, you must create a tenancy within it, known as a "tenant" HSM.
| Action | WebUI Location |
|---|---|
| Network Configuration (see Network Configuration) | HSM Management > HSMs > <Platform HSM> > Configuration > Network |
| Time Configuration (see Time Configuration) | HSM Management > HSMs > <Platform HSM> > Configuration > Time |
| System Logs (see System Logs) | HSM Management > HSMs > <Platform HSM> > Information > System Logs |
| Remote Logging Configuration (see Remote Logging Configuration) | HSM Management > HSMs > <Platform HSM> > Configuration > Logging |
| Tenancy Management (see Tenancy Management via the Platform HSM) | HSM Management > HSMs > <Platform HSM> > Tenancies |
| Set Module Minimum VSN (see Set HSM Minimum VSN) | HSM Management > HSMs > <Platform HSM> > Actions > Set Module Minimum VSN |
| Set Platform Minimum VSN (see Set Connect Platform Minimum VSN) | HSM Management > HSMs > <Platform HSM> > Actions > Set Platform Minimum VSN |
| Reboot HSM | HSM Management > HSMs > <Platform HSM> > Actions > Reboot |
| Shutdown HSM | HSM Management > HSMs > <Platform HSM> > Actions > Shutdown |
| Factory State HSM | HSM Management > HSMs > <Platform HSM> > Actions > Factory State. This action restores the HSM to its factory state. The HSM is rebooted as part of this process. |
Network Configuration
Expanding the Network card in the KeySafe 5 WebUI shows the current network state of the HSM.
- To see the IPv4 Routing Table, select Routing Table.
- To see network link information and Small Form-factor Pluggable (SFP) module information for connected SFP modules, select Link Information.
- To configure the HSM network, select Edit.
See the nShield Hardware Install and Setup Guides for further details on the possible network configurations.
Time Configuration
Expanding the Time card in KeySafe 5 WebUI will show the current time configuration for the HSM.
Setting the time configures the time on both the HSM platform and the HSM module. To set the time, select Edit on the Time card. The current time configuration is displayed. You may either configure the time manually by specifying an exact date/time to use, or enable NTP (Network Time Protocol) and configure NTP to synchronize the HSM time with an NTP server.
| Once you have manually set the time on the HSM at least once, you are then unable to set the date and time to a time earlier than the HSM has previously been set to. |
System Logs
In the KeySafe 5 WebUI, the Information tab of a Platform HSM resource shows the last 100 lines of platform logs. These include the logs of services running on the HSM platform and of the Platform KeySafe 5 Agent running on the platform. If there is a running HSM Tenancy, they also include the hardserver and Tenant KeySafe 5 Agent logs.
To download the last 100,000 lines of platform logs, click the Download Logs button. This downloads a zip file containing:
- system.log: the platform system logs.
- tamper.log: the nShield Connect's Tamper Log. It is stored within the nShield Connect, protected by the nShield Connect's tamper mechanisms, and cannot be erased. See the nShield Security Manual.
Remote Logging Configuration
Expanding the Logging card in KeySafe 5 WebUI will show the current logging configuration for the HSM.
To configure remote logging, select Edit on the Logging card. The current logging configuration is displayed. You may enable logging, and configure the IP address and port of the remote syslog server to which platform logs are sent.
| When configuring the HSM to send logs to a remote syslog server via an IPv6 address, the IPv6 address must be enclosed in square brackets. For example: [1234:2345:3456:4567:5678:6789:789a:89ab]:514 |
Tenancy Management via the Platform HSM
A tenant HSM shares an ESN with the platform HSM to which it belongs, because they both use the same hardware. Creating a tenancy, or a tenant HSM, portions off some of the HSM into a container that has a UUID, known as a "VCM". This means that even though it uses the same hardware, and is a part of the same HSM as the platform, operationally it acts as a separate HSM.
To add a tenant HSM:
- In KeySafe 5, select Hardware Management > HSMs, and then select the platform HSM you want to add a tenant to. Platform HSMs show only a 12-character ESN in the Identifier column, for example AB12-CD34-EF56. Tenant HSMs display the same ESN as their platform HSM together with their UUID.
- In the Tenancies tab, select Download CSR. The button is at the bottom of the page.
- Sign `certificate.csr` with your PKI infrastructure. See the KeySafe 5 Installation and Upgrade Guide for more details.
- In the Tenancies tab, select Configure. The button is at the bottom of the page.
- Update the Central Platform Address to use the IP address of the KeySafe 5 server.
- If required, provide a Name and toggle Auto Start on. Auto Start starts the tenancy automatically when the HSM is rebooted. You can manually start the tenancy after configuring it.
- Upload the `tls.crt` file as the KeySafe 5 Agent Certificate. This file might have a different name depending on your signing process.
- Upload the `ca.crt` file as the CA certificate.
- Select Confirm.
- When the wizard closes, select Start at the bottom of the page.
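The signing step in the procedure above is left to "your PKI infrastructure". The script below is an added example, not KeySafe 5 or Entrust tooling, of doing it with OpenSSL: `make_ca` builds a throwaway CA purely so the script runs stand-alone (in production you would use your existing PKI), `make_csr` is a constructed stand-in for the `certificate.csr` you download from the Tenancies tab, and `sign_csr` issues the `tls.crt` that, together with `ca.crt`, you upload in the Configure wizard. The CA name, the subject, the validity periods and the extensions in `agent.ext` are assumptions; the KeySafe 5 Installation and Upgrade Guide is authoritative on what the agent certificate must contain.

```shell
# Added example (not KeySafe 5 / Entrust code): sign the tenant KeySafe 5
# Agent CSR with an OpenSSL-based private CA.  Assumes openssl is on PATH.
# Names, subject, validity and extensions are assumptions for illustration.

# make_ca DIR: constructed throwaway CA -> DIR/ca.key, DIR/ca.crt.
# Replace with your real PKI; never keep a CA key next to a service.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example KeySafe 5 Agent CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_csr DIR: constructed stand-in for the downloaded certificate.csr.
# The real CSR is produced by the HSM; you never hold its private key, so
# agent.key exists here only because the stand-in had to be generated locally.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=AB12-CD34-EF56-tenant-agent" \
        -keyout "$1/agent.key" -out "$1/certificate.csr" 2>/dev/null
}

# csr_subject DIR: print the CSR subject so you can confirm it names the
# expected HSM before anything is signed with the CA key.
csr_subject() {
    openssl req -in "$1/certificate.csr" -noout -subject
}

# sign_csr DIR: issue DIR/tls.crt from DIR/certificate.csr.  `x509 -req`
# does not copy extension requests out of the CSR; every extension comes
# from agent.ext, so a tampered CSR cannot ask for CA:TRUE or extra usages.
sign_csr() {
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth,clientAuth' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid,issuer' \
        > "$1/agent.ext"
    openssl x509 -req -in "$1/certificate.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/agent.ext" -out "$1/tls.crt" 2>/dev/null
}

# verify_chain DIR: exit 0 only if tls.crt validates against ca.crt, i.e.
# the two files you are about to upload actually belong together.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/tls.crt" >/dev/null 2>&1
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_ca "$work" && make_csr "$work" && csr_subject "$work" \
    && sign_csr "$work" && verify_chain "$work" \
    && echo "upload $work/tls.crt as the KeySafe 5 Agent Certificate and $work/ca.crt as the CA certificate"
```

Run `verify_chain` against the exact pair of files you intend to upload; a `tls.crt` issued by a different CA than the `ca.crt` you supply is the usual cause of a tenancy that will not start after Configure.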
Set Connect Platform Minimum VSN
The version of Connect firmware that can be installed on an HSM is controlled by the Version Security Number (VSN). New firmware being installed must have a VSN value that is equal to, or greater than, the Minimum VSN value. See the nShield HSM User Guide for further details.
This setting controls the version of Connect image firmware that can be loaded. For Module (HSM) Minimum VSN, see Set Module Minimum VSN.
The new Minimum VSN value must be higher than the current Minimum VSN value. Once the process has begun, any running tenant will be stopped, the minimum VSN will be updated and the tenant will be restored to its previous state. The module will be unavailable for a short period of time while the process completes.
nShield 5c 10G Tenant HSM Management
Once a Tenant HSM has been configured to communicate with a KeySafe 5 instance, and started, a Tenant HSM resource will appear in KeySafe 5.
This HSM can be configured and used in the same way as earlier models of nShield Connect.
| Action | WebUI Location |
|---|---|
| Dynamic Slots Configuration | HSM Management > HSMs > <Tenant HSM> > Configuration > Dynamic Slots |
| Slot Mapping Configuration | HSM Management > HSMs > <Tenant HSM> > Configuration > Slot Mapping |
| Audit Database Configuration | HSM Management > HSMs > <Tenant HSM> > Configuration > Audit Database Settings |
| Hardserver Logs Configuration | HSM Management > HSMs > <Tenant HSM> > Configuration > Hardserver Logs Settings |
| Connect Hardserver Configuration | HSM Management > HSMs > <Tenant HSM> > Configuration > Connect Hardserver Settings |
| Connect Client Configuration | HSM Management > HSMs > <Tenant HSM> > Clients |