Security World Management

Security Worlds

All nShield HSMs integrate using the nShield Security World architecture.

A Security World contains HSMs, HSM pools, and host machines. It references all certificates, licenses, Card Sets, Softcards and operations associated with the Security World.

Before creating a Security World, you must have created an HSM pool for the Security World to be loaded onto, and there must be at least one HSM in that pool.

If a Security World action, for example creation, requires authentication, an outstanding operation is created.

Action WebUI Location

View Security World information

Security Worlds > Security Worlds > <Security World>

Create Security World

Security Worlds > Security Worlds > Actions > Create New World

Edit Security World name

Security Worlds > Security Worlds > <Security World> > Actions > Edit Name

Download Security World settings

Security Worlds > Security Worlds > <Security World> > Download

Delete Security World

Security Worlds > Security Worlds > <Security World> > Delete

Ensure the Security World is not in use before doing this.

Use downloaded files to configure Security Worlds not managed by KeySafe 5

Ensure the Security World is not in use before doing this.

You can use the downloaded files to configure Security Worlds outside of KeySafe 5 by copying them into the kmdata directory on host machines that are not managed by KeySafe 5.
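Staging the downloaded files on a host that KeySafe 5 does not manage, as an added example that is not part of the KeySafe 5 documentation: it copies an already-unpacked download into the host's kmdata directory and refuses to replace any existing file whose content differs. The helper name `stage_kmdata` and both directory arguments are assumptions; pass the kmdata location used by your installation.

```shell
#!/bin/sh
# Added example: stage_kmdata is a hypothetical helper, not an nShield tool.
# Usage: stage_kmdata <unpacked-download-dir> <kmdata-dir>
# Returns 0 when every file is installed or already identical,
#         1 on bad arguments or a failed copy,
#         2 when an existing file differs (nothing is copied in that case).
stage_kmdata() {
    src=$1
    dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || {
        echo "usage: stage_kmdata SRC_DIR KMDATA_DIR" >&2
        return 1
    }

    # Pass 1: look for conflicts before touching the destination, so the
    # host is never left with a mix of old and new Security World files.
    for f in "$src"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue   # regular files only
        name=$(basename "$f")
        if [ -e "$dst/$name" ] && ! cmp -s "$f" "$dst/$name"; then
            echo "conflict: $dst/$name exists with different content" >&2
            return 2
        fi
    done

    # Pass 2: copy to a temporary name and rename into place, so software
    # reading kmdata never sees a partially written file. Ownership and
    # mode follow the invoking user and umask; adjust to site policy.
    for f in "$src"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=$(basename "$f")
        [ -e "$dst/$name" ] && continue            # identical copy already present
        tmp="$dst/.stage.$$"
        cp "$f" "$tmp" && mv "$tmp" "$dst/$name" || {
            rm -f "$tmp"
            return 1
        }
        # Print a digest to compare against the copy held on the source host.
        echo "installed $name sha256=$(sha256sum "$dst/$name" | cut -d' ' -f1)"
    done
    return 0
}
```

After staging, running the nShield `nfkminfo` utility on the host reports whether the Security World is visible and usable there.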

Cards and card sets

Action Instructions

Replace Administrator Card Set (ACS)

Security Worlds (toolbar) > Security Worlds > [Security World name] > Basic (tab) > Settings > Replace Admin Card Set

You need access to the required number of cards to give permission for the operation and you must have enough blank cards to be used in the new card set. These cards can be new or deleted cards.

Create Operator Card Set (OCS)

Security Worlds > Security Worlds > <Security World> > Cards > Create

Authorize any outstanding operations that were raised; see Outstanding operations.

Download OCS

Security Worlds (toolbar) > Security Worlds > [Security World name] > Cards (tab) > [Card Set name] > Settings > Download Card Set

The card set file downloads as a .zip file, which contains a separate file for each card.

Change card set passphrase

Security Worlds (toolbar) > Security Worlds > [Security World name] > Cards (tab) > [Card Set name] > Settings > Change Passphrase

Authorize any outstanding operations that were raised; see Outstanding operations.

Delete card set

Security Worlds > Security Worlds > <Security World> > Cards > [Card Set name] > Settings > Delete Card Set

You can only delete card sets that are not in use. Deleting a card set using KeySafe 5 deletes all child resources from the KeySafe 5 database. For example, if you are using nShield Web Services, key groups and keys are deleted.

This operation does not format the cards.

Deleting a card set is irreversible.

Create softcard

Security Worlds > Security Worlds > <Security World> > Softcard > Create

Authorize any outstanding operations that were raised; see Outstanding operations.

Download softcard

Security Worlds > Security Worlds > <Security World> > Softcard > [Softcard name] > Settings > Download Softcard

The Softcard file downloads as a .zip file.

Change softcard passphrase

Security Worlds > Security Worlds > <Security World> > Softcard > [Softcard name] > Settings > Change Passphrase

Delete softcard

Security Worlds > Security Worlds > <Security World> > Softcard > [Softcard name] > Settings > Delete Softcard

Deleting a softcard in KeySafe 5 deletes all child resources from the KeySafe 5 database. For example, if you are using nShield Web Services, key groups and keys are deleted.

Deleting a softcard is irreversible.

Outstanding operations

When a requested task requires authentication, an operation is created. For example, if a card insertion is required for the task, an authentication operation is created. Any operations that have yet to be completed are collectively referred to as outstanding operations.

View outstanding operations

Action Instructions

View outstanding operations for a specific Security World

Security Worlds > Security Worlds > <Security World Name> > Operations

View Security Worlds with outstanding operations

Security Worlds > Outstanding Operations

Select a Security World to display the outstanding operations.

Approve outstanding operations

You need the relevant physical ACS/OCS cards or virtual softcards and the passphrase to approve outstanding operations. If multiple card authorizations are required, repeat the procedure for each card.

To approve an outstanding operation:

  1. Navigate to the outstanding operation (see View outstanding operations).

  2. Select Authorize to launch the approval wizard.

  3. Follow the instructions as directed.

Reject outstanding operations

To reject an outstanding operation:

  1. Navigate to the outstanding operation (see View outstanding operations).

  2. Select Reject.