Warrant Management
Warrant management for nShield Solo XC
To allow an nShield Remote Administration Card to be used with an nShield Solo XC HSM, you need to ensure that the nShield Solo XC HSM has a KLF2 warrant installed in the appropriate place.
Check current warrant status
To check if a warrant is installed, use the following command:
$ nfwarrant --check
The following is an example output:
1 XXXX-XXXX-E0D2 Local, Warrant installed
2 XXXX-XXXX-CF11 Local, Warrant upgrade request possible
3 XXXX-XXXX-F1F2 Local, Warrant upgrade not supported
4 XXXX-XXXX-213B Remote, Warrant upgrade not required
In this example:
- (1) already has a relevant warrant installed.
- (2) is available for a warrant upgrade.
- (3) cannot be upgraded. For example, the appropriate firmware is not installed.
- (4) no warrant upgrade is required. The module is an nShield Connect.
If a warrant upgrade is needed, contact Entrust Support, supplying the ESN of the module that requires a warrant upgrade.
You need an appropriate support contract to obtain a KLF2 warrant from Entrust.
Validate the warrant you receive from Entrust
Validate the warrant that you receive from Entrust to ensure that it matches the ESN of your module.
- Run the following command:
$ nfwarrant --warrant --details <file>
The following is an example output:
Warrant details:
Filename: XXXX-XXXX-CF11
ESN: XXXX-XXXX-CF11
Keytype: ECDSAPublic
Curve: NISTP521
Install a warrant for nShield Solo XC
To install the warrant, run the following command:
$ nfwarrant --warrant --install <file>
<file> is the signed warrant provided by Entrust.
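The check and validate steps above can be combined into a gate that runs before the install step. The following is an added example, not part of the Entrust documentation or the nfwarrant tool: it works on captured output text, assumes the line layouts of the example outputs above, and its function names, verdict strings and return codes are hypothetical.

```sh
#!/bin/sh
# Added example: gate a received warrant before `nfwarrant --warrant --install`.
# Works on captured output text; layouts follow the example outputs on this page.

# Constructed sample of `nfwarrant --check` output.
SAMPLE_CHECK='1 XXXX-XXXX-E0D2 Local, Warrant installed
2 XXXX-XXXX-CF11 Local, Warrant upgrade request possible
3 XXXX-XXXX-F1F2 Local, Warrant upgrade not supported
4 XXXX-XXXX-213B Remote, Warrant upgrade not required'

# Constructed sample of `nfwarrant --warrant --details <file>` output.
SAMPLE_DETAILS='Warrant details:
Filename: XXXX-XXXX-CF11
ESN: XXXX-XXXX-CF11
Keytype: ECDSAPublic
Curve: NISTP521'

# Print the value following the "ESN:" label, wherever it sits on a line.
warrant_esn() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "ESN:") { print $(i + 1); exit } }'
}

# Print the state text for one ESN, e.g. "Local, Warrant installed".
module_state() {
    printf '%s\n' "$1" | awk -v esn="$2" '$2 == esn {
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, ""); print; exit }'
}

# warrant_gate CHECK_TEXT DETAILS_TEXT
# Prints a verdict. Returns 0 for install, 2 for skip, 1 for reject.
warrant_gate() {
    esn=$(warrant_esn "$2")
    [ -n "$esn" ] || { echo "reject: no ESN in warrant details"; return 1; }
    state=$(module_state "$1" "$esn")
    case "$state" in
        *"upgrade request possible"*) echo "install: $esn"; return 0 ;;
        *"Warrant installed"*) echo "skip: $esn already has a warrant"; return 2 ;;
        "") echo "reject: $esn matches no module in the check output"; return 1 ;;
        *) echo "reject: $esn state is '$state'"; return 1 ;;
    esac
}

warrant_gate "$SAMPLE_CHECK" "$SAMPLE_DETAILS"
```

On a host, pass the real outputs as the two arguments, for example `warrant_gate "$(nfwarrant --check)" "$(nfwarrant --warrant --details <file>)"`, and run the install step only when the function returns 0.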
nfwarrant command-line utility
The nfwarrant command-line utility enables you to carry out all of the relevant warrant steps.
It is used to:
- Identify modules that have the appropriate firmware and KLF2 key
- Identify modules that need their KLF2 key to be warranted by Entrust
- Install an upgraded warrant
- List KLF2 warrants
Usage:
nfwarrant [--help] [--list] [--check] [--warrant] [--details=FILE] [--install=FILE] [--verbose] [--version]
Options:
Option | Description |
---|---|
--help | Displays the options you can use with the utility. |
--list | List ESNs of installed warrants |
--check | List ESNs of known modules and their warrant state |
--warrant | Perform warrant operations |
--details=FILE | Display the module ESN found in the warrant <file> |
--install=FILE | Install the warrant from <file> |
--verbose | Print extra information about warrant files |
--version | Print the version number of the nfwarrant tool |
Warrant management for nShield Connect XC
You do not need to manage the warrants for nShield Connect HSMs.
When you start or reboot the HSM, the warrant is copied to the appropriate location on the host or RFS:
- Linux: /opt/nfast/kmdata/hsm-<ESN>/warrants
- Windows: C:\ProgramData\nCipher\Key Management Data\hsm-<ESN>\warrants
Where <ESN> is the ESN of the relevant module.
When you configure the RFS for an nShield Connect, rfs-setup creates the required directory structure.
If you cannot find a warrant at this location, re-run rfs-setup to ensure that the RFS is configured correctly, and then reboot the HSM.
Warrant management for nShield 5s and nShield 5c
You do not need to manage the warrants for nShield 5s. Entrust supplies these HSMs with the required warrants pre-installed and stored within the module. The Security World software fetches warrants from the module when they are needed.
This includes a KLF2 and a KLF3 warrant. The KLF3 warrant is currently unused and is installed in preparation for multi-tenant systems.
To view the warrants installed on a module, run retrievewarrants.
This stores a copy of the warrants in the host file system.