Erase cards and softcards
Erasing a card or softcard removes all the secret information from the card or softcard and deletes information about the card or softcard from the host.
In the case of an OCS that uses nShield Remote Administration Cards, it is possible to reformat the cards at any time using slotinfo --ignoreauth.
In the case of an OCS that uses standard nShield cards, it is only possible to erase or format the cards within the Security World in which they were created.
You can erase Operator Cards using:
- the unit front panel (only network-attached HSMs)
You can also use these methods to erase Administrator Cards other than those in the current Security World’s ACS (for example, you could use these methods to erase the remaining Administrator Cards from an incomplete set that has been replaced or Administrator Cards from another Security World).
None of these tools erases cards from the current Security World’s ACS.
If you erase an Operator Card that is the only card in an OCS, information about the card set is deleted.
However, if you erase one card from an OCS of multiple cards, you must remove the card information from the /opt/nfast/kmdata/local/ (Linux) or %NFAST_KMDATA%\local (Windows) directory after you have erased the last card.
FIPS 140 Level 3-compliant Security Worlds
When you attempt to erase cards for a Security World that complies with FIPS 140 Level 3, you are prompted to insert an Administrator Card or Operator Card from an existing set. You may need to specify to the application the slot you are going to use to insert the card. You need to insert the card only once in a session. You can therefore use one of the cards that you are about to erase.
Erase card sets using an nShield network-attached HSM front panel
To erase a card set using the front panel, follow this procedure:
- From the main menu select: Security World mgmt > Card operations > Erase card
- Insert the card set that you want to erase. The card is read.
- You are asked to confirm that you want to erase this card from the card set.
- To confirm, press the right-hand navigation button.
- You are asked once again if you want to erase this card.
- To confirm, press the right-hand navigation button.
Erase cards using the command line
To erase a card from the command line, run the command:
createocs -m|--module=<MODULE> -e|--erase
If you have more than one card reader and there is more than one card available, createocs prompts you to confirm which card you wish to erase.
Use [Ctrl][X] to switch between cards.
If you have created a FIPS 140 Level 3 compliant Security World, you must provide authorization in order to erase or create Operator Cards.
You can obtain this authorization from any card in the ACS or from any Operator Card in the current Security World, including cards that are to be erased.
After you insert a card containing this authorization, createocs prompts you to insert the card to be erased.
As an alternative, you can reformat using slotinfo --format.
Erase softcards
Erasing a softcard deletes all information about the softcard from the host.
You can erase softcards with the ppmk command-line utility.
Erasing softcards with ppmk
To erase a softcard with ppmk, open a command window, and give the command:
ppmk --delete <NAME>|<IDENT>
In this command, you can identify the softcard to be erased either by its name (<NAME>) or by its logical token hash as listed by nfkminfo (<IDENT>).
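The following wrapper is an added example, not part of the nShield documentation or tooling: it resolves a softcard name to the logical token hash that ppmk --delete accepts and refuses to guess when more than one listing entry carries that name. It assumes that nfkminfo --softcard-list prints one "<hash> <name>" line per softcard (the listing layout is an assumption; the sample in the test is constructed).

```shell
#!/bin/sh
# Added example (not Entrust's own code). Assumed listing layout: one line per
# softcard, first field the 40-hex-digit logical token hash, second the name.
set -eu

# softcard_ident LISTING NAME -> prints the hash for NAME, or fails:
# exit 1 when no softcard has that name, exit 2 when the name is ambiguous.
softcard_ident() {
    listing=$1; name=$2
    # Only lines whose first field looks like a token hash are candidates;
    # header lines such as "Softcard summary ..." are skipped.
    matches=$(printf '%s\n' "$listing" | awk -v n="$name" \
        'length($1) == 40 && $1 ~ /^[0-9a-f]+$/ && $2 == n { print $1 }')
    count=$(printf '%s' "$matches" | grep -c . || true)
    case "$count" in
        0) echo "no softcard named '$name'" >&2; return 1 ;;
        1) printf '%s\n' "$matches" ;;
        *) echo "name '$name' matches $count softcards; pass the IDENT instead" >&2
           return 2 ;;
    esac
}

# erase_softcard NAME: build the exact ppmk command for the resolved hash.
# The command is only executed when PPMK_RUN=1 is set in the environment, so
# the script can be exercised without an HSM or Security World present.
erase_softcard() {
    ident=$(softcard_ident "$(nfkminfo --softcard-list)" "$1") || return $?
    if [ "${PPMK_RUN:-0}" = 1 ]; then
        ppmk --delete "$ident"      # prompts for ACS/OCS card in a FIPS L3 world
    else
        echo "would run: ppmk --delete $ident"
    fi
}
```

Run it as PPMK_RUN=1 only after checking the "would run" output names the softcard you intend to erase.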
If you are working within a FIPS 140 Level 3 compliant Security World, you must provide authorization to erase softcards; ppmk prompts you to insert a card that contains this authorization.
Insert any card from the ACS or any Operator Card from the current Security World.
If you insert an Administrator Card from another Security World or an Operator Card that you have just created, ppmk displays an error message and prompts you to insert a card with valid authorization.
When ppmk has obtained the authorization from a valid card or if no authorization is required, it completes the process of erasing the softcard.