Operator Card Sets (OCS)

To delete a card set, see Erase cards and softcards

Create Operator Card Sets (OCSs)

You can use an Operator Card Set (OCS) to control access to application keys. OCSs are optional, but if you require one, create it before you start to use the hardware security module with applications. You must create an OCS before you create the keys that it is to protect.

You can create OCSs that have:

  • Names for individual cards, as well as a name for the whole card set

  • Specific K/N policies

  • Optional passphrases for any card within a given set

  • Formal FIPS 140 Level 3 compliance.

Some third-party applications impose restrictions on the OCS smart card quorums (K/N) or the use of smart card passphrases. For more information, see the appropriate integration guide for the application. Integration guides for third-party applications are available from https://nshieldsupport.entrust.com/.

OCSs belong to the Security World in which they are created. When you create an OCS, the smart cards in that set can only be read by hardware security modules belonging to the same Security World.

You can use the following tools to create an OCS:

Persistent Operator Card Sets

If you create a standard (non-persistent) OCS, the keys it protects can only be used while the last required card of the quorum remains loaded in the local slot of the HSM, or one of its Dynamic Slots. The keys protected by this card are removed from the memory of the device as soon as the card is removed from the smart card reader. If you want to be able to use the keys after you have removed the last card, you must make that OCS persistent.

Keys protected by a persistent card set can be used for as long as the application that loaded the OCS remains connected to the hardware security module (unless that application removes the keys).

For more information about persistent OCSs, see Using persistent Operator Card Sets.

Network-attached HSMs

An OCS to be used to authorize login on a unit must be persistent and not loadable remotely. It is recommended that such an OCS is not used to protect sensitive keys.

Time-outs

OCSs can be created with a time-out, so that they can only be used for limited time after the OCS is loaded. An OCS is loaded by most applications at start up or when the user supplies the final required passphrase. After an OCS has timed out, it is not loadable by another application unless it is removed and reinserted. Time-outs operate independently of OCS persistence.

FIPS 140 Level 3-compliant Security Worlds

When you attempt to create an OCS for a Security World that complies with FIPS 140 Level 3, you are prompted to insert an Administrator Card or Operator Card from an existing set. You may need to specify to the application the slot you are going to use to insert the card. You need to insert the card only once in a session.

Create an Operator Card Set using an nShield network-attached HSM front panel

To create an OCS, follow these steps:

  1. From the main menu, select Security World mgmt > Cardset operations > Create OCS.

    You are prompted to enter the name of the OCS.

  2. Enter a name and press right-hand navigation button.

  3. Enter the quorum for the OCS, using the touch wheel to move from one field to the other. The quorum consists of:

    • The maximum number of cards from the OCS required by default for an operation. This number must be less than or equal to the total number of cards in the set.

    • The total number of cards to be used in the OCS. This must be a value in the range 1 – 64.

  4. Press the right-hand navigation button to move to the next screen.

  5. If you wish to specify a time out for the card set, enter the time out in seconds.

  6. Choose whether to create a persistent card set. You can select:

    • Not persistent (which is the default)

    • Persistent

    • Remoteable/Persistent

  7. Choose whether to name individual cards and enable passphrase replacement by answering Yes or No to each question and then pressing the right-hand navigation button.

  8. Insert a smart card to be formatted for the OCS.

    If the card is not blank, choose whether to overwrite it or to use a different card. (If the card is an Operator Card from another Security World, you cannot overwrite it and are prompted to enter a different card.)

  9. If you have chosen to name individual cards, you are prompted to enter the name for the card.

  10. You are asked whether you wish to specify a passphrase for the card. If you choose Yes, you are prompted to enter the passphrase twice.

    While the Operator Card is being created, the screen displays the message Processing.

    If there are further cards from this OCS to be processed, the screen changes to Waiting. Remove the card, and repeat steps 8 through 10 for each of the remaining cards.

When all the cards in the set have been processed, you are told that the card set has been created successfully.

Creating an Operator Card Set using the command line

To create an OCS from the command line:

  1. Run createocs.

  2. Insert the smart card to use.

    If you insert an Administrator Card from another Security World or an Operator Card that you have just created, createocs displays the following message:

    Module x slot n: unknown card +
Module x slot n: Overwrite card ? (press Return)

    where x is the hardware security module number and n is the slot number. If you insert an Operator Card from another Security World, createocs displays the following message:

    Module x slot n: inappropriate Operator Card (TokenAuthFailed).

    When you insert a valid card, createocs prompts you to type a passphrase.

    The nShield PKCS #11 library requires Operator Cards with passphrases.
    Some applications do not have mechanisms for entering passphrases. Do not give passphrases to Operator Cards that are to be used with these applications.

  3. Type a passphrase and press Enter. Alternatively, press Enter if you do not want this card to have a passphrase.

    A passphrase can be of any length and can contain any character that you can type.

    If you entered a passphrase, createocs prompts you to confirm it.

  4. Type the passphrase again and press Enter.

    If the passphrases do not match, createocs prompts you to input and confirm the passphrase again.

  5. When the new card has been created, if you are creating a card set with more than one card in it, createocs prompts you to insert another card.

  6. For each additional card in the OCS, follow the instructions from step 2 through 4.

Create an Operator Card Set with the CSP or CNG wizard (Windows)

You can use the nShield CSP or CNG wizard to create a K/N OCS that is suitable for use with the nShield Cryptographic Service Provider (CSP) or Cryptography API: Next Generation (CNG), as appropriate. You can only create an OCS using the CSP or CNG wizard if you already have a Security World and have an ACS available for that Security World.

To create an OCS using the CSP or CNG wizard, follow these steps:

  1. Ensure that you have created the Security World and that at least one HSM is in the operational state.

  2. Run the wizard by double-clicking its shortcut in the Start menu: Start > Entrust nShield Security World.

  3. The wizard displays the welcome screen.

  4. Click the Next button. The wizard allows you to configure HSM Pool mode for CAPI/CNG.

    Do not enable HSM Pool mode when creating an Operator Card Set because HSM Pool mode only supports module-protected keys.

  5. Click the Next button.

    The wizard determines what actions to take based on the state of the Security World and of the HSMs that are attached to your computer:

    • If the wizard cannot find the Security World, it prompts you to create a new Security World or to install cryptographic acceleration only.

      In such a case, you should:

      • Cancel the operation

      • Check that the environment variable NFAST_KMDATA is set correctly

      • Copy the local sub-directory from the Key Management Data directory of another computer in the same Security World or from a backup tape of this computer to the Key Management Data directory of this computer.

      • run the wizard again.

    • If there is an existing Security World, the wizard gives you the option of using the existing Security World, creating a new Security World or installing cryptographic acceleration only.

      • In order to use the existing Security World, ensure that the Use the existing security world option is selected, and click the Next button.

      • If there are any HSMs in the pre-initialization state, the wizard adds them to the Security World; see Adding or restoring an HSM to the Security World.

  6. When at least one hardware security module is in the operational state, the wizard prompts you to select a method to protect private keys generated by the CSPs.

  7. Ensure that the Operator Card Set option is enabled. If you are running the CNG wizard (not the CSP wizard) click the Next button. Then select the Create a new Operator Card Set option.

    If you want the OCS to be persistent, select the Persistent option. Persistence is described in Persistent Operator Card Sets.

  8. Click the Next button, and if you have a FIPS world, the wizard prompts you to insert a card created with the current Security World.

    This shows that your Security World is compliant with the roles and services of the FIPS 140 Level 3 standard. It is included for those customers who have a regulatory requirement for compliance.

    Under the constraints of level 3 of the FIPS 140 standard, Operator Cards cannot be created without authorization. To obtain authorization, insert any card from the ACS or any Operator Card belonging to the current Security World.

    The wizard does not enable the next world, the wizard warns you and prompts you for another card.

  9. Click the Next button.

    The wizard prompts you for a smart card to use as the first card in the OCS.

  10. Insert a blank smart card to be used as the Operator Card, and click the Next button.

    Do not use a card from the ACS or an existing Operator Card.
    If you insert a card that is not blank, the wizard asks you if you want to erase it.

  11. When you have inserted an appropriate card, the wizard prompts you for the name of the card and, if required, a passphrase.

    If you want to protect this card with a passphrase, turn on the Card will require a passphrase option, and enter the passphrase. You must enter the passphrase in both fields to ensure that you have typed it correctly.

    Operator Cards with passphrases are required by the nShield PKCS #11 library.

  12. If you have not yet written all the smart cards in the OCS, the wizard prompts you for another card. Repeat the appropriate preceding steps of the OCS creation process for all smart cards in the set.

  13. When the wizard has finished creating the OCS, it displays a screen telling you this. If you want to create another OCS, click the Back button on this screen.

    When you have created all the OCSs that you require, click the Next button to install the CAPI CSP or register the CNG CSP. For more information, see Microsoft CryptoAPI Guide for nShield Security World v13.7.3 or Microsoft CNG Guide for nShield Security World v13.7.3.

[