Replace the ACS
Replacing the ACS requires a quorum of cards from the current ACS (K/N) to perform the following sequence of tasks:
- loading the secret information that is to be used to protect the archived copy of the Security World key.
- creating a new secret that is to be shared between a new set of cards.
- creating a new archive that is to be protected by this secret.
If you discover that one of the cards in the current ACS has been damaged or lost, or you want to migrate from standard nShield cards to nShield Remote Administration Cards, you should use one of the following to create a new set:
- The racs utility. When using the racs utility, you cannot redefine the quantities in a K of N relationship for an ACS. The K of N relationship defined in the original ACS persists in the new ACS.
- The front panel of an nShield network-attached HSM.
If further cards are damaged, you may not be able to re-create your Security World.
You cannot mix nShield cards with nShield Remote Administration Cards in the same set.
Replacing the ACS modifies the world file. In order to use the new ACS on other machines in the Security World, you must copy the updated world file to all the machines in the Security World after replacing the ACS. Failure to do so could result in loss of administrative access to the Security World.
We recommend that you erase your old Administrator Cards as soon as you have created the new ACS. An attacker with the old ACS and a copy of the old host data could still re-create all your keys. With a copy of a current backup, they could even access keys that were created after you replaced the ACS.
Before you start to replace an ACS, you must ensure that you have enough blank cards to create a complete new ACS. If you start the procedure without enough cards, you will have to cancel the procedure part way through.
Replace an ACS using an nShield network-attached HSM front panel
To replace an ACS:
- From the main menu, select Security World mgmt > Admin operations > Replace ACS.
- Insert one of the remaining cards from the card set that you want to replace and press the right-hand navigation button. Continue to insert cards until you have inserted the number of cards required to authorize the process.
- When prompted, insert a card for the replacement card set and press the right-hand navigation button.
- If required, specify a passphrase for the card.
- Insert cards until the card set is complete. A message confirms that the card set has been created.
- At this point the modified world file has been pushed to the RFS, so make a backup of the modified world file on the RFS, preferably in a way that distinguishes it from previous backups.
- Copy the world file to any other HSMs in the same Security World, either using the Security World mgmt > RFS operations > Update World files option on the HSM concerned or using the nethsmadmin utility, see Using nethsmadmin to copy a Security World to an nShield HSM and check the current version.
- If client cooperation is not enabled, copy the modified world file onto any client machines where it is needed.
- Check that the new Administrator Cards are usable and that their passphrases have been set as intended, see Passphrases.
- Erase the Administrator Cards from the old card set. For more information, see Erase cards and softcards.
Replace an ACS using racs
When using the racs utility, you cannot redefine the quantities in a K of N relationship for an ACS.
The K of N relationship defined in the original ACS persists in the new ACS.
- Ensure the HSM is in operational mode.
- Run the racs utility:
    racs [-m|--module=<MODULE>]
  In this command:
  - <MODULE>: the ModuleID of the module to use.
- When prompted, insert the appropriate quorum of Administrator Cards to authorize the replacement.
- When prompted that racs is writing the new ACS, insert blank cards as necessary on which to write the replacement Administrator Cards.
- Additional steps for network-attached HSMs:
  - If you ran racs on a client machine, ensure that there is a copy of the modified world file on the RFS.
  - Make a backup of the world file, preferably in a way that distinguishes it from previous backups.
  - Copy the world file to any other HSMs in the same Security World, for example using the nethsmadmin utility, see Using nethsmadmin to copy a Security World to an nShield HSM and check the current version.
  - If client cooperation is not enabled, copy the modified world file onto any other client machines where it is needed.
  - Check that the new Administrator Cards are usable and that their passphrases have been set as intended, see Passphrases.
- When you have finished replacing the ACS, erase the old Administrator Cards. For more information, see Erase cards and softcards.
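The world-file steps in both procedures above (make a backup that is distinguishable from previous ones, then get the same updated world file onto every machine) can be checked with a short script. This is an added example, not part of the nShield tools or of the original page: the script name, the function names and every path passed to it are assumptions supplied by the operator, and it only compares copies that are reachable as local paths.

```shell
#!/bin/sh
# Added example, not an nShield utility. All paths are caller-supplied.
# Usage (hypothetical name): sh world_check.sh <world-file> <backup-dir> [copy ...]

# Print the SHA-256 hex digest of a file.
world_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# backup_world <world-file> <backup-dir>
# Copy to <backup-dir>/world.<UTC time>.<digest prefix> so this backup is
# distinguishable from earlier ones; print the backup path.
backup_world() {
    src=$1; dir=$2
    [ -f "$src" ] || { echo "no world file at $src" >&2; return 1; }
    digest=$(world_digest "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$dir/world.$stamp.$(printf '%s' "$digest" | cut -c1-12)"
    mkdir -p "$dir" && cp -p "$src" "$dest" || return 1
    # Re-hash the copy so a short or failed write is caught immediately.
    [ "$(world_digest "$dest")" = "$digest" ] || { echo "backup mismatch" >&2; return 1; }
    printf '%s\n' "$dest"
}

# stale_copies <updated-world-file> [copy ...]
# Print every copy that is missing or differs from the updated world file.
# Returns 0 if all match, 1 if any are stale, 2 if the reference is missing.
stale_copies() {
    [ -f "$1" ] || return 2
    ref=$(world_digest "$1"); shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ] || [ "$(world_digest "$f")" != "$ref" ]; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    w=$1; d=$2; shift 2
    backup_world "$w" "$d" && stale_copies "$w" "$@"
fi
```

Any path the script prints after the backup line still holds a world file from before the ACS replacement, or none at all, and needs the updated file before the old cards are erased.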