Replace OCS and softcards
Replace Operator Card Sets
Replacing an OCS requires authorization from the ACS of the Security World to which it belongs. You cannot replace an OCS unless you have the required number of cards from the appropriate ACS.
If you have lost a card from a card set, or you want to migrate from standard nShield cards to nShield Remote Administration Cards, use one of the following:
- The rocs utility
- The front panel of the nShield HSM
You cannot mix standard nShield cards with nShield Remote Administration Cards in the same set.
We recommend that after you have replaced an OCS, you erase the remaining cards in the old card set and remove the old card set from the Security World. For more information, see Erase cards and softcards.
Deleting the information about an OCS from the client or host does not remove the data for keys protected by that card set.
To prevent you from losing access to your keys if the smart card you are using as the Operator Card is lost or damaged, the rocs command-line utility provides an interactive method and a command-line-only method that can recover the keys protected by the lost Operator Card to another OCS or token.
Replacing one OCS with another OCS also transfers the keys protected by the first OCS to the protection of the new OCS.
When you replace an OCS or softcard and recover its keys to a different OCS or softcard, the key material is not changed by the process. The process deletes the original Security World or host data (that is, the encrypted version of the key or keys and the smart card or softcard data file) and replaces this data with host data protected by the new OCS or softcard.
To replace an OCS or softcard, you must:
- Have enabled OCS and softcard replacement when you created the Security World.
  If you did not enable OCS and softcard replacement, or if you created the Security World with an early version of the pkcs-init command-line utility that did not support OCS and softcard replacement, you cannot recover keys from lost or damaged smart cards or softcards.
- Have created the original OCS using one of:
  - the front panel of a network-attached HSM
  - createocs-simple
  - the nShield PKCS #11 library version 1.6 or later
  If you initialized the token using ckinittoken from the nShield PKCS #11 library version 1.5 or earlier, you must contact Support to arrange for them to convert the token to the new format while you still possess a valid card.
- Have a sufficient number of cards from the ACS to authorize recovery and replacement.
  All recovery and replacement operations require authorization from the ACS. If any of the smart cards in the ACS are lost or damaged, immediately replace the entire ACS.
- Have initialized a second OCS using one of:
  - the front panel of a network-attached HSM
  - createocs-simple
  - the nShield PKCS #11 library version 1.6 or later
  The new OCS need not have the same K/N policy as the old set.
If you are sharing the Security World across several client computers (for network-attached HSMs) or host computers (for PCIe HSMs), you must ensure that the changes to the host data are propagated to all your computers. One way to achieve this is to use client cooperation. For more information, see Client cooperation.
Replace OCS from a network-attached HSM front panel
To replace an OCS from the unit front panel, follow these steps:
- From the main menu, select Security World mgmt > Admin operations > Recover keys.
- Select all to recover all keys in the Security World, or select the application for which you want to recover the keys.
- If you selected an application, select the keys that you want to recover.
- Insert the required number of Administrator Cards to recover keys, and enter their passphrases if required.
- Insert the required number of Operator Cards, and enter their passphrases if required.
  When you have inserted the required number of cards, details of the recovered key are displayed.
- Check that the key details are correct, then scroll down and select Recover key.
  You can also select More info to see more information about the keys.
  A message is displayed when the keys are recovered.
Replace OCS or softcards with rocs
You can use the rocs
command-line utility interactively, or you can supply all the parameters using the command line.
Using rocs interactively
Refer to rocs for more details about each of the available commands.
To replace an OCS or recover keys to a softcard:
To exit without completing the replacement or recovery process, press Q and then Enter. The rocs utility returns you to the rocs> prompt without processing any keys.
- Launch the rocs interactive mode prompt:
  rocs
- Enter the following commands, in order:
  - module <number>
    The number of the HSM you want to use.
  - list cardsets
    Note the number (No.) of the OCS or softcard to which you want to transfer the keys (the target).
  - target <cardset-spec>
    <cardset-spec> is the number of the target OCS or softcard you obtained in the previous step. Keys protected by an OCS can only be recovered to another OCS, and not to a softcard. Likewise, softcard-protected keys can only be recovered to another softcard, and not to an OCS.
  - list keys
    Note the number (No.) of the keys you want to recover.
  - mark <key-spec> [<key-spec> [...]]
    <key-spec> is the number (No.) of the key you want to recover. To recover multiple keys, leave a space between each <key-spec>. Only mark keys that are protected by a different OCS or softcard from the one you selected as the target. If you selected any keys by mistake, deselect them with unmark <key-spec>.
  - recover
    Transfers the marked keys to the target OCS or softcard. The operation is not permanent at this stage.
- When prompted, insert a card from the ACS and enter the passphrase. Repeat this step until you have loaded the required number of cards. If you do not have the required number of cards from the ACS, exit the process.
  Only insert Administrator Cards into a hardware security module that is connected to a trusted server.
- If you are recovering keys to an OCS:
  - rocs prompts you to insert a card from the first OCS that you have selected as the target. OCSs are processed in ascending numerical order as listed by the list cardsets command.
  - Insert a card from this OCS.
  - rocs prompts you for the passphrase for this card. This is repeated until you have loaded the required number of cards from the OCS.
  If you are recovering keys to a softcard, rocs prompts you for the passphrase for the softcard that you have selected as the target.
  When you have loaded the target softcard or the required number of cards from the target OCS, rocs transfers the selected keys to the target OCS or softcard. If you have selected other target OCSs or softcards, rocs prompts for a card from the next OCS. Repeat this step for each selected target.
- Enter save [<key-spec> [...]].
  This writes the key blobs to disk. If you specify one or more <key-spec> values, only those keys are saved. If you do not specify a <key-spec>, all keys are saved. If you have transferred a key by mistake, you can restore it to its original protection with revert <key-spec> [<key-spec> [...]].
Using rocs from the command line
Refer to rocs for more details about each of the available options.
You can select all the options for rocs using the command line by running a command of the form:
  rocs -m|--module=<MODULE> [-t|--target=<CARDSET-SPEC>] [-k|--keys=<KEYS-SPEC>] [-c|--cardset=<CARDSET-SPEC>] [-i|--interactive]
Set the values as follows:
- <MODULE>: The HSM to use.
- (target) <CARDSET-SPEC>: The OCS or softcard to use to protect the keys.
- <KEYS-SPEC>: The keys to recover.
- (cardset) <CARDSET-SPEC>: Selects all keys that are protected by the named OCS or softcard.
- -i|--interactive: Starts rocs in interactive mode, even if keys have been selected.
You must specify the target before you specify keys. You can use multiple --keys=<KEYS-SPEC> and --cardset=<CARDSET-SPEC> options, if necessary.
You can specify multiple targets on one command line by including separate --keys=<KEYS-SPEC> or --cardset=<CARDSET-SPEC> options for each target. If a key is selected by --keys=<KEYS-SPEC> or --cardset=<CARDSET-SPEC> options for more than one target, it is transferred to the last target for which it is selected.
If you have selected a hardware security module, a target OCS or softcard, and keys to recover, but have not specified the --interactive option, rocs automatically recovers the keys. rocs prompts you for the ACS and for the target OCS or softcard. For more information, see Using rocs interactively.
If you use rocs from the command line, all keys are recovered and saved automatically. You cannot revert the keys unless you still have cards from the original OCS.
If you do not specify the target and keys to recover, or if you specify the --interactive option, rocs starts in interactive mode with the selections you have made. You can then use further rocs commands to modify your selection before using the recover and save commands to transfer the keys.
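The command-line rules above (target before keys, several --keys or --cardset options per target, last target wins) are easy to get wrong on a one-shot command, and rocs run this way recovers and saves immediately with no revert once the old cards are gone. The POSIX shell function below is an added example, not part of the nShield software: it parses a rocs-style option list and prints the resulting key-to-target plan so you can check it before running the real rocs with the same arguments. It treats each --keys value as one key number as shown by list keys and each --cardset value as one card-set number (both assumptions); it does not talk to the HSM, so it cannot check that a target card set exists or that OCS keys are not being sent to a softcard.

```sh
#!/bin/sh
# rocs_plan: dry-run planner for a non-interactive rocs command line.
# Added example, not part of the nShield software. It walks the rocs
# options in order and applies the rules documented for rocs:
#   * --module is required
#   * a --target must precede the first --keys/--cardset option
#   * a key-spec named under several targets goes to the LAST target
# and prints one "key <spec> -> <target>" or "cardset <spec> -> <target>"
# line per selection. Assumption: each --keys/--cardset value is a single
# number as listed by rocs "list keys" / "list cardsets".

# Record a selection, dropping any earlier record with the same kind and
# spec so that the last target wins. Uses the caller's "plan" variable,
# which holds newline-terminated "kind spec target" records.
_rocs_assign() {
    new=""
    oldifs=$IFS
    IFS='
'
    for rec in $plan; do
        case "$rec" in
            "$1 $2 "*) ;;                 # superseded by the new target
            *) new="$new$rec
" ;;
        esac
    done
    IFS=$oldifs
    plan="$new$1 $2 $3
"
}

rocs_plan() {
    module=""
    target=""
    plan=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -m) module=$2; shift ;;
            --module=*) module=${1#*=} ;;
            -t) target=$2; shift ;;
            --target=*) target=${1#*=} ;;
            -k|-c|--keys=*|--cardset=*)
                if [ -z "$target" ]; then
                    printf 'rocs_plan: %s given before any --target\n' "$1" >&2
                    return 1
                fi
                case "$1" in -k|--keys=*) kind=key ;; *) kind=cardset ;; esac
                case "$1" in -k|-c) spec=$2; shift ;; *) spec=${1#*=} ;; esac
                _rocs_assign "$kind" "$spec" "$target"
                ;;
            -i|--interactive) ;;          # rocs would stop at its prompt; plan unchanged
            *)
                printf 'rocs_plan: unknown option %s\n' "$1" >&2
                return 1
                ;;
        esac
        shift
    done
    if [ -z "$module" ]; then
        printf 'rocs_plan: --module is required\n' >&2
        return 1
    fi
    if [ -z "$plan" ]; then
        printf 'rocs_plan: no keys selected; rocs would start interactively\n' >&2
        return 1
    fi
    printf '%s' "$plan" | while read -r kind spec tgt; do
        printf '%s %s -> %s\n' "$kind" "$spec" "$tgt"
    done
}
```

Call it with exactly the arguments you intend to pass to rocs, for example rocs_plan --module=1 --target=2 --keys=7 --keys=8 --target=3 --keys=7, which reports key 8 going to card set 2 and key 7 going to card set 3 because the later --target wins; only then run rocs with the same argument list.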