Remote Operator

This chapter explains:

  • The concept of Remote Operator

  • How to configure Remote Operator.

If you wish to use the Remote Operator feature, you must have enabled it as described in Enabling optional features. The Remote Operator feature must have been ordered for, and enabled on, the nShield module that you intend to use as the remote, unattended module.

About Remote Operator

The Remote Operator feature enables the contents of a smart card inserted into the slot of one module (the attended module) to be securely transmitted and loaded onto another module (an unattended module). This is useful when you need to load an OCS-protected key onto a machine to which you do not have physical access (because, for example, it is in a secure area).

For Remote Operator to work, the modules must be in the same Security World. You insert the required cards from the OCS into a slot in the attended module. From this module, the contents of the OCS are transmitted over secure channels to the unattended module, which then loads them. You do not need physical access to the unattended module in order to load the OCS onto it.

The following limitations apply to Remote Operator:

  • You cannot access non-persistent card sets remotely.

  • You cannot use the createocs command-line utility to write new cards or card sets remotely.

You can export a slot from an attended module and import a slot to any (unattended) module in the Security World. Before you can import a slot to one module, you must first export it from another module.

Configuring Remote Operator

This section explains how to configure Remote Operator.

Overview of configuring Remote Operator

Before you can use Remote Operator, you must perform the following initial configuration tasks:

  1. Configure the HSMs for Remote Operator.

    The HSMs must be in the same Security World, and must have been initialized with remote card set reading enabled.

    Both the attended and the unattended HSM must be in operational mode before they can import or export slots. See Checking and changing the mode on an nShield Connect for more about changing the mode.

  2. Configure the HSMs for slot import and export, as appropriate.

Dynamic Slots cannot be exported or imported as Remote Operator slots.

After the initial configuration is complete, to use Remote Operator you must:

  1. Create a Remote OCS (that is, an OCS with the correct permissions for Remote Operator).

  2. Generate keys that are protected by the Remote OCS.

  3. Ensure your application is configured to use keys protected by the Remote OCS.

Configuring HSMs for Remote Operator

  1. Ensure both HSMs are initialized into the same Security World; see Adding or restoring an HSM to the Security World.

    By default, HSMs are initialized with remote card-set reading enabled. If you do not want an HSM to be able to read remote card sets, you can initialize it by running the new-world command-line utility with the -S MODULE option (where MODULE is the HSM’s ID number).

  2. For the unattended HSM:

    1. Check whether the Remote Operator feature is enabled by running the enquiry command-line utility. The output for the HSM must include Remote Share in its list of Features.

    2. Check whether the HSM has permission to allow loading of Remote OCSs by selecting Security World mgmt > Display World info. The output from this selection must show that flags are set to include ShareTarget, as in the following example:

      Module #1
      generation 2
      state 0x2 Usable
      flags 0x10000 ShareTarget
      n_slots 3
      esn 8851-43DF-3795
      hkml 391eb12cf98c112094c1d3ca06c54bfe3c07a103

    This information can also be output by running the nfkminfo command-line utility.

Configuring slot import and export

Before you can configure slot import and export, ensure that you have configured the attended and unattended HSMs for Remote Operator as described in Configuring HSMs for Remote Operator.

Ensure that your network firewall settings are correct. See the Installation Guide for more about firewall settings.

Configuring slot import and export using the Connect front panel

When the HSMs have been configured, follow these steps to configure slot import and export:

  1. Configure the attended HSM to export a slot by following these steps:

    1. From the main menu, select Security World mgmt > Set up remote slots > Export slot.

    2. Specify the HSM to which the slot is being exported by supplying values for:

      • The IP address of the unattended HSM

      • The ESN of the unattended HSM.

  2. Configure the unattended HSM to import the slot that you are exporting from the attended HSM by following these steps:

    1. From the main menu, select Security World mgmt > Set up remote slots > Import slot.

    2. Specify the details of the Remote Operator slot by supplying values for:

      • The IP address of the HSM from which the slot is being exported

      • The ESN of the HSM from which the slot is being exported

      • The ID of the slot on the importing HSM

      • The port to use to connect to the hardserver hosting the attended HSM.

To check that the slot was imported successfully, run the following command on the unattended machine:

slotinfo -m 1

If slot importation was successful, the output from this command includes lines similar to the following:

Slot Type            Token   IC    Flags   Details
#0   Smartcard       present 3     A
#1   Software Tkn    -       0
#2   smartcard       -       0     AR

The R in the Flags column indicates that slot 2 is a Remote Operator slot.

Applications running on the unattended machine can now use slot 2 to load OCSs that are presented to slot 0 on the attended machine. If any of the cards require a pass phrase, the application must pass this to the unattended HSM in the usual way.

For the application to be able to load the OCS onto the unattended HSM, it must be able to read the card set files associated with the OCS from the local Key Management Data directory. If the OCS was created on a different machine, you must copy the card set files in the Key Management Data directory onto the unattended machine (either manually or by using client cooperation; for more information, see Setting up client cooperation).

The same applies for any keys that an application on an unattended HSM needs to load but that were not generated on that machine.

Creating OCSs and keys for Remote Operator

When you have configured the HSMs and slot import and export, you can create Remote OCSs and generate keys protected by them. These Remote OCSs and keys can be used by applications running on the unattended HSM.

For the most part, card sets and keys intended to be used with Remote Operator are similar to their ordinary, non-Remote counterparts.

Creating OCSs for use with Remote Operator

You can generate Remote OCSs by using KeySafe or by running the createocs command-line utility with the -q|--remotely_readable option specified. The cards in a Remote OCS must be created as persistent; see Persistent Operator Card Sets.

To check whether the card in a slot is from a Remote OCS, select Security World mgmt > Display World info from the main menu or run the nfkminfo command-line utility. The output displays slot section information similar to the following:

Module #1 Slot #0 IC 1
generation         1
phystype           SmartCard
slotlistflags      0x2
state              0x5
Operator flags     0x20000 RemoteEnabled
shareno            1
shares             LTU(Remote)
error              OK

In this example output, the RemoteEnabled flag indicates the card in the slot is from a Remote OCS.
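
The checks described in this chapter (ShareTarget on the unattended HSM, the R flag in the slotinfo table, and RemoteEnabled on the card in a slot) can be scripted against captured utility output. The following is an added example, not part of the product documentation: the function names and the abridged sample text are constructed for illustration, and it assumes the utilities print the layout shown in this chapter's example output.

```shell
#!/bin/sh
# Added example: readiness checks over captured nfkminfo and slotinfo output.

# section_has_flag HEADER KEY FLAG   (nfkminfo output on stdin)
# Succeeds when the section headed HEADER lists FLAG on its KEY line.
section_has_flag() {
    awk -v hdr="$1" -v key="$2" -v flag="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { line = trim($0) }
        line == "" { insec = 0; next }
        line ~ /^Module #[0-9]+/ {   # module section or "... Slot #n IC n" slot section
            insec = (line == hdr || index(line, hdr " IC ") == 1); next
        }
        insec && index(line, key " ") == 1 {
            n = split(substr(line, length(key) + 1), f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == flag) found = 1
        }
        END { exit !found }'
}

# remote_slots   (slotinfo output on stdin)
# Prints the number of every slot whose Flags column contains R.
remote_slots() {
    awk '
        /^Slot[ \t]/ { start = index($0, "Flags"); stop = index($0, "Details"); next }
        start && /^#[0-9]+/ {
            width = (stop > start) ? stop - start : length($0)
            if (substr($0, start, width) ~ /R/) print substr($1, 2)
        }'
}

# Constructed sample input, abridged from the example output in this chapter.
SAMPLE_NFKMINFO='Module #1
 state 0x2 Usable
 flags 0x10000 ShareTarget
 n_slots 3

Module #1 Slot #0 IC 1
 phystype           SmartCard
 slotlistflags      0x2
 Operator flags     0x20000 RemoteEnabled
 shares             LTU(Remote)'
SAMPLE_SLOTINFO='Slot Type            Token   IC    Flags   Details
#0   Smartcard       present 3     A
#1   Software Tkn    -       0
#2   smartcard       -       0     AR'

printf '%s\n' "$SAMPLE_NFKMINFO" | section_has_flag 'Module #1' flags ShareTarget && echo 'module 1: ShareTarget set'
printf '%s\n' "$SAMPLE_NFKMINFO" | section_has_flag 'Module #1 Slot #0' 'Operator flags' RemoteEnabled && echo 'slot 0: card is from a Remote OCS'
echo "Remote Operator slots: $(printf '%s\n' "$SAMPLE_SLOTINFO" | remote_slots | tr '\n' ' ')"
```

On a live system, pipe the output of nfkminfo and slotinfo -m 1 into the functions in place of the sample variables.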

If you create a Remote OCS on the attended machine, then you must copy the Key Management Data files on the attended machine to the unattended machine.

Both the attended and unattended HSMs must be in the same Security World before you generate a Remote OCS. If you are not using client cooperation, the Key Management Data directories must be manually synchronized after you generate the Remote OCS.

If you already have recoverable keys protected by a non-Remote OCS, you can transfer them to a new Remote OCS by using KeySafe or the replaceocs command-line utility.

Loading Remote Operator Card Sets

Once configured, the Remote Operator slots can be used by all the standard nShield libraries. A Remote Operator slot can be used to load any OCSs that have been created to allow remote loading. For more information about the applications to use with remote cards, see Application interfaces. For more information about Remote Operator slots, see Remote Operator.

After an OCS has been inserted into a Remote Operator slot, the module allows each share on a given card to be read only once for each time that card is inserted. If there is a second attempt to read shares from that card before the card is reinserted, the operation fails with a UseLimitsUnavailable error.

Generating keys for use with Remote Operator

After you have created a Remote OCS, to generate keys protected by it you can run KeySafe or the generatekey and preload command-line utilities on the unattended module, inserting cards into the slot attached to the attended module. For more information about generating and working with keys, see Working with keys.

If you generate keys protected by a Remote OCS on the attended module, then you must copy the files in the Key Management Data directory on the attended machine to the unattended module.

KeySafe can list imported slots, but cannot use them.

If you already have an OCS-protected key that you want to use, but the protecting OCS is not a Remote OCS, you can use KeySafe to protect the key under a new Remote OCS if the key was originally generated with the key recovery option enabled.

However, if the key was not generated with key recovery enabled, you cannot protect it under a different OCS. In such a case, you must generate a new key to be protected by a Remote OCS.

Configuring the application

After you have configured the HSMs and slot import and export, created a Remote OCS, and generated keys protected by the Remote OCS, configure the application with which you want to use these keys as appropriate for the particular application.

After you have configured the application, start it remotely from the attended machine. Insert cards from the OCS into the attended machine’s exported slot as prompted.

Managing Remote Operator slots using the unit front panel

Editing Remote Operator slots

You can change the details of a Remote Operator slot. You must always update the details of both the exported slot on the local module and the imported slot on the remote module.

To update an exported slot on the module:

  1. From the main menu, select Security World mgmt > Set up remote slots > Edit exported slot.

  2. Select the exported slot that you want to update. Slots are identified by the IP address of the remote module.

  3. Update the details of the slot.

To update an imported slot on the unit:

  1. From the main menu, select Security World mgmt > Set up remote slots > Edit imported slot.

  2. Select the imported slot that you want to update. Slots are identified by the IP address of the remote module.

  3. Update the details of the slot.

Deleting Remote Operator slots

You can delete Remote Operator slots.

To delete an exported slot, from the main menu, select Security World mgmt > Set up remote slots > Delete exported slot and select the slot you want to delete.

To delete an imported slot, from the main menu, select Security World mgmt > Set up remote slots > Delete imported slot and select the slot you want to delete.