Checking and changing the mode on an nShield Connect

This appendix tells you how to check and change the mode on an nShield Connect. You must change the mode to perform certain configuration tasks.

nShield Connect front panel controls

See The nShield Connect user interface for a description of the nShield Connect user interface, including the front panel controls.

We recommend that you use a keyboard to manage the front panel menu options and enter text. See Using a keyboard to control the unit for more information.

Available modes

The following modes are available:

  • Operational

    • The default setting for day-to-day use

  • Initialization

    • Sets the nShield Connect to start in pre-initialization mode

    • Allows you to use the nShield Connect to create a Security World or add the module to an existing one

You cannot select Maintenance mode. It is managed by the nShield Connect and cannot be set by a user.

Identifying the current mode

You can check the current mode of an nShield Connect:

  • At the nShield Connect itself

  • By using the enquiry command-line utility from a client computer

  • By using KeySafe from a client computer

Checking the mode at the nShield Connect

The status LED

The nShield Connect Status LED indicates the operational status of the module.

Status LED                                            Description
----------------------------------------------------  ---------------------------------------------------------------
On, occasionally blinks off.                          Status: Operational mode
                                                      The module is in Operational mode and accepting commands. The
                                                      more frequently the Status LED blinks off, the greater the load
                                                      on the module.
Flashes two short pulses, followed by a short pause.  Status: Initialization mode
                                                      Existing Security World data on the module has been erased. The
                                                      module is automatically placed in Initialization mode after a
                                                      Security World is created. For more information, see the
                                                      nShield Connect User Guide.
Flashes two long pulses followed by a pause.          Status: Maintenance mode
                                                      Used for reprogramming the module with new firmware. The module
                                                      only goes into Maintenance mode during a software upgrade.

The front panel display screen

The nShield Connect screen shows a color-coded footer at the bottom of the display when it is not in Operational mode.

Footer color  Text in footer  Meaning
------------  --------------  -------
Yellow        Initialization  The system is rebooting or waiting for an Administrator Card to be inserted.
Blue          Maintenance     An administrative task is being performed. This mode is only entered during firmware upgrades.
Red           HSM Failed      The internal module has failed.

Checking the mode using enquiry

You can use the enquiry command-line utility to display information about the hardserver and the status of the nShield Connect. The enquiry utility is in the bin subdirectory of the nCipher directory. This is usually /opt/nfast.

To check the mode using enquiry:

  1. Log in on the client computer as a user, and open a command window.

  2. Run the command:

    /opt/nfast/bin/enquiry

    The following is an example of the enquiry command output:

    Server:
    enquiry reply flags     none
    enquiry reply level     Six
    serial number           ####-####-####-####
    mode                    operational
    version                 #.#.#
    speed index             ###
    rec. queue              ##..##
    ...
    version serial          #
    remote port (IPv4)      ####
    
    Module #1:
    enquiry reply flags     none
    enquiry reply level     Six
    serial number           ####-####-####-####
    mode                    operational
    version                 #.#.#
    speed index             ###
    rec. queue              ##..##
    ...
    rec. LongJobs queue     ##
    SEE machine type        PowerPCSXF

    In this example, the mode line shows that the nShield Connect is in operational mode.

Checking the mode by using KeySafe

You can use the Module Status tree of the KeySafe GUI to identify the current mode of the nShield Connect.

To check the mode using KeySafe:

  1. Start KeySafe on a client computer.

  2. Locate the Module Status tree (part of the Security World status panel) positioned to the bottom left of the KeySafe window.

  3. Expand the Security World and/or Outside Security World nodes as required.

  4. Locate the appropriate nShield Connect (Module).
    The current mode of the module is displayed in the State field.

See Using KeySafe for more about using KeySafe. See Module information for more about checking the mode.

Changing the mode

You can change the mode of an nShield Connect using:

  • The front panel controls of the nShield Connect

  • The nopclearfail command-line utility from a client computer

Changing the mode using the front panel controls of an nShield Connect

To change the mode of an nShield Connect, use the front panel menu screens and dialogs to do the following:

  1. Navigate to HSM > Set HSM mode.

  2. Select Initialisation or Operational as required.

Changing the mode using remote mode and nopclearfail

You can enable or disable the ability to make remote mode changes. See Enabling and disabling remote mode changes.

Once you have enabled remote mode changes, you can change the mode of an nShield Connect from a computer using the nopclearfail command, without accessing the unit itself.

Available commands

You can use the following commands to change the mode of a module:

Command                             Resulting mode
----------------------------------  ------------------
nopclearfail --operational | -O     Operational
nopclearfail --initialization | -I  Pre-initialization

To change the mode, do the following:

  1. Run either:

    1. The nopclearfail --operational | -O command.
      or:

    2. The nopclearfail --initialization | -I command.
      When finished, the system responds with OK.

    The system responds with OK regardless of whether the mode of the nShield Connect has changed. To confirm the state of the module, do the following:

  2. Run the enquiry command.
    The mode line of the Module section displays the current mode.
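
Because nopclearfail answers OK whether or not the mode changed, the confirmation step can be scripted. The following is an added example, not part of the vendor documentation: it reads enquiry output and reports the mode line of a given Module section only, ignoring the Server section's own mode line. The function names and the abridged sample output are constructed for illustration, and the non-operational mode string in the second sample is an assumption.

```sh
# module_mode N: read enquiry output on stdin and print the mode of "Module #N".
# Only the mode line inside that Module section counts; the Server section has
# its own mode line, so taking the first "mode" match would read the wrong one.
module_mode() {
    awk -v want="Module #$1:" '
        /^[ \t]*(Server|Module [#][0-9]+):[ \t]*$/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            in_section = ($0 == want); next
        }
        in_section && $1 == "mode" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# confirm_mode N EXPECTED: succeed only if Module #N reports EXPECTED.
confirm_mode() {
    actual=$(module_mode "$1") || { echo "Module #$1: no mode line" >&2; return 2; }
    [ "$actual" = "$2" ] && { echo "Module #$1: mode is $actual"; return 0; }
    echo "Module #$1: mode is $actual, expected $2" >&2
    return 1
}

# Constructed samples, abridged from the example output on this page.
sample_operational() { cat <<'EOF'
Server:
    mode                    operational
    version                 #.#.#

Module #1:
    enquiry reply flags     none
    mode                    operational
EOF
}
# "initialization" below is a constructed stand-in for a non-operational mode;
# the exact string enquiry prints in that state is not shown on this page.
sample_not_operational() { cat <<'EOF'
Server:
    mode                    operational

Module #1:
    mode                    initialization
EOF
}

# Real use (after nopclearfail has answered OK):
#   /opt/nfast/bin/enquiry | confirm_mode 1 operational
sample_not_operational | confirm_mode 1 operational || echo "mode change not confirmed"
```

In the second sample the Server section still reports operational, which is why the check is scoped to the Module section.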