Client Software and module configuration
This chapter describes software and module configuration tasks that you can choose to perform after the initial installation of Security World Software and hardware. See the Installation Guide for more information about hardware and software installation.
You must determine whether particular configuration options are necessary or appropriate for your installation. The additional configuration options described in this chapter can be performed either before or after the creation of a Security World (as described in Creating a Security World) and an OCS (as described in "Creating Operator Card Sets (OCSs).
About user privileges
Cryptographic security does not depend on controlling user privileges or access but maintaining the integrity of your system from both deliberate or accidental acts can be enhanced by appropriate use of (OS) user privileges.
Setting up client cooperation
You can allow an nShield HSM to automatically access the remote file system (RFS) belonging to another nShield HSM and share the Security World and key data stored in the Key Management Data directory. Client hardware security modules that access data in this way are described as cooperating clients.
To configure client cooperation for hardware security modules that are not nShield HSMs:
-
Configure the RFS used by your nShield Connect to accept access by cooperating clients.
-
On each client that is to be a cooperating client, you must run the
rfs-sync
command-line utility with appropriate options:-
for clients using a software
K
NETI key to authenticate themselves to the RFS, run the command with the default options:rfs-sync --setup <RFS_IP_ADDRESS>
-
for clients using a module
K
NETI key to authenticate themselves to the RFS, run the command:rfs-sync --setup --authenticate --module=<MODULE> <RFS_IP_ADDRESS>
In this command:
-
<RFS_IP_ADDRESS>
is the IP address of the RFS. -
<MODULE>
is the local module to use for authentication.
-
-
The rfs‑sync
utility uses lock files to ensure that updates are made in a consistent fashion.
If an rfs‑sync
--commit
operation (the operation that writes data to the remote file system) fails due to a crash or other problem, it is possible for a lock file to be left behind.
This would cause all subsequent operations to fail with a lock time‑out error.
+
The rfs‑sync
utility has options for querying the current state of the lock file, and for deleting the lock file; however, we recommend that you do not use these options unless they are necessary to resolve this problem.
Clients without write access cannot delete the lock file.
+
For more information about the rfs‑sync
utility, see rfs-sync.
-
To remove a cooperating client so the RFS no longer recognizes it, you must:
-
Know the IP address of the cooperating client that you want to remove
-
Manually update the
remote_file_system
section of the hardserver configuration file by removing the following entries for that particular client:remote_ip=client_IP_address remote_esn=keyhash=0000000000000000000000000000000000000000 native_path=%NFAST_KMDATA%\local volume=kmdata-local allow_read=yes allow_write=yes allow_list=yes is_directory=yes is_text=no
and
remote_ip=client_IP_address remote_esn=keyhash=0000000000000000000000000000000000000000 native_path=%NFAST_KMDATA%\local\sync-store volume=kmdata-backup allow_read=yes allow_write=yes allow_list=yes is_directory=yes is_text=no
-
Useful utilities
anonkneti
To find out the ESN and the hash of the K
NETI key for a given IP address, use the anonkneti
command-line utility.
A manual double‑check is recommended for security.
The IP address could be one of the following:
-
An IPv4 address, for example
123.456.789.123
. -
An IPv6 address, for example
fc00::1
. -
A link-local IPv6 address, for example
fe80::1%eth0
. -
A hostname.
rfs-sync
This utility synchronises the kmdata
between a cooperating client and the remote file system it is configured to access.
It should be run when a cooperating client is initialised in order to retrieve data from the remote file system and also whenever a client needs to update its local copy of the data or, if the client has write access, to commit changes to the data.
Usage
rfs-sync [-U|--update] [-c|--commit] [-s|--show] [--remove] [--setup [setup_options] ip_address]
Options
-U
,--update
-
These options update local key-management data from the remote file system.
If a cooperating client has keys in its kmdata\local
directory that are also on the remote file system, if these keys are deleted from the remote file system and thenrfs-sync --update
is run on the client, these keys remain on the client they are until manually removed. -c
,--commit
-
These options commit local key-management data changes to the remote file system, and update the client from the remote file system.
-s
,--show
-
These options display the current synchronisation configuration.
--setup
-
This option sets up a new synchronisation configuration. Specifics of the configuration can be altered using
setup_options
as follows: -a
,--authenticate
-
This set-up option specifies the use of a module KNETI key to authenticate this client to the RFS. By default the software KNETI key is used instead.
-m
,--module=module
-
This option selects the local module to use for authentication. The default is 1. This option can only be used with the
--authenticate
option. -p
,--port=port
-
These options specify the port on which to connect to the remote file system. The default is 9004.
ip_address
-
This option specifies the IP address of the remote file system, which could be one of the following:
-
An IPv4 address, for example
123.456.789.123
. -
An IPv6 address, for example
fc00::1
. -
A link-local IPv6 address, for example
fe80::1%eth0
. -
A hostname.
-
--remove
-
This option removes the synchronisation configuration.
A client can use rfs-sync
--show
to display the current configuration, or rfs-sync
--remove
to revert to a standalone configuration.
Reverting to a standalone configuration leaves the current contents of the Key Management Data directory in place.
The rfs-sync
command also has additional administrative options for examining and removing lock files that have been left behind by failed rfs-sync --commit
operations.
Using the --who-has-lock
option displays the task ID of the lock owner.
As a last resort, you can use the rfs-sync
command-line utility to remove lock files. In such a case, the --kill-lock
option forcibly removes the lock file.
The lock file can also be removed via menu item 3‑3‑2, Remove RFS Lock: this executes the rfs-sync --kill-lock command.
|
Setting environmental variables
This section describes how to set Security World Software-specific environment variables. You can find detailed information about the environment variables used by Security World Software in Environment variables. Environment variables
You can set Security World Software-specific environment variables as follows:
-
Open the System dialog by clicking System in the control panel menu.
-
Select the Advanced tab and click the Environment Variables button.
-
To add a variable, click New. Alternatively, to edit an existing variable select an entry in the System Variables list and click Edit.
-
In the Variable Name field, type or edit the name of the environment variable (for example, NFAST_HOME).
-
In the Variable Value field, type or edit the value to use.
-
Click the OK button to set the value, and then click the OK button to close the dialog.
-
Open the Administrative Tools dialog by clicking the Administrative Tools icon in the Control Panel
-
Open the Services console by clicking the Services icon.
-
From the displayed list of services, select the nFast Server icon, and select Restart the service.
Logging and debugging
The Security World Software generates logging information that is configured through a set of four environment variables:
-
NFLOG_FILE
-
NFLOG_SEVERITY
-
NFLOG_DETAIL
-
NFLOG_CATEGORIES
If none of these logging environment variables are set, the default behavior is to log nothing, unless this is overridden by any individual library. If any of the four logging variables are set, all unset variables are given default values. |
Detailed information about controlling logging information by means of these environment variables is supplied in Logging, debugging, and diagnostics.
Some components of the Security World Software generate separate debugging information which you can manage differently. If you are setting up the client to develop software that uses it, you should configure debugging before commencing software development.
Configuring Java support for KeySafe
To use KeySafe, follow the instructions in Using KeySafe.
Configuring the hardserver
The hardserver handles secure transactions between the HSMs connected to the host computer and applications that run on the host computer. In addition, the hardserver, for example:
-
Controls any Remote Operator slots that the HSM uses
-
Loads any SEE (Secure Execution Engine) machines that are to run on the HSM
-
Enables Remote Administration and provides the communication channel between the Remote Administration Service and the HSM
The hardserver can handle transactions for multiple HSMs. This does not require configuration of the hardserver. For more information, see Using multiple modules.
The hardserver must be configured to control:
-
The way the hardserver communicates with remote HSMs
-
The way the hardserver communicates with local HSMs
-
The import and export of Remote Operator slots
-
The loading of SEE machines on to the HSM when the hardserver starts up
-
The number of Dynamic Slots available on the HSM
-
The port used to connect to the Remote Administration Service
-
Whether a Dynamic Slot needs to be exchanged with slot 0 of an HSM
-
Timeout values for nShield Remote Administration Card presence assurance
-
Configuring the audit logging destination.
The hardserver configuration file defines the configuration of the hardserver.
By default, it is stored in the
%NFAST_KMDATA%
\config
directory, and a default version of this file is created when the Security World Software is installed.
See Overview of hardserver configuration file sections for an overview of the hardserver configuration file, and see "Hardserver configuration files" for detailed information about the various options available through it.
In some previous releases of the Security World Software, hardserver configuration was controlled by environment variables. The use of these variables has been deprecated. If any of these environment variables are still set, they override the settings in the configuration file. |
You must load the configuration file for the changes to the configuration to take effect.
To configure the hardserver, follow these steps:
-
Save a copy of the configuration file %NFAST_KMDATA%
\config\config
so that the configuration can be restored if necessary. -
Edit the configuration file %NFAST_KMDATA%
\config\config
to contain the required configuration. (See "Hardserver configuration files" for descriptions of the options in the configuration file.) -
Run the
cfg-reread
command-line utility to load the new configuration.If you changed the server_startup section of the hardserver configuration file, you must restart the hardserver instead of running cfg-reread. For more information, see Stopping and restarting the hardserver. -
Test that the hardserver is configured correctly by running the
enquiry
command-line utility.Check that an HSM with the correct characteristics appears in the output.
-
Test that the client has access to the Security World data by running the
nfkminfo
command-line utility.Check that an HSM with the correct ESN appears in the output and has the state
0x2 Usable
.
Overview of hardserver configuration file sections
Configuring remote HSM connections
A remote HSM is an HSM that is not connected directly to the host computer but with which the hardserver can communicate. It can be one of the following:
-
A network-connected nShield HSM that is configured to use the host computer as a client computer
-
An HSM to which an attended Remote Operator slot is imported for the hardserver’s unattended local HSM
(Remote Operator feature only).
You configure the hardserver’s communications with remote HSMs in the server_remotecomms
section of the hardserver configuration file.
This section defines the port on which the hardserver listens for communications from remote HSMs.
You need to edit this section only if the default port (9004) is not available.
For detailed descriptions of the options in this section, see server_remotecomms.
For information about configuring the Remote Operator feature (Remote Operator slots), as opposed to remote HSMs, see Remote Operator.
Hardserver settings
You configure the hardserver’s settings in the server_settings
section of the configuration file.
This section defines how connections and hardserver logging are handled. These settings can be changed while the hardserver is running.
For detailed descriptions of the options in this section, see server_settings.
Hardserver performance settings
You configure the hardserver performance settings in the server_performance section of the configuration file.
This section determines whether multi-threaded performance scaling is enabled or not. By default, scaling is not enabled. Any changes you make to the settings in this section do not take effect until after you restart the hardserver.
For detailed descriptions of the options in this section, see server_performance.
HSM settings
You configure the HSM’s settings in the module_settings
section of the configuration file.
This section defines the settings for the HSM that can be changed while the hardserver is running.
For detailed descriptions of the options in this section, see module_settings.
Hardserver start‑up settings
You configure the hardserver’s start‑up settings in the server_startup
section of the configuration file.
This section defines the sockets and ports used by the hardserver. You need to change this section only if the default ports for privileged or unprivileged connections (9000 and 9001) are not available.
You should use the nt_privpipe_users option to define the name of the user who is allowed to carry out privileged operations, for example, using the nopclearfail utility. See nt_privpipe_users for more information.
|
For detailed descriptions of the options in this section, see server_startup.
SEE machines
You configure the hardserver to load SEE machines on start-up in the load_seemachine
section of the configuration file. The SEE Activation feature must be enabled on the HSM, as described in Enabling optional features.
This section defines the SEE machines and optional user data to be loaded, as well any other applications to be run in order to initialize the machine after it is loaded.
For detailed descriptions of the options in this section, see load_seemachine.
For information about SEE machines, see CodeSafe applications.
Remote Operator slots
You configure Remote Operator slots in the slot_imports
and slot_exports
sections of the configuration file.
These sections define the slots that are imported to or exported from the HSM. This applies to the Remote Operator feature only.
For detailed descriptions of the options in these sections, see slot_imports and slot_exports.
The Remote Operator feature must be enabled on the HSM, as described in Enabling optional features.
Remote file system
Each client’s remote file system is defined separately in the remote_file_system
section of the configuration file with a list of HSMs that are allowed to access the file system on the given client.
For information about setting up client cooperation, see Setting up client cooperation.
The remote_file_system section is updated automatically when the rfs‑setup utility is run. Do not edit the remote_file_system section manually.
|
As a reference, for detailed descriptions of the options in this section, see remote_file_system.
Audit logging
You configure the hardserver’s audit logging in the auditlog_settings
section of the configuration file.
This section defines the host IP address and port used as the destination for the syslog output of the audit logging capability. Optionally, the audit logging messages can be copied to the hardserver’s log file.
For further details see Audit Logging.
The hardserver needs to be restarted for these settings to take effect. |
Enabling optional features
nShield modules support a range of optional features. Optional features must be enabled with a certificate that you order from Entrust. You can order the features when you purchase a module, or you can obtain the certificate at a later date and use the Feature Enable Tool to enable the features.
For more information about:
-
Ordering optional features, see Ordering additional features
-
Feature-enabling procedures, see Enabling features.
The firmware checks to confirm whether any features that it attempts to use are enabled. It normally does this when it authorizes the commands or command options that relate to a specific feature.
Most features are static; that is, they are enabled by means of a switch in the EEPROM
of the
module.
A dynamic feature must be enabled again if the
module
is reinitialized.
Some optional features are static; that is, they are enabled by means of a switch in the EEPROM
of the unit. A dynamic feature must be enabled again if the unit is reinitialized.
After you have enabled features on a module, you must clear the module to make them available.
Clear the module by running the command nopclearfail --clear --all
or by pressing the module’s Clear switch.
If you are enabling the Remote Operator feature, you must enable it on the module that is to be used as the unattended module. For information about Remote Operator, see Remote Operator. |
Available optional features
Elliptic Curve
Cryptography based on elliptic curves relies on the mathematics of random elliptic curve elements. It offers better performance for an equivalent key length than either RSA or Diffie-Hellman public key systems. Using RSA or Diffie-Hellman to protect 128-bit AES keys requires a key of at least 3072 bits. The equivalent key size for elliptic curves is only 256 bits. Using a smaller key reduces storage and transmission requirements.
Elliptic curve cryptography is endorsed by the US National Security Agency and NIST (the National Institute of Standards and Technology), and by standardization bodies including ANSI, IEEE and ISO.
nShield modules incorporate hardware that supports elliptic curve operations for ECDH (Elliptic curve Diffie‑Hellman) and ECDSA (Elliptic Curve Digital Signature Algorithm) keys.
Elliptic Curve activation
All nShield HSMs require specific activation to utilize the elliptic curve features. HSMs use an activator smart card to enable this feature. Refer to Enabling features with a smart card for instructions on how to enable the EC feature. Additionally it is possible to activate the elliptic curve feature without a physical smart card. In this case the certificate details can be provided by email and entered locally. Refer to Enabling features without a smart card
Contact Sales if you require an EC activation.
nShield modules with elliptic curve activation support MQV (Menezes-Qu-Vanstone) modes.
Elliptic Curve support on the nShield product line
The following table details the range of nShield HSMs and the level of elliptic curve support that they offer.
HSM module type | Elliptic Curve support | Elliptic Curve offload acceleration3 | ||
---|---|---|---|---|
Named curves2 |
Custom curves1, 5 |
Named curves2 |
Custom curves1, 5 |
|
nShield Edge (Windows only) |
Yes |
Yes |
No |
No |
nShield Solo 500 and 6000 nShield 500, 1500 and 6000 |
Yes |
Yes |
No |
No |
nShield Solo 500+, 6000+ nShield 6000+ |
Yes |
Yes |
Yes, Prime curves and twisted Brainpool curves are accelerated4. |
Yes |
nShield Solo XC nShield Solo XC |
Yes |
Yes |
Yes, Prime curves and both twisted and non-twisted Brainpool curves are accelerated4. |
Yes |
1Accessed via nCore, PKCS#11 and JCE APIs.
2Both Prime and Binary named curves are supported. Refer to Named Curves, below, which lists the most commonly supported elliptic curves.
3Offload acceleration refers to offloading the elliptic curve operation from the main CPU for dedicated EC hardware acceleration.
4Binary curves are supported, but are not hardware offload accelerated.
5Brainpool curves are supported as named curves via nCore, PKCS#11 and JCE only.
nShield software / API support required to use elliptic curve functions
Security World Software for nShield | CodeSafe | |
---|---|---|
Elliptic curve supported / API |
Microsoft CNG, PKCS#11, Java Cryptographic Engine (JCE)1. |
Microsoft CNG, PKCS#11, Java Cryptographic Engine (JCE)1. |
1Java elliptic curve functionality is fully supported by the nShield security provider, nCipherKM. There is also the option to use the Sun/IBM PKCS #11 Provider with nCipherKM configured to use the nShield PKCS#11 library.
To demonstrate the accelerated performance of elliptic signing and verify operations, run the perfcheck utility. See perfcheck: performance measurement checking tool.
Named Curves
This table lists the supported named curves that are pre-coded in nShield module firmware.
Supported named curves | |||
---|---|---|---|
ANSIB163v1 |
BrainpoolP160r1 |
NISTP192 |
SECP160r1 |
ANSIB191v1 |
BrainpoolP160t1 |
NISTP224 |
SECP256k1 |
BrainpoolP192r1 |
NISTP256 |
||
BrainpoolP192t1 |
NISTP384 |
||
BrainpoolP224r1 |
NISTP521 |
||
BrainpoolP224t1 |
NISTB163 |
||
BrainpoolP256r1 |
NISTB233 |
||
BrainpoolP256t1 |
NISTB283 |
||
BrainpoolP320r1 |
NISTB409 |
||
BrainpoolP320t1 |
NISTB571 |
||
BrainpoolP384r1 |
NISTK163 |
||
BrainpoolP384t1 |
NISTK233 |
||
BrainpoolP512r1 |
NISTK283 |
||
BrainpoolP512t1 |
NISTK409 |
||
NISTK571 |
Custom curves
nShield modules also allow the entry of custom elliptic curves which are not pre-coded in firmware. If the curve is Prime, it may benefit from hardware acceleration if supported by the nShield HSM (see nShield software / API support required to use elliptic curve functions, above).
Custom curves are supported by nCore and PKCS #11 APIs.
Further information on using elliptic curves
For more information on how to use elliptic curves, see the following sections:
-
PKCS #11:
-
Mechanisms supported by PKCS #11: Mechanisms
-
-
CNG:
-
Supported algorithms for CNG: Supported algorithms for CNG
-
Key exchange for CNG: Key exchange
-
-
Symmetric and asymmetric algorithms: Cryptographic algorithms
-
Using
generatekey
options and parameters to generate ECDH and ECDSA keys: Key generation options and parameters
Java elliptic curve functionality is fully supported by the nShield security provider, nCipherKM. There is also the option to use the Sun/IBM PKCS #11 Provider with nCipherKM configured to use the PKCS #11 library. |
Secure Execution Engine (SEE)
The SEE is a unique secure execution environment. The SEE features available to you are:
SEE Activation (EU+10) |
This SEE feature is provided with the CodeSafe developer product to enable you to develop and run SEE applications. The CodeSafe developer product is only available to customers in the Community General Export Area (CGEA, also known as EU+10). Contact Entrust to find out whether your country is currently within the CGEA. |
SEE Activation (Restricted) |
This SEE feature is provided with specific products that include an SEE application. This feature enables you to run your specific SEE application and is available to customers in any part of the world. |
For more information about the SEE, see the CodeSafe Developer Guide.
Remote Operator support
Many Entrust customers keep critical servers in a physically secure and remote location. The Security World infrastructure, however, often requires the physical presence of an operator to perform tasks such as inserting cards. Remote Operator enables these customers to remotely manage servers running Security World Software using a secure nShield communications protocol over IP networks.
The Remote Operator feature must be enabled on the module installed in the remote server. Remote Operator cannot be enabled remotely on an unattended module.
For more information about using Remote Operator, see Remote Operator.
For v12 and later, Entrust recommends that you use Remote Administration, which is more flexible than the Remote Operator functionality.
ISO smart card Support (ISS)
ISS, also called Foreign Token Open (FTO) allows data to be read to and written from ISO 7816 compliant smart cards in a manner prescribed by ISO7816-4. ISS allows you to develop and deploy a security system that can make full use of ISO 7816 compliant smart cards from any manufacturer.
Korean algorithms
This feature enables the following mechanisms:
-
Korean Certificate-based Digital Signature Algorithm (KCDSA), which is a signature mechanism.
KCDSA is used extensively in Korea as part of compliance with local regulations specified by the Korean government. For more information about the KCDSA, see the nCore API Documentation.
-
SEED, which is a block cipher.
-
ARIA, which is a block cipher.
-
HAS160, which is a hash function.
Fast RNG for ECDSA
Utilise a faster alternative for Random Number Generation (RNG) for Elliptic Curve Digital Signature Algorithm (ECDSA). This feature is applicable for Solo XC / Connect XC modules only.
The faster performance, comparable with V12.40 performance, is achieved by the RNG part of ECDSA being done on the NXP C291 Crypto Coprocessor.
This implementation of ECDSA uses an RNG that is not within scope for the Edge certifications and for this reason it will not be used when the HSM is in a fips-140-2-level-3 or common-criteria-cmts Security World (regardless of the feature bit setting).
Ordering additional features
When you have decided that you require a new feature, you can order it from Sales. Before you call Sales, you collect information about your client as follows:
-
If possible, make a note of the serial number. This can be found on the circuit board of the nShield module.
-
Run the
enquiry
command and note the Electronic Serial Number of the module.
You must provide the ESN number to order a new feature.
If you prefer, you can include this information in an e-mail to Sales. You can use the Feature Enable Tool to save the ESN details to a file. For more information about using the Feature Enable Tool, see Enabling features.
When your order has been processed, you receive a Feature Enabling Certificate in one of the following ways:
-
Entrust e-mails you the Feature Enabling Certificate.
-
Entrust sends you a smart card that contains the Feature Enabling Certificate.
The Feature Enabling Certificate contains the information that you need to enable the features you have ordered.
For more information, including pricing of features, telephone or email your nearest Sales representative using the contact details from this guide, or contact Entrust nShield Support, https://nshieldsupport.entrust.com.
Enabling features
Viewing enabled features
The Feature Enable Tool can be used to view the status of modules connected to the host or to confirm that a feature has been successfully enabled on all modules connected to the host. To view the status of features, run the tool without a smart card.
Enabling features with a smart card
When it is launched, the Feature Enable Tool automatically scans the smart card readers of all modules attached to a host computer for any Feature Enabling smart cards present in the smart card readers, including imported Remote Operator slots and Dynamic Slots. However, feature enable smart cards do not work in Dynamic Slots.
To enable a new feature with a Feature Enabling smart card from Entrust:
-
Insert the Feature Enabling card from Entrust into a slot available to the module to be updated, excluding any Dynamic Slots.
-
Run the
fet
command-line utility to start the Feature Enable Tool.
A message is displayed if the features are enabled successfully. If you do not see this message confirming a successful upgrade, see Enabling features without a smart card.
Enabling features without a smart card
The Feature Enable Tool can also obtain the Feature Enabling Certificate information supplied by Entrust from a file or from the keyboard.
When you run the Feature Enable Tool without a Feature Enabling smart card in an HSM slot, a message similar to the following is displayed. There is a line for the features on each module, and a list of options.
In this example, only one module (ESN 4748-494A-4B4C
) is attached to the host.
Feature Enable Tool
===================
CAN Activation
| ISO Smart Card Support
| | Remote Operator
| | | Korean Algorithms
| | | | SEE Activation (EU+10)
| | | | | SEE Activation (Restricted)
| | | | | | CodeSafe SSL
| | | | | | | Elliptic Curve algorithms
| | | | | | | | Elliptic Curve MQV
| | | | | | | | | Accelerated ECC
| | | | | | | | | | HSM Base Speed
| | | | | | | | | | | HSM Mid Speed
| | | | | | | | | | | | HSM High Speed
| | | | | | | | | | | | | Fast RNG for ECDSA
Mod Electronic | | | | | | | | | | | | | |
No.
Serial Number
1 4748-494A-4B4C -- N N N N N N N N N N N N N N
. Exit Feature Enable Tool.
. Read FEM certificate(s) from a smart card or cards.
. Read FEM certificate from a file.
. Read FEM certificate from keyboard.
. Write table to file.
Enter option :
Using multiple modules
The hardserver can communicate with multiple modules connected to the host. By default, the server accepts requests from applications and submits each request to the first available module. The server can share load across buses, which includes the ability to share load across more than one module.
If your application is multi-threaded, you can add additional modules and expect performance to increase proportionally until you reach the point where cryptography no longer forms a bottleneck in the system.
Identifying modules
Modules are identified in two ways:
-
By serial number
-
By
ModuleID
.
You can obtain the ModuleID
's and serial numbers of all your modules by running the enquiry
command-line utility.
Electronic Serial Number (ESN)
The serial number is a unique 12-digit number that is permanently encoded into each module. Quote this number in any correspondence with Support.
ModuleID
The ModuleID
is an integer assigned to the module by the server when it starts.
The first module it finds is given a ModuleID
of 1, the next is given a ModuleID
of 2, and this pattern of assigning ModuleID
numbers continues for additional modules.
The order in which buses are searched and the order of modules on a bus depends on the exact configuration of the host. If you add or remove a module, this can change the allocation of ModuleIDs to all the modules on your system.
You can use the enquiry
command-line utility to identify the PCI bus and slot number associated with a module.
All commands sent to nShield modules require a ModuleID
. Many Security World Software commands, including all acceleration-only commands, can be called with a ModuleID
of 0. Such a call causes the hardserver to send the command to the first available module.
If you purchased a developer kit, you can refer to the developer documentation for information about the commands that are available on nShield modules.
In general, the hardserver determines which modules can perform a given command. If no module contains all the objects that are referred to in a given command, the server returns an error status.
However, some key-management operations must be performed together on the same module.
In such cases, your application must specify the ModuleID
.
To be able to share OCSs and keys between modules, the modules must be in the same Security World.
Adding a module
If you have a module installed, you can add further modules without reinstalling the server software.
However, we recommend that you always upgrade to the latest server software and upgrade the firmware in existing modules to the latest firmware.
Before you install new hardware, check the release notes on the installation media supplied with your new module for information about specific compatibility issues, new features, and bug fixes. |
-
Install the module hardware. Refer to the Installation Guide for information on installing nShield hardware.
-
Add the module to the Security World. Refer to Adding or restoring an HSM to the Security World.
Module fail-over
The Security World Software supports fail-over: if a module fails, its processing can be transferred automatically to another module provided the necessary keys have been loaded. Depending on the mode of failure, however, the underlying bus and operating system may not be able to recover and continue operating with the remaining devices.
To maximize uptime, we recommend that you fit any additional nShield modules for failover on a bus that is physically separate from that of the primary modules.
Stopping and restarting the hardserver
If necessary, you can stop the hardserver on the client, and where applicable the Remote Administration Service, by running the following command in a command window with administrative privileges:
net stop "nfast server"
If the Remote Administration Service is running, you will be warned and given the option of continuing or not.
Similarly, you can restart the hardserver on the client, and where applicable the Remote Administration Service, by running the following command in a command window with administrative privileges
net start "nfast server"
net start "nfast Remote Administration Service"
You can also stop, start, or restart the hardserver, and where applicable the Remote Administration Service, from the Windows Control Panel:
-
From the Windows Start menu, open the Windows Control Panel.
-
Double-click Administrative Tools.
-
Double-click Services.
-
Locate nFast Server or nFast Remote Administration Service in the list of services, and from the Action menu, select Stop, Start, or Restart as required.
The nFast Remote Administration Service, where applicable, is dependent on the nFast Server so should be started or restarted after the nFast Server.