Warrant Management for Solo and Edge
This appendix describes how you can ensure that a suitable warrant is available to allow an nShield Remote Administration Card to be used with nShield Solo and Edge HSMs. To be able to use an nShield Remote Administration Card you need to ensure that:
-
The appropriate firmware is installed on the nShield Solo or Edge HSM. (Firmware 2.61.2 or later)
See Upgrading firmware for more about firmware versions.
-
The nShield Solo or Edge HSM has a KLF2 warrant installed in the appropriate place.
Warranting steps
| You need an appropriate support contract to obtain a KLF2 warrant from Entrust. |
Ensure v12.xx Security World Software has been installed on your host computer (to access the nfwarrant tool) and the nShield Solo or Edge HSM has Firmware 2.61.2 firmware or later installed.
You then need to carry out the following steps to ensure a suitable warrant is available
-
Check if the relevant module has the appropriate firmware.
-
Check if a warrant upgrade is required, if so, follow steps 3-6.
-
Generate a Certificate Signing Request (CSR) for the warrant.
-
Send the CSR to Entrust.
Ensure that the ESN contained in the upgrade request is the one that belongs to the relevant module, for example, by running the nfkminfocommand-line utility. See Displaying information about a Security World with nfkminfo for more about viewing an ESN. -
Validate the warrant that you receive from Entrust to ensure that it matches the sent request.
-
Install the warrant.
nfwarrant command-line utility
The nfwarrant command-line utility enables you to carry out all of the relevant warrant steps.
It is used to:
-
Identify modules that have the appropriate firmware and KLF2 key
-
Identify modules that need their KLF2 key to be warranted by Entrust
-
Generate a warrant upgrade request for a specific module, as required
-
Install an upgraded warrant
-
List KLF2 warrants
Running nfwarrant
Usage
nfwarrant [--help] [--list] [--check] [--warrant] [--csr] [--details= FILE] [--install= FILE] [--req= MODULE] [--out= FILE] [--verbose] [--version]
Options
| Option | Description |
|---|---|
|
Displays the options you can use with the utility. |
|
List ESNs of installed warrants |
|
List ESNs of known modules and their warrant state |
|
Perform warrant operations |
|
Perform CSR operations |
|
Display the module ESN found in the CSR/warrant <file> |
|
Install the warrant from <file> |
|
Request a warrant CSR for the given module number/ESN |
|
Save the new requested CSR to <file> |
|
Print extra information about CSR and warrant files |
|
Print the version number of the nfwarrant tool |
Checking the available hardware
Run the following command:
$ nfwarrant --check
The following is an example output:
1 XXXX-XXXX-E0D2 Local, Warrant installed 2 XXXX-XXXX-CF11 Local, Warrant upgrade request possible 3 XXXX-XXXX-F1F2 Local, Warrant upgrade not supported 4 XXXX-XXXX-213B Remote, Warrant upgrade not required
In this example:
-
(1) already has a relevant warrant installed.
-
(2) is available for a warrant upgrade.
-
(3) cannot be upgraded. For example, the appropriate firmware is not installed.
-
(4) no warrant upgrade is required. The module is an nShield Connect.
Generating a warrant upgrade request
Run the following command:
$ nfwarrant --csr --req <module>The following is an example output, displaying the location of the resultant upgrade request for a module with ESN XXXX-XXXX-CF11:
CSR written to 'C:\ProgramData\nCipher\Key Management Data\warrants\csr_XXXX-XXXX-CF11'Ensure that the ESN in this request file is the correct one and send the file to Entrust to be signed.
Validating the warrant you receive from Entrust
-
Run the following command:
$ nfwarrant --warrant --details <file>The following is an example output:
Warrant details: Filename: XXXX-XXXX-CF11 ESN: XXXX-XXXX-CF11 Keytype: ECDSAPublic Curve: NISTP521 -
Compare the ESN in the file received from Entrust with the one in the original request, by running the following command:
$ nfwarrant --csr --details <file>The following is an example output:
XXXX-XXXX-CF11