Warrant Management for Solo and Edge

This appendix describes how you can ensure that a suitable warrant is available to allow an nShield Remote Administration Card to be used with nShield Solo and Edge HSMs. To be able to use an nShield Remote Administration Card you need to ensure that:

  • The appropriate firmware (2.61.2 or later) is installed on the nShield Solo or Edge HSM.

    See Upgrading firmware for more about firmware versions.

  • The nShield Solo or Edge HSM has a KLF2 warrant installed in the appropriate place.

Warranting steps

You need an appropriate support contract to obtain a KLF2 warrant from Entrust.

Ensure v12.xx Security World Software has been installed on your host computer (to access the nfwarrant tool) and that the nShield Solo or Edge HSM has firmware 2.61.2 or later installed.

You then need to carry out the following steps to ensure a suitable warrant is available:

  1. Check if the relevant module has the appropriate firmware.

  2. Check if a warrant upgrade is required. If so, follow steps 3-6.

  3. Generate a Certificate Signing Request (CSR) for the warrant.

  4. Send the CSR to Entrust.

    Ensure that the ESN contained in the upgrade request is the one that belongs to the relevant module, for example, by running the nfkminfo command-line utility. See Displaying information about a Security World with nfkminfo for more about viewing an ESN.

  5. Validate the warrant that you receive from Entrust to ensure that it matches the sent request.

  6. Install the warrant.

nfwarrant command-line utility

The nfwarrant command-line utility enables you to carry out all of the relevant warrant steps. It is used to:

  • Identify modules that have the appropriate firmware and KLF2 key

  • Identify modules that need their KLF2 key to be warranted by Entrust

  • Generate a warrant upgrade request for a specific module, as required

  • Install an upgraded warrant

  • List KLF2 warrants

Running nfwarrant

Usage

nfwarrant [--help] [--list] [--check] [--warrant] [--csr] [--details=FILE]
[--install=FILE] [--req=MODULE] [--out=FILE] [--verbose] [--version]

Options

Option Description

-h|--help

Displays the options you can use with the utility.

--list

List ESNs of installed warrants

--check

List ESNs of known modules and their warrant state

--warrant

Perform warrant operations

--csr

Perform CSR operations

--details=<FILE>

Display the module ESN found in the CSR/warrant <file>

--install=<FILE>

Install the warrant from <file>

--req=<MODULE>

Request a warrant CSR for the given module number/ESN

--out=<FILE>

Save the new requested CSR to <file>

--verbose

Print extra information about CSR and warrant files

--version

Print the version number of the nfwarrant tool

Checking the available hardware

Run the following command:

$ nfwarrant --check

The following is an example output:

1 XXXX-XXXX-E0D2 Local, Warrant installed
2 XXXX-XXXX-CF11 Local, Warrant upgrade request possible
3 XXXX-XXXX-F1F2 Local, Warrant upgrade not supported
4 XXXX-XXXX-213B Remote, Warrant upgrade not required

In this example:

  • (1) already has a relevant warrant installed.

  • (2) is available for a warrant upgrade.

  • (3) cannot be upgraded, for example because the appropriate firmware is not installed.

  • (4) does not require a warrant upgrade, because the module is an nShield Connect.

Generating a warrant upgrade request

Run the following command:

$ nfwarrant --csr --req <module>

The following is an example output, displaying the location of the resultant upgrade request for a module with ESN XXXX-XXXX-CF11:

CSR written to 'C:\ProgramData\nCipher\Key Management Data\warrants\csr_XXXX-XXXX-CF11'

Ensure that the ESN in this request file is the correct one and send the file to Entrust to be signed.

Validating the warrant you receive from Entrust

  1. Run the following command:

    $ nfwarrant --warrant --details <file>

    The following is an example output:

    Warrant details:
      Filename: XXXX-XXXX-CF11
      ESN: XXXX-XXXX-CF11
      Keytype: ECDSAPublic
      Curve: NISTP521

  2. Compare the ESN in the file received from Entrust with the one in the original request, by running the following command:

    $ nfwarrant --csr --details <file>

    The following is an example output:

    XXXX-XXXX-CF11

Installing a warrant

Run the following command:

$ nfwarrant --warrant --install <file>

<file> is the signed warrant provided by Entrust.
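The check, validate and install steps above, tied together as an added shell example that is not part of Entrust's documentation or tooling: it parses the nfwarrant output formats shown on this page from a constructed sample, refuses to install a warrant whose ESN does not match the CSR that was sent, and only calls nfwarrant itself if the tool is found on PATH.

```shell
#!/bin/sh
# Added example (not Entrust's own code): find modules eligible for a warrant
# upgrade and verify warrant/CSR ESNs agree before installing.

# Constructed sample of `nfwarrant --check` output, in the format shown above.
SAMPLE_CHECK='1 XXXX-XXXX-E0D2 Local, Warrant installed
2 XXXX-XXXX-CF11 Local, Warrant upgrade request possible
3 XXXX-XXXX-F1F2 Local, Warrant upgrade not supported
4 XXXX-XXXX-213B Remote, Warrant upgrade not required'

# Print "<module> <ESN>" for each module whose state allows a CSR to be generated.
upgradeable_modules() {
    printf '%s\n' "$1" | awk '/Warrant upgrade request possible/ { print $1, $2 }'
}

# Extract the ESN from `nfwarrant --warrant --details` output ("ESN: XXXX-XXXX-CF11"),
# whether the details are printed on one line or several.
warrant_esn() {
    printf '%s\n' "$1" | sed -n 's/.*ESN: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1
}

# `nfwarrant --csr --details` prints the bare ESN; strip surrounding whitespace.
csr_esn() {
    printf '%s\n' "$1" | tr -d '[:space:]'
}

# Succeed only if the warrant ESN equals the CSR ESN and, when a third argument
# (the module's ESN, e.g. from nfkminfo) is given, that one too.
esn_matches() {
    w=$(warrant_esn "$1"); c=$(csr_esn "$2")
    [ -n "$w" ] && [ "$w" = "$c" ] && { [ -z "$3" ] || [ "$w" = "$3" ]; }
}

# Real flow: usage `script.sh WARRANT_FILE CSR_FILE`, run only when nfwarrant exists.
if command -v nfwarrant >/dev/null 2>&1 && [ $# -eq 2 ]; then
    warrant_file=$1; csr_file=$2
    if esn_matches "$(nfwarrant --warrant --details "$warrant_file")" \
                   "$(nfwarrant --csr --details "$csr_file")"; then
        nfwarrant --warrant --install "$warrant_file"
    else
        echo "ESN mismatch between warrant and CSR; not installing" >&2
        exit 1
    fi
fi
```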