nShield 5s modes of operation

This chapter describes the nShield 5s modes of operation, how to check and change the current mode, and how to return the HSM to factory state or recovery mode.

Modes of operation

The status of the nShield 5s HSM can only be one of the following:

Starting up
    The nShield 5s HSM is booting up and performing self tests. After all tests complete successfully, the HSM enters Operational mode.

Operational mode
    The nShield 5s HSM is working and ready to perform cryptographic operations. An initialized HSM enters Operational mode automatically after it is powered up and all self tests have completed successfully. To enter Operational mode manually, see Check and change the mode of operation.

Emulated maintenance mode
    The nShield 5s HSM is ready to receive maintenance commands, or is processing a maintenance command. The HSM remains in Emulated maintenance mode until you change the mode manually; see Check and change the mode of operation.

Pre-initialization mode
    The nShield 5s HSM is ready to receive initialization commands, for example commands to set the root-of-trust key (KNSO), to create a Security World, or to load an existing Security World. To enter Pre-initialization mode, see Check and change the mode of operation.

Initialization mode
    The nShield 5s HSM is processing an initialization command. After the command completes, the HSM returns to Pre-initialization mode.

Uninitialized mode
    The nShield 5s HSM was booted with no root-of-trust key (KNSO) set. This typically happens after leaving the factory state; see Return to factory state. To resolve this, switch to Pre-initialization mode, set the KNSO and reboot the HSM.

Error
    The nShield 5s HSM is in an error state; see HSM status and error codes. No cryptographic operations can be performed until the error has been cleared.

Recovery mode
    The nShield 5s HSM is running on the recovery image instead of the primary image. See Recovery mode.

Factory state
    The nShield 5s HSM is in the factory state. See Return to factory state.

Check and change the mode of operation

You must change the mode on the nShield 5s HSM to perform certain maintenance and configuration tasks. The nShield 5s HSM does not have a physical mode switch. Switch between modes using the nopclearfail utility.

Use the following commands to change the mode of an nShield 5s HSM:

Command                               Resulting mode
nopclearfail --maintenance | -M       Emulated maintenance mode
nopclearfail --operational | -O       Operational
nopclearfail --initialization | -I    Pre-initialization

  1. Run the nopclearfail command specifying the module number and the new mode.

    When finished, the system responds with OK. This message is not confirmation that the module has changed mode.

    nopclearfail --maintenance --module 1
    Module 1, command ClearUnitEx: OK
  2. Confirm the new mode of the module by running the enquiry command.

    The mode line of the Module section displays the current mode.

    enquiry -m1
    Module #1:
    enquiry reply flags  none
    enquiry reply level  Five
    serial number        XXXX-XXXX-XXXX
    mode                 Emulated maintenance mode. hsmadmin may be used to perform module management whilst in this mode.
    module type code     14
    product name         NC5536E/NC5536N
    device name          #1 Secure Shell nshield-XXXX-XXXX-XXXX.local
    hardware status      OK
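The procedure above stresses that the OK reply from nopclearfail only acknowledges the command and that the new mode must be confirmed with enquiry. The following script is an added example, not part of the Entrust documentation: it maps a target mode to the nopclearfail option from the table above, issues the command, and then polls enquiry until the mode line shows the requested mode. It assumes nopclearfail and enquiry are on PATH (for example from /opt/nfast/bin); the helper names (mode_flag, enquiry_mode, mode_matches, set_mode) and the poll count are ours.

```shell
#!/bin/sh
# Added example (not Entrust's code): change an nShield 5s module's mode and
# verify the change with enquiry, because "ClearUnitEx: OK" is not confirmation.
# Assumes nopclearfail and enquiry are on PATH. Helper names are our own.

# Map a target mode name to the nopclearfail option from the documentation table.
mode_flag() {
    case "$1" in
        maintenance)    echo "--maintenance" ;;
        operational)    echo "--operational" ;;
        initialization) echo "--initialization" ;;
        *)              return 1 ;;
    esac
}

# Keyword that must appear in the enquiry mode string for each target mode.
expected_keyword() {
    case "$1" in
        maintenance)    echo "maintenance" ;;
        operational)    echo "operational" ;;
        initialization) echo "initialization" ;;
        *)              return 1 ;;
    esac
}

# Read enquiry output on stdin and print the value of the "mode" line, keeping
# only the text before the first '.', e.g. "Emulated maintenance mode".
# The "module type code" line is not matched because "module" is not "mode"
# followed by two or more spaces.
enquiry_mode() {
    sed -n 's/^[[:space:]]*mode[[:space:]]\{2,\}//p' | sed 's/\..*//' | head -n 1
}

# mode_matches <mode-string> <target>: success if the string names the target mode.
mode_matches() {
    kw=$(expected_keyword "$2") || return 1
    printf '%s\n' "$1" | grep -qi -- "$kw"
}

# set_mode <module-number> <target-mode>: run nopclearfail, then poll enquiry
# (up to 10 times, one second apart) until the module reports the target mode.
set_mode() {
    module=$1
    target=$2
    flag=$(mode_flag "$target") || { echo "unknown mode: $target" >&2; return 2; }
    nopclearfail "$flag" --module "$module" || return 1   # prints "... ClearUnitEx: OK"
    i=0
    current=""
    while [ "$i" -lt 10 ]; do
        current=$(enquiry -m"$module" | enquiry_mode)
        if mode_matches "$current" "$target"; then
            echo "module $module now in: $current"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "module $module did not reach $target mode (last seen: '$current')" >&2
    return 1
}

# Usage (uncomment on a host with the nShield tools installed):
# set_mode 1 maintenance
```

Because the script only looks for the mode keyword in the enquiry mode line, it copes with both the short form (for example "operational") and the longer Emulated maintenance mode line shown above, which carries an explanatory sentence after the mode name.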

Return to factory state

nShield 5s HSMs that are delivered from the factory contain no data relating to the ncoreapi service. A small amount of 'lifetime' data, which is used by the platform services, is pre-installed. This data is for personalisation and identification of the individual HSM, such as its ESN.

You can perform a reset operation that returns the data stored in an HSM to the state it was in when it left the factory. This erases user credentials and information, leaving only the 'lifetime' data.

When an HSM is in this state, it does not support any user commands other than hsmadmin enroll, and you must follow the process described in Set up communication between host and module before any further actions can be taken.

Purpose of factory state

The main reason for returning an nShield 5s HSM to factory state is to securely erase all user secrets. This is important when, for example:

  • The HSM is being taken out of service.

  • The HSM is being moved from one domain to another, where it is important to ensure that there is no possibility of secrets being leaked between domains.

  • The HSM is being returned to Entrust for servicing or warranty.

Returning a unit to factory state will also be necessary if you have lost possession of the SSH keys used to communicate with the HSM and you have not previously made a backup of those keys with hsmadmin keys backup (or hsmadmin keys backup --passphrase if the HSM is being re-installed in a different machine). If this happens, returning the HSM to factory state will allow hsmadmin enroll to successfully create new keys and re-establish communication with the HSM.

Enter and exit the factory state

The nShield 5s HSM can be returned to factory state in one of two ways: either by using hsmadmin factorystate, or by placing the HSM in recovery mode as described in Recovery mode.

If the SSH keys used to communicate with the HSM have been lost, only the recovery mode option is possible. Both of the above methods include a reboot of the HSM.

The HSM is taken out of factory state by running hsmadmin enroll.

Recovery mode

nShield 5s HSMs are loaded with two different firmware images:

  • The primary image.

  • A recovery image.

During normal operation, the HSM is running firmware that is loaded from the primary image.

If required, the HSM can be forced into recovery mode to run firmware loaded from the recovery image. Entry into recovery mode performs the same actions as hsmadmin factorystate.

Recovery mode is useful in the following cases:

Restrictions in recovery mode

The main purpose of recovery mode is to allow essential maintenance activities that are not possible when the nShield 5s is running the primary image firmware.

The ncoreapi and launcher services don’t run when the nShield 5s is in recovery mode. Only the platform services are available, meaning that only the commands described in Administration of platform services are available.

Commands that use the ncoreapi or launcher service do not run and may show error messages.

Entry into recovery mode

Boot the nShield 5s HSM into recovery mode by holding down the recovery mode button on the back panel of the HSM while rebooting. See the appropriate Installation Guide for your nShield HSM for the location of the recovery mode button. This button is non-latching and must be held down for at least 60s after the reboot has been initiated. The reboot may be triggered either by hsmadmin reset or by power cycling the host machine containing the HSM.

Booting into recovery mode performs the same actions as hsmadmin factorystate. You must run hsmadmin enroll after the boot has completed before any further actions can be performed.

Run hsmadmin status to verify that the HSM is in recovery mode.

Exit from recovery mode

Exit recovery mode by booting the nShield 5s HSM without the recovery mode button held down. If the firmware is changed while in recovery mode using hsmadmin upgrade, the unit reboots automatically.

When the unit next boots into primary mode it will be in factory state. You must run hsmadmin enroll again before any further actions can be performed.

If you exited recovery mode using hsmadmin reset, or as part of a firmware upgrade, you must restart the hardserver/nFast server after running hsmadmin enroll.

Run hsmadmin status to verify that the HSM is in the correct mode.