Platform services and ncoreapi
The nShield HSM firmware provides multiple services.
These are divided into platform services and the ncoreapi service.
ncoreapi service
The ncoreapi service provides cryptographic services to the end user.
These are reached either through custom applications that the end user writes against the ncoreapi service, as described in nCore API Documentation and Cryptographic API, or through the utilities provided on the installation media.
Platform services
Several platform services perform the tasks associated with the installation, commissioning, and maintenance of the HSM firmware and hardware.
These run independently of the ncoreapi service.
The platform services are:
| Service name | Function |
|---|---|
| | This service provides functions to upgrade the HSM firmware |
| | This service provides functions to view the HSM 'lifetime' data installed in the factory and to return the HSM to factory settings |
| | This service provides functions to retrieve and clear logs stored within the HSM |
| | This service provides functions to manage the SSH keys used by the platform services and the |
| | Launcher service. On versions with CodeSafe 5 support, this is used for starting CodeSafe 5 applications on the HSM. |
The administration of platform services is described in Administration of platform services.
An interlock mechanism prevents most platform services from being accessed when the ncoreapi service is in operational mode:
- Non-invasive services that only access information, such as log retrieval or a firmware version check, can be used while ncoreapi is running.
- Invasive services that would change the platform’s state, such as log clearing or firmware updates, cannot be used while ncoreapi is running.
To access invasive platform services, the ncoreapi service must be put into maintenance mode using nopclearfail -M -m <MODULEID> -w.
For example:
>nopclearfail -M -m 1
Module 1, command ClearUnitEx: OK
Separation of services
Each of the platform services and the ncoreapi service has its own communication channel with the host PC, protected by SSH encryption.
The procedure for installing the necessary SSH keys is described in Set up communication between host and module.