System upgrade

Terminology

Within this section the term 'software' is used to mean Security World software running on the PC in which the HSM is installed and the term 'firmware' is used to mean the Security World firmware running on the HSM.

The software and firmware can be upgraded independently.

Software and firmware compatibility

In general, Entrust recommends that you use the software and firmware from the same version of Security World. The system is designed to be backwards compatible so that it will still operate with differing versions of software and firmware but some functionality may not be available and you may receive warnings during operation.

This user guide describes the behaviour of v13.5 software interacting with v13.5 firmware. Some areas where functionality differs depending on the version of firmware loaded are also described in this guide but it is not possible to describe all possible combinations of software and firmware.

Release notes and user guides for each Security World release are available from the Entrust website and these together with Entrust Support will help you should you experience any problems when operating with differing versions of software and firmware.

System upgrade procedure

When upgrading the whole system, Entrust recommends that you always upgrade the host software before upgrading the HSM firmware, however this is not mandatory and you may upgrade the firmware first should you wish to do so.

Always read the release notes accompanying the Security World release before upgrading any part of the system as these may include additional upgrade steps.
If the Version Security Number (VSN) of the firmware has been increased, it may not be possible to roll-back the firmware to the previous version after upgrade. See Version Security Number for more information.

Software upgrade procedure

For Security World software upgrades, you do not need to delete key data or any existing Security World. If you do delete Security World data, it cannot be restored unless you have an up-to-date backup and a quorum of the Administrator Card Set (ACS) available.

Before upgrading software

You must perform these steps if you are planning to re-install the Security World software, for example to re-install it on the same machine after an operating system update, or to install a newer Security World software version as part of an upgrade.

Performing these steps is useful even if you are not planning a re-install because it preserves data that you would otherwise irretrievably lose when you uninstall the Security World software.

  1. For Linux installations make a backup of your Security World and nShield configuration files stored in /opt/nfast/kmdata/ and /opt/nfast/hardserver.d by copying them to external media or to a location not within /opt/nfast.

    When you are upgrading the Security World, you will also restore the backup to preserve your PKCS #11 and Soft KNETI authentication settings and any customizations. If you delete the /opt/nfast or $NFAST_HOME directory without making a copy of it, you will lose these configuration settings. When you are restoring a Security World from a backup, you will need to maintain permissions.

  2. Back up your SSH keys, see Making a backup of installed SSH keys.

    • If you are planning a clean reinstallation of the Security World software on the same machine and same operating system, back up your SSH keys in /opt/nfast/services using hsmadmin keys backup.

    • If you are planning to re-create the Security World on a different machine or after re-installing the operating system, use hsmadmin keys backup --passphrase. hsmadmin keys backup alone is only suitable for a local backup followed by a local restore on the same machine and same operating system.

      If you erase your SSH keys without making a backup you will need to use recovery mode, see Recovery mode to restore communication with the HSM. This will return the HSM to factory state, see Factory state.

Upgrading software

Software upgrade is performed by uninstalling the old software as described in Uninstalling Security World Software and then installing the new software as described in Installing the software in the nShield 5s User Guide.

After upgrading software

  1. Copy back any data that was manually backed-up as part of the procedures in Before upgrading software to the locations from which it was copied.

  2. Restore communication with the HSM by following the procedures at restoring SSH keys from backup.

Firmware upgrade procedure