Warrant Management

Warrant management for nShield Solo and nShield Edge

You must use a Windows machine to manage warrants for nShield Edge HSMs.

This appendix describes how you can ensure that a suitable warrant is available to allow an nShield Remote Administration Card to be used with nShield Solo and Edge HSMs. To be able to use an nShield Remote Administration Card you need to ensure that:

  • The appropriate firmware (2.61.2 or later) is installed on the nShield Solo or Edge HSM.

  • The nShield Solo or Edge HSM has a KLF2 warrant installed in the appropriate place.

Warranting steps for nShield Solo and nShield Edge

You need an appropriate support contract to obtain a KLF2 warrant from Entrust.

Ensure that v12.xx Security World Software has been installed on your host computer (it provides the nfwarrant tool) and that the nShield Solo or Edge HSM has firmware 2.61.2 or later installed.

You then need to carry out the following steps to ensure a suitable warrant is available:

  1. Check if the relevant module has the appropriate firmware.

  2. Check whether a warrant upgrade is required. If so, follow steps 3 to 6.

  3. Generate a Certificate Signing Request (CSR) for the warrant.

  4. Send the CSR to Entrust.

    Before you send it, ensure that the ESN contained in the upgrade request is the one that belongs to the relevant module, for example by running the nfkminfo command-line utility.

  5. Validate the warrant that you receive from Entrust to ensure that it matches the sent request.

  6. Install the warrant.

nfwarrant command-line utility

The nfwarrant command-line utility enables you to carry out all of the relevant warrant steps. It is used to:

  • Identify modules that have the appropriate firmware and KLF2 key

  • Identify modules that need their KLF2 key to be warranted by Entrust

  • Generate a warrant upgrade request for a specific module, as required

  • Install an upgraded warrant

  • List KLF2 warrants

Usage:

nfwarrant [--help] [--list] [--check] [--warrant] [--csr] [--details=FILE]
[--install=FILE] [--req=MODULE] [--out=FILE] [--verbose] [--version]

Options:

Option            Description

-h|--help         Displays the options you can use with the utility.
--list            List the ESNs of installed warrants.
--check           List the ESNs of known modules and their warrant state.
--warrant         Perform warrant operations.
--csr             Perform CSR operations.
--details=<FILE>  Display the module ESN found in the CSR or warrant <FILE> (use with --csr or --warrant).
--install=<FILE>  Install the warrant from <FILE> (use with --warrant).
--req=<MODULE>    Request a warrant CSR for the given module number or ESN (use with --csr).
--out=<FILE>      Save the newly requested CSR to <FILE>.
--verbose         Print extra information about CSR and warrant files.
--version         Print the version number of the nfwarrant tool.

Check the available hardware

$ nfwarrant --check

The following is an example output:

1 XXXX-XXXX-E0D2 Local, Warrant installed
2 XXXX-XXXX-CF11 Local, Warrant upgrade request possible
3 XXXX-XXXX-F1F2 Local, Warrant upgrade not supported
4 XXXX-XXXX-213B Remote, Warrant upgrade not required

In this example:

  • (1) already has a relevant warrant installed.

  • (2) is available for a warrant upgrade.

  • (3) cannot be upgraded, for example because the appropriate firmware is not installed.

  • (4) requires no warrant upgrade because the module is an nShield Connect.

Generate a warrant upgrade request for nShield Solo

Run the following command:

$ nfwarrant --csr --req <module>

The following is an example output, displaying the location of the resultant upgrade request for a module with ESN XXXX-XXXX-CF11:

CSR written to 'C:\ProgramData\nCipher\Key Management Data\warrants\csr_XXXX-XXXX-CF11'

Ensure that the ESN in this request file is the correct one (nfwarrant --csr --details <file> prints it) and send the file to Entrust to be signed.

Validate the warrant you receive from Entrust

  1. Run the following command:

    $ nfwarrant --warrant --details <file>

    The following is an example output:

    Warrant details:
    Filename: XXXX-XXXX-CF11
    ESN: XXXX-XXXX-CF11
    Keytype: ECDSAPublic
    Curve: NISTP521

  2. Compare the ESN in the file received from Entrust with the one in the original request by running the following command:

    $ nfwarrant --csr --details <file>

    The following is an example output:

    XXXX-XXXX-CF11

Install a warrant for nShield Solo

Run the following command:

$ nfwarrant --warrant --install <file>

<file> is the signed warrant provided by Entrust. Install it only after confirming that its ESN matches the ESN in the original request.
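The check, request, validate and install steps above, assembled into one script. This is an added example, not Entrust's code or documentation. It assumes that nfwarrant is on PATH, that nfwarrant --check prints one line per module in the "<number> <ESN> <Local|Remote>, <state>" form shown above, and that nfwarrant --warrant --details output contains an "ESN: <esn>" field; the --check output embedded in the script is constructed sample data. The text parsing is kept separate from the nfwarrant calls so the ESN comparison can be exercised without an HSM attached.

```shell
#!/bin/sh
# Added example (not Entrust documentation or code): wraps the nfwarrant
# workflow. Assumptions: nfwarrant is on PATH for the live functions; the
# `--check` line format is "<num> <ESN> <Local|Remote>, <state>" and
# `--warrant --details` output contains "ESN: <esn>". The parsing functions
# read text on stdin so they can be run offline.

# Constructed sample of `nfwarrant --check` output (ESNs are made up).
SAMPLE_CHECK_OUTPUT='1 1A2B-3C4D-E0D2 Local, Warrant installed
2 5E6F-7A8B-CF11 Local, Warrant upgrade request possible
3 9C0D-1E2F-F1F2 Local, Warrant upgrade not supported
4 3A4B-5C6D-213B Remote, Warrant upgrade not required'

# From `--check` output, print "<num> <ESN>" for every module whose state
# allows a warrant upgrade request.
upgradeable_modules() {
    awk '/Warrant upgrade request possible$/ { print $1, $2 }'
}

# From `--check` output, print the ESN recorded for module number $1.
# This is the cross-check the page asks for before a CSR is sent (the page
# also suggests nfkminfo for the same purpose).
esn_for_module() {
    awk -v n="$1" '$1 == n { print $2; exit }'
}

# From `--warrant --details` output, print the ESN that follows "ESN:".
# Works whether the fields are on one line or one per line.
warrant_esn() {
    sed -n 's/.*ESN:[[:space:]]*\([0-9A-Za-z-]*\).*/\1/p' | head -n 1
}

# Succeed only if both ESNs are present, have the 4-4-4 shape seen in the
# page's examples (assumption), and are identical.
esn_matches() {
    expected=$1
    actual=$2
    [ -n "$expected" ] || return 1
    [ "$expected" = "$actual" ] || return 1
    printf '%s\n' "$actual" | grep -Eq '^[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}$'
}

# Live step: request a CSR for module $1 only after confirming that the ESN
# nfwarrant reports for it is the ESN the operator expects ($2).
request_csr() {
    module=$1
    expected_esn=$2
    seen_esn=$(nfwarrant --check | esn_for_module "$module")
    if ! esn_matches "$expected_esn" "$seen_esn"; then
        echo "module $module reports ESN '$seen_esn', expected '$expected_esn'" >&2
        return 1
    fi
    nfwarrant --csr --req "$module"
}

# Live step: install the signed warrant $2 only if its ESN matches the ESN in
# the CSR $1 that was sent to Entrust.
install_if_matching() {
    csr_file=$1
    warrant_file=$2
    csr_esn=$(nfwarrant --csr --details "$csr_file" | tr -d '[:space:]')
    wrt_esn=$(nfwarrant --warrant --details "$warrant_file" | warrant_esn)
    if ! esn_matches "$csr_esn" "$wrt_esn"; then
        echo "ESN mismatch: CSR '$csr_esn', warrant '$wrt_esn'; not installing" >&2
        return 1
    fi
    nfwarrant --warrant --install "$warrant_file"
}

# Usage: warrant.sh demo
#        warrant.sh request <module> <expected-esn>
#        warrant.sh install <csr-file> <warrant-file>
case ${1:-} in
    demo)    printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | upgradeable_modules ;;
    request) request_csr "$2" "$3" ;;
    install) install_if_matching "$2" "$3" ;;
esac
```

Sending the CSR to Entrust remains a manual step between "request" and "install". The script refuses to install when the ESN in the returned warrant differs from the ESN in the CSR, which is the whole point of the validation step: a warrant for the wrong module is useless at best and, if installed against the wrong ESN, confusing to diagnose later.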

Warrant management for nShield Connect + and nShield Connect XC

You do not need to manage the warrants for nShield Connect HSMs: the HSM copies its warrant back to the host or RFS on startup.

Warrant management for nShield 5s and nShield 5c

You do not need to manage the warrants for nShield 5s and nShield 5c HSMs. Entrust supplies these HSMs with the required warrants pre-installed and stored within the module. The Security World software fetches warrants from the module when they are needed.

This includes a KLF2 and a KLF3 warrant. The KLF3 warrant is currently unused and is installed in preparation for multi-tenant systems.

To view the warrants installed on a module, run retrievewarrants. This stores a copy of the warrants in the host file system.