Checking and changing the mode on the HSM

This appendix tells you how to check and change the mode on the nShield HSM. You must change the mode to perform certain configuration tasks.

Front panel controls

See Front panel controls for a description of the nShield HSM user interface, including the front panel controls.

We recommend that you use a keyboard to manage the front panel menu options and enter text. See Using a keyboard to control the unit for more information.

Available modes

The following modes are available:

Operational

The default setting for day-to-day use.

Initialization

Sets the nShield HSM to start in pre-initialization mode. This allows you to use the nShield HSM to create a Security World or add the module to an existing one.

Maintenance

You cannot select this mode manually. It is managed by the nShield HSM and cannot be set by a user.

Identifying the current mode

You can check the current mode of the nShield HSM:

  • At the nShield HSM itself

  • By using the enquiry command-line utility from a client computer

  • By using KeySafe from a client computer

Checking the mode at the nShield HSM

The status LED

The nShield HSM Status LED indicates the operational status of the module.

| Status LED | Description |
|---|---|
| On, occasionally blinks off. | Status: Operational mode. The module is in Operational mode and accepting commands. The more frequently the Status LED blinks off, the greater the load on the module. |
| Flashes two short pulses, followed by a short pause. | Status: Initialization mode. Existing Security World data on the module has been erased. The module is automatically placed in Initialization mode after a Security World is created. |
| Flashes two long pulses followed by a pause. | Status: Maintenance mode. Used for reprogramming the module with new firmware. The module only goes into Maintenance mode during a software upgrade. |

The front panel display screen

The nShield HSM screen shows a color-coded footer at the bottom of the display when it is not in Operational mode.

| Footer color | Text in footer | Meaning |
|---|---|---|
| Yellow | Initialization | The system is rebooting or waiting for an Administrator Card to be inserted. |
| Blue | Maintenance | An administrative task is being performed. This mode is only entered during firmware upgrades. |
| Red | HSM Failed | The internal module has failed. |

Checking the mode using enquiry

You can use the enquiry command-line utility to display information about the hardserver and the status of the nShield HSM. The enquiry utility is in the bin subdirectory of the nCipher directory. This is usually /opt/nfast (Linux) or C:\Program Files\nCipher\nfast (Windows).

To check the mode using enquiry:

  1. Sign in to the client computer as a user, and open a command window.

  2. Run the command:

    Linux
    /opt/nfast/bin/enquiry
    Windows
    enquiry

    Example output:

    Server:
    enquiry reply flags     none
    enquiry reply level     Six
    serial number           ####-####-####-####
    mode                    operational
    version                 #.#.#
    speed index             ###
    rec. queue              ##..##
    ...
    version serial          #
    remote port (IPv4)      ####
    
    Module #1:
    enquiry reply flags     none
    enquiry reply level     Six
    serial number           ####-####-####-####
    mode                    operational
    version                 #.#.#
    speed index             ###
    rec. queue              ##..##
    ...
    rec. LongJobs queue     ##
    SEE machine type        PowerPCSXF

    In this example, the mode line shows that the nShield HSM is in operational mode.

Checking the mode by using KeySafe

You can use the Module Status tree of the KeySafe GUI to identify the current mode of the nShield HSM.

To check the mode using KeySafe:

  1. Start KeySafe on a client computer.

  2. Locate the Module Status tree (part of the Security World status panel) positioned to the bottom left of the KeySafe window.

  3. Expand the Security World and/or Outside Security World nodes as required.

  4. Locate the appropriate nShield HSM (Module).
    The current mode of the module is displayed in the State field.

See Using KeySafe for more about using KeySafe. See Module information for more about checking the mode.

Changing the mode

You can change the mode using:

  • The front panel controls of the nShield HSM

  • The nopclearfail command-line utility from a client computer

Changing the mode using the front panel controls

To change the mode, use the front panel menu screens and dialogs to do the following:

  1. Navigate to HSM > Set HSM mode.

  2. Select Initialisation or Operational as required.

Changing the mode using remote mode and nopclearfail

You can enable or disable changing the mode remotely. See enable_remote_mode in the server_settings section or the Top-level menu chapter of the HSM Install Guide. Once you have enabled remote mode changes, you can change the mode of the nShield HSM from a computer using the nopclearfail command, without accessing the unit itself.

Available commands

You can use the following commands to change the mode of a module:

    Command                               Resulting mode
    nopclearfail --operational | -O       Operational
    nopclearfail --initialization | -I    Pre-initialization

To change the mode, do the following:

  1. Run either:

    1. The nopclearfail --operational | -O command.
      or:

    2. The nopclearfail --initialization | -I command.

    When finished, the system responds with OK. It responds with OK regardless of whether the mode of the nShield HSM has changed or not. To confirm the state of the module, do the following:

  2. Run the enquiry command.
    The mode line of the Module section displays the current mode.
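
Because nopclearfail reports OK whether or not the mode changed, a script that changes the mode should read the mode back from the Module section of the enquiry output. The following is an added example, not vendor code: the function names, the ENQUIRY override and the sample output are assumptions made for illustration, and the only mode string shown on this page is "operational".

```shell
#!/bin/sh
# Added example, not vendor code.

# module_mode N: read enquiry output on stdin and print the mode of Module #N.
# The Server section has its own mode line, so a plain grep for "mode" is
# ambiguous; only the line inside the requested Module section is used.
module_mode() {
    awk -v want="Module #$1:" '
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line ~ /^(Server|Module #[0-9]+):$/ { sect = line; next }
        sect == want && line ~ /^mode[ \t]/ {
            sub(/^mode[ \t]+/, "", line); print line; found = 1; exit
        }
        END { exit !found }
    '
}

# confirm_mode N EXPECTED: run enquiry, compare Module #N's mode to EXPECTED.
# Returns 0 on match, 1 on mismatch, 2 if the module or mode line is absent.
# ENQUIRY is a hypothetical override used here for offline testing.
confirm_mode() {
    actual=$("${ENQUIRY:-/opt/nfast/bin/enquiry}" | module_mode "$1") || {
        echo "Module #$1: no mode line in enquiry output" >&2
        return 2
    }
    if [ "$actual" = "$2" ]; then
        echo "Module #$1 mode: $actual"
    else
        echo "Module #$1 mode is '$actual', expected '$2'" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real unit). The string
# "maintenance" is a stand-in; the page only shows the value "operational".
sample_enquiry() {
    cat <<'EOF'
Server:
 enquiry reply flags     none
 mode                    operational
 version                 0.0.0

Module #1:
 enquiry reply flags     none
 mode                    maintenance
 version                 0.0.0
EOF
}
```

After running nopclearfail -O, calling confirm_mode 1 operational gives a non-zero exit status if Module #1 did not actually reach operational mode, even though the Server section reports operational.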