Checking the installation

This guide covers the following HSMs:

  • nShield 5s

  • nShield Solo

  • nShield Solo XC

This guide describes what to do if you have an issue with the module or the software.

The facilities described below are only available if the software has been installed successfully. If the software has not installed correctly, see Problems during installation and commissioning.

Checking operational status

Enquiry utility

Run the enquiry utility to check that the module is working correctly. You can find the enquiry utility in the bin subdirectory of the nCipher directory. This is usually:

  • C:\Program Files\nCipher\nfast for Windows

  • /opt/nfast for Linux

If the module is working correctly, the enquiry utility returns a message similar to the following:

nShield 5s

Server:
enquiry reply flags  none
enquiry reply level  Six
serial number        ############-####
mode                 operational
version              #.#.#
speed index          ###
rec. queue           ##..##
...
module type code     0
product name         nFast server
...
Module ##:
enquiry reply flags  none
enquiry reply level  Six
serial number        ############-####
mode                 operational
version              #.#.#
speed index          ###
rec. queue           ##..##
...
module type code     14
product name         #######/#######
...
rec. LongJobs queue  ##
SEE machine type     None
supported KML types  DSAp1024s160 DSAp3072s256
active modes         none
physical serial      48-U50104
hardware part no     PCA10005-01 revision 03
hardware status      OK

nShield Solo

Server:
enquiry reply flags    none
enquiry reply level    Six
serial number          ############-####
mode                   operational
version                #.#.#
speed index            ###
rec. queue             ##..##
...
version serial         #
remote server port     ####
...
module type code       0
product name           nFast server
...
Module ##:
enquiry reply flags    none
enquiry reply level    Six
serial number          ############-####
mode                   operational
version                #.#.#
speed index            ###
rec. queue             ##..##
...
module type code       7
product name           #######/#######/#######
...
rec. LongJobs queue    ##
SEE machine type       Power PCSXF
supported KML types    DSAp1024s160 DSAp3072s256
hardware status        OK

nShield Solo XC

Server:
enquiry reply flags    none
enquiry reply level    Six
serial number          ############-####
mode                   operational
version                #.#.#
speed index            ###
rec. queue             ##..##
...
module type code       0
product name           nFast server
...
version serial         #
remote server port     ####

Module ##:
enquiry reply flags    none
enquiry reply level    Six
serial number          ############-####
mode                   operational
version                #.#.#
speed index            ###
rec. queue             ##..##
...
module type code       12
product name           #######/#######/#######
...
rec. LongJobs queue    ##
SEE machine type       Power PCELF
supported KML types    DSAp1024s160 DSAp3072s256
hardware status        OK

If the mode is operational the module has been installed correctly.

If the mode is initialization or maintenance, the module has been installed correctly, but you must change the mode to operational. See the User Guide for your module and operating system for more about changing the module mode.

If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.

If the operating system supports power saving, disable power saving. See Install a PCIe HSM for more information. Otherwise, if your system enters Sleep mode, the HSM may not be found when running enquiry. If this happens, you need to reboot your system.

nFast server (hardserver)

Communication can only be established with a module if the nFast server is running. If the server is not running, the enquiry utility returns the message:

NFast_App_Connect failed: ServerNotRunning

Restart the nFast server, and run the enquiry utility again. See the User Guide for your module and operating system for more about how to restart the nFast server.
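The checks described above (module mode, module not found, ServerNotRunning) can be automated over captured enquiry output. The following Python sketch is an added example, not vendor code; the sample text is constructed, and treating any hardware status other than OK as a problem is an assumption.

```python
import re

# Constructed sample in the layout shown above; all values are placeholders.
SAMPLE = """\
Server:
mode                 operational

Module #1:
mode                 operational
hardware status      OK

Module #2:
mode                 maintenance
hardware status      OK
"""

def parse_enquiry(text):
    """Split enquiry output into {section: {field: value}}."""
    if "ServerNotRunning" in text:
        raise RuntimeError("nFast server not running: restart it, re-run enquiry")
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        if line.endswith(":") and "  " not in line:
            current = sections.setdefault(line[:-1], {})  # "Server", "Module #1"
        elif current is not None:
            # Field name and value are separated by a run of two or more spaces.
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return sections

def check_modules(sections):
    """Return (section, problem) pairs for anything that needs attention."""
    modules = [name for name in sections if name.startswith("Module")]
    if not modules:
        return [("-", "module not found")]
    problems = []
    for name in modules:
        mode = sections[name].get("mode")
        if mode != "operational":
            problems.append((name, f"mode is {mode}"))
        # Assumption: any hardware status other than OK is worth flagging.
        status = sections[name].get("hardware status")
        if status is not None and status != "OK":
            problems.append((name, f"hardware status is {status}"))
    return problems
```

Calling check_modules(parse_enquiry(SAMPLE)) reports Module #2 because its mode is maintenance rather than operational.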

Mode switch and jumper switches (nShield Solo and Solo XC only)

The mode switch on the back panel controls the mode of the module. See the User Guide for your module and operating system for more about checking and changing the mode of an HSM. You can set the physical mode override jumper switch on the circuit board of the nShield Solo to the On position to prevent accidental operation of the mode switch. If this override jumper switch is on, the nShield Solo and nShield Solo XC will ignore the position of the mode switch (see Back panel and jumper switches).

You can set the remote mode override jumper switch on the circuit board of the nShield Solo and nShield Solo XC to the On position to prevent mode change using the nopclearfail command. This should be done if, for example, the security policies of your organization require the physical mode switch to be used to authorize mode changes.

Log message types

By default, the hardserver writes log messages to:

  • The Windows operating system event log.

  • log/logfile in the nCipher directory (normally the /opt/nfast/log directory) on Linux.

The environment variable NFAST_SERVERLOGLEVEL determines what types of message you see in your log. The default is to display all types of message. For more information on NFAST_SERVERLOGLEVEL, see the User Guide for your module and operating system.

    NFAST_SERVERLOGLEVEL is a legacy debug variable.

Information

This type of message indicates routine events:

nFast Server service: about to start
nFast Server service version starting
nFast server: Information: New client clientid connected
nFast server: Information: New client clientid connected - privileged
nFast server: Information: Client clientid disconnected
nFast Server service stopping

Notice

This type of message is sent for information only:

nFast server: Notice: message

Client

This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected):

nFast server: Detected error in client behaviour: message

Serious error

This type of message indicates a serious error, such as a communications or memory failure:

nFast server: Serious error, trying to continue: message

If you receive a serious error, even if you are able to recover, contact Support.

Serious internal error

This type of message indicates that the server has detected a serious error in the reply from the module. These messages indicate a failure of either the module or the server:

nFast server: Serious internal error, trying to continue: message

If you receive a serious internal error, contact Support.

Start-up errors

This type of message indicates that the server was unable to start:

nFast server: Fatal error during startup: message
nFast Server service version failed init.
nFast Server service version failed to read registry

Reinstall the server as described in the User Guide for your module and operating system. If this does not solve the problem, contact Support.

Fatal errors

This type of message indicates a fatal error for which no further reporting is available:

nFast server: Fatal internal error

or

nFast server: Fatal runtime error

If you receive either of these errors, contact Support.
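The message types above can be matched mechanically when reviewing a hardserver log. The following Python sketch is an added example, not vendor code; the patterns are built from the message templates on this page, and the sample log lines are constructed.

```python
import re

# (category, pattern, action), built from the message templates on this page.
RULES = [
    ("start-up error",
     r"Fatal error during startup:|nFast Server service\b.*failed (init|to read registry)",
     "reinstall the server; contact Support if that does not help"),
    ("fatal error", r"nFast server: Fatal (internal|runtime) error", "contact Support"),
    ("serious internal error", r"nFast server: Serious internal error,", "contact Support"),
    ("serious error", r"nFast server: Serious error,", "contact Support"),
    ("client", r"nFast server: Detected error in client behaviour:", None),
    ("notice", r"nFast server: Notice:", None),
    ("information",
     r"nFast server: Information:|nFast Server service\b.*(about to start|starting|stopping)",
     None),
]

# Constructed log lines; client ids, version and message text are made up.
SAMPLE_LOG = [
    "nFast Server service: about to start",
    "nFast Server service 1.2.3 starting",
    "nFast server: Information: New client 7 connected - privileged",
    "nFast server: Detected error in client behaviour: bad length",
    "nFast server: Serious error, trying to continue: read failed",
    "nFast server: Fatal runtime error",
]

def classify(line):
    """Return (category, action); search() tolerates any timestamp prefix."""
    for category, pattern, action in RULES:
        if re.search(pattern, line):
            return category, action
    return "unrecognised", None

def triage(lines):
    """Return (line number, category, action) for lines that need follow-up."""
    hits = []
    for number, line in enumerate(lines, start=1):
        category, action = classify(line)
        if action is not None:
            hits.append((number, category, action))
    return hits
```

Running triage(SAMPLE_LOG) returns only the serious error and the fatal error, each with the follow-up this guide gives for that message type.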

BadTokenData error (Solo only)

The PCIe module (not the Solo XC module) is equipped with a rechargeable backup battery for maintaining Real-Time Clock (RTC) operation when the module is powered down. This battery typically lasts for two weeks. If the module is without power for an extended period, the RTC time is lost. When this happens, attempts to read the clock (for example, using the ncdate or rtc utilities) return a BadTokenData error status.

The correct procedure in these cases is to reset the clock and leave the module powered up for at least ten hours to allow the battery to recharge. No other nonvolatile data is lost when this occurs. See the User Guide for your module and operating system for more about resetting the clock.

The Solo XC module is equipped with a battery with a ten year life for maintaining RTC operation when the module is powered down. The RTC will not require resetting after the module has been shut down for extended periods. The battery is not rechargeable.