Environment variables

This appendix describes the environment variables used by Security World Software.

When you use these environment variables on Windows to configure nShield services such as the hardserver (nFast Server service), they must be set as System variables, not as User variables. Any service that the environment variable changes are intended for must be restarted for the change to take effect.
Variable Description Win Lnx

KERNEL_HEADERS

This variable allows you to specify the path to kernel headers (if, for example, they are not in the default directory). It is necessary for the configuration script to be able to find the kernel headers when building the PCI driver during software installation.

Win: n, Lnx: y

NFAST_CERTDIR

This variable specifies the path to the dynamic feature-enabling Feature Certificates directory. You only need to change the value of this variable if you move the Installation directory. See NFAST_HOME, NFAST_KMDATA, and NFAST_LOGDIR.

Win: y, Lnx: y

NFAST_DEBUG

This variable enables debug logging for the PKCS #11 library. You must set NFAST_DEBUG equal to a value in the range 1 – 7 for debug messages to be logged (see the Logging, Debugging, and Diagnostics chapter of the User Guide for your HSM).

Win: y, Lnx: y

NFAST_DEBUGSYSLOG

This variable redirects debug logging to syslog. The value of the environment variable should be one of the syslog facilities to be used. Prefixing the facility name with + enables traditional logging and syslog simultaneously.

Win: y, Lnx: y

NFAST_HOME

This variable specifies the path to the Installation directory, which is set by the Security World Software installation script. You only need to change the value of this variable if you move the Installation directory. See NFAST_KMDATA, NFAST_CERTDIR, and NFAST_LOGDIR.

Win: y, Lnx: y

NFAST_KMDATA

This variable sets the location of the Key Management Data directory. You only need to change the value of this variable if you move the Key Management Data directory. See NFAST_HOME, NFAST_CERTDIR, NFAST_LOGDIR, and NFAST_KMLOCAL.

Win: y, Lnx: y

NFAST_KMLOCAL

This variable specifies the location of the Key Management and Security World Data directory. If this environment variable is not set, by default the module looks for the Security World data in the local subdirectory of the Key Management Data directory. See NFAST_KMDATA.

Win: y, Lnx: y

NFAST_LOGDIR

This variable specifies the location of the Log Files directory. You only need to change the value of this variable if you move the Log Files directory. See NFAST_HOME, NFAST_KMDATA, and NFAST_CERTDIR.

Win: y, Lnx: y

NFAST_USER_LOGDIR

This variable specifies the location of log files that are specific to each user. In Security World versions before 12.60.3, the default is the user’s home directory (Linux) or user profile folder (Windows). From 12.60.3, the default is the subdirectory nshieldlogs in the home directory or user profile folder.

Win: y, Lnx: y

NFAST_NFKM_TOKENSFILE

NFAST_NFKM_TOKENSSELECT

This variable sets the default values for a file in which ClientID and KeyIDs are stored by the preload command-line utility.

Win: y, Lnx: y

NFAST_SEE_MACHINEENCKEY_DEFAULT

This variable is the name of the SEEConf key needed to decrypt SEE-machine images. Running the command loadmache --encryptionkey=<IDENT> (or loadmache --unencrypted) overrides any value set by this variable.

Win: y, Lnx: y

NFAST_SEE_MACHINEENCKEY_<module>

This variable is the name of the SEEConf key needed to decrypt the SEE-machine image targeted for the specified module. It overrides NFAST_SEE_MACHINEENCKEY_DEFAULT for the specified module. Running the command loadmache --encryptionkey=<IDENT> (or loadmache --unencrypted) overrides any value set by this variable.

Win: y, Lnx: y

NFAST_SEE_MACHINEIMAGE_DEFAULT

This variable is the path of the SEE machine image to load on to any module for which a specific image is not defined. Supplying the machine-filename parameter when running the loadmache command-line utility overrides this variable. This variable is not affected when running the loadsee-setup or hsc_loadseemachine utilities.

Win: y, Lnx: y

NFAST_SEE_MACHINEIMAGE_<module>

This variable is the path of the SEE machine image to load on to the specified module. If set, this variable overrides the use of NFAST_SEE_MACHINEIMAGE_DEFAULT for the specified module. Supplying the <machine-filename> parameter when running the loadmache command-line utility overrides the NFAST_SEE_MACHINEIMAGE_<module> variable. This variable is not affected when running the loadsee-setup or hsc_loadseemachine utilities.

Win: y, Lnx: y

NFAST_SEE_MACHINESIGHASH_DEFAULT

This variable is the default key hash of the vendor signing key (seeinteg) that signs SEE machine images. This variable is only required if you are using a dynamic SEE feature with an encrypted SEE machine. Running the command loadmache --sighash=<HASH> overrides any value set in this variable.

Win: y, Lnx: y

NFAST_SEE_MACHINESIGHASH_<module>

This variable is the key hash of the vendor signing key (seeinteg) that signs SEE machine images for the specified module. It overrides NFAST_SEE_MACHINESIGHASH_DEFAULT for the specified module. This variable is only required if you are using a dynamic SEE feature with an encrypted SEE machine. Running the command loadmache --sighash=<HASH> overrides any value set in this variable.

Win: y, Lnx: y

NFAST_SERVER

NFAST_PRIVSERVER

If these variables are set in the hardserver’s environment, the values specify:

On Linux, the pathnames of the UNIX domain sockets that the hardserver uses for ordinary/privileged client connections to the hardserver.

On Windows, the names of the Windows named pipes for ordinary/privileged client connections to the hardserver.

These variables are available for this purpose for backward compatibility only; you should configure sockets in the hardserver configuration file. If you set these variables for a network-attached HSM, they override the values in the hardserver configuration file. See the server_startup section in the User Guide for your HSM.

Win: y, Lnx: y

NFAST_SERVER_PORT

NFAST_SERVER_PRIVPORT

If these variables are set in the hardserver’s environment, the values specify the TCP port numbers that the nFast server uses for connections over TCP sockets.

These variables are available for this purpose for backward compatibility only: you should configure ports in the hardserver configuration file, as described in the server_startup section of the User Guide for your HSM. If you set these variables, they override the values in the hardserver configuration file.

Win: y, Lnx: y

NFLOG_CATEGORIES

This variable is used to filter log messages by supplying a colon-separated list of allowable message categories; see Logging, debugging, and diagnostics. If no value is supplied, all message categories are logged.

Win: y, Lnx: y

NFLOG_SEVERITY

This variable is used to filter log messages by supplying a minimum severity level to be logged; see Logging, debugging, and diagnostics. If no value is supplied, the default severity level is WARNING.

Win: y, Lnx: y

NFLOG_DETAIL

This variable is used to filter log messages by supplying a bitmask of detail flags; see Logging, debugging, and diagnostics. The default is time+severity+writeable.

Win: y, Lnx: y

NFLOG_FILE

This variable is used to specify a filename (or file descriptor) in which log messages are to be written; see Logging, debugging, and diagnostics. The default is stderr (the equivalent of file descriptor &2).

Win: y, Lnx: y
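
The override order described in the NFAST_SEE_MACHINE* entries above, as an added Python example that is not part of the Security World Software: it reports which value each SEE setting would take for a given module and which variable or loadmache option supplied it. The function names, the sample values, and the reading of <module> as the module number are assumptions made for the example.

```python
# setting -> (environment variable stem, loadmache option that overrides it)
SETTINGS = {
    "image":   ("NFAST_SEE_MACHINEIMAGE",   "machine-filename"),
    "enckey":  ("NFAST_SEE_MACHINEENCKEY",  "--encryptionkey"),
    "sighash": ("NFAST_SEE_MACHINESIGHASH", "--sighash"),
}

def resolve_see(env, module, cli=None):
    """Return {setting: (value, source)} for one module.

    Precedence from the table: loadmache command line, then the
    _<module> variable, then the _DEFAULT variable.
    Assumption: <module> is replaced by the module number, e.g. _2.
    """
    cli = cli or {}
    result = {}
    for setting, (stem, option) in SETTINGS.items():
        specific, default = f"{stem}_{module}", f"{stem}_DEFAULT"
        if setting == "enckey" and cli.get("--unencrypted"):
            result[setting] = (None, "--unencrypted")
        elif option in cli:
            result[setting] = (cli[option], option)
        elif specific in env:
            result[setting] = (env[specific], specific)
        elif default in env:
            result[setting] = (env[default], default)
        else:
            result[setting] = (None, "unset")
    return result

def modules_with_overrides(env):
    """Module suffixes that have at least one per-module SEE variable set."""
    stems = tuple(stem + "_" for stem, _ in SETTINGS.values())
    return sorted({name.rsplit("_", 1)[1] for name in env
                   if name.startswith(stems) and not name.endswith("_DEFAULT")})

# Constructed sample environment; paths, key name and hash are placeholders.
SAMPLE_ENV = {
    "NFAST_SEE_MACHINEIMAGE_DEFAULT": "/example/default-machine",
    "NFAST_SEE_MACHINEIMAGE_2": "/example/module2-machine",
    "NFAST_SEE_MACHINEENCKEY_DEFAULT": "example-enc-key",
    "NFAST_SEE_MACHINESIGHASH_DEFAULT": "<constructed-hash>",
}

if __name__ == "__main__":
    for module in (1, 2):
        print(module, resolve_see(SAMPLE_ENV, module))
```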
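
An added example, not part of the Security World Software: it parses a process environment block in the Linux /proc/<pid>/environ layout, reports the logging settings in effect using the defaults stated in the table, and lists any legacy variables that can override the hardserver configuration file. The sample block, the category names and the strict single-digit reading of NFAST_DEBUG are assumptions.

```python
import re

# Legacy variables that, per the table above, can override the hardserver config file.
CONFIG_OVERRIDES = ("NFAST_SERVER", "NFAST_PRIVSERVER",
                    "NFAST_SERVER_PORT", "NFAST_SERVER_PRIVPORT")

def parse_environ(blob):
    """Parse a NUL-separated KEY=VALUE block (the Linux /proc/<pid>/environ layout)."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def logging_settings(env):
    """Effective logging settings, filling in the defaults the table states."""
    syslog = env.get("NFAST_DEBUGSYSLOG", "")
    cats = env.get("NFLOG_CATEGORIES", "")
    return {
        # Assumption: the value must be a single digit 1-7 with no padding.
        "pkcs11_debug": bool(re.fullmatch(r"[1-7]", env.get("NFAST_DEBUG", ""))),
        "syslog_facility": syslog.lstrip("+") or None,
        "also_traditional": syslog.startswith("+"),
        "categories": cats.split(":") if cats else "all",
        "severity": env.get("NFLOG_SEVERITY") or "WARNING",
        "file": env.get("NFLOG_FILE") or "stderr",
    }

def audit(env):
    """Return findings a reviewer would want to see for this environment."""
    found = [f"{name} is set and can override the hardserver configuration file"
             for name in CONFIG_OVERRIDES if name in env]
    log = logging_settings(env)
    if "NFAST_DEBUG" in env and not log["pkcs11_debug"]:
        found.append("NFAST_DEBUG is set but not in 1-7, so no debug messages are logged")
    if log["pkcs11_debug"]:
        found.append("PKCS #11 debug logging is enabled")
    return found

# Constructed sample block; every value here is made up for the example.
SAMPLE = (b"PATH=/usr/bin\0NFAST_DEBUG=9\0NFAST_DEBUGSYSLOG=+local3\0"
          b"NFLOG_CATEGORIES=cat-a:cat-b\0NFAST_SERVER_PORT=19000\0")

if __name__ == "__main__":
    env = parse_environ(SAMPLE)
    print(logging_settings(env))
    print("\n".join(audit(env)))
```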