Operator Card Sets (OCS)

To delete a card set, see Erase cards and softcards

Create Operator Card Sets (OCSs)

You can use an Operator Card Set (OCS) to control access to application keys. OCSs are optional, but if you require one, create it before you start to use the hardware security module with applications. You must create an OCS before you create the keys that it is to protect.

You can create OCSs that have:

  • Names for individual cards, as well as a name for the whole card set

  • Specific K/N policies

  • Optional passphrases for any card within a given set

  • Formal FIPS 140 Level 3 compliance.

Some third-party applications impose restrictions on the OCS smart card quorums (K/N) or the use of smart card passphrases. For more information, see the appropriate integration guide for the application. Integration guides for third-party applications are available from https://nshieldsupport.entrust.com/.

OCSs belong to the Security World in which they are created. When you create an OCS, the smart cards in that set can only be read by hardware security modules belonging to the same Security World.

You can use the following tools to create an OCS:

Persistent Operator Card Sets

If you create a standard (non-persistent) OCS, the keys it protects can only be used while the last required card of the quorum remains loaded in the local slot of the HSM, or one of its Dynamic Slots. The keys protected by this card are removed from the memory of the device as soon as the card is removed from the smart card reader. If you want to be able to use the keys after you have removed the last card, you must make that OCS persistent.

Keys protected by a persistent card set can be used for as long as the application that loaded the OCS remains connected to the hardware security module (unless that application removes the keys).

For more information about persistent OCSs, see Using persistent Operator Card Sets.

Network-attached HSMs

An OCS to be used to authorize login on a unit must be persistent and not loadable remotely. It is recommended that such an OCS is not used to protect sensitive keys.


OCSs can be created with a time-out, so that they can only be used for limited time after the OCS is loaded. An OCS is loaded by most applications at start up or when the user supplies the final required passphrase. After an OCS has timed out, it is not loadable by another application unless it is removed and reinserted. Time-outs operate independently of OCS persistence.

FIPS 140 Level 3-compliant Security Worlds

When you attempt to create an OCS for a Security World that complies with FIPS 140 Level 3, you are prompted to insert an Administrator Card or Operator Card from an existing set. You may need to specify to the application the slot you are going to use to insert the card. You need to insert the card only once in a session.

Create an Operator Card Set using an nShield network-attached HSM front panel

To create an OCS, follow these steps:

  1. From the main menu, select Security World mgmt > Cardset operations > Create OCS.

    You are prompted to enter the name of the OCS.

  2. Enter a name and press right-hand navigation button.

  3. Enter the quorum for the OCS, using the touch wheel to move from one field to the other. The quorum consists of:

    • The maximum number of cards from the OCS required by default for an operation. This number must be less than or equal to the total number of cards in the set.

    • The total number of cards to be used in the OCS. This must be a value in the range 1 – 64.

  4. Press the right-hand navigation button to move to the next screen.

  5. If you wish to specify a time out for the card set, enter the time out in seconds.

  6. Choose whether to create a persistent card set. You can select:

    • Not persistent (which is the default)

    • Persistent

    • Remoteable/Persistent

  7. Choose whether to name individual cards and enable passphrase replacement by answering Yes or No to each question and then pressing the right-hand navigation button.

  8. Insert a smart card to be formatted for the OCS.

    If the card is not blank, choose whether to overwrite it or to use a different card. (If the card is an Operator Card from another Security World, you cannot overwrite it and are prompted to enter a different card.)

  9. If you have chosen to name individual cards, you are prompted to enter the name for the card.

  10. You are asked whether you wish to specify a passphrase for the card. If you choose Yes, you are prompted to enter the passphrase twice.

    While the Operator Card is being created, the screen displays the message Processing.

    If there are further cards from this OCS to be processed, the screen changes to Waiting. Remove the card, and repeat steps 8 through 10 for each of the remaining cards.

When all the cards in the set have been processed, you are told that the card set has been created successfully.

Creating an Operator Card Set using the command line

To create an OCS from the command line:

  1. Run createocs.

  2. Insert the smart card to use.

    If you insert an Administrator Card from another Security World or an Operator Card that you have just created, createocs displays the following message:

    Module x slot n: unknown card +
    Module x slot n: Overwrite card ? (press Return)

    where x is the hardware security module number and n is the slot number. If you insert an Operator Card from another Security World, createocs displays the following message:

    Module x slot n: inappropriate Operator Card (TokenAuthFailed).

    When you insert a valid card, createocs prompts you to type a passphrase.

    The nShield PKCS #11 library requires Operator Cards with passphrases.
    Some applications do not have mechanisms for entering passphrases. Do not give passphrases to Operator Cards that are to be used with these applications.
  3. Type a passphrase and press Enter. Alternatively, press Enter if you do not want this card to have a passphrase.

    A passphrase can be of any length and can contain any character that you can type.

    If you entered a passphrase, createocs prompts you to confirm it.

  4. Type the passphrase again and press Enter.

    If the passphrases do not match, createocs prompts you to input and confirm the passphrase again.

  5. When the new card has been created, if you are creating a card set with more than one card in it, createocs prompts you to insert another card.

  6. For each additional card in the OCS, follow the instructions from step 2 through 4.

Create an Operator Card Set with KeySafe

KeySafe enables you to create OCSs with:

  • Their own names

  • K/N policies

  • Optional passphrases for any card within the OCS

  • Formal FIPS 140 Level 3 compliance.

To create an OCS with KeySafe:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)

  2. Click the Card sets menu button, or select Card sets from the menu.

    The List Operator Card Sets panel is displayed.

  3. Select an HSM within the Security World from the Security World status pane.

  4. Click the Create new card set button to open the Create Operator Card Set panel. You can specify the following options:

    1. A name for the card set.

    2. Whether passphrase recovery will be enabled for the OCS. (Only available if the Security World has passphrase recovery enabled.)

    3. Whether the card set can be used remotely. (Only available if the Security World has remote sharing available.) For more information, see Remote Operator.

    4. Whether this OCS will be persistent.

    5. Whether this OCS will have a time-out (a period after which the card set must be inserted again).

    6. The value for the time-out, in seconds.

    7. The total number of Operator Cards (N) that you want this OCS to have. This must be a value in the range 1 – 64.

    8. The number of Operator Cards needed to re-create a key (K). K must be less than or equal to N.

  5. When you have entered all the details, click Commit. KeySafe takes you to a new Create Operator Card Set panel.

    If K is equal to N, a message is displayed:

    The total number of cards is equal to the required number of cards. – If the total and required number of cards are equal, losing one card will render any nonrecoverable keys unusable. Is this what you want?

    Click Yes to confirm the values for K and N, or No to change them.

    If you are creating the card set in a FIPS 140 Level 3 Security World, insert an Administrator Card or an existing Operator Card when prompted.
  6. Insert a blank, unformatted card into the reader.

    A message is displayed, confirming that the card is blank. Click OK to open the Set Card Protection passphrase panel.

    If you insert a card from another OCS, KeySafe asks whether you want to erase it. If you insert an Administrator Card from the current Security World, KeySafe prevents you from accidentally erasing it. If you insert an OCS card from another Security World you will get the message:

    Error. Unreadable card - may be incorrectly inserted or be from another Security World’s operator card set. Please check.

    To overcome this you must replace the card you have inserted with another card that is readable (or blank).

    When creating a card set, KeySafe recognizes cards that already belong to the set before the card set is complete. If you accidentally insert a card to be written again after it has already been written, you receive a warning.
  7. Select whether or not you want to set a passphrase for the currently inserted card. Each card in a set can have an individual passphrase, and you can also create a set in which some cards have passphrases and others do not.

  8. If setting a passphrase for the currently inserted card, enter the same passphrase in both text fields. A passphrase can contain any characters you can type except for tabs or carriage returns (because these keys are used to move between data fields).

    You can change a passphrase at any time. If you do not set a passphrase now, you can use the KeySafe Change passphrase option (on the Examine/Change Card panel) to add one later. Likewise, if you later decide that you do not need a passphrase on a card, you can use this option to remove it.
  9. After entering your desired passphrase (if any) in both text fields, click the OK button. Unless you have entered details for the last card in the set, KeySafe returns you to the Create Operator Card Set panel and prompts you to enter the next card in the set to be written.

  10. After KeySafe has written the details of the last smart card in the set, it displays a dialog indicating that the OCS has been successfully created. Click the OK button, and KeySafe returns you to the Create Operator Card Set panel, where you can create another OCS or choose a different operation by clicking one of the menu buttons.

Create an Operator Card Set with the CSP or CNG wizard (Windows)

You can use the nShield CSP or CNG wizard to create a K/N OCS that is suitable for use with the nShield Cryptographic Service Provider (CSP) or Cryptography API: Next Generation (CNG), as appropriate. You can only create an OCS using the CSP or CNG wizard if you already have a Security World and have an ACS available for that Security World.

To create an OCS using the CSP or CNG wizard, follow these steps:

  1. Ensure that you have created the Security World and that at least one HSM is in the operational state.

  2. Run the wizard by double-clicking its shortcut in the Start menu: Start > Entrust nShield Security World.

  3. The wizard displays the welcome screen.

  4. Click the Next button. The wizard allows you to configure HSM Pool mode for CAPI/CNG.

    Do not enable HSM Pool mode when creating an Operator Card Set because HSM Pool mode only supports module-protected keys.
  5. Click the Next button.

    The wizard determines what actions to take based on the state of the Security World and of the HSMs that are attached to your computer:

    • If the wizard cannot find the Security World, it prompts you to create a new Security World or to install cryptographic acceleration only.

      In such a case, you should:

      • Cancel the operation

      • Check that the environment variable NFAST_KMDATA is set correctly

      • Copy the local sub-directory from the Key Management Data directory of another computer in the same Security World or from a backup tape of this computer to the Key Management Data directory of this computer.

      • run the wizard again.

    • If there is an existing Security World, the wizard gives you the option of using the existing Security World, creating a new Security World or installing cryptographic acceleration only.

      • In order to use the existing Security World, ensure that the Use the existing security world option is selected, and click the Next button.

      • If there are any HSMs in the pre-initialization state, the wizard adds them to the Security World; see Adding or restoring an HSM to the Security World.

  6. When at least one hardware security module is in the operational state, the wizard prompts you to select a method to protect private keys generated by the CSPs.

  7. Ensure that the Operator Card Set option is enabled. If you are running the CNG wizard (not the CSP wizard) click the Next button. Then select the Create a new Operator Card Set option.

    If you want the OCS to be persistent, select the Persistent option. Persistence is described in Persistent Operator Card Sets.

  8. Click the Next button, and if you have a FIPS world, the wizard prompts you to insert a card created with the current Security World.

    This shows that your Security World is compliant with the roles and services of the FIPS 140 Level 3 standard. It is included for those customers who have a regulatory requirement for compliance.

    Under the constraints of level 3 of the FIPS 140 standard, Operator Cards cannot be created without authorization. To obtain authorization, insert any card from the ACS or any Operator Card belonging to the current Security World.

    The wizard does not enable the next world, the wizard warns you and prompts you for another card.

  9. Click the Next button.

    The wizard prompts you for a smart card to use as the first card in the OCS.

  10. Insert a blank smart card to be used as the Operator Card, and click the Next button.

    Do not use a card from the ACS or an existing Operator Card.
    If you insert a card that is not blank, the wizard asks you if you want to erase it.
  11. When you have inserted an appropriate card, the wizard prompts you for the name of the card and, if required, a passphrase.

    If you want to protect this card with a passphrase, turn on the Card will require a passphrase option, and enter the passphrase. You must enter the passphrase in both fields to ensure that you have typed it correctly.

    Operator Cards with passphrases are required by the nShield PKCS #11 library.
  12. If you have not yet written all the smart cards in the OCS, the wizard prompts you for another card. Repeat the appropriate preceding steps of the OCS creation process for all smart cards in the set.

  13. When the wizard has finished creating the OCS, it displays a screen telling you this. If you want to create another OCS, click the Back button on this screen.

    When you have created all the OCSs that you require, click the Next button to install the CAPI CSP or register the CNG CSP. For more information, see Microsoft CryptoAPI Guide for nShield Security World v13.6.3 or Microsoft CNG Guide for nShield Security World v13.6.3.