Security World Files

Location of Security World files

The logic for finding the security world data directory is:

  1. If NFAST_KMLOCAL is set, use that.

  2. Otherwise, if NFAST_KMDATA is set, use ${NFAST_KMDATA}/local on Linux, %NFAST_KMDATA%\local on Windows.

  3. Otherwise, if NFAST_HOME is set, use ${NFAST_HOME}/kmdata/local on Linux, %NFAST_HOME%\kmdata\local on Windows.

  4. Otherwise, use /opt/nfast/kmdata/local on Linux, C:\nfast\kmdata\local on Windows.

By default, the Key Management Data directory, and sub-directories, inherit permissions from the user that creates them. Installation of the Security World Software must be performed by a user with Administrator rights that allow read and write operations, and the starting and stopping of applications.

Security World operations create or modify Security World files as follows:

Operation creates/modifies file(s)

Create a Security World



(for each module in the Security World) module_ESN, module_ESN_HKML

Load a Security World

creates or modifies

(for each module in the Security World) module_ESN

Replace an ACS



Create an OCS




Create a softcard



Generate a key



Recover a key


key_APPNAME (for each key that has been recovered)

  • <ESN> - Electronic serial number of the module on which the Security World is created.

  • <HKML> - Hash of the long term key in the module.

  • <IDENT> - Identifier given to the card set or key when it is created.

  • <NUMBER> - Number of the card in the card set.

  • <APPNAME> - Name of the application by which the key was created. It’s a 40-character string that represents the hash of the card set’s logical token. It’s either user supplied or a hash of the key’s logical token, depending on the application that created the key.

Make keys and cards available from the front panel (network-attached HSMs)

If you want to make cards or keys which are normally created from the client available from the module’s front panel, we recommend that you use client co-operation to automate the copying of files to the module. For information about configuring client co-operation, see Setting up client cooperation in the User Guide for your HSM.

If you do not use client cooperation, you must manually copy the appropriate card and key files from the client or host on which the card set or key was created to the remote file system of /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows). These files must then be updated on the module by selecting Security World mgmt > RFS operations > Update World files from the main menu.

To be able to create Operator Cards or keys, the user on the client must have write permission for this directory. All other valid users must have read permission.

Required files

The following files must be present and up to date in the /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows) directory, or the directory specified by the NFAST_KMLOCAL environment variable, for a client or host to use a Security World:

  • world

  • A module_ESN file for each module that this host uses

  • A cards_<IDENT> file for each card set that is to be loaded from this host

  • A card_<IDENT>_NUMBER file for each card in each card set that is to be loaded from this host

  • A key_<APPNAME>_<IDENT> file for each key that is to be loaded from this host.

These files are not updated automatically. You must ensure that they are synchronized whenever the Security World is updated on the module.