Checking and changing the mode on a network-attached HSM
This appendix tells you how to check and change the mode on the nShield HSM. You must change the mode to perform certain configuration tasks.
Front panel controls
See Front panel controls for a description of the nShield HSM user interface, including the front panel controls.
We recommend that you use a keyboard to manage the front panel menu options and enter text. See Using a keyboard to control the unit for more information.
Available modes
The following modes are available:
Mode | Description |
---|---|
Operational | The default setting for day-to-day use. |
Initialization | Sets the nShield HSM to start in pre-initialization mode. This allows you to use the nShield HSM to create a Security World or add the module to an existing one. |
Maintenance | You cannot select this mode manually. It is managed by the nShield HSM and cannot be set by a user. |
Identifying the current mode
You can check the current mode of the nShield HSM:
- At the nShield HSM itself
- By using the enquiry command-line utility from a client computer
- By using KeySafe from a client computer
Checking the mode at the nShield HSM
The status LED
The nShield HSM Status LED indicates the operational status of the module.
Status LED | Description |
---|---|
On, occasionally blinks off. | Status: Operational mode. The module is in Operational mode and accepting commands. The more frequently the Status LED blinks off, the greater the load on the module. |
Flashes two short pulses, followed by a short pause. | Status: Initialization mode. Existing Security World data on the module has been erased. The module is automatically placed in Initialization mode after a Security World is created. |
Flashes two long pulses followed by a pause. | Status: Maintenance mode. Used for reprogramming the module with new firmware. The module only goes into Maintenance mode during a software upgrade. |
The front panel display screen
The nShield HSM screen shows a color-coded footer at the bottom of the display when it is not in Operational mode.
Footer color | Text in footer | Meaning |
---|---|---|
Yellow | Initialization | The system is rebooting or waiting for an Administrator Card to be inserted. |
Blue | Maintenance | An administrative task is being performed. This mode is only entered during firmware upgrades. |
Red | HSM Failed | The internal module has failed. |
Checking the mode using enquiry
You can use the enquiry command-line utility to display information about the hardserver and the status of the nShield HSM.
The enquiry utility is in the bin subdirectory of the nCipher directory. This is usually /opt/nfast (Linux) or C:\Program Files\nCipher\nfast (Windows).
To check the mode using enquiry:
- Sign in to the client computer as a user, and open a command window.
- Run the command:
  - Linux: /opt/nfast/bin/enquiry
  - Windows: enquiry
Example output:
    Server:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        ####-####-####-####
     mode                 operational
     version              #.#.#
     speed index          ###
     rec. queue           ##..##
     ...
     version serial       #
     remote port (IPv4)   ####

    Module #1:
     enquiry reply flags  none
     enquiry reply level  Six
     serial number        ####-####-####-####
     mode                 operational
     version              #.#.#
     speed index          ###
     rec. queue           ##..##
     ...
     rec. LongJobs queue  ##
     SEE machine type     PowerPCSXF
In this example, the mode line shows that the nShield HSM is in operational mode.
Checking the mode by using KeySafe
You can use the Module Status tree of the KeySafe GUI to identify the current mode of the nShield HSM.
To check the mode using KeySafe:
- Start KeySafe on a client computer.
- Locate the Module Status tree (part of the Security World status panel) positioned to the bottom left of the KeySafe window.
- Expand the Security World and/or Outside Security World nodes as required.
- Locate the appropriate nShield HSM (Module).
The current mode of the module is displayed in the State field.
See Using KeySafe for more about using KeySafe. See Module information for more about checking the mode.
Changing the mode
You can change the mode using:
- The front panel controls of the nShield HSM
- The nopclearfail command-line utility from a client computer
Changing the mode using the front panel controls
To change the mode, use the front panel menu screens and dialogs to do the following:
- Navigate to HSM > Set HSM mode.
- Select Initialisation or Operational as required.
Changing the mode using remote mode and nopclearfail
You can enable or disable changing the mode remotely, see enable_remote_mode in the server_settings section or the Top-level menu chapter of the HSM Install Guide.
Once you have enabled remote mode changes, you can change the mode of the nShield HSM from a computer using the nopclearfail command, without accessing the unit itself.
Available commands
You can use the following commands to change the mode of a module:
Command | Resulting mode |
---|---|
nopclearfail --operational (or -O) | Operational |
nopclearfail --initialization (or -I) | Pre-initialization |
To change the mode, do the following:
- Run either:
  - The nopclearfail --operational | -O command.
  - or: The nopclearfail --initialization | -I command.

  When finished, the system responds with OK.

The system responds with OK, regardless of whether the mode of the nShield HSM has changed or not. To confirm the state of the module, do the following:

- Run the enquiry command. The mode line of the Module section displays the current mode.
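Because nopclearfail answers OK whether or not the mode changed, a scripted mode change should read the result back from enquiry. The following is an added example, not part of the vendor documentation: it assumes enquiry prints one "name value" pair per line under section headers such as Server: and Module #1:, the function names are hypothetical, and the sample output (including its mode strings) is constructed.

```shell
#!/bin/sh
# Added example: confirm a module's mode from enquiry output instead of
# trusting the "OK" that nopclearfail prints.
# Assumption: one "name  value" pair per line under headers such as
# "Server:" and "Module #1:".

# Print the mode of module number $1, reading enquiry output on stdin.
# Exits non-zero when that module's section has no mode line.
module_mode() {
    awk -v want="Module #$1:" '
        # A non-indented line ending in ":" starts a new section.
        /^[^ \t].*:[ \t]*$/ { sub(/[ \t]+$/, ""); section = $0; next }
        # Only the mode line inside the requested Module section counts;
        # the Server section has its own mode line, which is skipped.
        section == want && $1 == "mode" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Succeed only if module $1 reports mode $2 (enquiry output on stdin).
# Returns 1 on a mismatch and 2 when the module has no mode line.
confirm_mode() {
    actual=$(module_mode "$1") || { echo "module $1: no mode line" >&2; return 2; }
    [ "$actual" = "$2" ] && return 0
    echo "module $1: mode is '$actual', expected '$2'" >&2
    return 1
}

# Constructed sample (not captured from a real unit): the Server and
# Module sections report different modes.
SAMPLE_ENQUIRY='Server:
 enquiry reply flags  none
 mode                 operational
 remote port (IPv4)   ####

Module #1:
 enquiry reply flags  none
 mode                 initialization
 rec. LongJobs queue  ##'

# Live use (install path as given on this page):
#   /opt/nfast/bin/enquiry | confirm_mode 1 operational
if printf '%s\n' "$SAMPLE_ENQUIRY" | confirm_mode 1 operational; then
    echo "module 1 is operational"
else
    echo "module 1 did not reach operational mode"
fi
```

Checking the Module section rather than the first mode line matters here: in the sample the Server section reports operational while the module does not.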