Checking the installation
This guide covers the following HSMs:
- nShield 5s
- nShield Solo
- nShield Solo XC
This guide describes what to do if you have an issue with the module or the software.
The facilities described below are only available if the software has been installed successfully. If the software has not installed correctly, see Problems during installation and commissioning.
Checking operational status
Enquiry utility
Run the enquiry utility to check that the module is working correctly.
You can find the enquiry utility in the bin subdirectory of the nCipher directory.
This is usually:
- C:\Program Files\nCipher\nfast for Windows
- /opt/nfast for Linux
If the module is working correctly, the enquiry utility returns a message similar to the following:
- nShield 5s
    Server:
     enquiry reply flags none
     enquiry reply level Six
     serial number ############-####
     mode operational
     version #.#.#
     speed index ###
     rec. queue ##..##
     ...
     module type code 0
     product name nFast server
     ...
    Module ##:
     enquiry reply flags none
     enquiry reply level Six
     serial number ############-####
     mode operational
     version #.#.#
     speed index ###
     rec. queue ##..##
     ...
     module type code 14
     product name #######/#######
     ...
     rec. LongJobs queue ##
     SEE machine type None
     supported KML types DSAp1024s160 DSAp3072s256
     active modes none
     physical serial 48-U50104
     hardware part no PCA10005-01 revision 03
     hardware status OK
- nShield Solo
    Server:
     enquiry reply flags none
     enquiry reply level Six
     serial number ############-####
     mode operational
     version #.#.#
     speed index ###
     rec. queue ##..##
     ...
     version serial #
     remote server port ####
     ...
     module type code 0
     product name nFast server
     ...
    Module ##:
     enquiry reply flags none
     enquiry reply level Six
     serial number ############-####
     mode operational
     version #.#.#
     speed index ###
     rec. queue ##..##
     ...
     module type code 7
     product name #######/#######/#######
     ...
     rec. LongJobs queue ##
     SEE machine type Power PCSXF
     supported KML types DSAp1024s160 DSAp3072s256
     hardware status OK
- nShield Solo XC
    Server:
     enquiry reply flags none
     enquiry reply level Six
     serial number ############-####
     mode operational
     version #.#.#
     speed index ###
     rec. queue ##..##
     ...
     module type code 0
     product name nFast server
     ...
     version serial #
     remote server port ####
    Module ##:
     enquiry reply flags none
     enquiry reply level Six
     serial number ############-####
     mode operational
     version #.#.#
     speed index ###
     rec. queue ##..##
     ...
     module type code 12
     product name #######/#######/#######
     ...
     rec. LongJobs queue ##
     SEE machine type Power PCELF
     supported KML types DSAp1024s160 DSAp3072s256
     hardware status OK
If the mode is operational the module has been installed correctly.
If the mode is initialization or maintenance, the module has been installed correctly, but you must change the mode to operational.
If the output from the enquiry command says that the module is not found, first restart your computer, then re-run the enquiry command.
If the operating system supports power saving, disable power saving.
See Install a PCIe HSM for more information.
Otherwise, if your system enters Sleep mode, the HSM may not be found when running enquiry.
If this happens, you need to reboot your system.
nFast server (hardserver)
Communication can only be established with a module if the nFast server is running.
If the server is not running, the enquiry utility returns the message:
NFast_App_Connect failed: ServerNotRunning
Restart the nFast server, and run the enquiry utility again.
See Stopping and restarting the hardserver for more about how to restart the nFast server.
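The checks from the Enquiry utility and nFast server sections can be scripted as a health check. The following is an added example, not Entrust code: it parses enquiry output and maps each outcome to the action this guide gives. The sample text is constructed, and treating a missing mode line as "module not found" and any hardware status other than OK as a finding are assumptions.

```python
import re

SECTION = re.compile(r"^(Server|Module\s+#?\w+):")
FIELD = re.compile(r"^\s*(mode|hardware status)\s+(.+?)\s*$")

# Constructed sample in the layout shown in this guide (values are made up).
SAMPLE = """\
Server:
 enquiry reply flags  none
 mode                 operational
 product name         nFast server
Module #1:
 enquiry reply flags  none
 mode                 maintenance
 active modes         none
 hardware status      OK
"""

def parse_enquiry(text):
    """Return {section: {field: value}} for the mode and hardware status fields."""
    sections, current = {}, None
    for line in text.splitlines():
        head = SECTION.match(line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return sections

def assess(text):
    """Map enquiry output to the action this guide gives for each outcome."""
    if "ServerNotRunning" in text:
        return ["hardserver not running: restart the nFast server, re-run enquiry"]
    modules = {k: v for k, v in parse_enquiry(text).items() if k != "Server"}
    if not any("mode" in m for m in modules.values()):  # assumption: no mode line
        return ["module not found: restart the computer, re-run enquiry"]
    findings = []
    for name, fields in modules.items():
        mode = fields.get("mode", "unknown")
        if mode in ("initialization", "maintenance"):
            findings.append(f"{name}: installed, but change mode to operational")
        elif mode != "operational":
            findings.append(f"{name}: unexpected mode {mode!r}")
        if fields.get("hardware status", "OK") != "OK":  # assumption: non-OK is a fault
            findings.append(f"{name}: hardware status {fields['hardware status']}")
    return findings or ["all modules operational"]
```

In use, pass assess() the captured output of the enquiry utility from the bin subdirectory instead of SAMPLE.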
Mode switch and jumper switches (nShield Solo and Solo XC only)
The mode switch on the back panel controls the mode of the module. See Checking and changing the mode on an nShield Solo module for more about checking and changing the mode of an HSM. You can set the physical mode override jumper switch on the circuit board of the nShield Solo to the On position, to prevent accidental operation of the mode switch. If this override jumper switch is on, the nShield Solo and nShield XC will ignore the position of the mode switch (see Back panel and jumper switches).
You can set the remote mode override jumper switch on the circuit board of the nShield Solo and nShield Solo XC to the On position to prevent mode change using the nopclearfail command.
This should be done if, for example, the security policies of your organization require the physical mode switch to be used to authorize mode changes.
Log message types
By default, the hardserver writes log messages to:
- The Windows Operating System event log.
- log/logfile in the nCipher directory (normally the /opt/nfast/log directory) on Linux.
The environment variable NFAST_SERVERLOGLEVEL determines what types of message you see in your log. The default is to display all types of message. NFAST_SERVERLOGLEVEL is a legacy debug variable.
Information
This type of message indicates routine events:
nFast Server service: about to start
nFast Server service version starting
nFast server: Information: New client clientid connected
nFast server: Information: New client clientid connected - privileged
nFast server: Information: Client clientid disconnected
nFast Server service stopping
Client
This type of message indicates that the server has detected an error in the data sent by the client (but other clients are unaffected):
nFast server: Detected error in client behaviour: message
Serious error
This type of message indicates a serious error, such as a communications or memory failure:
nFast server: Serious error, trying to continue: message
If you receive a serious error, even if you are able to recover, contact Support.
Serious internal error
This type of message indicates that the server has detected a serious error in the reply from the module. These messages indicate a failure of either the module or the server:
nFast server: Serious internal error, trying to continue: message
If you receive a serious internal error, contact Support.
Start-up errors
This type of message indicates that the server was unable to start:
nFast server: Fatal error during startup: message
nFast Server service version failed init.
nFast Server service version failed to read registry
Reinstall the server. If this does not solve the problem, contact Support.
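The message types above can be triaged automatically when reviewing the hardserver log. The following is an added example, not Entrust code: it classifies log lines by the message texts listed in this section, returns the lines that this guide says need action, and notes privileged client connections. The sample log, including its timestamp prefix, client ids and message details, is constructed.

```python
import re
from collections import Counter

# (category, pattern, action): message texts and actions as listed in this guide.
RULES = [
    ("Serious internal error", r"nFast server: Serious internal error", "contact Support"),
    ("Serious error", r"nFast server: Serious error", "contact Support"),
    ("Start-up error", r"Fatal error during startup|failed init|failed to read registry",
     "reinstall the server, then contact Support if unresolved"),
    ("Client", r"nFast server: Detected error in client behaviour", None),
    ("Information", r"nFast server: Information:|nFast Server service", None),
]

# Constructed sample; the timestamp prefix, client ids and details are made up.
LOG = """\
2024-01-01 10:00:00 nFast Server service: about to start
2024-01-01 10:00:01 nFast server: Information: New client 4 connected
2024-01-01 10:00:02 nFast server: Information: New client 5 connected - privileged
2024-01-01 10:00:03 nFast server: Detected error in client behaviour: bad length
2024-01-01 10:00:04 nFast server: Serious internal error, trying to continue: bad reply
2024-01-01 10:00:05 nFast server: Information: Client 4 disconnected
"""

def classify(line):
    """Return (category, action) for one log line; the first matching rule wins."""
    for category, pattern, action in RULES:
        if re.search(pattern, line):
            return category, action
    return "Unrecognised", None

def triage(text):
    """Count categories, list lines needing action, note privileged clients."""
    counts, actionable, privileged = Counter(), [], []
    for number, line in enumerate(text.splitlines(), start=1):
        category, action = classify(line)
        counts[category] += 1
        if action:
            actionable.append((number, category, action))
        if line.rstrip().endswith("connected - privileged"):
            privileged.append(number)
    return counts, actionable, privileged
```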
BadTokenData error (Solo only)
The PCIe module (not the Solo XC module) is equipped with a rechargeable backup battery for maintaining Real-Time Clock (RTC) operation when the module is powered down.
This battery typically lasts for two weeks.
If the module is without power for an extended period, the RTC time is lost.
When this happens, attempts to read the clock (for example, using the ncdate or rtc utilities) return a BadTokenData error status.
The correct procedure in these cases is to reset the clock and leave the module powered up for at least ten hours to allow the battery to recharge. No other nonvolatile data is lost when this occurs. See rtc for more about resetting the clock.
The Solo XC module is equipped with a battery with a ten year life for maintaining RTC operation when the module is powered down. The RTC will not require resetting after the module has been shut down for extended periods. The battery is not rechargeable.