Add HSMs to a Security World

Pre-initialization backup (PCIe and USB HSMs)

Initialization removes any data stored in an HSM’s nonvolatile memory (for example, data for an SEE program or NVRAM-stored keys). To preserve this data, you must back it up before initializing the HSM and restore it after the HSM has been reprogrammed. We provide the nvram-backup utility to enable data stored in nonvolatile memory to be backed up and restored.

In order to continue using existing keys and Operator Cards, you must reprogram the HSM:

  • After you upgrade the firmware

  • If you replace the HSM

  • If you need to add an HSM to an existing Security World.

Add an HSM to a Security World with the CSP or CNG wizard (Windows)

To add an HSM to an existing Security World:

  1. Ensure the HSM is in initialization mode and run the wizard by double-clicking its shortcut in the Windows Start menu: Start > Entrust nShield Security World.

  2. Click the Next button.

    The wizard allows you to configure HSM Pool mode for CAPI/CNG.

  3. Click the Next button.

    If the wizard finds an existing Security World, it prompts you to specify whether you want to use the existing Security World or create a new Security World.

    If the wizard displays any other windows:

    1. Cancel the operation.

    2. Check that you have correctly set the environment variable NFAST_KMDATA.

    3. Copy the local sub-directory from the Key Management Data of another computer in the same Security World or from a backup tape of this computer to the Key Management Data directory of this computer.

    4. Run the wizard again.

  4. Ensure that the Use the existing security world option is selected, and click the Next button.

You can then proceed to add HSMs in the same manner that you add multiple HSMs when you create a Security World.

Add an HSM to a Security World with new-world

  1. Run:

    new-world [-l|--program] [-S|--no-remoteshare-cert] [-m|--module=<MODULE>]

    If you intend to initialize the HSM into a new Security World, run new-world with the -i option.

    The HSM must be in the pre-initialization state. If it is not, new-world displays an error and exits.

    If the HSM is in the pre-initialization state, new-world prompts you for cards from the Security World’s ACS and to enter their passphrases as required.

  2. After new-world has reprogrammed the HSM, restart the HSM in the operational state.

  3. If you enrolled a network-attached HSM into a Security World, propagate the world and module files to all client machines.

  4. If using HSM Pool Mode, additionally run hsc_configurepoolmodule -mN on each machine enrolled as a client (N is the module number of the newly enrolled HSM).

    If there is more than one module to configure and the Security World software version is v13.6 or later, you can run hsc_configurepoolmodule without any parameters to add all eligible modules to the pool.

  5. Store the ACS in a safe place.

If any error occurs (for example, if you do not enter the correct passphrases), the HSM is reset to the factory state. The HSM does not form part of the Security World unless you run new-world again.

Add an HSM to a Security World using the nShield HSM front panel (network-attached HSMs)

To add an HSM to a Security World:

  1. If the HSM already belongs to a Security World, erase it from the Security World to which it belongs, as described in Remove modules and delete Security Worlds.

  2. From the main menu, select Security World mgmt > Module initialization > Load Security World.

  3. Specify whether the HSM can use the Remote Operator feature import slots. For more information, see Remote Operator.

  4. At the prompt, insert an Administrator Card, and enter its passphrase if required.

  5. Continue to insert Administrator Cards when prompted until you have inserted the number required to authorize HSM reprogramming.

Add or restore an HSM to the Security World

When you have created a Security World, you can add additional HSMs to it. The HSMs may have previously been removed from the same Security World, that is, the Security World can be restored on an HSM by adding the HSM to the Security World again.

(PCIe and USB HSMs) These additional HSMs can be on the same host computer as the original HSM or on any other host.

You can also restore an HSM to a Security World to continue using existing keys and Operator Cards:

  • After you upgrade the firmware

  • If you replace the HSM.

The additional HSMs can be any nShield HSMs.

To add an HSM to a Security World, you must:

  • Have installed the additional HSM hardware.

  • PCIe and USB HSMs: After installing the additional HSM hardware and restarting the host machine, you must stop and then restart the hardserver as described in Stopping and restarting the client hardserver. This ensures that the added HSM is recognized and accessible.

  • Network-attached HSMs: Have a copy of the Security World data on the HSM’s remote file system in the Key Management Data directory.

  • PCIe and USB HSMs: Have a copy of the Security World data on this host. This is the host data written by Keysafe, the nShield HSM CSP wizard (Windows), or new-world when you created the Security World. This data is stored in the local directory within the Key Management Data directory.

    If the Key Management Data directory is not in the default location, ensure that the NFAST_KMDATA environment variable is set with the correct location for your installation.

  • PCIe and USB HSMs: Be logged in to the host computer as root (Linux) or as a user who is permitted to create privileged connections (Windows). See Hardserver start-up settings and server_startup.

  • Have started the HSM in pre-initialization mode.

  • Possess a sufficient number of cards from the ACS and the appropriate passphrases.
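The prerequisites above (Security World data present in the local sub-directory, NFAST_KMDATA pointing at the right place, a privileged login) are the same ones the new-world procedure earlier on this page depends on. The following POSIX shell script is an added example, not part of the Entrust documentation or the nShield software: it performs those pre-flight checks on a PCIe/USB host before an operator runs new-world. It assumes the standard nShield layout in which the Key Management Data directory defaults to /opt/nfast/kmdata and the Security World data lives in its local sub-directory as a file named world with module files named module_<ESN>; the function names (kmdata_dir, check_world_data, count_module_files, check_privileged, preflight) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Entrust documentation or the nShield product):
# pre-flight checks before running new-world to add a PCIe/USB HSM to an
# existing Security World. Assumes the default Key Management Data directory
# is /opt/nfast/kmdata and that the Security World data is the file
# local/world inside it, with module files named local/module_<ESN>.

# Resolve the Key Management Data directory: NFAST_KMDATA wins over the default.
kmdata_dir() {
    if [ -n "${NFAST_KMDATA:-}" ]; then
        printf '%s\n' "$NFAST_KMDATA"
    else
        printf '%s\n' "/opt/nfast/kmdata"
    fi
}

# Return 0 if the directory holds the world file that new-world loads, 1 otherwise.
# Without it new-world cannot attach the HSM to the existing Security World; the
# remedy is to copy the local sub-directory from another host in the same
# Security World, or from a backup, before running new-world.
check_world_data() {
    dir="$1"
    [ -f "$dir/local/world" ]
}

# Count module files already present, so the operator can see which modules
# this host already knows about before a new one is added.
count_module_files() {
    dir="$1"
    n=0
    for f in "$dir"/local/module_*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# new-world needs a privileged hardserver connection; on Linux that means root.
check_privileged() {
    [ "$(id -u)" -eq 0 ]
}

# Run every check and print the command to run next. This function never runs
# new-world itself, because new-world prompts interactively for ACS cards and
# passphrases and must be driven by the operator at the console.
preflight() {
    module="${1:-1}"
    dir="$(kmdata_dir)"
    status=0
    if check_world_data "$dir"; then
        echo "OK: Security World data found at $dir/local/world"
    else
        echo "FAIL: no world file at $dir/local/world; copy the local sub-directory from another host in this Security World or from a backup" >&2
        status=1
    fi
    echo "INFO: $(count_module_files "$dir") module file(s) already in $dir/local"
    if check_privileged; then
        echo "OK: running as root"
    else
        echo "FAIL: run as root (or a user permitted to make privileged hardserver connections)" >&2
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "Next: put module $module in pre-initialization mode, then run:"
        echo "  new-world -l -m $module"
        echo "Afterwards restart the HSM in operational mode and propagate the module file to clients."
    fi
    return "$status"
}

# Usage: preflight <module-number>, for example:
# preflight 1
```

The script deliberately stops short of invoking new-world: the ACS quorum and passphrases are entered at the console, and a wrapper that tried to feed them non-interactively would defeat the point of the ACS. Running the checks first avoids the failure mode the page describes, where an error during new-world leaves the HSM reset to factory state and outside the Security World.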

Adding or restoring an HSM to a Security World:

  • Erases the HSM (PCIe and USB HSMs) or the Security World data on the HSM’s internal file system (network-attached HSMs).

  • Reads the required number of cards (K) from the ACS so that it can re-create the secret.

  • Reads the Security World data from the RFS (network-attached HSMs) or the computer’s hard disk (PCIe and USB HSMs).

  • Uses the secret from the ACS to decrypt the Security World key.

  • Stores the Security World key in the HSM’s nonvolatile memory.

  • Configures the HSM for audit logging if the Security World was created with audit logging selected.

After adding an HSM to a Security World:

  • You cannot access any keys that were protected by a previous Security World that contained that HSM.

  • You have to sync the module file to the clients by one of the following methods:

    • Copy the files manually to the clients.

    • Run rfs-sync -update. See rfs-sync.

It is not possible to program an HSM into two separate Security Worlds simultaneously.