Replace the ACS

Replacing the ACS requires a quorum of cards from the current ACS (K/N) to perform the following sequence of tasks:

  1. loading the secret information that is to be used to protect the archived copy of the Security World key.

  2. creating a new secret that is to be shared between a new set of cards.

  3. creating a new archive that is to be protected by this secret.

If you discover that one of the cards in the current ACS has been damaged or lost, or you want to migrate from standard nShield cards to nShield Remote Administration Cards, you should use one of the following to create a new set:

  • The racs utility.

    When using the racs utility, you cannot redefine the quantities in a K of N relationship for an ACS. The K of N relationship defined in the original ACS persists in the new ACS.

  • The front panel of an nShield network-attached HSM.

  • The KeySafe Replace Administrator Card Set option.

    Accessed from the Card Operations panel.

If further cards are damaged, you may not be able to re-create your Security World.

You cannot mix nShield cards with nShield Remote Administration Cards in the same set.

Replacing the ACS modifies the world file. In order to use the new ACS on other machines in the Security World, you must copy the updated world file to all the machines in the Security World after replacing the ACS. Failure to do so could result in loss of administrative access to the Security World.

We recommend that you erase your old Administrator Cards as soon as you have created the new ACS. An attacker with the old ACS and a copy of the old host data could still re-create all your keys. With a copy of a current backup, they could even access keys that were created after you replaced the ACS.

Before you start to replace an ACS, you must ensure that you have enough blank cards to create a complete new ACS. If you start the procedure without enough cards, you will have to cancel the procedure part way through.

Replace an ACS using an nShield network-attached HSM front panel

To replace an ACS:

  1. From the main menu, select Security World mgmt > Admin operations > Replace ACS.

  2. Insert one of the remaining cards from the card set that you want to replace and press the right-hand navigation button.

    Continue to insert cards until you have inserted the number of cards required to authorize the process.

  3. When prompted, insert a card for the replacement card set and press the right-hand navigation button.

  4. If required, specify a passphrase for the card.

  5. Insert cards until the card set is complete. A message confirms that the card set has been created.

  6. At this point the modified world file has been pushed to the RFS, so make a backup of the modified world file on the RFS, preferably in a way that distinguishes it from previous backups.

  7. Copy the world file to any other HSMs in the same Security World, either using the Security World mgmt > RFS operations > Update World files option on the HSM concerned or using the nethsmadmin utility, see Using nethsmadmin to copy a Security World to an nShield HSM and check the current version.

  8. If client cooperation is not enabled, copy the modified world file onto any client machines where it is needed.

  9. Check that the new Administrator Cards are usable and that their passphrases have been set as intended, see Passphrases.

  10. Erase the Administrator Cards from the old card set. For more information, see Erase cards and softcards.

Replace an ACS with KeySafe

When you have enough cards ready to create a complete new ACS and a quorum of cards from the ACS you want to replace, follow these steps:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe).

  2. Click the Card sets menu button, or select Card sets from the Manage menu. KeySafe takes you to the List Operator Card Sets panel.

  3. Click the Replace ACS navigation button, and KeySafe takes you to the Replace Administrator Card Set panel.

  4. If you are sure that you want to replace the ACS, click the Replace ACS command button.

  5. KeySafe takes you to the Load Administrator Card Set panel, where it prompts you to insert cards from the ACS in order to authorize the action. Each time you insert an Administrator Card into the module’s smart card slot, you must click the OK button to load the card.

    Only insert cards from your ACS into a module that is connected to a trusted server.

  6. When you have loaded enough Administrator Cards to authorize the action, KeySafe takes you to the Create Administrator Card Set panel, where it prompts you to insert the cards that are to form the ACS. These must be blank cards or cards that KeySafe can erase. KeySafe will not let you use cards from the existing ACS. If you do not have enough cards to form a complete new ACS, cancel the operation now.

    When creating a card set, KeySafe recognizes cards that belong to the set even before the card set is complete. If you accidentally insert a card to be written again after it has already been written, KeySafe displays a warning.

  7. When you insert a blank card, KeySafe takes you to the Set Card Protection passphrase panel.

  8. If you want to set a passphrase for this Administrator Card:

    1. Select the Yes option.

    2. Enter the same passphrase in both text fields.

    3. Click the OK button.

    KeySafe then prompts you for the next card (if any). A given passphrase is associated with a specific card, so each card can have a different passphrase. You can change these passphrases at any time by using the KeySafe Examine/Change Card option (available from the List Operator Card Sets panel) or the cardpp command-line utility.

  9. If you do not want to set a passphrase for this Administrator Card:

    1. Select the No option.

    2. Click the OK button.

  10. After you have created all the Administrator Cards, KeySafe displays a message confirming that the ACS has been successfully replaced.

  11. Click the OK button, and KeySafe returns you to its introduction panel.

  12. (only on PCIe HSMs) When you have finished replacing the ACS, erase the old Administrator Cards; for more information, see Erase cards and softcards.

  13. (only on network-attached HSMs) When you have finished replacing the ACS:

    1. If you ran KeySafe on a client machine, ensure that there is a copy of the modified world file on the RFS.

    2. Make a backup of the world file, preferably in a way that distinguishes it from previous backups.

    3. Copy the world file to any other HSMs in the same Security World, for example using the nethsmadmin utility, see Using nethsmadmin to copy a Security World to an nShield HSM and check the current version.

    4. If client cooperation is not enabled, copy the modified world file onto any other client machines where it is needed.

    5. Check that the new Administrator Cards are usable and that their passphrases have been set as intended, see Passphrases.

    6. Erase the old Administrator Cards; for more information, see Erase cards and softcards.

Replace an ACS using racs

The racs utility creates a new ACS to replace a set that was created with the new-world utility.

When using the racs utility, you cannot redefine the quantities in a K of N relationship for an ACS. The K of N relationship defined in the original ACS persists in the new ACS.

  1. Ensure the HSM is in operational mode.

  2. Run the racs utility:

    racs [-m|--module=<MODULE>]

    In this command, <MODULE> is the ModuleID of the module to use.

  3. When prompted, insert the appropriate quorum of Administrator Cards to authorize the replacement.

  4. When prompted that racs is writing the new ACS, insert blank cards as necessary on which to write the replacement Administrator Cards.

  5. Additional steps for network-attached HSMs:

    1. If you ran racs on a client machine, ensure that there is a copy of the modified world file on the RFS.

    2. Make a backup of the world file, preferably in a way that distinguishes it from previous backups.

    3. Copy the world file to any other HSMs in the same Security World, for example using the nethsmadmin utility, see Using nethsmadmin to copy a Security World to an nShield HSM and check the current version.

    4. If client cooperation is not enabled, copy the modified world file onto any other client machines where it is needed.

    5. Check that the new Administrator Cards are usable and that their passphrases have been set as intended, see Passphrases.

  6. When you have finished replacing the ACS, erase the old Administrator Cards. For more information, see Erase cards and softcards.
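
The world-file steps in the procedures above (back up the modified world file so that it is distinguishable from earlier backups, then make sure every machine holds the updated copy) can be scripted on the host. The following is an added example, not part of the nShield tooling: the function names are hypothetical, the world file and backup paths are supplied by the caller, and it assumes sha256sum is available.

```shell
#!/bin/sh
# Added example (not nShield tooling): world-file backup and drift check
# after an ACS replacement. All paths are supplied by the caller.

# Print the SHA-256 digest of a file.
world_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy the world file to <dir>/world.<UTC timestamp>.<digest prefix> so each
# backup is distinguishable from earlier ones. Prints the backup path.
backup_world() {
    src=$1 dir=$2
    if [ ! -f "$src" ]; then echo "no world file at $src" >&2; return 1; fi
    digest=$(world_digest "$src") || return 1
    dest="$dir/world.$(date -u +%Y%m%dT%H%M%SZ).$(printf %.12s "$digest")"
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 1; fi
    mkdir -p "$dir" && cp -p "$src" "$dest" || return 1
    # Re-hash the copy before trusting it as a backup.
    if [ "$(world_digest "$dest")" != "$digest" ]; then
        echo "backup does not match source" >&2; return 1
    fi
    chmod a-w "$dest"
    printf '%s\n' "$dest"
}

# Compare a copy of the world file (for example one retrieved from a client)
# with the reference copy. Prints "current" or "stale"; non-zero when stale.
check_world_copy() {
    ref=$1 copy=$2
    if [ -f "$copy" ] && [ "$(world_digest "$copy")" = "$(world_digest "$ref")" ]; then
        echo current
    else
        echo stale
        return 1
    fi
}
```

Run backup_world against the updated world file once the new ACS has been written, then run check_world_copy against each copy gathered from the other machines; any copy reported as stale still describes the old ACS.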