Replace OCS and softcards

Replace Operator Card Sets

Replacing an OCS requires authorization from the ACS of the Security World to which it belongs. You cannot replace an OCS unless you have the required number of cards from the appropriate ACS.

If you have lost a card from a card set, or you want to migrate from standard nShield cards to nShield Remote Administration Cards, you should use one of the following:

The rocs utility
The front panel of the nShield HSM
The KeySafe Replace Operator Card Set option.

Accessed from the Card Operations panel.

You cannot mix standard nShield cards with nShield Remote Administration Cards in the same set.

We recommend that after you have replaced an OCS, you then erase the remaining cards in the old card set and remove the old card set from the Security World. For more information, see Erase cards and softcards

Deleting the information about an OCS from the client or host does not remove the data for keys protected by that card set. On the KeySafe Key Operations panel), such keys are listed as being protected by Deleted Card Set.

To prevent you from losing access to your keys if the smart card you are using as the Operator Card is lost or damaged, Entrust supplies several utilities that can recover the keys protected by the lost Operator Card to another OCS or token.

PCIe and USB HSMs: KeySafe includes an option to replace OCSs on the Card Operations panel (click the Replace OCS navigation button).
PCIe and USB HSMs: rocs command-line utility provides an interactive method or a command-line only method to replace OCSs.

Replacing one OCS with another OCS also transfers the keys protected by the first OCS to the protection of the new OCS.

When you replace an OCS or softcard and recover its keys to a different OCS or softcard, the key material is not changed by the process. The process deletes the original Security World or host data (that is, the encrypted version of the key or keys and the smart card or softcard data file) and replaces this data with host data protected by the new OCS or softcard.

To replace an OCS or softcard, you must:

Have enabled OCS and softcard replacement when you created the Security World

If you did not enable OCS and softcard replacement, or if you created the Security World with an early version of the pkcs-init command-line utility that did not support OCS and softcard replacement, you cannot recover keys from lost or damaged smart cards or softcards.

Have created the original OCS using

the front panel of a network-attached HSM
createocs
createocs-simple
KeySafe
the nShield PKCS #11 library version 1.6 or later

If you initialized the token using ckinittoken from the nShield PKCS #11 library version 1.5 or earlier, you must contact Support to arrange for them to convert the token to the new format while you still possess a valid card.

Have a sufficient number of cards from the ACS to authorize recovery and replacement

All recovery and replacement operations require authorization from the ACS. If any of the smart cards in the ACS are lost or damaged, immediately replace the entire ACS.
Have initialized a second OCS using
- the front panel of a network-attached HSM
- createocs
- createocs-simple
- KeySafe
- the nShield PKCS #11 library version 1.6 or later
The new OCS need not have the same K/N policy as the old set.

If you are sharing the Security World across several client computers (for network-attached HSMs) or host computers (for PCIe HSMs), you must ensure that the changes to the host data are propagated to all your computers. One way to achieve this is to use client cooperation. For more information, see Client cooperation.

Replace OCS from a network-attached HSM front panel

To replace an OCS from the unit front panel, follow these steps:

From the main menu, select Security World mgmt > Admin operations > Recover keys.
Select all to recover all keys in the Security World, or select the application for which you want to recover the keys.
If you selected an application, select the keys that you want to recover.
Insert the required number of Administrator Cards to recover keys, and enter their passphrases if required.
Insert the required number of Operator Cards, and enter their passphrases if required.

When you have inserted the required number of cards, details of the recovered key are displayed.
Check the key details are correct and then scroll down and select Recover key.

You can also select More info to see more information about the keys.

A message is displayed when the keys are recovered.

Replace OCS with KeySafe

In order to replace an OCS, you must have another OCS onto which to copy the first set’s data. If you do not already have an existing second OCS, you must create a new one. For more information, see [CreatingOCS].

When you have a second OCS ready, follow these steps in order to replace the first OCS:

Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)
Click the Card Sets menu button, or select Card Sets from the Manage menu. KeySafe takes you to the List Operator Card Sets panel.

Click Replace card set. KeySafe takes you to the Replace card set panel.

This panel lists existing OCSs in tabular form. For each card set it displays:

Attribute	Description
Name	The name of the card set.
Required (K)	The number of cards needed to re-create a key.
Total (N)	The total number of cards in the set.
Persistent	Indicates whether or not the card set is persistent.
Timeout	The timeout value of the card, in seconds
Recoverable Key Count	The number of private keys protected by this card set that are recoverable.
Nonrecoverable Key Count	The number of private keys protected by this card set that are not recoverable.

Attribute

Description

Name

The name of the card set.

Required (K)

The number of cards needed to re-create a key.

Total (N)

The total number of cards in the set.

Persistent

Indicates whether or not the card set is persistent.

Timeout

The timeout value of the card, in seconds

Recoverable Key Count

The number of private keys protected by this card set that are recoverable.

Nonrecoverable Key Count

The number of private keys protected by this card set that are not recoverable.

You can click and drag with your mouse in order to resize the column widths and to rearrange the column order of this table. Clicking a column heading sorts the rows in ascending order based on that column heading.

Select an OCS that you want to replace, and click Replace card set.

If an OCS does not have any recoverable keys, it cannot be replaced.
KeySafe takes you to the Load Administrator Card Set panel, where it prompts you to insert cards from the ACS in order to authorize the action. Each time you insert an Administrator Card into the smart card of the hardware security module slot, you must click the OK button to load the card.

Only insert your ACS into a module that is connected to a trusted server.
When you have loaded enough cards from the ACS to authorize the procedure, KeySafe takes you to the Load Operator Card Set panel, where it prompts you to insert the OCS that is to protect the recoverable keys (this is the OCS onto which you are copying data from the OCS you are replacing). Each time you insert a card from the new OCS into the smart card slot of the hardware security module, you must click the OK button.

When you have loaded enough cards from the new OCS, KeySafe creates new working versions of the recoverable keys that are protected by this card set.

KeySafe deletes the original host data for all recovered keys and replaces this data with host data that is protected by the new OCS. If there are no nonrecoverable keys protected by the card set, KeySafe also removes the old card set from the Security World. However, if the OCS has nonrecoverable keys, the host data for the original card set and for the nonrecoverable keys is not deleted. These keys can only be accessed with the original OCS. If you want to delete these files, use the Remove OCS option.
When the process is complete, KeySafe displays a dialog indicating that the OCS has been successfully replaced. Click the OK button. KeySafe returns you the Replace Operator Card Set panel, where you may replace another OCS or choose a different operation.

Replace OCS or softcards with rocs

You can use the rocs command-line utility interactively, or you can supply all the parameters using the command line.

Using rocs interactively

Refer to rocs for more details about each of the available commands.

To replace an OCS or recover keys to a softcard:

To exit without completing the replacement or recovery process, press Q and then Enter. The rocs utility returns you to the rocs > prompt without processing any keys.

Launch the rocs interactive mode prompt:
```
rocs
```
Enter the following commands, in order:
1. module <number>
  The number of the HSM you want to use.
2. list cardsets
  Note the number (No.) of the OCS or softcard to which you want to transfer the keys ('target').
3. target <cardset-spec>
  <cardset-spec> is the number of the target OCS or softcard you obtained in the previous step.
  
  Keys protected by an OCS can only be recovered to another OCS, and not to a softcard. Likewise, softcard-protected keys can only be recovered to another softcard, and not to an OCS.
4. list keys
  Note the number (No.) of the keys you want to recover.
5. mark <key-spec> [<key-spec> […]]
  <key-spec> is the number (No.) of the key you want to recover. To recover multiple keys, leave a space between each <key-spec>.
  
  Only mark keys from a different OCS or softcard to the one you selected as the target.
  
  If you selected any keys by mistake, deselect them with unmark ..<key-spec>.
6. recover
  Transfers the marked keys to the target OCS or softcard.
  
  The operation is not permanent at this stage.
When prompted, insert a card from the ACS and enter the passphrase.
Repeat this step until you have loaded the required number of cards.
If you do not have the required number of cards from the ACS, exit the process.

Only insert Administrator Cards into a hardware security module that is connected to a trusted server.
If you are recovering keys to:
an OCS:

+
1. rocs prompts you to insert a card from the first OCS that you have selected as the target. OCSs are processed in ascending numerical order as listed by the list cardsets command.
2. Insert a card from this OCS.
3. rocs prompts you for the passphrase for this card. This action is repeated until you have loaded the required number of cards from the OCS.
a Softcard:

+ If you are recovering keys to a softcard, rocs prompts you for the passphrase for the softcard that you have selected as the target.
When you have loaded the target softcard or the required number of cards from the target OCS, rocs transfers the selected keys to the target OCS or softcard.

If you have selected other target OCSs or softcards, rocs prompts for a card from the next OCS.

Repeat this step for each selected target.
Enter save [<key-spec> […]].
Write the key blobs to disk. If you specify one or more <key-spec> values, only those keys will be saved. If you do not specify a <key-spec>, all keys will be saved.

If you have transferred a key by mistake, you can restore it to its original protection with revert <key-spec> [<key-spec> […]].

Using rocs from the command line

Refer to rocs for more details about each of the available options.

You can select all the options for rocs using the command line by running a command of the form:

rocs -m|--module=<MODULE> [-t|--target=<CARDSET-SPEC>] [-k|--keys=<KEYS-SPEC>] [-c|--cardset=<CARDSET-SPEC>] [-i|--interactive]

Set the values as follows:

<MODULE>: The HSM to use.
(target) <CARDSET-SPEC>: The OCS or softcard to use to protect the keys.
<KEYS-SPEC>: The keys to recover.
(cardset) <CARDSET-SPEC>: This selects all keys that are protected by the named OCS or softcard.

-i\|--interactive starts rocs in interactive mode, even if keys have been selected.

You must specify the target before you specify keys.

You can use multiple --keys=<KEYS-SPEC> and --cardset=<CARDSET-SPEC> options, if necessary.

You can specify multiple targets on one command line by including separate --keys=<KEYS-SPEC> or --cardset=<CARDSET-SPEC> options for each target. If a key is defined by --keys=<KEYS-SPEC> or --cardset=<CARDSET-SPEC> options for more than one target, it is transferred to the last target for which it is defined.

If you have selected a hardware security module, a target OCS or softcard, and keys to recover but have not specified the --interactive option, rocs automatically recovers the keys. rocs prompts you for the ACS and OCS or softcard. For more information, see Using rocs interactively.

If you use rocs from the command line, all keys are recovered and saved automatically. You cannot revert the keys unless you still have cards from the original OCS.

If you do not specify the target and keys to recover, or if you specify the --interactive option, rocs starts in interactive mode with the selections you have made. You can then use further rocs commands to modify your selection before using the recover and save commands to transfer the keys.