Security World Files

Location of Security World files

The logic for finding the security world data directory is:

  1. If NFAST_KMLOCAL is set, use that.

  2. Otherwise, if NFAST_KMDATA is set, use ${NFAST_KMDATA}/local on Linux, %NFAST_KMDATA%\local on Windows.

  3. Otherwise, if NFAST_HOME is set, use ${NFAST_HOME}/kmdata/local on Linux, %NFAST_HOME%\kmdata\local on Windows.

  4. Otherwise, use /opt/nfast/kmdata/local on Linux, C:\nfast\kmdata\local on Windows.

By default, the Key Management Data directory, and sub-directories, inherit permissions from the user that creates them. Installation of the Security World Software must be performed by a user with Administrator rights that allow read and write operations, and the starting and stopping of applications.

Security World operations create or modify Security World files as follows:

Operation creates/modifies file(s)

Create a Security World

creates

  • world

  • module_ESN (see note)

  • module_ESN_HKML (see note)

Load a Security World

creates or modifies

  • module_ESN (see note)

  • module_ESN_HKML (see note)

Replace an ACS

modifies

world

Create an OCS

creates

  • card_HASH

  • cards_HASH_NUMBER

Create a softcard

creates

softcard_HASH

Generate a key

creates

key_APPNAME__IDENT

Recover a key

modifies

key_APPNAME (for each key that has been recovered)

  • <ESN> - Electronic serial number of the module on which the Security World is created.

  • <HKML> - Hash of the long term key in the module.

  • <IDENT> - Identifier given to the card set or key when it is created.

  • <NUMBER> - Number of the card in the card set.

  • <APPNAME> - Name of the application by which the key was created. It’s a 40-character string that represents the hash of the card set’s logical token. It’s either user supplied or a hash of the key’s logical token, depending on the application that created the key.

module_ESN and module_ESN_HKML are created or modified for each module in the Security World.

module_ESN_HKML and module_ESN.old might exist as backups of module_ESN, taken when a Security World was previously loaded.

Make keys and cards available from the front panel (network-attached HSMs)

If you want to make cards or keys which are normally created from the client available from the module’s front panel, we recommend that you use client co-operation to automate the copying of files to the module. For information about configuring client co-operation, see Client cooperation.

If you do not use client cooperation, you must manually copy the appropriate card and key files from the client or host on which the card set or key was created to the remote file system of /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows). These files must then be updated on the module by selecting Security World mgmt > RFS operations > Update World files from the main menu.

To be able to create Operator Cards or keys, the user on the client must have write permission for this directory. All other valid users must have read permission.

Required files

The following files must be present and up to date in the /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows) directory, or the directory specified by the NFAST_KMLOCAL environment variable, for a client or host to use a Security World:

  • world

  • A module_ESN file for each module that this host uses

  • A module_ESN_HKML file for each module that this host uses

  • A cards_<IDENT> file for each card set that is to be loaded from this host

  • A card_<IDENT>_NUMBER file for each card in each card set that is to be loaded from this host

  • A key_<APPNAME>_<IDENT> file for each key that is to be loaded from this host.

These files are not updated automatically. You must ensure that they are synchronized whenever the Security World is updated on the module.