Security World Files
Location of Security World files
The logic for finding the Security World data directory is:

- If NFAST_KMLOCAL is set, use that.
- Otherwise, if NFAST_KMDATA is set, use ${NFAST_KMDATA}/local on Linux, %NFAST_KMDATA%\local on Windows.
- Otherwise, if NFAST_HOME is set, use ${NFAST_HOME}/kmdata/local on Linux, %NFAST_HOME%\kmdata\local on Windows.
- Otherwise, use /opt/nfast/kmdata/local on Linux, C:\nfast\kmdata\local on Windows.
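The precedence above, written out as a small POSIX shell helper for Linux hosts. This is an added example, not part of the Entrust nShield software; the function names (nfast_kmlocal_dir, nfast_kmlocal_source, nfast_kmlocal_report) are this example's own, and the Windows paths appear only in comments because the lookup there uses %VAR% expansion rather than a shell function.

```shell
#!/bin/sh
# Added example, not part of the Entrust nShield software: resolve the
# Security World data directory on Linux using the precedence listed above.

# Print the directory that the precedence rules select.
nfast_kmlocal_dir() {
    if [ -n "${NFAST_KMLOCAL:-}" ]; then
        # 1. NFAST_KMLOCAL wins outright.
        printf '%s\n' "$NFAST_KMLOCAL"
    elif [ -n "${NFAST_KMDATA:-}" ]; then
        # 2. ${NFAST_KMDATA}/local          (Windows: %NFAST_KMDATA%\local)
        printf '%s\n' "${NFAST_KMDATA}/local"
    elif [ -n "${NFAST_HOME:-}" ]; then
        # 3. ${NFAST_HOME}/kmdata/local     (Windows: %NFAST_HOME%\kmdata\local)
        printf '%s\n' "${NFAST_HOME}/kmdata/local"
    else
        # 4. Built-in default               (Windows: C:\nfast\kmdata\local)
        printf '%s\n' "/opt/nfast/kmdata/local"
    fi
}

# Print which rule decided the directory, so an unexpected location can be
# traced back to the environment variable that caused it.
nfast_kmlocal_source() {
    if [ -n "${NFAST_KMLOCAL:-}" ]; then printf 'NFAST_KMLOCAL\n'
    elif [ -n "${NFAST_KMDATA:-}" ]; then printf 'NFAST_KMDATA\n'
    elif [ -n "${NFAST_HOME:-}" ]; then printf 'NFAST_HOME\n'
    else printf 'default\n'
    fi
}

# Report the resolved directory and whether the calling user can read it
# (needed to use the world) and write it (needed to create OCS or keys).
# Returns 1 if the directory does not exist.
nfast_kmlocal_report() {
    dir=$(nfast_kmlocal_dir)
    printf 'kmdata local dir: %s (selected by %s)\n' "$dir" "$(nfast_kmlocal_source)"
    if [ ! -d "$dir" ]; then
        printf '  directory does not exist\n'
        return 1
    fi
    if [ -r "$dir" ]; then printf '  readable: yes\n'; else printf '  readable: no\n'; fi
    if [ -w "$dir" ]; then printf '  writable: yes\n'; else printf '  writable: no\n'; fi
    return 0
}
```

Source the file and call nfast_kmlocal_report on a client to confirm which directory the software will actually use; an NFAST_KMLOCAL or NFAST_KMDATA left over in a service account's environment is a common reason for a host to look at a different (and possibly stale) set of world files than the one you updated.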
By default, the Key Management Data directory and its sub-directories inherit permissions from the user that creates them. Installation of the Security World Software must be performed by a user with Administrator rights that allow read and write operations, and the starting and stopping of applications.
Security World operations create or modify Security World files as follows:
Operation | creates/modifies | file(s)
---|---|---
Create a Security World | creates |
Load a Security World | creates or modifies |
Replace an ACS | modifies |
Create an OCS | creates |
Create a softcard | creates |
Generate a key | creates |
Recover a key | modifies |
- <ESN> - Electronic serial number of the module on which the Security World is created.
- <HKML> - Hash of the long-term key in the module.
- <IDENT> - Identifier given to the card set or key when it is created.
- <NUMBER> - Number of the card in the card set.
- <APPNAME> - Name of the application by which the key was created. It is a 40-character string that represents the hash of the card set's logical token. It is either user supplied or a hash of the key's logical token, depending on the application that created the key.
Make keys and cards available from the front panel (network-attached HSMs)
If you want to make cards or keys that are normally created from the client available from the module's front panel, we recommend that you use client cooperation to automate the copying of files to the module. For information about configuring client cooperation, see Client cooperation.
If you do not use client cooperation, you must manually copy the appropriate card and key files from the client or host on which the card set or key was created to /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows) on the remote file system.
These files must then be updated on the module by selecting Security World mgmt > RFS operations > Update World files from the main menu.
To be able to create Operator Cards or keys, the user on the client must have write permission for this directory. All other valid users must have read permission.
Required files
The following files must be present and up to date in the /opt/nfast/kmdata/local (Linux) or %NFAST_KMDATA%\local (Windows) directory, or the directory specified by the NFAST_KMLOCAL environment variable, for a client or host to use a Security World:

- world
- A module_<ESN> file for each module that this host uses
- A module_<ESN>_<HKML> file for each module that this host uses
- A cards_<IDENT> file for each card set that is to be loaded from this host
- A card_<IDENT>_<NUMBER> file for each card in each card set that is to be loaded from this host
- A key_<APPNAME>_<IDENT> file for each key that is to be loaded from this host
These files are not updated automatically. You must ensure that they are synchronized whenever the Security World is updated on the module.
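Because the files are not synchronized automatically, a check that runs on the client after each world update is useful. The following POSIX shell function is an added example, not an Entrust tool: it applies the list of required files above to a given kmdata local directory. The function name nfast_missing_world_files, the argument order (DIR, ESN, optional HKML) and the sample ESN and HKML values used in comments are this example's own; the file name patterns are the ones the page gives.

```shell
#!/bin/sh
# Added example, not part of the Entrust nShield software: list the files
# from the "Required files" list that are missing from a kmdata local
# directory. File name patterns follow the page: world, module_<ESN>,
# module_<ESN>_<HKML>, cards_<IDENT>, card_<IDENT>_<NUMBER>.
#
# Usage: nfast_missing_world_files DIR ESN [HKML]
# Prints one missing file name per line and returns the number of missing
# files (0 means nothing is missing). When HKML is not given, any
# module_<ESN>_* file is accepted for that module.
# Example (constructed values): nfast_missing_world_files /opt/nfast/kmdata/local 1234-5678-9ABC 0123abcd

nfast_missing_world_files() {
    dir=$1
    esn=$2
    hkml=${3:-}
    missing=0

    # The world file and the per-module file this host needs.
    for name in world "module_${esn}"; do
        if [ ! -f "$dir/$name" ]; then
            printf '%s\n' "$name"
            missing=$((missing + 1))
        fi
    done

    # The module_<ESN>_<HKML> file: exact name if HKML is known, else any match.
    if [ -n "$hkml" ]; then
        if [ ! -f "$dir/module_${esn}_${hkml}" ]; then
            printf '%s\n' "module_${esn}_${hkml}"
            missing=$((missing + 1))
        fi
    else
        set -- "$dir"/module_"${esn}"_*
        if [ ! -f "$1" ]; then
            printf '%s\n' "module_${esn}_<HKML>"
            missing=$((missing + 1))
        fi
    fi

    # Each card set file needs at least one card file, or the card set
    # cannot be loaded from this host.
    for cardset in "$dir"/cards_*; do
        [ -f "$cardset" ] || continue
        ident=${cardset##*/cards_}
        set -- "$dir"/card_"${ident}"_*
        if [ ! -f "$1" ]; then
            printf '%s\n' "card_${ident}_<NUMBER>"
            missing=$((missing + 1))
        fi
    done

    # Each card file needs its card set file; a card file copied without its
    # cards_<IDENT> file is reported as that missing card set file.
    for card in "$dir"/card_*; do
        [ -f "$card" ] || continue
        rest=${card##*/card_}
        ident=${rest%_*}
        if [ ! -f "$dir/cards_${ident}" ]; then
            printf '%s\n' "cards_${ident}"
            missing=$((missing + 1))
        fi
    done

    return "$missing"
}
```

Run it once per module ESN that the host uses; a non-zero return value from a post-update hook is a cheap way to catch a client whose copy of the world files fell behind the module. Key files (key_<APPNAME>_<IDENT>) are not checked because nothing in the directory itself says which keys the host is expected to load.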