System upgrade
Terms used in this topic
- software: Security World software running on the PC in which the HSM is installed
- firmware: Security World firmware running on the HSM
You can upgrade software and firmware independently of each other.
Software and firmware compatibility
In general, Entrust recommends that you use the software and firmware from the same version of Security World. The system is designed to be backwards compatible, so it will still operate with differing versions of software and firmware, but some functionality may not be available and you may receive warnings during operation.
This user guide describes the behaviour of v13.5 software interacting with v13.5 firmware. Some areas where functionality differs depending on the version of firmware loaded are also described in this guide but it is not possible to describe all possible combinations of software and firmware.
Release notes and user guides for each Security World release are available from the Entrust website. Together with Entrust Support, these will help you if you experience any problems when operating with differing versions of software and firmware.
System upgrade procedure
When upgrading the whole system, Entrust recommends that you always upgrade the host software before upgrading the HSM firmware. This is not mandatory, and you may upgrade the firmware first if you wish.
Always read the release notes accompanying the Security World release before upgrading any part of the system, as these may include additional upgrade steps.
If the Version Security Number (VSN) of the firmware has been increased, it may not be possible to roll back the firmware to the previous version after upgrade. See Version Security Number for more information.
Upgrade software
For Security World software upgrades, you do not need to delete key data or any existing Security World. If you do delete Security World data, it cannot be restored unless you have an up-to-date backup and a quorum of the Administrator Card Set (ACS) available.
Before upgrading software
You must perform these steps if you are planning to re-install the Security World software, for example to re-install it on the same machine after an operating system update, or to install a newer Security World software version as part of an upgrade.
Performing these steps is useful even if you are not planning a re-install because it preserves data that you would otherwise irretrievably lose when you uninstall the Security World software.
- (Only if you are using the nShield PKCS #11 library) Back up the cknfastrc file by copying it to external media or to a location not within the Security World installation.
- (Linux only) Back up your Security World and nShield configuration files stored in /opt/nfast/kmdata/ and /opt/nfast/hardserver.d by copying them to external media or to a location not within /opt/nfast.
  When you are upgrading the Security World, you will also restore the backup to preserve your PKCS #11 and Soft KNETI authentication settings and any customizations. If you delete the /opt/nfast or $NFAST_HOME directory without making a copy of it, you will lose these configuration settings. When you are restoring a Security World from a backup, you will need to maintain permissions.
- (nShield 5s only) Back up your SSH keys, see Making a backup of installed SSH keys:
  - If you are planning a clean reinstallation of the Security World software on the same machine and same operating system, back up your SSH keys in /opt/nfast/services using hsmadmin keys backup.
  - If you are planning to re-create the Security World on a different machine or after re-installing the operating system, use hsmadmin keys backup --passphrase. hsmadmin keys backup alone is only suitable for a local backup followed by a local restore on the same machine and same operating system.
  If you erase your SSH keys without making a backup you will need to use recovery mode, see Recovery mode to restore communication with the HSM. This will return the HSM to factory state, see Factory state.
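The Linux-only step above (copy kmdata and hardserver.d out of the installation, and keep permissions on restore) can be scripted as follows. This is an added example, not Entrust code: the function names are hypothetical, NFAST_HOME is assumed to default to /opt/nfast, and GNU tar and sha256sum are assumed to be available.

```shell
#!/bin/sh
# Added example (not Entrust code). NFAST_HOME defaults to /opt/nfast, the
# installation path used on this page; function names are hypothetical.

# backup_nfast_config DEST_DIR: archive kmdata and hardserver.d into DEST_DIR
# and print the archive path.
backup_nfast_config() {
    dest=$1
    home=${NFAST_HOME:-/opt/nfast}
    # A backup stored inside the installation is lost when it is removed.
    case "$(cd "$dest" && pwd -P)/" in
        "$(cd "$home" && pwd -P)"/*)
            echo "refusing: $dest is inside $home" >&2
            return 1 ;;
    esac
    archive="$dest/nfast-config-$(date +%Y%m%d-%H%M%S).tar"
    # -p records permission bits; umask 077 keeps the archive itself private.
    ( umask 077 && tar -C "$home" -cpf "$archive" kmdata hardserver.d ) || return 1
    # Checksum stored beside the archive so later corruption is detectable.
    ( cd "$dest" && sha256sum "${archive##*/}" > "${archive##*/}.sha256" ) || return 1
    echo "$archive"
}

# verify_nfast_backup ARCHIVE: succeed only if the checksum matches and both
# directories are present in the archive.
verify_nfast_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c "${1##*/}.sha256" >/dev/null ) || return 1
    listing=$(tar -tf "$1") || return 1
    echo "$listing" | grep -q '^kmdata/' || return 1
    echo "$listing" | grep -q '^hardserver.d/'
}

# restore_nfast_config ARCHIVE: unpack into NFAST_HOME; -p reapplies the saved
# permission bits, and ownership is reapplied when run as root.
restore_nfast_config() {
    tar -C "${NFAST_HOME:-/opt/nfast}" -xpf "$1"
}
```

Run verify_nfast_backup on the archive before uninstalling the old software, and again on the copy you restore from.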
Reinstall Security World software
Software upgrade is performed by uninstalling the old software as described in Uninstalling Security World Software and then installing the new software as described in Install the Security World software.
After upgrading software
- Copy back any data that was manually backed-up as part of the procedures in Before upgrading software to the locations from which it was copied.
- (nShield 5s only) Restore communication with the HSM by following the procedures at restoring SSH keys from backup.