ncoreapi modes of operation

This chapter describes the ncoreapi modes of operation.

Modes of operation

The status of ncoreapi can only be one of the following:

| Status | Description |
| --- | --- |
| Starting up | The nShield 5s HSM is booting up and performing self tests. After all tests complete successfully, the HSM enters Operational mode. |
| Operational mode | The nShield 5s HSM is working and ready to perform cryptographic operations. An initialized HSM enters Operational mode automatically after it is powered up and all pre-tests are successfully completed. To enter Operational mode manually, see Check and change the mode of operation. |
| Emulated maintenance mode | The nShield 5s HSM is ready to receive maintenance commands, or is processing a maintenance command. The HSM remains in Emulated maintenance mode until you change mode manually; see Check and change the mode of operation. |
| Pre-initialization mode | The nShield 5s HSM is ready to receive initialization commands, for example commands to set the root-of-trust key (KNSO), to create a Security World, or to load an existing Security World. To enter Pre-initialization mode, see Check and change the mode of operation. |
| Initialization mode | The nShield 5s HSM is processing an initialization command. After the command completes, the HSM returns to Pre-initialization mode. |
| Uninitialized mode | The nShield 5s HSM was booted with no root-of-trust key (KNSO) set. This typically happens after leaving a factory state, see [factory-state]. To resolve this, switch to Pre-initialization mode, set the KNSO and reboot the HSM. |
| Error | The nShield 5s HSM is in an error state; see HSM status indicators and error codes (nShield 5s). No cryptographic operations can be performed until this error has been cleared. |

Check and change the mode of operation

You must change the mode on the nShield 5s HSM to perform certain maintenance and configuration tasks. The nShield 5s HSM does not have a physical mode switch. Switch between modes using the nopclearfail utility.

When changing the mode, you should wait a few seconds before issuing subsequent commands. These commands might fail if issued before nopclearfail has completed.

Use the following commands to change the mode of an nShield 5s HSM:

| Command | Resulting mode |
| --- | --- |
| nopclearfail --maintenance (or -M) | Emulated maintenance mode |
| nopclearfail --operational (or -O) | Operational |
| nopclearfail --initialization (or -I) | Pre-initialization |

  1. Run the nopclearfail command specifying the module number and the new mode.

     When finished, the system responds with OK. This message is not confirmation that the module has changed mode.

         nopclearfail --maintenance --module 1
         Module 1, command ClearUnitEx: OK

  2. Confirm the new mode of the module by running the enquiry command.

     The mode line of the Module section displays the current mode.

         enquiry -m1
         Module #1:
         enquiry reply flags  none
         enquiry reply level  Five
         serial number        XXXX-XXXX-XXXX
         mode                 Emulated maintenance mode. hsmadmin may be used to perform module management whilst in this mode.
         module type code     14
         product name         NC5536E/NC5536N
         device name          #1 Secure Shell nshield-XXXX-XXXX-XXXX.local
         hardware status      OK
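Because the OK from nopclearfail does not confirm the mode change, scripted maintenance should poll the mode line before continuing. The following is an added example, not part of the vendor documentation: the function names and the ENQUIRY, NOPCLEARFAIL and POLL_INTERVAL variables are hypothetical, and the expected mode text must be copied from your own enquiry output.

```shell
#!/bin/sh
# Added example (not vendor code): change an nShield 5s mode and confirm it.
# Assumes nopclearfail and enquiry are on PATH. The function names and the
# ENQUIRY, NOPCLEARFAIL and POLL_INTERVAL variables are hypothetical helpers.

# Read `enquiry` output on stdin; print the mode text for module $1.
mode_from_enquiry() {
    awk -v n="$1" '
        /:[ \t]*$/ { in_mod = (($1 " " $2) == ("Module #" n ":")); next }
        in_mod && $1 == "mode" { $1 = ""; sub(/^ +/, ""); print; exit }
    '
}

# Poll until the mode line starts with the expected text.
# $1 = module number, $2 = expected mode text, $3 = attempts (default 10)
wait_for_mode() {
    module=$1 expected=$2 tries=${3:-10} current=
    while [ "$tries" -gt 0 ]; do
        sleep "${POLL_INTERVAL:-2}"   # give nopclearfail time to complete
        current=$(${ENQUIRY:-enquiry} "-m$module" 2>/dev/null |
                  mode_from_enquiry "$module")
        case $current in
            "$expected"*) echo "module $module: $current"; return 0 ;;
        esac
        tries=$((tries - 1))
    done
    echo "module $module: mode is '$current', expected '$expected'" >&2
    return 1
}

# $1 = module number, $2 = nopclearfail mode flag, $3 = expected mode text
change_mode() {
    # "OK" here only means the command was accepted, so verify afterwards.
    ${NOPCLEARFAIL:-nopclearfail} "$2" --module "$1" || return 1
    wait_for_mode "$1" "$3"
}

# Typical call, using the mode text shown in the enquiry output on this page:
#   change_mode 1 --maintenance "Emulated maintenance mode"

# Offline demo on a constructed sample of enquiry output:
printf 'Module #1:\n mode   Emulated maintenance mode.\n' | mode_from_enquiry 1
```

A non-zero return from change_mode means the module never reported the requested mode, so any following maintenance or initialization step should be skipped.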