Creating and managing Security Worlds

This section explains how to create and manage Security Worlds.

Creating a Security World

Before you begin, ensure you have enough smart cards to create the ACS needed in the Security World.

When you create a Security World, you generate the cryptographic key that protects the TSA keys and OCSs that are later created and used. To create a new Security World, see the Creating a Security World using new-world section of the User Guide for your HSM.

When creating a Security World, it is necessary to enable the SEEDebugForAll feature by specifying dseeall.

Currently, TSS only supports creation of TSA keys. However, future versions of the TSS may support the creation of keys for which the key recovery option is desirable. We therefore recommend that you select Yes. If the Security World supports key recovery, it is always possible to create a key with recovery disabled, but if the Security World does not support key recovery, then you cannot create a key with recovery enabled without reinitializing your Security World and discarding all your existing keys.

Once the Security World has been created, SEE delegation will need to be performed, see Security World: SEE delegation.

If you discover at any time that one or more of the cards in your Security World’s ACS has been damaged or lost, use the command-line utility racs.exe to create a new set immediately. See the User Guide for your HSM for more information about replacing a ACS. If further cards are damaged or lost, you may not be able to re-create your Security World.

Replacing a Security World

You can, if necessary, replace a Security World. Replacing an existing Security World in this way does not delete the Security World’s host and recovery data. It renames the existing local directory within %NFAST_KMDATA% directory in which these reside as local<nn> (where <nn> is an integer, 0 or greater, depending on how many Security Worlds have been previously saved).

Operator cards

Any Operator Cards created in a previous Security World cannot be used in a new Security World.

If you are replacing a Security World, you must erase all Operator Cards created in the previous Security World before you create the new Security World.

However, if you want to discard a Security World, we recommend that you erase all your Operator Cards first or create a backup of the %NFAST_KMDATA% directory.

Joining an existing Security World

To add a new module into your Security World, or to restore an existing module after a firmware upgrade, it is necessary to reprogram the module. See the section Adding an HSM to a Security World with new-world of the User Guide for your HSM for more information.

In order to use an existing Security World, the Security World will need to have been created with the SEEDebugForAll feature enabled. In addition, SEE delegation will need to be performed, for instructions see Security World: SEE delegation.

Security World: SEE delegation

As a Security Officer, you can use the Server Management > SEE Delegation option to give the TSS SEE machine the permanent ability to set the real-time clock (RTC), to allocate nonvolatile memory (NVRAM), and to originate keys. When the SEE delegation operation is complete, the delegation certificate signatures are stored in the file %NFAST_KMDATA%\local\dsedelegation.

If you lose the dsedelegation file, use the Server Management > SEE Delegation option to re-create the appropriate privileges.

Viewing the Security World status

To view the status information of your Security World and its ACS, navigate to About and examine the nfkminfo output. See the nfkminfo: information utility section of the User Guide for your HSM for more information.