Professional Documents
Culture Documents
Guide Windows
Version:
Date:
5.5
03 November 2005
Copyright 2005 nCipher Corporation Limited, Cambridge, United Kingdom.
Neither the whole nor any part of the information contained in this document may be adapted or
reproduced in any material or electronic form without the prior written consent of the copyright holder.
nCipher, nForce, nShield, payShield, nCore, nToken, nFast Ultra, nForce Ultra,
netHSM, KeySafe, CipherTools, CodeSafe, keyAuthority, SEE, and the SEE logo are
trademarks of nCipher Corporation Limited.
nFast and the nCipher logo are registered trademarks of nCipher Corporation Limited.
All other trademarks are the property of the respective trademark holders.
Information in this document is subject to change without notice.
nCipher Corporation Limited makes no warranty of any kind with regard to this information, including,
but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher
Corporation Limited shall not be liable for errors contained herein or for incidental or consequential
damages concerned with the furnishing, performance or use of this material.
Contents
Chapter 1:
Chapter 2:
Chapter 3:
Introduction
10
General information
10
Audience
11
11
Conventions
13
Additional Documentation
16
Further information
16
18
Security
20
Application independence
24
Platform independence
25
Flexibility
25
Robustness
31
Scalability
34
35
37
37
Risks
38
39
39
Chapter 4:
Chapter 5:
Chapter 6:
Chapter 7:
40
43
46
51
56
64
71
76
76
78
79
Uninstalling
82
82
83
83
Hardserver settings
84
84
Remote slots
84
SEE machines
85
85
96
98
Identifying modules
98
99
Adding a module
100
Chapter 8:
Chapter 9:
Chapter 10:
Chapter 11:
100
101
Available Features
101
payShield features
103
104
Enabling features
105
108
CodeSafe/C applications
108
Using KeySafe
109
Starting KeySafe
109
111
Errors
120
123
123
125
129
154
155
162
165
166
179
185
Chapter 12:
Chapter 13:
Chapter 14:
Chapter 15:
187
187
190
191
193
193
194
200
200
202
218
220
221
226
Help options
226
anonkneti
227
cfg-reread
228
enquiry
229
floodtest
238
hardserver
242
initunit
244
loadkeys
246
key-xfer-im
250
loadrom
253
mk-reprogram
255
Appendix A:
ncversions
257
new-world
259
nvram-backup
266
nvram-sw
272
payshield-config
278
payshield-info
280
payshield-install
283
postrocs
286
ppmk
287
preload
290
racs
301
rfs-setup
302
rfs-sync
304
rtc
307
slotinfo
310
sppupgradekeys
312
stattree
314
323
323
324
325
Key data
325
326
PCI modules
327
329
Appendix B:
330
330
335
CipherTools CD-ROM
335
CodeSafe CD-ROM
336
337
338
338
338
339
Appendix C:
Environment variables
340
Appendix D:
343
343
348
349
Hardserver debugging
350
350
352
Appendix E:
Installed Utilities
354
Appendix F:
361
362
Default settings
363
363
363
Further Information
364
382
385
Chapter 1: Introduction
General information
This guide describes how to use an nShield, payShield or payShield
Ultra hardware security module (or HSM) to protect and accelerate
the performance of the longterm cryptographic keys that are used by
your applications, including payment and related applications on
payShield modules.
In this guide, the term nShield refers to any of the nShield, payShield
or payShield Ultra modules. Information specific to the payShield and
payShield Ultra modules is clearly marked.
nCipher modules use the security world paradigm to provide a secure
environment with both application independence and platform
independence for all your module and key management operations.
Security worlds have the flexibility and scalability to suit your needs,
while also providing the robustness that is needed for every day
operation as a key component in your IT infrastructure.
Standard nCipher security worlds need to be prepared for use with
payShield applications. Although it is possible to convert an existing
security world for use with payShield, nCipher recommends that you
create a new security world and then follow the instructions in
payShield security world properties on page 191. Be sure to create
back up copies of any existing data in your kmdata directory before
creating a new security world, or attempting to convert an existing
security world.
All nCipher modules support standard cryptography frameworks and
can be quickly integrated with many standards based products.
10
1 Introduction
Audience
Audience
Read this guide if you need to configure or administer an nShield or
payShield module, and you use or require an nCipher security world
to protect your keys.
This guide assumes that you are familiar with the basic concepts of
cryptography and Public Key Infrastructure (PKI).
This guide assumes that you have read the Hardware Installation
Guide and that you have installed your nShield or payShield module.
11
1 Introduction
12
1 Introduction
Conventions
Conventions
nCipher modules
The following terms are used to distinguish different module versions:
Term
Model number
Used for
nCnnnnP-nnn
nC2022p-000 or
nC2023p-000
an nCipher nToken
module (PCI interface).
nHnnnn
acceleration-only module
nC10nnX-nnn
key-management module
nC30nnX-nnn,
nC40nnX-nnn, or
nHnnnn
nC3033P-1600
13
1 Introduction
Conventions
Version numbers
The version number shown on the copyright page and at the bottom
of each page in this guide is the version number of this document.
Please quote this version number if you contact Support at nCipher
with queries about nCipher documentation.
nCipher software
The hardserver software controls communication between
applications and nCipher modules, which may be installed locally or
remotely. It runs as a service on the host computer.
The nCipher support software is a collection of programs and utilities,
including the hardserver, supplied by nCipher to install and maintain
your nCipher security system.
Default directory
By default, nCipher software is installed in the /opt/nfast/ (Unix) or
C:\nfast (Windows) directory, referred to as the nCipher directory.
Instructions in this guide are given on the assumption that nCipher
software was installed in this location. If you install the software in
another directory, you must set the environment variable
NFAST_HOME to point to the directory where the software is
installed. You can choose to install nCipher software in another
location, in which case you must substitute your location accordingly.
An environment variable, NFAST_HOME, is used to specify the
default location for nCipher software. For further information on
setting environment variables, refer to Setting the environment
variables on page 49.
14
1 Introduction
Conventions
Typographical conventions
Note
install
Keyboard keys that you must type are represented like this: Enter ,
Ctrl - C .
15
1 Introduction
Additional Documentation
Additional Documentation
This guide forms one part of the information and support provided by
nCipher. The following documents are produced to support nCipher
products, and the guides for your product can be found in the
document directory of the CD-ROM for that product:
Guide
PDF file
Hardware_Installation.pdf
nShield_Operator.pdf
CodeSafe_C_Developer.pdf
Integration_Guide.pdf
nCore_Developer_Guide.pdf
nCore_Developer_Ref.pdf
payShield_Developer_Ref.pdf
Key-loading_Solution.pdf
Further information
Release notes containing the latest information about the nCipher
products are available in the release directory of the CD-ROM.
16
1 Introduction
Further information
17
security
application independence
platform independence
flexibility
robustness
scalability.
The security world infrastructure lets you perform and control all
these activities under your chosen security policy.
A security world consists of:
18
19
Figure 1
Security
Security
Most importantly, a key-management system must store keys
securely. Security must be designed into the system from the start; it
cannot be added later.
The nCipher security world has been designed to ensure that keys
remain secure throughout their life cycle. The security world uses
multiple interlocking keys, and because of this, each key is always
protected by another key, even during recovery operations.
20
Security
Note
Note
Note
21
Security
22
Security
23
Application independence
Application independence
A security world can protect keys for any nCipher-aware software.
Each key belongs to a specific application and is only ever used by
that application. However, within a single security world, every key
can belong to a different application. Keys are stored along with any
additional data that is required by the application.
You do not need to specify which applications you will use. You can
add a key for any supported application at any time.
The security world requires no knowledge of how the key will be used
by an application. A security world controls the protection for the key;
the application determines how it is used.
Although keys belong to a specific application, Operator Card Sets do
not. If a user requires keys for different applications, they can all be
protected under the same Operator Card Set.
Figure 2 illustrates this.
Figure 2
24
Platform independence
Platform independence
A security world is completely platform independent. All key
information is stored in nCipher's proprietary format. This format can
be read by any computer supported by nCipher, regardless of the
native format used by that computer. This means that you can safely
move a security world between platforms, even between platforms
with differing native formats. For example, you can move a security
world between Windows and UNIX platforms. You can also include
hosts running different operating systems in the same security world.
Note
Flexibility
Within a security world, you can choose the relevant level of
protection for each application key that you create.
When you create a security world, a cryptographic key is generated
that protects the application keys and Operator Card Sets in the
created security world. You can choose to make this security world
key can be a Triple DES (Data Encryption Standard) or an AES
(Advanced Encryption Standard) key.
25
Flexibility
26
Flexibility
You can only recover card sets that were created with the recovery
option explicitly set.
27
Flexibility
working card fails, retrieve the spare card from the safe and use it until
you re-create a new set of two cards, as described in Replacing an
Operator Card Set or recovering keys to softcards on page 32.
Note
You can only recover card sets that were created with the recovery
option explicitly set.
28
Flexibility
Keys that are protected by a given Operator Card Set cannot be shared
simultaneously between a large pool of modules.
Therefore, the security world architecture gives you the option of
making an Operator Card Set persistent. This means that the keys
protected by a card persist after the card has been removed. This
enables you to use the same smart card in several modules
simultaneously. It also means that several users can load keys onto the
same module at the same time. The nCipher support software
maintains strict separation between the keys loaded by each user, and
each user only has access to the keys protected by their Operator Card
Set.
Keys protected by a persistent card are automatically removed from
the module:
Note
when the application that loaded the Operator Card Set closes the
connection to the module.
after a time limit that may be specified when the card set is
created.
29
Flexibility
30
Robustness
Robustness
If you are using cryptography in a production environment, you need
to know that it will work 24 hours a day, 7 days a week. If something
goes wrong, you must be able to recover without compromising your
security. An nCipher security world offers all of these features.
31
Robustness
Replacing a module
If you have a problem with a module, you can replace it with a new
module by using the Administrator Card Set and the recovery data to
load the security world key securely. Use the same mechanism to
reload the security world key if you need to upgrade the firmware in
the module or if you need to add extra modules to the security world.
32
Robustness
Note
33
Scalability
Similarly, if you choose to create recovery data when you generate the
security world or key, it cannot be removed later in a secure manner.
The recovery data for application keys is kept separate from the
recovery data for the security world key. The security world always
creates recovery data for the security world key. It is only the recovery
of application keys that is optional.
Scalability
A security world is scalable. You can add multiple modules to a server
and share a security world across multiple servers. You can also add
Operator Card Sets and application keys at any time. You do not need
to make any decisions about the size of the security world when you
create it.
To share a security world across multiple servers:
use the recovery data and the Administrator Card Set to load the
required cryptographic keys securely onto every module.
If you want to have access to the same keys on every server, you must
ensure that all changes to the data are propagated to the remaining
servers. If your are part of a cluster, then the tools provided by the
cluster should synchronize the data. If the servers are connected by a
network, then they could all access the same copy of the data. There
is no risk of an attacker obtaining information by snooping on the
network, as the data is only ever decrypted inside a module.
Alternatively, you can maintain copies of the data on different servers.
It is now possible to allow non-netHSM modules to automatically
access the remote file system (RFS) used by netHSM and payShield
NET modules and to share security world and key data stored in the
34
kmdata directory. Client modules that access data in this way are
Load sharing
If you have more than one module on your system and you load the
same key onto each module, your nCipher-aware applications can
make use of the load sharing features in the nCipher server to share
the cryptography between them.
Note
35
Note
This option provides compliance with the roles and services of the
FIPS 140- 2 level 3 standard. It is included for those customers who
have a regulatory requirement for compliance.
KeySafe does not provide tools to back up and restore the host data or
update module firmware, nor does KeySafe provide tools to
synchronize host data between servers. These functions can be
performed with your standard system utilities.
In addition to KeySafe, nCipher also supplies command-line utilities
to manage the security world. Current versions of these tools can be
used interchangeably with the current version of KeySafe.
36
37
Risks
Risks
Even the best-designed tools cannot offer security against every risk.
Although a security world can control which user has access to which
keys, it cannot prevent a user from using a key fraudulently. For
example, a security world can only determine whether a user is
authorized to use a particular key; it cannot determine whether the
message being sent with that key is accurate.
A security world can only manage keys that were created inside the
security world; keys created outside a security world, even if imported
into the security world, may remain exposed to a security risk.
Most failures of security systems are not the result of inherent flaws
in the system, but result from carelessness on the part of the users. The
following basic rules apply to any security system:
Note
If you have any doubts about the security of a key and/or security
world, you should replace that key and/or security world with a newly
generated one.
38
2.
3.
4.
5.
6.
7.
8.
39
Do not start the installation procedure until you have this information.
40
41
You must install the hwsp Hardware Support bundle. If the hwsp
Hardware Support bundle is not installed, your module cannot
function.
Note
The nfdrv Windows device drivers component, required if you are using
an nCipher PCI card, is installed as part of the hwsp Hardware Support
bundle.
42
The Core Tools bundle includes the tclsrc Tcl run time component that
installs a run-time Tcl installation within the nCipher directories.
This is used by nCiphers tools for creating the security world, by
KeySafe, and by the new-world utility. This does not affect any other
installation of Tcl on your computer.
See Appendix B: Components on nCipher CD-ROMs for details of
the optional components. Ensure that you have identified those that
you require before you start the installation.
Note
43
nCipher supplies Windows 2000 Plug and Play drivers for the nCipher
module. These drivers have also been tested with Windows 2003
Server.
Take the following steps to install the nCipher server and associated
software:
1.
2.
Note
4.
44
Note
Click the Next button, and the installer installs and performs basic
configuration of the selected components.
Do not run the nCipher CSP installation wizard before you have
successfully installed the module.
When run, this wizard:
a.
b.
You must install this version of the nCipher CSP to work with this
version of the nCipher software, even if you have a previous version
of the nCipher CSP installed.
For more information on using the nCipher CSP with IIS
(Internet Information Service) and Microsoft Certificate Server,
see the appropriate Operator Guide for your module and the
relevant application guide.
Click the Next button to continue the installation.
45
Note
7.
8.
If you chose to install the nCipher PKCS #11 library and have an
existing PKCS #11 installation, the installer advises you of this.
The installer asks whether you want to configure the PKCS #11
library for use with Check Point VPN-1/Firewall-1. You can
choose to do one of the following:
a.
Select Yes, and then follow the steps in the Check Point
configuration dialog. See Check Points product
documentation for further information.
b.
If you choose to configure the PKCS #11 library for use with Check
Point VPN-1/Firewall-1, install the PKCS #11 module only after
Check Point VPN-1/Firewall-1 is installed.
9.
2.
46
3.
C:\nfast\bin\enquiry
47
Note
Always insert the smart card with the contacts facing up.
You can check that the card reader of any module is working correctly
by inserting an nCipher smart card and using the following test
command (assuming that you installed the server in the default
directory):
48
or
Module n slot 0:
Authentication key: 00000000-00000000-00000000-00000000-00000000
No data on token
3698 bytes free
Note
Open the System dialog box by clicking the System icon in the
Control Panel.
49
2.
3.
4.
In the Variable Name text box, type or edit the name of the
environment variable (for example, NFAST_HOME).
5.
In the Variable Value text box, type or edit the value to use.
6.
Click the OK button to set the value, and then click the OK button
to close the dialog box.
7.
You must ensure that KeySafe and the hardserver are communicating
on the same sockets. If you have set the environment variables
NFAST_SERVER_PORT or NFAST_SERVER_PRIVPORT in the server
environment, they must also be set to the same value in the KeySafe
environment. The port on which the hardserver listens for local
privileged TCP connections (priv_port) must be set to 9001 and the
port on which the hardserver listens for local nonprivileged TCP
connections (nonpriv_port) must be set to 9000.
NFLOG_FILE
50
Note
NFLOG_SEVERITY
NFLOG_DETAIL
NFLOG_CATEGORIES
51
restored if necessary.
2.
52
3.
4.
Test that the client has access to the security world data. To do
this, run the nfkminfo command-line utility.
Check that a module with the correct ESN appears in the output
and has the state 0x2 Usable.
2.
53
For clients that use a local KNETI (the nCipher integrity key,
which is installed when the module is shipped) for
authorization and which are to be given write access to the
remote file system, run the command:
For clients that do not have a local KNETI and require write
access, run the command:
The rfs-sync utility uses lock files to ensure that updates are made in a
consistent fashion. If a rfs-sync --commit operation (the operation that
writes data to the remote file system) fails due to a crash or other
problem, it is possible for a lock file to be left behind. This would
cause all subsequent operations to fail with a lock timeout error.rfssync has options for querying the current state of the lock file, and for
deleting the lock file; however, these should only be used if necessary
to resolve this problem. Clients without write access cannot delete the
lock file.
To remove a cooperating client so the remote file system no longer
recognizes it, you must:
54
remote_ip=ccc.ccc.ccc.cccremote_esn=
keyhash=0000000000000000000000000000000000000000
native_path=c:\nfast\kmdata\local
volume=kmdata-local
allow_read=yes
allow_write=yes
allow_list=yes
is_directory=yes
is_text=no
and
remote_ip=ccc.ccc.ccc.cccremote_esn=
keyhash=0000000000000000000000000000000000000000
native_path=c:\nfast\kmdata\localsync-store
volume=kmdata-backup
allow_read=yes
allow_write=yes
allow_list=yes
is_directory=yes
is_text=no
Useful utilities
To find out the ESN and the hash of the KNETI key for a given IP
address, use the anonkneti command-line utility. A manual doublecheck is recommended for security.
A client can use rfs-sync --show to display the current configuration,
or rfs-sync --remove to revert to a stand-alone configuration. Reverting
to a stand-alone configuration leaves the current contents of the
kmdata directory in place. See rfs-sync on page 304 for more
information.
55
The modules that you wish to add to the security world must be
in pre-initialization state, as described in Entering the
pre-initialization state on page 78.
You should know what the security policy for the module is, and
in particular the number and quorum of administrator and
operator cards to be used.
You must have enough smart cards to form the security worlds
card sets.
56
In this command:
57
-i, --initialize
Replacing an existing security world in this way does not delete the
security worlds host and recovery data, but renames the existing
kmdata directory in which these reside as kmdata_nn (where nn is an
integer, 0 or greater, depending on how many security worlds have
been previously saved during overwrites).
-S, --no-remoteshare-cert
This option provides compliance with the roles and services of the
FIPS 140-2 level 3 standard. It is included for those customers who
have a regulatory requirement for compliance.
-R, --no-recovery
58
59
Note
You should not create an Administrator Card Set for which the
required number of cards is equal to the total number of cards
because you will not be able to replace the Administrator Card Set if
even a single card is lost or damaged.
This option only takes effect if you are creating a new
security world.
60
Note
If you set the !fto flag, that is, turn off FTO, you will not be able to use
smart cards to import keys even if you set the --allow-smartcard-imports
option in the payshield-install utility.
Note
If you want to use extended debugging from the module, you must set
the dseeall flag.
The following feature names are available:
m
61
rtc
Note
If you want to use extended debugging from the module, you must set
the dseeall flag.
The dseeall option is designed for testing purposes only. Do not enable
this feature on production security worlds as it may enable SEE
applications to leak security information.
62
63
You must have created a security world that has the following
options:
-
64
See About payShield Card Sets on page 187 for important advice
about the choice of a value for K.
-
the SEE debugging for all option enabled, if you wish to make
use of the extended payShield module debugging option.
(You must have configured the security worlds card
requirements separately to enable this option.)
You must know what the security policy and the associated card
sets for the payShield installation are. If this is not already
decided, see About payShield Card Sets on page 187.
You must have enough smart cards to form the security worlds
card sets.
65
In this command:
psiname
Do not type a hash that differs from this value unless you are certain
that the new hash is from a valid payShield signing key. If you are in
any doubt as to the origin of the hash value you have been given, do
not create a payShield installation: contact Support at nCipher for
confirmation of the correct signing key hash.
As a minimum, specify the following:
payshield-install -S psiname keyhash
66
67
68
In this command, psiname is the name that you supplied when you
created the payShield installation.
69
Separate the flags for each module by a dash on its own line, as in the
following example:
postload args=-n psiname [-d]
module MODULE
In this example:
MODULE
This flag specifies that the operating SEE World has the
dseeall feature set and that the operating payShield
installation has the -D option set. Both of these conditions
70
K-of-N policies
Pass phrase
ISS
Not permitted
iPlanet
Required
You can create an Operator Card Set from the command line with the
createocs utility (as described here). Alternatively, you can use
71
1.
In this command:
-m MODULE, --module=MODULE
These options enable you to name the card set. The card
set must be named with this option before individual
cards can be named using the -M, --name-cards=NAME
options.
-M, --name-cards
72
These options mean that the pass phrase for this card set
cannot be recovered. The pass phrase for the card set is
recoverable by default. You can specify this explicitly
with --pprecovery.
-q, --remotely-readable
These options set the time-out for the card set. Use the
suffix s to specify seconds, m for minutes, h for hours,
and d for days. If the timeout is set to 0, the Operator
73
(press Return)
The nCipher PKCS #11 library requires Operator Cards with pass
phrases.
Note
74
3.
4.
5.
When the new card has been created, if you are creating a card set
with more than one card in it, createocs prompts you to insert
another card.
For each additional card in the Operator Card Set, follow the
instructions from step 2 through step 4.
75
Figure 3
Status LED
Clear switch
Mode switch
M
O
I
Maintenance
Smart card
connector
DC power
2.
76
When the self tests are complete, the unit should enter the premaintenance state. In this state, the Status LED emits repeated single
long flashes. Refer to the table below if the Status LED does not emit
repeated single long flashes:
LED
Note
State
Operational
Mainly on but
regularly blinks off
(The exact timing
depends on the
nCipher module.The
longer the LED
stays on the less the
load. At 100% load
the LED is off for as
long as it is on.)
Emits repeated
single short flashes
Pre-initialization
Error
77
Figure 4
Status LED
Clear switch
Mode switch
M
O
I
Initialization
Smart card
connector
DC power
2.
78
The module performs self tests, during which the Status LED is on.
When the self tests are complete, the unit should enter the preinitialization state. In this state, the Status LED emits repeated single
short flashes. Refer to the table below if the Status LED does not emit
repeated single short flashes:
LED
Note
State
Operational
Mainly on but
regularly blinks off
(The exact timing
depends on the
nCipher module.The
longer the LED
stays on the less the
load. At 100% load
the LED is off for as
long as it is on.)
Emits repeated
single long flashes
Pre-maintenance
Error
79
Figure 5
Status LED
Clear switch
Mode switch
M
O
I
Operational
Smart card
connector
DC power
2.
The module performs self tests, during which the Status LED is on.
When the self tests are complete, the unit should enter the operational
state. In this state the Status LED is mainly on, but blinks off regularly.
As the load on the unit increases, the length of time that the Status
80
LED is off increases. If the module is fully loaded, the Status LED is
off for as long as it is on. Refer to the table below if the Status LED is
not mainly on and blinking off regularly:
Note
LED
State
Emits repeated
single short flashes
Pre-initialization
Emits repeated
single long flashes
Pre-maintenance
Error
Note
81
Chapter 5: Uninstalling
This chapter provides information on uninstalling nCipher software.
Note
Do not uninstall the nCipher software unless either you are certain it
is no longer required or you are going to upgrade it.
1.
2.
3.
82
You normally configure the hardserver when you install the module,
as described in Chapter 3: Getting the module working. This chapter
contains full information about configuring the hardserver and the
options available for configuring it in the configuration file.
83
Hardserver settings
Hardserver settings
You configure the hardservers settings in the server_settings section
of the configuration file.
This section defines how connections and hardserver logging are
handled. These settings can be changed while the hardserver is
running.
Remote slots
You configure remote slots in the slot_imports and slot_exports
sections of the configuration file. The Remote Operator feature must
be enabled on the module, as described in Chapter 8: Feature
Enabling nCipher Modules.
84
SEE machines
These sections define the slots that are imported to or exported from
the module.
See Chapter 13: Remote Operator Card Sets for full information about
remote slots.
SEE machines
You configure the hardserver to load SEE machines on start-up in the
load_seemachine section of the configuration file. The SEE Activation
feature must be enabled on the module, as described in Chapter 8:
Feature Enabling nCipher Modules.
This section defines the SEE machines and optional user data to be
loaded, as well any other applications to be run in order to initalize the
machine after it is loaded.
See Chapter 9: Using CodeSafe Applications for information about
SEE machines.
server_settings
The server_settings section defines the settings for the client
hardserver that can be modified while the hardserver is running. The
section contains the following fields:
loglevel
info
85
notice
client
remoteserver
error
serious
internal
startup
fatal
fatalinternal
86
external_pid
87
msg_writeable
88
connect_keepalive
module_settings
The module_settings section defines the settings for the module that can
be changed while the hardserver is running. The section contains the
following fields:
esn
89
server_remotecomms
The server_remotecomms section defines the remote communication
settings for the client hardserver. These are read only at hardserver
start-up. This section contains the following fields:
impath_port
server_startup
The server_startup section defines the settings for the hardserver that
are loaded at startup. The section contains the following fields:
unix_socket_name
90
nt_privpipe_name
The port on which the hardserver listens for local nonprivileged TCP connections. 0 specifies none. Java clients
default to connecting to 9000. The default is 0.
If the NFAST_SERVER_PORT environment variable is set, it
overrides the value in the configuration file.
priv_port
load_seemachine
The load_seemachine section defines SEE machines that the module
should load and, if required, start for use by other clients. Each SEE
machine is defined by an entry as follows:
91
module
92
postload_args
slot_imports
The slot_imports section defines the remote slots that the client
hardserver on an unattended module should import from remote
modules for use by modules connected directly to that local computer.
Each slot is defined by an entry as follows:
local_esn
93
slot_exports
The slot_exports section defines the slots on local modules that the
local hardserver should allow network modules to import. Each local
slot has an entry for each remote module that can import it, as follows:
local_esn
remote_file_system
This section is updated automatically when the rfs-setup utility is run.
You should not edit it manually.
The remote_file_system section defines a remote file system on the
client, by listing the modules allowed to access the filesystem on this
client. Each module is defined by an entry as follows:
94
remote_ip
The hash of the key with which the client must authenticate
itself to the module. The default is 40 zeros, which means
that no key authentication is required.
native_path
The local file name for the volume to which this entry
corresponds.
volume
The volume which the remote host would access to use this
entry.
allow_read
95
is_directory
96
role=KeyRole_TPK
gen_a=allow
gen_u=
ex_a=ExportFormat_XORComponents,ExportFormat_ECBWrapped
ex_u=
im_a=ExportFormat_XORComponents,ExportFormat_ECBWrapped
im_u=ExportFormat_ECBWrapped
97
Identifying modules
Modules are identified in two ways:
by serial number
by ModuleID.
You can obtain the ModuleIDs and serial numbers of all your modules
by running enquiry. See enquiry on page 229.
Serial Number
The serial number is a unique 12-digit number that is permanently
encoded into each module. You should quote this number in any
correspondence with Support at nCipher.
ModuleID
The ModuleID is an integer assigned to the module by the server when
it starts. The first module it finds is given ModuleID 1, the next is given
ModuleID 2, and so on.
98
The order in which buses are searched and order of modules on a bus
depends on the exact configuration of the host. If you add or remove
a module, this can change the allocation of ModuleIDs to all the
modules on your system.
You can use the enquiry command-line utility to identify the PCI bus
and slot number associated with a module. See enquiry on page 229
for further information.
All commands sent to nShield payShield modules require a
ModuleID. Many nCipher commands, including all acceleration-only
commands, can be called with a ModuleID of 0. Such a call causes the
99
Adding a module
Adding a module
If you have a module installed, you can add further modules without
reinstalling the server software.
However, nCipher recommends that you always upgrade to the latest
server software and upgrade the firmware in existing modules to the
latest firmware.
Note
Before you install new hardware, check the release notes on the CDROM supplied with your new module for information about specific
compatibility issues, new features, and bug fixes.
1.
2.
3.
100
Available Features
This section lists the features that can be added to modules.
Contact sales@ncipher.com for full details of all available features.
Elliptic Curve
Elliptic curves allow small key sizes to provide improved levels of
security and are commonly used in embedded devices.
See Developers Reference for full details of the elliptic curve feature.
101
Available Features
SEE Activation
(Restricted)
See the CodeSafe/C Developer Guide for full details of the SEE.
102
payShield features
Client licenses
You can purchase additional client licenses that allow you to run
multiple clients for the module. Three clients are always enabled on
each module.
payShield features
If you have purchased payShield, the module is always supplied with
the following feature enabling tokens:
ISO smart card support (ISS), also called Foreign Token Open
(FTO), to allow the use of non-nCipher smart cards.
103
For payShield applications you must enable these features using the
Feature Enable Tool, described in The Feature Enable Tool on page
105, before you can use the secure payment application.
Run the enquiry command and note down the Electronic Serial
Number of the module.
ESN details to a file. See The Feature Enable Tool on page 105.
When your order has been processed, you receive a Feature Enabling
Certificate in one of the following ways:
104
Enabling features
Enabling features
The Feature Enable Tool
The Feature Enable Tool utility, by default, scans the smart card
readers of all modules attached to the host, and enables any features
found on inserted FEM cards.
To use the Feature Enable Tool, you must be logged in as a user who
is permitted to create privileged connections.
You can enable a feature without having physical access to a module
by exporting the slot on your local module, importing that slot into the
remote module, and then running the Feature Enable utility on the
remote host.
The Feature Enable Tool offers you the choice of clearing the module
after it has enabled features. If you do not choose to clear the module
then (for example, because you have another process running on the
module), you must clear it later. You can use any appropriate method
to do this (for example, the nopclearfail utility or the Clear button).
Usage
fet.exe
Help options
-h, --help
105
Enabling features
-u, --usage
If you are enabling the Remote Operator feature, you must enable it
on the module that is to be used as the remote module. See Chapter
13: Remote Operator Card Sets for details.
Insert the Feature Enabling smart card from nCipher into a slot
available to the module to be updated.
2.
106
Enabling features
When you run the Feature Enable Tool without a Feature Enabling
smart card in any module slot, a message similar to the following is
displayed. There is a line for the features on each module, and a list of
options. In this example, only one module (ESN 511D-DB15-D438) is
attached to the host.
Feature Enable Tool
===================
ISO Smart Card Support
| Remote Operator
| | Korean Algorithms
| | | SEE Activation (EU+10)
Mod Electronic
| | | | SEE Activation (Restricted)
No. Serial Number
| | | | |
1 511D-DB15-D438 -- NO NO NO NO NO
1. Read FEM certificate(s) from a smart card or cards.
2. Read FEM certificate from a file.
3. Read FEM certificate from keyboard.
4. Write table to file.
Enter option :
107
If you wish to use the SEE to run applications, you must order and
enable it as described in Chapter 8: Feature Enabling nCipher
Modules.
An SEE application is typically a standalone SEE machine that is
loaded automatically by the hardserver, for example, a CodeSafe C
application.
Please check the documentation supplied by your application vendor
for information about signatures that may be required to set up and
use the application, and any other installation and configuration
information.
CodeSafe/C applications
CodeSafe/C applications are standalone applications.
Each CodeSafe C application can consist of multiple parts, and its
installation can include several configuration steps. Please see your
application vendors documentation for instructions on installing and
configuring each application.
You may need to use the hardserver, loadmache and tct2 utilities when
configuring and loading an applicationl; see hardserver on page 242,
and .
108
Starting KeySafe
In order to use KeySafe, Suns Java run-time environment version 1.5,
or the equivalent developer kit must be installed. It is recommended
that you install it before you install the nCipher components. The Java
executable must be on your path.
Note
109
10 Using KeySafe
Starting KeySafe
In order for KeySafe to work, you must set priv_port (the port on
which the hardserver listens for local privileged TCP connections) to
9001 and nonpriv_port (the port on which the hardserver listens for
local nonprivileged TCP connections) to 9000.
Note
110
10 Using KeySafe
Note
111
10 Using KeySafe
Sidebar
The sidebar provides access to different parts of the KeySafe
application (with the menu buttons) and also displays information
about both the current security world and your module or modules
(with the Module Status tree).
Menu buttons
There are six menu buttons at the top of the sidebar:
Introduction
Keys
Clicking the Keys menu button takes you to the Key Operations
panel, from which you can choose to create, import, view, or
destroy keys.
Cards
Clicking the Cards menu button takes you to the Card Operations
panel, from which you can:
Softcards
112
10 Using KeySafe
Modules
Exit
Clicking the Exit button displays a dialog asking whether you are
sure you want to exit KeySafe. Click Yes (or press Enter ) to exit
KeySafe; click No to continue using KeySafe. Clicking the Exit
dialogs close-window button will take you back to your KeySafe
session. These features prevent you from closing KeySafe
accidentally.
While KeySafe is executing a command, the menu buttons are
disabled. Their normal functionality returns when the command is
completed.
113
10 Using KeySafe
For purposes of clarity, screen shots in this guide are shown with some
of the Module Status tree toggles expanded.
Security world information
When you toggle the Module Status tree view of security world
information to its expanded setting, KeySafe reports Yes or No for
each of the following conditions:
114
10 Using KeySafe
the level of SEE debugging that is enabled for this security world.
whether or not you enabled the Foreign Token Open key for this
security world
Module information
When you toggle the Module Status tree view of module information
to its expanded setting for a given module, KeySafe displays:
state
-
115
10 Using KeySafe
state.
Note
The Module status tree has an Advanced folder that shows the
following details when expanded:
116
10 Using KeySafe
Navigation buttons
At the bottom left of the Module Operations panel are three navigation
buttons. Clicking a navigation button does not commit you to an
action, but instead selects an operation and loads another panel of
additional information and options related to the selected operation.
117
10 Using KeySafe
From the Module Operations panel, for example, clicking the Erase
Module navigation button does not itself erase a module, but rather
loads the Erase Module panel:
Command buttons
At the bottom right of the Erase Module panel is a command button
(the Erase Module! command button, in this case). Unlike clicking a
navigation button, clicking a command button does commit you to an
operation. Clicking a command button tells KeySafe to write or delete
data: it is not necessarily possible to reverse such changes even if you
subsequently cancel the operation.
For these reasons, command buttons are usually marked with an
exclamation point (!) if there is a danger that a command could
overwrite data that you may not want deleted. In some cases, clicking
a command button causes KeySafe to display a dialog box asking you
to confirm your command. Such features help prevent you from
accidentally destroying your data or keys.
118
10 Using KeySafe
Some panels require that, before you can click a command button, you
select options by means of radio buttons or that you enter data into text
fields:
Back buttons
Some KeySafe panels have Back buttons. Clicking a Back button takes
you to the panel from which the panel you are on is normally reached.
For example, clicking the Back button on the Erase Module panel takes
119
10 Using KeySafe
Errors
you to the Module Operations panel, and clicking the Back button on
the Examine/Change Card panel takes you to the Card Operations
panel.
Errors
If KeySafe detects an error from which it cannot recover, it may
display a Fatal Error message, such as:
Exit KeySafe.
2.
3.
Restart KeySafe.
120
10 Using KeySafe
Errors
This error may mean that your nCipher server or nCipher firmware is
not current. To update your firmware, take the following steps:
Note
1.
Exit KeySafe.
2.
3.
Restart KeySafe.
This error occurs if you attempt to create a card set with more than 64
cards.
121
10 Using KeySafe
Errors
Contact Support at nCipher if you receive any other error message that
looks similar to the one shown below:
122
123
Creates/modifies
Creates files...
Create a security
world
creates
world
module_ESN
Load a security
world
creates or modifies
module_ESN
Replace an
Administrator Card
Set
modifies
world
Create an Operator
Card Set
creates
Generate a key
creates
key_appname_ident
Create an Operator
Card Set
modifies
Recover a key
modifies
cards_ident card_ident_cardno
In this table:
ident is the identifier given to the card set or key when it is created
created.
The ident of a card set is a 40-character string that represents the hash
of the card sets logical token. The ident of a key is either user supplied
or a hash of the keys logical token, depending on the application that
created the key.
124
Required files
The following files must be present and up to date in the
C:\nfast\kmdata\local directory, or the directory specified by the
NFAST_KMLOCAL environment variable, for a host to use a security
world:
world
These files are not updated automatically. You must ensure that they
are synchronized whenever the security world is updated on the
module.
125
K and N
You must decide the total number of cards (N) in a security worlds
ACS and must have that many blank cards available before you start
to create the security world. You must also decide how many cards
from the ACS must be present (K) when performing administrative
functions on the security world.
Note
Note
126
This option provides compliance with the roles and services of the
FIPS 140- 2 level 3 standard. It is included for those customers who
have a regulatory requirement for compliance.
If you enable compliance with FIPS 140-2 level 3 roles and services,
authorization is required for the following actions:
Remote Operator
If you want to use a module without needing physical access to
present Operator Cards, the Remote Operator feature must be
explicitly enabled on the module; see Chapter 8: Feature Enabling
nCipher Modules. By default, modules are initialized into security
worlds with remote card set reading enabled. If you add a module for
which remote card reading is disabled to a security world for which
remote card reading is enabled, the module remains disabled.
127
SEE debugging
SEE debugging is disabled by default, but you can choose whether to
enable it for all users or whether to make it available only through use
of an ACS. In many circumstances, it is useful to enable SEE
debugging for all users in a development security world but to disable
SEE debugging in a production security world. Choose the SEE
debugging options that best suit your situation.
128
Any modules that you wish to add to the security world must be
started in pre-initialization state, as described in Entering the
pre-initialization state on page 78.
129
You should know what the security policy for the module is, and
in particular the number and quorum of administrator and
operator cards to be used. See Determining module requirements
on page 39 for details.
You must have enough smart cards to form the security worlds
card sets.
When you have completed the operation and run the payshield-install
utility if required, you must restart the module in the operational state.
The process of creating a security world:
130
2.
Check the Module Status tree to ensure that you have a module
in the pre-initialization state (PreInitMode). See Entering the premaintenance state on page 76.
3.
Click the Modules menu button, which takes you to the Module
Operations panel.
4.
5.
131
Note
Overwriting an existing security world in this way does not delete that
security worlds host and recovery data, but renames the existing
kmdata directory in which these reside as kmdata_nn (where nn is a 2digit integer assigned depending on how many security worlds have
been previously saved during overwrites up to a maximum of 99).
If you want to overwrite an existing security world, click the
Overwrite Security World button on the Existing Security World
panel. KeySafe then takes you to the Initialize Security World
panel.
6.
If KeySafe does not find existing security world data, it takes you
to the Initialize Security World panel:
7.
Enter the total number of cards (N) that you wish to have in the
Administrator Card Set. This number must be less than or equal
to 64.
132
8.
Note
Note
Select the protection mode for the security world (that is, whether
the security world key is to be a Triple DES key or an AES key).
10. Select whether or not you want the new security world to comply
with the roles and services, key management, and self-test
sections of the FIPS 140-2 standard at level 3.
Note
This option provides compliance with the letter of the FIPS 140-2
level 3 standard, but does not improve the security of your keys. It is
included for those customers who have a regulatory requirement for
compliance.
11. To configure SEE options, proceed to the SEE options panel, and
follow these steps:
a.
b.
c.
133
Restricted
No Access Control.
If you wish to use SEE, you must have ordered and enabled it as
described in Chapter 8: Feature Enabling nCipher Modules.
12. KeySafe always generates recovery data for the security world
key. However, if you want to be able to recover Operator Cards
and application keys, you must proceed to the Initialize Security
World Advanced Options panel:
134
b.
c.
d.
Note
135
13. Click the Initialize Security World! button. This takes you to the
Create Administrator Card Set panel:
14. KeySafe prompts you to insert the cards that are to form the
Administrator Card Set.
Insert a blank card and click the OK button. If you insert a nonblank card that KeySafe can erase, the Erase Card! button is
enabled, giving you the option of overwriting that card.
Note
136
15. KeySafe takes you to the Set Card Protection Pass Phrase panel:
b.
c.
e.
137
16. KeySafe then prompts you for the next card (if any).
Note
17. After you have created all the Administrator Cards, KeySafe
creates a new module key.
When initialization is complete, KeySafe displays a message:
Security world successfully initialized. Click the OK button, and
KeySafe returns you to its introduction panel.
18. After you have added a module to the security world, restart the
module in the operational state. (See Entering the premaintenance state on page 76).
If you have more than one module on this server, you can use
KeySafes Reprogram Module option to incorporate a new
module into your security world (or to restore an existing module
after a firmware upgrade), as described in Adding or restoring a
138
139
1.
140
141
142
3.
143
4.
Note
144
5.
When all the modules are in the pre-initialization state, click the
Next button. The wizard displays the following window:
6.
Note
Select either DES3 or AES for the security worlds module key
type.
145
8.
Note
You can select both the Advanced settings and the SEE settings option.
9.
Note
The Create a FIPS 140-2 level 3 compatible security world option provides
compliance with the letter of the FIPS 140-2 standard, but does not
improve the security of your keys. It is included for those customers
who have a regulatory requirement for compliance with this standard.
146
Each tab in this window lets you specify the number of cards
required to authorize specific tasks:
Note
If you require key recovery, you must enable it when you create the
security world. If you do not enable key recovery now, it never will be
possible to recover keys in this security world.
147
Note
148
If you want to protect this card with a pass phrase, select the Card
requires a pass phrase option. The wizard prompts you to enter
and confirm the pass phrase.
Note
The Next button is only enabled when you have entered two matching
pass phrases.
13. When you have entered the pass phrase, click the Next button.
14. Place the smart card in the module.
15. Click the Next button.
149
16. When the wizard successfully writes to this card, it prompts you
to insert the next card and to enter a pass phrase for this card.
Continue the process, following the onscreen instructions. When
the wizard has written the number of cards you requested, it
displays the following screen:
These smart cards form the Administrator Card Set for this
security world. The security of your key data depends on the
security of these smart cards.
150
Insert one of the cards from the Administrator Card Set that
you have just created, and click the Next button. If the card is
not from the Administrator Card Set, the wizard prompts for
another card.
b.
If you defined a pass phrase for this smart card, the wizard
prompts you to enter it. Enter the pass phrase, and click the
Next button.
If the pass phrase is incorrect, the wizard displays an error
message. If you type the pass phrase incorrectly three times,
the wizard does not continue, and this module is returned to
the factory state.
Note
If the wizard stops because the incorrect pass phrase has been entered
three times, the module is not be added to the security world. Run the
wizard again in order to add this module to the security world.
c.
151
18. When all the modules have been added to the security world, the
wizard displays this window:
152
This window enables you to create Operator Cards for the new
security world. If you do not want to use Operator Card Sets to
protect your keys, select the Module protection option. If this
option is selected, the CSP only creates keys that are protected by
153
the security world. This option is suited to applications where 24hour operation is required, because no human intervention is
required to use application keys.
If you want to use Operator Card Sets to protect your keys, select
the Operator Card Set protection keys option.
If you are using Microsofts CA and you want the wizard to
prompt you every time you create or import a key, turn on the
Always use the wizard when creating or importing keys option. If
you leave this option turned off, the wizard attempts to protect the
new or imported key by using the card currently in the module.
You can change these settings by rerunning the wizard and
selecting the Use the existing security world option.
If your security world is FIPS compliant, the option to use
module-protected keys is not available.
154
more than one card, you cannot restore the security world. If you have
created an Administrator card set where K equals N, then the loss of
one card stops you from being able to restore the security world.
To prevent this situation from occurring, replace lost or damaged
cards from the Administrator Card Set as soon as you discover the
loss or damage. See Replacing the Administrator Card Set on page
221.
The security of the keys that you create within this security world is
wholly dependent on the security of these smart cards.
The security world host data is stored in the directory to which the
NFAST_KMLOCAL environment variable points. (See the section
Security world files on page 123). The data in this directory is
encrypted. Ensure that this directory is backed up regularly. Check the
file permissions for this directory. Ensure that the nFast Administrator
role, and any user that you want to be able to create Operator Cards or
keys, has write permission for this directory. All other valid users
must have read permission.
Note
155
have a copy of the security world data on this host. This is the host
data written by KeySafe, the nCipher CSP wizard, or new-world
when you created the security world. This data is stored in the
directory to which the environment variable NFAST_KMDATA
points (by default, C:\nfast\kmdata).
reads the security world data from the computers hard disk
uses the secret from the Administrator Card Set to decrypt the
security world key
156
When you have added a module to a security world, you cannot access
any keys that were protected by a previous security world on the
module.
Note
2.
Click the Modules menu button. KeySafe takes you to the Module
Operations panel.
3.
157
4.
Note
Note
Select the module that you want to add to your security world by
clicking its listing in the Module Status tree.
The module that you want to add to your security world must be in the
pre-initialization state.
5.
6.
A pass phrase is associated with a specific card. If, for example, you
insert card A but enter the pass phrase associated with card B,
KeySafe does not accept the pass phrase and prompts you to type it
again.
7.
158
The newly added module can now be used with keys and cards from
the existing security world.
2.
3.
159
4.
c.
d.
Ensure that the Use the existing security world option is selected,
and click the Next button.
You can then proceed to add modules in the same manner that you add
multiple modules when you create a security world. Follow the
instructions for creating a security world in the section Creating the
security world using the CSP wizard on page 139 from step 17.
160
In this command:
-l, --program
161
3.
Note
If any error occurs (for example, if you do not enter the correct pass
phrases), the module is reset to the factory state. The module does not
form part of the security world unless you run new-world again.
162
After you have erased a module, it is in the same state as when it left
nCipher (that is, it has a random module key and a known KNSO).
2.
Click the Modules menu button. KeySafe takes you to the Module
Operations panel.
3.
4.
Select the module that you want to erase by clicking its listing on
the Module Status tree. Then click the Erase Module! command
button.
163
5.
Note
If you have any keys that were protected by an erased module, you
cannot access them unless you restore these secrets. You cannot
restore these secrets unless you have the appropriate Administrator
Card Set.
state.
Run new-world with the command:
new-world [-e|--factory] [-m|--module=MODULE]
In this command:
-e, --factory
Output
If new-world successfully erased a module, it does not display any
messages. Otherwise, new-world returns an error message.
164
Output
If initunit is successful, for each module that is in the pre-initialization
state, it returns a message similar to this:
Initialising Unit #
Setting dummy HKNSO
Module Key Info:
HKNSO ###################
HKM ###################
you will not be able to access any of the keys that you have
previously used
165
Note
before you remove an old security world, you must reformat any
smart cards that were used previously as Operator Cards within
this security world.
If you do not reformat the smart cards used as Operator Cards before
you reinitialize your module, you must throw them away because they
cannot be used, erased, or reformatted without the old security world
key.
You can, and should, reuse the smart cards from the old Administrator
Card Set. If you do not reuse or destroy these cards, then an attacker
with these smart cards, a copy of your data (for example, a weekly
backup) and access to any nCipher key management module can
access your old keys.
There are two ways to delete an existing security world:
Method 1:
a.
b.
c.
Method 2:
a.
b.
There may be copies of the security world data archive saved on your
backup media. If you have not reused or destroyed the old
Administrator Card Set, an attacker in possession of these cards
could access your old keys using this backup media.
166
In this command:
-w, --world-info
167
Output
nfkminfo displays information similar to that shown in the following
examples:
generation 1
state
0x70000 Initialised Usable Recovery !PINRecovery
!ExistingClient !RTC !NVRAM !FTO !SEEDebug
n_modules 1
hknso
hash_knso
hkm
hash_km
hkmwk
hash_knwk
hkre
hash_kre
hkra
hash_kra
ex.client none
...
...
Module #1
generation 1
state
0x1 Useable
flags
0x10000 ShareTarget
n_slots
2
esn
34F3-9CB4-753B
hkml
hash_kml
Module #1 Slot #0 IC 11
generation
1
phystype
SmartCard
slotlistflags 0x2
state
0x4 Operator
flags
0x20000 RemoteEnabled
shareno
2
error
OK
Cardset
name
"fred"
k-out-of-n
1/2
flags
NotPersistent
timeout
none
card names
"" ""
hkltu
hash_kt
Module #1 Slot #1 IC 0
generation
1
168
phystype
slotlistflags
state
flags
shareno
shares
error
No Cardset
SoftToken
0x0
0x1 Empty
0x0
0
OK
No Pre-Loaded Objects
Security world
nfkminfo reports the following information about the security world:
generation
169
!Recovery
This indicates that your security world is compliant with the roles and
services of the FIPS 140-2 level 3 standard. It is included for those
customers who have a regulatory requirement for compliance.
ExistingClient
170
PINRecovery
171
n_modules
172
other quora
173
Uninitialized
174
n_slots
This indicates the hash of the module signing key (if the
module is not in the Usable state, this value may not be
available).
Slot
For each nCipher slot on the module, nfkminfo reports:
IC
SmartCard
SoftToken.
slotlistflags
175
0x1
176
flags
This indicates the number of the card within the card set.
error
177
flags
This indicates that the card in the slot does not have
PIN recovery enabled. This is always true if PIN
recovery is disabled for the security world.
PINRecoveryRequired(enabled)
178
card
names the names of the cards in the set, not all software can
give names to individual cards in a set.
hkltu
The CSP key files can have arbitrary names (previously, the
names of key files were linked to their key type and their
container name). This new method facilitates the importation of
existing nCipher security world keys into the CSP.
179
180
If the key you select already has a certificate associated with it, you
can choose to use the same certificate for the CA. Such a choice is
typically used if you are reinstalling the CA and using the same key.
181
Request a certificate
2.
Advanced request
3.
Note
In order to use an existing key set, enable the Use existing key sets
name. The key size option is ignored in this case because the key size
was decided at the original key creation time.
182
The portion of the advanced certificate request form used for the CSP
and key setup is shown below, with all needed options selected
correctly:
This utility checks that CSP container files are intact and
uncorrupted, and also that referenced key files exist. Use
cspcheck in conjunction with nfkmcheck, but run nfkmcheck
first in order to test the integrity of your security world files.
183
cspimport
184
the security world from which keys are being transferred must
have recovery enabled (the destination security world can be nonrecoverable).
you must have the Administrator Card Sets for both the exporting
module and the importing module.
To transfer keys:
1.
Program the module to which you intend to transfer the key into
one of the security worlds involved.
If one of the security worlds is FIPS 140-2 level 3 compliant and
the other is not, then program the module into the security world
that is not FIPS 140-2 level 3 compliant.
2.
Note
If you change security worlds by using the command new-world -l, the
programmed module key is lost.
185
3.
4.
You can use preload to load other types of keys to verify that they
have been imported.See the Operator Guide for details.
5.
If you have transferred keys that protect PKCS #11 objects, run
postrocs on the target module once the key transfer is complete.
186
187
188
Card Holders
The entire security of the keys you create within the payShield
installation and of the data that they protect depends on the security of
the security world and of the payShield installation card sets. You
must ensure that all cards are stored securely and in the custody of
trusted personnel. Cards should never be exposed needlessly.
No individual should ever have possession of more than one card from
a particular card set, although an individual may hold one card from
each of a number of different card sets.
189
This type is the Local Master Key for key and data
encryption.
lmkr
This type is the Local Master Key for key encryption only.
zmk
This type is for secure messaging for the integrity master key
mkidn
190
mkac
191
192
Note
If you wish to use the Remote Operator feature, you must enable it as
described in Chapter 8: Feature Enabling nCipher Modules. The
Remote Operator feature must be ordered for, and enabled on, the
module that you intend to use as the remote, unattended module.
The createocs utility cannot use remote slots to write new cards or
card sets.
193
You can export a slot from an attended module and import a slot to any
(unattended) module in the security world. The unattended module
for import may be a local module connected to the host or a networkconnected module such as a netHSM or payShield net module.. (You
can import or export slots between netHSM or payShield net modules
and local modules only if the local module uses a hardserver whose
version is 2.6.10 or higher.) Before you can import a slot to one
module, you must first export it from another module.
194
Note
Module #1
generation
state
flags
n_slots
esn
hkml
2
0x2 Usable
0x10000 ShareTarget
3
8851-43DF-3795
391eb12cf98c112094c1d3ca06c54bfe3c07a103
195
All the modules must be included in the security world before you
generate the Operator Card Set. If you are not using client
cooperation, the kmdata directories must be manually synchronized
after you generate the Operator Card Set.
If the card in the given slot is from a remotely enabled card set,
nfkminfo displays a slot section similar to the following:
Module #1 Slot #0 IC 1
generation
1
phystype
SmartCard
slotlistflags
0x2
state
0x5
Operator flags
0x20000 RemoteEnabled
shareno
1
shares
LTU(Remote)
error
OK
In this output, the RemoteEnabled flag indicates the card can be loaded
remotely.
196
1.
2.
197
198
After an Operator Card Set has been inserted into a remote slot, for
each time a given card is inserted, the module only allows each share
on that card to be read once. If there is a second attempt to read shares
from that card before the card is reinserted, the operation fails with a
UseLimitsUnavailable error.
KeySafe can list the imported slot but cannot use it.
If you already have card-set protected keys that you want to use, but
the card set is not remotely loadable, you can use Keysafe to protect
the key under a new card set that is remotely loadable. This only
succeeds if the key was initially generated with recovery enabled. If
you created the key without enabling key recovery, you cannot protect
the key under a different card set. In this case, you must generate a
new key.
199
Before you can perform any of these operations, you must first create
a security world, as described in Chapter 11: Managing
security worlds.
200
In this command:
--recover
3.
At the prompt, insert the Operator Card whose pass phrase you
want to replace.
4.
At the prompt, type the pass phrase or press Enter if you do not
want to set a pass phrase.
5.
Operator Card.
6.
201
When you replace an Operator Card Set, the key material is not
changed by the process. The process deletes the original host data
(that is, the encrypted version of the key or keys and the smart card
data file) and replaces this data with host data protected by the new
Operator Card Set.
In order to replace an Operator Card Set, you must have:
Note
If you did not enable key recovery, or if you created the security world
with an early version of pkcs-init that did not support key recovery, you
cannot recover keys from lost or damaged smart cards.
created the original Operator Card Set using createocs, createocsimple, KeySafe, or the nCipher PKCS #11 library version 1.6 or
later
If you initialized the token using ckinittoken from the nCipher PKCS
#11 library version 1.5 or earlier, you must contact Support at
nCipher to arrange for them to convert the token to the new format
while you still possess a valid card.
202
Note
initialized a second Operator Card Set using createocs, createocsimple, KeySafe, or the nCipher PKCS #11 library version 1.6 or
later.
Note
The new Operator Card Set need not have the same K-of-N policy as
the old set.
If you are sharing the security world across several host computers,
you must ensure that the changes to the host data are propagated to all
your computers. One way to achieve this is to use client cooperation;
see Setting up client cooperation on page 53.
2.
Click the Cards menu button. KeySafe takes you to the Card
Operations panel.
203
3.
Click the Replace OCS navigation button, and KeySafe takes you
to the Replace Operator Card Set panel:
204
This panel lists existing Operator Card Sets in tabular form. For
each card set it displays:
Name
Note
4.
5.
If the card set does not have any recoverable keys, it cannot be
replaced.
205
6.
Note
8.
206
Note
1.
2.
List the Operator Card Sets and softcards in the current security
world by using the list cardsets command, which is described in
the section list cardsets on page 210.
3.
List the keys in the current security world using the list keys
command, which is described in the section list keys on page 212.
207
5.
6.
7.
After you have selected the keys that are to be recovered, transfer
these keys by using the recover command, which is described in
the section recover on page 214.
rocs prompts you to insert a card from the Administrator Card
Set.
8.
repeated until you have loaded the required number of cards from
the Administrator Card Set.
If you do not have the required number of cards from the
Administrator Card Set, press Q and then Enter . The rocs utility
returns you to the rocs > prompt without processing any keys.
Administrator cards should only be inserted in a server you know is
secure.
208
9.
rocs prompts you to insert a card from the first Operator Card
Set that you have selected as the target. Operator Card Sets
are processed in ascending numerical order as listed by the
list cardsets command.
b.
c.
rocs prompts you for the pass phrase for this card. This action
help topic
help intro
list cardsets
list keys
209
Note
mark key-spec
module number
quit
recover
rescan
revert key-spec
save key-spec
status
target cardset-spec
unmark key-spec
list cardsets
This command lists the Operator Card Sets and softcards in the
current security world. For example:
No.
1
2
3
Name
test
test2
test3
Keys (recov)
6 (6)
3 (2)
1 (1)
Sharing
3 of 5; 20 minute timeout
2 of 3
1 of 1; persistent
In this output:
210
No.
211
list keys
This command lists the keys in the current security world, as in the
following example:
No.
1
2
R 3
4
5
Name
rsa-test
Id: uc63e0ca3cb032d71c1c
Server-Cert
Id: uc63e0ca3cb032d71c1c
Server-Cert
App
hwcrhk
pkcs11
pkcs11
pkcs11
pkcs11
Protected by
module
test2
test --> test2
test --> test3
module (test ---> fred2)
where:
No.
description
module
name
name-->name2
module (name)
module (name-->name2)
212
mark key-spec
This command marks the listed keys that are to be recovered to the
target Operator Card Set or softcard. You can mark one or more keys
by number, ident, Operator Card Set or softcard, or hash. See
Specifying keys on page 217 for details. To mark more than one key
at a time, ensure that each key-spec is separated from the other by
spaces, as in the following example:
mark key-spec1 key-spec2 key-spec3
213
recover
This command transfers the marked keys to their target Operator Card
Sets or softcards. This operation is not permanent until you save these
keys by using the save command.
rescan
This command updates the card set and key information.
revert key-spec
This command returns keys that have been recovered, but not saved,
to being protected by the original protection method. If the selected
keys have not been recovered, rocs displays an error message.
save key-spec
This command writes the new key blobs to disk. If you specify a
key-spec, only those keys are saved. Otherwise, all recovered keys are
saved.
status
This command lists the currently selected module and target Operator
Card Set or softcard.
target cardset-spec
This command selects a given Operator Card Set or softcard as the
target. You can specify the card set or softcard name, the number
returned by list cardsets, or the hash.
214
unmark key-spec
This command unmarks the listed keys. Unmarked keys are not
recovered.
In this command:
-m, --module=MODULE
selects all keys that are protected by the given Operator Card
Set or softcard. See Specifying card sets on page 217 for
details.
-i, --interactive
215
If you use rocs from the command line, all keys are recovered and
saved automatically. You cannot revert the keys unless you still have
cards from the original Operator Card Set.
If you do not specify the target and keys to recover, or if you specify
the --interactive option, rocs starts in interactive mode with the
selections you have made. You can then use further rocs commands to
modify your selection before using the recover and save commands to
transfer the keys.
216
selects the Operator Card Set or softcard with the given hash.
In order to specify multiple Operator Card Sets or softcards, include
several CARDSET-SPECs on the command line.
Note
Specifying keys
The --keys=KEYS-SPEC option identifies one or more keys. It may
have any of the following forms:
mark key-number
This selects the key with the given number from the list
produced by the list keys command. Examples of usage are:
rocs -t target_OCS -k key_number
217
and
rocs -t target_OCS -k "mark 56"
appname:keyident
hash keyhash
This selects the key with the given key hash. An example of
usage is:
rocs -t target_OCS --keys="hash e364[...]"
--cardset cardset-spec
add a pass phrase to a card that currently does not have one
218
Each card in a card set can have its own individual pass phrase. You
can even have a set in which some cards have pass phrases and others
do not. A pass phrase can be of any length and can contain any
characters that you can type.
In this command:
--recover
219
2.
3.
When cardpp prompts you, insert the Operator Card whose pass
phrase you want to replace.
4.
When cardpp prompts you for the new pass phrase, type the pass
phrase or press Enter if you do not want to set a pass phrase.
5.
If you have entered a pass phrase cardpp asks you to confirm it.
After you confirm, cardpp sets the new pass phrase and prompts
you for another Operator Card.
6.
220
1.
3.
When prompted, type a pass phrase for the new softcard, and
press Enter . A pass phrase can contain any characters that you
can type and can be up to 1024 characters long.
4.
ppmk prompts you to confirm the pass phrase. Type the pass
phrase again and press Enter .
If the pass phrases do not match, ppmk prompts you to input and
confirm the pass phrase again.
Administrator Card Sets should only be inserted in a trusted server.
After you have confirmed the new pass phrase, ppmk finishes
configuring the softcard to use the new pass phrase.
2.
3.
221
If you discover that one of the cards in the current Administrator Card
Set has been damaged or lost, use the command-line utility racs or the
KeySafe Replace Administrator Card Set option to create a new set
immediately. If further cards are damaged, you may not be able to recreate your security world.
nCipher recommends that you erase your old Administrator Cards as
soon as you have created the new Administrator Card Set. An attacker
with the old Administrator Card Set and a copy of the old host data
could still re-create all your keys. With a copy of a current backup,
they could even access keys that were created after you replaced the
Administrator Card Set.
Note
2.
Click the Cards menu button. KeySafe takes you to the Card
Operations panel.
3.
Click the Replace ACS navigation button, and KeySafe takes you
to the Replace Administrator Card Set panel.
4.
If you are sure that you want to replace the Administrator Card
Set, click the Replace ACS! command button
222
5.
Note
Note
223
7.
When you insert a blank card, KeySafe takes you to the Set Card
Protection Pass Phrase panel:
8.
b.
c.
KeySafe then prompts you for the next card (if any). A given pass
phrase is associated with a specific card, so each card can have a
different pass phrase. You can change these pass phrases at any
time by using KeySafes Examine/Change Card option (available
from the Card Operations panel) or the cardpp command-line
utility.
9.
b.
224
10. After you have created all the Administrator Cards, KeySafe
displays a message:
ACS successfully replaced. Now consider erasing your old Administrator Cards
In this command:
--module=MODULE
tells racs to allow the use of smart cards that already contain
data. Any existing data is erased. If a value for this flag is not
specified, racs prompts you if a card contains data.
When you have finished replacing the Administrator Card Set, erase
the old Administrator Cards.
225
Help options
If a utility has the standard help options, these are not included in the
synopsis or in the description. The standard help options are as
follows:
226
anonkneti
anonkneti
This utility displays the ESN and HKNETI key hash from a netHSM
module identified by its IP address. This information is required to
configure your client hardserver to import the remote module.
This utility uses an anonymous host and is insecure. Use it only if you
trust your network. Otherwise, obtain the ESN and HKNETI of the
module from the welcome screen.
Usage
c:\nfast\bin\anonkneti [-m module] [-p port] IP_address
In this command:
-m module
227
cfg-reread
cfg-reread
This utility loads the hardserver configuration from the configuration
file.
Usage
C:\nfast\bin\cfg-reread.exe
Configuration file
section
Updates ...
hsc_loadseemachine.exe
load_seemachine
hsc_serverremotecomms.exe
server_remotecomms
Remote communications
settings
hsc_serversettings.exe
module_settings
server_settings
hsc_slotimports.exe
slot_imports
hsc_slotexports.exe
slot_exports
228
enquiry
enquiry
The enquiry utility returns information about the nCipher server and
the modules connected to it.
Usage
enquiry -m|--module=MODULE
Output
enquiry returns the following data for the server and each module:
enquiry reply flags
Failed indicates that the module has failed. This failure may
be because the module is in the Error state or because there
229
enquiry
operational
initialisation
maintenance
pre-initialisation
pre-maintenance
uninitialised.
230
enquiry
MaintenanceMode
There should be no level two flags set. If any are set, contact Support
at nCipher.
max write size
231
enquiry
232
enquiry
FastPollSlotList
The HasKLF flag is set if the module has a longterm fixed signing key.
HasShareACL
233
enquiry
HasKernelInterface
nC4032W-nnn
234
enquiry
nC4033P-nnn
product name
For modules that support enquiry level Six, this lists the
available key exchange groups that this module can use
when it makes a connection with another module.
feature ctrl flags
235
enquiry
features enabled
Feature name
ForeignTokenOpen
RemoteShare
Remote Operator
KISAAlgorithms
Korean Algorithms.
GeneralSEE
EllipticCurve
Elliptic Curve
236
enquiry
237
floodtest
floodtest
The floodtest utility performs hardware speed testing using modular
exponentiation with the Chinese Remainder Theorem.
Usage
C:\nfast\bin\floodtest.exe [--crt|--no-crt] [-Q|--query] [-R|--no-round-robin] [-l|-job-size=BITS]
[-t|--stop-after=TIME] [-j|--outstanding-jobs=COUNT] [-n|--jobs-count=COUNT]
[[[-K|--skew-check=SKEW ]| [-T|--min-check=COUNT ]] [-C|--check-start=TIME ]]
[--overprint][-o|--output=FILE] [-r|--report-interval=TIME]
Program options
--crt
238
floodtest
-l, --job-size=BITS
These options specify the maximum time to run the test. Use
the suffix s to specify seconds, m for minutes, h for hours,
and d for days. The default value of TIME is infinity.
-n, --jobs-count=COUNT
239
floodtest
-K, --skew-check=SKEW
Output options
--overprint
This option prints results all on one line, using \r rather than
\n.
-o, --output=FILE
240
floodtest
Output
floodtest returns output similar to this:
hardware, speed index 296, using rec. max outstanding + 1 = 46
1,
148 59.2,
151
overall
2,
410 140.32, 206
overall
3,
677 190.992, 226
overall
4,
944 221.395, 267
overall
5,
1190 231.237, 256.5 overall
...
The first column, to the right of the line numbers, shows the number
of seconds.
The second shows the total number of exponentiations performed.
The third column shows the number of exponentiations achieved this
second.
The last column shows a moving average of the number of
exponentiations achieved each second.
241
hardserver
hardserver
The hardserver is the communications service between applications
and nCipher modules.
You must be logged in as Administrator to use the command-line
options for this command.
Usage
hardserver.exe [-c|--command-line]
Hardserver startup
The hardserver utility is the hardserver program. It is installed as a
service and started automatically.
On startup, the hardserver looks for scripts in the
directory and executes them as
follows:
%NFAST_HOME%\scripts\hardserver.d
When the hardserver starts, it clears all modules and runs all the S
scripts and then all the M scripts in order for all operational modules.
242
hardserver
2.
3.
4.
Scroll down the list of services until you have highlighted the
nFast Server entry, and click the Stop button in order to stop the
server.
2.
3.
4.
Scroll down the list of services until you have highlighted the
nFast Server entry, and click the Start button in order to restart the
server.
243
initunit
initunit
The initunit utility initializes a unit with a random module key and a
known KNSO. This utility makes a key-management module usable
but does not enable any key archival or recovery.
Usage
In order to use initunit, you must be logged in to the host computer as
root or as a user in the group nfast and must start the module in the
pre-initialization state. See Entering the pre-maintenance state on
page 76 for information on putting the module into a pre-initialization
state.
C:\nfast\bin\initunit.exe [-m|--module=MODULE] [-n|--ntoken]
In this command:
-m, --module=MODULE
244
initunit
Output
If initunit is successful, it returns a message similar to this for each
module that has been initialized:
Initialising Unit #
Setting dummy HKNSO
Module Key Info:
HKNSO
###################HKM
###################
Otherwise, it returns an error message that points to the reason for the
initialization failure.
245
loadkeys
loadkeys
The loadkeys utility is used with a payShield installation. It imports,
generates or exports keys. Its use is described in full in the Keyloading
Solution Guide.
Usage
C:\nfast\bin\loadkeys.exe [options] psiname
Options
Modes of Operation
-I, --import
This option specifies that the application does not prompt for
nonessential options that have not been specified on the
command line. Non-essential options include key export
options, rolespecific options and group memberships.
246
loadkeys
General options
-m, --module=MODULE
These options specify the key Check Value format. This can
be one of none (for no check value), zero (for the
encryptzeros method) or self (for the encrypt-self method).
-d, --debug
These options specify the name for the imported key. This
can be either the name of the key to be exported or the name
to give the newly imported key, depending upon the
operation.
Import/Generate options
-l, --length=LENGTH
247
loadkeys
Component options
--ccvf=CV_FORMAT
248
loadkeys
Wrapped options
-w, --wrapper=NAME
249
key-xfer-im
key-xfer-im
The key-xfer-im utility transfers a key into a second security world.
The module must previously have had the second security worlds
module key loaded using the mk-reprogram utility, described in mkreprogram on page 255. (See Transferring keys between security
worlds on page 185.)
Usage
key-xfer-im SOURCE-KMDATA-LOCAL DESTINATION-KMDATA-LOCAL NEW-PROTECT KEY-FILE [KEYFILE ...] [NEW-PROTECT KEY-FILE [KEY-FILE ...]]
Parameters
SOURCE-KMDATA-LOCAL
The full path name of the kmdata file for the source security
world.
DESTINATION-KMDATA-LOCAL
The full path name of the kmdata file for the target security
world.
NEW-PROTECT
250
key-xfer-im
--export-leave
This is the full path of source kmdata file for the key. The
module must have module keys from both worlds: program
it into one world with new-world and use mk-reprogram to
251
key-xfer-im
252
loadrom
loadrom
The loadrom utility loads new firmware into a module. Firmware is
supplied as an encrypted and signed file. See Upgrading module
firmware on page 323 for information on upgrading firmware.
You can also use loadrom to obtain information about the firmware.
Usage
C:\nfast\bin\ [-v|--view] [-n|--notypecheck] [-m|--module=MODULE]
[-b|--maxblocksize=SIZE] NFF_file
In this command NFF_file is the name of the file that contains the
firmware. This has the extension .nff. See Appendix A: Upgrading
module firmware for information on the file name for your module.
Help options
-h, --help
Programming options
-v, --view
These options only display information about the .nff file and
do not load it.
253
loadrom
-i, --ioboard
Output
If you select the --view option, loadrom displays output similar to this:
File :..\..\module\firmware\2-18-13\ncx3p-21.nff
Firmware : PCI Type 3 firmware version 2.18.13cam1 (VSN 21)
for : nC1003P/nC3023P
Filetype : NFast3
Programming chunks: 12
Confidentiality key:
nC3023P confidentiality key (dorris #2)
Confidentiality mech:
DES3mCBCi64pPKCS5
Signatures:
#0: <unknown> integrity key
#1: nC3023P integrity key (dorris-1)
254
mk-reprogram
mk-reprogram
The mk-reprogram utility programs a security-world module key into
a module to which it does not yet belong. A key that is to be
transferred from one security world to another must be loaded into a
module that:
has had the module key of the target security world loaded into it
using mk-reprogram.
After the security-world module key has been loaded, you can use the
key-xfer-im utility to transfer a key into the second security world.
(See Transferring keys between security worlds on page 185.)
Usage
mk-reprogram.exe [[--module MODULE-NO----] CHANGES
Options
--module=MODULE-NO
255
mk-reprogram
Keywords
CHANGES can be one of the following:
list
Example
The following example command demonstrates the first step in
moving a module-protected key from a security world that is not FIPS
140 1 level 3 or FIPS 140 2 level 3 compliant to one that is:
mk-reprogram --module 1 add C:\nfast\kmdata_FIPS\local
256
ncversions
ncversions
The ncversions utility displays installed nCipher support software
components and their versions. The utility lists all components,
whether installed individually or as part of a component bundle, and
also the component bundles themselves. See Components on nCipher
CD-ROMs on page 330.
Usage
C:\nfast\bin\ncversions.exe
Output
The following in an example of a component list produced by
ncversions:
Comp
Output Version Repository/Build no.
---------------------------------------------------------------convrt
user
1.1.0
cam/1
csee
armdev 0.10.5
cam/3
csee
seedev 0.10.5
cam/3
ctd
agg
0.0.12
cam/4
ctls
agg
0.0.13
cam/3
cutils
devel
1.4.2
cam/8
emvjni
user
0.2.2
cam/36
emvspj
user
0.2.6
cam/20
emvspj
devel
0.2.6
cam/20
emvspp
user
1.5.10
cam/14
emvspp
devel
1.5.10
cam/14
gcchk
user
1.1.1
cam/2
...
...
...
...
...
...
...
...
257
ncversions
Comp
Version
258
new-world
new-world
The new-world utility creates a security world that supports SEE
functions and remote Operator Card Set use. new-world also allows
you to specify different thresholds for different operations, such as:
adding a module
world.
To use the new-world utility, you must be logged in to the host
computer as Administrator or a user who is permitted to create
privileged connections.
Note
Usage
new-world -i|initialize [-S|--no-remoteshare-cert][-o|--overwrite][-F|--strict-fips140-level-2-level-3] [-R|--no-recovery][-m|--module]MODULE] -Q|--acs-quorum=K/N FEATURES
-k|--km-type=KEY-TYPE [--reduced-features]
259
new-world
You must not include more than one of the --initialize, --program, and -factory options. If you do not specify any of these options and a
kmdata directory already exists, new-world loads the security world
found within the directory. If you do not specify any of these options
and no kmdata directory exists, new-world creates a security world.
260
new-world
You should not create an Administrator Card Set for which the
required number of cards is equal to the total number of cards
because you cannot replace the Administrator Card Set if even a
single card is lost or damaged.
The --acs-quorum=K/N option only takes effect if you are
creating a new security world.
261
new-world
-F, --strict-fips-140-2-level-3
This option provides compliance with the roles and services of the
FIPS 140-2 level 3 standard. It is included for those customers who
have a regulatory requirement for compliance.
The current release of the nCipher PKCS #11 library works with a
FIPS 140-2 level 3 compliant security world. However, if you intend
to use the security world with the PKCS #11 applications iPlanet
Enterprise Server or iPlanet Proxy Server, do not specify this flag.
The --strict-fips-140-2-level-3 option only has any effect if you
are creating a new security world.
-O, --overwrite
262
new-world
Features
When initializing a security world, features may be specified as
arguments after the module number. Some features are enabled by
default, and you can give the command new-world --help-features to
display a list of features indicating which are enabled by default when
initializing a security world with new-world.
Features are specified as a comma-separated list of terms. Each term
consists of a feature name, optionally preceded by either a dash (-) or
an exclamation point (!) to turn off the feature and can optionally be
followed by an equal sign (=) and the threshold for this feature.
However, the ! character, used to turn off a given feature, is
interpreted by some shells (for example, the C shell and its
derivatives, bash and zsh) as requesting a history expansion. In such
cases, you must escape the ! character by preceding it with a \
character, as in the following example:
new-world 2 rtc,nv,\!r
263
new-world
fto, Foreign Token Open authorization. Use this feature with ISO
Smartcard Support.
The dsee and dseeall options are not applicable unless you have
purchased and installed nCiphers CodeSafe Developer kit.
For example, the following features:
m=1,r,!p,nv=2,rtc=1
264
Note
new-world
Output
If new-world cannot interpret the command line, it displays its usage
message and exits.
If you attempt to set a threshold for a feature that you have disabled
or if you attempt to set a threshold too high, new-world displays an
error and exits.
If the module is not in the pre-initialization state, new-world displays
and error and exits. To put the module in the pre-initialization state,
see Entering the pre-maintenance state on page 76.
If the module is in the pre-initialization state, new-world prompts you
for smart cards and pass phrases as required.
When new-world has initialized the module, restart the module in the
operational state.
265
nvram-backup
nvram-backup
The nvram-backup utility copies files between a modules nonvolatile
memory and a smart card. It can be used to back up and restore files
that are stored in NVRAM. Files you can back up and restore are data
files stored in NVRAM by an SEE program and NVRAM-stored
keys. See the Operator Guide for more details.
Do not store keys in NVRAM unless you must do so to satisfy
regulatory requirements.
Note
nCipher introduced NVRAM key storage only for users who must store
keys within the physical boundary of a module to comply with
regulatory requirements. NVRAM-stored keys provide no additional
security benefits and their use exposes your Administrator Card Set to
increased risk. Storing keys in nonvolatile memory also reduces loadbalancing and recovery capabilities. Because of these factors,
nCipher recommends you always use standard security world keys
unless explicitly required to use NVRAM-stored keys.
To use nvram-backup you specify an action and, optionally, the
location of the files to be acted on. Available actions are list, copy and
delete. You can list the contents of, and delete files from, a modules
NVRAM, and copy files from NVRAM to a smart card. You can list
files on a smart card and copy from a card to a modules NVRAM.
You cannot use nvram-backup to delete files from a smart card.
Note
Use the bulkerase utility to format cards for use with nvram-backup.
If you are using a FIPS 140-2 level 3 compliant security world, you
will be prompted for an Administrator Card or Operator Card from the
security world to authorize copying of files to or from NVRAM and
deletion of files from the modules NVRAM.
When you copy files to a modules NVRAM or delete files from
NVRAM, you are required to insert a quorum of Administrator Cards
for NVRAM authentication.
266
nvram-backup
Usage
C:\nfast\bin\nvram-backup.exe -l|--list -M|--from-module|-S|--from-smartcard [-m|-module=MODULE] [-s|--slot=SLOT] [-f|--force] [-v|--verbose] [-x|--hex] [FILES]
Help options
-h, --help
267
nvram-backup
-c, --copy
268
nvram-backup
-s, --slot=SLOT
These options identify the slot on the selected module for the
specified nvram-backup action. The default is 0. You do not
need to specify a slot when listing the contents of, or deleting
files from, a modules NVRAM.
General options
-f, --force
These options specify that hex notation is used for the file
selection option.
--no-length
269
nvram-backup
Output
To list the contents of the default modules NVRAM, use the
command:
C:\nfast\bin\nvram-backup.exe --list
File ID (ASCII)
---------------
File Length
-----------
In this example, four files are stored in the modules NVRAM, two
NVRAM-stored keys and their associated recovery information. For
information on identifying file types by their File IDs, see nvram-sw
on page 272.
To obtain a listing of the contents of a modules NVRAM with further
information, including file size, use the nvram-sw utility.
To back up NVRAM-stored keys from the default module to a smart
card, use the command:
C:\nfast\bin\nvram-backup.exe --copy --from-module b*
If you have a FIPS 140-2 level 3 compliant security world, you must
provide authorization to back up files stored on NVRAM. nvrambackup prompts you to insert a smart card from this security world for
authorization.
270
1.
nvram-backup
2.
You can check the success of the command by listing the contents of
the smart card. Use the command:
C:\nfast\bin\nvram-backup.exe --list --from-smartcard
If you have a FIPS 140-2 level 3 compliant security world, you must
provide authorization to delete files from the modules NVRAM.
nvram-backup prompts you to insert a smart card from this security
world for authorization.
1.
2.
Insert the required number of cards, each one in turn, into the
authentication slot.
When authentication is complete, for each file that matches the
specified criteria, nvram-backup prompts for confirmation.
3.
271
nvram-sw
nvram-sw
The nvram-sw utility views and modifies NVRAM areas.
Usage
C:\nfast\bin\nvram-sw.exe -a|--alloc [-m|--module=MODULE] [-b|--bytes=BYTES] [-n|-nvram-id=ID] [-k|--key=APPNAME,IDENT][--no-copy]
Help options
-h, --help
272
nvram-sw
-V, --version
273
nvram-sw
-c, --delete-noadmin
General options
-m, --module=MODULE
These option specify the number of bytes to allocate for -alloc or to read for --read. The default is 100.
274
nvram-sw
-n, --nvram-id=ID
These option specify the identifier of the NVRAM file for all
actions except --list. The default is test-file
-f, --file=FILE
These option specify the file to be read or written for the -read and --write options. If this option is not specified for
these actions, stdin or stdout is used by default.
-k, --key=APPNAME, IDENT
These option specify a key during the --alloc action. This key
is required for all subsequent --read or --write actions on the
NVRAM area.
--no-copy
This option used with the --alloc option allocates a file with
an ACL that does not allow copying.
Identifying files
Files created by nCipher security world tools often have a FileID that
consists of a character identifying the type followed by a
M_ShortHash. You can use this information to identify the type of
files stored in NVRAM and for specifying types of files for use with
an nCipher security world utility.
275
nvram-sw
Description
0x1
0x2
0x53 (S)
0x62 (b)
0x72 (r)
0x74 (t)
0x80 (z)
nCipher may define further file types in future, but the first byte is
always in the range 0-127 (top bit clear). nCipher recommends that
third party developers use FileIDs with a first byte in the range 128255 (top bit set).
nCipher also uses the following specific FileIDs:
276
nvram-sw
FileID (hex)
FileID (ascii)
Description
WarntIdHltu
WarntIdBlob
test-file
277
payshield-config
payshield-config
The payshield-config utility modifies the payShield installations
settings. The utility must be run immediately after running payshieldinstall or payshield-install - -retarget to complete the setup or
retargeting of the payShield installation.
This utility can be used to enable the AcquirePIN Clear PIN
functionality. It uses its own key role which is incompatible with other
payShield PIN functions (KeyRole_AWK). Use of this function is not
recommended as best practice. You should only enable the
AcquirePIN function if the payShield installation will be running in a
physically secure location with trusted operators and network at all
times.
Any PIN entered via the AcquirePIN function cannot be considered to
be secured by the module. Using the same PIN and PAN combination
for both AcquirePIN and PVV/Offset PIN operations may therefore
negate the security of PVV/Offset.
This utility can also be used to enable IBM PIN functions and
unattended key import and export. Enabling these functions may
reduce the security of the system and is not recommended. If any of
these functions are needed, the proper restrictions should be applied.
If you are not sure whether you need these functions, or do not know
what the proper restrictions are, please contact nCipher Support.
Usage
payshield-config.exe [-h|- -help][-v|- -version][-u|- -usage] [{-m|--module}=MODULE]
[{-s|- -slot}=SLOT] [{-c|--configfile}=FILENAME] [{-d|--dump-config}=FILE] [-helpfeatures]PSINAME FEATURES
-m, --module=MODULE
278
payshield-config
-s, --slot=SLOT
279
payshield-info
payshield-info
The payshield-info utility displays information about a specified
payShield installation.
Usage
payshield-info.exe [-i|--info][-k|--keys][-n|--name]=keynamePSINAME
General options
-V, --verbose
These options select the output sort mode for the --keys and
--roles modes.
280
payshield-info
-n, --name=keyname
Keywords
PSINAME
The name of the payShield installation to provide
information about.
Output
The following information is displayed:
281
payshield-info
For example:
PSI Name: qapsi
EMVSM version: 1.0.6+ 2003-01-13 16:55:51. jgeater
Master Key Hash: d42e1791a4e5ea5021444e521bb2c650093efd4d
Estab Key Hash: a06fe51b52725b344dade13a59466bdb77400c1f
Max Keys: 1000
Flags (0x3e0000): TotallyInsecure InsecureImport InsecureDebug
SmartcardImport UnrestrictedImport
Cardsets:
allocated 0053BCD8
Estab CardSet: 1/1 (aaa002b568604e5bbc3a63dcdb0209cd478f317b)
Master CardSet: 1/1 (b9a595b21446ca82dee93a482d60848ec0f1b5dd)
282
payshield-install
payshield-install
The payshield-install utility is used to configure a security world
specifically for the requirements of your payShield installation.
Usage
payshield-install.exe [--master-quorum=K/N --estab-quorum=K/N[{-m|--module}=MODULE] [{s|- -slot}=SLOT] [{-A|- -adminslot}=ADMIN_SLOT] [{-L|--max-loaded-keys}=NUM] [--nonfips-temporarykeys] [--totally-insecure] [--override-keyhash-check] [-D|- -allowinsecure-debug] [-S|--allow-smartcard-import] [-I|- -allow-insecure-import] [-U|- allow-unrestricted-import] [--require-estab-always] [--retarget-see-machine] [-acquirepin-wait=INT] PSINAME KEYHASH
Security options
--master-quorum=K/N
These options specify the slot to use for loading FIPS and
FTO authorizations. The default is 0.
283
payshield-install
-L, --max-loaded-keys=NUM
284
payshield-install
Keywords
PSINAME
285
postrocs
postrocs
The postrocs utility performs clean-up tasks after key-xfer-im has been
used to transfer keys that protect PKCS #11 objects.
Usage
C:\nfast\bin\postrocs [-m|--module=MODULE] [-s|--slot=SLOT]
Help options
-h, --help
Options
-m, --module=MODULE
These options specify the target module for the key transfer.
The default is 1.
-s, --slot=SLOT
These options specify the target slot for the key transfer. The
default is 0.
286
ppmk
ppmk
This utility allows you to manage softcards. It can be used to perform
the following tasks:
listing softcards
deleting a softcard.
Usage
C:\nfast\bin\ppmk.exe --new [-r|-R] NAME
C:\nfast\bin\ppmk.exe -l
C:\nfast\bin\ppmk.exe -icCpr|--delete [PRELOAD-OPTIONS] NAME|IDENT
NAME
287
ppmk
288
ppmk
-R, --non-recoverable
289
preload
preload
The preload command-line utility enables keys to be loaded onto a
module before an application is run. The application can be run
immediately in the same session or the first session can be paused and
the application can be run in a separate session. Additional keys can
be loaded while a session is running.
For applications that do not support K-of-N Operator Card Sets,
preload enables K-of-N Operator Card Sets and module-protected
keys to be loaded before the application is run. You can use the
preload command to preload K-of-N Operator Card Sets before
Usage
C:\nfast\bin\preload.exe [-m MODULE|--module=MODULE] [-c IDENT|--cardset=IDENT] [-cardset-name=NAME] [-s IDENT|--softcard=IDENT] [-o|--any-one] [-i|--interactive] [-A
APP|--appname=APP] [-K PATTERN|--key-ident=PATTERN] [-n PATTERN| --name-pattern=PATTERN]
[--name-exact=NAME] [-M|--module-prot] [--no-cardset-keys] [--admin=NAME] [-F|--requirefips] [-N|--no-fips] [-f PRELOADFILE|--preload-file=PRELOADFILE] [-R|--reloadeverything] | pause | exit
290
preload
These options specify that all Operator Card Sets that match
IDENT are to be loaded. The IDENT variable can be the hash
or the name of a card set; the preload command tries to guess
whether IDENT is a hash or a name based on the form you
supply.
If you definitely want to preload a named card set, use the
--cardset-name=NAME option instead.
Use KeySafe or the nfkminfo command-line utility to
identify keys and cards that are used by particular
applications. For further information, see the appropriate
Operator Guide for your module. Card set patterns or names
are treated as substrings.
--cardset-name=NAME
This option loads a single Operator Card Set and then stops.
-i, --interactive
291
preload
If you specify keys and do not explicitly select Operator Card Sets with
--cardset, or use --module-prot, then preload loads only the Operator
Card Sets that are required by the specified keys. By default, if no key
selection options are used, preload loads all keys on the loaded
Operator Card Set(s) and, if --module-prot is specified, all moduleprotected keys.
-A APP, --appname=APP
custom
embed
hwcrhk
netscape
simple
ssleay
-K PATTERN, --key-ident=PATTERN
292
preload
Note
The current release of the preload command-line utility can only load
softcard-protected keys, not softcards themselves. To load softcards,
use the ppmk command-line utility; see ppmk on page 287.
If you definitely want to preload a named softcard, use the
--softcard-name=NAME option instead.
293
preload
--softcard-name=NAME
The current release of the preload command-line utility can only load
softcard-protected keys, not softcards themselves. To load softcards,
use the ppmk command-line utility; see ppmk on page 287.
Use the ppmk or nfkminfo command-line utilities to identify
keys and softcards that are used by particular applications.
For further information, see the appropriate Operator Guide
for your module. Softcard patterns or names are treated as
substrings.
-M, --module-prot
294
preload
FIPS options
-F, --require-fips
Loading options
-f PRELOADFILE, --preload-file=PRELOADFILE
Output examples
If you want to load keys from a number of Operator Card Sets in
module 2 and use them immediately in an application, for example,
with nfkminfo, give the following command:
C:\nfast\bin\preload -R -m 2 nfkminfo
295
preload
296
preload
297
preload
298
preload
299
preload
You can use the preloaded keys and tokens when running commands
in a separate command window. For example, to load keys for
generatekey that were preloaded in the preceding example, open
second command window and give the command:
C:\nfast\bin\preload generatekey hwcrhk
300
racs
racs
The racs utility creates a new Administrator Card Set to replace a set
that was created with the new-world utility.See Replacing an
Administrator Card Set with racs on page 225.
Usage
racs [-m|--module=MODULE]
Options
-m, --module=MODULE
301
rfs-setup
rfs-setup
This utility creates a default remote file system on the client. You run
rfs-setup when you first configure a client. See Setting up client
cooperation on page 53 for details of client configuration.
Usage
C:\nfast\bin\rfs-setup.exe
C:\nfast\bin\rfs-setup.exe
C:\nfast\bin\rfs-setup.exe
C:\nfast\bin\rfs-setup.exe
[-c|--configfile=FILENAME] [-f|--force]
<ADDRESS> module_ESN keyhash
--gang-client module_ip_address module_ESN keyhash
--gang-client --write-noauth module_IP_address
Options
-c, --configfile=FILENAME
302
rfs-setup
--write-noauth
module_IP_address
303
rfs-sync
rfs-sync
This utility synchronises the kmdata between a cooperating client and
the remote file system it is configured to access. It should be run when
a cooperating client is initialised in order to retrieve data from the
remote file system and also whenever a client needs to update its local
copy of the data or, if the client has write access, to commit changes
to the data. See Chapter 3: Getting the module working for more
details about client cooperation.
Usage
C:\nfast\bin\rfs-sync.exe [-U|--update] [-c|--commit] [-s|--show] [--remove] [--setup
[setup_options] ip_address]
Options
-U, --update
304
rfs-sync
--setup
305
rfs-sync
the task ID of the lock owner. As a last resort, you can use the rfs-sync
command-line utility to remove lock files. In such a case, the --killlock option forcibly removes the lock file.
306
rtc
rtc
The rtc utility reads the time from a modules onboard real-time
clock. It can also be used to set the clock.
Usage:
rtc [[-g|--get-clock]|[-t|--set-clock [-a|--no-admin-keys] [-A|--adjust]]] [-m|-module=MODULE] TIME
These options tell rtc to read the modules clock time. This
is the default if no action option is specified.
-t, --set-clock
These options tell rtc to read or write the clock of the module
MODULE. If MODULE is not specified, the default is 1.
307
rtc
In this command:
--module=MODULE tells rtc to set the clock and adjust the drift
rate.
rtc returns a message similar to this:
time on module 1 is 2001-03-21 12:33:12
Note
In this command:
--adjust tells rtc to set the clock and adjust the drift rate.
308
rtc
TIME is the time to which to set the clock in the form YYYY-MMDD/HH:MM:SS, where -, /, and : are arbitrary delimiter
characters that can be any non-numeric character.
Unless you give the --no-admin-keys option, rtc prompts you for the
number of cards required from the Administrator Card Set to enable
it to set the real-time clock.
If you do not specify a time, rtc uses the time from the host computer's
clock.
If you specify a time, rtc asks you to confirm the operation. This
feature enables you to check that you have entered the time correctly.
309
slotinfo
slotinfo
The slotinfo utility returns information about the tokens that are
present in a module. slotinfo can also be used to format a token.
Usage
C:\nfast\bin\slotinfo -m|--module=MODULE [-s|--slot=SLOT]
Module selection
-m, --module=MODULE
Use of the --format option is deprecated. If you use slotinfo with the
--format option to format a token, it does not remove the card from the
security world lists and cannot erase cards in FIPS 140-2 level 3
compliant security worlds.
slotinfo does not update the security world host data. If you are using
310
slotinfo
Output
slotinfo --module=1 returns information in the format:
Slot Type Token IC Flags Details
#0 Smartcard present 1 A
#1 Software Tkn - 0
In this output:
Type Unconnected means that the slot is a remote slot for this
module, but the hardserver has failed to import it. The reason for
the failure is given in the Details field.
311
sppupgradekeys
sppupgradekeys
The sppupgradekeys utility upgrades keys created on older payShield
installations so that they can be used with newer payShield
installations. You can use the optional EXPORTFILE to specify (by
name) those keys that are to be allowed to be exported in attended
operations.
Note
Usage
sppupgradekeys [options] psiname [EXPORTFILE]
Options
-m, --module=MODULE
312
sppupgradekeys
Key worlds
psiname
This is the name of the payShield installation that you are
going to import the key into. psiname must consist of 16, or
fewer, lower case alphanumeric characters.
EXPORTFILE
This is a file containing lines of the form:
NAME
313
stattree
stattree
The stattree utility returns the statistics gathered by the nCipher server
and modules.
Usage
C:\nfast\bin\stattree [<node> [<node> [...]]]
Output
Running the stattree utility displays a snapshot of statistics currently
available on the host machine. Statistics are gathered both by the
hardserver (relating to the server itself, and its current clients) and by
each attached module.
Statistics are displayed in the form of a tree. At each node in the tree,
either a set of statistics or a list of sub-categories is displayed. Each
node has a label which consists of one of the following:
Times are listed in seconds. Other numbers are integers, which are
either real numbers, IP addresses, or counters. For example, a result
-CmdCount 74897 means that there have been 74,897 commands
submitted.
314
stattree
If node is provided, stattree uses the value given as the starting point
of the tree and displays only information at or below that node in the
tree. Values for node can be numeric or textual. For example, to view
the object counts for local module number 3:
$ stattree PerModule 3 ModuleObjStats
+#PerModule:
+#3:
+#ModuleObjStats:
-ObjectCount
6
-ObjectsCreated
334
-ObjectsDestroyed
328
315
stattree
The value of node must be a node tag; it must identify a node in the
tree and not an individual statistic. Thus, the following command does
not work:
$ stattree PerModule 3 ModuleObjStats ObjectCount
+#PerModule:
+#3:
+#ModuleObjStats:
Unable to convert 'ObjectCount' to number or tag name.
Node tags
These hold statistics for each module:
Category
Contains
ModuleJobStats
ModulePCIStats
ServerGlobals
Connections
PerModule
316
stattree
Category
Contains
ModuleJobStats
ModulePCIStats
ModuleObjStats
ModuleEnvStats
Statistics IDs
ID
Value
Uptime
CmdCount
ReplyCount
CmdBytes
ReplyBytes
CmdMarshalErrors
317
stattree
ID
Value
ReplyMarshalErrors
ClientCount
MaxClients
DeviceFails
DeviceRestarts
QOutstanding
DevOutstanding
LongOutstanding
318
stattree
ID
Value
RemoteIPAddress
HostWriteCount
HostWriteErrors
HostWriteBadData
HostWriteOverruns
HostWriteNoMemory
HostReadCount
HostReadErrors
HostReadEmpty
HostReadUnderruns
319
stattree
ID
Value
HostReadDeferred
HostReadTerminated
PFNIssued
PFNRejected
PFNCompleted
ANIssued
ChanJobsIssued
ChanJobsCompleted
320
stattree
ID
Value
CPULoadPercent
HostIRQs
ChanJobErrors
HostDebugIRQs
HostUnhandledIRQs
HostReadReconnect
ObjectsCreated
The number of times a new object has been put into the
object store. This appears under the modules
ModuleObjStats node.
ObjectsDestroyed
ObjectCount
321
stattree
ID
Value
CurrentTempC
MaxTempC
MinTempC
MemTotal
MemAllocKernel
MemAllocUser
322
323
Note
324
2.
This appendix assumes that you have installed the nCipher server as
a service. This is the default installation procedure described in
Chapter 3: Getting the module working.
Where commands are described, it is assumed that you have installed
the nCipher software in the default location, C:\nfast\. If you have
chosen to install the nCipher software in another directory, replace
references to this directory with the name of the directory in which
you have chosen to install the software.
This chapter describes how to upgrade module firmware for
nShield/payShield modules only. If you have another module refer to
the corresponding chapter in the appropriate Administrator Guide.
Key data
The firmware upgrade process destroys all persistent data held in a
key management module.
325
2.
3.
326
Figure 6
PCI modules
PCI modules
If you have a PCI module, you can upgrade the firmware without
having to open your computer case, provided that the override switch
is off. (Refer to the installation instructions in the Hardware
Installation Guide for information on accessing the override switch
and switching it off.)
To upgrade the firmware on a PCI module, follow these steps:
1.
2.
327
Figure 7
PCI modules
Status LED
on off
Clear switch
Mode switch
M
O
I
J1 override
J2 unused
Smart card
connector
DC power
3.
4.
Note
If the PCI module is still in the operational state, it means that the
override switch is on. Refer to the installation instructions in the
Hardware Installation Guide for information on accessing the
override switch and switching it off.
5.
6.
C:\nfast\bin\loadrom E:\firmware\ver\filename.nff
328
8.
Reset the module by pressing the clear button until the LED
flashes short pulses to indicate that the module is in preinitialization state. Alternatively, issue the nopclearfail command.
9.
10. Reset the module by pressing the clear button or by issuing the
nopclearfail command.
11. Log in to the host as normal.
329
330
On nCSS User and CipherTools CD-ROMs, you are also offered the
psusr payShield User standard component bundle.
The component bundles consist of various individual components.
The hwsp Hardware Support (mandatory) bundle contains the nCipher
server and kernel device drivers:
hwsp Hardware Support (mandatory) bundle
nfdrv Windows device drivers
nfserv Hardserver process executables and scripts
sdrv nFast Win 2000 driver signatures
cfgall Hardserver config file support
nflog Logging library support
The ctls Core Tools (recommended) bundle contains all the nCipher
command-line utilities, including generatekey, low level utilities, and
test programs:
ctls Core Tools (recommended) bundle
convrt Command line key conversions
nftcl Command line key management (Tcl)
nftcl Command line key generation and import
nfuser Low level utilities and test programs
nfuser Command line remote server management
opensl nftcl certificate generation utility
sworld Command line key management (C)
tclsrc Tcl run time
tclstf Small Tcl utilities
nftcl Command line key generation and import
tct2 Trusted Code Tool 2 command-line utility
pysrc Python source for developers
nfpy nFPython header files
331
nCipher recommends that you always install the ctls Core Tools
bundle.
Note
The Core Tools bundle includes the tclsrc Tcl run times tools for
creating the security world, KeySafe, and new-world. This does not
affect any other installation of Tcl on your computer.
The javasp Java Support (including KeySafe)s Java applications,
including KeySafe:
javasp Java Support (including KeySafe) bundle
jutils Java utilities
jutils JNI shared library for jutils.jar
kmjava Java Key Management classes
ksafe KeySafe 2
nfjava nFast Java generic stub classes
nftcl Java Key Management Support
332
333
334
Individual Components
hwcrhk Crypto Hardware Interface (CHIL) plugin
jcecsp nCipherKM JCA/JCE provider classes
mscapi CSP support files
mscapic nCipher Win 2000 domestic strength CSP
ncsnmp nCipher SNMP monitoring agent
pkcs11 nCipher pkcs11 library
CipherTools CD-ROM
nCipher supplies the following component bundles and additional
components on the CipherTools CD-ROM:
Component Bundles
hwsp Hardware Support (mandatory)
ctls Core Tools (recommended)
javasp Java Support (including KeySafe)
psusr payShield User
ctd CipherTools Developer
jd Java Developer
335
CodeSafe CD-ROM
Individual Components
hwcrhk Crypto Hardware Interface (CHIL) plugin
jcecsp nCipherKM JCA/JCE provider classes
mscapi CSP support files
mscapic nCipher Win 2000 domestic strength CSP
ncsnmp nCipher SNMP monitoring agent
pkcs11 nCipher pkcs11 library
sslyp Open SSL source code patch file
CodeSafe CD-ROM
nCipher supplies the following component bundles and additional
components on the CodeSafe CD-ROM:
Component Bundles
hwsp Hardware Support (mandatory)
ctls Core Tools (recommended)
javasp Java Support (including KeySafe)
csd CodeSafe Developer
jd Java Developer
Individual Components
gccsrc Prebuilt arm-gcc for Codesafe/C
gccsrc Prebuilt powerpcm-gcc for Codesafe/C
hwcrhk Crypto Hardware Interface (CHIL) plugin
jcecsp nCipherKM JCA/JCE provider classes
mscapi CSP support files
mscapic nCipher Win 2000 domestic strength CSP
ncsnmp nCipher SNMP monitoring agent
pkcs11 nCipher pkcs11 library
336
KeySafe
To use KeySafe, install the ctls Core Tools and the javasp Java Support
(including KeySafe) bundles.
337
Windows CSP
If you require the Windows CSP, you must install the CSP
components:
338
For instructions on how to activate the agent after installation, see the
Operator Guide appropriate to your module type.
339
Description
NFAST_DEBUG
NFAST_HOME
NFAST_HWCRHK_LOGFILE
NFAST_KMDATA
NFAST_KMLOCAL
340
C Environment variables
Environment variables
Variable
Description
NFAST_NFKM_TOKENSFILE
NFAST_NFKM_TOKENSSELECT
NFAST_SEE_MACHINEENCKEY_DEFAULT
NFAST_SEE_MACHINEENCKEY_module
NFAST_SEE_MACHINEIMAGE_DEFAULT
NFAST_SEE_MACHINEIMAGE_module
NFAST_SEE_MACHINESIGHASH_DEFAULT
NFAST_SEE_MACHINESIGHASH_module
341
C Environment variables
Environment variables
Variable
Description
NFAST_SERVER_PORT
NFAST_SERVER_PRIVPORT
NFLOG_CATEGORIES
NFLOG_SEVERITY
NFLOG_DETAIL
NFLOG_FILE
OPENSSL_HWCRHK_LOG
342
FATAL
2.
SEVERE
3.
ERROR
4.
WARNING
5.
NOTIFICATION
343
6.
Function
0x00000001
0x00000002
0x00000004
external_pid
0x00000008
external_tid
0x00000010
external_time_t
0x00000020
stack_backtrace
0x00000040
This flag shows the stack file with the log stack_file
entry.
0x00000080
logdetail flags
stack_line
344
Hexadecimal
flag
Function
logdetail flags
0x00000100
msg_severity
0x00000200
msg_categories
0x00000400
0x00000800
0x00001000
0x00002000
msg_file
345
NFLOG_CATEGORIES
Description
nflog
nflog-stack
memory-host
memory-module
gs-stub
gs-stubbignum
gs-stubinit
gs-dumpenv
nfkm-getinfo
nfkm-newworld
nfkm-admin
nfkm-kmdata
nfkm-general
nfkm-keys
346
Category
Description
nfkm-preload
nfkm-ppmk
serv-general
serv-client
serv-internal
serv-startup
servdbg-stub
servdbg-env
servdbg-underlay
servdbg-statemach
servdbg-perf
servdbg-client
servdbg-messages
servdbg-sys
hwcrhk
pkcs11-sam
pkcs11
This category logs all other messages from the PKCS #11
library.
rqcard-core
rqcard-logic
rqcard-logic
347
If none of the four environment variables are set, the default behavior
is to log nothing, unless this is overridden by any individual library.
If any of the four variables are set, all unset variables are given
default values.
Note
Value
Output
Function calls and error messages are sent to the log file.
348
Output in log
DL_None
NONE
DL_EFatal
FATAL
"Fatal error:"
DL_EError
ERROR
"Error:"
DL_Fixup
WARNING
"Fixup:"
DL_Warning
WARNING
"Warning:"
DL_EApplic
ERROR
"Application error:"
DL_Assumption
NOTIFICATION
"Unsafe
assumption:"
DL_Call
DEBUG2
">> "
DL_Result
DEBUG3
"< "
DL_Arg
DEBUG4
"> "
10
DL_Detail
DEBUG5
"D "
11
DL_DetailMutex
DEBUG6
"DM "
349
Hardserver debugging
Hardserver debugging
Hardserver debugging is controlled by specifying one or more
servdbg-* categories (from the NFLOG_CATEGORIES environment
variable) in the hardserver configuration file (see Hardserver
configuration file on page 85). However, unless you also set the
NFAST_DEBUG environment variable to a non-zero value, no
debugging is produced (regardless of whether or not you specify
servdbg-* categories in the hardserver configuration file). This
behavior helps guard against the additional load debugging places on
the CPU usage; you can set the desired servdbg-* categories in the
hardserver configuration file, and then enable or disable debugging by
setting the NFAST_DEBUG environment variable.
Note
350
00000000
00000001
00000010
00000100
00001000
00010000
00100000
01000000
10000000
351
NONE =
0x00000000 (debugging off)
MESS_NOTIFICATIONS = 0x00000001 (occasional messages including important errors)
MESS_VERBOSE =
0x00000002 (all messages)
MESS_RESOURCES =
0x00000004 (resource allocations)
FUNC_TRACE =
0x00000008 (function calls)
FUNC_VERBOSE =
0x00000010 (function calls + arguments)
REPORT_CONTEXT =
0x00000020 (calling context e.g ThreadID and time)
FUNC_TIMINGS =
0x00000040 (function timings)
NFJAVA_DEBUGGING =
0x00000080 (Output NFJAVA debugging info)
2.
352
3.
Convert the total to a decimal and specify this as the value for the
variable.
For example, to set NFJAVA_DEBUGGING and
MESS_NOTIFICATIONS, include the line:
NFJAVA_DEBUG=129
353
Description
cardpp
cfg-reread
checkmod
ckimportbackend
ckinfo
cklist
354
E Installed Utilities
Installed Utilities
Utility
Description
ckmechinfo
ckrsagen
cksigtest
config
createocs
cryptest
cspcheck
cspimport
cspmigrate
355
E Installed Utilities
Installed Utilities
Utility
Description
cspnvfix
csptest
csputils
des_kat
dump_marshalled
enquiry
floodtest
fwcheck
genkeyprops
generatekey
hardserver
356
E Installed Utilities
Installed Utilities
Utility
Description
iisinstallcert
initunit
key2pem
keytst
key-xfer-im
killrecov
kmfile-dump
kptest
loadkeys
loadrom
357
E Installed Utilities
Installed Utilities
Utility
Description
mkaclx
mk-reprogram
ncdate
ncthread-test
ncversions
new-world
nffwd
nfkminfo
nopclearfail
nvram-backup
358
E Installed Utilities
Installed Utilities
Utility
Description
nvram-sw
payshield-config
payshield-info
payshield-install
pollbare
postrocs
ppmk
preload
pubkey-find
359
E Installed Utilities
Installed Utilities
Utility
Description
racs
randchk
rdlinene
rfs-sync
rtc
sigtest
slotinfo
sppupgradekeys
stattree
360
361
trap
362
Default settings
Default settings
By default, installing nCipher support software for Windows 2000 or
Windows 2003 also installs the nCipher SNMP agent but does not
activate it. The nCipher SNMP agent can be specifically excluded
from an nCipher installation by deselecting the box associated with
the SNMP agent in the installation component list. The default
installation directory for the nCipher Management Information Base
(MIB) and the SNMP configuration files (snmp.conf and snmpd.conf)
is %NFAST_HOME%\etc\snmp\.
Log in as Administrator.
2.
3.
363
Further Information
Further Information
Protecting the nCipher SNMP installation
The nCipher SNMP Agent allows other computers on the network to
connect to it and make requests for information. The nCipher agent is
based on the NET-SNMP code base, which has been tested but not
fully reviewed by nCipher. nCipher strongly recommends that the
nCipher agent be deployed only on a private network or protected
from the global Internet by an appropriate firewall.
The default nCipher SNMP installation allows read-only access to the
Management Information Base (MIB) with any community string.
There is no default write access to any part of the MIB.
Every effort has been taken to ensure the confidentiality of
cryptographic keys even when the SNMP agent is enabled. In
particular, the nCipher module is designed to prevent the theft of keys
even if the security of the host system is compromised, provided that
the Administrator Cards are used only with trusted hosts. Care must
be used when changing the configuration of the nCipher SNMP agent.
nCipher strongly advises that you set up suitable access controls in
snmpd.conf, or a firewall, to protect the agent and the information it
can return.
364
Further Information
Care has also been taken to ensure that malicious attackers are unable
to flood your module with requests by flooding your SNMP agent.
Command results from administration or statistics commands are
cached, and therefore the maximum rate at which the agent sends
commands to the module is throttled. See <Undefined CrossReference> for details on setting the cache time-outs.
Make sure you protect the configuration files if you are storing
sensitive information in them.
By default, the nCipher SNMP configuration file (snmp.conf) is
located in the $NFAST_HOME\etc\snmp\ directory. In this directory,
the agent looks for files with the extension of .conf.
Note
365
Further Information
366
keytable
This directive sets the initial state of the key table to none, all,
or query. See listKeys in Administration sub-tree overview
on page 369.
Manager configuration
The manager application is the interface through which the user is
able to perform network management functions. A manager
communicates with agents using SNMP primitives (get, set, trap) and
is unaware of how data is retrieved from, and sent to, managed
devices. This form of encapsulation raises two main issues:
the manager can communicate with agents running on any IPaddressable machine.
367
It is more useful if the manager can see the MIB tree present at each
managed node. The MIB module descriptions for a particular node
must be parsed by a manager-specific MIB compiler and converted to
configuration files. These files are read by the manager application at
run time.
The nCipher SNMP agent is designed to monitor all current nCipher
modules. The SNMP agent can monitor e-commerce accelerator and
key management modules, working with all supported versions of
nCipher firmware (contact Support at nCipher for details of supported
firmware).
MIB functionality
The nCipher MIB module separates module information into the
following categories:
368
These categories form the top-level nodes of the nCipher sub-tree; the
functionality of the first category is in the administration sub-tree, and
the second category is in the statistics sub-tree. The top-level tree also
contains 3 items that it would be useful to check at-a-glance:
Node name
R/W
Type
Remarks
hardserverFailed
TruthValue
modulesFailed
TruthValue
load
Unsigned32
369
R/W
Type
Remarks
SecurityWorld
TruthValue
hardserverRunning
Enum
1: Running
2: NotRunning
noOfModules
Unsigned32
hsVersion
DisplayString
[global]speedIndex
Unsigned32
[global]minQ
[global]maxQ
Unsigned32
swState
DisplayString
listKeys
R/W
Enum
1: none
2: all
3: query
4: resetquery
serverFlags
DisplayString
remoteServerPort
Gauge
swGenTime
DisplayString
swGeneratingESN
DisplayString
370
R/W
Type
Remarks
hashKNSO
MHash
hashKM
MHash
hashKRA
MHash
hashKRE
MHash
hashKFIPS
MHash
hashKMC
MHash
hashKP
MHash
hashKNV
MHash
hashKRTC
MHash
hashKDSEE
MHash
hashKFTO
MHash
371
R/W
Type
Remarks
adminQuorumK
Unsigned
adminQuorumN
Unsigned
adminQuorumM
Unsigned
adminQuorumR
Unsigned
adminQuorumP
Unsigned
adminQuorumNV
Unsigned
adminQuorumRTC
Unsigned
adminQuorumDSEE
Unsigned
adminQuorumFTO
Unsigned
372
R/W
Type
Remarks
moduleAdminIndex
Integer
mode
Enum
1: Operational
2: Pre-init
3: Init
4: Pre-maint
5: Maint
6: AccelOnly
7: Failed
8: Unknown
fwVersion
DisplayString
serialNumber
DisplayString
moduleType
DisplayString
productName
DisplayString
hwPosInfo
DisplayString
moduleSecurityWorld
TruthValue
smartcardState
DisplayString
373
Node name
R/W
Type
Remarks
moduleSWState
Enum
Current module and security world state
1: unknown
2: usable
3: maintmode
4: uninitialized
5: factory
6: foreign
7: accelonly
8: failed
9: unchecked
10: initmode
11: preinitmode
12: outofrange
moduleSWFlags
DisplayString
hashKML
MHash
moduleFeatures
DisplayString
moduleFlags
DisplayString
versionSerial
Gauge
hashKNETI
MHash
longQ
Gauge
connectionStatus
DisplayString
connectionInfo
DisplayString
machineTypeSEE
DisplayString
374
R/W
Type
Remarks
slotAdminModuleIndex R
Unsigned32
slotAdminSlotIndex
Unsigned32
slotType
Slot type
Enum
1: Datakey
2: Smart card
3: Emulated
4: Soft token
5: Unconnected
6: Out of range
7: Unknown
slotFlags
DisplayString
slotState
Enum
1: Unused
2: Empty
3: Blank
4:
Administrator
5: Operator
6: Unidentified
7: Read error
8: Partial
9: Out of range
cardset.
slotListFlags
DisplayString
slotShareNumber
Unsigned32
slotSharesPresent
DisplayString
375
R/W
Type
Remarks
hashKLTU
MHash
cardsetName
DisplayString
cardsetK
Unsigned32
cardsetN
Unsigned32
cardsetFlags
DisplayString
cardsetNames
DisplayString
cardsetTimeout
Unsigned32
cardsetGenTime
DisplayString
376
R/W
Type
Remarks
keyAppname
DisplayString
Application name
keyIdent
DisplayString
keyHash
MHash
keyRecovery
Enum
1: Enabled
2: Disabled
3: No key
4: Unknown
5: Invalid
6: Unset
keyProtection
Enum
1: Module
2: Cardset
3: No key
4: Unknown
5: Invalid
6: Unset
keyCardsetHash
MHash
keyFlags
DisplayString
keyExtraEntities
Unsigned32
keySEEInteg
DisplayString
keyGeneratingESN
DisplayString
keyTimeLimit
Gauge
keyPerAuthUseLimit
Gauge
377
If these values are set, they are taken as required attributes for filtering
the list of available keys; if multiple attributes are set, the filters are
combined (AND rather than OR).
The following table gives details of the nodes in the key query subtree (enterprises.nCipher.nC-series.administration.keyQuery):
Node name
R/W
Type
keyQueryAppname
R/W
DisplayString
Application name
keyQueryIdent
R/W
DisplayString
keyQueryHash
R/W
DisplayString
keyQueryRecovery
R/W
Enum
1: Enabled
2: Disabled
3: No key
4: Unknown
5: Invalid
6: Unset
keyQueryProtection
R/W
Enum
1: Module
2: Cardset
3: No key
4: Unknown
5: Invalid
6: Unset
keyQueryCardsetHash
R/W
DisplayString
keyQueryFlags
R/W
DisplayString
keyQueryExtraEntities
R/W
Unsigned32
keyQuerySEEInteg
R/W
DisplayString
keyQueryGeneratingES R/W
N
DisplayString
keyQueryTimeLimit
R/W
Gauge
keyQueryPerAuthUseL R/W
imit
Gauge
Remarks
378
R/W
Type
moduleStatsIndex
Integer
Remarks
Module number of this row (for
moduleStatsTable)
[hs]uptime
Counter32
cmdCount[All]
Counter32
cmdBytes[All]
Counter32
cmdErrors[All]
Counter32
replyCount[All]
Counter32
replyBytes[All]
Counter32
replyErrors[All]
Counter32
Returned as for cmdCount. When permodule total, aggregate all the different
error states into one counter. When
aggregated, returned value is combined
module errors added to hardserver
marshalling/unmarshalling errors.
379
Node name
R/W
Type
clientCount
Counter32
maxClients
Counter32
deviceFails
Counter32
deviceRestarts
Counter32
load[All]
Counter32
outstandingCmds
Counter32
objectCount
Counter32
clock
DisplayString
currentTemp
DisplayString
maxTemp
DisplayString
nvRAMInUse
Counter32
volatileRAMInUse
Counter32
Remarks
R/W
Type
Remarks
netHSMStatsIndex
Integer
netHSMUptime
Counter32
netHSMCPUUsage
Gauge32
netHSMUserMem
Gauge32
netHSMKernelMem
Gauge32
netHSMCurrentTemp
DisplayString
netHSMMaxTemp
DisplayString
380
Node name
R/W
Type
Remarks
netHSMCurrentTemp2
DisplayString
netHSMMaxTemp2
DisplayString
netHSMPower5V
DisplayString
netHSMPower12V
DisplayString
netHSMFanSpeed
Gauge32
netHSMFan2Speed
Gauge32
netHSMFan3Speed
Gauge32
netHSMIPAddress
IpAddress
IP address of netHSM
netHSMDescription
DisplayString
R/W
Type
Remarks
compIndex
Integer
Table index
compName
DisplayString
Component name
compOutput
Component
output name
Component name
compMajorVersion
Gauge
compMinorVersion
Gauge
compPatchVersion
Gauge
compRepository
DisplayString
compBuildNumber
Gauge
Repository name
381
Usage
e:\ncipher\devel\ncsnmp\src\ntbuild\agent\snmpd.exe -register [param list] |
-unregister |
[-h] [-v] [-f] [-a] [-d] [-V] [-P PIDFILE):] [-q] [-D] [-p NUM]
[-L] [-l LOGFILE] [-r]
In this command:
-h
382
383
-D
384
385
snmpbulkwalk
386
nCipher addresses
nCipher Corporation Ltd.
nCipher Inc.
Cambridge, UK
Jupiter House
Station Road
Cambridge
CB1 2JD
UK
Tel:
Fax:
Tel:
Fax:
800-NCIPHER
800-6247437
+1 (781) 994 4000
+1 (781) 994 4001
E-mail:
E-mail:
sales@ncipher.com
support@ncipher.com
sales@us.ncipher.com
support@ncipher.com
Internet addresses
Web Site:
http://www.ncipher.com/
Online Documentation:
http://active.ncipher.com/documentation/
Note