000025949 - Keon Certificate Authority with nCipher HSM load sharing

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000025949
Applies To: Keon Certificate Authority 6.5.1; nCipher Hardware Security Module
Issue: Keon Certificate Authority with nCipher HSM load sharing. An nCipher HSM module ignores the xudad.conf setpin directive when a failover occurs.
Cause: Where more than one nCipher HSM forms part of a Security World, the first device may be initialized by the "setpin" directive in xudad.conf so that an operator does not need to enter the Operator Card Set (OCS) passphrase when the CA's private key is used. If the active HSM fails over to a second HSM, the OCS passphrase must then be entered manually on the vetting page.

This occurs because, by design, the setpin directive is processed only once, when xudad starts up, and the passphrase handling is designed (for security reasons) so that KCA removes every trace of the passphrase once the first nCipher unit has been logged into. The net effect is that when the second HSM is activated, it too requires a login, and the passphrase from the setpin directive is no longer available to supply it.
Resolution: At the current time, this is the correct behavior for KCA running with multiple HSM devices.
Legacy Article ID: a21026