000020145 - Setting up an external nCipher box for use with Keon Certificate Authority

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000020145
Applies To:
    nCipher Hardware Security Module
    Keon Certificate Authority
    Keon Key Recovery Module
    Sun Solaris 2.8
Issue: Setting up an external nCipher box for use with Keon Certificate Authority
Resolution: The following steps take an nCipher box from any unknown state (provided it is not faulty) to running for use with Keon Certificate Authority using nCipher Release 5.04 (NOTE: different commands are used for Release 6).

NOTE: For most steps there are alternatives; for full details of these and the use of non-standard options, see the nCipher documentation. These steps are meant as an outline to enable rapid start with the most commonly used options.

NOTE: The steps outlined below assume the software has been installed into the default location (/opt/nfast) and that /opt/nfast/bin has been added to the PATH variable

1. Set the box into pre-initialization mode using the following steps:

 a. Press and hold the initialization button on the back of the box (do not release it)
 b. Press and hold for about 2 seconds the clear button on the front of the box
 c. Release the reset button and watch the flashing blue light; after a few seconds you should get steady short flashes
 d. Release the Initialization button at the back of the box

2. Ensure no existing key data is on the system:

        rm /opt/nfast/kmdata/local/world

This assumes the software has been installed into the default location and that any existing data is not required.
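Step 2 is destructive: once the world file is gone, every key protected by that Security World is unrecoverable unless a backup of the kmdata directory exists. The following POSIX shell helper is an added example, not part of the original article or of the nCipher software: it checks the article's assumption that /opt/nfast/bin is on PATH, and moves an existing world file aside under a timestamped name instead of deleting it outright. The NFAST_KMLOCAL override variable is a hypothetical name used here only so the check can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the article or nCipher): pre-flight checks before
# removing the Security World file in step 2.
#
# Assumptions: default install location /opt/nfast, as in the article.
# NFAST_KMLOCAL is a hypothetical override (not an nCipher variable) so the
# same function can be exercised against a throwaway directory.

KMLOCAL="${NFAST_KMLOCAL:-/opt/nfast/kmdata/local}"

# check_path [PATHVALUE]
# Returns 0 if /opt/nfast/bin is one of the PATH entries (the article's
# assumption), 1 otherwise. Defaults to the current $PATH.
check_path() {
  p="${1:-$PATH}"
  case ":$p:" in
    *":/opt/nfast/bin:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# backup_world DIR
# If DIR/world exists, rename it to DIR/world.bak.<timestamp> and print the
# backup path; if there is nothing to move, print a message and return 0.
# Returns 1 only if the rename itself fails.
backup_world() {
  dir="$1"
  if [ ! -f "$dir/world" ]; then
    echo "no existing world file in $dir"
    return 0
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  mv "$dir/world" "$dir/world.bak.$stamp" || return 1
  echo "$dir/world.bak.$stamp"
}

# Stand-alone usage: run the two checks against the configured directory.
# Set NFAST_KMLOCAL to a scratch directory to try this without an HSM.
if [ "${NFAST_EXAMPLE_MAIN:-0}" = "1" ]; then
  if check_path; then
    echo "/opt/nfast/bin is on PATH"
  else
    echo "warning: /opt/nfast/bin is not on PATH; sw-init and createocs will not be found" >&2
  fi
  backup_world "$KMLOCAL"
fi
```

After the backup step, the rest of the procedure continues unchanged with sw-init; the .bak file can be deleted once the new Security World has been created and verified. Because the backup is only a rename within the same directory, it still lives on the same host; copy it elsewhere if the old world's keys might ever be needed again.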

3. Run the command to create a new Security World (note that there are a few ways to do this, outlined in the nCipher documentation). This will create a FIPS 140-1 level 3 system; in this example, we are using a 1 of 1 cardset, which is unusual but will demonstrate the procedure. For more information, read about cardsets in the nCipher documentation.

        sw-init --acs-n 1 --acs-k 1 --recovery --fips

Answer the interactive questions when prompted:

        Please confirm - Initialize new security system and program these module(s)?
                - Answer "yes"
        Please insert new administrator card #1 in module #1.
                - Insert a new blank card and press the "Enter" key (see Reusing old nCipher administration cards)
        Now, please enter new passphrase for this card:
                - Type in a passphrase (PIN)
        Then, please reenter the passphrase for this card:
                - Re-type your selected passphrase

4. Switch the nCipher box into operational mode by pressing the clear button on the front.

5. Now create an operator card set (OCS). Leave one of your admin cards in the machine - this is needed because we are using FIPS 140-1 level 3 (see nCipher documentation).

In the example below, we are creating an operator cardset called 'Corporate'; the cardset is 'persistent' (-p), and as with the administration cardset, we are using 1 of 1 cards.

        createocs -F0 -f -p -t 0 -k 1 -n 1 1 0 Corporate
        
        Insert new operator card 1 into module 1 slot 0 and press return:
                - Insert a new blank card and press the Enter key
        Passphrase for new operator card 1:
                - Type in a passphrase (PIN)                
        Verify passphrase for new operator card 1:
                - Re-type your selected passphrase

The system is now ready for use with Keon Certificate Authority and Keon Key Recovery Module.

In a live environment, it is recommended not to use a 1 of 1 cardset. Also, you may want to repeat step 5 to make different cardsets to carry out different tasks. The steps above allow a quick start of an nCipher system to run with KCA; for a live environment, read ALL documentation thoroughly and plan your options carefully. RSA Security Professional Services can offer a wealth of experience in this area, and can provide advice on how best to design a complete system.
Legacy Article ID: a14808
