000026643 - What is the process to change the nCipher Operator Card Set (OCS) in RSA Certificate Manager?

Document created by RSA Customer Support Employee on Aug 26, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000026643
Applies To:
RSA Certificate Manager (RCM)
RSA Certificate Manager 6.7
nCipher Hardware Security Module (HSM)
nCipher NetHSM
Issue: All keys except the Production CA key are protected by the Systems OCS cardset. The Production CA key is protected by what we call the Issuer OCS cardset.
We are attempting to replace the current card set for RCM so we can create a remotely enabled set of cards. The previous card set was working properly but was not remotely enabled. Keysafe shows everything converted correctly. It shows the key recover count moved from the old cardset to the new cardset. The new cardset was named CA Systems OCS - QA, whereas the old cardset was named CA Systems OCS. The key files in kmdata/local show the new date.
Resolution: To use a different OCS, follow the instructions below.
The OCS name is stored with the objects that refer to nCipher-based keys.
When you replace an OCS, the new OCS name should be the same as the original one. For example, if the original OCS was called OCS-1:
1. Create a new OCS called OCS-temp to replace OCS-1, and move all keys to OCS-temp.
2. Remove the original OCS-1.
3. Create a new OCS called OCS-1 to replace OCS-temp, and move all keys to the new OCS-1.
4. Remove OCS-temp, as it is no longer needed.
Legacy Article ID: a53346