nShield HSM Card Installation Problems

Document ID : KB000007603
Last Modified Date : 14/02/2018
Issue:

This article covers 3 possible issues you may run into while configuring the HSM card for the first time.

 

Once the Gateway is configured and the DB is created, it is time to set up the HSM card and create a Security World.

You could do this manually:

1.  Put the MOI switch into the I position.

2.  "Clear" the module using the clear button or the nopclearfail c1 command.

3.  Load the security world using /opt/nfast/bin/new-world -l (that's a lowercase L).

4.  You will be prompted for the ACS (Administrator Card Set).

5.  When the process completes, put the MOI switch to O.

6.  Clear the module again.

 

Or we could do it via the ssgconfig menu:

1.  First switch the card to 'I' mode (switch on the card).

2.  Create a Security World, initialize the Security card and enable the HSM card.

3.  Now put the switch back to O mode and reboot the server.

 

During this process, you might run into a few issues. The first 2 issues are more common than the third, which is very rare but possible.

 

1. You might get a ServerNotRunning error when trying to configure a Security World

2. You might get an error InvalidModule 

3. HSM card won't stay in Initialize mode 

 

 

Environment:
CA API Gateway Hardware appliance with HSM card
Resolution:

First two issues:

Once you install the card and re-image the box, you will have to create a new security world (SW) in order to enable the card so the gateway can use it.

 

1.  First switch the card to ‘I’ mode (switch on the card)

You might get an error when trying to configure a SW:

ServerNotRunning – you will need to start the nc_hardserver service.

 

2.  Once you have it running, the next error you might encounter is InvalidModule.

You will have to run ./root/sealsys customize (from the / directory) in order to install the HSM drivers.

 

3.  Now you should be OK to install the HSM card.

 

Details on the above steps, with example output:

[root@server.domain ~]# service nc_hardserver start

waiting for nCipher server to become operational ...

nCipher server now running

[root@server.domain ~]# cd /

[root@server.domain /]# ./root/sealsys customize

Stopping snmpd:                                            [  OK  ]

'ncsnmpd' server now running

Starting snmpd:                                            [  OK  ]

Info: An nShield card appears to be installed.

 Success: nShield drivers have been configured.

[root@server.domain /]#

 

The third possible situation: when we put the HSM card into initialization mode by setting the switch to 'I', the card never actually switches to 'I' mode and just stays in Operational ('O') mode. As a result, we are not able to create a new Security World.

 

There is another switch on the card itself, under the cover of the server panel, that locks out or overrides the MOI switch. It is located on the PCI board and is identified as D and E.

If that switch is in the ON position (closest to the support plate), then the MOI switch is inoperable.

You would first have to change the position of D and E.

[Image: hsm.png]
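
A pre-check for the third issue, as an added example that is not part of the original article or of any CA or nCipher tooling: it parses the output of /opt/nfast/bin/enquiry and confirms that the module actually left Operational mode before you try to create a Security World. The sample output is constructed, the "Module #N:" and "mode" line layout and the mode names are assumptions about enquiry's output, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): check the HSM mode before creating a Security World.
# Assumption: `enquiry` prints "Module #N:" headers, each followed by a "mode" line.

# Constructed, abbreviated samples of enquiry output (not captured from a real card).
SAMPLE_OPERATIONAL='Server:
 mode                 operational
Module #1:
 mode                 operational'
SAMPLE_PREINIT='Server:
 mode                 operational
Module #1:
 mode                 pre-initialisation'

# Read enquiry output on stdin; print "<module number> <mode>" for each module.
# The "Server:" section also has a mode line, so it is skipped explicitly.
module_modes() {
    awk '
        /^Server:/          { m = ""; next }
        /^Module #[0-9]+:/  { m = $2; sub(/^#/, "", m); sub(/:$/, "", m); next }
        m != "" && $1 == "mode" { $1 = ""; sub(/^ +/, ""); print m, $0 }
    '
}

# Read enquiry output on stdin; succeed only if module $1 reports an
# initialisation mode, i.e. the MOI switch change actually took effect.
ready_for_new_world() {
    mode=$(module_modes | awk -v n="$1" '$1 == n { print $2 }')
    case "$mode" in
        *initiali[sz]ation*) return 0 ;;
        "") echo "module $1 not reported: is nc_hardserver running and are the drivers installed?" >&2 ;;
        *)  echo "module $1 is in '$mode' mode: check the MOI switch and the D/E override switch, then clear the module" >&2 ;;
    esac
    return 1
}

# On the appliance (assumed invocation):
#   /opt/nfast/bin/enquiry | ready_for_new_world 1
```
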

 

Additional Information:

If you run into other issues pertaining to the HSM card, please open a CA Support case.