Security: Entrust nShield CardSet Operations

Preload CardSet

Preload without High Availability (HA):
Each k/m CardSet can be used without quorum restrictions. There are no restrictions on the number of cards required for the preload process.

Preload with High Availability (HA):
A quorum of 1/N is required, where N is equal to or greater than the number of HSMs connected.
One card from the target CardSet must be inserted in the reader in each HSM.

To start the process click Preload CardSet in the line of the CardSet to be operated.
The keys of this CardSet are preloaded into all connected modules.

In the CardSet Operations section you get the overview of all currently loaded CardSets.
These CardSets can not be created via the Software Appliance in Webconf but via the Entrust nShield internal tools or while setting up the HSM itself.
This applies to the data from the columns:
Name: set by the user
Quorum: Minimum number of cards and corresponding PINs required to access the CardSet
Timeout : defined by the user
If a timeout is defined, all preloaded keys are removed from the HSM memory when this time is reached. To be able to access the keys again, the preloading must be carried out again.
Flags: non-persistent, persistent and for the location: local-only or remoteable.

The Preloaded column is dependent on the Actions column which indicates whether the corresponding CardSet is already preloaded on the appliance.

Configure Preload HA is only available if no CardSet has been preloaded.
The Quorum has to be at least 1/2. This is a prerequisite for the HA, so that in the event of a failure, e.g. a loss of connection, the remaining card is sufficient to unlock the other connected HSMs using the passphrase pin.

Important to take into account is that Persistent and Non-Persistent configured cards result into different behavior.

Persistent: with a persistent card set, the keys are still preloaded when you remove the last card from the HSM.
Persistent mode should only be used if a threat analysis of the environment has shown that it is certain that the application keys will remain operational after the last operator card set has been removed.
Non-Persistent: for a non-persistent card set, all preloaded keys are removed from the memory as soon as the last card entered in a card set is removed (the buttons are still there, but the preload can no longer use them).

Click Preload CardSet to start.

A pop up window informs you that the EJBCA application will be restarted after a successful preload.

Confirm with Start preload.

Click Start preload to continue.

A guided setup window for preloading the CardSet opens.

The following steps depend on the number of modules present and whether there are already cards in all/some of the modules.

In each scenario, the setup provides Input fields or scroll-down menus that must be actively operated. e.g.

• Choose Module to determine the module order.
  A drop-down menu displays the serial numbers of the connected HSMs.
  Click Submit to continue.
  

  

• Provide a Passphrase for the card previously submitted.
  Click Unlock to continue.
  

  

  
  Repeat for all present cards inserted in modules in the quorum.

A pop-up window will show after the last provided passphrase that the preload was successful.

To revert this setting the Action column provides the button Stop Preload.

Click Stop Preload and a pop-up window will appear.
Click Confirm to undo the preload process for the CardSet.
The application of the Software Appliance will restart.

Configure Preload HA

Configure preload for card set operations on multiple nShield HSM devices within High Availability (HA) scenarios.

In the scenario that an HSM is available again after a failure, it was previously necessary to manually restart the HSM driver. The Configure Preload HA function avoids the restart.

If preload is invoked it will:

• load all requested keys of the selected CardSet

• periodically check for added or removed modules

• or check for keys becoming unloaded on existing modules

Prerequisites:

The following requirements must be met for the Preload HA to be available.

To be able to use high availability successfully, the following requirements must be met:

• there must always be a card of the CardSet in the card reader for each HSM to be operated

• the PIN of each card has to be the same

• The Quorum K/N has to be at least 1/2. See above for further regulations.

• If the Configure Preload HA function is to be used, K must always be set to 1.

Click Configure Preload HA to open the corresponding form.

• Name: the Name of the CardSet to be loaded for HA. is already preset.

• Passphrase: provide the Passphrase of the CardSet.

Unlike in Preload CardSet, in HA mode all cards in the CardSet must have the same Passphrase!

Click Submit to finish.

A banner on top of the screen confirms that nCipher preload HA configured successfully.

The HSM driver and the Software Appliance application are restarted and the nCipher driver will attempt to preload the configured CardSets in HA mode until the configuration is removed.

To revert this setting the Action column provides the button Remove Preload HA Configuration.

Click Remove Preload HA Configuration and a pop-up window will appear.
Click Confirm to undo the preload process for the HA Configuration.
The application of the Software Appliance will restart.