This article focuses on 3 issues you may run into while configuring the HSM card for the first time.
Once the Gateway is configured and the DB is created, it is time to set up the HSM card and create a Security World.
You could do this manually:
1. Put the MOI switch into the I position
2. “Clear” the module using the clear button or the nopclearfail c1 command
3. Load the security world using /opt/nfast/bin/new-world -l (that’s a lower case L)
4. You will be prompted for the ACS (Administrator Card Set)
5. When the process completes, put the MOI switch to O
6. Clear the module again.
Or you could do it via the ssgconfig menu:
1. First switch the card to ‘I’ mode (switch on the card)
2. Create a Security World, initialize the Security card and enable the HSM card.
3. Now put the switch back to O mode and reboot the server
During this process, you might run into a few issues. The first 2 issues are more common than the third, which is very rare but possible.
1. You might get a ServerNotRunning error when trying to configure a Security World
2. You might get an error InvalidModule
3. HSM card won't stay in Initialize mode
CA API Gateway Hardware appliance with HSM card
First two issues:
Once you install the card and re-image the box, you will have to create a new security world (SW) in order to enable the card so the gateway can use it.
1. First switch the card to ‘I’ mode (switch on the card)
You might get an error when trying to configure a SW:
ServerNotRunning: you will need to start the service nc_hardserver
2. Once you have it running, the next situation you might encounter is an InvalidModule error
You will have to run ./root/sealsys customize (from the / directory, as in the example below) in order to install the HSM drivers
3. Now, you should be ok to install the HSM card
Details on the above steps, with an example:
[[email protected] ~]# service nc_hardserver start
waiting for nCipher server to become operational ...
nCipher server now running
[[email protected] ~]# cd /
[[email protected] /]# ./root/sealsys customize
Stopping snmpd: [ OK ]
'ncsnmpd' server now running
Starting snmpd: [ OK ]
Info: An nShield card appears to be installed.
Success: nShield drivers have been configured.
[[email protected] /]#
The third possible situation you may encounter is that, when you move the MOI switch to initialization mode ‘I’, the card never actually switches to ‘I’ mode. It just stays in Operational, the ‘O’ mode. As a result, you are not able to create a new Security World.
There is another switch on the card itself, under the cover of the server panel. This switch locks out or overrides the MOI switch. It is located on the PCI board and is identified as D and E.
If that switch is in the ON position (closest to the support plate), then the MOI switch is inoperable.
You would first have to change the position of D and E.
<Please see attached file for image: hsm.png>
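The three issues above can be triaged from captured tool output with one helper. This is an added example, not part of the original article or the vendor tooling; the function name diagnose_hsm, its return codes, and the layout of the enquiry-style sample text are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): map captured tool output
# to the three first-time HSM setup issues. It never touches the HSM.

# Constructed sample of enquiry-style output; the "Module #1:" header and
# the "mode" field layout are assumptions about that tool's format.
SAMPLE_ENQUIRY='Server:
 mode                 operational

Module #1:
 mode                 operational'

# diagnose_hsm SWITCH TEXT
#   SWITCH: MOI position you physically set (I or O).
#   TEXT:   captured error message or enquiry-style output.
# Prints a one-line diagnosis; returns 0 when the state matches the switch.
diagnose_hsm() {
    dh_switch=$1
    dh_text=$2

    # Issues 1 and 2 surface as error names in the tool output.
    case $dh_text in
        *ServerNotRunning*)
            echo "issue1: start the hardserver: service nc_hardserver start"
            return 1 ;;
        *InvalidModule*)
            echo "issue2: install drivers: cd / && ./root/sealsys customize"
            return 2 ;;
    esac

    # Read the mode of the first module, skipping the Server section.
    dh_mode=$(printf '%s\n' "$dh_text" |
        awk '/^Module #/ { m = 1 } m && $1 == "mode" { print $2; exit }')

    if [ -z "$dh_mode" ]; then
        echo "unknown: no module mode found in input"
        return 4
    elif [ "$dh_switch" = I ] && [ "$dh_mode" = operational ]; then
        # Issue 3: the card ignores the MOI switch.
        echo "issue3: MOI switch overridden; check switches D and E on the PCI board"
        return 3
    elif [ "$dh_switch" = O ] && [ "$dh_mode" != operational ]; then
        echo "not-operational: set MOI to O and clear the module"
        return 5
    fi
    echo "ok: module mode '$dh_mode' matches MOI position $dh_switch"
}

diagnose_hsm I "$SAMPLE_ENQUIRY" || true
```

Pass the MOI position you set as the first argument and the captured output as the second; a return code of 3 with the switch at I is the case that calls for opening the chassis.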
If you run into other issues pertaining to the HSM card, please open a CA Support case.