Task 6: Configuring an nCipher Security World

Security World is an nCipher proprietary concept. Each Security World is comprised of an HSM unit and the following two sets of smart cards:

  • ACS (the Administrator Card Set): this contains credentials for managing a specific Security World and for use with recovery operations.

  • OCS (the Operator Card Set): this controls access to the Application Keys (for example, for applications such as ActivID KMS and ActivID CMS).

Each Security World also includes the keys and certificates that are encrypted by the Security World Key and stored on the computer where the Security World has been created (in the C:\ProgramData\nCipher\Key Management Data\ directory).

Note:

  • Each Security World is stored in a different subdirectory (kmdata_nn). Before you can use a Security World HSM with ActivID KMS, you must first configure the Security World on the HSM. Key materials are stored in the nCipher Security World.

  • During the HSM cloning process using ActivID KMS, the Security World is also cloned onto other HSMs.

The following are the two procedures for creating a new Security World:

  • Creating a new Security World and Administrator Card Set

  • Creating a new Operator Card Set

Creating a New Security World and Administrator Card Set

To create a new Security World, you must use the nCipher KeySafe. Perform the following steps to create a new Security World.

  1. Turn on your PC system and launch the nCipher KeySafe utility.

  2. Click Modules to display the Initialize Security World page.

    3. Note: In this Initialize Security World page example, the number of defined administrator cards in set (N) is 3 and the number of defined administrator cards for access (K) is 1. For example, this combination of N and K card settings allows multiple administrators to perform administrative tasks.

  3. Enter the appropriate values for your Security World by completing the following tasks in the Initialize Security World page:

    1. Enter the number of cards in the Enter Total Number of administrator cards in set (N) text box; in this example, it is 3 (N=3).

    2. Enter the number of cards in the Enter number of administrator cards required for access (K) text box; in this example, it is 1 (K=1).

    3. Click to select AES (Advanced Encryption Standard) or DES3 (Triple Data Encryption Standard) in the Protection Mode pull-down menu. The mode you select determines the algorithm used to protect the keys in the Security World Key.

    4. Click to select Yes or No from the FIPS Federal Information Processing Standard 140-2 level III compliant options. The security level you select is applicable to your HSM and only applies to the Security World being created. This security level has nothing to do with the security level that the HSM physically supports.

    5. Click to select Yes or No from the Permit receipt of remote operator card shares options. It is recommended that you accept the No option (which is the default).

    6. No selection is required at this time for the Set advanced options.

    7. No selection is required at this time for the Set SEE options. SEE refers to Secure Engine Execution. This setting is not required for the HSM to work in the ActivID KMS / CMS environment.

    8. Click Initialize Security World to display the Create Administrator Card Set page.

  4. Insert the first of the N set of administrator cards (in the example N=3), which displays the Set Card Protection Pass Phrase page.

    KeySafe displays a page where you set a pass phrase (PIN) to protect the card with a single, independent pass phrase that is required each time that the card is used.

  5. In the Set Card Protection Pass Phrase page, perform the following tasks:

    1. Click to select the Yes option.

    2. Enter the pass phrase (PIN) in the Enter pass phrase text box.

    3. Enter the pass phrase again to confirm it in the Enter pass phrase again text box.

    4. Click OK.

  6. Repeat this same procedure for the second and third set of smart cards. When the Security World has been created, the following message window displays.

  7. In the Security World successfully initialized window, click OK.

  8. Reboot your client system.

  9. Launch KeySafe and verify that the HSM can be contacted and the Security World has been created (you should see an entry corresponding to the new Security World).

Creating a New Operator Card Set

Complete the following procedure to create an Operator Card Set that protects access to the ActivID CMS keys. To create a new operator card set, complete the following tasks.

  1. Launch KeySafe.

  2. Click Cards.

  3. Click Create New OCS which displays the Create Operator Card Set page.

  4. Enter the appropriate values for your Operator Card Set by responding to the parameter and prompts and completing the following tasks in this page:

    1. Enter a new card set name (for example, CMS) in the Enter Operator Card Set name text box.

    2. Click the No option from the Permit this card to be used remotely? option choices.

    3. Click the Yes option from the Do you want the card set to be persistent? option choices.

      When you click Yes for persistent, the keys protected by an OCS card remain available in the module even if the card is removed from the nCipher card reader (It is recommended that you use this option). This mode enables multiple applications to access the HSM simultaneously without requiring multiple operators to insert their cards during a session.

    1. Click to the No option from the Do you want to set a timeout? option choices. If you choose to set a timeout period, this maximum duration cannot be longer than one year in length.

    2. Enter the number of cards in the Enter Total Number of administrator cards in set (N) text box (the total number cannot exceed 64).

    3. Enter the number of cards in the Enter number of administrator cards required for access (K) text box (the number of cards required for access must be less than or equal to the total number of cards).

    Warning! For an Administrator Card Set, the total number of cards is (N) and the number of administrator cards required for access is (K). This same formula applies for an Operator Card Set. As per nCipher Security World requirements, if you cannot present the proper number of cards (K/N) if and when required, the keys that are protected using this card may be unusable.

  5. Click Create OCS.

    This window prompts you to set card protection similar to when you created pass phrases for N cards for the ACS (see step 5 in Creating a New Security World and Administrator Card Set for details).

    You need to enter a pass phrase (equivalent to an HSM Operator PIN), and enter a confirmation pass phrase for all the cards when prompted. When you are finished creating the Operator Card Set, the HSM is ready for use in ActivID KMS and ActivID CMS.