Procedure 2: Configuring the nCipher Security World

Security World is an nCipher proprietary concept. Each Security World is comprised of an HSM unit and smart cards:

  • ACS (the Administrator Card Set), which contain credentials for managing a specific Security World and to use for recovery operations.

  • OCS (the Operator Card Set), which control access to the Application Keys (for example, ActivID KMS and ActivID CMS).

Each Security World also includes keys and certificates that are encrypted by the Security World Key and stored on the computer where the Security World has been created (in the C:\ProgramData\nCipher\Key Management Data directory).

Note:

  • Each Security World is stored in a different subdirectory (kmdata_nn). Before you can use a Security World HSM with ActivID KMS, you must configure the Security World on the HSM. Key materials are stored in the nCipher Security World.

  • During the HSM cloning process using ActivID KMS, the Security World is also cloned onto other HSMs.

There are two procedures for creating a new Security World:

To create a new Security World, you must use the nCipher KeySafe utility and complete the following steps.

Warning! ActivID CMS only supports a value of K=1; other values do not work.

  1. Set the HSM to its pre-initialization state. For a PCI-E HSM, you must manually set the Mode switch on the PCI card to (I).

  2. Turn your PC On.

  3. Launch the nCipher KeySafe utility.

  4. Click Modules to display the Initialize Security World page.

    The following illustration is an example of Security World configuration for multiple administrators.

  5. Respond to the parameter prompts to configure your Security World. Perform the following steps.

    1. Enter a value in the Enter TOTAL number of administrator cards in set (N): text box (in this example, N=3).

    2. Enter a value in the Enter number of administrator cards required for access (K): text box (in this example, K=1).

    3. Select either AES or DES3 from the Protection Mode drop-down menu. The mode you choose selects the algorithm that will be used to protect the Security World keys.

    Note: The example illustrates the number of administrator cards (ACS: Administrator Card Set) as 3/1 (N/K), which allows multiple administrators to perform administrative tasks.

  6. Select the FIPS 140-2 level III-compliant option (Yes or No), which sets the security level (FIPS 140-2 or FIPS 140-3) that is applicable for your HSM. This security level only applies to the Security World to be created and does not define the security level that the HSM physically supports.

  7. Accept the default No option for the Permit receipt of remote operator card shares prompt.

    8. Important:

    • Do not select the Advanced options (the Set advanced options setting is not required at this time).

    • Do not select the SEE options (the Set SEE options setting is not required for the HSM to work in the ActivID CMS environment; SEE refers to Secure Engine Execution).

  8. Click Initialize Security World. You will be prompted to insert your administrator card.

  9. Insert the first of the N administrator cards (in the example N=3).

    KeySafe displays a page where you can set a pass phrase (PIN) that protects the card using a single, independent pass phrase that is required each time the card is used.

  10. Select Yes to set a pass phrase.

  11. Enter and confirm a pass phrase, and then click OK.

  12. Repeat this procedure to configure the second and third smart cards. When the Security World has been initialized, the following confirmation message is displayed.

  13. Click OK.

  14. Set the HSM back to Operational (O) mode using the Mode switch on the back panel, and then reboot your system.

  15. Launch KeySafe and verify that the HSM can be contacted, and that the Security World has been created (you should see an entry corresponding to the new Security World).

To create an Operator Card Set to protect access to the ActivID CMS keys, complete the following steps.

  1. Launch KeySafe.

  2. Click Cards.

  3. Click Create New OCS, which displays the Create Operator Card Set window.

  4. Respond to the parameter prompts to configure your Security World. Perform the following tasks.

    1. Enter a new card set name (for example, CMS) in the Operator Card Set name field.

    2. Select No for the Permit this card to be used remotely? option.

    3. Select Yes for the Do you want the card set to be persistent? option. When you click Yes to have the card set to be persistent, the keys protected by an OCS card remain available in the module even if the card is removed from the nCipher card reader.

      Important: It is recommended that you set this option, which enables several applications to access the HSM at the same time without forcing multiple operators to insert their cards during a session.

    4. Click No for the Do you want to set a timeout? option (if you choose to set a timeout, this value cannot exceed one year in length).

    5. Enter a value for the total number of cards in the set (N). The total number of cards in the OCS cannot exceed 64.

    6. Enter the number of cards required for access (K).  The number of cards required for access must be less than or equal to the total number of cards in use.

    Warning! As per nCipher Security World requirements, if you cannot present the proper number of cards (K/N) if and when required, then the keys that are protected using that card may be unusable. As previously described in the Administrator Card Sets, the total number of cards in an ACS set is (N) and the number of administrator cards required for access is (K). This formula is the same for an Operator Card Set.

  5. Click Create OCS. You will be prompted to set card protection, just as when you created pass phrases for N cards for the ACS (as done previously when you set the pass phrase).

  6. When prompted, enter and confirm a pass phrase (equivalent to HSM Operator PIN) for all the cards.

When you have finished creating the Operator Card Set, the HSM is ready for use in ActivID KMS and ActivID CMS.