Task 3: Configuring a Remote File System
The Remote File System (RFS) holds a copy of the Security World data and serves as its backup. For details about creating an nCipher Security World, see Task 6: Configuring an nCipher Security World. The RFS must be located on a separate server or on a client system (running either ActivID KMS or ActivID CMS). You must run KeySafe from the system on which the RFS is created.
Repeat the Task 1 procedure on the server that hosts the RFS (see Task 1: Installing the nCipher Software for details). Task 1 installs the nCipher software environment, including the utility used to create the RFS.
There is one RFS for each HSM unit. In the following example, the command set allows several clients to connect to the HSM (where a client is a system running ActivID KMS or ActivID CMS). The RFS configuration grants access to cooperating client machines; each client is admitted either with KNETI authentication or without it.
The following example refers to KNETI, the nCipher integrity key of the HSM (installed before the HSM is shipped). This key is used to authenticate connections between the HSM and its clients.
The first step of the procedure is to choose between the two options below. Decide which one you plan to use and follow either Option 1 or Option 2.

Option 1 enables the client to connect to the RFS with KNETI authorization.
On the server system, enter the following command:
C:\Program Files\nCipher\nfast\bin>rfs-setup --force --gang-client <IP CLIENT> <netHSM ESN> <netHSM KNETI HASH>
The IP address identified as IP CLIENT is the IP address for the client system connected to the HSM, for example:
C:\Program Files\nCipher\nfast\bin>rfs-setup --force --gang-client 192.168.5.170 683E-33D9-2AF5 95a316146da7d9feb1fb0258746baed9990776c7
The result:
Removing old remote_file_system entries with remote_esn 683E-33D9-2AF5
Adding read-only remote_file_system entries
Ensuring the directory C:\ProgramData\nCipher\Key Management Data\local exists
Adding new writable remote_file_system entries
Ensuring the directory C:\ProgramData\nCipher\Key Management Data\local\sync-store exists
Saving the new config file and configuring the hardserver
Done

Option 2 enables the client to connect to the RFS without KNETI authorization. Use this option only if you trust the current network environment: the RFS then grants write access purely on the basis of the client's IP address, so any host that can use or spoof that address can modify the Security World copy held on the RFS.
On the server system, enter the following command:
C:\Program Files\nCipher\nfast\bin>rfs-setup --gang-client --write-noauth <IP CLIENT>
For example:
C:\Program Files\nCipher\nfast\bin>rfs-setup --gang-client --write-noauth 192.168.5.170
The result:
Adding read-only remote_file_system entries
Ensuring the directory C:\ProgramData\nCipher\Key Management Data\local exists
Adding new writable remote_file_system entries
Ensuring the directory C:\ProgramData\nCipher\Key Management Data\local\sync-store exists
Saving the new config file and configuring the hardserver
Done
Synchronize the client(s).
You must synchronize the kmdata between each cooperating client and the RFS. The rfs-sync command is run each time a client is initialized so that it retrieves data from the RFS. The synchronization is executed from each client involved.
Note: The following example, for an unauthenticated client, is provided for illustration purposes only. With --no-authenticate the client does not verify the identity (KNETI) of the RFS either; it trusts whatever host answers at the RFS IP address, so use it only on a network you trust. On each client system, enter the following command:
C:\Program Files\nCipher\nfast\bin>rfs-sync --setup --no-authenticate <File Server IP>
The File Server IP is the IP address of the server system on which the RFS resides, for example:
C:\Program Files\nCipher\nfast\bin>rfs-sync --setup --no-authenticate 192.168.5.93
The result:
No current RFS synchronization configuration.
Configuration successfully written; new config details:
Using RFS at 192.168.5.93:9004: not authenticating.
To display the configuration summary, enter the following command:
C:\Program Files\nCipher\nfast\bin>rfs-sync --show
The result:
Using RFS at 192.168.5.93:9004: not authenticating
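The following script is an added example for this page and is not nCipher or ActivID code. It audits the two artefacts the procedure above produces: the [remote_file_system] section that rfs-setup writes into the hardserver configuration on the RFS machine (which clients may write kmdata, and whether that write access is pinned to a KNETI hash as in Option 1 or open by IP as in Option 2), and the summary line printed by rfs-sync --show on a client. The field names, the "-----" entry separator and the treatment of an empty or all-zero remote_keyhash as "unauthenticated" are assumptions about the configuration file format; the sample configuration is constructed for this example, reusing the IP addresses, ESN and key hash from the commands above. It also sanity-checks the three rfs-setup --gang-client arguments, since a mistyped ESN or hash is otherwise only discovered when synchronization fails.

```python
"""Audit the RFS access configuration produced by rfs-setup and rfs-sync.

Added example, not nCipher/ActivID code. Config field names, the "-----"
separator and the meaning of an empty/all-zero remote_keyhash are
assumptions about the hardserver config format.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: client .170 was added with KNETI authentication
# (Option 1), client .171 with --write-noauth (Option 2).
SAMPLE_CONFIG = r"""
[server_settings]
loglevel=info

[remote_file_system]
remote_ip=192.168.5.170
remote_esn=683E-33D9-2AF5
remote_keyhash=95a316146da7d9feb1fb0258746baed9990776c7
native_path=C:\ProgramData\nCipher\Key Management Data\local
allow_read=yes
allow_write=no
-----
remote_ip=192.168.5.170
remote_esn=683E-33D9-2AF5
remote_keyhash=95a316146da7d9feb1fb0258746baed9990776c7
native_path=C:\ProgramData\nCipher\Key Management Data\local\sync-store
allow_read=yes
allow_write=yes
-----
remote_ip=192.168.5.171
remote_esn=
remote_keyhash=
native_path=C:\ProgramData\nCipher\Key Management Data\local\sync-store
allow_read=yes
allow_write=yes
"""

# Hash values taken to mean "no KNETI pinned" (assumption about the format).
NOAUTH_HASHES = {"", "0" * 40, "4" + "0" * 39}
ESN_RE = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")
KNETI_RE = re.compile(r"^[0-9a-f]{40}$")          # SHA-1 hash: 40 hex digits
SHOW_RE = re.compile(r"Using RFS at (?P<host>\S+):(?P<port>\d+): (?P<mode>.+)")


@dataclass
class RfsEntry:
    remote_ip: str
    remote_keyhash: str
    native_path: str
    allow_write: bool

    @property
    def authenticated(self) -> bool:
        """True when the entry pins the client's KNETI hash."""
        return self.remote_keyhash.lower() not in NOAUTH_HASHES


def parse_remote_file_system(config_text: str) -> list[RfsEntry]:
    """Return the entries of the [remote_file_system] section, one per path."""
    entries: list[RfsEntry] = []
    current: dict[str, str] = {}
    in_section = False

    def flush() -> None:
        if current:
            entries.append(RfsEntry(current.get("remote_ip", ""),
                                    current.get("remote_keyhash", ""),
                                    current.get("native_path", ""),
                                    current.get("allow_write", "no").lower() == "yes"))
            current.clear()

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):   # section header
            flush()
            in_section = line == "[remote_file_system]"
        elif in_section and line.startswith("-----"):   # entry separator
            flush()
        elif in_section:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    flush()
    return entries


def unauthenticated_writers(entries: list[RfsEntry]) -> list[str]:
    """Client IPs allowed to write kmdata without a pinned KNETI hash.

    Any host able to send traffic from such a source address can push
    Security World files into the RFS, so each result must be a deliberate
    Option 2 decision on a trusted network.
    """
    return sorted({e.remote_ip for e in entries if e.allow_write and not e.authenticated})


def validate_gang_client_args(ip: str, esn: str, kneti_hash: str) -> list[str]:
    """Sanity-check rfs-setup --gang-client arguments before running the tool."""
    problems = []
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append(f"client IP {ip!r} is not a valid address")
    if not ESN_RE.match(esn.upper()):
        problems.append(f"ESN {esn!r} is not of the form XXXX-XXXX-XXXX")
    if not KNETI_RE.match(kneti_hash.lower()):
        problems.append("KNETI hash must be 40 hex digits")
    return problems


def parse_rfs_sync_show(output: str) -> dict:
    """Interpret the summary printed by `rfs-sync --show` on a client.

    'not authenticating' means the client does not check the RFS's KNETI when
    it pulls kmdata; any other wording is treated as authenticated (assumption).
    """
    m = SHOW_RE.search(output)
    if not m:
        raise ValueError("no 'Using RFS at' line found")
    mode = m.group("mode").strip().rstrip(".")
    return {"host": m.group("host"), "port": int(m.group("port")),
            "authenticates_rfs": mode != "not authenticating"}


if __name__ == "__main__":
    print("unauthenticated writers:", unauthenticated_writers(parse_remote_file_system(SAMPLE_CONFIG)))
    print(parse_rfs_sync_show("Using RFS at 192.168.5.93:9004: not authenticating."))
```

Run on a real RFS by reading the hardserver configuration file into parse_remote_file_system instead of SAMPLE_CONFIG; an empty list from unauthenticated_writers means every writable entry is pinned to a client KNETI hash (Option 1 throughout).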