Troubleshooting nShield HSM Configuration

This section provides brief tips on how to start analyzing the nShield HSM configuration if you encounter issues or error conditions. If you do, then contact the HID Global or nCipher Technical Support Services and provide them with the appropriate information needed to start diagnosis or resolve the issue.

Checking the Module State

The enquiry utility returns information about the status of the HSM. This utility tool is located in the bin subdirectory of the nCipher directory (for example, <installdir>\nCipher\nFast\bin\enquiry.exe).

Check for any entry that starts with Mode, which indicates whether the module is currently in an operational state or is non-operational. If the module appears to be non-operational, you need to check the status LED on the PCI or PCIe card. If the Status LED is continuously on, then this indicates that the module is working properly. If the LED is either off, or if it flashes irregularly, then you must check the nCipher Hardware Installation.pdf in the nCipher Installation package (refer to the section on Troubleshooting nCipher Modules for details).

About Log File

To activate the logs, refer to Appendix D in the nShield_Admin.pdf of the nCipher Installation package for details.

Insecure Key Used Too Long After Creation

If ActivID CMS fails to run at least two days or more after the HSM having been migrated to FIPS, be sure to add the longterm flag to CKNFAST_OVERRIDE_SECURITY_ASSURANCES in the cknfastrc file. See also Preparing the nShield Solo for Use with ActivID KMS.