Accessing the nShield Connect from ActivID KMS/CMS
This section provides a brief description of the process by which you prepare the nShield Connect HSM for use with ActivID KMS and with ActivID CMS.

The following procedure briefly summarizes the process of preparing the nShield Connect for use with ActivID KMS.
- Copy the PKCS #11 cknfast-64.dll file to the ActivID KMS directory.
  The cknfast-64.dll file is located in the <installdir>\nCipher\nfast\toolkits\pkcs11\ directory.
- Make sure that the cknfastrc configuration file (located in <installdir>\nCipher\nfast\cknfastrc) contains only the following two lines:
      CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys;unwrap_mech;unwrap_kek;explicitness
      CKNFAST_NO_ACCELERATOR_SLOTS=1
  Note: All keys that are injected using ActivID KMS are located in the Security World created using the directions described in this section (see Task 6: Configuring an nCipher Security World). You can view the key labels and attributes using ActivID KMS or using the KeySafe utility (see next illustration).
  Important: If you are migrating from an HSM containing extractable keys, you need to add the longterm flag to CKNFAST_OVERRIDE_SECURITY_ASSURANCES in the cknfastrc file.
- Launch KeySafe.
- Click Keys and click List Keys to display the Key Listing window.
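
The cknfastrc requirement in the KMS procedure above can be checked automatically; each flag in CKNFAST_OVERRIDE_SECURITY_ASSURANCES relaxes a check in the nShield PKCS #11 library, so extra flags or extra settings are worth catching. The following is an added example, not HID or nCipher code: it reports every deviation from the two documented lines and accepts the longterm flag only when migrating is set. It assumes blank lines and lines starting with # can be ignored; the sample inputs and the name EXAMPLE_EXTRA_SETTING are constructed.

```python
# Added example: audit a cknfastrc file against the two lines this page requires.
EXPECTED_FLAGS = {"tokenkeys", "unwrap_mech", "unwrap_kek", "explicitness"}
MIGRATION_FLAG = "longterm"  # per the page: only when migrating extractable keys

def audit_cknfastrc(text, migrating=False):
    """Return a list of findings; an empty list means the file matches the page."""
    findings, settings = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        name, sep, value = line.partition("=")
        if not sep:
            findings.append(f"line {n}: not NAME=value: {line!r}")
            continue
        if name.strip() in settings:
            findings.append(f"line {n}: duplicate setting {name.strip()}")
        settings[name.strip()] = value.strip()

    # Compare the override flag list with the documented set.
    wanted = EXPECTED_FLAGS | ({MIGRATION_FLAG} if migrating else set())
    override = settings.pop("CKNFAST_OVERRIDE_SECURITY_ASSURANCES", "")
    flags = {f.strip() for f in override.split(";") if f.strip()}
    findings += [f"missing override flag: {f}" for f in sorted(wanted - flags)]
    findings += [f"unexpected override flag: {f}" for f in sorted(flags - wanted)]

    if settings.pop("CKNFAST_NO_ACCELERATOR_SLOTS", None) != "1":
        findings.append("CKNFAST_NO_ACCELERATOR_SLOTS is not set to 1")
    # The page says "only" these two lines, so anything left over is a finding.
    findings += [f"unexpected setting: {s}" for s in sorted(settings)]
    return findings

# Constructed sample inputs (not taken from a real server).
GOOD = (
    "CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys;unwrap_mech;unwrap_kek;explicitness\n"
    "CKNFAST_NO_ACCELERATOR_SLOTS=1\n"
)
DRIFTED = (
    "CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys;unwrap_mech;unwrap_kek;explicitness;longterm\n"
    "CKNFAST_NO_ACCELERATOR_SLOTS=1\n"
    "EXAMPLE_EXTRA_SETTING=1\n"  # hypothetical name, stands in for any extra line
)

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(label, audit_cknfastrc(sample) or "matches the documented two lines")
```

To audit a real file, pass its contents to audit_cknfastrc and set migrating=True only for the migration case described in the Important note.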

The following procedure briefly summarizes the process of preparing the nShield Connect for use with ActivID CMS.
- Copy <installdir>\nCipher\nfast\cknfastrc to the same location on the ActivID CMS server.
  Note: You do not need to copy the file if ActivID CMS will be installed from scratch with HSM support. Instead, you just need to provide the right path during the ActivID CMS setup.
- Restart the ActivID CMS server.
  Important: Once ActivID CMS is installed, if the PKCS#11 library path is changed after upgrading the nCipher Security World software (for example, version 12.50 or higher), you must update the crystoki.ini file, found in %PROGRAMDATA%\HID Global\Credential Management System\Shared Files, as follows:
      LibNT=C:/Program Files/nCipher/nfast/toolkits/pkcs11/cknfast.dll

Accessing HSM Tokens from ActivID KMS/CMS
Depending upon how the nShield Connect HSM was configured, it may expose one or more HSM tokens to ActivID KMS and ActivID CMS.

ActivID KMS forces the operator to select the HSM token to use during an ActivID KMS session when there is more than one token available. If there is only a single HSM token, that token is automatically selected. Each HSM token is identified by a slot ID number as well as a token name. To identify an HSM token, ActivID KMS displays both the slot ID and token name for each HSM token.

To choose the correct token, configure an ActivID CMS file, which includes either the recorder slot ID or token name. For example, for ActivID CMS for Windows, perform the following steps:
- Locate the cmsslot.ini file on the ActivID CMS distribution.
- In the <CMS_distribution>\HSM folder:
- Copy the cmsslot.ini file to the Windows folder of your ActivID CMS server.
- In the cmsslot.ini file, specify either a TokenName or a SlotID (if the cmsslot.ini file is not found, ActivID CMS chooses to connect to the slot that has the fewest sessions).
- Locate the %PROGRAMDATA%\HID Global\Credential Management System\Local Files\pkcs11.cfg file and add the following line:
      slot=xxxxxx
  where xxxxxx is the SlotID.