Accessing the nShield Solo from ActivID KMS/CMS
This section provides a brief description of the process by which you prepare the nShield Solo HSM for use with ActivID KMS and with ActivID CMS.

As described in previous sections, an nShield Solo HSM is installed on the system where ActivID KMS is installed. Following best practices, the ActivID KMS and ActivID CMS are installed and running on different systems.
For specific details on preparing the HSM for use with ActivID KMS, refer to Installing and Using ActivID KMS; this section is not intended to replace it. The following steps summarize the preparation process:
-
Copy the PKCS #11 cknfast-64.dll file to the ActivID KMS directory.
-
Make sure that the cknfastrc configuration file (located in <installdir>\nCipher\nfast\cknfastrc) contains only the following two lines:
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=tokenkeys;unwrap_mech;unwrap_kek;explicitness
CKNFAST_NO_ACCELERATOR_SLOTS=1
Note: All keys injected using ActivID KMS are located in the Security World you created previously using the directions in this documentation. You can view the key labels and attributes using ActivID KMS or by using the KeySafe utility (illustrated in the figure below).
Important: If you are migrating from an HSM containing extractable keys, you need to add the longterm flag to CKNFAST_OVERRIDE_SECURITY_ASSURANCES in the cknfastrc file.
-
Click Keys, and then click List Keys.
The cknfast-64.dll file is located in the <installdir>\nCipher\nfast\toolkits\pkcs11\ directory.
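
The cknfastrc baseline above relaxes specific PKCS #11 security assurances, so it is worth checking that the file has not drifted from it on the KMS system or on the copy placed on the CMS server. The following Python audit is an added example, not part of the HID Global or nCipher documentation; the function name and the sample file contents (including EXAMPLE_EXTRA_SETTING) are constructed, and it assumes the order of the semicolon-separated flags does not matter.

```python
# Added example: audit cknfastrc contents against the two-line baseline on this page.
BASELINE_FLAGS = {"tokenkeys", "unwrap_mech", "unwrap_kek", "explicitness"}
MIGRATION_FLAG = "longterm"  # allowed only when migrating from extractable keys
OVERRIDE_KEY = "CKNFAST_OVERRIDE_SECURITY_ASSURANCES"
SLOTS_KEY = "CKNFAST_NO_ACCELERATOR_SLOTS"

# Constructed sample contents (not taken from a real system).
GOOD = f"{OVERRIDE_KEY}=tokenkeys;unwrap_mech;unwrap_kek;explicitness\n{SLOTS_KEY}=1\n"
DRIFTED = f"{OVERRIDE_KEY}=tokenkeys;unwrap_mech;longterm\n{SLOTS_KEY}=1\nEXAMPLE_EXTRA_SETTING=1\n"


def audit_cknfastrc(text, migrating=False):
    """Return a list of findings; an empty list means the file matches the baseline."""
    findings, settings = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no setting
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            findings.append(f"line {lineno}: not a KEY=value setting")
        elif key in settings:
            findings.append(f"line {lineno}: duplicate setting {key}")
        else:
            settings[key] = value

    # Assumption: flag order is irrelevant, so the flags are compared as sets.
    expected = BASELINE_FLAGS | ({MIGRATION_FLAG} if migrating else set())
    if OVERRIDE_KEY not in settings:
        findings.append(f"missing {OVERRIDE_KEY}")
    else:
        flags = {f.strip() for f in settings.pop(OVERRIDE_KEY).split(";") if f.strip()}
        findings += [f"override flag missing: {f}" for f in sorted(expected - flags)]
        findings += [f"override flag not in baseline: {f}" for f in sorted(flags - expected)]

    slots = settings.pop(SLOTS_KEY, None)
    if slots != "1":
        findings.append(f"{SLOTS_KEY} should be 1, found {slots!r}")

    # The page says the file contains only the two lines above.
    findings += [f"unexpected setting: {key}" for key in sorted(settings)]
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, audit_cknfastrc(text) or "matches baseline")
```

Pass migrating=True only for the migration case described in the Important note, so that the longterm flag is reported as drift everywhere else.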

To install the HSM on the ActivID CMS server, perform the following steps:
-
Install the HSM and the nCipher software on the ActivID CMS server, but do not create the Security World. Instead, you must use the Security World created for the ActivID KMS system. To copy the Security World configuration to the ActivID CMS server, copy the kmdata\local directory from the ActivID KMS system to the same location on the ActivID CMS server.
-
Copy <installdir>\nCipher\nFast\cknfastrc to the same location on the ActivID CMS server.
-
To enable any administrator to run KeySafe, change the NTFS permissions on the <installdir>\nCipher\nFast\kmdata\preload directory to include modify rights for the local administrator group. By default, only the user who installed KeySafe has permission to start it.
Important: Once ActivID CMS is installed, if the PKCS#11 library path is changed after upgrading the nCipher Security World software (for example, version 12.50 or higher), you must update the crystoki.ini file, found in %PROGRAMDATA%\HID Global\Credential Management System\Shared Files, as follows:
LibNT=C:/Program Files/nCipher/nfast/toolkits/pkcs11/cknfast.dll