Configuring Allowed Smart Cards for an nShield HSM
When using an nShield HSM with a FIPS 140-2 Level 3 Security World, a FIPS authorization token is required to authorize most operations, including the creation of keys. The token is provided by an ACS or OCS card, which must either be loaded in the HSM or presented through a remote admin client. Cards are usually configured when the HSM is set up, so Entrust recommends leaving one of the configured OCS cards in the HSM slot to satisfy this requirement.
nShield HSMs include a security feature that checks the serial numbers of the cards, in addition to checking that they are part of an OCS for this HSM. This allows the admin to disable an individual card if necessary.
The Card List tab of the nShield HSM Server Settings page in the KeyControl Vault Management webGUI allows you to control which card serial numbers are accepted. The tab is only available if the HSM is using a FIPS 140-2 Level 3 Security World; it displays the current setting and the details of any card serial numbers you have entered.
There are three basic modes:
- Accept All Cards—Does not check the card serial number. You can enter or leave this mode by selecting Actions > Accept All Cards. If the entry in the menu is preceded by a checkmark, the mode is enabled. Select Actions > Accept All Cards again to disable it.
- Reject All Cards—Does not allow any cards, so all operations requiring one will fail. You can enter or leave this mode by selecting Actions > Reject All Cards. If the entry in the menu is preceded by a checkmark, the mode is enabled. Select Actions > Reject All Cards again to disable it.
- Allow listed enabled cards—If neither of the two modes above is selected, any card in the list that is Enabled will be allowed, and all other cards will be rejected.
Select a card from the list and then select a choice from the actions menu to delete, disable, or enable the selected card. You can add a card to the list by selecting Actions > Add Card. You can also add or edit a description for a card.
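The acceptance rule the three modes describe, written out as an added example (not KeyControl or nShield code) so the effect of a setting can be checked before it is applied. It models only the serial-number list; the separate check that a card belongs to this HSM's OCS is assumed to pass, and the mode names, `CardEntry`, `card_accepted` and `lockout_risks` are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class CardMode(Enum):
    ACCEPT_ALL = "accept_all"            # Actions > Accept All Cards checked
    REJECT_ALL = "reject_all"            # Actions > Reject All Cards checked
    ALLOW_LISTED_ENABLED = "allow_list"  # neither checked: consult the list


@dataclass
class CardEntry:
    serial: str
    enabled: bool = True
    description: str = ""


@dataclass
class CardListConfig:
    mode: CardMode
    cards: dict[str, CardEntry] = field(default_factory=dict)


def card_accepted(config: CardListConfig, serial: str) -> bool:
    """Decide whether a presented card serial satisfies the Card List setting."""
    if config.mode is CardMode.ACCEPT_ALL:
        return True
    if config.mode is CardMode.REJECT_ALL:
        return False
    entry = config.cards.get(serial)
    return entry is not None and entry.enabled


def lockout_risks(config: CardListConfig, resident_serial: str | None) -> list[str]:
    """Warn about settings under which FIPS-authorized operations would fail."""
    warnings = []
    if config.mode is CardMode.REJECT_ALL:
        warnings.append("Reject All Cards is set: every operation needing a token fails")
    elif config.mode is CardMode.ALLOW_LISTED_ENABLED and not any(
        c.enabled for c in config.cards.values()
    ):
        warnings.append("no Enabled card in the list: every card will be rejected")
    if resident_serial and not card_accepted(config, resident_serial):
        warnings.append(f"card {resident_serial} left in the slot is not accepted")
    return warnings


# Constructed sample: two listed cards, one disabled by the admin.
SAMPLE = CardListConfig(CardMode.ALLOW_LISTED_ENABLED, {
    "0001-0001-0001": CardEntry("0001-0001-0001", True, "ops OCS card, in slot"),
    "0002-0002-0002": CardEntry("0002-0002-0002", False, "lost card, disabled"),
})
```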
Procedure
- Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the System Settings section, click HSM Server Settings.
- On the nShield HSM Server Settings page, select the Card List tab.
- Add or update your cards as necessary.