4.4 FIPS 140-2 level 3 authorization for generating or importing keys

When an nCipher HSM is in FIPS 140-2 level 3 mode, there are some additional requirements that you must meet for the HSM to perform certain operations. These apply to key generation by GenMaster, and to key generation or key ceremony import from MyID workflows such as Manage GlobalPlatform Keys or Key Manager.

If these requirements are not met, some operations will fail, and the following error may be reported:

PKCS11 error: 0x800000e0 : FIPS token not present

4.4.1 nShield Security World software version 13 and later

To make the HSM FIPS authorized, you must insert an admin or operator card, either into the HSM card slot or into a card reader connected to the HSM through the nShield remote admin client. If the card is not present, MyID cannot use the HSM.

4.4.2 nShield Security World software prior to version 13

The HSM is FIPS authorized when a PIN is supplied to it. If your security world is already PIN protected (for example, an operator card with a PIN), it is already FIPS authorized and this step is not necessary. Otherwise, before performing the MyID operation that generates or imports the key, you can manually FIPS authorize the HSM.

To FIPS authorize the HSM so that keys can be generated or imported, follow this procedure:

  1. Run the KeySafe program.
  2. Highlight the module in the tree view, then click Keys on the left hand side.
  3. In the main window, click Generate Key.

    The Generate Key page is displayed.

  4. Select PKCS#11 in the list, and click Next.
  5. Set the following options:

    • Protected By – set to module.

    • Key type – set to AES.

    • Key size – set to 256.

    You must also provide a unique key name; for example:

    testFIPSauth

    When you generate a test key through KeySafe, KeySafe prompts you to insert a card and enter its PIN if the HSM has not already been FIPS authorized.

    KeySafe displays a message that says:

    FIPS authorization successfully loaded

    Afterward, you can delete the test key using KeySafe to keep the system tidy.

    MyID can now perform key generation or key import.

  6. If the HSM is restarted, FIPS authorization is lost, and you can repeat this procedure if necessary. Note that under normal circumstances MyID only generates or imports keys as part of occasional setup steps, so there is no need to repeat this procedure in the day-to-day running of the system.
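As an added preflight check (not MyID or nShield code), the Python script below repeats the same test-key approach over PKCS#11 with PyKCS11, so an administrator can confirm that FIPS authorization is loaded before starting a key ceremony; the nShield library path, the constant name given to return value 0x800000e0 and the FakeSession used to run it without an HSM are assumptions.

```python
"""Preflight check for nShield FIPS 140-2 level 3 authorization over PKCS#11: generate
a module-protected AES-256 test key, treat return value 0x800000e0 ("FIPS token not
present") as missing FIPS authorization, then delete the test key, as KeySafe does."""

RV_FIPS_TOKEN_NOT_PRESENT = 0x800000E0  # vendor-defined CK_RV quoted in the MyID error (name is ours)
# Standard PKCS#11 attribute/constant values
CKA_CLASS, CKA_TOKEN, CKA_LABEL, CKA_KEY_TYPE, CKA_VALUE_LEN = 0x0, 0x1, 0x3, 0x100, 0x161
CKO_SECRET_KEY, CKK_AES = 0x4, 0x1F

def probe_fips_authorization(session, mechanism, label="testFIPSauth"):
    """Return (authorized, detail). `session` behaves like a PyKCS11 session."""
    template = [(CKA_CLASS, CKO_SECRET_KEY), (CKA_KEY_TYPE, CKK_AES), (CKA_VALUE_LEN, 32),
                (CKA_TOKEN, True), (CKA_LABEL, label)]        # 32 bytes = the 256-bit key size
    handle = None
    try:
        handle = session.generateKey(template, mecha=mechanism)
    except Exception as exc:                  # PyKCS11Error exposes the CK_RV as .value
        if getattr(exc, "value", None) == RV_FIPS_TOKEN_NOT_PRESENT:
            return False, ("FIPS token not present: insert an admin/operator card (v13+) "
                           "or load FIPS authorization through KeySafe (pre-v13)")
        raise                                 # any other failure is not a FIPS auth problem
    finally:
        if handle is not None:
            session.destroyObject(handle)     # remove the test key, as the procedure advises
    return True, f"FIPS authorization present; test key {label!r} generated and deleted"

class FakeSession:
    """Constructed stand-in for a PyKCS11 session so the check runs without an HSM."""
    def __init__(self, fips_authorized):
        self.fips_authorized, self.objects = fips_authorized, set()
    def generateKey(self, template, mecha=None):
        if not self.fips_authorized:
            err = Exception("FIPS token not present")
            err.value = RV_FIPS_TOKEN_NOT_PRESENT
            raise err
        handle = len(self.objects) + 1
        self.objects.add(handle)
        return handle
    def destroyObject(self, handle):
        self.objects.discard(handle)

if __name__ == "__main__":
    import PyKCS11                            # real run against the HSM; optional dependency
    lib = PyKCS11.PyKCS11Lib()
    lib.load("/opt/nfast/toolkits/pkcs11/libcknfast.so")   # assumed default nShield library path
    slot = lib.getSlotList(tokenPresent=True)[0]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    # add session.login(pin) here if your security world requires it before key generation
    print(probe_fips_authorization(session, PyKCS11.MechanismAESGENERATEKEY))
```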