3.1 Install HSM hardware and software

Follow the instructions that come with the nShield hardware to install the hardware and the software. The details of hardware installation differ depending on the model of HSM.

The nShield support software must be installed on the MyID® application server. Install all of the features provided in the installation program.

3.1.1 Security Assurance Mechanism

Under the nShield Security Assurance Mechanism, the HSM disables any keys that were not generated on the HSM after 48 hours. As a result, any factory keys that you import onto the HSM will be disabled.

When you install the nShield client software on the MyID application server, by default the Security Assurance Mechanism is enabled.

Warning: If you do not disable the Security Assurance Mechanism, any imported factory keys expire after 48 hours.

To disable the Security Assurance Mechanism:

  1. Open the cknfastrc file in the nfast directory.

  2. To disable the Security Assurance Mechanism, set the following option:

    • CKNFAST_OVERRIDE_SECURITY_ASSURANCES

      Set this option to all to disable the Security Assurance Mechanism. If the option already exists in the file with a value other than all, set the value to all. If the option does not already exist, add it to the file:

      CKNFAST_OVERRIDE_SECURITY_ASSURANCES=all

  3. Save the cknfastrc file.
  4. Restart the MyID KeyServer.
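
Steps 1 to 3 as a repeatable PowerShell script, covering both cases in step 2 (option present with another value, option absent). This is an added example, not code from the MyID or nShield documentation. It assumes that the application server runs PowerShell and that cknfastrc holds one NAME=value setting per line; the -Path parameter and the .bak backup copy are also assumptions.

```powershell
# Added example: not vendor code. Assumes cknfastrc holds one NAME=value
# setting per line; -Path is the cknfastrc file in your nfast directory.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$name    = 'CKNFAST_OVERRIDE_SECURITY_ASSURANCES'
$wanted  = "$name=all"
$pattern = '^\s*' + [regex]::Escape($name) + '\s*='

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "cknfastrc not found: $Path"
}

$found   = $false
$changed = $false

# Rewrite every existing definition of the option to the required value.
$updated = @(foreach ($line in @(Get-Content -LiteralPath $Path)) {
    if ($line -match $pattern) {
        $found = $true
        if ($line -cne $wanted) {
            Write-Host "Replacing: $line"
            $changed = $true
        }
        $wanted
    }
    else {
        $line
    }
})

# The option was absent: add it to the end of the file.
if (-not $found) {
    $updated += $wanted
    $changed = $true
}

if ($changed) {
    # Keep the previous file so the change can be reviewed or reverted.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    Set-Content -LiteralPath $Path -Value $updated -Encoding Ascii
    Write-Host "Set $wanted in $Path (previous file saved as $Path.bak)."
    Write-Host 'Restart the MyID KeyServer for the change to take effect.'
}
else {
    Write-Host "$wanted is already set in $Path; no change made."
}
```

The script leaves the file untouched when the option is already set to all, so it can be re-run after a software upgrade to confirm the setting is still in place.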