Manage Gateway nShield HSM Status Menu

The Manage Gateway nShield HSM status menu is used to configure your nShield Solo+ hardware security module.
(1) Not all menu options apply to the nShield Connect. (2) Advanced users may wish to program their nShield Solo+ directly, as this offers greater configurability than using the menu options.
Menu Options
Access the menu from: Gateway main menu > option 6 (Manage HSM) > option 1 (Manage Gateway nShield HSM status).
    This menu allows you to configure the nCipher nShield Hardware Security Module on the Layer7 API Gateway Appliance

    What would you like to do?
    1) Manage Gateway nCipher nShield HSM status
    2) Create new security world
    3) Program into existing security world
    4) Use manually-programmed security world
    X) Exit menu

    Please make a selection:
Option
Description
1) Manage Gateway nShield HSM status
Enables or disables the Gateway's use of the nShield HSM. Note the following:
  • Enabling the HSM generates a new random master passphrase using the HSM's hardware random number generator. The database password and the cluster passphrase are automatically re-encrypted with the new master passphrase.
  • Disabling the HSM resets the master passphrase back to the default "7layer". You can change the passphrase. After the HSM is disabled, the software DB becomes the default keystore. See also: Manage Keystore.
2) Create new security world
Initializes the nShield card and creates a new security world cardset. Choose this option if there is no existing security world with which to program the card. If there is, use option 3 (Program into existing security world) instead.
For detailed information on using this option, see "Create a New Security World Using the Gateway" in Configure the nShield Solo+.
You cannot use option 2 to create a security world for the nShield Connect appliance. You must create the security world manually. For more information, see Configure the nShield Connect.
Advanced users can program a new security world directly into the nShield module, without using this menu option. This is described under "Manually Programmed Security Worlds" in Configure the nShield Solo+.
3) Program into existing security world
Programs the nShield card into an existing security world. You need at least two cards from the security world’s cardset, along with the passphrases.
For detailed information on using this option, see "Program Into an Existing Security World Created Using the Gateway" under Configure the nShield Solo+.
You cannot use option 3 to program into existing security worlds for the nShield Connect appliance. You must program the security world manually. For more information, see Configure the nShield Connect.
Advanced users can choose to manually program into a new security world, without using this menu option. This is described under "Manually Programmed Security Worlds" in Configure the nShield Solo+.
4) Use manually-programmed security world
Directs the Gateway to use a security world that has been manually programmed using one of the setup options under "Manually Programmed Security Worlds" in Configure the nShield Solo+.
The Gateway checks the status of a security world in the database and takes the following actions:
  • No world information present in database:
    If the database does not contain a security world, the new world is copied to the database.
  • Matching world information already in database:
    If the database already contains a matching security world, no further action is required.
  • Conflict with security world in database:
    If the database already contains a different security world, you are prompted to delete and replace it with the security world on the disk. Type "proceed" (without the quotes) to continue. Entering anything else cancels the process.
You may be prompted to choose a keystore ID. See "Choosing a Gateway Keystore" below for details.
Choosing a Gateway Keystore
When enabling nShield support with a manually programmed security world (option 4), you may be prompted to choose a keystore ID to be used by the Layer7 API Gateway as the "nCipher nShield HSM" keystore. This occurs if the database does not yet contain a designated keystore ID and more than one keystore ID is present.
    More than one keystore ID is present on the local node.
    Please choose a keystore ID for the Gateway to use as its "nCipher nShield HSM" keystore:
      0b77a92f68c4568d059da676279673fd2abf7562 (contains 1 object)
      67422c431301bcac9f256e6ada4a23d92ff2133b (contains 0 objects)
      9a9307c169fc94240b7b1b1f61319763e5fe7510 (contains 3 objects)
    Enter the first few unique digits of the keystore ID to use that keystore ID with the Gateway.
    Enter "list" to see a list of available IDs.
    Enter "list " followed by a keystore ID to attempt to list its contents (assumes module-protection).
    Choice (list|<ID>|list <ID>):
Respond with one of the following:
  • Enter "list" to redisplay the list of available keystore IDs.
  • Enter "list <ID>" to view the contents of a particular keystore ID (see below for details).
  • Enter the <ID> of a keystore to select it. You do not need to enter the entire ID: the first few unique characters suffice.
Using the "list <ID>" command
You can inspect the contents of a particular keystore by entering "list" followed by the first few unique characters of the keystore ID; for example:
    list 9a9

The Gateway responds with the entries in that keystore:

    Enter the first few unique digits of the keystore ID to use that keystore ID with the Gateway.
    Enter "list" to see a list of available IDs.
    Enter "list " followed by a keystore ID to attempt to list its contents (assumes module-protection).
    Choice (list|<ID>|list <ID>): list 9a9
    Keystore ID 9a9307c169fc94240b7b1b1f61319763e5fe7510 contains 3 entries:
      ssl, 2048 bit RSA, CN=l7tech.example.com
      acme, 1024 bit RSA, CN=acme
      warehouse, 2048 bit RSA, CN=global
After inspecting the keystore, you can either enter its ID to select it, or use the "list" command to redisplay the list of available keystore IDs or inspect another keystore.