Adding or restoring a module to a Security World:
• erases the Security World data on the module’s internal file system
• reads the required number of cards (K) from the ACS so that it can re-create the secret
• reads the Security World data from the remote file system
• uses the secret from the ACS to decrypt the Security World key
• stores the Security World key in the module’s nonvolatile memory.
After adding a module to a Security World, you cannot access any keys that were protected by a previous Security World that contained that module.
Note It is not possible to program a module into two separate Security Worlds simultaneously.
To add a module to a Security World:
1 If the module already belongs to a Security World, erase it from the Security World to which it belongs, as described in Erasing a module from a Security World on page 121.
2 From the main menu, select Security World mgmt > Module initialization > Load Security World.
3 Specify whether the module can use the Remote Operator feature import slots. For more information, see Remote Operator Card Sets on page 243.
4 At the prompt, insert an Administrator Card, and enter its pass phrase if required.
5 Continue to insert Administrator Cards when prompted until you have inserted the number required to authorize module reprogramming.
Transferring keys between Security Worlds
You must enter Administrator Cards in the client computer to transfer keys between Security Worlds. If your security policy does not permit this, do not attempt to carry out this procedure.
The command-line utilities mk-reprogram and key-xfer-im are used to transfer keys between Security Worlds.
Note To transfer existing Security World data into an SP800-131 Security World, use
To transfer keys between Security Worlds:
1 Ensure that the source Security World (from which you will transfer keys) has the necessary features enabled:
- OCS and/or softcard replacement.
- Key recovery or module-protected keys.
Note The destination Security World does not need to have these options enabled.
2 Move the Security World files (by default, these are the files in the %NFAST_KMDATA%\local Security World directory) for the source and destination Security Worlds into directories named source and destination respectively. For more information, see Security World files on page 97.
3 Decide which Security World to use as the working Security World when running the key-xfer-im command-line utility.
The working Security World can be any Security World that is not compliant with FIPS 140-2 level 3. If both your source and destination Security Worlds are compliant with FIPS 140-2 level 3, you can create a temporary, dummy Security World that is not compliant with FIPS 140-2 level 3 to use as the working Security World.
The following table shows various possible configurations:
Note In this table, “FIPS” refers to Security Worlds that are compliant with FIPS 140-2 level 3 and “non-FIPS” refers to Security Worlds that are not compliant with FIPS 140-2 level 3.
FIPS FIPS Dummy source and
destination
4 Ensure that you have a quorum for each relevant card set:
- ACS for the source and destination Security Worlds (and for the dummy Security World, if needed when both the source and destination are compliant with FIPS 140-2 level 3).
- OCSs for the destination Security World.
Note If necessary, create OCSs for the destination Security World. For more information, see Creating Operator Card Sets (OCSs) on page 127.
5 Add the HSM to the working Security World. For more information, see Adding or restoring a module to the Security World on page 107.
6 Program the module key (or keys) from Security Worlds that are not the working Security World into the working Security World by running a command of the form:
mk-reprogram --owner <working_security_world_dir> add <non-working_security_world_dir>
In this command, <working_security_world_dir> is the Security World directory of the working Security World and <non-working_security_world_dir> is the working directory for the Security World that is not the working Security World. In the following example, the working Security World is the destination Security World:
mk-reprogram --owner C:\nfast\destination\local add C:\nfast\source\local
Supply any appropriate ACS cards (and pass phrases) as prompted.
If you are using a dummy Security World to transfer keys between two Security Worlds that are compliant with FIPS 140-2 level 3, you must run mk-reprogram twice to transfer the module keys from the source and destination Security Worlds to the dummy Security World, as in the following example commands:
mk-reprogram --owner C:\nfast\Dummy\local add C:\nfast\Dummy\source\local
mk-reprogram --owner C:\nfast\Dummy\local add C:\nfast\destination\local
7 Transfer a key (or keys) by running the key-xfer-im command-line utility:
key-xfer-im SOURCE-KMDATA-LOCAL DESTINATION-KMDATA-LOCAL NEW-PROTECT KEY-FILE [KEY-FILE ...] [NEW-PROTECT KEY-FILE [KEY-FILE ...]]
In this command:
<SOURCE-KMDATA-LOCAL>
The full path name of the kmdata file for the source Security World.
<DESTINATION-KMDATA-LOCAL>
The full path name of the kmdata file for the target Security World.
<NEW-PROTECT>
The protection for the key in the target Security World.
You must specify either --module or --cardset. If you specify --cardset, it must be followed by the key hash for the destination card set.
In addition, you can also specify options to configure the key protection further:
--export-leave
This option is used to leave the key’s list of operations requiring authorization from the Administrator Card Set (ACS) the same. This is the default.
--export-add
This option is used to add export to the key’s list of operations requiring authorization from the ACS. This option is available only when exporting keys from a strict FIPS 140-2 level 3 Security World into a non-strict FIPS 140-2 level 3 Security World.
--export-delete
This option is used to remove export from the key’s list of operations requiring authorization from the ACS. This option is available only when exporting keys from a non-strict FIPS 140-2 level 3 Security World into a strict FIPS 140-2 level 3 Security World.
--aclbase-recovery
This option is used to base the Access Control List (ACL) of the exported key on the ACL in the recovery key blob. This is the default.
--aclbase-working
This option is used to base the ACL of the exported key on the ACL in the working key blob.
<KEY-FILE>
This is the full path of the source kmdata file for the key. The module must have module keys from both worlds: program it into one world with new-world and use mk-reprogram to add the other module key. If transferring between Strict FIPS-140 level 3 and non-strict worlds, the module’s owning world must be non-strict.
The following example command demonstrates transfer of a module key between source and destination Security Worlds that are both compliant with FIPS 140-2 level 3:
key-xfer-im C:\example\source\local\ C:\example\destination\local --module C:\example\source\local\key_pkcs11_ua753157d8a9b86e943c5e4a6c100963f26839749a
The following example command demonstrates transfer of a card set key from a source Security World that is compliant with FIPS 140-2 level 3 to a destination Security World that is not:
key-xfer-im C:\example\destination\local C:\example\destination\local --cardset 1234578..cardsethash...abcdef --export-add C:\nfast\example\local\key_pkcs11_ua753157d8a9b86e943c5e4a6c100963f26839749a
The following example command demonstrates transfer of a card set key from a source Security World that is not compliant with FIPS 140-2 level 3 to a destination Security World that is:
key-xfer-im C:\example\source\local C:\example\destination\local --cardset 1234578..cardsethash...abcdef --export-delete C:\example\source\local\key_pkcs11_ua753157d8a9b86e943c5e4a6c100963f26839749a
Supply appropriate cards and pass phrases for the ACS (source Security World) and OCSs (destination Security World) as prompted.
Note You could use any directory instead of the example directory shown in these example commands.
8 If necessary, copy the Security World files to the Security World directory (by default, %NFAST_KMDATA%\local), and then add the HSM to the destination Security World. For more information, see Adding or restoring a module to the Security World on page 107.
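The rules in steps 3, 6 and 7 (which Security World may be the working one, how many mk-reprogram runs are needed, and which export option is valid for which direction) can be checked before any Administrator Card is inserted. The following Python sketch is an added example, not part of the product or of this guide's own tooling; the function name plan_transfer and its parameters are hypothetical, and it only builds the argument lists for review, it does not run them.

```python
def plan_transfer(src, dst, src_fips, dst_fips, protect, key_files,
                  cardset_hash=None, export_opt=None, dummy=None):
    """Build mk-reprogram / key-xfer-im argument lists for steps 6 and 7.

    src, dst, dummy: Security World directories (strings).
    src_fips, dst_fips: True if that world complies with FIPS 140-2 level 3.
    """
    # Step 3: the working world must not be FIPS 140-2 level 3 compliant.
    if not dst_fips:
        working, others = dst, [src]
    elif not src_fips:
        working, others = src, [dst]
    elif dummy:
        working, others = dummy, [src, dst]  # mk-reprogram is run twice
    else:
        raise ValueError("both worlds are FIPS 140-2 level 3: "
                         "a non-FIPS dummy working Security World is required")

    # NEW-PROTECT: exactly one of --module or --cardset <hash>.
    if protect == "--module" and cardset_hash is None:
        new_protect = ["--module"]
    elif protect == "--cardset" and cardset_hash:
        new_protect = ["--cardset", cardset_hash]
    else:
        raise ValueError("use --module, or --cardset with the destination "
                         "card set hash")

    # The export options are only available in one direction each.
    if export_opt not in (None, "--export-leave", "--export-add",
                          "--export-delete"):
        raise ValueError("unknown export option: %r" % export_opt)
    if export_opt == "--export-add" and not (src_fips and not dst_fips):
        raise ValueError("--export-add: strict to non-strict transfers only")
    if export_opt == "--export-delete" and not (dst_fips and not src_fips):
        raise ValueError("--export-delete: non-strict to strict transfers only")
    if export_opt:
        new_protect.append(export_opt)
    if not key_files:
        raise ValueError("at least one KEY-FILE is required")

    cmds = [["mk-reprogram", "--owner", working, "add", o] for o in others]
    cmds.append(["key-xfer-im", src, dst, *new_protect, *key_files])
    return cmds


if __name__ == "__main__":
    # Constructed sample paths and hash placeholder, not real values.
    S, D = r"C:\example\source\local", r"C:\example\destination\local"
    for argv in plan_transfer(S, D, True, False, "--cardset",
                              [S + r"\key_pkcs11_uaEXAMPLE"],
                              cardset_hash="CARDSET-HASH-PLACEHOLDER",
                              export_opt="--export-add"):
        print(" ".join(argv))
```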