6. Operation
For additional procedural guidance on operational issues (describing how the HSM
should be initially configured/setup), see Commissioning. Refer to that chapter as well for
operational guidance.
6.1. Patching policy
A patching policy should be defined and actively implemented. Specifically:
•
The latest version of the nShield firmware/software should be installed.
•
Any host operating systems should be a current, supported version with the latest
patches applied.
•
It is recommended that anti-virus software is installed on the host system and
maintained with automatic updates.
•
If KeySafe or a java-based client application is deployed then a version of Java as
advised in the Installation Guide with any available patches should be installed.
6.2. Set the RTC time
Set the nShield Edge, nShield Solo and nShield Connect RTC using an accurate trusted
local time source at regular intervals to mitigate any clock drift.
6.3. Operator Card Set (OCS) quorum configurations
6.3.1. Share keys across multiple HSMs
An OCS can enable the same keys for use in a number of different HSMs at the same
time.
However, it does mean that if you have a non-persistent OCS, you have to leave one of
the cards in an appropriate card slot of each HSM. If you have created an OCS in which K
is more than half of N, you can share the keys it protects simultaneously amongst
multiple modules as long you have enough unused cards to form a K/N quorum for the
additional HSMs. For example, with a 3/5 OCS, you can load keys onto 3 HSMs because,
after loading the key on the first device, you still have 4 cards left. After loading the key
on a second device, you still have 3 cards left. After loading the key onto a third device,
you have only 2 cards left, which is not enough to create the quorum required to load the
key onto a fourth device.
However, in this instance, the guidance outlined in Access Control regarding security
nShield® Security Manual 42 of 90
To Next Page
Loading...
Need help?
General
