Configure the HSM for an instance on an SDX 14030/14060/14080 FIPS appliance

First check the state of your FIPS card to verify that the driver loaded correctly, and then initialize the card.

At the command prompt, type:

show fips

FIPS Card is not configured

Done

If the driver is not loaded correctly, the message “ERROR: Operation not permitted - no FIPS card present in the system” appears.

Initialize the FIPS card

Important:

Verify that the /nsconfig/fips directory has successfully been created on the appliance.

Do not save the configuration before you restart the appliance for the third time.

Perform the following steps to initialize the FIPS card:

  1. Reset the FIPS card (reset fips).
  2. Restart the appliance (reboot).
  3. Set the security officer password for partitions 0 and 1, and the user password for partition (set fips -initHSM Level-2 <soPassword> <oldsoPassword> <userPassword> -hsmLabel NSFIPS).

    Note: The set or reset command takes more than 60 seconds to run.

  4. Save the configuration (saveconfig).
  5. Verify that the password encrypted key for the main partition (master_pek.key) has been created in the /nsconfig/fips/ directory.
  6. Restart the appliance (reboot).
  7. Verify that the FIPS card is UP (show fips).

Initialize the FIPS card by using the CLI

At the command prompt, type the following commands:

reset fips

reboot

set fips -initHSM Level-2 <soPassword> <oldsoPassword> <userPassword> -hsmLabel <string>

Note: The following message appears when you run the set fips command:

This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3]  Do you want to continue?(Y/N)y

saveconfig

reboot

show fips

Example:

reset fips

Done

reboot

set fips -initHSM Level-2 so12345 so12345 user123 -hsmLabel NSFIPS

This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3]  Do you want to continue?(Y/N)y

Done

saveconfig

Done

reboot

show fips

    FIPS HSM Info:
    HSM Label : NSFIPS
    Initialization : FIPS-140-2 Level-2
    HSM Serial Number : 3.0G1532-ICM000228
    HSM State : 2
    HSM Model : NITROX-III CNN35XX-NFBE
    Hardware Version : 0.0-G
    Firmware Version : 1.0
    Firmware Build : NFBE-FW-1.0-48
    Max FIPS Key Memory : 1000
    Free FIPS Key Memory : 1000
    Total SRAM Memory : 557396
    Free SRAM Memory : 238088
    Total Crypto Cores : 4
    Enabled Crypto Cores : 4
Done
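As an added example (not part of the Citrix documentation or the appliance's own tooling), a small Python checker that parses captured `show fips` output, distinguishes the three states the procedure describes (driver not loaded, card not configured, card initialized), validates the fields against the expected label, and performs the step 5 check that master_pek.key exists. The sample outputs are constructed from the page's example, and the default label NSFIPS is the one used in that example.

```python
import re
from pathlib import Path
# Constructed sample outputs modelled on the page's example (not captured live).
SAMPLE_UNCONFIGURED = "FIPS Card is not configured\n\nDone\n"
SAMPLE_INITIALIZED = """\
    FIPS HSM Info:
    HSM Label : NSFIPS
    Initialization : FIPS-140-2 Level-2
    HSM State : 2
    Max FIPS Key Memory : 1000
    Free FIPS Key Memory : 1000
Done
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")

def parse_show_fips(text):
    """Return the 'Key : Value' fields as a dict, or None if the HSM is not initialized."""
    if "FIPS Card is not configured" in text or "no FIPS card present" in text:
        return None
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):  # skip the 'FIPS HSM Info:' header, which has no value
            fields[m.group(1)] = m.group(2)
    return fields

def check_hsm(text, expected_label="NSFIPS"):
    """Return the problems found in `show fips` output; an empty list means the card is ready."""
    if "no FIPS card present" in text:
        return ["driver not loaded: no FIPS card present in the system"]
    fields = parse_show_fips(text)
    if fields is None:
        return ["FIPS card is not configured: run the initialization procedure"]
    problems = []
    if fields.get("HSM Label") != expected_label:
        problems.append(f"unexpected HSM label {fields.get('HSM Label')!r}")
    if not fields.get("Initialization", "").startswith("FIPS-140-2"):
        problems.append("HSM is not initialized at a FIPS 140-2 level")
    try:
        free_keys = int(fields["Free FIPS Key Memory"])
        if not 0 <= free_keys <= int(fields["Max FIPS Key Memory"]):
            problems.append("FIPS key memory counters are inconsistent")
    except (KeyError, ValueError):
        problems.append("FIPS key memory counters missing or not numeric")
    return problems

def pek_present(fips_dir="/nsconfig/fips"):
    """Step 5 check: the password encrypted key for the main partition must exist."""
    return (Path(fips_dir) / "master_pek.key").is_file()
```

Run it on the appliance shell against the saved output of `show fips` after the second reboot; any returned problem means the initialization did not complete as the procedure expects.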