Configure the HSM for an instance on an SDX 14030/14060/14080 FIPS appliance
First check the state of your FIPS card to verify that the driver loaded correctly, and then initialize the card.
At the command prompt, type:
show fips
FIPS Card is not configured
Done
If the driver is not loaded correctly, the message “ERROR: Operation not permitted - no FIPS card present in the system” appears.
Initialize the FIPS card
Important:
- Verify that the /nsconfig/fips directory has successfully been created on the appliance.
- Do not save the configuration before you restart the appliance for the third time.
Perform the following steps to initialize the FIPS card:
- Reset the FIPS card (reset fips).
- Restart the appliance (reboot).
- Set the security officer password for partitions 0 and 1, and the user password for partition (set fips -initHSM Level-2 <soPassword> <oldsoPassword> <userPassword> -hsmLabel NSFIPS).
  Note: The set or reset command takes more than 60 seconds to run.
- Save the configuration (saveconfig).
- Verify that the password-encrypted key for the main partition (master_pek.key) has been created in the /nsconfig/fips/ directory.
- Restart the appliance (reboot).
- Verify that the FIPS card is UP (show fips).
Initialize the FIPS card by using the CLI
At the command prompt, type the following commands:
reset fips
reboot
set fips -initHSM Level-2 <soPassword> <oldsoPassword> <userPassword> -hsmLabel <string>
Note: The following message appears when you run the set fips command:
This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3] Do you want to continue?(Y/N)y
saveconfig
reboot
show fips
Example:
reset fips
Done
reboot
set fips -initHSM Level-2 so12345 so12345 user123 -hsmLabel NSFIPS
This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command. [Note: On MPX/SDX 14xxx FIPS platform, the FIPS security is at Level-3 by default, and the -initHSM Level-2 option is internally converted to Level-3] Do you want to continue?(Y/N)y
Done
saveconfig
Done
reboot
show fips
FIPS HSM Info:
HSM Label : NSFIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 3.0G1532-ICM000228
HSM State : 2
HSM Model : NITROX-III CNN35XX-NFBE
Hardware Version : 0.0-G
Firmware Version : 1.0
Firmware Build : NFBE-FW-1.0-48
Max FIPS Key Memory : 1000
Free FIPS Key Memory : 1000
Total SRAM Memory : 557396
Free SRAM Memory : 238088
Total Crypto Cores : 4
Enabled Crypto Cores : 4
Done
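As an added example, not code from the Citrix documentation or the NetScaler product: a small Python checker that parses captured "show fips" output in the field layout shown above and applies the verification steps of the procedure (card present, initialized under the expected label, master_pek.key on disk, all crypto cores enabled). The function names, the "unexpected" and warning categories, and the abridged sample output are assumptions made for this example.

```python
import os
import re
# Added helper, not part of the NetScaler documentation: parses captured
# 'show fips' output and applies the checks the procedure above calls for.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")

def parse_show_fips(output):
    """Turn the 'Name : value' lines of 'show fips' into a dict."""
    fields = {}
    for line in output.splitlines():
        if line.strip() in ("FIPS HSM Info:", "Done", ""):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def fips_status(output, expected_label="NSFIPS"):
    """'no_card' (driver not loaded), 'not_configured' (card present, not
    initialized), 'initialized' (label matches), else 'unexpected'."""
    if "no FIPS card present" in output:
        return "no_card"
    if "FIPS Card is not configured" in output:
        return "not_configured"
    fields = parse_show_fips(output)
    if "Initialization" in fields and fields.get("HSM Label") == expected_label:
        return "initialized"
    return "unexpected"

def health_warnings(fields):
    """Flag card-level anomalies worth investigating after initialization."""
    warnings = []
    if fields.get("Enabled Crypto Cores") != fields.get("Total Crypto Cores"):
        warnings.append("not all crypto cores enabled")
    if int(fields.get("Free FIPS Key Memory", "0")) == 0:
        warnings.append("no free FIPS key memory")
    return warnings

def master_pek_present(fips_dir="/nsconfig/fips"):
    """Check for the master_pek.key file the procedure says must exist."""
    return os.path.isfile(os.path.join(fips_dir, "master_pek.key"))

# Constructed sample, abridged from the example output on this page.
SAMPLE_INITIALIZED = """FIPS HSM Info:
HSM Label : NSFIPS
Initialization : FIPS-140-2 Level-2
Free FIPS Key Memory : 1000
Total Crypto Cores : 4
Enabled Crypto Cores : 4
Done"""
```

Run fips_status and master_pek_present after the third reboot; anything other than "initialized" with the key file present means the procedure did not complete and the configuration should not be saved.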