Summary
An nShield HSMi, already registered in a KMS environment, needs to have its IP address changed.
Process
- Log in to KMS and delete the registration of the HSM that is to be moved to a new IP address
  - Navigate to the HSM Management page
  - Select the HSM
  - Select the Actions > Delete Registration command
- Stop the Datacard Key Manager Server and Datacard HSM Server services on the KMS server.
- In Windows Explorer, navigate to the location of the HSM configuration file. Note the default location is:
  %NFAST_KMDATA%\hsm-<esn>\config
- Make a new copy of the config file and edit the copy, updating the 'addr=' and 'netmask=' lines in the [nethsm_eth] section to reflect the new IP address the HSM is moving to. Note: the gateway= line in this section must remain set to 0.0.0.0
- If needed, in the [nethsm_gateway] section, update the gateway= line.
- Save the edited copy of the HSM configuration file
- Navigate to the location of the RFS configuration file. The default location is %NFAST_KMDATA%\config
- Edit the config file at this location to update any instances of remote_ip= that refer to the current HSM IP address. The new IP address is the address the HSM is moving to
- Save the edited RFS configuration file
- Open an administrative command prompt and navigate to the location of the edited copy of the HSM configuration file.
- Push the edited copy using the command:
  cfg-pushnethsm -a <current HSM IP> <edited config filename>
- Confirm that the push of the edited configuration file succeeded by:
  - Verifying that the last updated date/time of the HSM config file has changed to the current date/time
  - Opening the file to verify that the updated addr= entries reflect the changes made to the edited copy of the configuration file
- In the admin command prompt, reboot the HSM using the command:
  nethsmadmin -m <module number> -r
- Restart the nFast Server service on the RFS server
- Verify that the HSM is communicating with the nFast Server service using the command:
  nopclearfail -m <module number> -n
- Start the Datacard HSM Server service, then start the Datacard Key Manager Server service
- Log in to KMS and re-register the HSM on the HSM Management page using the Actions > Register nShield command
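
A pre-push sanity check for the two edited files in the procedure above, added here as an example; it is not part of the original article or of any vendor tooling. It assumes the files use [section] headers and key=value lines as the steps imply; the function names, sample addresses and the [nethsm_imports] section name are assumptions.

```python
import ipaddress
from collections import defaultdict

def parse_config(text):
    """Return {section: {key: [values]}}; a key may repeat once per entry."""
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            sections[current][key.strip()].append(value.strip())
    return sections

def check_move(hsm_cfg, rfs_cfg, old_ip, new_ip):
    """Return a list of problems; an empty list means the edits match the steps."""
    ipaddress.ip_address(new_ip)  # raises ValueError on a mistyped address
    problems = []
    eth = parse_config(hsm_cfg).get("nethsm_eth", {})
    addrs = eth.get("addr", [])
    if new_ip not in addrs:
        problems.append(f"[nethsm_eth] has no addr={new_ip}")
    if old_ip in addrs:
        problems.append(f"[nethsm_eth] still has addr={old_ip}")
    for gw in eth.get("gateway", []):  # must stay 0.0.0.0 in this section
        if gw != "0.0.0.0":
            problems.append(f"[nethsm_eth] gateway={gw}, must remain 0.0.0.0")
    for name, keys in parse_config(rfs_cfg).items():  # stale remote_ip= anywhere
        if old_ip in keys.get("remote_ip", []):
            problems.append(f"RFS [{name}] still has remote_ip={old_ip}")
    return problems

# Constructed, simplified samples; real files carry more sections and keys.
OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.50"
HSM_CFG_BAD = """\
[nethsm_eth]
addr=192.0.2.50
netmask=255.255.255.0
gateway=192.0.2.1
[nethsm_gateway]
gateway=192.0.2.1
"""
HSM_CFG_GOOD = HSM_CFG_BAD.replace("gateway=192.0.2.1", "gateway=0.0.0.0", 1)
RFS_CFG_STALE = "[nethsm_imports]\nremote_ip=192.0.2.10\n"  # section name assumed

if __name__ == "__main__":
    for problem in check_move(HSM_CFG_BAD, RFS_CFG_STALE, OLD_IP, NEW_IP):
        print("PROBLEM:", problem)
```

Run it against the edited copy and the RFS config before cfg-pushnethsm; any reported problem means a step above was missed or mistyped.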