
HSM - Changing the IP Address of a Registered nShield HSMi

Problem

If an nShield HSMi that is already registered in a KMS environment needs to have its IP address changed, the following process may be used to change the configuration of the HSM and its associated RFS.

Summary

An nShield HSMi, already registered in a KMS environment, needs to have its IP address changed.


Process

  1. Log in to KMS and delete the registration of the HSM that is to be moved to a new IP address
    1. Navigate to the HSM Management page
    2. Select the HSM
    3. Select the Actions > Delete Registration command
  2. Stop the Datacard Key Manager Server and Datacard HSM Server services on the KMS server.
  3. In Windows Explorer, navigate to the location of the HSM configuration file. Note: the default location is %NFAST_KMDATA%\hsm-<esn>\config
  4. Make a new copy of the config file and edit the copy, updating the addr= and netmask= lines in the [nethsm_eth] section to reflect the new IP address the HSM is moving to. Note: the gateway= line in this section must remain set to 0.0.0.0
  5. If needed, in the [nethsm_gateway] section, update the gateway= line.
  6. Save the edited copy of the HSM configuration file
  7. Navigate to the location of the RFS configuration file. The default location is %NFAST_KMDATA%\config
  8. Edit the config file at this location to update any instances of remote_ip= that refer to the current HSM IP address, replacing it with the address the HSM is moving to
  9. Save the edited RFS configuration file
  10. Open an administrative command prompt and navigate to the location of the edited copy of the HSM configuration file.
  11. Push the edited copy using the command: cfg-pushnethsm -a <current HSM IP> <edited config filename>
  12. Confirm that the push of the edited configuration file succeeded by:
    1. Verifying that the last updated date/time of the HSM config file has changed to the current date/time
    2. Opening the file to verify that the updated addr= entries reflect the changes made to the edited copy of the configuration file
  13. In the admin command prompt, reboot the HSM using the command: nethsmadmin -m <module number> -r
  14. Restart the nFast Server service on the RFS server
  15. Verify that the HSM is communicating with the nFast Server service using the command: nopclearfail -m <module number> -n
  16. Start the Datacard HSM Server service, then start the Datacard Key Manager Server service
  17. Log in to KMS and re-register the HSM on the HSM Management page using the Actions > Register nShield command
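
A pre-push check for the edits made in steps 4 to 8, as an added example that is not part of the original article or the vendor's tooling. It assumes the config files use "[section]" headers followed by key=value lines; the function names, the [nethsm_imports] section name in the sample and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_sections(text):
    """Map each '[section]' header to its list of (key, value) entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def check_before_push(hsm_cfg, rfs_cfg, old_ip, new_ip):
    """Return a list of problems; an empty list means the edits match steps 4-8."""
    problems = []
    eth = parse_sections(hsm_cfg).get("nethsm_eth", [])
    addrs = [v for k, v in eth if k == "addr"]
    if new_ip not in addrs:
        problems.append("nethsm_eth: no addr= line set to the new IP")
    if old_ip in addrs:
        problems.append("nethsm_eth: addr= still holds the current IP")
    for key, value in eth:
        if key == "netmask":
            try:
                ipaddress.ip_network("0.0.0.0/" + value)  # rejects malformed masks
            except ValueError:
                problems.append("nethsm_eth: invalid netmask " + value)
        elif key == "gateway" and value != "0.0.0.0":
            problems.append("nethsm_eth: gateway= must remain 0.0.0.0")
    # The RFS config must not keep any remote_ip= entry for the current address.
    for name, entries in parse_sections(rfs_cfg).items():
        if ("remote_ip", old_ip) in entries:
            problems.append(name + ": remote_ip= still points at the current IP")
    return problems

# Constructed sample data (documentation address range), not from a real HSM.
OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.50"
EDITED_HSM_CFG = """[nethsm_eth]
addr=192.0.2.50
netmask=255.255.255.0
gateway=0.0.0.0
[nethsm_gateway]
gateway=192.0.2.1
"""
STALE_RFS_CFG = "[nethsm_imports]\nremote_ip=192.0.2.10\n"  # step 8 not yet done

if __name__ == "__main__":
    for problem in check_before_push(EDITED_HSM_CFG, STALE_RFS_CFG, OLD_IP, NEW_IP):
        print("FIX BEFORE PUSH:", problem)
```

Running the check on the two edited files before step 11 catches a stale remote_ip= entry or a changed [nethsm_eth] gateway while the HSM is still reachable at its current address.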