Problem
If an nShield HSMi that is already registered in a KMS environment needs to have its IP address changed, the following process may be used to change the configuration of the HSM and its associated RFS.
Summary
An nShield HSMi, already registered in a KMS environment, needs to have its IP address changed.
Process
- Log in to KMS and delete the registration of the HSM that is to be moved to a new IP address
  - Navigate to the HSM Management page
  - Select the HSM
  - Select the Actions > Delete Registration command
- Stop the Datacard Key Manager Server and Datacard HSM Server services on the KMS server.
- In Windows Explorer, navigate to the location of the HSM configuration file. Note the default location is:
    %NFAST_KMDATA%\hsm-<esn>\config
- Make a new copy of the config file and edit the copy, updating the 'addr=' and 'netmask=' lines in the [nethsm_eth] section to reflect the new IP address the HSM is moving to. Note: the gateway= line in this section must remain set to 0.0.0.0
- If needed, in the [nethsm_gateway] section, update the gateway= line.
- Save the edited copy of the HSM configuration file
- Navigate to the location of the RFS configuration file. The default location is:
    %NFAST_KMDATA%\config
- Edit the config file at this location to update any instances of remote_ip= that refer to the current HSM IP address. The new IP address is the address the HSM is moving to
- Save the edited RFS configuration file
- Open an administrative command prompt and navigate to the location of the edited copy of the HSM configuration file.
- Push the edited copy using the command:
    cfg-pushnethsm -a <current HSM IP> <edited config filename>
- Confirm that the push of the edited configuration file succeeded by:
  - Verifying that the last updated date/time of the HSM config file has changed to the current date/time
  - Opening the file to verify that the updated addr= entries reflect the changes made to the edited copy of the configuration file
- In the admin command prompt, reboot the HSM using the command:
    nethsmadmin -m <module number> -r
- Restart the nFast Server service on the RFS server
- Verify that the HSM is communicating with the nFast Server service using the command:
    nopclearfail -m <module number> -n
- Start the Datacard HSM Server service, then start the Datacard Key Manager Server service
- Log in to KMS and re-register the HSM on the HSM Management page using the Actions > Register nShield command
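
The two file edits in the process above (the copy of the HSM config and the RFS config) can be scripted so that the rule about gateway= in [nethsm_eth] is enforced rather than remembered. This is an added example, not vendor code: the function names are hypothetical, the sample files are constructed, and it assumes each setting sits on its own key=value line with addr= preceding netmask= within an interface entry.

```python
import ipaddress
import re

SECTION = re.compile(r"^\[(\w+)\]$")

def edit_hsm_config(text, old_ip, new_ip, new_netmask):
    """Return an edited copy of the HSM config text for the new address."""
    ipaddress.ip_address(new_ip)       # raises ValueError on a malformed value
    ipaddress.ip_address(new_netmask)
    out, section, in_entry, changed = [], None, False, 0
    for line in text.splitlines():
        stripped = line.strip()
        header = SECTION.match(stripped)
        key, _, value = stripped.partition("=")
        if header:
            section, in_entry = header.group(1), False
        elif section == "nethsm_eth" and key == "addr":
            in_entry = value == old_ip  # touch only the entry holding the current IP
            if in_entry:
                line, changed = f"addr={new_ip}", changed + 1
        elif section == "nethsm_eth" and key == "netmask" and in_entry:
            line = f"netmask={new_netmask}"
        elif section == "nethsm_eth" and key == "gateway" and value != "0.0.0.0":
            raise ValueError("gateway= in [nethsm_eth] must remain 0.0.0.0")
        out.append(line)
    if changed != 1:
        raise ValueError(f"expected one addr={old_ip} in [nethsm_eth], found {changed}")
    return "\n".join(out) + "\n"

def edit_rfs_config(text, old_ip, new_ip):
    """Repoint remote_ip= lines that name the old HSM address; return (text, count)."""
    ipaddress.ip_address(new_ip)
    pattern = re.compile(rf"^([ \t]*remote_ip=){re.escape(old_ip)}[ \t]*$", re.MULTILINE)
    return pattern.subn(rf"\g<1>{new_ip}", text)

# Constructed sample inputs; keys not named in the article are assumptions.
SAMPLE_HSM = """[nethsm_eth]
iface=0
addr=192.0.2.10
netmask=255.255.255.0
gateway=0.0.0.0
[nethsm_gateway]
gateway=192.0.2.1
"""
SAMPLE_RFS = """[nethsm_imports]
local_module=1
remote_ip=192.0.2.10
remote_port=9004
"""
```

Write the returned text to a new file so the original config remains available, then push that copy with cfg-pushnethsm as in the step above.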