
HSM - Changing the IP Address of an RFS System after the Security World has been created

Problem

If an RFS system that has already been configured with a Security World needs to have its IP address changed, the following process may be used to change the configuration of the RFS and any associated nShield HSMs.

Summary

An RFS system that has already been configured with a Security World needs to have its IP address changed.


Process

  1. In Windows Explorer, navigate to the location of each HSM configuration file. Note: the default location is: %NFAST_KMDATA%\hsm-<esn>\config
  2. Make a new copy of the config file and edit the copy, updating it to reflect the IP address the RFS will move to:
     • The ' addr= ' entry of the [hs_clients] section
     • The ' remote_ip= ' entry in the [rfs_client] and [config_op] sections
  3. Open an administrative command prompt, and force push the edited HSM configuration file using the command: cfg-pushnethsm -a <HSM IP> -n <edited config filename>
  4. Update the IP address of the RFS system, and reboot the RFS server
  5. On the RFS server, open an administrative command prompt and re-push the edited HSM configuration file using the command: cfg-pushnethsm -a <HSM IP> <edited config filename>
  6. Confirm that the push of the edited configuration file succeeded by:
     1. Verifying that the last updated date/time of the HSM config file has changed to the current date/time
     2. Opening the file to verify that the changes made to the edited HSM configuration file in Step 2 are reflected in the current config file
  7. Using the administrative command prompt, reboot the HSM using the command: nethsmadmin -m <HSM module number> -r
  8. Restart the nFast Server service, then verify communication between the RFS and HSM using the administrative command prompt, and running the command: nopclearfail -m <HSM module number> -n
  9. Restart the Datacard HSM Server service
  10. Verify the status of the HSM in the HSM Management page of KMS
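
The edit in step 2 as an added example (not part of the original article or of the vendor tooling): a PowerShell function that rewrites only the named keys in the named sections, and only where the value equals the old RFS address, so other [hs_clients] entries are left untouched. The function name, both IP addresses and the sample config content are constructed for illustration.

```powershell
# Added example (not vendor code). Sample content and addresses are constructed.
function Update-RfsAddress {
    param(
        [string[]]$Lines,  # lines of the COPIED config file
        [string]$OldIp,    # current RFS address
        [string]$NewIp     # address the RFS will move to
    )
    # Section -> key pairs listed in step 2 of the process.
    $targets = @{ 'hs_clients' = 'addr'; 'rfs_client' = 'remote_ip'; 'config_op' = 'remote_ip' }
    $section = ''
    $changed = 0
    $out = @(foreach ($line in $Lines) {
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            $section = $Matches['name']   # track the section we are in
            $line
        }
        elseif ($targets.ContainsKey($section) -and
                $line -match ('^\s*' + $targets[$section] + '\s*=\s*' + [regex]::Escape($OldIp) + '\s*$')) {
            $changed++
            $targets[$section] + '=' + $NewIp   # rewrite only entries holding the old RFS address
        }
        else { $line }
    })
    [pscustomobject]@{ Lines = $out; Changed = $changed }
}

# Constructed sample: two [hs_clients] entries, only the first is the RFS.
$sample = @'
[hs_clients]
addr=192.0.2.10
clientperm=priv
-----
addr=192.0.2.50
clientperm=unpriv
[rfs_client]
remote_ip=192.0.2.10
[config_op]
remote_ip=192.0.2.10
'@ -split '\r?\n'

$result = Update-RfsAddress -Lines $sample -OldIp '192.0.2.10' -NewIp '198.51.100.20'
$result.Lines
"Entries changed: $($result.Changed)"
# Fail loudly if the old address survives anywhere, before anything is pushed.
if ($result.Lines -match [regex]::Escape('192.0.2.10')) { throw 'Old RFS address still present' }
```

To apply it to a real copy, pass the output of Get-Content for the copied file as -Lines and write $result.Lines back with Set-Content before running cfg-pushnethsm.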

Note: if the RFS is installed on the same system as SQL Server and KMS (i.e. a single server configuration), the connection string for the SQL Server and the HSM Server registration may need to be updated if it is not set as localhost or 127.0.0.1