

Changing HSM Configuration Post-Installation

During installation, the RiskMinder installer prompts you to specify the HSM-related information. To change the HSM configuration later, for example to change the data encryption mode or to configure other HSM information that RiskMinder needs, perform the following steps:

  1. Navigate to the following location:
    <install_location>\Arcot System\conf\
    
  2. Take a backup of securestore.enc.
  3. Delete the existing securestore.enc file from <install_location>\Arcot System\conf\.
  4. To change the data encryption mode from software (S/W) to hardware (chrysalis or nfast), and configure the HSM information that RiskMinder needs:
    1. Navigate to the following location:
      <install_location>\Arcot System\conf\
      
    2. Open arcotcommon.ini in a text editor.
    3. In the [arcot/crypto/device] section:
      • Set the HSMDevice parameter to chrysalis for Luna HSM.

      or

      • Set the HSMDevice parameter to nfast for nCipher netHSM.
    4. Depending on the HSM that you are configuring, set the sharedLibrary parameter to the location where the HSM library file is located:
      • The default location of the Luna HSM library is <SYSTEM_DRIVE>:\Program Files\LunaSA\cryptoki.dll.

      or

      • The default location of the nCipher netHSM library is <SYSTEM_DRIVE>:\nfast\bin\cknfast.dll.

      Note: See arcotcommon.ini for more information about the other HSM configuration parameters available in this section.

    5. Save and close the arcotcommon.ini file.
  5. Navigate to the following location, where the DBUtil tool is available:
    <install_location>\Arcot System\tools\platform\
    
  6. Run the DBUtil tool with the following commands:

    Note: The database user (<Database_Username>) that you specify in the following commands is case-sensitive.

    1. dbutil -init <HSM_Key_Label>

      Note: The <HSM_Key_Label> corresponds to the 3DES key that resides in the HSM.

      The preceding command creates a securestore.enc file with the specified key label. The generated file is stored in the <install_location>\Arcot System\conf\ location.

    2. dbutil -i <HSM_Module_Name> <HSM_Password>

      Note: The <HSM_Module_Name> is chrysalis for Luna HSM, and nfast for nCipher netHSM.

      The preceding command initializes the HSM.

    3. dbutil -pi <DSN_Name> <Database_Password> -h <HSM_Password> -d <HSM_Module_Name>

      Note: <DSN_Name> refers to the ODBC DSN that RiskMinder Server uses to connect to the RiskMinder database. <Database_Password> refers to the password used to connect to the database.

      The preceding command initializes the RiskMinder Server data to be encrypted by using HSM.

    4. dbutil -pi <Database_Username> <Database_Password> -h <HSM_Password> -d <HSM_Module_Name>

      Note: <Database_Username> refers to the user name used to connect to the RiskMinder database. <Database_Password> refers to the password used to connect to the database.

      The preceding command initializes Administration Console and the User Data Service data to be encrypted by using HSM.
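
The following pre-flight check for the arcotcommon.ini edits in step 4 is an added example, not part of the RiskMinder documentation or tooling; it can be run against the edited file before the DBUtil commands to catch a device and library mismatch. It assumes the file uses plain key=value lines under [section] headers and that the HSM library keeps its default file name (cryptoki.dll for chrysalis, cknfast.dll for nfast); the function names and the sample content are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Device value -> default library file name, both taken from the procedure above.
EXPECTED_LIBRARY = {"chrysalis": "cryptoki.dll", "nfast": "cknfast.dll"}

def parse_ini(text):
    """Return {section: {key: [values]}}; assumes plain 'key=value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def check_hsm_config(text):
    """Return a list of problems; an empty list means the edit looks consistent."""
    sections = parse_ini(text)
    device_values = sections.get("arcot/crypto/device", {}).get("HSMDevice", [])
    if len(device_values) != 1:
        return ["expected exactly one HSMDevice in [arcot/crypto/device], found %d" % len(device_values)]
    device = device_values[0]
    if device not in EXPECTED_LIBRARY:
        return ["HSMDevice is %r; hardware mode needs chrysalis or nfast" % device]
    # sharedLibrary is looked up in every section because the page does not
    # pin down which section holds it (assumption of this example).
    libraries = [v for keys in sections.values() for v in keys.get("sharedLibrary", [])]
    if not libraries:
        return ["no sharedLibrary parameter set"]
    names = {PureWindowsPath(v).name.lower() for v in libraries}
    if EXPECTED_LIBRARY[device] not in names:
        return ["HSMDevice=%s but no sharedLibrary points at %s" % (device, EXPECTED_LIBRARY[device])]
    return []

# Constructed sample: device switched to nfast, library still the Luna default.
SAMPLE = """\
[arcot/crypto/device]
HSMDevice=nfast
sharedLibrary=C:\\Program Files\\LunaSA\\cryptoki.dll
"""

if __name__ == "__main__":
    for problem in check_hsm_config(SAMPLE) or ["arcotcommon.ini HSM settings look consistent"]:
        print(problem)
```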