

Changing HSM Configuration Post-Installation

During RiskMinder installation, the installer prompts you to specify HSM-related information. Perform the following steps if you want to change the HSM configuration later.

  1. Navigate to the following location:
    <install_location>/arcot/conf/
    
  2. Take a backup of the securestore.enc file.
  3. Delete the existing securestore.enc file from <install_location>/arcot/conf/.
  4. To change the data encryption mode from software (S/W) to hardware (chrysalis or nfast), and configure the HSM information that RiskMinder needs:
    1. Navigate to the following location:
      <install_location>/arcot/conf/
      
    2. Open arcotcommon.ini in a text editor.
    3. In the [arcot/crypto/device] section:
      • Set the HSMDevice parameter to chrysalis for Luna HSM.

      or

      • Set the HSMDevice parameter to nfast for nCipher netHSM.
    4. Depending on the HSM that you are configuring, set the sharedLibrary parameter to the location where the HSM library file is located:
      • The default location of the Luna HSM library is /usr/lunasa/lib/libCryptoki2.so.

      or

      • The default location of the nCipher netHSM library is /opt/nfast/toolkits/pkcs11/libcknfast.so.

      Note: See "arcotcommon.ini" for more information about the other HSM configuration parameters available in this section.

    5. Save and close the arcotcommon.ini file.
  5. Navigate to the following location, where the DBUtil tool is available:
    <install_location>/arcot/tools/platform/
    
  6. Run the DBUtil tool with the following commands:

    Note: The database user (<Database_Username>) that you specify in the following commands is case-sensitive.

    1. dbutil -init <HSM_Key_Label>

      Note: The <HSM_Key_Label> corresponds to the 3DES key that resides in the HSM.

      The preceding command creates the securestore.enc file with the specified key label. The generated file is stored in the <install_location>/arcot/ directory.

    2. dbutil -i <HSM_Module_Name> <HSM_Password>

      Note: The <HSM_Module_Name> is chrysalis for Luna HSM, and nfast for nCipher netHSM.

      The preceding command initializes the HSM.

    3. dbutil -pi <DSN_Name> <Database_Password> -h <HSM_Password> -d <HSM_Module_Name>

      Note: <DSN_Name> refers to the ODBC DSN that RiskMinder Server uses to connect to the RiskMinder database. <Database_Password> refers to the password used to connect to the database.

      The preceding command initializes the RiskMinder Server data to be encrypted by using HSM.

    4. dbutil -pi <Database_Username> <Database_Password> -h <HSM_Password> -d <HSM_Module_Name>

      Note: <Database_Username> refers to the user name used to connect to the RiskMinder database. <Database_Password> refers to the password used to connect to the database.

      The preceding command initializes Administration Console and the User Data Service data to be encrypted by using HSM.
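
The following pre-flight check is an added example, not part of the RiskMinder tooling: run it after editing arcotcommon.ini (step 4) and before the DBUtil commands (step 6) to confirm that HSMDevice is chrysalis or nfast and that sharedLibrary points to a readable file. The function names, the key=value file layout, and reading sharedLibrary from the [arcot/crypto/device] section are assumptions; the sample file it builds is constructed.

```shell
# Pre-flight check of arcotcommon.ini before running dbutil (added example).
# Assumes key=value lines, with sharedLibrary in the HSMDevice section.

# Print the value of key $3 in section $2 of INI file $1 (empty if absent).
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == want {
            line = $0; sub(/\r$/, "", line)       # tolerate CRLF files
            eq = index(line, "="); if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v                 # last assignment wins
        }
        END { print val }
    ' "$1"
}

# Return 0 and print the settings when the file is ready for hardware mode;
# otherwise return 1 (file unreadable), 2 (bad HSMDevice) or 3 (bad library).
check_hsm_config() {
    ini=$1
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 1; }
    dev=$(ini_get "$ini" arcot/crypto/device HSMDevice)
    lib=$(ini_get "$ini" arcot/crypto/device sharedLibrary)
    case $dev in
        chrysalis|nfast) ;;
        *) echo "HSMDevice='$dev': expected chrysalis or nfast" >&2; return 2 ;;
    esac
    [ -f "$lib" ] && [ -r "$lib" ] ||
        { echo "sharedLibrary='$lib' is not a readable file" >&2; return 3; }
    echo "HSMDevice=$dev sharedLibrary=$lib"
}

# Constructed sample: temp directory holding an empty stand-in library file
# and an arcotcommon.ini with HSMDevice=$1 and sharedLibrary=<dir>/$2.
make_sample() {
    d=$(mktemp -d) && : > "$d/libCryptoki2.so"
    printf '[arcot/crypto/device]\nHSMDevice=%s\nsharedLibrary=%s\n' \
        "$1" "$d/$2" > "$d/arcotcommon.ini"
    echo "$d"
}

if [ "$#" -gt 0 ]; then check_hsm_config "$1"; else
    s=$(make_sample chrysalis libCryptoki2.so)
    check_hsm_config "$s/arcotcommon.ini"; rm -rf "$s"
fi
```

Pass the path to the real arcotcommon.ini as the only argument; with no argument the script checks its own constructed sample.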