
nShield

Hardware Installation Guide

www.thalesgroup.com/iss
Version: 3.8
Date: 6 January 2011
Part Number: N-001027-X
Copyright 2011 Thales e-Security Limited. All rights reserved.
Copyright in this document is the property of Thales e-Security Limited. It is not to be reproduced, modified,
adapted, published, translated in any material form (including storage in any medium by electronic means
whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior
written permission of Thales e-Security Limited neither shall it be used otherwise than for the purpose for which
it is supplied.
CodeSafe, KeySafe, nCipher, nFast, nForce, nShield, payShield, and Ultrasign are registered trademarks of
Thales e-Security Limited or nCipher Corporation Limited.
CipherTools, CryptoStor, CryptoStor Tape, keyAuthority, KeyVault, nCore, netHSM, nFast Ultra, nForce Ultra,
nShield Connect, nToken, SafeBuilder, SEE, and Trust Appliance are trademarks of Thales e-Security Limited or
nCipher Corporation Limited.
All other trademarks are the property of the respective trademark holders.
Information in this document is subject to change without notice.
Thales e-Security Limited makes no warranty of any kind with regard to this information, including, but not limited
to, the implied warranties of merchantability and fitness for a particular purpose. Thales e-Security Limited shall
not be liable for errors contained herein or for incidental or consequential damages concerned with the
furnishing, performance or use of this material.
Commercial Computer Software - proprietary
This computer software and documentation is Commercial Computer Software and Computer Software
Documentation, as defined in sub-paragraphs (a)(1) and (a)(5) of DFAR 252.227-7014, Rights in
Noncommercial Computer Software and Noncommercial Computer Software Documentation. Use,
duplication or disclosure by the Government is subject to the Thales standard US Terms And Conditions for the
Product.
Patents
UK Patent GB9714757.3. Corresponding patents/applications in USA, Canada, South Africa, Japan and
International Patent Application PCT/GB98/00142.
Other patents pending.
EMC compliance
The use of hand held or mobile radio equipment with a rated output power of 4W or more should not be
permitted within a radius of 2m of this equipment.
FCC class A notice
This device complies with Part 15 of the FCC rules. Operation is subject to the following two conditions:
1 This device may not cause harmful interference, and
2 this device must accept any interference received, including interference that may cause undesired
operation.
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part
15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference
when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate
radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause
harmful interference in which case the user will be required to correct the interference at his own expense.
UL Listed Accessory
Some of the Thales modules are UL Listed Accessories. These may be identified by the UL Mark applied, as a
label, to the back panel. These products should only be used with Listed ITE.
European class A notice
This device has been tested and found to comply with the requirements of the EMC directive 2004/108/EEC
as a Class A product to be operated in a commercial environment at least 10m away from domestic television
or radio. In a domestic environment this product may cause radio interference in which case the user may be
required to take adequate measures.

Contents

Chapter 1: Introduction
About this guide
Additional documentation
Using this guide
Technical conventions
Handling HSMs
Temperature and humidity recommendations
Contacting Support
Recycling and disposal information

Chapter 2: Installing nShield PCI and PCIe modules
Before installing an nShield PCI or PCIe module
Environmental requirements
Power requirements
Installing an nShield PCI or PCIe module
Fitting an nShield PCIe module with a low profile bracket
Fitting an EMI filter to an nShield PCI module
Fitting a smart card reader
After installing the nShield PCI or PCIe module

Chapter 3: Installing the nShield Connect
Environmental requirements
Power requirements
Safety
Before installing the nShield Connect
Optional: Mounting the nShield Connect in the rack
Further options for installing the nShield Connect
Connecting the nShield Connect
Checking the installation
Installing the software

Chapter 4: Troubleshooting
All nShield HSMs: checking operational status
Enquiry utility
Status LED
nShield PCI and PCIe modules only: checking operational status
nCipher server
Mode switch
nShield Connect only: checking operational status
Audible warnings
Orange warning LED
Checking the physical security of the nShield Connect
Display screen
Checking the log messages
Log messages for an nShield PCI or PCIe module
Log messages for the nShield Connect
Log message types
Utility error messages
BadTokenData error in nShield modules
nShield Connect only: Power supply unit (PSU) and fan tray replacement
Replacing the fan tray module
Replacing the PSU

Appendix A: Morse code error messages
Reading Morse code
Runtime library errors
Hardware driver errors
Maintenance mode errors
Operational mode errors

Appendix B: nShield Connect maintenance
Flash testing the nShield Connect

Appendix C: Approved accessories for nShield Connect

Appendix D: Product returns

Addresses

Chapter 1: Introduction

About this guide


This guide is for the person physically installing the nShield module. It provides hardware
installation and troubleshooting information for the following hardware security modules
(HSMs) on all supported operating systems:

- nShield PCI module
- nShield PCI Express (PCIe) module
- nShield Connect

This guide does not explain how to install:

- nToken modules (model number nC2023P-000 or nC2021E-000). To install an nToken, see the nToken Installation Guide.
- nShield Edge modules (model number nC30nnU-10 or nC40nnU-10). To install an nShield Edge, see the nShield Edge Quick Start Guide.

These guides are provided in the documents directory of your installation disc.

Additional documentation
You can find additional documentation, including User Guides, in the document directory of the
DVD-ROM for your product.

For information about installing software and enabling additional features (such as client
licences), see the appropriate User Guide.

For the latest information about your product, see the release notes in the release directory of your
installation disc.

Note We strongly recommend familiarizing yourself with the information provided in the release
notes before using the hardware and the software supplied on your installation disc.


Using this guide

Typographical conventions

Note The word Note indicates important supplemental information.

If there is a danger of static damage, this is indicated by the reaching hand symbol in the
margin.


If there is a danger of loss or exposure of key material (or any other security risk), this is
indicated by a security triangle in the margin.


If there is a danger of damage to the hardware, this is indicated by a caution triangle in the
margin. If you see this symbol on the product itself, see the relevant section of this guide.


If there is a danger of electric shock to the user, this is indicated by a warning triangle in the
margin.


nShield Connect safety warnings


Always observe the following safety precautions with the nShield Connect:

Only connect to earthed supply sockets. The nShield Connect is of Class 1 construction and
must be earthed.

Only connect to a mains power outlet with a voltage that corresponds with that displayed
on the rating plate. The rating plate is located on the base of the unit, towards the rear.

To allow the nShield Connect to be disconnected, ensure that either the cordset IEC sockets
or the mains plugs are easily accessible.

To isolate power, remove all mains cables from the nShield Connect (see the instruction
displayed at the rear of the unit, above the PSU(s)).

Always use the mains cables supplied with the nShield Connect.

The M4 stud on the rear panel of the nShield Connect is a functional earthing terminal for
EMC purposes. Do not connect protective earth bond conductors to this terminal.

Do not connect RJ45 sockets to network equipment outside the building or to
telecommunications equipment.


Technical conventions

Model numbers
Model numbering conventions are used to distinguish different Thales HSMs. In the table below,
n represents either any single-digit integer or the letter K (denoting 1000).

Model number | Used for
nCnnnnP-nnn or nCnnnnP-nK0 | Thales nCipher product line hardware security device with a PCI interface.
nCnnnnE-nnn | Thales nCipher product line hardware security device with a PCI express interface.
nCnnnnN-nnn or nCnnnnN-nK0 | netHSM
NH2047 | nShield Connect 6000
NH2040 | nShield Connect 1500
NH2033 | nShield Connect 500
nC2023P-000 | An nToken (PCI interface).
nC2021E-000 | An nToken (PCI express interface).
nC10nnP-nnn or nC10nnE-nnn | Any Thales nCipher product line hardware security device that does not support key management (nFast module).
nC30nnP-nnn, nC30nnE-nnn, nC40nnP-nnn or nC40nnE-nnn, or NH2047, NH2040, and NH2033 | Any Thales nCipher product line hardware security device that supports key management (nShield PCI module, nShield PCIe module, nShield Connect).
nC30nnU-10 or nC40nnU-10 | An nShield Edge module.
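
The model number templates above can be matched mechanically, for example when sorting an HSM inventory by device type and by which installation guide applies. The following Python sketch is an added example, not Thales code: the function names, the sample model numbers and the rule that the matching row with the fewest wildcards is listed first are assumptions of this example.

```python
import re

# In the table, "n" stands for any single digit or the letter K.
WILDCARD = "[0-9K]"

# (template, device, supports key management) transcribed from the table.
# None means the table does not say. Splitting the nC30nn/nC40nn row into
# PCI (P) and PCIe (E) devices follows the interface letters in the table.
ROWS = [
    ("nC2023P-000", "nToken (PCI interface)", None),
    ("nC2021E-000", "nToken (PCI express interface)", None),
    ("nC30nnU-10", "nShield Edge module", None),
    ("nC40nnU-10", "nShield Edge module", None),
    ("NH2047", "nShield Connect 6000", True),
    ("NH2040", "nShield Connect 1500", True),
    ("NH2033", "nShield Connect 500", True),
    ("nC10nnP-nnn", "nFast module", False),
    ("nC10nnE-nnn", "nFast module", False),
    ("nC30nnP-nnn", "nShield PCI module", True),
    ("nC40nnP-nnn", "nShield PCI module", True),
    ("nC30nnE-nnn", "nShield PCIe module", True),
    ("nC40nnE-nnn", "nShield PCIe module", True),
    ("nCnnnnN-nnn", "netHSM", None),
    ("nCnnnnN-nK0", "netHSM", None),
    ("nCnnnnP-nnn", "device with a PCI interface", None),
    ("nCnnnnP-nK0", "device with a PCI interface", None),
    ("nCnnnnE-nnn", "device with a PCI express interface", None),
]


def compile_template(template):
    """Return (regex, wildcard count); a leading 'nC' is literal text."""
    head = "nC" if template.startswith("nC") else ""
    tail = template[len(head):]
    body = "".join(WILDCARD if ch == "n" else re.escape(ch) for ch in tail)
    return re.compile(re.escape(head) + body), tail.count("n")


def classify(model):
    """Return every matching table row, fewest wildcards (most specific) first."""
    hits = []
    for order, (template, device, key_mgmt) in enumerate(ROWS):
        regex, wildcards = compile_template(template)
        if regex.fullmatch(model.strip()):
            hits.append((wildcards, order, template, device, key_mgmt))
    hits.sort()  # ties keep ROWS order because `order` is unique
    return [{"template": t, "device": d, "key_management": k}
            for _, _, t, d, k in hits]


def guide_for(model):
    """Name the guide that 'About this guide' assigns, or None if unstated."""
    hits = classify(model)
    if not hits:
        return None
    device = hits[0]["device"]
    if device.startswith("nToken"):
        return "nToken Installation Guide"
    if device.startswith("nShield Edge"):
        return "nShield Edge Quick Start Guide"
    if device.startswith(("nShield PCI", "nShield Connect")):
        return "Hardware Installation Guide"
    return None


if __name__ == "__main__":
    # Constructed sample model numbers, not read from real hardware.
    for sample in ["nC2023P-000", "nC4033E-500", "nC1002P-150",
                   "NH2047", "nC3021U-10", "nC2023N-1K0", "AB1234"]:
        best = classify(sample)[:1]
        print(sample, best, guide_for(sample))
```

A model number that matches no row returns an empty list, which is worth flagging in an inventory rather than silently treating the device as a supported HSM.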

Handling HSMs
An HSM is a solid-state device that can withstand normal handling. However, do not drop an
HSM or expose it to excessive vibration.

Always disconnect your computer from the power supply before attempting to install
hardware. Often the plug is the only ground (earthing point) for your computer or 19" rack.
If you remove the plug, ensure that a grounded (earthed) contact remains.

nShield PCI and PCIe modules


PCI or PCIe modules can be damaged by static discharge: do not touch the pins on the PCI
or PCIe connectors, or the exposed area of the module.


Leave the module in its anti-static bag until you are ready to install the module. When handling
internal modules, always wear an anti-static wrist strap that is connected to a grounded metal
object. You must also ensure that the computer frame is grounded while you are installing or
removing an internal module.

To fit an internal module, you usually need to dismantle your computer. Installation must be
performed with care. To avoid damage to the module, or to your computer, and to avoid
personal injury, follow the safety precautions in this guide and all safety instructions
provided by the manufacturer of your computer.

nShield Connect
The handling and installation of the nShield Connect must be performed by experienced
personnel. Two competent persons are required to lift the nShield Connect to a level above head
height (for example, during installation in a rack or when placing the unit on a high shelf for
storage). Always consult your company health and safety policy before attempting to lift and
carry heavy equipment (such as the nShield Connect) by hand.

If you are installing the nShield Connect in a 19" rack, be careful of sharp edges when
disassembling and assembling the optional slide rail components.

nShield Connect | Packaged | Unpackaged | Comments
Weight | 19.5 Kg | 11.5 Kg | Weights given are for a dual PSU unit. Packaged weight includes the unit, printed documentation and approved accessories (see Approved accessories for nShield Connect on page 58).
Dimensions | 190 x 590 x 890mm | 43.4 x 430 x 690mm | The unit is compatible with 1U 19" rack systems. Measurements given are height x width x length/depth. If inner slide rails are attached, width of unpackaged unit is 448mm.

Temperature and humidity recommendations


We recommend that your HSMs operate within the following environmental conditions.


nShield PCI and PCIe modules

Environmental conditions | Operating range (min.) | Operating range (max.) | Unit | Comments
Ambient operating temperature | 10 | 35 | °C | Subject to sufficient air flow.
Storage temperature | -20 | 70 | °C | -
Operating humidity | 10 | 90 | % | Relative. Non-condensing at 35°C.
Storage humidity | 0 | 85 | % | Relative. Non-condensing at 35°C.

Cooling requirements

Adequate cooling of your module is essential for trouble-free operation and a long operational
life.

During operation you can check the actual and maximum temperature of your HSM with the
supplied stattree utility. If your HSM exceeds the safe operating temperature, the HSM stops
operating and displays the SOS-T error message (see Operational mode errors on page 56).

Temperature-sensitive label

Some nShield PCI and PCIe modules have a temperature-sensitive label that indicates the
maximum temperature to which the module has ever been exposed.

The label shows six temperatures between 29°C and 82°C with a small white square representing
each temperature. The white squares become permanently grayed if the module is ever exposed
to that temperature. It is normal for the first two squares, 29°C and 40°C, to be grayed.


nShield Connect

Environmental conditions | Operating range (min.) | Operating range (max.) | Unit | Comments
Guaranteed operating temperature | 10 | 35 | °C | Guaranteed performance within this temperature range.
Operating temperature | 5 | 40 | °C | -
Storage temperature | -20 | 70 | °C | -
Operating humidity | 10 | 90 | % | Relative. Non-condensing at 35°C.
Storage humidity | 0 | 85 | % | Relative. Non-condensing at 35°C.
Pressure | 0 | 2000 | M | -

The nShield Connect is designed to operate in moderate climates only. Never operate the
unit in dusty, damp or excessively hot conditions.

Never install, store or operate the nShield Connect at locations where the unit may be
subject to dripping or splashing liquids.

Cooling requirements

Adequate cooling of your nShield Connect is essential for trouble-free operation and a long
operational life. During operation, you can check the actual and maximum temperature of your
unit with the stattree utility supplied by Thales.

If the internal module of the nShield Connect exceeds the safe operating temperature, the unit
stops operating and displays the SOS-T error message (see Operational mode errors on page 56).

If the entire unit overheats, the unit will either shut down or turn on the orange warning LED and
display a critical error message onscreen (see Orange warning LED on page 38).

To help ensure adequate cooling, check that the front and the rear vents on the nShield
Connect are not blocked.

Contacting Support
To obtain support for your product, visit http://iss.thalesgroup.com/en/Support.aspx and click
Support for nCipher product line.


Before contacting the Support team, click Guidance for contacting Support to see the information
that the team requires. When you have collected the required information, click Submit Technical
Query to see the Support team contact information.

Recycling and disposal information


A Takeback and Recycle program is provided in compliance with the WEEE (Waste Electrical
and Electronic Equipment) directive for the recycling of electronic equipment.

The program enables you to return an obsolete or excess nCipher-branded product, which is then
disposed of in an environmentally safe manner. For further information or to arrange the safe
disposal of your product, e-mail recycling@ncipher.com.

Chapter 2: Installing nShield PCI and PCIe modules

This chapter describes how to install nShield PCI and PCIe modules.

Before installing an nShield PCI or PCIe module


Before you install your nShield PCI or PCIe module, check the packing list in the module box.
The packing list contains a full list of items shipped with that module. If anything is missing,
contact Support.

Check the module to ensure that there has been no attempt to subvert the security of the system:

If your nShield PCI or PCIe module has a temperature-sensitive label, check the label on the
top of the module to ensure that the module has not been exposed to excessive temperatures
(see Temperature and humidity recommendations on page 12).

Check the epoxy resin security coating or metal lid of your module for obvious signs of
damage.

If you install your module with an external smart card reader, check that:

- the reader is directly connected to the module (or directly connected to the EMI filter, if
a filter is fitted)

- the cable has not been tampered with.

Check that the two switches on the module, if fitted, are in the off position.

Figure 1 Jumper switch positions (Off and On)

Check that the Mode switch, if fitted, is in the center operational position (see Figure 2).

Note After installing the module, check the module regularly to ensure that it has not been
tampered with during operation.


Figure 2 Back panel and switches (nShield PCI module (left) and nShield PCIe module (right))

Label | Description
A | Status LED
B | Clear switch
C | Mode switch
D | Override jumper (shown in off position)
E | Unused jumper (shown in off position)
F | Smart card connector (D-type connector on nShield PCI module (left), mini-DIN connector on nShield PCIe module (right))

Note The configuration of connectors varies between modules, and may not be as shown in
Figure 2.


Environmental requirements
When installing the nShield PCI or PCIe module, ensure that there is good air flow around it. To
maximize air flow, use a PCI or PCIe slot with no neighboring nShield modules if possible. If air
flow is limited, consider fitting extra cooling fans to your computer case.

Failure to provide adequate cooling may result in damage to the nShield module or the
computer into which the module is fitted.

Always handle your nShield PCI or PCIe module correctly. For more information, see
Handling HSMs on page 11.

Power requirements

Module | Supply voltage | Maximum current (I) | Maximum power
nShield PCI module | 5.5V | 2.5A | 14W
nShield PCIe module | 3.3V | 1.9A | 6.3W
 | 12V | 0.3A | 3.6W

Note Ensure that the power supply in your computer is rated to supply this electric power.

Provided that your computer has the required electric power and sufficient cooling, you can
install multiple nShield PCI or PCIe modules in your computer.

Installing an nShield PCI or PCIe module


To install an nShield PCI or PCIe module, complete the following steps:

1 Shut down the computer and disconnect from the power supply.

2 Open the computer case and locate an empty PCI or PCIe slot, as appropriate. If necessary,
follow the instructions supplied by your computer manufacturer.

3 Insert the contact edge of the nShield PCI or PCIe module into the empty slot. Press the card
firmly into the connector to ensure that:

- the contacts are fully inserted in the connector

- the back panel is correctly aligned with the access slot in the chassis.


4 Install the bracket screw that secures the nShield PCI or PCIe module to the computer chassis.

5 Replace the computer case.

Fitting an nShield PCIe module with a low profile bracket


Before installing an nShield PCIe module in a low height card slot, you must replace the standard
full height bracket with the low profile bracket supplied with the module.

Figure 3 Removing the full height bracket (left) and fitting the low profile bracket (right)

To fit the low profile bracket to the module, complete the following steps:

1 Remove the two screws from the solder side of the nShield PCIe module.

2 Remove the full height bracket.

3 Fit the low profile bracket to the component side of the module.

4 Insert the two screws into the solder side of the module to secure the bracket. Do not
overtighten the screws.


Fitting an EMI filter to an nShield PCI module


Some nShield PCI modules are supplied with an EMI filter fitting kit. The kit contains an EMI
filter, two tubular spacers, and two threaded bolts. You may need to fit an EMI filter to comply
with the FIPS 140-2 level 3 standard.

Note An EMI filter is unnecessary for nShield PCIe modules.

To fit an EMI filter, complete the following steps:

1 Place a tubular spacer between the flanges on one side of the EMI filter.

2 From the pin-end of the EMI filter (the end with the nine small metal pins), insert the bolt
through the flanges and the tubular spacer. The threaded end of the bolt must protrude from
the flange at the hole-end of the EMI filter (the end with the nine small holes in black plastic).

Figure 4 Installing the EMI filter

3 Repeat the preceding steps for the flanges on the other side of the EMI filter.

4 Fit the hole-end of the EMI filter to the 9-pinned port on your nShield PCI module.

Fitting a smart card reader


Fit the smart card reader into the smart card connector on the back panel of the nShield PCI or
PCIe module.

Note A D-Type to Mini-DIN adapter cable is supplied with nShield PCIe modules.


After installing the nShield PCI or PCIe module


After installing the module, you must install the nCipher software.

Although methods of installation vary from platform to platform, the nCipher software should
automatically detect the module on your computer, and install the drivers. No system restart is
required.

For more information, see the appropriate User Guide for your module type.

Chapter 3: Installing the nShield Connect

This chapter describes how to install an nShield Connect. For more information about connecting
the unit to the network, and configuring the unit for connection to one or more clients on the
network, see the nShield Connect and netHSM User Guide.

Note You cannot install or configure the nShield Connect remotely.

Environmental requirements
To ensure good air flow through and around the nShield Connect after installation, do not obstruct
either the fans and vents at the rear of the unit or the vent at the front of the unit.

Always handle HSMs correctly. For more information, see Handling HSMs on page 11.

Power requirements
The nShield Connect draws up to 220 watts:

2.0A at 110V AC 60Hz.

1.0A at 220V AC 50Hz.

Note nShield Connect PSUs are compatible with international mains voltage supplies.


Safety
Only connect to earthed supply sockets. The nShield Connect is of Class 1 construction and
must be earthed.


The M4 stud on the rear panel of the nShield Connect is a functional earthing terminal for
EMC purposes. Do not connect protective earth bond conductors to this terminal.


For more safety information concerning the nShield Connect, see nShield Connect safety
warnings on page 8.

Before installing the nShield Connect


Before installing the nShield Connect:

Carefully unpack the nShield Connect.

Retain all parts of the nShield Connect packaging, including the outer (brown) shipping
carton, in case the unit needs to be returned. Your warranty or maintenance agreement
does not cover returned units that are damaged due to shipping in non-approved packaging.

Check the packing list in the unit box. The packing list contains a full list of items shipped with
that unit. If any item is missing, contact Support.

Check the physical security of the nShield Connect. For more information, see the nShield
Connect Physical Security Checklist.

Breaking the security seal or dismantling the unit results in any remaining warranty cover,
the maintenance and support agreement, or both being rendered void.


Check the optional slide rail components. A pair of slide rails are used to mount the nShield
Connect in a 19" rack. If any components are missing, contact Support.

Optional: Mounting the nShield Connect in the rack


The nShield Connect is a 19" 1U-height device that you can mount in a rack. The instructions
provided are for a rack with rectangular (window) holes. Consult your rack vendor for assistance
in mounting the unit in other types of rack.

Mounting the unit in a rack is just one of the installation options available to you (see Further
options for installing the nShield Connect on page 30).

Do not mount the equipment in the rack in such a way as to cause a hazardous condition
through uneven mechanical loading.

A pair of slide rails are used to mount the nShield Connect in a 19" rack. The optional slide rail
components supplied with the nShield Connect are described in the following table and
referenced throughout the procedure for mounting the unit in the rack. You require the following
tools to carry out this installation:

- A slotted screwdriver.
- A 7mm spanner.
- A cage nut insertion tool.


Figure 5 Table: Optional slide rail components

Component and description | Number of components | Key to figures
Inner slide rail | 2 | A
Outer slide rail | 2 | B
Mounting bracket (front) | 2 | C
Mounting bracket (rear) | 2 | D
To fix the mounting brackets to the outer slide rails:
Screw M4 x 8mm Pan Head | 8* | E
Nut M4 | 8 | F
Washer M4 | 8 | G
To fix the completed outer slide rails to the rack:
Nut bar M5 | 4 | H
Screw M5 x 12mm Pan Head | 8* | I
Nut Caged Narrow M6 | 10* | J
To fix the inner slide rails to the sides of the nShield Connect:
Screw M4 x 6mm Pan Head | 10* | K

* The 8mm and 12mm screws are in the bag marked DZ63460-4. The 6mm screws and cage nuts
are in a separate bag.

The inner slide rail and the outer slide rail, when fully assembled and installed, comprise a 26"
telescopic runner.

Note Depress the safety catch on each of the runners to separate them into their component
parts (inner and outer slide rails) before you begin the process of mounting the nShield
Connect in a 19" rack. The safety catches are shown in Figure 11.

Be careful of sharp edges when disassembling and assembling slide rail components.


To mount the nShield Connect in the rack:

1 Fit the cage nuts to the rack. The cage nuts help secure the outer slide rails to the rack. You
must fit:

- Three cage nuts (for each side) into the window holes at the front of the rack.

- Two cage nuts (for each side) into the window holes at the rear of the rack.
Figure 6 Fitting the cage nuts into the window holes in the rack

Note: In Figure 6, the two-headed arrow indicates the distance between the inside faces of the
front and rear cage nuts. Measuring this distance can help you adjust the outer slide rails
to the correct length for your rack (see Step 3).

2 Fit the front and rear rail brackets to each of the outer slide rails, using the supplied M4 x
8mm pan head slotted screws, M4 nuts and M4 washers.

Fit the screws so that the nuts and washers are on the outside of the rail assembly, as shown
in Figure 7.

Note: Due to the wide variation in rack sizes, there are a number of different holes in the outer
slide rails. Use the holes that achieve the best fit for your rack.

Figure 7 Fitting the rail brackets to the outer slide rails

3 Fit the outer slide rails to the rack, using the supplied M5 nut bars and M5 x 12mm slotted
pan head screws. Two of the three cage nuts fitted to the front of the rack, and both the cage
nuts at the rear of the rack, act as spacers as the screws pass through and engage with the nut
bars (see Figure 8).

Note: If required, the orientation of the M5 nut bars can be reversed to achieve further width
adjustment.

Ensure that the ends of the rails with the plastic inserts are at the front of the rack. Adjust the
length of the slide rails, if required. Do not tighten the screws before testing the fit of the outer
rails (see Step 5).

Figure 8 Fitting the outer slide rails to the rack

4 Fit the inner slide rails to the sides of the nShield Connect, using the M4 x 6mm slotted pan
head screws. Check that all the screws are tight.
Figure 9 Fitting the inner slide rails to the unit


5 Before sliding the nShield Connect into the rack, ensure that:

- The ball retainer for each of the outer slide rails is drawn forward to the very front of the
rack. You can damage the slide rails if the inner slide rails do not connect properly with
the ball retainers (see Figure 10).

- The unit is perfectly horizontal and parallel to the rails. Positioning the unit correctly
means that the movement of the ball retainers is synchronised as you slide the unit into
the rack. Careful positioning also helps to protect the rails from damage caused by
misalignment.
Figure 10 Draw the ball retainer to the front of the rack

You might find it easier with two people lifting the unit.

6 After ensuring that the inner slide rails have connected properly with the outer slide rails,
slide the nShield Connect into the rack until the unit is stopped by the spring safety catches.

Push the spring safety catches inwards (towards the unit) and continue sliding the unit into
the rack carefully, ensuring you do not trap your fingers.

Figure 11 Sliding the nShield Connect into the rack

7 After ensuring that the slide rails are fitted correctly, tighten the slide rail brackets, then use
the two thumb screws on either side of the nShield Connect to lock the unit into position in
the rack.

Further options for installing the nShield Connect


Mounting the nShield Connect in a rack is only one of the installation options available.

To install the unit in a cabinet or a shelf, fit the four self-adhesive rubber feet (supplied with the
unit) to the bottom of the nShield Connect. An X is scored into the chassis at each of the four
corners on the bottom of the unit as a guide to placing the feet.

Take due account of the weight and dimensions of the unit when selecting a location for
storage or installation (see Handling HSMs on page 11).

Connecting the nShield Connect

Connecting the optional USB keyboard


As an alternative to performing all configuration operations with the controls on the front panel,
you can connect and use a US or UK keyboard. You might find this easier for entering dates and
IP addresses. You connect the keyboard to the USB connector on the front of the unit:


Figure 12 Connecting the optional USB keyboard

Connecting Ethernet and power cables


The nShield Connect is an Ethernet network device, capable of supporting up to 100m of
Ethernet cable. You must use a CAT5e UTP cable or better when connecting the unit to a 100Mbit
or 1Gbit Ethernet device. You must use a CAT3 cable or better for 10Mbit connections.

The connectors for Ethernet cables and mains power cables are at the rear of the unit. Ensure that:

You connect mains power cables to both the PSUs on a dual PSU nShield Connect.

The rocker switch for each PSU is in the on position.

If the green LED on the PSU is on, the PSU is operational and receiving power. If a power cable
is not fitted correctly, or a rocker switch is not turned on, an audible warning is given and the
orange warning LED on the front panel is turned on.

For more information about:

Audible warnings, see Audible warnings on page 37.

The orange warning LED, see Orange warning LED on page 38.

Identifying and replacing a faulty PSU, see Replacing the PSU on page 47.

Figure 13 Connecting Ethernet and power cables (dual PSU nShield Connect shown)

Key Description
A Green LED (if on, confirms power is on)
B Rocker switch (to turn PSU on and off)
C Ethernet cable (two Ethernet connectors are available)
D Mains power cables. Dual PSU nShield Connect shown (connect a mains
cable to a single PSU nShield Connect in the same way)

Ensure all power cables are routed to avoid sharp bends, hot surfaces, pinches and
abrasion.

Checking the installation


Before installing the nCipher software, check the installation of the nShield Connect. Ensure that:

The nShield Connect has been safely and securely installed in its selected location (whichever
installation option was selected).

The mains cables and Ethernet cable are securely fitted.

The unit powers up successfully when you turn on the PSU(s) at the rear of the unit.

Installing the software


After installing the nShield Connect, you must then install the nCipher software on the client
computer and the computer designated as your remote file system. For more information, see the
nShield Connect and netHSM User Guide.



Chapter 4: Troubleshooting

This chapter describes what to do if you have an issue with your nShield HSM, or your nCipher
software.

All nShield HSMs: checking operational status


The following methods of checking operational status are common to all nShield HSMs.

Enquiry utility
Run the enquiry utility to check that your HSM is working correctly. You can find the enquiry
utility in the bin subdirectory of the nCipher directory. This is usually:

C:\Program Files\nCipher\nfast for Windows.

/opt/nfast for Unix-based systems.

If the HSM is working correctly, the enquiry utility returns the message:

Server:
enquiry reply flags none
enquiry reply level Six
...
Module #1:
...
mode operational
version #.##.#

If the output from the enquiry utility does not show mode operational, you can use the Status LED
to discover the status of the HSM.


Status LED
The blue Status LED indicates the operational status of the HSM.

Status LED: Off
Status indicated: Power off or Standby mode
Meaning:
  There is either no power supply to the HSM or the HSM is in standby mode. If you suspect
  that there is no power supply, check that your HSM is properly connected and switched on.
  If you believe the power supply has failed, contact Support.

Status LED: On, occasionally blinks off
Status indicated: Operational mode
Meaning:
  The HSM is in operational mode and accepting commands. The more frequently the Status LED
  blinks off, the greater the load on the HSM.

Status LED: Flashes two short pulses, followed by a short pause
Status indicated: Initialization mode
Meaning:
  Existing security world data on the HSM has been erased. If you still have a valid
  Administrator Card Set and the host security world data, you can reprogram the module into
  your current security world as described in the User Guide. Otherwise, you must create a new
  security world and reissue keys. You can no longer use smart cards that formed part of your
  existing Operator Card Sets.
  You can place your nShield Connect in initialization mode with the front panel controls. A
  yellow footer is displayed at the bottom of the display screen when the unit is in
  initialization mode (see Display screen on page 39).
  The nShield Connect is automatically placed in the initialization mode after a security world
  is created. For more information, see the nShield Connect and netHSM User Guide.

Status LED: Flashes two long pulses followed by a pause
Status indicated: Maintenance mode
Meaning:
  Used for reprogramming the HSM with new firmware.
  Existing security world data on the module has been erased. If you still have a valid
  Administrator Card Set and the host security world data, you can reprogram the module into
  your current security world as described in the User Guide. Otherwise, you must create a new
  security world and reissue keys. You can no longer use smart cards that formed part of your
  existing Operator Card Sets.
  The nShield Connect only goes into maintenance mode during a software upgrade. A red footer
  is displayed at the bottom of the display screen when the unit is in maintenance mode (see
  Display screen on page 39).

Status LED: Flashes SOS, the Morse code distress code (flashes three short pulses, three long
pulses, three short pulses)
Status indicated: Error
Meaning:
  If a command does not complete successfully, the module normally writes an error message to
  the log file and continues to accept further commands. If a module encounters an
  unrecoverable error, it enters the error mode. In the error mode, the module does not respond
  to commands and does not write data to the bus.
  After flashing SOS, the Status LED flashes an error code in Morse code. See Appendix A: Morse
  code error messages.

nShield PCI and PCIe modules only: checking operational status

The following methods of checking operational status are specific to nShield PCI and PCIe
modules.

nCipher server
An application can only communicate with an nShield PCI or PCIe module if the nCipher server
program is running. If the server is not running, the enquiry utility returns the message:

NFast_App_Connect failed: ServerNotRunning


Restart the nCipher server, and run the enquiry utility again. For information on restarting the
server program, see the nShield User Guide.

Mode switch
The Mode switch on the back panel controls the mode of nShield PCI and PCIe modules. To
prevent accidental operation of the Mode switch, turn on the override switch on the HSM. If this
override switch is on, the HSM ignores the position of the Mode switch.

If your nShield PCI or PCIe module does not enter initialization or maintenance mode:

1 Check that the override switch is off (see Figure 2).

2 Clear the module in either of two ways:

- Run the command:

nopclearfail --clear --all

- Press the Clear switch.

Figure 14 Back panel and switches (nShield PCI module (left) and nShield PCIe module (right))

Label Description
A Status LED
B Clear switch
C Mode switch
D Override jumper (shown in off position)
E Unused jumper (shown in off position)
F Smart card connector (D-type connector on nShield PCI module (left), mini-DIN
connector on nShield PCIe module (right))

nShield Connect only: checking operational status


The following methods of checking operational status are specific to the nShield Connect.

Audible warnings
An audible warning is given for some critical errors relating to the PSUs on the nShield Connect.

An audible warning is given when one of the PSUs on a dual PSU nShield Connect is powered
and turned on and the other is disconnected or turned off. Unless there is a problem with one of
the PSUs, the audible warning is turned off when:


Mains power cables are connected to both PSUs.

The rocker switch on each PSU is in the on position.

The orange warning LED on the front panel, which accompanies the audible warning, is also
turned off.

If the audible alarm continues, there may be a problem with a PSU. Before investigating the issue
further, you can switch off the audible alarm by navigating to the Critical errors screen. The
orange warning LED, which accompanies the audible alarm, remains on until the issue is
resolved.

For more information about:

Identifying and replacing a failed PSU, see Replacing the PSU on page 47.

The orange warning LED, see the section below.

Orange warning LED


If the orange warning LED is on, the nShield Connect has encountered a critical error (for
example, overheating or PSU failure) that demands immediate action. For a list of critical errors,
navigate to System information > View h/w diagnostics > Critical errors.

Checking the physical security of the nShield Connect


The physical security measures implemented on the nShield Connect include tamper detection
functionality, which helps alert you to tampering in an operational environment. For more
information about the tamper detection functionality on the unit, including the tamper warning
messages that are displayed in the event of tamper, see either the nShield Connect Physical
Security Checklist or the nShield Connect and netHSM User Guide.


Display screen
When the nShield Connect is in maintenance or initialization mode, a color-coded footer is
displayed at the bottom of the display screen. No footer is displayed when the unit is in
operational mode.

Footer color   Text in footer   Meaning
Yellow         Initialization   The system is rebooting or waiting for an Administrator Card
                                to be inserted.
Red            Maintenance      An administrative task is being performed. This mode is only
                                entered during firmware upgrades.

Do not interrupt power to the nShield Connect during a firmware upgrade.

Note: The blue Status LED flashes to indicate the status of the internal security module. For more
information about the blue Status LED, see Status LED on page 34.

Power button
The power button, in combination with the display screen, indicates the general status of the
nShield Connect.

Note: The display screen turns off automatically if the front panel buttons are inactive for more
than three minutes. Press any front panel button to turn the display screen back on.

Power button: On
Display screen: On, displaying menus and dialogs.
Status: The nShield Connect is operational.

Power button: On
Display screen: On, displaying messages but not displaying labels for the navigation buttons.
Status: The nShield Connect is running an upgrade. A color-coded footer indicates the specific
status: yellow for initialization, red (maintenance) for upgrade.

Power button: On, flashes occasionally
Display screen: On, displaying messages but not displaying labels for the navigation buttons.
Status: The nShield Connect is performing start-up.

Power button: Mostly off, flashes occasionally
Display screen: Off
Status: The nShield Connect is in standby mode (that is, it has been powered down from the
front panel using the Power button). Press the Power button to turn it on.

Power button: Flashing regularly
Display screen: On, with Critical Error message.
Status: The nShield Connect is unable to start-up or has failed. The error message describes
the problem. If you can remedy the problem, do so, and press the Power button to restart the
unit. Otherwise, contact Support.

Power button: Flashing irregularly
Display screen: Off
Status: A low-level critical error has occurred.

Ethernet LEDs
There are two LEDs for each of the two Ethernet ports on the nShield Connect. The Ethernet
LEDs indicate the status of the connection with other Ethernet devices.

Ethernet LEDs           Status
Flashing regularly      The status of the Ethernet link is currently unknown (the Ethernet LEDs
                        will flash when the nShield Connect is powering up).
Off                     There is no Ethernet link. The Ethernet cable is either not connected to
                        the nShield Connect or the cable is not connected to a functioning
                        Ethernet device.
On, green only          Indicates a 10Mb or 100Mb Ethernet link.
On, green and orange    Indicates a 1Gb Ethernet link.

Checking the log messages

Log messages for an nShield PCI or PCIe module


The environment variable NFAST_SERVERLOGLEVEL determines what types of message you
see in your log. The default is to display all types of message. For more information on
NFAST_SERVERLOGLEVEL, see the nShield User Guide.

The nCipher server writes log messages to:

The event log in Windows Operating Systems.

log/logfile in the nCipher directory (normally the /opt/nfast/log directory) in Unix-based
Operating Systems.


Log messages for the nShield Connect


To view log messages from the main menu of the nShield Connect:

1 Select System > System information

2 Select either:

- View system log

- View hardserver log

For more information about using the front panel controls to view and select menu items, see the
nShield Connect and netHSM User Guide.

The client can also store logs, where they can be configured to contain different types of message.

Log message types

Information
This type of message indicates routine events:

nFast Server service: about to start
nFast Server service version starting
nFast server: Information: New client clientid connected
nFast server: Information: New client clientid connected - privileged
nFast server: Information: Client clientid disconnected
nFast Server service stopping

Notice
This type of message is sent for information only:

nFast server: Notice: message

Client
This type of message indicates that the server has detected an error in the data sent by the client
(but other clients are unaffected):

nFast server: Detected error in client behaviour: message


Serious error
This type of message indicates a serious error, such as a communications or memory failure:

nFast server: Serious error, trying to continue: message

If you receive a serious error, even if you are able to recover, contact Support.

Serious internal error


This type of message indicates that the server has detected a serious error in the reply from the
module. These messages indicate a failure of either the module or the server:

nFast server: Serious internal error, trying to continue: message

If you receive a serious internal error, contact Support.

Start-up errors
This type of message indicates that the server was unable to start:

nFast server: Fatal error during startup: message
nFast Server service version failed init.
nFast Server service version failed to read registry

Reinstall the server as described in the appropriate User Guide for your module type. If
reinstallation does not solve the problem, contact Support.

Fatal errors
This type of message indicates a fatal error for which no further reporting is available:

nFast server: Fatal internal error

or

nFast server: Fatal runtime error

If you receive either of these errors, contact Support.
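As an added example (not part of the guide or the nCipher software), the following Python sketch sorts server log lines into the message types listed above and attaches the action the guide gives for each type. The timestamp prefix, client identifiers and version string in the sample are constructed, and listing privileged client connections separately is this example's own choice.

```python
import re
from collections import Counter

# (message type, pattern, action the guide gives for that type; None = routine)
RULES = [
    ("Start-up error",
     r"nFast server: Fatal error during startup:"
     r"|nFast Server service .*failed (?:init\.|to read registry)",
     "Reinstall the server; if that does not solve the problem, contact Support"),
    ("Fatal error", r"nFast server: Fatal (?:internal|runtime) error",
     "Contact Support"),
    ("Serious internal error",
     r"nFast server: Serious internal error, trying to continue:",
     "Contact Support"),
    ("Serious error", r"nFast server: Serious error, trying to continue:",
     "Contact Support, even if you are able to recover"),
    ("Client", r"nFast server: Detected error in client behaviour:", None),
    ("Notice", r"nFast server: Notice:", None),
    ("Information",
     r"nFast server: Information:"
     r"|nFast Server service\b.*(?:about to start|starting|stopping)", None),
]
COMPILED = [(name, re.compile(pattern), action) for name, pattern, action in RULES]

# Privileged client connections are logged as Information; this example lists
# them separately so they can be reviewed (a choice made here, not by the guide).
PRIVILEGED = re.compile(r"New client (\S+) connected - privileged")


def classify(line):
    """Return (message type, action) for one log line."""
    for name, pattern, action in COMPILED:
        if pattern.search(line):
            return name, action
    return "Unrecognised", None


def triage(lines):
    """Count message types, collect lines needing action, list privileged clients."""
    counts, actionable, privileged = Counter(), [], []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        kind, action = classify(line)
        counts[kind] += 1
        if action:
            actionable.append((number, kind, action))
        match = PRIVILEGED.search(line)
        if match:
            privileged.append(match.group(1))
    return {"counts": dict(counts), "actionable": actionable,
            "privileged": privileged}


# Constructed sample log: timestamps, client ids and version are made up.
SAMPLE_LOG = """\
2011-01-06 09:00:01 nFast Server service: about to start
2011-01-06 09:00:02 nFast Server service 0.0.0 starting
2011-01-06 09:00:07 nFast server: Information: New client c1 connected
2011-01-06 09:01:12 nFast server: Information: New client c2 connected - privileged
2011-01-06 09:03:40 nFast server: Detected error in client behaviour: constructed message
2011-01-06 09:05:00 nFast server: Serious error, trying to continue: constructed message
2011-01-06 09:05:03 nFast server: Serious internal error, trying to continue: constructed message
2011-01-06 09:06:00 nFast server: Information: Client c1 disconnected
2011-01-06 09:07:00 nFast server: Fatal runtime error
2011-01-06 09:08:00 unrelated line (constructed)
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print(report["counts"])
    for number, kind, action in report["actionable"]:
        print(f"line {number}: {kind} -> {action}")
    print("privileged clients:", report["privileged"])
```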


Utility error messages

BadTokenData error in nShield modules

Some nShield modules are equipped with a rechargeable back-up battery for maintaining real-time
clock (RTC) operation when the module is powered down. This battery normally lasts for
up to two weeks.

If the module is without power for an extended period, the RTC time is lost. When this happens,
attempts to read the clock (for example, using the ncdate or rtc utilities) return a BadTokenData
error status.

The correct procedure in these cases is to reset the clock and leave the module powered up for at
least ten hours to allow the battery to recharge. No other nonvolatile data is lost when this occurs.

nShield Connect only: Power supply unit (PSU) and fan tray replacement

The nShield Connect is designed for high availability. Power supply unit (PSU) or fan tray
module failure should not occur during the life of the product. In the very rare event that a PSU
or fan tray module requires replacement, contact Support before carrying out the replacement
procedure.

Always handle HSMs correctly. For more information, see Handling HSMs on page 11.

Replacing the fan tray module


The nShield Connect fan tray module contains the main cooling fans and the back-up batteries
for the tamper detection functionality. The fan tray module is outside the security boundary, and
can be safely replaced without activating a tamper event. Fan tray modules should not be
modified in any way. Faulty fan tray modules should be returned for recycling (see Recycling and
disposal information on page 15).

Note: The back-up batteries on the fan tray module provide reserve capacity (a guaranteed
minimum of 3 years) for the tamper detection functionality when the nShield Connect is in
an unpowered state.


If you receive any of the following error messages, accompanied by the orange warning LED,
follow the related action in the table below:

Error message        Action
Single fan fail      Contact Support
Many fans fail       Replace fan tray
Battery power low    Replace fan tray

If the error message is Single fan fail, the nShield Connect can continue operating under the
specified operating environment. Although you are advised to contact Support, the limited nature
of such a failure means you can replace the fan tray module at your convenience.

If the error message is either Many fans fail or Battery power low, you must replace the fan tray
module immediately.

Before you begin the replacement procedure, press the power button on the front panel to power
down the nShield Connect. The unit is now in standby mode. Removing the fan tray module
without powering down will cause the unit to shut down to prevent damage from overheating.

We recommend that you keep the nShield Connect powered in standby mode when replacing the
fan tray module. This provides auxiliary power to feed the tamper circuitry and allows you to
replace the fan tray at your convenience. However, if you do remove mains power, you must
install the replacement fan tray within one hour to ensure that a tamper event is not activated.

Note: Tamper detection functionality remains operational for at least an hour after the fan tray
module is removed for replacement.

If a replacement fan tray is immediately at hand, you can remove the faulty fan tray module from
the unit and install the replacement fan tray module in less than an hour. The process of removing
and replacing the fan tray cover does not affect the nShield Connect or the tamper detection
functionality.

For more information about the physical security measures implemented on the nShield Connect,
see the nShield Connect and netHSM User Guide.

To replace the fan tray module (as shown in Figure 15):

1 If the unit is rack mounted, loosen the thumb screws (D) and carefully pull the unit out of the
rack (checking the cabling) until the slide rail latches lock.

2 Using the T10 Torx screwdriver supplied with your replacement fan tray module, remove the
fan tray cover (A) by carefully removing the four retaining screws (C). Retain the screws.


3 Remove the fan tray module (F).

Note: Use the handle bar (B) on the front of the fan tray module to pull the fan tray module from
the chassis. Removing the fan tray module may require a firm pull.

4 Install the replacement fan tray module in the chassis carefully. Ensure that the fan tray
module is:

- Slotted into the mounting rail (G).

- Fully seated in the chassis.

If the fan tray module is not fully seated, the fans may not work when you place the nShield
Connect in operational mode. You may also receive a low battery warning. If you encounter
such an issue, check for obstructions in the chassis cavity and reseat the fan tray module.

Do not use a screwdriver or other tools to lever the fan tray module in or out of the chassis
cavity as this can cause damage to the EMC gasket (E).

5 Replace the fan tray cover (A) over the fan tray module, taking care to align the four screw
holes in the fan tray cover with the four screw holes on the unit. Using the T10 Torx
screwdriver, secure the fan tray cover with the screws retained in Step 2.

Note: Take care not to overtighten the screws.

6 If the unit is rack mounted, unlock the slide rail latches and carefully push the unit back into
the rack. Lock it in place with the thumb screws (D), and check the cabling.

7 Restart the nShield Connect using the power button on the front panel. Monitor start up to
ensure that no problems are reported.

Figure 15 Removing and replacing the fan tray module

Key Description
A Fan tray cover.
B Handle bar. Use the handle bar to pull the fan tray module out of the chassis and
push the replacement fan tray module into the chassis cavity.
C Four retaining screws used to secure the fan tray cover. Remove and replace
using a T10 Torx screwdriver.
D Thumb screw (secures the fan tray cover in the rack).
E EMC gasket fitted to the edges of the fan tray module front grill. Take care not to
damage the EMC gasket when pushing fan tray module into the chassis cavity.
F Fan tray module.
G Mounting rail.


Replacing the PSU


If the nShield Connect is fitted with dual PSUs, the orange warning LED comes on and an
onscreen error message is displayed if a PSU fails. Although you are advised to contact Support,
the unit can continue to operate normally and you can replace the failed PSU at your convenience.
There is no need to power down the unit when you replace the failed PSU.

Note: In addition to the orange warning LED, an audible warning is given when a PSU fails on a
dual PSU nShield Connect. The audible warning is turned off when you navigate to the
Critical errors screen. For more information, see Audible warnings on page 37.

If the PSU fails on a unit with a single PSU, the unit shuts down. However, all key data is
preserved, and tamper functionality remains operational. To return a unit with a single PSU to
normal operation, you must replace the PSU.

Note: We guarantee a minimum battery life of up to three years for the nShield Connect, even if
it is never connected to mains power during this time.

Figure 16 Replacing the PSU (dual PSU unit shown)

Key Description
A Green LED
B Retaining screw (M3 x 6mm). Remove and replace using a Pozidrive No.1
screwdriver
C Rocker switch (to turn the PSU on and off)
D PSU
E Handle for pulling the PSU out of the chassis

Note: Figure 16 illustrates an example PSU replacement operation on the right-hand PSU in a
dual PSU nShield Connect. You can perform the PSU replacement operation on any PSU,
regardless of whether the unit is dual PSU or single PSU.


To replace the PSU:

1 Step for dual PSU units only: An onscreen message is displayed stating that a PSU has failed.
An audible warning is also given (see Audible warnings on page 37).

To identify the failed PSU:

a Go to the rear of the unit where the PSUs are located.

b Check the green LED on each of the PSUs. If the LED is off, check that the rocker switch
on the PSU has not been turned to the off position.

c If the LED remains off, even after the rocker switch has been turned to the on position,
then you must replace the PSU.

2 Remove the mains cable from the failed PSU. Using a Pozidrive No.1 screwdriver, remove
the retaining screw from the failed PSU. Retain the screw.

3 Remove the failed PSU, as shown in Figure 16.

4 Install the replacement PSU. Ensure that the PSU is:

- Correctly orientated (the green LED should be on the bottom left of the PSU).

- Correctly seated in the chassis.

5 Replace the retaining screw retained in Step 2 and tighten securely using the Pozidrive No.1
screwdriver. Reconnect the mains cable and turn the PSU rocker switch to the on position.

Single PSU nShield Connect: The unit restarts as soon as power is applied. Monitor start up to
ensure that no problems are reported.

Dual PSU nShield Connect: Check that the green LED for the replacement PSU is on and that
the display screen no longer indicates PSU failure.



Appendix A: Morse code error messages

If a module encounters an unrecoverable error, it enters the error state. In the error state, the
module does not respond to commands and does not write data to the bus.

The blue Status LED flashes the Morse distress code (SOS: three short pulses, followed by three
long pulses, followed by three short pulses). The Morse distress code is followed by one of the
error codes listed in the tables shown in this appendix.

Errors are a rare occurrence. If any module goes into the error state, except as a result of you
issuing the Fail command, contact Support, and give full details of your set up and the error code.

Contact Support even if you successfully recover from the error by taking the recommended
action. For troubleshooting information, see Chapter 4: Troubleshooting.

Reading Morse code


The following guidelines are useful when reading Morse code messages from the HSM:

- the duration of a dash (-) is 3 times the duration of a dot (.)
- the gap between components of a letter has the same duration as a dot
- the gap between letters has the same duration as a dash
- the duration of the gap between repeated series of letters (a Morse code word gap) is 7 times
  the duration of a dot.

Runtime library errors


Memory failures can occur if the HSM is exposed to excessive heat. If you experience these
errors, check the ventilation around the HSM. The HSM generates considerable heat and, if not
well ventilated, may be running hot, even if the rest of your server room is at an appropriate
temperature.


The runtime library error codes in the following table could be caused by either bugs in the
firmware or by faulty hardware:

Code                  Meaning                                                        Action
OLA --- .-.. .-       RAM test failure (early in startup)                            Reset HSM
OLB --- .-.. -...     Debug serial output failed                                     Reset HSM
OLC --- .-.. -.-.     SIGABRT: assertion failure and/or abort() called               Reset HSM
OLD --- .-.. -..      Interrupt occurred when disabled                               Reset HSM
OLE --- .-.. .        SIGSEGV: access violation                                      Reset HSM
OLF --- .-.. ..-.     SIGSWI: illegal SWI called                                     Reset HSM
OLI --- .-.. ..       SIGSTAK: out of stack space                                    Reset HSM
OLJ --- .-.. .---     SIGFPE: unsupported arithmetic exception (such as              Reset HSM
                      division by 0)
OLK --- .-.. -.-      SIGOSERROR: runtime library internal error                     Reset HSM
OLL --- .-.. .-..     SIGUNKNOWN: invalid signal raised                              Reset HSM
OLM --- .-.. --       SIGILL: illegal instruction                                    Reset HSM
OLN --- .-.. -.       SIGFATALPANIC: error in error handling code                    Reset HSM

Codes OLA, OLB, OLD, and OLE are more likely to indicate a hardware problem than a
firmware problem.

To reset a unit that is in an error state, turn off the unit and then turn it on again.

Hardware driver errors


In general, the hardware driver error codes described in the following table indicate that some
form of automatic hardware detection has failed. Besides indicating simple hardware failure, one
of these error codes could indicate that there is a bug in the firmware or that the wrong firmware
has been loaded:

Code                         Meaning                                                       Action

HB .... -...                 Debug serial port init. failed                                Contact Support
HC .... -.-.                 Processing thread initialization failed                       Contact Support
HD .... -..                  Failure reading unique serial number                          Contact Support
HE .... .                    EEPROM failed on initialization                               Contact Support
HI .... ..                   Interrupt controller init. failed                             Contact Support
HM .... --                   System hardware init. failed                                  Contact Support
HO .... ---                  Token interface initialization failed                         Contact Support
HP .... .--.                 Internal PCI bus fault                                        Contact Support
HR .... .-.                  Random number generator failed                                Contact Support
HT .... -                    Timer init. failed                                            Contact Support
HHD .... .... -..            Unique serial number detection failed                         Contact Support
HHG .... .... --.            Config. jumper detection failed                               Contact Support
HHI .... .... ..             Failure of either interrupt controller hardware detection     Contact Support
                             or Token I/O hardware detection
HHM .... .... --             DSP hardware detection failed                                 Contact Support
HHP .... .... .--.           PCI bus hardware detection failed                             Contact Support
HHR .... .... .-.            RTC hardware detection failed or random number generator      Contact Support
                             detection failed
HMn .... -- #                DSP n failed self-test at start up                            Contact Support
HCnCA .... -.-. # -.-. .-    CPU n failed self-test; no memory for cached RAM test         Contact Support
HCnCC .... -.-. # -.-. -.-.  CPU n failed self-test; CPU ID check failed                   Contact Support
HCnCF .... -.-. # -.-. ..-.  CPU n failed self-test; freeing memory for cached RAM test    Contact Support
HCnCG .... -.-. # -.-. --.   CPU n failed self-test; setting up cached RAM test            Contact Support
HCnCR .... -.-. # -.-. .-.   CPU n failed self-test; read error during cached RAM test     Contact Support
HCnCR .... -.-. # -.-. .--   CPU n failed self-test; write error during cached RAM test    Contact Support
HCnKE .... -.-. # -.- .      CPU n failed self-test; DES known-answer test                 Contact Support
HCnKF .... -.-. # -.- ..-.   CPU n failed self-test; Triple-DES known-answer test          Contact Support
HCnKH .... -.-. # -.- ....   CPU n failed self-test; SHA-1 known-answer test               Contact Support
HCnKM .... -.-. # -.- --     CPU n failed self-test; HMAC-SHA1 known-answer test           Contact Support
HCnKS .... -.-. # -.- --     CPU n failed self-test; DSA known-answer test                 Contact Support
HCnLC .... -.-. # .-.. -.-.  CPU n failed self-test; locking check                         Contact Support
HCnPS .... -.-. # .--. ...   CPU n failed self-test; test terminated at start              Contact Support
HCnSA .... -.-. # ... .--.   CPU n failed self-test; no memory for uncached RAM test       Contact Support
HCnSF .... -.-. # ... ..-.   CPU n failed self-test; freeing memory for uncached RAM test  Contact Support
HCnSR .... -.-. # ... .-.    CPU n failed self-test; read error during uncached RAM test   Contact Support
HCnSW .... -.-. # ... .--    CPU n failed self-test; write error during uncached RAM test  Contact Support
HCnTS .... -.-. # - ...      CPU n failed self-test; could not start test                  Contact Support

Note: In the table above, the symbol # stands for the Morse code representation of a given numeral:

Numeral Morse
1 .----
2 ..---
3 ...--
4 ....-
5 .....
6 -....
7 --...
8 ---..
9 ----.
0 -----

Maintenance mode errors


The following error codes indicate faults encountered when an HSM is in maintenance mode:

Code               Meaning                                                   Action

ID .. -..          Copies of metadata do not match when trying to run image  Contact Support
IH .. ....         Bad metadata: hash mismatch                               Repeat firmware upgrade
II .. ..           Execution image does not match metadata                   Contact Support
IL .. .-..         Bad metadata: either bad length or bad metadata when      Repeat firmware upgrade
                   running loadboot application
IM .. --           Bad metadata: malformed ImageMetaData                     Repeat firmware upgrade
IP .. .--.         Bad metadata: bad padding                                 Repeat firmware upgrade
IR .. .-.          Bad metadata: extra bytes at end                          Repeat firmware upgrade
IS .. ...          Image entry point not found                               Contact Support
IU .. ..-          Bad metadata: ROM blank                                   Repeat firmware upgrade
IX .. -..-         Bad metadata: malformed header                            Repeat firmware upgrade
JH .--- ....       Both copies of metadata invalid                           Contact Support
HZE .... --.. .    Monitor checksum failed                                   Contact Support
KFE -.- ..-. .     Flash sector erase failed                                 Repeat firmware upgrade
KFP -.- ..-. .--.  Flash sector program failed                               Repeat firmware upgrade
MMB -- -- -...     No memory for download buffer                             Contact Support

Note: For instructions on upgrading HSM firmware, see the appendix in the appropriate User
Guide for your HSM type.

Operational mode errors


The following runtime library error codes could be caused by either bugs in the firmware or by
faulty hardware:

Code             Meaning                                                    Action

D -..            Fail command received                                      Reset HSM by turning it off and then on again.
T -              Temperature of the HSM has exceeded the maximum allowable  Restart your host computer, and improve HSM cooling.
IE .. .          EEPROM data failed checksum                                Reinitialize unit.
IK .. -.-        KNSO not set                                               Contact Support
GGG --. --. --.  Failure when performing ClearUnit or Fail command          Contact Support

Appendix B: nShield Connect maintenance

The nShield Connect contains no user-serviceable parts except for PSUs and the fan tray module.
Replacing a PSU or fan tray module will not affect FIPS 140-2 validations for the unit, or result
in a tamper event. However, in the very rare event that a PSU or fan tray module requires
replacement, contact Support before carrying out the replacement procedure.

For more information about replacing either a PSU or the fan tray module, see nShield Connect
only: Power supply unit (PSU) and fan tray replacement on page 43.

Breaking the security seal or dismantling the unit results in any remaining warranty cover,
the maintenance and support agreement, or both being rendered void.

Mains power plugs on UK cordsets contain a 5A fuse (BS1362). Only replace with the same
type and rating of fuse. If a replacement fuse fails immediately, contact Support. Do not
replace with a higher value fuse.

Flash testing the nShield Connect


The nShield Connect is designed to comply with IEC/EN 60950-1 but should be tested only by
trained safety professionals. Because the unit is fitted with radio frequency interference
suppressors, it is recommended that only a D.C. test be performed.

Repeated application of the flash test can damage safety insulation.

Appendix C: Approved accessories for nShield Connect

The following optional parts can be included with your order for the nShield Connect, or
purchased retrospectively:

Part                 Part number  Comments

Slide rail assembly  AC2050       Optional slide rail assembly and fixing kit. For details of contents, see Figure 5.
USB keyboard         M-030099-L   For more information about using a USB keyboard with the nShield Connect,
                                  see Connecting the optional USB keyboard on page 30.

In addition, you can purchase the following optional parts separately:

Part                         Part number  Comments

Replacement fan tray module  AC2064       Spare part includes installation instructions.
Replacement PSU              AC2057       Spare part includes installation instructions.

If you have an enquiry about any of the parts listed, contact Support.

Appendix D: Product returns

If you wish to return your nShield product (nShield PCI/PCIe module or nShield Connect),
please contact Support for instructions first at http://iss.thalesgroup.com/en/Support.aspx.

Addresses

Americas
2200 North Commerce Parkway, Suite 200, Weston, Florida 33326, USA
Tel: +1 888 744 4976 or + 1 954 888 6200
sales@thalesesec.com

Europe, Middle East, Africa


Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ, UK
Tel: + 44 (0)1844 201800
emea.sales@thales-esecurity.com

Asia Pacific
Units 4101, 41/F. 248 Queens Road East, Wanchai, Hong Kong, PRC
Tel: + 852 2815 8633
asia.sales@thales-esecurity.com

Internet addresses
Web site: www.thalesgroup.com/iss
Support: http://iss.thalesgroup.com/en/Support.aspx
Online documentation: http://iss.thalesgroup.com/Resources.aspx
International sales offices: http://iss.thalesgroup.com/en/Company/Contact%20Us.aspx