
How to: Support for persistent OCS cardsets for nCipher HSMs

Applies To:

Trust Protection Platform 14.1 and greater

Subject:

How to support persistent OCS cardsets for nCipher HSMs (script attached)


Venafi Trust Protection Platform can optionally integrate with an HSM to protect key material. nCipher HSMs can be configured with operator cardsets (OCS) that run in ‘persistent’ mode. This mode allows an application to access HSM key material after the OCS card is removed from the HSM card reader; it is a common configuration for a network-based HSM that serves several applications. With a persistent OCS card, applications must maintain an active connection with the HSM at all times; if this connection is terminated by a network issue, a server restart, or a process restart, the OCS card needs to be re-inserted into the HSM.

By default, IIS recycles the application pools that host the VTPP web services every 29 hours and terminates application pools that have been idle for 20 minutes. As a result, VTPP web services that access the HSM lose their connection with the HSM and require the OCS card to be physically present in the HSM before the web services can be brought back up.

To resolve this, Venafi recommends that application pool recycling and idle timeout be disabled for the Venafi application pools. The attached script can be used to set the application pool recycling intervals to ‘0’ to ensure that recycling is disabled.

To use the script:

  1. Copy the SetAppPoolTimeouts.cmd script to each VTPP server.
  2. Execute the script as follows from a command prompt: ‘SetAppPoolTimeouts 00 00’
    (Optional if an HSM with a persistent OCS cardset is in use)
  3. Insert the OCS card into the HSM.
  4. Restart IIS with ‘iisreset’.
  5. Remove the OCS card from the HSM.
  6. Log in to WebAdmin and Aperture and verify that the consoles can be accessed.


Alternatively, the timeouts can be changed manually via IIS Manager. To use this method:

  1. Log in to a server where Aperture and/or WebAdmin are hosted.
  2. Open Internet Information Services (IIS) Manager.
  3. Navigate to the Application Pools node under the web server.
  4. Select the Aperture application pool.
  5. Select Advanced Settings.
  6. Set “Idle Time-out (minutes)” to 0 (zero).
  7. Set “Regular Time Interval (minutes)” to 0 (zero).
  8. Click OK.
  9. Repeat steps 4-8 for the VEDAdmin, VEDClient, VEDScep, and VEDWebSDK application pools.
    (Optional if an HSM with a persistent OCS cardset is in use)
  10. Insert the OCS card into the HSM.
  11. Restart IIS with ‘iisreset’.
  12. Remove the OCS card from the HSM.
  13. Log in to WebAdmin and Aperture and verify that the consoles can be accessed.
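Both procedures above change the same two IIS application pool properties: “Regular Time Interval (minutes)” corresponds to recycling.periodicRestart.time and “Idle Time-out (minutes)” to processModel.idleTimeout. The following PowerShell script is an added example, not the attached SetAppPoolTimeouts.cmd and not Venafi's own code. It uses the IIS WebAdministration module to set both values to zero for the application pools named in this article and then reads the values back so the change can be verified before IIS is restarted. The pool names are taken from the article; a pool that does not exist on a given server (for example one that hosts only some of the services) is skipped with a warning rather than failing the whole run.

```powershell
#Requires -RunAsAdministrator
# Added example (not the attached SetAppPoolTimeouts.cmd): disable periodic
# recycling and the idle timeout for the Venafi application pools, then read
# the settings back for verification.
Import-Module WebAdministration

# Application pool names as listed in the article.
$VenafiPools = @('Aperture', 'VEDAdmin', 'VEDClient', 'VEDScep', 'VEDWebSDK')

function Set-VenafiAppPoolTimeouts {
    param([string[]]$PoolNames = $VenafiPools)

    foreach ($name in $PoolNames) {
        $path = "IIS:\AppPools\$name"
        if (-not (Test-Path $path)) {
            Write-Warning "Application pool '$name' not found on this server; skipping."
            continue
        }
        # "Regular Time Interval (minutes)" in IIS Manager; 0 disables periodic recycling.
        Set-ItemProperty -Path $path -Name 'recycling.periodicRestart.time' -Value ([TimeSpan]::Zero)
        # "Idle Time-out (minutes)" in IIS Manager; 0 disables the idle shutdown.
        Set-ItemProperty -Path $path -Name 'processModel.idleTimeout' -Value ([TimeSpan]::Zero)
    }
}

function Get-VenafiAppPoolTimeouts {
    param([string[]]$PoolNames = $VenafiPools)

    foreach ($name in $PoolNames) {
        $path = "IIS:\AppPools\$name"
        if (-not (Test-Path $path)) { continue }
        $pool    = Get-Item $path
        $recycle = $pool.recycling.periodicRestart.time
        $idle    = $pool.processModel.idleTimeout
        [pscustomobject]@{
            AppPool           = $name
            RecycleInterval   = $recycle
            IdleTimeout       = $idle
            RecyclingDisabled = ($recycle -eq [TimeSpan]::Zero) -and ($idle -eq [TimeSpan]::Zero)
        }
    }
}

# Apply the change and show the resulting values for every pool that exists here.
Set-VenafiAppPoolTimeouts
$report = Get-VenafiAppPoolTimeouts
$report | Format-Table -AutoSize

# Any pool still subject to recycling is listed so it can be fixed before the
# OCS card is inserted and IIS is restarted with 'iisreset' (steps 3-5 / 10-12).
$notDisabled = $report | Where-Object { -not $_.RecyclingDisabled }
if ($notDisabled) {
    Write-Warning ("Recycling is still enabled for: " + ($notDisabled.AppPool -join ', '))
}
```

Run the script in an elevated PowerShell session on each VTPP server, then continue with the OCS card insertion, iisreset, and card removal steps from the article. Because the settings are read back from the IIS configuration rather than assumed, the report also serves as a quick check after a server has been rebuilt or patched, when recycling defaults may have been restored.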
