Upgrading nCipher Security World client software to 12.80 from 12.10

No clue why nCipher’s docs don’t tell you how to actually install or upgrade the software they accompany, but they don’t. I have an existing article on installing the Security World software on CentOS 7, but at the time of that writing 12.10 was the current version. Many new features have been added to the later versions of the nShield Connect firmware, not the least of which is, finally, LACP support across the two Ethernet interfaces, so you can have redundancy for network equipment outages. There have also been new versions of the actual encryption/communications portions of the software and hardware, which you’ll need an updated client version to take advantage of if your HSMs have also been upgraded.

Now, before we go any further: while upgrading the client software usually has zero issues, you must be aware that upgrading HSM firmware will destroy your security world. If it’s actively handling transactions, those will also break. You can only upgrade a production HSM’s firmware by taking it out of production, preparing the administrative card set (physically local, or with all the card holders near their card readers if you run remote administration), performing the update, and then re-loading the security world onto it.

So, moving along. You may find that you’ve received the security world client software, not to be confused with the actual ‘security world’ representing your HSM-protected encryption key, in a number of formats, from physical media to ISOs, tar files, or zips of either of those. I’ve found they do often take one of two naming schemes:

SecWorld_Lin64-12.80.4.zip (with ISO inside)
SecWorld-linux64-user-12.40.2.zip
SecWorld-linux64-user-12.40.2.iso
optThales.tgz

The prefixes are consistent, and then the rest is just versioning and format.

My experience has been that you are expected to untar files from the root of the filesystem and that they’ll end up in /opt/nfast. Untar at the wrong place and who knows where you’ll end up putting them.

First step: stop the hardserver (client software). This will be via either systemd or an init script:

# systemd
systemctl stop nc_hardserver

# init script
/etc/rc.d/init.d/nc_hardserver stop

Anyway, assuming you have things mounted in /mnt, you’ll probably find the format is one of the following:

Version 12.40.2 and older:

/mnt/linux/libc6_11/amd64/nfast/ctls/agg.tar
/mnt/linux/libc6_11/amd64/nfast/dsserv/user.tar
/mnt/linux/libc6_11/amd64/nfast/hwcrhk/gnupg.tar
/mnt/linux/libc6_11/amd64/nfast/hwcrhk/user.tar
/mnt/linux/libc6_11/amd64/nfast/hwsp/agg.tar
/mnt/linux/libc6_11/amd64/nfast/javasp/agg.tar
/mnt/linux/libc6_11/amd64/nfast/jcecsp/user.tar
/mnt/linux/libc6_11/amd64/nfast/nhfw/agg.tar
/mnt/linux/libc6_11/amd64/nfast/pkcs11/user.tar
/mnt/linux/libc6_11/amd64/nfast/ratls/agg.tar
/mnt/linux/libc6_11/amd64/nfast/snmp/agg.tar
/mnt/linux/libc6_11/amd64/nfast/version.txt

Version 12.50 – no idea, I never had this version of the files.

Version 12.60 through at least 12.80.4, the last version I’ve touched as of the time of this post:

/mnt/linux/amd64/ctd.tar.gz
/mnt/linux/amd64/ctls.tar.gz
/mnt/linux/amd64/devref.tar.gz
/mnt/linux/amd64/hwsp.tar.gz
/mnt/linux/amd64/javasp.tar.gz
/mnt/linux/amd64/jd.tar.gz
/mnt/linux/amd64/ncsnmp.tar.gz
/mnt/linux/amd64/raserv.tar.gz

From /, extract all of the tar files for the release you’re moving to.

Switch to /opt/nfast/sbin/ and run the install file there, i.e. ./install

It will ask no questions, so hopefully you did the untar correctly. It’s just going to blast through the install all on its own, whether you like it or not. If it finds an existing install, it will upgrade it. It will also restart the hardserver at the end, so only run it when you’re ready for that to happen.
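
A pre-flight check for the extraction step, as an added example that is not from the original post or from nCipher: it refuses to unpack anything at the target root unless every member path in every tarball falls under opt/nfast/. The function names, and the assumption that the archives store their members relative to / under opt/nfast/, are assumptions of this example based on the note above that the files end up in /opt/nfast.

```shell
#!/bin/sh
# Added example: verify tarball contents before unpacking them at / as root.
# Assumption: members are stored relative to / and all live under opt/nfast/.

# check_members ARCHIVE: succeed only if every member path stays in opt/nfast/
check_members() {
    # Listing fails on a corrupt or unreadable archive; treat that as a refusal.
    list=$(tar -tf "$1") || return 1
    printf '%s\n' "$list" | awk '
        { p = $0; sub(/^\.\//, "", p) }            # tolerate a leading "./"
        p == "" { next }
        (p !~ /^opt\/?$/ && p !~ /^opt\/nfast(\/|$)/) ||
        p ~ /(^|\/)\.\.(\/|$)/ { print "unexpected member: " $0; bad = 1 }
        END { exit bad + 0 }
    ' >&2
}

# extract_all ROOT ARCHIVE...: check every archive first, then unpack under ROOT.
# Nothing is written unless all archives pass, so a stray file in one tarball
# cannot leave a half-extracted tree behind.
extract_all() {
    root=$1; shift
    for a in "$@"; do
        check_members "$a" || { echo "refusing to extract: $a" >&2; return 1; }
    done
    for a in "$@"; do
        tar -C "$root" -xf "$a" || return 1
    done
}

# Usage with the layouts listed in the article (media mounted on /mnt):
#   12.60 and later:   extract_all / /mnt/linux/amd64/*.tar.gz
#   12.40.2 and older: extract_all / /mnt/linux/libc6_11/amd64/nfast/*/*.tar
```

The check covers member paths only; it does not inspect link targets or establish where the archive came from.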
