Resetting the HSM to factory settings
Note
This feature is only available if you are using ProtectToolkit 7.3.0 or newer with ProtectServer 3 HSM Firmware 7.03.00 or newer.
This section describes how to reset a ProtectServer 3 HSM to factory settings. Resetting the HSM to factory settings does the following:
- Erases all cryptographic material on the HSM.
  Note
  This can also be accomplished by tampering the HSM. For more information, refer to Tampering or decommissioning the HSM.
- Erases all ProtectServer Identity Certificates (PICs), ProtectServer Identity Keys (PIKs), ProtectServer Owner Certificates (POCs), and ProtectServer Owner Keys (POKs) on the HSM.
- Erases all functionality modules (FMs) installed on the HSM.
You may need to reset an HSM to factory settings if you are decommissioning it, shipping it back to Thales for an RMA, or repurposing it for your organization. For more information about the RMA process, refer to RMA and shipping back to Thales.
Resetting a ProtectServer 3 PCIe to factory settings
There are two ways to reset a ProtectServer 3 PCIe to factory settings.
- Using ProtectToolkit 7 to reset a ProtectServer 3 PCIe to factory settings - use this method under normal operating conditions.
- Using the factory reset application to reset a ProtectServer 3 PCIe to factory settings - use this method if the HSM cannot be accessed through ProtectToolkit 7.
Using ProtectToolkit 7 to reset a ProtectServer 3 PCIe to factory settings
You can reset the ProtectServer 3 PCIe to factory settings by using the ctconf command-line utility.
Prerequisites
- HSM Administrator PIN
To reset a ProtectServer 3 PCIe to factory settings with ctconf
Run the following ctconf command:
ctconf --factory-reset
Using the factory reset application to reset a ProtectServer 3 PCIe to factory settings
If the ProtectServer 3 PCIe cannot be accessed through ProtectToolkit 7, you can reset it to factory settings by using the hsmfactoryreset utility, which Thales includes with ProtectToolkit 7.3.0 and newer.
Prerequisites
- The ProtectServer 3 PCIe driver is installed on the workstation that is used to run hsmfactoryreset.
- The ProtectServer 3 PCIe is physically connected to the workstation that is used to run hsmfactoryreset.
To reset a ProtectServer 3 PCIe to factory settings with the factory reset application
Run hsmfactoryreset <device> from a command prompt on the workstation.
For more information about the options that are available while using the hsmfactoryreset utility, refer to hsmfactoryreset.
Resetting a ProtectServer 3 Network HSM to factory settings
If you are using a ProtectServer 3 Network HSM, use the following PSESH command to reset the HSM to factory settings:
psesh:>hsm factoryreset
The HSM in the appliance of the ProtectServer 3 Network HSM is reset to factory settings.
Tip
If you are performing a full factory reset of the ProtectServer 3 Network HSM, reset the appliance to factory settings by completing the procedures described in Resetting the ProtectServer 3 Network HSM appliance to factory settings.