payShield 10K Installation and User Guide
©Thales Group
Page 324
All Rights Reserved
Authorize Activity (A)
Variant | Key Block
Online | Offline | Secure
Authorization: Not required
Command: A
Function:
To authorize the HSM to perform certain specified activities.
In command line mode, the operator specifies which activities are to be
authorized.
In menu mode, the operator is prompted to enter the activities.
In both cases, the specified activities are authorized by submitting two
Security Officer cards or passwords, which must correspond to the LMK being
authorized.
Authorized activities can be made persistent, in which case they are retained
even if the power to the HSM is cycled.
Authorization:
The HSM does not require any authorization to run this command.
Inputs:
• LMK Identifier: 2 numeric digits
• Activities to be authorized.
• Timeout value: Number of minutes before HSM will revoke chosen authorized activity. Where the security setting Enforce Authorization Time Limit has been set to "YES" (i.e. to the PCI HSM compliant value) then console commands can be authorized for a maximum period of 12 hours (720 minutes).
• PIN (if applicable): 5 to 8 alphanumeric characters. The PIN must be entered within 60 seconds of being requested. (4-digit PINs on legacy cards will also be accepted.)
• Either:
  o Smartcards (RLMKs are supported) with both authorizing passwords.
  o Password: 16 alphanumeric characters.
• Use "-h" to display help.
Outputs:
• Text messages as shown in examples.
Syntax:
A [<Activity>] [<Activity>] ...
Activity: <Category>.[<Sub-category>].[<Interface>][:<Timeout>]
Category = generate|component|genprint|import|export|pin|audit|admin|diag|misc|command
Sub-category (for 'generate|import|export') = key type code, e.g. 001 for ZPK.
Sub-category (for 'pin') = mailer|clear
Interface = host|console
Timeout = value in minutes or 'p' for persistent. (A maximum of 12 hours (720 minutes) is applied to Console commands.)
Names may be shortened but must remain unique.
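The following Python example is an addition to this page, not code from the Thales guide. It parses activity strings written in the syntax above, resolves shortened names only when they are unique, and flags persistent authorizations and timeouts above the 720-minute console maximum, as a reviewer might do for activity strings in a runbook or change ticket. The function names (expand, parse_activity, review) are the example's own; it assumes that trailing empty fields may be dropped and that an activity with no interface named may cover console commands.

```python
CATEGORIES = ("generate", "component", "genprint", "import", "export",
              "pin", "audit", "admin", "diag", "misc", "command")
PIN_SUBS = ("mailer", "clear")
INTERFACES = ("host", "console")
CONSOLE_MAX_MINUTES = 720  # 12 hours, per the Timeout description


def expand(name, choices):
    """Resolve a possibly shortened name; it must identify exactly one choice."""
    name = name.lower()
    hits = [name] if name in choices else [c for c in choices if c.startswith(name)]
    if len(hits) != 1:
        raise ValueError(f"{name!r} is unknown or ambiguous (matches {hits})")
    return hits[0]


def parse_activity(spec):
    """Parse one activity; trailing empty fields may be dropped (assumption)."""
    body, _, timeout = spec.strip().partition(":")
    fields = body.split(".")
    if len(fields) > 3 or not fields[0]:
        raise ValueError(f"malformed activity {spec!r}")
    cat, sub, iface = fields + [""] * (3 - len(fields))
    cat = expand(cat, CATEGORIES)
    if sub and cat == "pin":
        sub = expand(sub, PIN_SUBS)
    minutes = int(timeout) if timeout.isdigit() else None  # None: no timeout given
    if timeout.lower() == "p":
        minutes = "persistent"
    elif timeout and minutes is None:
        raise ValueError(f"bad timeout in {spec!r}")
    return {"category": cat, "sub_category": sub or None,
            "interface": expand(iface, INTERFACES) if iface else None,
            "timeout": minutes}


def review(spec):
    """Return reviewer findings; an unnamed interface is assumed to cover console."""
    a = parse_activity(spec)
    if a["timeout"] == "persistent":
        return ["persistent: retained across power cycles"]
    if isinstance(a["timeout"], int) and a["timeout"] > CONSOLE_MAX_MINUTES \
            and a["interface"] != "host":
        return ["timeout exceeds the 720-minute console maximum"]
    return []


# Constructed sample input (not taken from the guide).
SAMPLE = ["export.001.host:60", "pin.mailer.console:p", "admin..console:900"]
```

The 720-minute finding is relevant where Enforce Authorization Time Limit is set to "YES"; shortened names such as "gen" are rejected because they match both generate and genprint.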
Errors:
• Invalid LMK identifier - no LMK loaded or entered identifier out of range.
• Card not formatted - card is not formatted.
• Not a LMK card - card is not formatted for LMK or key storage.
• Smartcard error; command/return: 0003 - invalid PIN is entered.
• Invalid PIN; re-enter - a PIN shorter than 4 or longer than 8 characters is entered.