Thales payShield 10K Installation And User Manual Download Page 402

Page: 402 / 470

payShield 10K Installation and User Guide

©Thales Group

Page 400

Generate a MAC on an IPB (MI)

Variant



Key Block



Online



Offline



Secure



Authorization:

Required

Activity:

misc.console

Command:

Function:

To generate a MAC on the Cryptogram component of a CAP IPB.

Authorization:

The HSM must be either in the Authorized State, or the activity

misc.console

must be authorized, using the Authorizing Officer cards of the relevant LMK.

Inputs:

•

LMK identifier: indicates the LMK to use when generating the MAC.

•

8 byte IPB represented as 16 hex ASCII characters.

Outputs:

•

4 byte MAC over the plaintext IPB input data.

Errors:

•

Invalid LMK identifier - no LMK loaded or entered identifier out of range.

•

Command only allowed from Authorized - the HSM is not authorized to

perform this operation.

•

IPB is not 8 bytes. Please re-enter - the validation of the IPB failed.

•

Warning: Less than 16 '1'bits in IPB - the IPB contains less than 16 '1' bits.

Example:

Online-AUTH>

Enter LMK id:

Enter IPB:

FFFFFFFF00000000

MAC: FB1A 3C1A

Online-AUTH>

Note:

The result of the "MI" command gives no indication as to the LMK scheme or LMK identifier used in the

command. When this value is used with other (host) commands, the user must ensure that the correct LMK
is specified in the command.

Summary of Contents for payShield 10K

Page 1: ...cpl thalesgroup com payShield 10K Installation and User Guide PUGD0535 006 ...

Page 2: ...and conditions with regard to the information contained herein including all implied warranties of merchantability fitness for a particular purpose title and non infringement In no event shall Thales be liable whether in contract tort or otherwise for any indirect special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use data profits...

Page 3: ... Session Key 1 16 1 8 Key Shares 1 16 1 9 Host Commands supporting multiple LMKs 1 17 1 9 1 LMK Usage in Host Commands 1 18 1 10 payShield 10K license packages 1 19 1 11 Trusted Management Device TMD 1 21 1 11 1 Introduction 1 21 1 11 2 Background 1 21 1 11 3 Description 1 21 1 11 4 How Keys Are Shared With payShield and 3rd Parties 1 22 1 11 5 Example Sequence of Steps to Set Up and Transfer Keys...

Page 4: ...f switch 3 41 3 2 5 PCIe card interface 3 41 3 2 6 Ethernet ports 3 41 3 2 7 USB Type A port 3 41 3 2 8 Erase Button and LED 3 41 3 2 9 Ground Lug 3 41 4 Installation 4 43 4 1 Pre installation tasks 4 43 4 1 1 Mechanical and Electrical Specifications 4 43 4 1 1 1 Physical Characteristics 4 43 4 1 1 2 Power Considerations 4 43 4 1 1 3 Environmental Considerations 4 44 4 1 1 4 Battery consideration ...

Page 5: ...ng into payShield Manager 8 89 8 3 Top Tab descriptions 8 91 8 3 1 Summary Tab 8 91 8 3 2 Status Tab 8 91 8 3 3 Operational Tab 8 92 8 3 4 Domain Tab 8 93 8 3 5 Configuration Tab 8 93 8 4 Virtual Console Tab 8 94 8 4 1 Quick Links 8 94 8 4 2 Terminate Session 8 94 8 5 Lower screen icons 8 94 8 5 1 payShield 10K States 8 95 8 5 1 1 Online 8 95 8 5 1 2 Offline 8 95 8 5 1 3 Secure 8 95 8 5 1 4 Switch...

Page 6: ...MK 8 139 8 8 1 8 Replace an installed LMK 8 140 8 8 1 9 Set the Default LMK 8 140 8 8 1 10 Set the Management LMK 8 141 8 8 1 11 Enter Authorized State 8 142 8 8 1 12 Single Authorization Mode 8 143 8 8 1 13 Multiple Authorization Mode 8 143 8 8 1 14 Key Change Storage 8 143 8 8 1 15 Install LMK from RLMK card set 8 143 8 8 1 16 Delete an installed LMK 8 144 8 8 1 17 Replace an Old LMK 8 144 8 9 D...

Page 7: ...rds 9 185 9 6 Generating LMK Component Cards 9 186 9 6 1 HSM LMK Cards 9 186 9 6 2 payShield Manager RLMK Cards 9 186 9 7 Creating Copies of LMK Component Cards 9 186 9 7 1 Duplicating HSM LMK cards 9 186 9 7 2 Duplicating a payShield Manager RLMK card 9 187 9 8 Loading the new LMK 9 187 9 8 1 Using the Console 9 187 9 8 1 1 Loading or forming the LMK 9 187 9 8 1 2 Checking the LMK 9 187 9 8 2 Usi...

Page 8: ...05 Appendix A Console Commands 10 207 Appendix B Configuring Ports Using the Console 11 449 B 1 Configure the Management Port 11 449 B 2 Configure the Printer Port 11 451 B 3 Configure the Host Ports 11 451 B 3 1 Configuring the Software 11 451 B 3 1 1 Message Header Length 11 452 B 3 1 2 Ethernet Communications 11 452 B 3 1 3 Software Parameters 11 453 Appendix C Commission payShield Manager usin...

Page 9: ...d Section 8 6 1 Summary Dashboard on page 99 payShield Monitor Summary License updated Section 8 7 7 1 License Summary how to update Licensing on page 123 payShield Monitor Software tab modified Section 8 7 6 1 Software how to update software on page 122 004a April 2020 Minor editorial changes 005 October 2020 payShield 10K 10G Ethernet Hardware Platform Variant support documented in Chapter 5 pay...

Page 11: ...latory Users Warnings and Cautions Note Console Commands are now included in this manual Appendix A 1 2 Audience The manual s audience includes Network installers Trusted officers data security administrators Physical key holders Physical card holders Compliance officers 1 3 payShield 10K General Description The payShield 10K payment hardware security module HSM provides cryptographic functions to...

Page 12: ...1 4 Typical Configuration A typical payShield 10K configuration consists of two or more payShield units connected as live units A multi unit configuration permits concurrent operation for high throughput and under control of the application program provides automatic and immediate backup in the event of a fault in a single unit Typically redundancy is built into the system design by providing more...

Page 13: ... commands mainly involving plain text data are entered by the user via the associated HSM console The flow of data through components is represented in the figure that follows The throughput of the HSM depends on the types of commands that are executed and the method and speed of the Host connection 1 5 Smart cards The payShield 10K uses smart cards to provide a convenient means of handling sensit...

Page 14: ...that is also created by the user on an HSM This root private key is normally described as a Customer Trust Authority CTA Operations payShield Manager Smart Card HSM Smart Card Formatting Can only be formatted using payShield Manager Can only be formatted using the FC command using USB C console Save Settings Alarm Host Security Audit Command Pin Block Can be used to save payShield 10K settings via...

Page 15: ...n and it is quite possible to have non overlapping security groups created via the same CTA In addition to having matching CTAs whitelists within each HSM define which smart cards can communicate with a specific HSM and what role they possess 1 7 Keys 1 7 1 Encryption Mechanism The HSM mechanism for encryption of locally stored keys uses a double length DES key i e the Local Master Key LMK stored ...

Page 16: ...nly be used to encrypt keys in the key block format Note The term Key Block LMK refers to the key block method of encrypting keys a Key Block LMK is not itself stored in the key block format For an HSM to operate the LMKs must be created and loaded Because the DES AES algorithms depend on a key for secrecy and because the security of all keys and data encrypted for storage depend on the LMKs they ...

Page 17: ...ibuted manually or automatically under a previously installed TMK It is used to distribute data encrypting keys within a local non shared network to an ATM or POS terminal or similar The TMK is used to encrypt other TMKs or keys of a lower level for transmission For local storage a TMK is encrypted under one of the LMK pairs The payShield 10K supports the use of a single length double length or tr...

Page 18: ...ength or triple length DES PVK 1 7 9 Card Verification Key A Card Verification Key CVK is similar to a PIN Verification Key but for Card information instead of a PIN The payShield supports the use of a single length double length or triple length DES CVK 1 7 10 Master Session Key The master session key management scheme involves setting up a master key between two communicating parties for example...

Page 19: ...Host commands sent via TCP IP have been directed to the HSM s Well Known Port and this continues to be supported However Host commands directed to the Well Known Port 1 will automatically use LMK Id 00 Host commands directed to the Well Known Port 2 will automatically use LMK Id 01 etc The situation for an HSM using the default Well Known Port value of 1500 is summarized in the table below Field L...

Page 20: ...mmands using key blocks the LMK that is identified in the key block header s is used if the Delimiter and LMK Identifier are present in the command message then all LMK identifiers must agree If the Delimiter and LMK Identifier are present at the end of the command message then the specified LMK is used in the command processing For commands received via the Ethernet Host port using TCP IP the HSM...

Page 21: ...remium package 25 cps Premium package 25 cps Premium issuing and processing package containing all core functionality available for the payShield 10K platform PS10 PRM S Premium package 60 cps Premium package 60 cps Premium issuing and processing package containing all core functionality available for the payShield 10K platform PS10 PRM M Premium package 250 cps Premium package 250 cps Premium iss...

Page 22: ...Manager license License to operate payShield Manager remotely as well as locally PS10 LIC LMKx2 payShield LMK x 2 license License for multiple LMKx2 PS10 LIC LMKx5 payShield LMK x 5 license License for multiple LMKx5 PS10 LIC LMKx10 payShield LMK x 10 license License for multiple LMKx10 PS10 LIC LMKx20 payShield LMK x 20 license License for multiple LMKx20 PS10 LIC FF1 FF1 license License enables ...

Page 23: ...d enter their components individually into a secure system In the past it has been acceptable to enter the components directly into the payment HSM such as the payShield 10K using the Console interface However the latest PCI standards require use of a Secure Cryptographic Device SCD such as the Thales Trusted Management Device TMD This replaces the Thales Key Management Device KMD which is end of ...

Page 24: ...ayShield 10K and third parties Other options are available for example to secure the transfer of keys Note keys can be transferred in both directions Phase Internal System External Party Key Secure Method of Transfer Set Up TMD payShield 10K MZMK Component form on Smart Card TMD Third Party ZMK Components in Printed Form TMD payShield 10K ZMK Encrypted under MZMK Production payShield 10K Third Par...

Page 25: ...he MZMK into the host application c Host application uses host command A6 or BY to translate the ZMK from encryption under the MZMK to encryption under the LMK and stores in the host application for subsequent use Note Instead of using a host command in step c Console Command IK can be used with the payShield Manager Virtual Console or the standard Console to translate the ZMK from encryption unde...

Page 26: ...ed with Console Command KE There are also a number of alternative options provided with the TMD and these are documented in the TMD manual These include Except for the first MZMK subsequent MZMK can be generated using the TMD and stored in component form on smart card Console Command FK is then used to import from components on smart card and display the key encrypted under the LMK This is then en...

Page 27: ...mote HSM Manager If you have set up LMK cards using the old Remote HSM Manager migrate the cards to payShield Manager using the payShield 9000 Once migrated the cards can be used on the payShield 10K Note pay Shield 9000 cards storing security command or PIN Block configuration settings cannot be used on the payShield 10K Conversely payShield 10K cards storing security command or PIN Block configu...

Page 28: ...the remote licenses with minimal set up at a later date 2 1 3 Modifications made to the console commands Command Description CC Configure Console Removed Command because the console is now self configuring QC Query Console Removed Command because the console is now self configuring SNMPADD Add SNMP Modified for payShield 10K MIB SNMP DEL Delete SNMP Modified for payShield 10K MIB TRAP Displays Tra...

Page 29: ... static IP Route Removed this command was only relevant to HSM 8000 This can be done using the CH command and entering the gateway address CS Configure Security Modified for 10K QS Query Security Modified for 10K DT Diagnostic Test Modified for 10K added new tolerances for Voltage and Temperature and added hot swappable fans and power supplies AUDITOPTIONS Set up audit options Modified for 10K AUD...

Page 30: ...l Field Replaceable and Hot Swappable Management port connections Six USB A ports Ethernet for local remote management USB C port on front panel USB A port on rear panel Ethernet for local remote management Ethernet for AUX payShield Monitor Host interface connectivity Dual 10 100 1000 Mbps Ethernet Async and FICON Dual 10 100 1000 Mbps Ethernet PCIe slot for FICON or 10Gig Ethernet supported afte...

Page 31: ...Front Panel Health Solid Red Unit booting application initialization in process payShield failed diagnostic test or there are errors in the error log Front Panel Tamper Off No Tamper has been detected Front Panel Tamper Solid Red A high Tamper has been detected contact Thales support Front Panel Tamper Flashing Red A medium Tamper has been detected customer key material has been erased Front Panel...

Page 32: ...esistant and responsive design Fully locked down chassis lid with no ability to open Tamper sensors for chassis lid crypto processor cover motion voltage and temperature Two levels of tamper Medium tamper erases all sensitive data High tamper erases all sensitive data and permanently disables use of the unit Sensitive data immediately erased in the event of any tamper attempt Compliance with PCI H...

Page 33: ...een made to payShield Monitor and SNMP There is a new payShield 10K MIB The SNMP port list is modified to allow the user to select between AUX port and Management ports only Host ports are no longer supported SNMP V1 V2 have been removed and community strings are no longer displayed only version 3 is supported Consequently the prompt that was in the SNMP console commands for version has been remov...

Page 34: ...on the payShield 9000 if you want to keep the same domain This means updating the payShield 9000 to version 3 0 or above and then going through the payShield 9000 migration process as outlined in the payShield 9000 payShield Manager Manual You will then have your CTA and LMK cards and ADMIN cards on the JAVA cards which can be read by payShield Manager on the payShield 10K Non supported Remote HSM...

Page 35: ...Copying a card at the console 1 Connect the console using the USB C and Tera Term or PuTTY Note The payShield can be in the ONLINE OFFLINE or SECURE mode 2 Use the FC command format card to format X number of the supported cards 3 Put the payShield into SECURE mode 4 Use the DC Duplicate LMK Component Set command to duplicate the component from the old card onto the new card 5 Load the LMK into th...

Page 37: ... unit into the rack each key holder inserts their key into the appropriate lock and turns the lock to the locked position When in the locked position the HSM cannot be removed from the rack The mechanical locking of the unit into the rack provides low level resistance to a direct attack Note that the unit itself cannot be opened To remove the unit from the rack both key holders insert their respec...

Page 38: ...ejected at a standard point in HSM operation For example At completion of a smart card related instruction from payShield Manager At completion of a smart card related Console command When the user presses the Delete key When the user presses CTRL C key combination After a RESET During diagnostic testing 3 1 3 Front panel LEDs There are three LED indicators on the front panel Health illuminating b...

Page 39: ...ty or remotely Note There is also a Service LED on the back of the unit that mirrors the Service LED on the front of the unit Pushing the button toggles the state of the service function between on and off LED Display Indicates Off Power is off White Unit is operating properly Flashing Unit is booting Refer to Section 3 1 3 4 Boot up LED Sequence on page 38 Red Errors exist Using payShield Manager...

Page 40: ... repair The tamper LED indicates if the unit is in a tampered state 3 1 3 4 Boot up LED Sequence As the system powers up the LEDs display changes as the HSM moves through the power up sequence The table below provides a key to the LED sequence 3 1 3 5 Blue LED The blue service LED is indicates that the HSM requires service 3 1 4 Air Inlets The air inlets on the payShield 10K provide a cooling air ...

Page 41: ...power factor corrected high efficiency supply Universal AC Inlet 90 to 264V 50 60 Hz 12V main output and 5V standby Over voltage over current over temperature protection Latching mechanism to hold the supply in place Internal variable speed fan for independent cooling Integral LEDs to provide operational status Management status and control signals on the internal interface 3 2 1 1 Swapping out th...

Page 42: ...an trays There are two redundant fans Each fan has a positive retention latch and a status indicator Each fan tray can be independently removed and replaced without taking the system out of service Each fan tray contains the following elements 20 CFM fan Latching mechanism to hold the tray in the chassis Status LED EEPROM for manufacturing data Temperature based fan speed control 3 2 3 Battery The...

Page 43: ...ndependent network paths to the HSM each port with its own IP address both active 64 threads on each One management port payShield Manager uses this port for communication between the HSM and the Management PC One service port One printer port Note When connecting serial or parallel interface devices to USB ports it is essential that a USB adapter is acquired from Thales Adapters are available for...

Page 45: ... is typically at least 3 feet in the front of the rack and 1 foot behind the rack Attention Read the payShield 10K Regulatory User Warnings and Cautions document prior to installing the payShield 10K 4 1 1 Mechanical and Electrical Specifications 4 1 1 1 Physical Characteristics 4 1 1 2 Power Considerations The payShield 10K is a Class I product and must be connected to a power supply system which...

Page 46: ... key material stored in protected memory while the external AC power is removed Without any AC power the battery will maintain the contents of protected memory for a minimum of 10 years When the HSM is running on AC power the battery is not used and discharge is minimal 4 2 Installation Procedure Typically the HSM is located within a protected corporate data center with multiple layers of security...

Page 47: ...erial number is located along the right edge of the smart card Note Each card may be assigned to an individual security officer Each officer should also maintain a record of their smart card s serial number 8 Store the serial number records in accordance with your security policy 9 Mount the rack a Unpack the Thales box containing the Thales Universal Rack Mount Kit The Mount Kit contains 2 rails ...

Page 48: ...he front and snap it in Tighten the two rear retaining screws Attention Slide the bearing retainer all the way forward to avoid damaging the rail kit when the product is installed f Insert product into the outer rails With both the left and right bearing retainers moved the entire way forward align the inner rails mounted on the product with the outer rails mounted in the rack You may need to appl...

Page 49: ...ct using the console Chapter Commission payShield Manager using Console Commands LED Displays Process All LEDs are turned on Health LED toggles white red twice System LED test power up occurring Health LED flashing white Firmware Validation occurring Health LED solid white Firmware Validation complete Health LED flashing Red Application initialization occurring Solid white or Solid red Solid red i...

Page 51: ...ivers for connection to either copper or optical networks must also be ordered for each port using the part number below As with the standard PS10 S model a Software Package with Performance must be ordered together with the Hardware Platform as well as any optional licenses and hardware accessories as required Support for the PS10 D model is provided in base software version v1 1a and above Part ...

Page 52: ...mands using payShield Manager and using SNMP The speed of the interface is NOT configurable The only option allowed is Auto select The actual value is negotiated by the interface The Optical and Copper transceivers can be 1GbE or 10GbE auto selected by negotiation When the 10G ports are present the QUAD Small Form factor Pluggable SFP ports replace the covered Native Ethernet ports 5 4 Installing ...

Page 53: ... a mixture the media type SFP must match the site requirement Host 1 in port 1 Host 2 in port 2 Management in port 3 AUX in port 4 4 After removing any cable connection dust covers attach the cables to ports 5 5 Power Consumption When using 4 optical ports the max is 70W When using 4 copper ports the max is 80 W When using a mixture the max is 70W to 80W depending on usage ...

Page 55: ...corporate data center with multiple layers of security and access controls With a standard PC with a supported web browser together with the USB connected payShield Manager Reader and payShield Manager smart cards users connect to the payShield 10K via HTTP s using a configured IP address or the HSM s system name To use payShield Manager locally the PC hosting payShield Manager is connected direct...

Page 57: ...ice PC or Workstation with the operating system browser combinations supported by payShield Manager These are given in the release note for each version of payShield 10K software and typically include Windows 10 with either Chrome of Firefox Linux Ubunto with either Chrome or Firefox MAC OSX Mohave with Chrome Administration permissions for the PC or Workstation to install drivers and update the c...

Page 58: ...KEY 3821 Smart Card reader the driver is available on line at https www hidglobal com drivers 7 3 3 Check the Proxy Configuration Your Internet browser will need to be configured to direct traffic through a proxy When you are configuring the browser proxy settings click Use this proxy server for all protocols For Internet Explorer and Mozilla Firefox this setting is via a check box If this is sett...

Page 59: ... Manager locally the PC hosting payShield Manager is connected directly into the payShield 10K s Ethernet management port on the rear panel Local payShield Manager is included in all payShield 10K licence packages To use payShield Manager remotely the PC hosting payShield Manager is connected remotely via the network again to the payShield 10K s Ethernet management port The Remote payShield Manage...

Page 60: ...e name for payShield 10K is serial number mgmt Refreshing the landing page can repair most connectivity issues with accessing the landing page However once logged in refreshing any page will end the current session and you will be required to log back in The Settings Tools Icon Allows card reader configuration the TLS certificate to be downloaded and the Smart Card to be inspected Additionally sel...

Page 61: ...ssage is displayed as shown in the screen shot below follow the steps below Otherwise continue to Section 7 4 3 Configure the Smart Card reader on page 65 Note the following procedure is for Chrome For other browsers payShield Manager will guide the user through a similar but slightly different process to load the required extensions Additional actions are needed to load the Thales Browser Extensi...

Page 62: ...ide Thales Group Page 60 All Rights Reserved 4 Follow the instructions under Possible Solution Enable Extension Component a Click the More icon b Navigate to More tools Extensions c Scroll through the list of Extensions if a Thales Extension is not present Click Get more extensions ...

Page 63: ... and User Guide Thales Group Page 61 All Rights Reserved The Chrome web store opens d Type in Thales and click thales e security The Thales eSecurity Smart Card Bridge Extension displays e Click ADD TO CHROME The system displays ...

Page 64: ...g Confirm that the extension is Enabled Navigate back to More Tools Extensions Scroll to the Thales extension and confirm that the Enabled box is checked 5 Follow the instructions under Possible Solution Install the Local Application Component a Navigate to Start Control Panel Programs Programs and Features b If you find an existing Smart Card Bridge select it and click to Uninstall ...

Page 65: ...uide Thales Group Page 63 All Rights Reserved c Return to your payShield Manager window d Click the blue button as shown below The ThalesScBridge_ChromeFoxFire msi downloads e Click Run The Smart Card Bridge Setup Wizard Opens f Click Next ...

Page 66: ... Group Page 64 All Rights Reserved g Click Next a second time to confirm h Follow the instructions as prompted i Click Back to return to the payShield landing page j Close your payShield session 6 From your Internet browser enter the network name or IP address Example The landing page opens ...

Page 67: ...dow opens Note In the image above the PC has an internal Smart Card reader for example Smart Card 0 Do not Click this internal Smart Card reader It is not a trusted verification device In the example above REINER SCT cyberJack secoder TLS USB1 is the trusted verification device Note If after selecting the trusted verification Smart Card reader you unplug the reader from your PC and or reboot you m...

Page 68: ...ist Step Task Go to Section DONE 1 Load a Security Domain Install an existing security domain This can be a payShield 9000 domain OR Create a new security domain Section 7 5 3 Load the Security Domain on page 73 Section 7 5 2 Create a new Security Domain on page 68 2 Set the HSM Recovery Key HRK passphrases Section 7 5 4 Set HSM Recovery Key HRK passphrases on page 78 3 Create left and right key R...

Page 69: ...e 1 Click Commission The payShield Manager s Commission HSM wizard landing page opens From the landing page you have two options If you already have a Security Domain i e you have previously created a security domain with these cards you are ready to install i e continue to Section 7 5 3 Load the Security Domain on page 73 ...

Page 70: ...art Cards you must know the PIN You will continue to use the existing PIN The system will not prompt you to create a new PIN The existing PIN is not erased 7 5 2 Create a new Security Domain Note A Security Domain is made up of any number of HSMs and a set of Remote Access Cards 1 Expand Create New Security Domain 2 Click Start The Security Domain Parameters window displays 3 Enter your parameters...

Page 71: ... readily available Total Number of Security Domain Shares This is the number of Smart Cards onto which the CTA shares will be distributed Valid values are 3 9 Size of Security Domain Shares Quorum This is the number of Smart Cards holding CTA shares that must be present in order to reassemble a CTA to perform various operations including commissioning a payShield The minimum value is 3 Country Sta...

Page 72: ...d User Guide payShield 10K Installation and User Guide Thales Group Page 70 All Rights Reserved 4 Click Next 5 Follow the wizard instructions to commission each Smart Card i e assign key shares to each security officer s Smart Card ...

Page 73: ...nsert your Smart Card into your Smart Card reader Note If your Smart Card is brand new continue to Step e a If the system detects that you have already commissioned the Smart Card you are alerted Attention If you Click OK information on the card will be lost but the original PIN remains Clicking OK does not erase the PIN b Click OK The system prompts for the original PIN ...

Page 74: ...firm h Press OK on the card reader The system will display Security domain share received card may be removed i Click Next j Remove the card and repeat the process for each card i e for each security officer k After the final security officer has confirmed a PIN click Finish At this point a set of security domain credentials i e a Customer Trust Authority CTA has been created and split into some n...

Page 75: ...d a Security Domain you are associating your payShield to that particular domain You can associate the payShield with the newly created Security Domain just created by following Section 7 5 2 Create a new Security Domain on page 68 or you can add this payShield to an existing Security Domain of your choice Prerequisites The Smart Cards that make up the Security Domain 2 Smart Cards that will funct...

Page 76: ...eserved 3 Each security officer performs the following Place their Smart Card in the reader System prompts Enter PIN Click OK on the PIN pad The system displays 4 Remove card and click Next 5 Repeat the steps above for security officer Note As each officer enters their Smart Card a key share is loaded into the domain ...

Page 78: ...owser in order to trust subsequent TLS connections to the commissioned payShield Depending on your organization s IT policy a PC administrator may be required to perform this configuration Note If you do not need to Download the Certificate Continue to Section 7 5 5 Create Left and Right Remote Access Control key cards on page 79 8 Click Download Certificate to download the certificate The system ...

Page 79: ... Reserved a Insert your Smart Card b Enter your PIN c Press OK The system displays example d Save your file to an appropriate location e Open the certificate for details Note For additional data open the Details tab and the Certification Path tab f Click Install Certificate ...

Page 80: ...hin the last 10 attempts This encompasses all attempts If you do not have HRK passphrases The system prompts you to create them Continue to Step 1 below If you already have HRK passphrases The system prompts you to create your Left Key Card Continue to Section 7 5 5 Create Left and Right Remote Access Control key cards on page 79 1 Enter the HRK passphrases two times The HRK passphrase must contai...

Page 81: ...ts to align with the practices identified in the payShield 10K Security Manual 4 Remove the Smart Card The system prompts you to Designate Commission the Left Key Card 7 5 5 Create Left and Right Remote Access Control key cards If you already have Left and Right key cards i e cards that have been created on a payShield 9000 you may use them 1 Insert a Smart Card into the Smart Card reader 2 Click ...

Page 82: ...d 10K Installation and User Guide Thales Group Page 80 All Rights Reserved The system displays Note PINs are entered via the Smart Card terminal keypad Remember to press OK after entering a PIN 3 Enter the PIN 4 Press OK The system displays 5 Click OK ...

Page 83: ... Installation and User Guide Thales Group Page 81 All Rights Reserved 6 Enter a new PIN 7 Press OK 8 Click Next The system is ready to create the right key card 9 Click Next 10 Insert the Smart Card into the reader ...

Page 84: ...yShield 10K Installation and User Guide Thales Group Page 82 All Rights Reserved 11 Enter the PIN 12 Press OK 13 Insert the card into the Smart Card reader The system prompts 14 Click OK The system starts to process The system prompts completion ...

Page 86: ...of a warranted payShield 1 Log into payShield Manager using the address of the new HSM to be commissioned 2 Select the Commission when it comes up on the browser 3 Remotely load the security domain CTA when prompted by the wizard 4 Set the HRK passphrase for the HSM when prompted by the wizard Passphrases require the following At least 2 upper case characters At least 2 lower case characters At le...

Page 87: ...be undertaken when using payShield Manager with MacOS Catalina Version 10 15 7 and above The procedure describes the steps required using Google Chrome Version 86 0 4240 111 The procedure may vary when using other versions of Chrome or other browsers When accessing the landing page if the following message is shown by the browser carry out the following steps 1 Save the Certificate to the Desktop ...

Page 88: ...Group Page 86 All Rights Reserved 2 Add the Certificate to Keychain Access Open the Keychain Access Application and Navigate to the Certificates panel Drag the certificate into the Certificates panel The certificate is now installed and recognizable to Keychain Access 3 Trust the Certificate ...

Page 89: ...ble click on the certificate in order to manage the system preferences for handling the certificate Expand the Trust panel and set the preference to Always Trust the certificate 4 Restart the Browser System Restart the browser of the system 5 Open payShield Manager Open payShield Manager ...

Page 91: ...ns between Online Offline Secure andAuthorized HSM Firmware and license loading Please note Only one payShield Manager session is allowed at a time When accessing the payShield 10K via the payShield Manager the local console is disabled Once the payShield Manager session ends local console access is restored If the physical keys on the front panel are changed from the online position the payShield...

Page 92: ...mart Card reader Note To reach the Secure state both Right and Left Administrators must perform steps 3 through 5 below 3 Insert your Administrator Smart Card into the Smart Card reader Note If the system does not appear to be reading your Smart Card check your Smart Card reader configuration Section 6 1 3 3 Configure the smart card reader on page 56 4 Enter your PIN 5 Select OK The main page open...

Page 93: ...b Selecting this tab causes the UI to transition to the Summary Perspective shown In this perspective you can view summary information about your HSM 8 3 2 Status Tab Selecting this tab causes the UI to transition to the Status Perspective In this perspective you can View detailed device information Cause a reboot of the HSM ...

Page 94: ...perational Tab Selecting this tab causes the UI to transition to the Operational Perspective In this perspective you can For each individual LMK Replace an LMK Delete an LMK Set an LMK as the default LMK Set an LMK as the default Management LMK Set Authorized Activities For each individual LMK in Key Change Storage Replace an LMK Delete an LMK Verify LMK Smart Card shares Create Authorizing Office...

Page 95: ... Domain Smart Card Create a new Security Domain CTA Change the HRK passphrases Migrate Legacy Cards if the payShield is a migrated unit 8 3 5 Configuration Tab Selecting this tab causes the UI to transition to the Configuration Perspective In this perspective you can View and manage the HSM s Host Interface Settings including Setting the Host message header length Setting and configuring the inter...

Page 96: ...ave the HSM s settings to a Smart Card Reset the HSM s settings to factory default state 8 4 Virtual Console Tab Selecting this tab causes the UI to open a virtual console window Commands can be entered as if you were on the local console at the HSM Note that not all commands are available Commands that require the use of the integrated Smart Card reader are not available 8 4 1 Quick Links Provide...

Page 97: ...on with the Host computer system Usually this state is required when changing configuration parameters 8 5 1 3 Secure In the Secure state the HSM prevents communication with the Host computer system This state is required for certain highly sensitive functions for example generating or loading LMKs into the HSM 8 5 1 4 Switching to Online or Offline State To switch the HSM into the Online or Offli...

Page 98: ...o login the right RACC before the State button would present the option to move to the Secure state 8 5 2 Time Remaining Shows the amount of time left before the automatic termination of the session 8 5 3 Information 8 5 4 User Selecting this button shows information on card user s and allows an individual user to logout of the session by selecting the next to their card s serial number ...

Page 99: ... the system up time and number of LMKs installed 8 5 6 Smart Card Operations Selecting this button allows you to do Smart Card operations such as Change PIN and Inspect Smart Card To change the PIN on a Smart Card select the Change PIN operation and follow the wizard which requires that you insert your Smart Card enter the current PIN and finally enter the new PIN To view the Smart Card details in...

Page 100: ...al login and when not in the middle of a wizard that calls for a Smart Card to be inserted e g Loading an LMK The system will automatically prompt you for you s PIN and begin the authentication process Once the authentication has completed successfully the allowed Host interface state transitions and logged in users will be updated 8 5 7 2 User Logout To logout a logged in user press the button at...

Page 101: ...d with the main page as shown below Each element will be described next The four collapsible sections contained on this page are the following 8 6 1 Summary Dashboard When expanded this section displays a table containing Model Number Serial Number Software Version Base Release the number of LMKs Installed and the presence of an Installed HRK ...

Page 102: ...s a table containing an Error Log counter an Audit Log counter Power Supply Unit status 1 and 2 System Up Time Instantaneous HSM Load and the number of Reboots 8 6 2 1 How to resolve reported errors In the example above the dashboard identifies Failure with Power Supply 2 The payShield 10K handle light is red Follow these steps to resolve 1 Navigate to Status Maintenance 2 Click On ...

Page 103: ...t This light is for informational purposes only and does not impact the status of the payShield 10K in any manner other than turning on the blue service light in on the front and rear panels of the payShield If the service light is turned on or off it will be recorded as an event in the Audit Log 3 Review the error code The Health dashboard reports NotDetected when the power supply is removed Vers...

Page 104: ...0K Installation and User Guide Thales Group Page 102 All Rights Reserved 5 Navigate to Status Health Statistics Diagnostics Maintenance 6 Set the maintenance light to Off Note Turning the maintenance light to off can also be performed manually at the unit ...

Page 105: ...Rights Reserved 8 6 3 Configuration Dashboard When expanded this section displays a table containing Host 1 IP address Host 2 IP addresses the management IP address a summary of the printer configuration PCI HSM compliance and Management Chain of Trust Validation status ...

Page 106: ...st is the Local Master Key Table showing ID AUTH SCHEME ALGORITHM STATUS CHECK and COMMENTS The second table shown is the Key Change Storage Table This table displays ID SCHEME ALGORITHM STATUS CHECK and COMMENTS Note These collapsible menus and the content within are designed to give a quick overview of the current status of the HSM The values cannot be interacted with or changed from the Summary...

Page 107: ...K Installation and User Guide Thales Group Page 105 All Rights Reserved 8 7 Status page The Status Page can be reached by selecting the Status button which is the second button from the left at the top of the frame ...

Page 108: ...Device Information The Device Information section contains a table that displays the System Name of the HSM Unit the Unit Descrip tion Serial Number Unit Info Model number Performance in calls per seconds cps the Date of Manufacture PSU serial numbers and Fan serial numbers Note These fields are for easy viewing and are not editable ...

Page 109: ... showing static statistics about CPU Load Command Totals and Command TPS Cumulative statistics Displays data accumulated since the last time that you reset the utilization data It will continue to accumulate until the next time that the data is explicitly reset The collected data is persistent over re starts and power being switched off Instantaneous statistics Displays data for the current loadin...

Page 110: ...es each Host command has been processed Cmd TPS This data indicates the average transactions per second tps for each command that has been processed The rated performance of the HSM relates to how many CA Host commands the HSM could run in a second The speed a command runs may depend on the options or payload associated with it On Off In Offline or Secure state the Utilization statistics collectio...

Page 111: ...and User Guide Thales Group Page 109 All Rights Reserved Additionally while in the Offline or Secure state Click Refresh to refresh statistics Click Reset to reset the statistics In any state Click Download to save to a text file ...

Page 112: ... Installation and User Guide Thales Group Page 110 All Rights Reserved From the Instantaneous view you may change the measurement period as follows 1 Enter the new value in the Measurement Period field 2 Click Apply Clicking Undo restores the prior setting ...

Page 113: ...ollection of health statistics as well as reset the currently gathered statistics In Offline or Secure state the Health Check Data Collection can be turned on or off using the buttons presented on this page You may reset the Health Check Data in Offline or Secure state when Authorized using the management LMK In any state the Health Check Data can be saved to a text file by selecting Save ...

Page 114: ...eriodically and can be run immediately Tests that are run immediately will display their result s upon completion Automated tests do not report results on this screen Failures of those results are placed in the error log No entry means the tests passed To run test s immediately check the box next to the test and select the Run Tests Now button After a short time the results are displayed next to t...

Page 115: ...nager or directly in front of the payShield using the On Off button This light is for informational purposes only and does not impact the status of the payShield 10K in any manner other than turning on the blue service light in on the front and rear panels of the payShield If the service light is turned on or off it will be recorded as an event in the Audit Log 8 7 4 Error Log The Error Log stores...

Page 116: ... that the log is accurate The hash is computed over the file itself not the value of its contents Copy Pasting the contents into a hash function will give incorrect results Note If the log is very long it may take a while to retrieve and can impact performance of the HSM Selecting Get More returns the next batch of log entries Selecting Reload gets the first batch of log entries Selecting Clear wh...

Page 117: ...nload the UI displays the SHA 256 Hash of the downloaded file Using offline tools you can manually compute the hash and compare your calculation with the value displayed in the UI to ensure that the log is accurate Note The hash is computed over the file itself not the value of its contents Copy Pasting the contents into a hash function will give incorrect results Note If the log is very long it m...

Page 118: ...nostic self test failure test name Optional controlled by Audit diagnostic self tests audit option Disabled by default test name is name of the failed diagnostic self test Firmware update Firmware update attempted Firmware update package validation failed Firmware update failed Firmware update to revision XXXX XXXX and bootstrap version y y y successful failed Firmware update failed is generated w...

Page 119: ... Responses to Host Commands audit option Disabled by default XX is the Host command EE is the error response to the Host command Key Management Smartcard activated card serial number Smartcard PIN changed Key management command XX executed Loaded CTA share from smartcard Stored CTA share on smartcard Smartcard serial number read error card serial number is the smartcard serial number XX is the key...

Page 120: ...ard serial number Below are the various management command strings messages when the command is successful A few of these are configurable enabled disabled via payShield Manager Audit Settings HSM state changed to Online Offline Secure Login Logout Session terminated Single authorized state entered Single authorized state cancelled continued next page Security sensitive management actions commands...

Page 121: ...ck settings modified Fraud settings modified Fraud detection re enabled Enabled Host commands modified Enabled console commands modified Audit settings modified Host commands audit modified Console commands audit modified Remote management commands audit modified Health statistics report generated optional disabled by default Health statistics reset optional disabled by default HRK passphrase set ...

Page 122: ...se updated optional enabled by default Utilstats settings modified optional disabled by default Utilstats state changed optional disabled by default Utilstats reset optional disabled by default Miscellaneous settings modified optional disabled by default Multiple authorized state changed Whitelist modified Session timeout settings modified Management TLS certificate imported Host TLS certificate i...

Page 123: ...ings to factory state Failed to enter single authorized state Failed to modify whitelist Reboot System rebooted due to firmware update System rebooted due to management request System rebooted due to critical diagnostic test failure failed test name Secure Host Comms Certificate not yet valid Unique ID Cert ID Certificate has expired Unique ID Cert ID Error in Cert Not Before Field Unique ID Cert ...

Page 124: ...uild Number was changed to Firmware Version and a new entry Deployment Version has been added Both fields are used only to assist Thales Support The figure below shows both 1 0d and 1 0e screens for clarification purposes To update software 1 Both Left and Right Administrators log on 2 Click the Secure State Once the state is Secure the lock image is removed and the Update Software option is enabl...

Page 125: ...an take several minutes 8 7 7 FIPS Licensing The FIPS Licensing tab has three tabs 8 7 7 1 License Summary how to update Licensing This tab displays data about the connected HSM license information including the performance number the crypto algorithms licensed in the box and the number of licensed LMKs ...

Page 126: ...ge 124 All Rights Reserved To update the license 1 Click Update License Note This can be performed from the offline or secure state 2 Select or drag and drop the file 3 Click Next 4 Continue as prompted 8 7 7 2 Installed Licenses This tab provides a list of all licenses currently installed on the HSM ...

Page 127: ...sts all of the currently available FIPS Validated Algorithms 8 7 8 Import Certificate From this tab when in the secure state you can load a TLS certificate into the payShield 8 7 8 1 General Information payShield 10K supports the use of TLS to secure traffic between Host applications and the HSM TLS v1 2 is the preferred protocol ...

Page 128: ...e Host Communication Certificates 1 The system time has to be set to 24 hour UTC format 2 A CSR needs to have been signed by an external CA to obtain the certificate to import 3 No more than 64 certificates can be imported onto the HSM 4 The maximum length depth for the Chain of Trust is 6 8 7 8 2 TLS Management Follow the steps below to install a certificate for securing payShield Manager connect...

Page 129: ...ts Reserved 1 Both Left and Right Administrators log on 2 Click the Secure State 3 Click the TLS Management tab 4 Select or drag and drop the file 5 Click Next 6 Continue as prompted 8 8 Operational The Operational section handles all functions relating to Local Master Keys ...

Page 130: ...ersions of the payShield Key Block LMKs These are either triple length Triple DES keys or 256 bit AES keys and key separation is provided by parameters in the key block which govern characteristics such as usage and exportability of the protected key Key Block LMKs are newer technology than Variant LMKs and so are still less widely used but provide security benefits This tab provides a table that ...

Page 131: ...o data is stored on the cards The Left and Right LMK cards are used for things that do store data on cards For example they are used for creating CTA shares LMK shares Settings To add authorizing officer functionality to your Left and Right LMK follow the steps below 1 Verify that you are in the Secure state 2 Navigate to the Operational tab ...

Page 132: ...ayShield 10K Installation and User Guide payShield 10K Installation and User Guide Thales Group Page 130 All Rights Reserved 3 Click Generate The Generate LMK screen displays showing the default settings ...

Page 134: ...0K Installation and User Guide payShield 10K Installation and User Guide Thales Group Page 132 All Rights Reserved 6 Click Next 7 Insert your Smart Card into the card reader enter the PIN and press OK 8 Click Next ...

Page 135: ...hales Group Page 133 All Rights Reserved 9 Remove your Smart Card from the card reader 10 Insert the second Smart Card into the card reader 11 Enter your PIN and press OK 12 Click OK 13 Remove the Smart Card from the card reader 14 Click Install ...

Page 136: ...10K Installation and User Guide payShield 10K Installation and User Guide Thales Group Page 134 All Rights Reserved 15 Enter the LMK Parameters 16 Click Next 17 Click your preferences or use the default settings ...

Page 137: ...er Guide Thales Group Page 135 All Rights Reserved 18 Click Next 19 Follow the prompt and insert the first LMK card 20 Enter your PIN and press OK 21 Insert the next LMK card enter your PIN and press OK 22 Click Next to install the LMK ...

Page 139: ...K you wish to verify 3 Enter the PIN 4 Select OK The HSM will read the LMK data from the card and when completed will display a table showing the following LMK Share Quorum Size Scheme Algorithm Status Checksum 8 8 1 3 Create an Authorizing Card When in Offline or Secure state you can create an Authorizing Card used to enter Authorized state for a RLMK card Prerequisite The payShield 10K is in the...

Page 140: ...ve the Authorizing Card upon completion 7 Click OK 8 8 1 4 Duplicate an LMK Card Prerequisite The payShield 10K is in the Secure state 1 Click Duplicate Card A system prompt displays 2 Insert the RLMK card that you wish to duplicate 3 Enter the card s PIN The system reads the RLMK card 4 Click OK A system prompt displays 5 Remove the RLMK card 6 Insert a prior commissioned card 7 Enter the card s ...

Page 141: ...ve been written 9 When complete click OK to return to the main LMK screen 8 8 1 6 Install an LMK from RLMK Card Set 1 Click Install 2 Specify the ID for the new LMK as well as a brief comment describing the LMK 3 Click Next 4 Insert the RLMK card containing the first LMK share for the new LMK 5 Enter the card s PIN 6 Continue inserting LMK share cards when prompted until the entire LMK has been re...

Page 142: ...utton next to the LMK you wish to replace 2 Click Replace 3 Specify the LMK ID for the new LMK as well as a brief comment describing the LMK 4 Click Next 5 Insert the RLMK card containing the first LMK share for the new LMK 6 Enter the card s PIN 7 Continue inserting LMK share cards when prompted until the entire LMK has been read from the card set 8 When all cards have been read click Next to ins...

Page 143: ...n prompted to confirm click OK 8 8 1 10 Set the Management LMK The Management LMK is a specified LMK when using Multiple LMKs that is used by the HSM for purposes that are not linked to a particular LMK for example authenticating audit trail records Prerequisite The payShield 10K is in the Secure state 1 Click the button next to the LMK that you want to make the Management LMK 2 Click Set Manageme...

Page 144: ... selected single or multi authorization from the initial security settings you will either begin to enter the authorized state in single authorization mode or be presented with a menu of authorized activities in multi authorization mode Note Remote authorization will not work if the Initial Security setting Use default card issuer password is checked The payShield Manager only allows Authorization...

Page 145: ...mands When you are finished Click ing commands click Next You will be prompted to enter a card containing the first of the LMK s authorizing PIN or passwords Insert the card and enter the PIN You will then be prompted to enter a card containing the second of the LMK s authorizing passwords Insert the card and enter the PIN Upon success the activities will be authorized following the rules for sing...

Page 146: ...ld LMK that has already been installed by clicking on the button next to the old LMK you wish to remove and Click Delete When prompted click OK to confirm that you want to delete 8 8 1 17 Replace an Old LMK In secure state and authorized under the desired LMK you may replace an installed old LMK by clicking on the button next to the LMK you wish to replace and Click Replace The ID for the old LMK ...

Page 148: ...last of either the Left or Right Key Card If both a Left and Right Key Card have logged into the HSM you may add a new card independent of the HSM s state by entering the Key Card s serial number and Certificate Number in the text box for the appropriate section and click the plus icon Select the Apply button after adding all the desired card serial numbers Note To get the Smart Card s Certificate...

Page 149: ...commission a card by clicking on the Commission Card button Click Next to begin When prompted enter the first CTA card and enter the card s PIN Continue entering cards when prompted until the entire CTA card set has been loaded When the entire CTA has been loaded you will be shown a table containing information on the security domain Click Next to commission your new cards When prompted enter the ...

Page 150: ...10K Installation and User Guide payShield 10K Installation and User Guide Thales Group Page 148 All Rights Reserved Your logged on in the Secure state 1 Navigate to Domain Security Domain 2 Click Commission Card ...

Page 151: ...tion and User Guide Thales Group Page 149 All Rights Reserved 3 Insert one card from your existing CTA into the card reader Note You must move efficiently as this operation will timeout 4 Click Next 5 Click Next 6 Click Next ...

Page 154: ...A card to be copied and enter the card s PIN When prompted remove the CTA card insert a prior commissioned card to write the CTA share onto and enter the card s PIN 8 9 2 4 Create a New Security Domain In secure state you may create a new Security Domain by clicking on the New Domain button You will be prompted to enter the following information Number of Security Domain Shares Quorum Size Country...

Page 155: ... to enter the new passphrase twice in the appropriate boxes and click Next Passphrases require the following At least 2 upper case characters At least 2 lower case characters At least 2 numbers At least 2 special characters Note In order to send the passphrases securely to the payShield the browser requires a commissioned Smart Card e g it can be any one of the security domain s commissioned Smart...

Page 156: ...nstallation and User Guide payShield 10K Installation and User Guide Thales Group Page 154 All Rights Reserved 8 10 Configuration Note Presence of a lock icon indicates the setting action requires proper authorization ...

Page 157: ...1 and 255 the default value is 4 8 10 2 Active Host Interface The current active Host interface for the HSM is emphasized as shown below In this case the Ethernet interface is the current active Host interface In offline or secure state you may choose the Ethernet or FICON as the active Host interface port by selecting the appropriate button completing the settings for the interface as explained b...

Page 158: ...o be set inde pendently The HSM s Host Ethernet interfaces support the delivery of Host commands via TCP IP or UDP IP The two Host Ethernet interfaces support speeds of 10 100 and 1 000 Mbits sec each and require unique IP addresses It is recommended that the Management Ethernet Port be on different IP subnet from the Host Ethernet Ports After making alterations to the Ethernet settings press Appl...

Page 159: ...ost Interface The following items are set up for each Host port MAC address A read only field showing the MAC address of the Host Ethernet port Dynamic If checked this port will be configured using DHCP instead of manually configured and the Network Name field becomes editable while the IP address Subnet mask and Gateway fields become read only Network Name The HSM will specify this user friendly ...

Page 160: ...not employed a default gateway address for the payShield 10K s Host port may be specified This is the IP address of the default gateway in the network Example 192 168 001 001 Configured Port Speed The speed and duplexity at which the Host port is to run Actual Port Speed A read only field that displays the actual speed as reported by the Ethernet interface 8 10 3 2 Access Control List ACL In this ...

Page 161: ...and minus icons in each section 8 10 3 3 TCP UDP In this section TCP and UDP protocol settings may be altered provided the unit is in offline or secure state The following options are available Protocol Specify which protocols TCP and or UDP the HSM should accept as incoming connections If unchecked any incoming traffic conforming to that protocol will be discarded Note that it is not valid to un ...

Page 162: ...munications Port The base port to be used for communication with connecting Hosts Table 5 Port Settings Port Protocol Purpose xxxx TCP UDP Well known port for command traffic between host and payShield as defined in host port parameters Default is 1500 Use of this port results in the default LMK being used unless the command explicitly identifies another LMK xxxx n TCP UDP Well known port for comm...

Page 163: ...lained below and selecting the Apply button to commit the changes to the HSM Once configured and still offline or in secure state you may print a test page to the printer using the Print Test Page button Options Printer Port Click the serial or parallel USB adapter that the printer is connected to Note that once the adapter is designated as a printer interface it cannot be used as a Console Port P...

Page 164: ...Default 115200 Data Bits serial only The number of bits per character Default 8 Stop Bits serial only Number of bits sent at the end of each character Default 1 Parity serial only Means of checking for errors in transmission May be set to None Odd or Even Default None Flow Control Specifies whether to use any hardware or software mechanisms to control the flow of data Default None Offline Control ...

Page 165: ...ou may alter the security configuration of the unit when it is in a secure state by adjusting the settings explained below and selecting the Apply button to commit the changes to the HSM Note that changing any settings in the Initial tab result is deleting all the LMKs stored in the unit General Tab Initial Tab ...

Page 167: ...or secure state Select the Apply button to commit the changes to the HSM 8 10 5 1 Management Interface In this section network settings may be adjusted for the Management Ethernet interface The following options are available MAC address A read only field showing the MAC address of the management port Dynamic IP Configuration If checked the management port will be configured using DHCP instead of ...

Page 168: ... IP address on the management network Example 192 168 002 010 Subnet mask When DHCP is not employed you may specify a subnet mask for the payShield 10K s management port This is used to define the network class It is highly recommended that the management network and Host network are not the same Example 255 255 255 000 Gateway When DHCP is not employed you may specify a default gateway address fo...

Page 169: ...detects no user activity After the configured time has elapsed the inactive user will be automatically logged out Session Timeout This timeout begins when you logs in and continuously counts down irrespective of activity When the timer reaches 0 you is automatically logged out The Time Remaining counter seeded with this value is located in the bottom right of the management screen As the time appr...

Page 170: ...r Guide Thales Group Page 168 All Rights Reserved 8 10 5 3 Management TLS Certificate This is the certificate that was created when establishing the security domain CTA 8 10 6 General Settings General Settings include tabs for PIN Blocks Alarms Fraud Date and Time Miscellaneous ...

Page 171: ...ed on the HSM when in offline or secure state A Host system would typically not use all the PIN Block formats supported by the HSM A simple but effective method of locking down the HSM is to disable un check all unused PIN block formats the subsequent use of a disabled format would result in an error code 69 being returned Select the Apply button top commit the changes to the HSM ...

Page 172: ...alarm causing the LMKs to be deleted and the unit will automatically reboot and attempt to clear the tamper state If the alarm condition persists the unit will stop attempting to clear the tamper after 2 attempts and will remain powered on with limited functionality such that LMKs cannot be loaded Deletion of the LMKs prevents the payShield 10K from executing Host commands or console commands whic...

Page 173: ...eleration in all three axes ignoring acceleration due to gravity g The filter is dynamically updated as the device is tilted Motion Sensor tilt threshold values Low Sensitivity 171 milli g Tilt angle 10 0 degrees 1 degree Medium Sensitivity 65 milli g Tilt angle 6 0 degrees 1 degree High Sensitivity 25 milli g Tilt angle 1 5 degrees 1 degree 8 10 6 3 General Fraud This tab allows you to configure ...

Page 174: ...allows you to set the system date and time used by the HSM for audit log entries when the unit is in secure state and properly authorized To set the date and time click the gear icon In the dialogue box that appears Click the new date and time values and click Apply Note Setting the date or time back may prevent the payShield Manager from allowing a user to login Care must be taken when changing t...

Page 175: ... which console and Host commands are to be enabled and which disabled when the unit is in secure state Commands can be enabled or disabled by checking or un checking the appropriate box es in the tables Checked items are enabled unchecked items are disabled A simple but effective method of locking down the HSM is to disable all unused commands the subsequent use of disabled commands would result i...

Page 176: ...payShield 10K Installation and User Guide payShield 10K Installation and User Guide Thales Group Page 174 All Rights Reserved After making changes press the Apply button to commit the changes to the HSM ...

Page 177: ...M s Audit Log The Auditing accordion allows users to Click which items are to be audited and which are not when the unit is offline or in secure state and properly authorized After making changes press the Apply button to commit the changes to the HSM 8 10 8 1 Audit General Certain sensitive functions such as key management authorizations configurations and diagnostic tests are always recorded in ...

Page 178: ...alue Note Notification is provided when the audit log is 80 95 and 100 full Note Typically you do not audit commands that run all the time 8 10 8 2 Audit Console Commands It is possible to audit any of the console commands Activities can be enabled or disabled by checking or unchecking the appropriate box es Checked items are enabled unchecked items are disabled ...

Page 179: ... Rights Reserved 8 10 8 3 Audit Host Commands It is possible to audit any of the Host commands available in the HSM s license Activities can be enabled or disabled by checking or un checking the appropriate box es Checked items are enabled unchecked items are disabled ...

Page 180: ... payShield 10K Installation and User Guide Thales Group Page 178 All Rights Reserved 8 10 8 4 Audit Management Commands In the Manager tab you may enable auditing of all HSM Manager events such as logins state changes and configuration changes ...

Page 181: ...t command volumes Current status of HSM health check factors Note Only SNMP V3 is supported SNMP State This section controls the state of the SNMP service using the following fields Enabled Check this box to enable SNMP reporting uncheck it to disable Enabled on Port Which Ethernet port to use for SNMP traffic You must specify the authentication and privacy algorithms to be used To add a V3 user e...

Page 182: ...on data from a settings Smart Card or reset the HSM to its Factory Default settings Saving your parameter settings allows you to make changes and then if necessary revert to your previous config uration Saving or restoring settings must be done in secure state with proper authorization You may Reset to Factory Settings when in secure state 8 11 Virtual Console The virtual console provides a reduce...

Page 183: ... The following commands may not be used in the virtual console A CO DC EJECT FC GK GS LK LO NP RC RS SS VC XA XD XE XH XI XK XR XT XX and XZ Note In the current implementation of the virtual console a cursor may not be present However the virtual console is still active and functional ...

Page 185: ... The multiple LMK facility can be used to provide separation between multiple clients applications or purposes serviced on the same HSM and they also make the process of migrating LMKs easier 9 3 Overview of the process The LMK Migration process takes keys which are encrypted under an old LMK and re encrypts them under a new LMK Both the old and the new LMKs must be installed in the payShield 10K ...

Page 186: ...ve storage and load the new LMK from component cards into LMK Key Change storage or load the new LMK from component cards into LMK Live storage and load the old LMK from components cards into LMK Key Change storage in the same HSM 3 Re encrypt the operational keys from the old LMK to the new LMK and hold these in a pending new key database 4 Re encrypt PINs from the old LMK to the new LMK and hold...

Page 187: ...anager and the card reader attached to the remote management PC The principles are the same for both types of card although the detail of the processes is different The two types of card are incompatible although either type of card can be created from the other 9 5 Formatting LMK Smart Cards 9 5 1 HSM LMK Cards Before they can be written to Smart Cards must be formatted Cards which have been used...

Page 188: ...er s Operational LMK Operations Local Master Keys tab These cards use a quorum i e m of n approach to define how many of the cards must be used when loading an LMK The operator provides the following information when generating the LMK Number of LMK shares i e n Default 2 Number of shares to rebuild i e m Default 2 Key scheme Variant or Key Block Algorithm Status Live or Test 9 7 Creating Copies o...

Page 189: ...e Console 9 8 1 1 Loading or forming the LMK The LMK is loaded using either the LK console command if the new LMK is to be loaded into LMK Live storage or the LN console command if the new LMK is to be loaded into LMK Key Change storage The payShield 10K must be in the Secure state In addition if the LN console command is being used then the HSM must be in the Authorized state If multiple authoriz...

Page 190: ...them to load into the HSM the new LMK that keys and data to be re encrypted to To migrate keys from encryption under an old current LMK to encryption under the new LMK we also need to have the old LMK loaded in the HSM The old LMK can be left in LMK Lives storage or loaded into LMK Key Change Storage depending on the approach being taken If the old LMK is to be loaded into Key Change Storage this ...

Page 191: ...rom the old key database Sends the encrypted key to the HSM using the BW host command Receives the BX response from the HSM containing the operational key encrypted under the new LMK Puts the operational key encrypted under the new LMK into the new key database 9 10 1 BW Host command This section examines the BW host command as it is used to convert an operational key encrypted under an old LMK of...

Page 192: ... 24 25 Key Type 007 08 LMK pair 26 27 Key Type 008 09 LMK pair 28 29 Key Type 009 0A LMK pair 30 31 Key Type 00A 0B LMK pair 32 33 Key Type 00B 10 Variant 1 of LMK pair 04 05 Key Type 100 42 Variant 4 of LMK pair 14 15 Key Type 402 FF Use this value where the key type is specified after the first delimiter below This allows key types other than those listed above to be specified Key length flag 1 ...

Page 193: ... multiple LMKs on the same HSM this allows the ID of the LMK being migrated to be selected Minimum value 00 maximum value is defined by license This field must be present if the above Delimiter is present If the field is not present then the default LMK will be used End Message Delimiter 1 C Must be present if a message trailer is present Value X 19 Message Trailer n A Optional The contents of the...

Page 194: ...icating the general outcome of the BW command 00 No error 04 Invalid key type code 05 Invalid key length flag 10 Key parity error 44 migration not allowed key migration requested when the security setting Enforce key type 002 separation for PCI HSM compliance has the value Y 45 Invalid key migration destination key type 68 Command disabled or any standard error code Key 16 32 H or 1 A 32 48 H The ...

Page 195: ...mand when it is used to migrate from Variant type LMKs to Key Block type LMKs Only the differences compared to Variant LMK Variant LMK migration are described Field Length Type Notes Message Header m A As for Variant LMK Variant LMK Command Code 2 A Must have the value BW Key Type code 2 H As for Variant LMK Variant LMK Key length flag 1 N As for Variant LMK Variant LMK Key 16 32 H or 1 A 32 48 H ...

Page 196: ...lity for the key encrypted under the Key Bock LMK This information is included in the Key Block header and should be determined using the Exportability Table This field determines how the operational key can be exported e g no export allowed may only be exported as a Key Block Number of Optional Blocks 2 N A value from 00 to 08 identifying how many optional data blocks the user wants to add into t...

Page 197: ...g BX response to the host Field Length Type Notes Message Header m A As for Variant LMK Variant LMK Response Code 2 A Has the value BX As for Variant LMK Variant LMK Error code 2 N As for Variant LMK Variant LMK Key 1 A n A The operational key encrypted under the new Key Block LMK End Message Delimiter 1 C As for Variant LMK Variant LMK Message Trailer n A As for Variant LMK Variant LMK ...

Page 198: ...d Length Type Notes Message Header m A As for Variant LMK Key Block LMK Command Code 2 A Must have the value BW Key Type code 2 H Must be set to FF Key length flag 1 H Must be set to F Key 1 A n A The operational key to be translated encrypted under the old Key Block LMK Delimiter 1 A Must have value Key Type 3 H Must be set to FFF Delimiter 1 A As for Variant LMK Key Block LMK Reserved 1 A As for...

Page 199: ...ier 2 A As for Variant LMK Key Block LMK Optional Block Length 2H As for Variant LMK Key Block LMK Optional Data Block N A As for Variant LMK Key Block LMK End Message Delimiter 1 C As for Variant LMK Key Block LMK Message Trailer n A As for Variant LMK Key Block LMK Field Length Type Notes Message Header m A As for Variant LMK Key Block LMK Response Code 2 A Has the value BX As for Variant LMK Ke...

Page 200: ...MK Live storage This can be done by using the BG host command A host application will take each PIN from the old PIN database re encrypt it using the BG host command and store the re encrypted PIN into the new PIN database 9 15 1 BG Host Command The structure of the BG host command is as follows Field Length Type Notes Message Header m A This field contains whatever the user wants The length of th...

Page 201: ...equired by the user and is returned unchanged in the response Maximum length 32 characters Field Length Type Notes Message Header m A This is a play back of the header provided in the BG command Response Code 2 A Has the value BH Error code 2 N Indicating the general outcome of the BG command 00 No error 68 Command disabled or any standard error code PIN L2 N Or L2 H The PIN encrypted under the ne...

Page 202: ...ontains whatever the user wants The length of the field is defined using the CH console command or Configuration Host Settings in payShield Manager It is subsequently returned unchanged in the response to the host Command Code 2 A Most have the value LO Decimalization Table old LMK 16 H A decimalization table encrypted under the old LMK Delimiter 1 A Value Optional if present the following field m...

Page 203: ... the databases Production host applications are still using the old databases of operational keys PINs and decimalization tables In order to start using the new LMK the following changes must be synchronized Host production applications start using the new databases of operational keys PINs and decimalization tables If the re encryption of keys was done on an HSM with the new LMK in Live storage t...

Page 204: ...ve LMK at LMK 00 LMK 00 is set up as the default LMK This means that it is the LMK that is used by default in host commands where no LMK is identified this provides backwards compatibility to applications developed before the multiple LMK facility was introduced The future new LMK is loaded as LMK 01 in LMK Live storage see Loading the new LMK The existing old LMK which is LMK 00 and is being used...

Page 205: ...ould be deleted once it is no longer needed There are multiple ways of doing this 9 19 1 1 Using the console The LMK can be deleted from Key Change Storage using the DO console command The payShield 10K must be in Secure state 9 19 1 2 Using payShield Manager The LMK is deleted using the button displayed against the LMK in payShield Manager s Operational LMK Operations Key Change Storage tab This ...

Page 206: ...be present LMK Identifier 2 N Where the user is using multiple LMKs on the same HSM this allows the host to select which Old LMK is to be deleted Minimum value 00 maximum value is defined by license This field must be present if the above Delimiter is present If the field is not present then the default LMK will be used End Message Delimiter 1 C Must be present if a message trailer is present Valu...

Page 207: ...ultiple authorize state environment the activity to be authorized is admin console Note that the DM console command also deletes the relevant old key in Key Change Storage avoiding the need to do this separately 9 19 2 2 Using payShield Manager The LMK is deleted using the button displayed against the LMK in payShield Manager s Operational LMK Operations Local Master Keys tab This can only be done...

Page 209: ...by default Refer to the payShield 10K Host Command Manual Enabling and disabling console commands Command syntax or C command code Where enables and disables You can use the wild card character as character 1 or 2 of the command code For example all console commands S all console commands that begin with S Multiple commands can be issued with a cumulative effect For example C disables all console ...

Page 210: ...w Management Port Configuration QM 255 Configure Auxiliary Port CA 256 View Auxiliary Port Configuration QA 258 Configure Alarms CL 259 View Alarm Configuration QL 260 View Change Instantaneous Utilization Period UTILCFG 261 Suspend Resume Collection of Utilization Data UTILENABLE 262 Suspend Resume Collection of Health Check Counts HEALTHENABLE 263 View SNMP Settings SNMP 264 Add an SNMP User SNM...

Page 211: ...K GT 318 Operational Commands 320 Authorization Commands 320 Enter the Authorized State A 321 Cancel the Authorized State C 323 Authorize Activity A 324 Cancel Authorized Activity C 334 View Authorized Activities VA 336 Logging Commands 337 Display the Error Log ERRLOG 338 Clear the Error Log CLEARERR 340 Display the Audit Log AUDITLOG 341 Clear the Audit Log CLEARAUDIT 343 Audit Options AUDITOPTI...

Page 212: ...nts of a Smartcard VC 405 Change a Smartcard PIN NP 406 Read Unidentifiable Smartcard Details RC 407 Eject a Smartcard EJECT 408 DES Calculator Commands 409 Single Length Key Calculator N 410 Double Length Key Calculator 411 Triple Length Key Calculator T 412 payShield Manager Commands 413 Add a RACC to the whitelist XA 414 Decommission the HSM XD 415 Remove RACC from the whitelist XE 416 Commissi...

Page 213: ... s SV 435 Delete Installed Certificate s SD 438 Generate HRK SK 439 Change HRK Passphrase SP 440 Restore HRK SL 441 KMD Support Commands 442 Generate KTK Components KM 443 Install KTK KN 444 View KTK Table KT 445 Import Key encrypted under KTK KK 446 Delete KTK KD 447 Error Responses Excluded from Audit Log 448 ...

Page 214: ... 334 CA Configure Auxiliary Port 256 CH Configure Host Port 239 CK Generate a Check Value 386 CL Configure Alarms 259 CLEARAUDIT Clear the Audit Log 343 CLEARERR Clear the Error Log 340 CM Configure Management Port 253 CO Create an Authorizing Officer Smartcard 404 CONFIGACL Host Port Access Control List ACL Configuration 245 CONFIGCMDS Configure Commands 221 CONFIGPB Configure PIN Block Formats 2...

Page 215: ...and Write Components to Smartcard 360 GT Generate Test LMK 318 HEALTHENABLE Suspend Resume Collection of Health Check Counts 263 HEALTHSTAT View Reset Health Check Counts 290 IK Import Key 378 KD Delete KTK 447 KE Export Key 382 KG Generate Key 374 KK Import Key encrypted under KTK 446 KM Generate KTK Components 443 KN Install KTK 444 KT View KTK Table 445 LK Load LMK 297 LO Load Old LMK into Key ...

Page 216: ... RS Retrieve HSM Settings from a Smartcard 353 SD Delete Installed Certificate s 438 SE Export HSM Certificate s Chain of Trust 433 SETTIME Set the Time 348 SG Generate Certificate Signing Request 428 SI Import Certificate 431 SK Generate HRK 439 SL Restore HRK 441 SP Change HRK Passphrase 440 SNMP View SNMP Settings 264 SNMPADD Add an SNMP User 265 SNMPDEL Delete an SNMP User 266 SS Save HSM Sett...

Page 217: ...311 VA View Authorized Activities 336 VC Verify the Contents of a Smartcard 405 VR View Software Revision Number 279 VT View LMK Table 315 XA Add a RACC to the whitelist 414 XD Decommission the HSM 415 XE Remove RACC from the whitelist 416 XH Commission the HSM 417 XI Generate Customer Trust Authority 418 XK Make an RACC left or right key 311 XR Commission a smartcard 421 XT Transfer existing LMK ...

Page 218: ...Port Access Control List ACL Configuration CONFIGACL 245 Configure Printer Port CP 248 View Printer Port Configuration QP 251 Configure Management Port CM 253 View Management Port Configuration QM 255 Configure Auxiliary Port CA 256 View Auxiliary Port Configuration QA 258 Configure Alarms CL 259 View Alarm Configuration QL 260 View Change Instantaneous Utilization Period UTILCFG 261 Suspend Resum...

Page 219: ...the settings can be re applied after the HSM s return This command also reports whether the HSM is currently configured as it left the factory Authorization Authorization is not required The HSM must be in the secure state Inputs Confirmation that Reset is required Outputs Whether HSM is currently in its factory default state Confirmation of Reset Notes This utility cannot reset firmware or licens...

Page 220: ...to the factory default settings Y N Y Return You selected Yes please confirm to Proceed with reset Y N Y Return Return to factory default state complete The HSM will now reboot automatically This console is exiting due to Terminated Example 2 Secure RESET Return Reset HSM to factory settings Y N Y Return The unit is currently in its factory default state YES Resetting the unit will remove all cust...

Page 221: ...s 1 Software update 2 Install new license Your selection 1 Return This operation will terminate your session and reboot the payShield Do you want to proceed Y N Y Return Attached USB Mass storage devices Ultra USB 3 0 The following update files are available 1 ps10k_update_1 pti 2 ps10k_update_2 pti Your selection choose 0 to exit 1 Return The following update will be applied ps10k_update_1 pti Co...

Page 222: ...all new license Your selection 2 Return Attached USB Mass storage devices Ultra USB 3 0 The following License files are available 1 C4665271228Q licence Your selection 1 Return Are you sure you want to install license C4665271228Q licence Y N Y Return New HSM License is currently being installed Please do not remove power from the HSM New HSM License has been successfully installed ...

Page 223: ... this matches all command codes of the specified type starting with the given first character Authorization The HSM must be in the secure state to enable disable host and console commands The current status of enablement of host and console commands can be viewed in any state Inputs List of host commands to enable List of console commands to enable List of host commands to disable List of console ...

Page 224: ...xample demonstrates the use of the CONFIGCMDS console command using the wildcard character to disable all non core host commands and then enable just those host commands beginning with A Secure CONFIGCMDS Return List of enabled Host commands A0 A4 GG GY List of enabled Console commands GC GS EC FK Enter command code e g CDE or Q to Quit H Return List of enabled Host commands List of enabled Consol...

Page 225: ...bled PIN Block formats 01 ISO 9564 1 ANSI X9 8 format 0 05 ISO 9564 1 format 1 35 MasterCard Pay Now and Pay Later format 41 Visa Amex new PIN only format 42 Visa Amex new old PIN format 47 ISO 9564 1 ANSI X9 8 format 3 48 ISO 9564 1 PIN Block Format 4 AES Online Example 2 This example demonstrates the use of the CONFIGPB console command to enable the use of HSM PIN Block format 03 Secure CONFIGPB...

Page 226: ...s Reserved 47 ISO 9564 1 ANSI X9 8 format 3 48 ISO 9564 1 PIN Block Format 4 AES Enter or followed by PIN Block format or Q to Quit Q Return Save PIN BLOCK settings to smart card Y N Y Return Insert card and press ENTER Return PIN BLOCK settings saved to the smartcard Secure ...

Page 227: ...ion batch size 1 1024 a one to four digit number range 1 to 1024 Single double length ZMKs S D S or D Decimalization table Encrypted Plaintext E P E Enable Decimalization Table Checks Y N Y or N PIN encryption algorithm A B A or B Whether to use the default Card Issuer password or to enter a different value of 8 alphanumeric printable characters Authorized State required when importing DES key und...

Page 228: ...settings chosen see examples below Errors Invalid Entry Card not formatted to save retrieve HSM settings Attempt with another card Y N Notes For software versions which have been PCI HSM certified in order to be PCI HSM compliant a number of security settings must have specific values as follows o Disable Single DES must be Y o Card password authorization local must be C o Restrict PIN block usage...

Page 229: ...port oN ofF F Return Transaction Key Scheme Racal Australian or None R A N N Return User storage key length S D T V SINGLE Return Display general information on payShield Manager Landing page Y N Y Return Default LMK identifier 0 4 0 Return Management LMK identifier 0 4 0 Return LMKs must be erased before remaining parameters can be set Erase LMKs Y N N Return Save SECURITY settings to smartcard Y...

Page 230: ...length ZMKs S D DOUBLE Return Decimalization table Encrypted Plaintext E P P Return Enable Decimalization Table Checks Y N YES Return PIN encryption algorithm A B A Return Use default card issuer password Y N YES Y Return Authorized State required when importing DES key under RSA key Y N YES Return Minimum HMAC key length in bytes 5 64 10 Return Enable PKCS 11 import and export for HMAC keys Y N Y...

Page 231: ... double or triple length key Y N YES The following setting is not PCI HSM compliant Disable Single DES Y N NO Card password authorization local C P C Restrict PIN block usage for PCI HSM compliance Y N YES The following setting is not PCI HSM compliant Enforce key type 002 separation for PCI HSM compliance Y N NO Enforce Authorization Time Limit Y N YES The following setting is not PCI HSM complia...

Page 232: ...ion Table Checks Y N YES Return PIN encryption algorithm A B A Return Use default card issuer password Y N YES N Return Enter card issuer password local Return Password must be 8 characters Enter card issuer password local Return Confirm card issuer password Return Authorized State required when importing DES key under RSA key Y N YES Return Minimum HMAC key length in bytes 5 64 10 Return Enable P...

Page 233: ... for PCI HSM compliance Y N NO Y Return Enforce Authorization Time Limit Y N YES Return Enforce Multiple Key Components Y N YES Return Enforce PCI HSMv3 Key Equivalence for Key Wrapping Y N YES Return Enforce minimum key strength of 1024 bits for RSA signature verification Y N YES Return Enforce minimum key strength of 2048 bits for RSA Y N YES Return These settings will all become PCI HSM complia...

Page 234: ...alization Table Checks Y N YES Return PIN encryption algorithm A B A Return Use default card issuer password Y N YES Y Return Authorized State required when importing DES key under RSA key Y N YES Return Minimum HMAC key length in bytes 5 64 10 Return Enable PKCS 11 import and export for HMAC keys Y N YES Return Enable ANSI X9 17 import and export for HMAC keys Y N YES Return Enable ZEK TEK encryp...

Page 235: ...nd cannot be changed Prevent single DES keys masquerading as double or triple length key YES Single DES DISABLED Card password authorization local C Restrict PIN block usage for PCI HSM Compliance YES Enforce key type separation for PCI HSM compliance YES Enforce Authorization Time Limit YES Enforce Multiple Key Components YES Enforce PCI HSMv3 Key Equivalence for Key Wrapping YES Enforce minimum ...

Page 236: ...mpliant a number of security settings must have specific values as follows o Disable Single DES must be Y o Card password authorization local must be C o Restrict PIN block usage for PCI HSM compliance must be Y o Enforce key type 002 separation for PCI HSM compliance must be Y o Enforce Authorization Time Limit must be Y o Enforce Multiple Key Components must be Y o Enforce PCI HSMv3 Key Equivale...

Page 237: ...rt and export for HMAC keys NO Enable ZEK TEK encryption of ASCII data or Binary data or None NONE Restrict key check values to 6 hex chars YES Enable multiple authorized activities YES Allow persistent authorized activities NO Enable variable length PIN offset NO Enable weak PIN checking NO Enable PIN block Format 34 as output format for PIN translations to ZPK NO Enable translation of account nu...

Page 238: ...or PCI HSM Compliance NO Enforce key type 002 separation for PCI HSM compliance NO Enforce Authorization Time Limit YES Enforce Multiple Key Components YES Enforce PCI HSMv3 Key Equivalence for Key Wrapping YES Enforce minimum key strength of 1024 bits for RSA signature verification YES Enforce minimum key strength of 2048 bits for RSA YES Online ...

Page 239: ...e multiple authorized activities YES Allow persistent authorized activities NO Enable variable length PIN offset NO Enable weak PIN checking NO Enable PIN block Format 34 as output format for PIN translations to ZPK NO Enable translation of account number for LMK encrypted PINs NO Use HSM clock for date time validation YES Additional padding to disguise key length NO Key export and import in trust...

Page 240: ...10K Installation and User Guide Thales Group Page 238 All Rights Reserved Enforce minimum key strength of 1024 bits for RSA signature verification YES Enforce minimum key strength of 2048 bits for RSA YES Online ...

Page 241: ...nce is normally achieved with 4 8 connections depending on the HSM performance model and the commands being processed Running with only a single thread can significantly reduce the throughput of the HSM and means that you will not be able to reach the rated throughput for the machine It is recommended that the Host Ethernet Ports the Management Ethernet Port and the Auxiliary Ethernet Port are all...

Page 242: ... Enable TLS Y N N Y Return ACL Enabled Y N N Y Return Number of connections 1 64 64 5 Return Enter TCP keep alive timeout 1 120 minutes 120 Return Number of interfaces 1 2 2 Return Interface Number 1 IP Configuration Method D HCP or S tatic DHCP S Return Enter IP Address 192 168 200 36 192 168 200 100 Return Enter subnet mask 255 255 255 0 Return Enter Default Gateway Address 192 168 200 3 Return ...

Page 243: ...on The current setting is in parentheses Message header length 1 255 4 Return Disable host connections when no LMKs are installed Y N N Return Host interface E thernet E Return Enter Well Known Port 1500 Return Enter Well Known TLS Port 2500 Return UDP Y N Y N Return TCP Y N Y N Return Enable TLS Y N Y Y Return ACL Enabled Y N N N Return Number of connections 1 64 64 5 Return Enter TCP keep alive ...

Page 244: ...Port This is the publicized TCP Port address of the HSM The Well Known TLS Port This is the publicized TLS Port address of the HSM Transport method TCP UDP TLS Number of TCP connections Each host interface supports this number of connections The TCP Keep_Alive value A number in minutes Whether ACLs are being used The number of host interfaces configured The IP address for each host interface and h...

Page 245: ...000baseT full duplex Interface Number 2 IP Configuration Method static IP address 192 168 202 110 Subnet mask 255 255 255 0 Default Gateway 192 168 202 3 MAC address 00 d0 fa 04 27 63 Port speed 1000baseT full duplex Online Example 2 In this example Ethernet communications using TCP IP and TLS are selected but UDP and unprotected TCP traffic is not allowed i e all traffic must be TLS protected The...

Page 247: ...ies Entries cannot be amended Each of the 2 host ports has its own ACL set Entries can be of the following types o A single IP address o An IP address range o An IP address mask Multiple types of entry can co exist Multiple entries of each type are allowed The IP addresses in an entry can overlap with IP addresses in other entries Outputs Confirmations and errors only Errors IP address formats are...

Page 248: ...ete Quit A D Q A Return Type Single Range Mask S R M S Return IP Address 10 10 41 10 Return Access control list for Interface 1 Single 1 10 10 41 10 Range None Mask None Add Delete Quit A D Q A Return Type Single Range Mask S R M M Return Base IP Address 10 10 40 0 Return Mask 255 255 255 0 Return Access control list for Interface 1 Single 1 10 10 41 10 Range None Mask 2 10 10 40 0 to 10 10 40 255...

Page 249: ...5 255 0 Add Delete Quit A D Q Q Return Secure Example 2 In this example both host interfaces have been configured in the CH command The user simply views the existing ACL for host interface 2 and then exits Secure CONFIGACL Return Interface 1 10 10 100 216 Interface 2 10 10 101 216 Select Interface 1 2 2 Return Access control list for Interface 2 Single 1 10 10 40 22 2 10 10 40 23 3 10 10 40 23 Ra...

Page 250: ...ted using a USB to serial converter cable available from Thales A parallel printer may be connected using a USB to parallel converter cable available from Thales The new settings come into effect immediately after the command has completed Authorization This command does not require any authorization Inputs CR LF order standard or reversed Y or N Selected printer connection Setup Parameters depend...

Page 251: ... BAUD RATES 1 1200 2 2400 3 4800 4 9600 current value 5 19200 6 38400 7 57600 8 115200 Device baud rate ENTER for no change 8 Return DATA BITS 1 5 2 6 3 7 4 8 current value Device data bits ENTER for no change Return STOP BITS 1 1 current value 2 2 Device stop bits ENTER for no change Return PARITY 1 none current value 2 odd 3 even Device parity ENTER for no change Return Flow Control 1 none 2 sof...

Page 252: ...for no change 1 Return Timeout in milliseconds min 1000 max 86400000 1000 Return Delay in milliseconds min 0 max 7200000 0 Return Print test page Y N Y Return Offline Example 3 This example demonstrates the configuration of a printer attached to the HSM via a native USB cable Offline CP Return Reverse the LF CR order Y N N Return The following possible printer devices were found in the system 0 No...

Page 253: ...inter USB Serial Controller by PrintCo located at Rear USB Port has been validated BAUD RATE 38400 DATA BITS 8 STOP BITS 1 PARITY none Flow Control XON XOFF Offline Control none LF CR order reversed NO Timeout 12000 milliseconds Delay 0 milliseconds Print test page Y N N Return Online Example 2 This example demonstrates viewing the configuration of a printer attached to the HSM via a USB to parall...

Page 255: ...SM must be in the offline or secure state to run this command Inputs Whether IP address is manually or automatically derived o If manually derived then the address details must be entered o If using DHCP then a network name may be entered Ethernet speed setting Enable local or remote payShield Manager connection Outputs None Errors None Example 1 In this example the management port has its IP addr...

Page 256: ...now Y N Y Return Offline Example 2 In this example the management port has its IP address set up automatically by a DHCP server Secure CM Return Management Ethernet Interface IP Configuration Method D HCP or S tatic DHCP Return Network Name B4665271226O mgmt HSM Mngmnt Return Enter speed setting for this port SPEED OPTIONS 0 Autoselect 1 10BaseT half duplex 2 10BaseT full duplex 3 100BaseTX half d...

Page 257: ...te payShield Manager connection Errors None Example 1 Online QM Return Management Ethernet Interface IP Configuration Method static IP address 192 168 200 90 Subnet mask 255 255 255 0 Default Gateway 192 168 200 1 MAC address 00 d0 fa 04 27 64 Port speed 1000baseT full duplex payShield Manager connection Disabled Online Example 2 In this example the management port has its IP address set up automa...

Page 258: ...d Inputs Whether IP address is manually or automatically derived o If manually derived then the address details must be entered o If using DHCP then a network name may be entered Ethernet speed setting Outputs None Errors None Example 1 In this example the auxiliary port has its IP address set up manually Offline CA Return Auxiliary Ethernet Interface IP Configuration Method D HCP or S tatic DHCP ...

Page 259: ...iliary Ethernet Interface IP Configuration Method D HCP or S tatic DHCP Return Network Name B4665271226O Aux HSM Aux Return Enter speed setting for this port SPEED OPTIONS 0 Autoselect 1 10BaseT half duplex 2 10BaseT full duplex 3 100BaseTX half duplex 4 100BaseTX full duplex 5 1000BaseT half duplex 6 1000BaseT full duplex Speed setting 0 Return Would you like to apply the changes now Y N Y Return...

Page 260: ...Ethernet speed setting Errors None Example 1 Online QA Return Auxiliary Ethernet Interface IP Configuration Method static IP address 192 168 300 90 Subnet mask 255 255 255 0 Default Gateway 192 168 300 1 MAC address 00 d0 fa 04 43 33 Port speed Ethernet 1000baseT full duplex Online Example 2 In this example the auxiliary port has its IP address set up automatically by a DHCP server Online QA Retur...

Page 261: ...nd Inputs Motion alarm status Low Medium High or Off Save settings to smartcard Yes or No Outputs None Errors Card not formatted to save retrieve HSM settings Attempt with another card Y N Example 1 In this example the setting is being made to a less secure setting Secure CL Return Please make a selection The current setting is in parentheses Motion alarm Low Med High OFF MED F Return LMKs must be...

Page 262: ...ure Authorization Not required Command QL Function To display details of the alarm configuration of the HSM Authorization This command does not require any authorization Inputs None Outputs The Temperature alarm status The Motion alarm status Errors None Example Online QL Return Temperature alarm enabled Motion alarm enabled high sensitivity Online ...

Page 263: ...ization The HSM does not require any authorization to run this command Inputs Amended value for Instantaneous Utilization Period It is suggested that the period should not be set to less than 10 seconds as data collected over very short periods will not be indicative of actual activity Outputs Text messages as in example below Note that resetting of the value requires the HSM to be in Offline or S...

Page 264: ...osed It ensures that tps rates are not diluted by averaging command volumes over the total elapsed time but only over the time that data is being collected Authorization The HSM does not require any authorization to run this command Inputs Whether to change the current state Outputs Text messages as in example below Notes Following a software load collection of Utilization Data will be suspended D...

Page 265: ...on to be suspended if for example data is not required Authorization The HSM does not require any authorization to run this command Inputs Whether to change the current state Outputs Text messages as in example below Notes Following a software load collection of Health Check counts will be suspended Example Offline HEALTHENABLE Return Health check statistics gathering is currently turned ON Suspen...

Page 266: ...nd Health Check data via SNMP Which Ethernet port to use for SNMP traffic Outputs Text messages as in example below Notes The HSM is delivered with no Users set up Example Secure SNMP Return V3 Users None SNMP is currently disabled Enable Y N Y Return 0 Management Port 1 Auxiliary Port SNMP port 0 1 ENTER for no change 0 Return sysName Less than 256 characters payShield 10K Return sysDescr Less th...

Page 267: ...thm Outputs Text messages as in example below Notes The HSM is delivered with no Users set up Example Secure SNMPADD Return Enter user name Less than 20 characters SHADES Return Authentication algorithm N one M D5 S HA S Return Enter authentication password 8 and 20 characters Password1 Return Privacy algorithm N one D ES A ES A Return Enter privacy password 8 and 20 characters Password2 Return Th...

Page 268: ...tate Inputs The index of the user to be deleted Outputs Text messages as in example below Notes The HSM is delivered with no Users set up Example Secure SNMPDEL Return SNMP user table 0 User public Authentication none Privacy none 1 User shades Authentication SHA Privacy DES 2 User none Authentication none Privacy none 3 User md5 Authentication MD5 Privacy none Select user to delete 0 3 1 Return U...

Page 269: ...SNMP Traps Authorization The HSM does not require any authorization to run this command Inputs Whether to Enable Disable individual trap configurations Outputs Text messages as in the example below Notes The HSM is delivered with no SNMP Traps configured Example 1 Offline TRAP Return Trap table is empty no SNMP traps are configured Enable Y N Y Return Offline Example 2 Offline TRAP Return Entry IP...

Page 270: ...s in example below Errors User table is empty please add a V3 user first Failed to add trap destination Notes The HSM is delivered with no SNMP traps configured Example 1 Secure TRAPADD Return Enter IP Address 192 168 100 133 Return Enter Port 162 Return SNMP user table 0 User User1 Authentication SHA Privacy DES Select user 0 0 0 Return The following entry will be added to the table 192 168 100 1...

Page 271: ...the Secure state Inputs Confirmation of deletion Outputs Text messages as in example below Errors Trap table is empty nothing to delete Failed to delete trap destination Notes The HSM is delivered with no SNMP traps configured Example Secure TRAPDEL Return SNMP Trap table 0 Address 192 168 100 133 Port 162 User User1 Select trap to delete 0 0 0 Return Trap destination deleted successfully Delete a...

Page 272: ...uide Thales Group Page 270 All Rights Reserved Fraud Detection Commands The payShield 10K provides the following commands to support fraud detection operations Command Page Configure Fraud Detection A5 270 Re enable PIN Verification A7 273 ...

Page 273: ...nt LMK Inputs Whether and how to respond to Fraud Detection Limit on number of PIN verification failures per minute Limit on number of PIN verification failures per hour Limit on number of PIN attacks detected Outputs None Errors Not Authorized the HSM is not authorized to perform this operation Invalid Entry the value entered is invalid Notes If any of the limits set by this command are exceeded ...

Page 274: ...te 100 PIN verification failures per hour 1000 PIN Attack Limit 100 HSM reaction to Exceeding Fraud Limits O n L ogging only L Return Note that logging is supported only if enabled via the HEALTHENABLE console command or its payShield Manager equivalent Enter limit on PIN verification failures per minute 200 Return Enter limit on PIN verification failures per hour 2000 Return Enter PIN Attack Limi...

Page 275: ...n Authorization The HSM must be in the offline state to run this command The HSM must be either in the Authorized State or the activity audit console must be authorized using the Authorizing Officer cards of the Management LMK Inputs None Outputs None Errors Not Authorized the HSM is not authorized to perform this operation Command only allowed from offline PIN Verification is not currently disabl...

Page 276: ...g console commands to support diagnostic operations Command Page Diagnostic Test DT 275 View Software Revision Number VR 279 View Available Commands GETCMDS 281 Show Network Statistics NETSTAT 283 Test TCP IP Network PING 285 Trace TCP IP route TRACERT 286 View Reset Utilization Data UTILSTATS 288 View Reset Health Check Counts HEALTHSTATS 290 ...

Page 277: ...are all run all the commands default option verbose be verbose in the output battery run the battery diagnostics des run the DES diagnostics health run the health check diagnostics aes run the AES KAT ecdsa run the ECDSA KAT md5 run the MD5 KAT mem run the memory diagnostics psu run the power supply diagnostics rng run the random number generator diagnostics rsa run the RSA KAT rtc run the real ti...

Page 278: ... RNG OK RSA OK Real Time Clock SYNCHRONIZED system time was synchronized with the RTC SHA OK SCR OK Temperature OK Fans OK Voltages OK Health Check Status TCP Server Up UDP Server Up FICON Server Not Enabled Local Remote Manager Server Up Host Ethernet Link 1 Up Host Ethernet Link 2 Up Unit Tampered No Fraud limits exceeded No PIN attack limit exceeded No Diagnostics complete Offline ...

Page 279: ...g MD5 Known Answer Test PASSED MD5 Known Answer Test MD5 OK Running Memory Test PASSED Memory Test Memory OK Power Supply OK Running RNG self tests Attempt 1 PASSED RNG self tests RNG OK Running RSA Known Answer Test PASSED RSA Known Answer Test RSA OK Real Time Clock OK Current Time FNov 16 12 09 54 2018 Running SHA Known Answer Test PASSED SHA Known Answer Test SHA OK SCR OK Temperature OK MSP 3...

Page 280: ...2 11 46 Min 11 43 Max 11 48 V5 5 052 Min 5 032 Max 5 067 MP Core 1 028 Min 1 016 Max 1 038 Crypto Core 1 053 Min 1 052 Max 1 060 Battery 3 595 Min 3 593 Max 3 599 Health Check Status TCP Server Up UDP Server Up FICON Server Not Enabled Local Remote Manager Server Up Host Ethernet Link 1 Up Host Ethernet Link 2 Not Enabled Unit Tampered No Fraud limits exceeded No PIN attack limit exceeded No Diagn...

Page 281: ...l numbers license details and FIPS algorithm information Errors None Notes The software revision reported by the VR command will have one of the following forms xxxx 10xx this indicates that this software has been PCI HSM certified and that the appropriate security settings have been set e g by using the CS Console command to the required values xxxx 00xx this indicates that either o this version ...

Page 282: ...above reflects non PCI compliant settings A PCI compliant example would reflect the following under the PCI HSM Compliance field PCI HSM Compliance Refer to the PCI web site https www pcisecuritystandards org approved_companies_pro viders approved_pin_transaction_security php for current certification status of this version of payShield 10K software Security settings are consistent with the requir...

Page 283: ... Online GETCMDS h l Return List of available Host commands A0 A2 A4 A6 A8 AA AC AE AG AI AK AM AO AQ AS AU AW AY B0 B2 B8 BA BC BE BG BI BK BM BQ BS BU BW BY C0 C2 C4 C6 C8 CA CC CE CG CI CK CM CO CQ CS CU CW CY D0 D2 D4 D6 D8 DA DC DE DG DI DK DM DO DQ DS DU DW DY E0 E2 E4 E6 E8 EA EC EE EG EI EK EM EO EQ ES EU EW EY F0 F2 F4 F6 F8 FA FC FE FG FI FK FM FO FQ FS FU FW FY G0 G2 G4 G6 G8 GA GC GE GG...

Page 284: ...S GETTIME GK GS GT HEALTHENABLE HEALTHSTATS IK IV KD KE KG KK KM KN KT LK LO LN MI N NP NETSTAT PING PV QA QH QL QM QP QS R RC RESET RS SD SE SETTIME SG SI SK SL SP SNMP SNMPADD SNMPDEL SS ST SV T TD TRAP TRAPADD TRAPDEL TRACERT UPLOAD UTILCFG UTILENABLE UTILSTATS V VA VC VR VT XA XD XE XH XI XK XR XT XX XY XZ Host Console Command Hash Value cf7e8a ...

Page 285: ...un this command Inputs Syntax netstat vWeenNcCF Af r netstat V version h help netstat vWnNcaeol Socket netstat vWeenNac i cWnNe M s Options r route display routing table i interfaces display interface table g groups display multicast group memberships s statistics display networking statistics like SNMP M masquerade display masqueraded connections v verbose be verbose W wide don t truncate IP addr...

Page 286: ...n waiting for the socket to close LAST_ACK The remote end has shut down and the socket is closed Waiting for acknowledgement LISTEN The socket is listening for incoming connections CLOSING Both sockets are shut down but we still don t have all our data sent UNKNOWN The state of the socket is unknown Example Offline NETSTAT Return Available Ethernet Interfaces Management Interface 192 168 220 116 A...

Page 287: ... time and when finished s packetsize Send this many data bytes The default is 56 which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data t ttl Use the specified time to live It represents how many hops the packet can go through before being discarded when it reaches 0 The default is 255 w maxwait Specify a timeout in seconds before ping exits regardless of how m...

Page 288: ...m number of hops used in outgoing probe packets The default is 30 hops the same default as is used for TCP connections n Print hop addresses numerically only By default addresses are printed both symbolically and numerically This option saves a nameserver address to name lookup for each gateway found on the path p port The base UDP port number to be used in probes default is 33434 The tracert util...

Page 289: ...value must be a decimal integer in the range 0 to 255 You can use this option to see if different TOSs result in different paths Not all TOS values are legal or meaningful You should find the values t 16 low delay and t 8 high throughput useful w wait_time The time in seconds to wait for a response to a probe default is 5 host The destination hostname or IP number packetsize The probe datagram len...

Page 290: ...ve of which host interface the commands are received over Inputs Whether to print output to HSM attached printer Whether to reset data Outputs Text messages as in example below Note that the number of seconds displayed is not necessarily the number of seconds between the start and end times rather it is the number of seconds during this period when data collection was enabled using the UTILENABLE ...

Page 291: ...50 1 06 BA 14 0 30 BC 34 0 72 BE 42 0 89 BG 5 0 11 BI 11 0 23 BK 128 2 72 Press Enter to continue Return Cmd Code Total Transactions Average TPS BM 10 0 21 LA 2 0 04 Instantaneous HSM Load 17 Instantaneous Host Command Volumes Cmd Code Total Transactions Average TPS BM 10 0 21 LA 2 0 04 Send output to printer Y N Y Return Reset All Stats Y N Y Return All utilization statistics will be reset to 0 C...

Page 292: ...llection of health check data has been suspended at any time the counts relating to Fraud Detection i e failed PIN verifications and PIN Attacks will not represent the values of those counts which will be used by the HSM to trigger return of Error 39 or deletion of LMKs Inputs Whether to print output to HSM attached printer Whether to reset data requires Offline Secure Authorized state Outputs Tex...

Page 293: ... key block format Multiple LMKs It is possible to install multiple LMKs within a single HSM The precise details of the number and type of installed LMKs are controlled via the HSM s license file LMKs are stored in a table within the secure memory of the HSM with each LMK occupying a different slot within the table Each slot has the following attributes Attribute Description LMK ID A 2 digit number...

Page 294: ...activities Old New Status Flag for each LMK held in Key Change Storage indicating whether they are to be used as an old LMK loaded via LO command or a new LMK loaded via LN command LMK Check Value The check value of the LMK Old New LMK Check Value The check value of the old or new LMK held in Key Change Storage Use the console command VT View LMK Table to view the contents of the HSM s LMK table b...

Page 295: ...o support LMK operations Command Page Generate LMK Component GK 294 Load LMK LK 297 Load Old LMK into Key Change Storage LO 303 Load New LMK into Key Change Storage LN 307 Verify LMK Store V 311 Duplicate LMK Component Sets DC 312 Delete LMK DM 313 Delete Old or New LMK from Key Change Storage DO 314 View LMK Table VT 315 Generate Test LMK GT 318 ...

Page 296: ...Block LMK Algorithm o Double length 2DES or triple length 3DES if Variant scheme is selected o Triple length 3DES or AES if Key Block scheme is selected LMK Status Test or Live For an AES Key Block LMK o Number of components o Number of components required to reconstitute the LMK Outputs LMK components written to smartcards LMK component check value Errors Card not formatted use the FC command to ...

Page 297: ...te check ZZZZZZ Remove the smartcard and store it securely Make another copy Y N N Return 1 copies made Repeat the procedure to generate further component sets Secure Example 2 Double length Variant LMK This example generates a double length variant LMK component set and writes the components to a smartcard Secure GK Return Variant scheme or key block scheme V K V Return Enter algorithm type 2 2DE...

Page 298: ...er copy Y N N Return 1 copies made Repeat the procedure to generate further components Secure Example 4 AES Key Block LMK This example generates a set of AES key block LMK components and writes each component to a smartcard Secure GK Return Variant scheme or key block scheme V K K Return Enter algorithm type D DES A AES A Return Enter the number of components to generate 2 9 5 Return Enter the num...

Page 299: ... Management LMK installed i e the LMK IDs identified in the security settings as being the default and management LMKs are empty you will be asked if you wish to make this new LMK the Default Management LMK An error is returned if an attempt is made to load an LMK with a single component where o The LMK is not a test LMK and o The security setting to enforce multiple key components has been set to...

Page 300: ... ZZZZZZ LMK id 00 LMK key scheme Variant LMK algorithm 3DES 2key LMK status Live Comments Live LMK for ABC Bank Confirm details Y N Y Return Use the LO LN command to load LMKs into key change storage Secure Example 2 Triple length Variant LMK This example loads a triple length Variant LMK from smartcards and installs it in the HSM There are already Default and Management LMKs installed Secure LK R...

Page 301: ... components or shares Insert card and press ENTER Return Enter PIN Terminated Secure Example 4 Double or triple length Variant LMK In this example the security setting requiring use of multiple components has been set to YES but the user has attempted to load a non Test LMK using only one component Secure LK Return Enter LMK id 0 4 0 Return Enter comments Return Load LMK from components or shares ...

Page 302: ...e proceeding Erase LMK Y Return Load LMK from components or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Load more components Y N Y Return Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure When all components have been loaded and the HSM displays the LMK Check value record the check value LMK Check ZZZZZZ LMK id 01 LMK key ...

Page 303: ... must be erased before proceeding Erase LMK Y Return Load LMK from components or shares Insert card and press ENTER Return PIN Return Check AAAAAA Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure When all components have been loaded and the HSM displays the LMK Check value record the check value LMK Check ZZZZZZ LMK id 02 LMK key scheme KeyBlock LMK...

Page 304: ... or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure When all components have been loaded and the HSM displays the LMK Check value record the check value LMK Check ZZZZZZ LMK id 02 LMK key scheme KeyBlock LMK algorithm AES 256 LMK status Live Comments Live LMK for XYZ Bank Confi...

Page 305: ...a Key Block LMK into key change storage if a variant LMK is loaded in main memory Load failed check comparison card is blank Not a LMK card card is not formatted for LMK or key storage Card not formatted card is not formatted Smartcard error command return 0003 invalid PIN is entered Invalid PIN re enter a PIN of less than 4 or greater than 8 is entered Command only allowed from Secure Authorized ...

Page 306: ... or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Load more components Y N Y Return Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure until all old component sets have been loaded When all components have been loaded and the HSM displays the LMK Check value ensure that this is the expected value LMK Check ZZZZZZ LMK id 00 LM...

Page 307: ...ple 3 Double or triple length Variant LMK This example attempts to load a non Test LMK using a single component when the security setting to enforce multiple components has been set to YES Secure AUTH LO Return Enter LMK id 00 Return Enter comments Old LMK for ABC Bank Return Load old LMK from components or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Load more component...

Page 308: ...er LMK id 02 Return Enter comments Old LMK for XYZ Bank Return Load old LMK from components or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure until all old component sets have been loaded When all components have been loaded and the HSM displays the LMK Check value ensure that...

Page 309: ...ermitted to load a key block LMK into key change storage if a variant LMK is loaded in main memory Load failed check comparison card is blank Not a LMK card card is not formatted for LMK or key storage Card not formatted card is not formatted Smartcard error command return 0003 invalid PIN is entered Invalid PIN re enter a PIN of less than 4 or greater than 8 is entered Command only allowed from S...

Page 310: ... or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Load more components Y N Y Return Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure until all new component sets have been loaded When all components have been loaded and the HSM displays the LMK Check value ensure that this is the expected value LMK Check ZZZZZZ LMK id 00 LM...

Page 311: ...ple 3 Double or triple length Variant LMK This example attempts to load a non Test LMK using a single component when the security setting to enforce multiple components has been set to YES Secure AUTH LN Return Enter LMK id 00 Return Enter comments New LMK for ABC Bank Return Load new LMK from components Or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Load more component...

Page 312: ...er LMK id 02 Return Enter comments New LMK for XYZ Bank Return Load new LMK from components or shares Insert card and press ENTER Return Enter PIN Return Check AAAAAA Remove the smartcard Insert the second and subsequent smartcards and repeat the loading procedure until all new component sets have been loaded When all components have been loaded and the HSM displays the LMK Check value ensure that...

Page 313: ...LMKs the length of the displayed check value is determined by the CS Configure Security setting Restrict Key Check Value to 6 hex chars For Key Block LMKs the length of the displayed check value is always 6 hex digits Authorization The HSM does not require any authorization to run this command Inputs LMK Identifier 2 numeric digits Outputs Master key check value Errors Invalid LMK identifier no LM...

Page 314: ...uts LMK check value Errors Load failed check comparison card is blank Not a LMK card card is not formatted for LMK or key storage Card not formatted card is not formatted Smartcard error command return 0003 invalid PIN is entered Invalid PIN re enter a PIN of less than 4 or greater than 8 is entered Warning card not blank Proceed Y N LMK card is not blank Overwrite LMK set Y N the smartcard alread...

Page 315: ...dentifier out of range Command only allowed from Secure Authorized the HSM is not in Secure State or the HSM is not authorized to perform this operation or both LMK id xx is the Default and Management LMK ID the default and Management LMKs cannot be deleted Notes LMKs which are the Default or Management LMK cannot be deleted The Default and Management LMK must be re assigned to a new LMK before th...

Page 316: ... location in main LMK memory Authorization The HSM must be in the secure state to run this command Inputs LMK Identifier 2 numeric digits Outputs Display of relevant entry from the key change storage table Errors Invalid LMK identifier no LMK loaded or entered identifier out of range Example Secure DO Return Enter LMK id 01 Return Key change storage table entry ID Scheme Algorithm Status Check Com...

Page 317: ... are active if HSM is configured for multiple authorized activities with X identifying whether Host or Console commands Note that LMKs in key change storage cannot be authorized o Old New Status of key in Key Change Storage Old key is treated as an old LMK New key is treated as a new LMK Note that only LMKs held in Key Change Storage have the Old New status o Scheme The LMK scheme Variant indicati...

Page 318: ...le ID Authorized Scheme Algorithm Status Check Comments 00 No Variant 3DES 2key Test 268604 test variant 01 Yes 1H 1C Variant 3DES 2key Test 268604 test variant 02 Yes 1H 1C Variant 3DES 3key Live 554279 Production 1 Key change storage table No keys loaded in key change storage Secure Example 3 The HSM is configured for single authorized state and only host commands are authorized for LMK 01 conso...

Page 319: ...thorized for each LMK Online AUTH VT Return LMK table ID Authorized Scheme Algorithm Status Check Comments 00 Yes 0H 1C Variant 3DES 3key Live 726135 test variant 02 Yes 1H 0C KeyBlock AES 256 Test 6620CA Mngmnt LMK Key change storage table ID Old New Scheme Algorithm Status Check Comments 00 New KeyBlock 3DES 3key Live 331873 test variant 2 02 New KeyBlock AES 256 Test 9D04A0 New mngmnt LMK Onlin...

Page 320: ...martcards Note This command simply generates a smart card with the known and documented test LMK stored on it The command does not generate a new test LMK Authorization The HSM does not require any authorization to run this command Inputs Type of Test LMK to be generated Prompts for smartcards to be inserted PINs to be entered Outputs Confirmation of Test LMK components being written to smartcards...

Page 321: ...eturn 1 copies made Do you want to generate another Standard Thales Test LMK set Y N N Return Online Example 2 This example writes the two components of the standard AES Key Block Thales Test LMK to two separate smartcards Online GT Return Generate Standard Thales Test LMK Set 1 2DES Variant 2 3DES Variant 3 3DES KeyBlock 4 AES KeyBlock Select Standard Thales Test LMK set to be generated 4 Return ...

Page 322: ...particular LMK then the command will only be authorized for that particular LMK identifier For example if the FK console command Form Key from Components is authorized using the passwords corresponding to the LMK with identifier 00 then only keys encrypted using LMK 00 may be formed using the command It is possible to authorize the HSM using multiple Authorizing Officer cards or passwords so that ...

Page 323: ...rst 2 LMK component cards contain passwords This command is only available when the console command CS Configure Security setting Enable multiple authorized activities Y N is set to N For PCI HSM compliance authentication must use smartcards and PINs not passwords Use of this command will always cause an entry to be made in the Audit Log Console commands remain authorized for 12 hours 720 minutes ...

Page 324: ...de Thales Group Page 322 All Rights Reserved First Officer Password Return Second Officer Password Return Password too long Data invalid please re enter Return AUTHORIZED Console authorizations will expire in 720 minutes 12 hours Online AUTH ...

Page 325: ...s not require any authorization to run this command Inputs LMK Identifier 2 numeric digits Outputs Text messages as shown in example Notes This command is only available when the console command CS Configure Security setting Enable multiple authorized activities Y N is set to N Use of this command will always cause an entry to be made in the Audit Log Errors Invalid LMK identifier no LMK loaded or...

Page 326: ...compliant value then console commands can be authorized for a maximum period of 12 hours 720 minutes PIN if applicable 5 to 8 alphanumeric characters The PIN must be entered within 60 seconds of being requested 4 digit PINs on legacy cards will also be accepted Either o Smartcards RLMKs are supported with authorizing both passwords o Password 16 alphanumeric characters Use h to display help Output...

Page 327: ...compliant value then console commands can be authorized for a maximum period of 12 hours 720 minutes Use of this command will always cause an entry to be made in the Audit Log Activities are described in terms of four fields Category Sub Category Interface and Timeout If the Timeout field is omitted the activity remains authorized until cancelled either by the console command C or the host command...

Page 328: ... Key Block LMK This example authorizes a single activity via the menu Online A Return Enter LMK id 0 9 0 Return No activities are authorized for LMK id 00 List of authorizable activities generate genprint component import export pin audit admin diagnostic misc command Select category pin Return clear mailer Select sub category or RETURN for all mailer Return host console Select interface or RETURN...

Page 329: ...ort host misc console 720 misc host pin console 720 pin host First officer Insert card and enter PIN Return Second officer Insert card and enter PIN Return The following activities are authorized for LMK id 00 admin console 720 720 mins remaining admin host audit console 720 720 mins remaining audit host command console 720 720 mins remaining command host component console 720 720 mins remaining c...

Page 331: ...e y N Y Return List of authorizable activities generate genprint component import export pin audit admin diagnostic misc command Select category export Return 000 100 200 001 002 400 003 006 008 009 109 209 309 409 509 709 00a 00b rsa Select sub category or RETURN for all 001 Return host console Select interface or RETURN for all H Return Enter time limit for export 001 host or RETURN for permanen...

Page 332: ...nter LMK id 0 19 00 Return The following activities are pending authorization for LMK id 00 admin 240 export 001 host persistent generate 000 console 60 First Officer Insert Card for Security Officer and enter the PIN Return Second Officer Insert Card for Security Officer and enter the PIN Return The following activities are authorized for LMK id 01 admin 240 240 mins remaining export 001 host per...

Page 333: ...sc command Select category export Return 01 B0 C0 11 12 13 D0 21 22 E0 E1 E2 E3 E4 E5 E6 31 32 K0 51 52 M0 M1 M2 M3 M4 M5 61 62 63 64 65 P0 71 72 73 V0 V1 V2 Select sub category or RETURN for all 72 Return host console Select interface or RETURN for all C Return Enter time limit for export 72 console or RETURN for permanent 60 Return Enter additional activities to authorize y N Y Return List of au...

Page 334: ...ining export 72 console 60 mins remaining pin clear Online AUTH Example 7 Key Block LMK This example authorizes an additional three activities via the command line Online AUTH a exp 001 con 60 admin 240 misc console Return Enter LMK id 0 1 01 Return Console authorizations will expire in 720 minutes 12 hours The following activities are pending authorization for LMK id 01 admin 240 export 001 conso...

Page 336: ... category Interface Timeout Category generate component genprint import export pin audit admin diag misc command Sub category for generate import export key name e g TPK MK AC etc Sub category for pin mailer clear Interface host console Timeout value in minutes or p for persistent Names may be shortened but must remain unique When canceling an authorized activity which includes a timeout the origi...

Page 337: ...turn Cancel admin 240 194 mins remaining y N Y Return Cancel export 001 host y N N Return Cancel generate 000 console 60 14 mins remaining y N Y Return Cancel pin mailer y N N Return The following activities are authorized for LMK id 00 export 001 host pin mailer Online AUTH Note This example assumes that the activities in the Authorize Activity command Example 3 above are active Example 4 Variant...

Page 338: ...is example applies when multiple authorized activities has been enabled Online AUTH VA Return Enter LMK id 00 Return The following activities are authorized for LMK id 00 admin 240 228 mins remaining export 001 host persistent generate 000 console 60 48 mins remaining Online AUTH Note This example assumes the activities in the Authorize Activity command Example 4 above were authorized 12 minutes a...

Page 339: ...pacity Catastrophic 3 Something abnormal happened and the unit had to reboot to recover Only catastrophic errors cause the HSM to reboot New errors cause the Fault LED on the front panel to flash Whenever the HSM state is altered through power up key lock changes or console commands the Audit log is updated with the action and the time and date The Audit log can also be configured to record execut...

Page 340: ...v2 2 onwards power supply errors are logged as soon as they are detected Example 1 In this example there are no entries in the error log Offline ERRLOG Return Error log is empty Offline Example 2 In this example the Security setting Allow Error light to be extinguished when viewing Error Log is set to NO Offline ERRLOG Return Error Log 3 entries 1 May 01 09 35 00 ERROR 1 Invalid queue size Severit...

Page 341: ...ht should be extinguished Y N Y Return Offline Example 4 Entries in the HSM error log have a hash based integrity check using HMAC In this example the verification of integrity of the entry failed A message indicates that an error happened during the verification process and the entry is shown as Unparsed Offline ERRLOG Return Error Log 3 entries 973 May 31 15 17 35 ERROR FAN 1 is now present Seve...

Page 342: ...R Variant Key Block Online Offline Secure Authorization Not required Command CLEARERR Function To clear the entries in the error log Authorization The HSM must be in the secure state to run this command Inputs None Outputs A confirmation message Errors None Example Secure CLEARERR Return Error log Cleared Secure ...

Page 343: ...and component entry at the Console or payShield Manager When key and component entry are forcibly logged in this way the log entry indicates successful completion of the action The user can as in earlier versions of software use AUDITOPTIONS to specify that the key and component entry commands are logged this will normally result in 2 entries in the audit log one resulting from the AUDITOPTIONS se...

Page 344: ...00000264 15 35 55 01 Jul 2013 Activity component console 123 was authorized for LMK id 0 0000000263 15 08 48 01 Jul 2013 Smartcard activated 20025151 0000000262 15 08 48 01 Jul 2013 Smartcard activated 20025132 0000000261 10 42 32 01 Jul 2013 Host command CA response 00 0000000260 10 36 03 01 Jul 2013 Host command CA response 69 0000000259 10 34 57 01 Jul 2013 System restarted 0000000258 10 32 48 ...

Page 345: ... Authorized State or the activity audit console must be authorized using the Authorizing Officer cards of the Management LMK Inputs None Outputs One of the following text messages Audit Log Cleared Audit Log is empty Errors Command only allowed from Secure Authorized the HSM is not in Secure State or the HSM is not authorized to perform this operation or both Example 1 Secure AUTH CLEARAUDIT Retur...

Page 346: ...he Authorized State or the activity audit console must be authorized using the Authorizing Officer cards of the Management LMK The current list of items being audited can be viewed in online state Inputs Changes to configuration Audited console commands o CXX to enable auditing of console command XX o CXX to disable auditing of console command XX The character can be used as a wildcard when specif...

Page 347: ...he successful completion of the command If the command does not complete successfully e g because it was cancelled by the user then there will be no forcible logging but the entry indicating the command was initiated will still be there if the command was specified in AUDITOPTIONS Audit Error Responses to Host Commands this setting allows any relevant error responses to Host commands to be logged ...

Page 348: ...n Data Resets Y N y Audit Automatic Self Testing Y N y Audit ACL connection failures Y N y Current Audit Counter value is 0000000223 Enter new value decimal digits only or Return for no change Modify Audited Command List Y N y Enter command code e g CDE or Q to Quit CDE Enter command code e g CDE or Q to Quit Enter command code e g CDE or Q to Quit q Audit User Actions YES Audit Error Responses to...

Page 349: ...ld 10K for the audit log entries The user should use this command to adjust the time for the local timezone The time and date can be queried using the GETTIME command The payShield 10K provides the following console commands to support storage and retrieval of HSM settings Command Page Set the Time SETTIME 348 Query the Time and Date GETTIME 349 Set Time for Automatic Self Tests ST 350 ...

Page 350: ...and day Outputs Text messages as in the example below Errors Command only allowed from Secure Authorized the HSM is not in Secure State or the HSM is not authorized to perform this operation or both Response invalid Re enter an invalid value has been entered Example Secure AUTH SETTIME Return Enter hours HH 24 hour format 10 Return Enter minutes MM 08 Return Enter year YYYY 2009 or above 2014 Retu...

Page 351: ...ine Secure Authorization Not required Command GETTIME Function To query the system time and date Authorization The HSM does not require any authorization to run this command Inputs None Outputs The year month and date The time in hours minutes and seconds Errors None Example Online GETTIME Return System date and time Feb 12 10 08 19 2014 Online ...

Page 352: ...tic self tests required for PCI HSM compliance will be run and allows this time to be changed Authorization The HSM does not require any authorization to run this command Inputs Time of day Outputs None Errors None Notes The default time for running the diagnostics is 0900 Example Secure ST Return Self test run time is 09 00 Change Y N y Return Enter hour HH 24 hour format 13 Return Enter minute M...

Page 353: ...the following individual configuration commands have the option to save settings to smartcard CL Configure Alarms to save the Alarm configuration CH Configure Host Port to save the Host port configuration CS Configure Security to save the Security configuration AUDITOPTIONS Audit Options to save the Audit configuration The payShield 10K provides the following console commands to support storage an...

Page 354: ...ent LMK Outputs Confirmation messages that Alarm Host Security Audit Command and PIN Block settings are saved Errors Card not formatted to save retrieve HSM settings Attempt with another card Y N card is not formatted for storing HSM settings Card not formatted Attempt with another card Y N card is not formatted Command only allowed from Secure Authorized the HSM is not in Secure State or the HSM ...

Page 355: ...thorization The HSM must be in the secure state to run this command Additionally the HSM must be either in the Authorized State or the activity admin console must be authorized using the Authorizing Officer cards of the Management LMK Inputs Whether to overwrite each of the groups of saved settings Outputs The Alarm Host Security Audit Command and PIN Block settings stored on the smartcard are lis...

Page 356: ...t YES Enable X9 17 for export YES Solicitation batch size 1024 Single DES ENABLED Prevent single DES keys from masquerading as double or triple length keys NO ZMK length DOUBLE Decimalization tables PLAINTEXT Decimalization table checks enabled YES PIN encryption algorithm A Authorized state required when importing DES key under RSA key YES Minimum HMAC length in bytes 10 Enable PKCS 11 import and...

Page 357: ...ser Action ENABLED Audit Counter 00000183 24 Audited Mgmt commands 0 Audited Host commands Audit Host Errors DISABLED 0 Audited Console commands Overwrite auditlog settings with the settings above Y N n Return 0 Blocked Host commands 0 Blocked Console commands Overwrite command settings with the settings above Y N n Return Pin Block Format 01 ENABLED Pin Block Format 02 ENABLED Pin Block Format 03...

Page 358: ...llowing host commands to support generic key management operations Command Page Generate Key Component GC 357 Generate Key and Write Components to Smartcard GS 360 Encrypt Clear Component EC 364 Form Key from Components FK 367 Generate Key KG 374 Import Key IK 378 Export Key KE 382 Generate a Check Value CK 386 Set KMC Sequence Number A6 388 ...

Page 359: ...de of the key component being generated Inputs LMK Identifier 00 99 Key Length 1 single 2 double 3 triple Key Type See the Key Type Table in the Host Programmer s Manual Key Scheme LMK Identifier 00 99 Key Algorithm if AES LMK 3DES or AES Key Length Single Double Triple length DES key or if AES LMK 128 192 256 bit AES key Key Scheme Key Usage See the Key Usage Table in the Host Programmer s Manual...

Page 360: ...mpatible with previously entered values Example 1 Variant LMK This example generates a double length DES key component in plaintext encrypted form Online AUTH GC Return Enter LMK id 00 Return Enter key length 1 2 3 2 Return Enter key type 001 Return Enter key scheme U Return Clear Component XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Encrypted Component UYYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY Key che...

Page 361: ...YYY YYYYYY Key check value ZZZZZZ Online AUTH Example 4 AES Key Block LMK This example generates a 128 bit AES key component in plaintext encrypted form Online AUTH GC Return Enter LMK id 02 Return Enter algorithm 3DES AES A Return Enter key length 128 192 256 128 Return Enter key scheme S Return Enter key usage K0 Return Enter mode of use N Return Enter component number 1 9 2 Return Enter exporta...

Page 362: ...gth DES key or if AES LMK 128 192 256 bit AES key Key Scheme Number of components 2 3 Key Usage See the Key Usage Table in the Host Programmer s Manual Mode of Use See the Mode of Use Table in the Host Programmer s Manual Key Version Number 00 99 Exportability See the Exportability Table in the Host Programmer s Manual Optional Block data Smartcard PINs PINs must be entered within 60 seconds of be...

Page 363: ...ted or erased Do not continue Inform the Security Department Various key block field errors the value entered is invalid or incompatible with previously entered values Example 1 Variant LMK This example writes two double length DES key components to two smartcards and encrypts the formed key Online AUTH GS Return Enter LMK id 00 Return Enter key length 1 2 3 1 Return Enter key type 001 Return Ente...

Page 364: ... two double length 3DES key components to two smartcards and encrypts the formed key Online AUTH GS Return Enter LMK id 02 Return Enter algorithm 3DES AES 3 Return Enter key length 1 2 3 2 Return Enter key scheme S Return Enter number of components 2 3 2 Return Enter key usage P0 Return Enter mode of use N Return Enter key version number 00 Return Enter exportability E Return Enter optional blocks...

Page 365: ... optional blocks Y N Y Return Enter optional block identifier 00 Return Enter optional block data L Return Enter more optional blocks Y N N Return Insert card 1 and enter PIN Return Make additional copies Y N N Return Insert card 2 and enter PIN Return Make additional copies Y N N Return Encrypted key S YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH ...

Page 366: ...gth Single Double Triple length DES key or if AES LMK 128 192 256 bit AES key Key Scheme Key Usage See the Key Usage Table in the Host Programmer s Manual Mode of Use See the Mode of Use Table in the Host Programmer s Manual Component Number 1 9 Exportability See the Exportability Table in the Host Programmer s Manual Optional Block data Clear Component 16 32 48 hex digits Outputs Component encryp...

Page 367: ...Enter component number 1 9 2 Return Enter exportability E Return Enter optional blocks Y N Y Return Enter optional block identifier 00 Return Enter optional block data L Return Enter more optional blocks Y N N Return Enter component XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Encrypted component S YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH Example 3 AES Key Block LMK This example encryp...

Page 368: ...ent length 128 192 256 128 Return Enter key scheme S Return Enter key usage K0 Return Enter mode of use N Return Enter component number 1 9 2 Return Enter exportability E Return Enter optional blocks Y N Y Return Enter optional block identifier 00 Return Enter optional block data L Return Enter more optional blocks Y N N Return Enter component XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Encrypt...

Page 369: ...AU Components has been set to NO otherwise 2 9 Clear Components 16 32 48 hex digits LMK Identifier 00 99 Key Algorithm if AES LMK 3DES or AES Key Length Single Double Triple length DES key or if AES LMK 128 192 256 bit AES key Key Scheme Component Type for AES keys X xor E encrypted S smartcard Component Type for DES keys X xor E encrypted S smartcard H half T third Number of Components 1 9 if the...

Page 370: ... or key storage Card not formatted card is not formatted Internal failure 12 function aborted the contents of LMK storage have been corrupted or erased Do not continue Inform the Security Department Various key block field errors the value entered is invalid or incompatible with previously entered values Notes Component type H is not permitted for Triple DES keys Use of this command will always cr...

Page 371: ... 3 Variant LMK This example forms a key from encrypted components Online AUTH FK Return Enter LMK id 00 Return Enter key length 1 2 3 2 Return Enter key type 002 Return Enter key scheme U Return Component type X H E S T E Return Enter number of components 1 9 2 Return Enter component 1 U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Component 1 check value XXXXXX Continue Y N y Return Enter compo...

Page 372: ...rn Enter key type 002 Return Enter key scheme U Return Component type X H E S T E Return Enter number of components 2 9 1 Return Invalid Entry Enter number of components 2 9 2 Return Enter component 1 U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Component 1 check value XXXXXX Continue Y N y Return Enter component 2 U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Component 2 check value XXXXXX...

Page 373: ...ne AUTH Example 6 3DES Key Block LMK This example forms a double length 3DES key from components on a smartcard Online AUTH FK Return Enter LMK id 01 Return Enter Key Length 1 2 3 2 Return Enter key scheme S Return Component type X H E S T S Return Enter number of components 1 9 2 Return Insert card 1 and enter PIN Return Component 1 check value XXXXXX Continue Y N y Return Insert card 2 and enter...

Page 374: ...cks Y N N Return Insert card 1 and enter PIN Return Component 1 check value XXXXXX Continue Y N y Return Insert card 2 and enter PIN Return Component 2 check value XXXXXX Continue Y N y Return Encrypted key S YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH Example 8 AES Key Block LMK This example forms a 128 bit AES key from encrypted components Online AUTH FK Return Enter LMK id 02 Return Ente...

Page 375: ...heck value XXXXXX Continue Y N y Return Enter component 2 S XXXXXXXX XXXXXX Return Component 2 check value XXXXXX Continue Y N y Return Enter component 3 S XXXXXXXX XXXXXX Return Component 3 check value XXXXXX Continue Y N y Return Encrypted key S YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH ...

Page 376: ...he HSM must either be in the Authorized State or the activity export key console must be authorized where key is the key type code of the key being exported The authorization requirement for this command depends solely on the type of export being requested Exported key scheme Authorization No export None S Thales Key Block None R TR 31 Key Block None U T Variant Required Z X Y X9 17 Required If au...

Page 377: ...valid please re enter the encrypted ZMK does not contain the correct characters or the key check value does not contain 6 hexadecimal characters Re enter the correct number of hexadecimal characters Key parity error please re enter the ZMK does not have odd parity on each byte Re enter the encrypted ZMK and check for typographic errors Invalid key scheme for key length the Key scheme is inappropri...

Page 378: ...Return Enter key scheme LMK U Return Enter key scheme ZMK R Return Enter ZMK U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Enter key usage P0 Return Enter mode of use N Return Enter key version number 44 Return Enter exportability N Return Enter optional blocks Y N N Return Key under LMK U YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY Key under ZMK R YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH...

Page 379: ...Key under LMK S YYYYYYYY YYYYYY Key under ZMK R YYYYYYYY YYYYYY Key check value ZZZZZZ Online Example 6 AES Key Block LMK This example generates a new double length DES key Online AUTH KG Return Enter LMK id 02 Return Enter algorithm 3DES AES 3 Return Enter key length 1 2 3 2 Return Enter key scheme LMK S Return Enter key scheme ZMK Return Enter key usage P0 Return Enter mode of use N Return Enter...

Page 380: ...rt from Variant X9 17 Key Usage See the Key Usage Table in the payShield 10K Host Programmer s Manual Mode of Use See the Mode of Use Table in the payShield 10K Host Programmer s Manual Key Version Number 00 99 Exportability See the Exportability Table in the payShield 10K Host Programmer s Manual Optional Block data For import from a key block format Modified Key Usage Optional Block data Outputs...

Page 381: ... entered identifier out of range Must be in Authorized State or Activity not authorized the key type provided requires the HSM to be in Authorized State Data invalid please re enter the encrypted ZMK does not contain the correct characters or the key check value does not contain 6 hexadecimal characters Re enter the correct number of hexadecimal characters Key parity error re enter key the parity ...

Page 382: ... of use N Return Enter key version number 27 Return Enter exportability N Return Enter optional blocks Y N N Return Key under LMK S YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH Example 4 3DES Key Block LMK This example imports a key from TR 31 format Note that a new more restrictive value for the imported key block s Key Usage field is entered during the import process Online IK Return Enter...

Page 383: ...ple 5 3DES or AES Key Block LMK This example imports a key from Thales Key Block format Online IK Return Enter LMK id 01 Return Enter key scheme LMK S Return Enter ZMK S XXXXXXXX XXXXXX Return Enter key S XXXXXXXX XXXXXX Return Key under LMK S YYYYYYYY YYYYYY Key check value ZZZZZZ Online ...

Page 384: ...e of the key being exported The authorization requirement for this command depends on the type of export being requested Exported key scheme Authorization S Thales Key Block None R TR 31 Key Block None U T Variant Required Z X Y X9 17 Required If authorization is required the HSM must either be in the Authorized State or the activity export key console must be authorized where key is the key usage...

Page 385: ...rohibited Errors Invalid LMK identifier no LMK loaded or entered identifier out of range Must be in Authorized State or Activity not authorized the key type provided requires the HSM to be in Authorized State Data invalid please re enter the encrypted ZMK or key does not contain 16 or 32 hex or 1 alpha 32 hex or 1 alpha 48 hex Re enter the correct number of hexadecimal characters Key parity error ...

Page 386: ...XXX XXXX XXXX XXXX XXXX Return Enter key usage P0 Return Enter mode of use N Return Enter key version number 44 Return Enter exportability N Return Enter optional blocks Y N N Return Key under ZMK R YYYYYYYY YYYYYY Key check value ZZZZZZ Online AUTH Example 3 3DES Key Block LMK This example exports a key to X9 17 format Online AUTH KE Return Enter LMK id 01 Return Enter key scheme ZMK X Return Ent...

Page 387: ... LMK This example exports a key to Thales Key Block format Online KE Return Enter LMK id 01 Return Enter key scheme ZMK S Return Enter ZMK S XXXXXXXX XXXXXX Return Enter key S XXXXXXXX XXXXXX Return Enter exportability field for exported key block Return Key under ZMK S YYYYYYYY YYYYYY Key check value ZZZZZZ Online ...

Page 388: ...heck Values If required the HSM must either be in the Authorized State or the activity generate key console must be authorized where key is the key type of the key being used Regardless of the authorization requirement this command examines the Generate flag of the given key type within the Key Type Table to determine whether the check value can be calculated The HSM does not require any authoriza...

Page 389: ...ammer s Manual Internal failure 12 function aborted the contents of LMK storage have been corrupted or erased Do not continue Inform the Security Department Various key block field errors the value entered is invalid or incompatible with previously entered values Example 1 Variant LMK This example generates a check value of a key Online AUTH CK Return Enter LMK id 00 Return Enter key type code 001...

Page 390: ...mand Additionally the HSM must be either in the Authorized State or the activity misc console must be authorized Inputs New sequence number value Outputs None Errors Not Authorized The HSM is not in Authorized State Not Offline The HSM must be offline to run this command Invalid Entry The value entered is invalid Counter can have any value between 00000000 and FFFFFFFF Example Offline AUTH A6 Retu...

Page 391: ...vides the following console commands to support some of the card payment systems host commands Command Page Generate a Card Verification Value CV 390 Generate a VISA PIN Verification Value PV 392 Load the Diebold Table R 394 Encrypt Decimalization Table ED 396 Translate Decimalization Table TD 398 Generate a MAC on an IPB MI 400 ...

Page 392: ...gits Service code 3 decimal digits Outputs Card Verification Value 3 decimal digits Errors Invalid LMK identifier no LMK loaded or entered identifier out of range Command only allowed from Authorized the HSM is not authorized to perform this operation Data invalid please re enter possibly incorrect key length Could also be incorrect PAN card expiry date or service code length or non decimal PAN ca...

Page 393: ...line AUTH Example 2 Variant LMK This example generates a CVV using a double length CVK in variant format Online AUTH CV Return Enter LMK id 00 Return Enter key A U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Enter PAN 1234567812345678 Return Enter expiry date 0694 Return Enter service code 123 Return CVV 321 Online AUTH Example 3 Key Block LMK This example generates a CVV using a CVK in key blo...

Page 394: ...digits of the clear PIN 4 decimal digits Outputs The PIN Verification Value PVV 4 decimal digits Errors Invalid LMK identifier no LMK loaded or entered identifier out of range Command only allowed from Authorized the HSM is not authorized to perform this operation Data invalid please re enter the PVK A PVK B or the PVV data block field is not 16 characters long Re enter the correct number of chara...

Page 395: ...Return PVV NNNN Online AUTH Example 2 Variant LMK This example generates a PVV using a double length PVK in variant format Online AUTH PV Return Enter LMK id 00 Return Enter key A U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Enter PVV data block XXXXXXXXXXX N NNNN Return PVV NNNN Online AUTH Example 3 Key Block LMK This example generates a PVV using a PVK in key block format Online AUTH PV Ret...

Page 396: ...try for a Diebold table Check the table and re enter the data checking for typographic errors Internal failure 12 function aborted the contents of LMK storage have been corrupted or erased Do not continue Inform the Security Department Notes Encryption of the Diebold Table o If the security setting Enforce key type 002 separation for PCI HSM compliance has the value N the Diebold table is encrypte...

Page 397: ...N Y Return Line 02 Line 32 XXXX XXXX XXXX XXXX Return XXXX XXXX XXXX XXXX OK Y N Y Return XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX 16 lines of encrypted table are displayed Online AUTH Note The result of the R command gives no indication as to the LMK scheme or LMK identifier used...

Page 398: ...ommended Outputs Encrypted decimalization table 16 Hex characters when using a Variant LMK or a 3DES Key Block LMK 32 Hex characters when using an AES LMK Errors Invalid LMK identifier no LMK loaded or entered identifier out of range Not Authorized the HSM is not authorized to perform this operation Decimalization table invalid the decimalization table is not all decimal or does not contain at lea...

Page 399: ...ge 397 All Rights Reserved Note The result of the ED command gives no indication as to the LMK scheme or LMK identifier used in the command When this value is used with other host commands the user must ensure that the correct LMK is specified in the command ...

Page 400: ...t and 3DES Key Block LMKs the size is 16 hex digits For AES Key Block LMKs the size is 32 hex digits The HSM by default checks that the decimalization table contains at least 8 different digits with no digit repeated more than 4 times This feature may be disabled using the Configure Security parameter Enable decimalization table check Disabling of this feature is not recommended Outputs Encrypted ...

Page 401: ...YYY Online AUTH Example AES Key Block LMK Online AUTH TD Return Enter LMK id 00 Return Enter decimalization table encrypted under old LMK XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX Return Decimalization table encrypted under new LMK YYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYY Online AUTH Note The result of the TD command gives no indication as to the LMK scheme or LMK identifier used in the command When this value i...

Page 402: ...d as 16 hex ASCII characters Outputs 4 byte MAC over the plaintext IPB input data Errors Invalid LMK identifier no LMK loaded or entered identifier out of range Command only allowed from Authorized the HSM is not authorized to perform this operation IPB is not 8 bytes Please re enter the validation of the IPB failed Warning Less than 16 1 bits in IPB the IPB contains less than 16 1 bits Example On...

Page 403: ...e Format an HSM Smartcard FC 402 Create an Authorizing Officer Smartcard CO 404 Verify the Contents of a Smartcard VC 405 Change a Smartcard PIN NP 406 Read Unidentifiable Smartcard Details RC 407 Eject a Smartcard EJECT 408 Note DO NOT REPEATEDLY ENTER INVALID PINS A LEGACY SMARTCARD LOCKS AFTER EIGHT SUCCESSIVE INVALID PINS HAVE BEEN ENTERED LEGACY SMARTCARDS CAN BE UNLOCKED BY REFORMATTING WHIC...

Page 404: ...rmat DDMMYY Time 6 numeric characters format hhmmss Issuer ID maximum 35 alphanumeric characters User ID maximum 35 alphanumeric characters Outputs Text messages o Insert card and press ENTER o Format card for HSM settings LMKs H L o Enter new PIN for smartcard o Re enter new PIN o Enter format code o Enter date o Enter time o Enter Issuer ID o Enter User ID o Format complete o Card already format...

Page 405: ...ing card Formatting card Enter new PIN for Smartcard Return Re enter new PIN Return Enter time hhmmss 153540 Return Enter date ddmmyy 261093 Return Enter User ID Joe Small Return Enter Issuer ID Big Bank plc Return Format complete Online Example 2 Online FC Return Insert card and press ENTER Return Card already formatted continue Y N Y Return Format card for HSM settings LMKs H L H Return Erasing ...

Page 406: ... run this command Inputs Smartcard PIN 5 to 8 alphanumeric characters PINs must be entered within 60 seconds of being requested Outputs Text messages Insert Card for Component Set 1 or 2 and enter the PIN Insert Card for Authorizing Officer and enter the PIN Copy Complete Errors Card not formatted card not formatted Not a LMK card card is not formatted for LMK or key storage Smartcard error comman...

Page 407: ...ariant LMKs the length of the displayed check value is determined by the CS Configure Security setting Restrict Key Check Value to 6 hex chars o For Key Block LMKs the length of the displayed check value is always 6 hex digits Comparison Pass or Fail Text messages o Check o Compare with card Errors Card not formatted card not formatted Not a LMK card card is not formatted for LMK or key storage Sm...

Page 408: ...c characters PINs must be entered within 60 seconds of being requested Outputs Text messages o Insert Card and press ENTER o Enter current PIN o Enter new PIN for smartcard o Re enter new PIN o PIN change completed Errors Card not formatted card not formatted Not a LMK card card is not formatted for LMK or key storage Smartcard error command return 0003 an invalid PIN was entered Invalid PIN re en...

Page 409: ...eger o Date as stored on card format YY MM DD o Time as stored on card format hh mm ss o User ID as stored on card free format alphanumeric o Issuer ID as stored on card free format alphanumeric o Data Zone Size as stored on card decimal integer o Max Data Free as stored on card decimal integer Errors Card not formatted card not formatted Not a LMK card card is not formatted for LMK or key storage...

Page 410: ...card EJECT Variant Key Block Online Offline Secure Authorization Not required Command EJECT Function To eject the smartcard from the smartcard reader Authorization The HSM does not require any authorization to run this command Inputs None Outputs None Errors None Example Online EJECT Return Online ...

Page 411: ...tor Commands The payShield 10K provides the following console commands to support the encryption and decryption of data with a given plaintext single double or triple length DES key Command Page Single Length Key Calculator N 410 Double Length Key Calculator 411 Triple Length Key Calculator T 412 ...

Page 412: ...any authorization to run this command Inputs Key no parity required 16 hexadecimal characters Data block 16 hexadecimal characters Outputs The data encrypted with the key The data decrypted with the key Errors Data invalid please re enter the entered data does not comprise 16 hexadecimal characters Re enter the correct number of hexadecimal characters Example Online N Return Enter key XXXX XXXX XX...

Page 413: ...n this command Inputs The double length key odd parity is required 32 hexadecimal characters Data block 16 hexadecimal characters Outputs The data encrypted with the key The data decrypted with the key Errors Data invalid please re enter the entered data does not comprise 32 hexadecimal characters Re enter the correct number of hexadecimal characters Example Offline Return Enter key XXXX XXXX XXXX...

Page 414: ...is command Inputs The triple length key odd parity is required 48 hexadecimal characters Data block 16 hexadecimal characters Outputs The data encrypted with the key The data decrypted with the key Errors Data invalid please re enter Re enter the correct number of hexadecimal characters Example Offline T Return Enter key XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX Return Single Dou...

Page 415: ...list XA 414 Decommission the HSM XD 415 Remove RACC from the whitelist XE 416 Commission the HSM XH 417 Generate Customer Trust Authority XI 418 Make an RACC left or right key XK 420 Commission a smartcard XR 421 Transfer existing LMK to RLMK XT 422 Decommission a smartcard XX 424 HSM commissioning status XY 425 Duplicate CTA share XZ 426 Note that the HSM s private key the certified public key an...

Page 416: ...ion Not required Command XA Function To add a RACC to the whitelist on the HSM Authorization The HSM must be in Secure state to run this command Inputs None Outputs None Example 1 Secure XA Return Insert payShield Manager Smartcard and press ENTER Return Enter PIN Return Do you want to add card XYZ123 to the whitelist Y Return Card XYZ123 added to whitelist Secure ...

Page 417: ...Offline Secure Authorization Not required Command XD Function To decommission the HSM by deleting the payShield Managers keys and groups Authorization The HSM must be in Secure state to run this command Inputs None Outputs None Example 1 Secure XD Return Do you want to erase the payShield Manager s keys and groups Y N Y Return Secure ...

Page 418: ...ne Secure Authorization Not required Command XE Function To remove an RACC from the whitelist Authorization The HSM must be in Secure state to run this command Inputs None Outputs None Example 1 Secure XE Return Choice ID Type 1 ABC321 restricted 2 XYZ123 restricted Which RACC do you want to remove 1 Return Card ABC321 removed from whitelist Secure ...

Page 419: ...ll Customer Trust Authority CTA payShield Manager smartcards available Insert first CTA payShield Manager Smartcard and press ENTER Return Enter PIN Return Insert CTA payShield Manager Smartcard 2 of 3 and press ENTER Return Enter PIN Return Insert CTA payShield Manager Smartcard 3 of 3 and press ENTER Return Enter PIN Return Starting the commissioning of the HSM process Please insert left key car...

Page 420: ...name Florida Return Locality Name eg city Plantation Return Organization Name eg company Thales Return Organizational Unit Name eg section Production Return Common Name e g server FQDN or YOUR name CTA CTA Return Email Address info thalesesec com Return Enter number of Customer Trust Authority private key shares 3 9 3 Return Enter number of shares to recover the Customer Trust Authority private ke...

Page 421: ...l Rights Reserved CTA share written to smartcard Insert payShield Manager Smartcard 3 of 3 and press ENTER Return Enter new PIN for smartcard Return Re enter new PIN Return Working CTA share written to smartcard Successfully generated a Customer Trust Authority Secure ...

Page 422: ...d XK Function Defines a RACC as either a left or right key in the whitelist on the HSM Authorization The HSM must be in Secure state to run this command Inputs Left or Right card type Outputs None Example 1 Secure XK Return Insert payShield Manager Smartcard and press ENTER Return Enter PIN Return Do you want to make ABC321 a L eft or R ight key L Return Card ABC321 is now a left key Secure ...

Page 423: ...ilable Insert first CTA payShield Manager Smartcard and press ENTER Return Enter PIN Insert CTA payShield Manager Smartcard 2 of 3 and press ENTER Return Enter PIN Insert CTA payShield Manager Smartcard 3 of 3 and press ENTER Return Enter PIN Enforce a PIN change on first use Y N N Return Insert a payShield Manager Smartcard to be commissioned and press ENTER Return Enter new PIN for smartcard Ret...

Page 424: ...he LMK and then split it among shares onto the pre commissioned payShield Manager RLMK cards Authorization The HSM must be in Secure state to run this command Inputs Number of shares to split LMK into Number of Components required to reconstitute LMK Outputs None Example 1 Secure XT Return Please have all the local LMK components and enough commissioned RACCs to receive the LMK ready Insert card a...

Page 425: ... to smartcard Want to test the reassembly of the LMK Y Return Please have all the RLMK shares ready Insert RLMK card and press ENTER Return Enter PIN Return LMK share 1 read 1 of 2 Card Check E0CBF4 Insert RLMK card and press ENTER Return Enter PIN Return LMK share 2 read 2 of 2 Card Check E0CBF4 LMK Check 268604 Secure ...

Page 426: ...martcard Authorization The HSM may be in any state to run this command Inputs None Outputs None Example 1 Secure XX Return Please insert card to decommission and press ENTER Return Warning Resetting a payShield Manager Smartcard to its original state will erase all key material from the card Are you sure Y N Y Return payShield Manager Smartcard successfully decommissioned Would you like to decommi...

Page 427: ...000A Issued by Development Factory TTA Validity Sep 26 15 35 30 2018 GMT to Sep 20 15 35 30 2043 GMT Unique ID B655F28FD784A9C2A5169FF4F4DD41EA D61B5F4A Customer Trust Authority Installed Yes 2 Issued to TES LC Issued by TES LC Validity Oct 5 13 11 12 2018 GMT to Sep 29 13 11 12 2043 GMT Unique ID 9FEACF2E361A2BADA0E2E9238D121E1D 27871B3A Root HSM Public Key Certificate Installed Yes 3 Issued to A...

Page 428: ...ction To duplicate a CTA share smartcard Authorization The HSM must be in Secure state to run this command Inputs None Outputs None Example 1 Secure XZ Return Insert a CTA share payShield Manager Smartcard to be duplicated Enter PIN Return Working Please insert a commissioned payShield Manager smartcard and press ENTER Return Enter PIN Return Working CTA share written to smartcard Secure ...

Page 429: ...native memory stick should be used The HSM s certificate signing request CSR structure is compliant with PKCS 10 The client must use the same key type as is included in the HSM s CSR The HSM uses certificate formats compliant with X 509 The payShield 10K provides the following console commands to manage the HSM s private key the certified public key and the CA self signed public key certificate to...

Page 430: ...name when saving to USB memory stick Outputs Prompts as above Key generation message Prompt to save to USB memory stick Certificate Signing Request Errors File exists replace Notes The HRK must be installed using the SK console command prior to using this command The exported file will automatically have the extension CSR The size of RSA keys used is 2048 bits The size of ECDSA keys used is either...

Page 431: ...TIFICATE REQUEST MIIC2TCCAcECAQAwgZMxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5HcmVhdGVyIExv bmRvbjEPMA0GA1UEBxMGTG9uZG9uMREwDwYDVQQKEwhCYW5rIFhZWjETMBEGA1UE CxMKT3BlcmF0aW9uczERMA8GA1UEAxMISFNNLTAwMDIxHzAdBgkqhkiG9w0BCQEW EGJpbGxAYmFua3h5ei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQC JhIisca5k7l5YIRNcDcq QMb3jHzhQIbME4O9zDhTtmINFM7YrvZ6N2Sy1TU za1cPf9JKR2X5D3ukaICtkTwxArj1WRnU2UnINTYeO0RWeBaouxO4ijSvz...

Page 432: ...TIFICATE REQUEST MIIC2TCCAcECAQAwgZMxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5HcmVhdGVyIExv bmRvbjEPMA0GA1UEBxMGTG9uZG9uMREwDwYDVQQKEwhCYW5rIFhZWjETMBEGA1UE CxMKT3BlcmF0aW9uczERMA8GA1UEAxMISFNNLTAwMDIxHzAdBgkqhkiG9w0BCQEW EGJpbGxAYmFua3h5ei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDBJAjJVtpE2Covk13BpZCACN6hUoQeLRv62 M3Lioa ckvrIDaFxRTmlBGAof nZR3uRXSRz5oo3MX fG4QXuLCGujFPHUfdnJRFIGnxoxkrrXn5OyxtokLwd...

Page 433: ... pair must be installed using the SG console command prior to using this command The file s to be imported must have the extension CRT A maximum certificate chain length of 6 is supported The required format for the USB memory stick is FAT32 The Operating System used in the payShield 10K supports most types of USB memory stick but may not have the drivers for some of the newer types If difficultie...

Page 434: ...ady been installed see Example 1 and so the HSM indicates that the Chain of Trust is complete Secure SI Return Select File 1 HSM 0001 crt 2 BankXYZRootCA crt 3 Client crt 4 ClientRootCA crt File 1 Return Imported CA signed HSM Certificate Issued to HSM 0001 Issued by Bank XYZ Validity May 21 15 05 51 2013 GMT to May 21 15 05 51 2014 GMT Unique ID 2050 AC03FAD5 Chain of Trust validated Bank XYZ Roo...

Page 435: ...above Prompt to save to USB memory stick Certificate Chain of Trust is displayed at the console and if requested saved to the USB memory stick Errors File exists replace Notes The HSM s public private key pair must be installed using the SG console command prior to using this command The exported file will automatically have the extension CRT A maximum certificate chain length of 6 is supported Th...

Page 436: ...QQHEwxMb25nIENyZW5kb24xDzANBgNVBAoTBlRoYWxlczEM MAoGA1UECxMDUE1HMR4wHAYDVQQDExVwYXlTaGllbGQgQ2VydGlmaWNhdGUxMzAx BgkqhkiG9w0BCQEWJGphbWVzLnRvcmp1c3NlbkB0aGFsZXMtZXNlY3VyaXR5LmNv bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTFR dFeafMZsMwgeOK vWxjmaUOP6z5mK qeD4wYvNP5cv1GVqKoMFTNkJL jeBSyo39IR0T4AoalroUb6F yi76nmv0VVqFgPWIS92bRBozGp8dZU09aJQGCuOIjEvKuUtddWrpp0ClFEnTXXsx LpfjTal5vSl D9lazkMiFxdi7OU...

Page 437: ...un this command Inputs Certificate to be displayed in full Outputs The HSM s public private key pair must be installed using the SG console command prior to using this command Prompts as above List of currently installed certificates Status of HSM s private key installed or not installed HSM Certificate installed maximum of 1 certificate Client Certificate s installed maximum of 10 certificates CA...

Page 438: ...May 5 09 24 10 2023 GMT Unique ID C14FF9DE78FB441A D221289A Root 4 Issued to Bank XYZ Issued by Bank XYZ Validity May 9 10 59 22 2013 GMT to May 7 10 59 22 2023 GMT Unique ID 9C8FC713FAA31010 AC03FAD5 Root Chain of Trust validated Bank XYZ Root Select an item to view 1 Return Certificate Data Version 3 0x2 Serial Number 8273 0x2051 Signature Algorithm sha1WithRSAEncryption Issuer C UK ST Greater L...

Page 439: ...Reserved Digital Signature Non Repudiation Key Encipherment Signature Algorithm sha1WithRSAEncryption b8 e9 e9 8f 2e f9 50 93 a1 8b 8d 0b e5 fd ef 6f 6c 05 59 0d df 85 b7 48 c6 02 d9 16 f9 80 e5 c9 c2 69 7f 06 2b ba 18 9f Do you wish to view another certificate N Return Online ...

Page 440: ...certificate Example 1 This example demonstrates the use of the SD console command to remove a client certificate from the HSM Secure SD Return HSM Private Key installed Yes HSM Certificate installed 1 Issued to HSM 0002 Issued by Bank XYZ Validity May 21 15 05 51 2013 GMT to May 21 15 05 51 2014 GMT Unique ID 2050 AC03FAD5 Client certificate s installed 2 Issued to APP 0001 Issued by Applications ...

Page 441: ...on The HSM must be in the secure state to run this command Inputs Passphrases 1 2 each entered twice for verification Outputs Prompts as above Passphrase rules Creating HRK message Key synchronization message Notes The HRK replaces the RMK used in previous versions of software Example 1 This example demonstrates the use of the SK console command to generate an HRK Secure SK Return NOTE Passphrase ...

Page 442: ...he HRK replaces the RMK used in previous versions of software Example 1 This example demonstrates the use of the SP console command change administrator 1 s HRK passphrase Secure SP Return NOTE Passphrase rules as follows 1 Must be between 8 and 30 characters long 2 Can contain spaces 3 Must be comprised of at a minimum 2 digits 2 uppercase characters 2 lowercase characters 2 symbols e g 4 Cannot ...

Page 443: ...tion The HSM must be in the secure state to run this command Inputs Passphrases 1 2 Outputs Prompts as above Restoring HRK message Key synchronization message Errors HRK already loaded Notes The HRK replaces the RMK used in previous versions of software Example 1 This example demonstrates the use of the SL console command to generate an HRK Secure SL Return Enter administrator 1 passphrase Enter a...

Page 444: ... Device KMD is now end of sale and has been replaced by the Trusted Management Device TMD see Section 1 11 earlier in this document for further information This section describes the set of console commands that facilitate the operation of the Thales Key Management Device KMD in a PCI PIN compliant manner Command Page Generate KTK Components KM 443 Install KTK KN 444 View KTK Table KT 445 Import K...

Page 445: ...s PINs to be entered Outputs Check value of smartcards Check value of new KTK Example 1 This example demonstrates the use of the KM console command to generate two KTK components on smartcards Secure KM Return Enter number of components 2 3 2 Return Insert blank card and enter PIN Return Writing keys Checking keys Device write complete check ZZZZZZ Make another copy Y N N Return 1 copies made Inse...

Page 446: ...ample 1 This example demonstrates the use of the KN console command to install a KTK in KTK Id 01 using two smartcards Secure KN Return Enter KTK id 00 19 01 Return Enter comments KTK for KMD in secure room Return KTK in selected location must be erased before proceeding Erase KTK Y N Y Return Load KTK in components Insert card and enter PIN Return Check ZZZZZZ Load more components Y N Y Return In...

Page 447: ...n To display the KTK table Authorization None Inputs None Outputs List of installed KTKs Example 1 This example demonstrates the use of the KT console command to display the list of all KTKs currently installed in the HSM Online KT Return KTK table ID Scheme Algorithm Check Comments 01 Variant 3DES 2key 292489 KTK for KMD in secure room 03 Variant 3DES 2key 549235 KTK for 2nd KMD Online ...

Page 448: ...e must be authorized Inputs LMK Identifier Key Type Code Key Scheme LMK KTK Identifier Key encrypted under KTK Outputs Key encrypted under LMK Example 1 This example demonstrates the use of the KK console command to import a double length DES ZMK key type 000 from encryption under KTK Id 01 to encryption under LMK Id 02 Online AUTH KK Return Enter LMK id 02 Return Enter Key type 000 Return Enter K...

Page 449: ...rization None Inputs KTK Identifier Outputs Display of relevant entry from KTK table Example 1 This example demonstrates the use of the KD console command to delete a previously installed KTK KTK Id 01 from the HSM Secure KD Return Enter KTK id 01 Return KTK table entry ID Scheme Algorithm Check Comments 01 Variant 3DES 2key 292489 KTK for KMD in secure room Confirm KTK deletion Y N Y Return KTK d...

Page 450: ...ch may require attention by the HSM Administrators or Security Officers are logged The following non 00 error responses are not included in the Audit Log Not Audited if error response is Cmnd 01 02 43 A6 X BC X BE X BK X BY X CG X CK X X CM X CO X CQ X CU X DA X X DC X DE X DU X X EA X X EC X EE X EG X EI X F0 X F2 X FA X FU X G2 X G4 X GO X GQ X GS X GU X J0 X K2 X KE X KO X P0 X PG X PY X QQ X Q...

Page 453: ...command characters e g the LK command cannot be successfully entered as L K When entering sensitive clear text data use the inhibit echo back facility to ensure that the HSM does not echo the data to the console screen This is set at configuration using the CS Configure Security command Instead of displaying the data the HSM displays a star for each character entered Note New values take effect im...

Page 454: ...be opened as appropriate It is recommended that the Management Ethernet port and Host Ethernet port s have independent IP subnets Table 7 Port settings with Firewall Port Protocol Purpose 20 TCP FTP for software and license updates 21 TCP FTP for software and license updates 161 UDP SNMP Requests Utilization and Health Check data 162 UDP SNMP traps 5002 UDP sysid 5003 UDP Software update managemen...

Page 455: ...mmands B 3 Configure the Host Ports The payShield HSM Host interfaces can be configured using the Console to emulate a number of types of data communications equipment and control equipment At the end of the configuration the user is given the option to save the host interface settings to a smart card B 3 1 Configuring the Software Prerequisites The HSM is in either the secure state or the offline...

Page 456: ...characters header which the Host can use to identify the transaction or for any other purpose The HSM returns the string unchanged to the Host in the response message The length of the header can be set to any value between 1 and 255 the default value is 4 B 3 1 2 Ethernet Communications The payShield Host port provides two auto sensing Ethernet interfaces which support 10 base T 100 base TX or 10...

Page 457: ...e published TCP port address of the HSM in the range 0000010 to 6553510 representing an address in the range 000016 to FFFF16 The IP address for each of the host ports i e the Internet Protocol addresses of the unit s host ports in the system The addresses are four decimal numbers each not exceeding 255 The subnet mask for each host port used to define the network class This is four decimal number...

Page 459: ...ommand traffic between host and payShield as defined in host port parameters Default is 1500 Use of this port results in the default LMK being used unless the command explicitly identifies another LMK xxxx n TCP UDP Well known port for command traffic between host and payShield where LMK n 1 is to be used For example if the default well known port has been defined as 1500 then 1501 is used if LMK ...

Page 461: ... or remotely installed by the customer i e the Customer Trust Authority or CTA Key management material on an HSM can be in one of two states Warranted The payShield only has the Pre placed Trust This is the factory default state A unit will return to this state upon tamper Commissioned The payShield has Customer Trust i e the customer has placed trust elements on the HSM The Pre placed Trust is on...

Page 462: ...ormatted for LMK type cards The trusted officers that will hold the shares in the Customer Trust Authority are present C 3 Procedure All commands are entered via the console terminal C 3 1 Secure the HSM 1 Place the HSM in the Secure state Place the keys in the locks located on the front of the unit Turn the keys to the locked position C 3 2 Generate a Customer Trust Authority The XI console comma...

Page 463: ...es to recover the Customer Trust Authority private key 3 3 3 Return Issued to CTA Issued by CTA Validity Jan 9 10 28 49 2015 GMT to Jan 3 10 28 49 2040 GMT Unique ID EE3CB7CE8343B464CC04278188CF7EB3 3DE05514 Root Insert payShield Manager Smart Card 1 of 3 and press ENTER Return Enter new PIN for smart card Return Re enter new PIN Return Working CTA share written to smart card Insert payShield Mana...

Page 464: ...ority that was just created and prompt you to store the CTA components onto smart cards Issued to Group1 Issued by Group1 Validity Apr 9 07 02 16 2015 GMT to Apr 2 07 02 16 2040 GMT Unique ID B07EA9A049325E02BF84B48A3644CCC3 702788CA Root Insert payShield Manager Smart Card 1 of 3 and press ENTER Follow the on screen directions One by one place a smart card into the integrated reader of the HSM Ea...

Page 465: ... turned on the HRK is generated with default passphrases The passphrase can be the same among one or more payShields based upon your organization s security policy C 3 4 Commission the HSM The XH console command commissions the factory warranted HSM Note The presence of two trusted officers is required along with the following The Customer Trust Authority smart cards i e the CTA cards that you jus...

Page 466: ...ds to change the lock state of the HSM 1 At the prompt enter XH and press ENTER Secure XH ENTER One by one insert and assign a PIN for each smart card The HSM creates the CTA private key Example Secure XH Return Please have all Customer Trust Authority CTA payShield Manager smart cards available Insert first CTA payShield Manager Smart Card and press ENTER Return Enter PIN Return Insert CTA payShi...

Page 467: ...ds Authorizing Officer cards Restricted cards Administrator cards both Right and Left cards 1 From the payShield Manager landing page Click Login 2 Follow this link to continue Section 8 9 2 1 Commission a Smart Card on page 147 Note A link is provided to return you to the section below C 3 6 Migrate LMK Cards to become RLMK Cards The XT console command transfers an existing HSM LMK stored on lega...

Page 468: ...key LMK status Test Is this the LMK you wish to transfer Y N Y Return Enter the number of shares to split the LMK into 2 9 2 Return The number of shares required to reconstitute the LMK is fixed for variants 2 Return Insert a commissioned card 1 of 2 and press ENTER Return Enter PIN Return Card Check E0CBF4 LMK share written to smart card Insert a commissioned card 2 of 2 and press ENTER Return En...

Page 469: ... team of knowledgeable and friendly support staff are available to help If your product is under warranty or you hold a support contract with Thales do not hesitate to contact us using the link below For more information consult our standard Terms and Conditions for Warranty and Support https supportportal thalesgroup com csm ...

Page 470: ...Contact us For all office locations and contact information please visit cpl thalesgroup com contact us cpl thalesgroup com ...

Search results

Summary of Contents for payShield 10K

Reviews:

Related manuals for payShield 10K

Brands by name

Popular brands

Thales payShield 10K, Installation And User Manual

Search results

Summary of Contents for payShield 10K

Reviews:

Related manuals for payShield 10K

Brands by name

Popular brands