payShield 10K Installation and User Guide
©Thales Group
All Rights Reserved
Enter the Authorized State (A)
Variant | Key Block
Online | Offline | Secure
Authorization: Not required
Command: A
Function:
To set the HSM into the Authorized State. The HSM prompts for either Smartcards or Passwords, as applicable, which must correspond to the LMK being authorized.
Authorization:
The HSM does not require any authorization to run this command.
Inputs:
• LMK Identifier: 1 or 2 numeric digits.
• PIN (if applicable): 5 to 8 alphanumeric characters. The PIN must be entered within 60 seconds. (4-digit PINs on legacy cards will also be accepted.)
• Either:
  o Smartcards (RLMKs are supported) with both authorizing passwords.
  o Password: 16 alphanumeric characters.
Outputs:
• Text messages as shown in examples.
Notes:
• If the CS setting "Card/Password authorization" is set to "Card", then the passwords required to put the HSM into the Authorized State will be read from smartcards. Note that only the first 2 LMK component cards contain passwords.
• This command is only available when the console command CS (Configure Security) setting "Enable multiple authorized activities [Y/N]" is set to "N".
• For PCI HSM compliance, authentication must use smartcards and PINs, not passwords.
• Use of this command will always cause an entry to be made in the Audit Log.
• Console commands remain authorized for 12 hours (720 minutes).
Errors:
• Invalid LMK identifier - no LMK is loaded, or the entered identifier is out of range.
• Card not formatted - the card is not formatted.
• Not an LMK card - the card is not formatted for LMK or key storage.
• Smartcard error; command/return: 0003 - an invalid PIN is entered.
• Invalid PIN; re-enter - a PIN of fewer than 5 or more than 8 digits is entered.
• Data invalid; please re-enter - the password is an invalid length.
Example 1:
This example authorizes the HSM using smartcards.
    Online> A <Return>
    Enter LMK id [0-9]: 00 <Return>
    First Officer:
    Insert card and enter PIN: ******** <Return>
    Second Officer:
    Insert card and enter PIN: ******** <Return>
    AUTHORIZED
    Console authorizations will expire in 720 minutes (12 hours).
    Online-AUTH>
Example 2:
This example authorizes the HSM using passwords.
    Online> A <Return>
    Enter LMK id [0-4]: 1 <Return>