manualshive.com logo in svg

ZAZO TsmWeb TSM500i, User Manual


Share
Download
background image

 

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)

| Page 19 

 

 

 

 

 

 

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French), 

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten 

www.zazooltd.com 

2.8.2

 

Authenticate HSM - Request Step 

 

On the 

TSM Operators

 page click on “Authenticate HSM and Set Initial Passwords” tab. 

 

Select “Request” from the “Action” drop down menu. Click on 

REQUEST

 

Write the “Expected Response” down and keep this safe. It will be of the form “ER12345678”. 

 

Copy the “Token” into the text file. The token will comprise 112 ascii-hex characters. 

 

Send the “Token” (Device Authentication Token) to Prism (the Manufacturer) so that the HSM can be 
authenticated before control is transferred to the Customer. 

 

In the same email, provide the manufacturer with the names and email addresses of the two crypto 
officers that will be established during the ‘FINALIZE’ step of this process. This information should be 
provided on a company letterhead. Sample wording for the request is provided in a template on the 
support CD that is provided with the HSM. 

Having issued the Request and sent  the token to the Manufacturer,  DO NOT initiate the Request 
step  again  prior  to  completing  the  Finalize  step  detailed  below.  Authenticating  the  HSM  uses  a 
challenge-response  mechanism.  The  Finalize  step  will  only  work  if  it  is  in  response  to  the  last 
challenge issued. 

 

2.8.3

 

Authenticate HSM - Finalise Step 

To perform this operation you must have completed the Request step and received the necessary 
response from the Manufacturer (Prism). The tokens will be emailed individually to the 2 officers 
identified in the Request step.  

Both officers need to be present simultaneously to complete this step. 

 

 

Confirm that both crypto officers have received their Control Transfer Tokens from the Manufacturer. 

 

Confirm that the Expected Response that was returned by the Manufacturer matches the expected 
response that was recorded in the first step. 

 

Select “Finalise” from the “Action” drop down menu.  

 

Ensure that the KCED is attached to the appropriate port of the HSM before proceeding. 

Whenever the KCED is connected to the HSM, the Cryptographic Officers must inspect the HSM, the 
externally connected device, and the inter-connecting cable for any signs of tampering or insertion 
of a bugging device. 

 

Officer 1 will be required to enter their name and token. The token will be of the form “0187654321” 

 

Officer 2 will be required to enter their name and token. The token will be of the form “0287654321” 

 

Click on 

FINALISE

 

Officer 1 will be required to enter and confirm their password via the KCED. 

Make a record of the 

password and keep in a safe place

 

Officer 2 will be required to enter and confirm their password via the KCED. 

Make a record of the 

password and keep in a safe place

 

A password must be at least 7 digits in length, using digits in the range 0 to 9. 

Summary of Contents for TsmWeb TSM500i

Page 1: ...M as well as the TsmWeb interface used to manage this HSM Company Confidential The information in this document is intended only for the person or the entity to which it is addressed and may contain c...

Page 2: ...kaging in an anti static bag in foam padded box Failure to do so could result in damage to the HSM The original packaging should be kept in a safe place in case it becomes necessary to transport the H...

Page 3: ...13 2 6 NETWORK SETUP RECOVERY 14 2 6 1 Use the LCD MENU to set the IP address 14 2 7 TSM WEB INTERFACE 15 2 7 1 Invoking TSM WEB for a TSM500i PCIe 15 2 7 2 Invoking TSM WEB for a TSM500i NSS 15 2 7 3...

Page 4: ...eys 27 3 HSM PASSWORD MANAGEMENT 28 3 1 How to add a Crypto Officer 28 3 2 How to change an existing password 29 3 3 Reset One Password 30 3 4 Reset CSPs clear all passwords and set passwords 31 4 ONG...

Page 5: ...11 Disabling and Enabling SSL TLS 40 4 11 1 Disable TLS from the LCD MENU 40 4 11 2 Disable or Enable TLS from TSM WEB 40 4 12 Upgrading TSM500i firmware 41 4 13 Upgrading TSM500i NSS System Software...

Page 6: ...s responsibility to procure and setup a server that will house the TSM500i PCIe Note that a physical computer is required the TSM500i PCIe cannot be installed in a virtual machine It is also necessar...

Page 7: ...the KCED port on the front panel In the case of a TSM500i PCIe it connects to the RED port on the connector panel this is the connector closest to the status LEDs Whenever the KCED is connected to th...

Page 8: ...A two step process is used to authenticate the HSM at the place of initial deployment and to simultaneously set the initial 2 crypto officer passwords This process is used to transfer control of the...

Page 9: ...liance guidelines that are a good reference for creating security procedures A valuable source of information is the PCI PIN Security Requirements At minimum the following issues should be addressed T...

Page 10: ...packaging and hardware are intact Also verify that is no sign of physical damage Verify that the hardware has not tampered Power on hardware and if red status LED is permanently ON then the hardware...

Page 11: ...Access to the expansion slot may differ for machines from different vendors please refer to your vendor documentation Remove the TSM500i from the protective static bag To prevent Electro Static Discha...

Page 12: ...a healthy maintenance state If the module is required to be in the operational state it will need to be reset ON 1 FLASH Tampered state Remove and physically inspect the module according to standard s...

Page 13: ...Driver folder of the TSM5XX Support CD to select the appropriate driver for your Windows operating system Install Conductor and TSM WEB Run TSM5XX PCI_Installer exe provided on the TSM5XX Support CD...

Page 14: ...LCD display After about 30 seconds the following prompt will be displayed briefly for menu Press and hold down the red button and green button on the front panel until a MAIN MENU appears on the LCD...

Page 15: ...Enter http localhost as the URL into your Web Browser when using TSM500i PCIe Note that TSM WEB and Conductor must have been installed see section 2 5 2 7 2 Invoking TSM WEB for a TSM500i NSS When us...

Page 16: ...after clicking I understand the risks 2 7 3 1 Setting Admin Password for the first time If no admin user password has been set the user will be presented with a screen titled TSM WEB Set Admin Passwor...

Page 17: ...nutes of inactivity This timeout period can be configured via Preference Manager page on TSM WEB When using TSM WEB on a TSM500i NSS you will always be required to enter a password When using a TSM500...

Page 18: ...read the Access Control Mode that is reported The Access Control Mode specifies 1 Whether the module is in the Loader state i e running the Boot Loader Loader Tampered state or in the Operational sta...

Page 19: ...in response to the last challenge issued 2 8 3 Authenticate HSM Finalise Step To perform this operation you must have completed the Request step and received the necessary response from the Manufactu...

Page 20: ...successful completion of the above step the HSM will have been authenticated to have originated from the Manufacturer and verified to have not been modified 2 8 4 Add additional crypto officers Refer...

Page 21: ...rt daylight saving time The HSM s date and time is a Critical Security Parameter for certain cryptographic functions and should be corrected at this point This service requires two Crypto Officers to...

Page 22: ...eration it is strongly recommended that the Default trace level be used This will log all errors and most warnings Selecting either of the other two options Verbose or Debug will result in performance...

Page 23: ...o login to TSM WEB 2 11 2 Configuring Account and Password Policy TSM WEB account and password policy is configured in the Preference Manager which is accessed by clicking Preference Manager from the...

Page 24: ...ash drive using the LCD MAIN MENU Power the TSM500i NSS off Insert a USB flash drive into the USB port on the front panel of the TSM500i NSS Power it on again and hold down the red button and green bu...

Page 25: ...tate is AC OPERATIONAL and then click Login on the TSM Management page The TSM Management page will reload after the cryptographic officers have successfully logged in to the TSM500i Select the tab la...

Page 26: ...refer to the KCED Installation and User Guide for details on how to use the Key Component Entry Device KCED Procedure Click on the TSM Management page Two cryptographic officers must login using the K...

Page 27: ...list of permissions represented by respective mnemonics as shown in the permissions table Once all of the required permissions have been entered and those to be unset removed click on Set permissions...

Page 28: ...r connecting cable for any signs of tampering or insertion of a bugging device Requirements Logged into TSM WEB and the KCED connected to the TSM500i This service can only be performed if the module i...

Page 29: ...the KCED is connected to the HSM the Cryptographic Officers must inspect the HSM the externally connected device and the inter connecting cable for any signs of tampering or insertion of a bugging dev...

Page 30: ...r These tokens will only be sent to the email specified on the signed letter The tokens may only be used once where after they will not function Whenever the KCED is connected to the HSM the Cryptogra...

Page 31: ...where after they will not function Both crypto officers must be present during this command Whenever the KCED is connected to the HSM the Cryptographic Officers must inspect the HSM the externally con...

Page 32: ...me of the TSM500i NSS reported at bottom of TSM WEB home page and the time of the HSM are correct and synchronized If not setting the date and time in accordance with section 2 9 will set both clocks...

Page 33: ...ng the procedure provided by the vendor of the software that drives the TSM500i 2 Export the encrypted keys from the database to a CSV Excel file 3 Use Excel to make necessary format changes to ensure...

Page 34: ...red is visible to nobody except the custodian responsible for the component otherwise the SMK could be compromised 4 4 3 Translate Keys Note After loading the Migration SMK you will need to reload the...

Page 35: ...the above the status report also provides an Audit Log containing all module Bootloader Audit Log entries This audit log gives the date and time of events such as hardware resets operator logins tamp...

Page 36: ...until a MAIN MENU appears on the LCD display The arrow keys may be used to select the required option For details on how to navigate and use the MAIN MENU refer to section 2 6 1 or APPENDIX B LCD SEQ...

Page 37: ...USB flash drive that has the NSS_BACKUPS directory from a previous backup operation is required for a restore Switch the TSM500i NSS off The flash drive should be plugged into the USB Service port on...

Page 38: ...e Prism TSM WEB service to be stopped and then restarted once the backup is complete Backup the files tsmweb sqlite and tsmweb prop found in C Program Files Prism TsmWeb using a file backup program e...

Page 39: ...wd option to ERASE the current Admin Password Once this has been done a new Admin Password may be set as described in section 2 7 3 1 4 9 2 Config Reset Selecting the Config reset option from the RESE...

Page 40: ...gorithm can be changed via the Preferences Manager both RSA and EC key types are supported It must be noted however that EC is not supported in Internet Explorer but has been tested successfully in bo...

Page 41: ...han the current version then the Crypto Officer role will need to be assumed When updating the TSM500i firmware the Access Control Mode should be BL LOADER_ROLE_OFFICER if loading firmware of same typ...

Page 42: ...o time to provide an update to one or more of the software components that run on the TSM500i NSS embedded computer If you receive an NSS software upgrade from Prism the mechanism for these software u...

Page 43: ...environment for a different purpose This service can only be performed if the module is in the Loader state and requires both Crypto Officers to have logged in i e Access Control Mode must be BL LOAD...

Page 44: ...CER Before clearing the tamper it is advisable to first ascertain the cause of the tamper To do this select the TSM Status page from the side menu and observe what is reported under the headings Activ...

Page 45: ...y the comma character No field may contain a comma Using double quotes to enclose a field that contains a comma is not valid The double quotes will be assumed to be part of the field value Leading and...

Page 46: ...in the output file Key space ID Number The ID of the key space under which the key is encrypted Key Type Number The key type as used by the MCM API Key Hex string The key encrypted under the current K...

Page 47: ...User Guide PCI HSM v3 PR D2 1037 Rev 1 1 Page 47 Zazoo Limited Co No 9265606 Directors Dr S C P Belamant French Mr H G Kotze Mr P M Belamant Company Secretary Ms C W van Straaten www zazooltd com APPE...

Page 48: ...and TsmWeb User Guide PCI HSM v3 PR D2 1037 Rev 1 1 Page 48 Zazoo Limited Co No 9265606 Directors Dr S C P Belamant French Mr H G Kotze Mr P M Belamant Company Secretary Ms C W van Straaten www zazoo...

Page 49: ...ards and Technology NSS Networked Security Server refer to TSM500i NSS PC Personal Computer often used to refer to any Windows based computer PCI 1 Payment Card Industry when referring to security sta...

Reviews:

No comments

Related manuals for TsmWeb TSM500i

Magnat Audio MC 200 Faq preview
MC 200
Brand: Magnat Audio Pages: 2
YASKAWA A1000 Series Installation Manual preview
A1000 Series
Brand: YASKAWA Pages: 34
CSS SafetyNet Quick Install Manual preview
SafetyNet
Brand: CSS Pages: 2
Konica Minolta Network Setup Network Setup Manual preview
Network Setup
Brand: Konica Minolta Pages: 38
Western Digital My Net N750 Start Here Manual preview
My Net N750
Brand: Western Digital Pages: 8
ADTRAN 617600026F1 Quick Start Manual preview
617600026F1
Brand: ADTRAN Pages: 9
ForeScout CounterACT Quick Installation Manual preview
CounterACT
Brand: ForeScout Pages: 28
NETGEAR RAXE500 User Manual preview
RAXE500
Brand: NETGEAR Pages: 169
ESD ECS-CPCIs/FPGA Hardware Manual preview
ECS-CPCIs/FPGA
Brand: ESD Pages: 28
Thermalright AXP-100H MUSCLE Manual preview
AXP-100H MUSCLE
Brand: Thermalright Pages: 36
Lanner electronics EM-566 Series Manual preview
EM-566 Series
Brand: Lanner electronics Pages: 59
B&B Electronics EIR208 Series Quick Start Manual preview
EIR208 Series
Brand: B&B Electronics Pages: 2
3Com 3C433279A Release Note preview
3C433279A
Brand: 3Com Pages: 12
Logicube ZCLONE User Manual preview
ZCLONE
Brand: Logicube Pages: 56
OPTO 22 PCI-AC48 User Manual preview
PCI-AC48
Brand: OPTO 22 Pages: 28
H3C SecPath F50X0 Series Manual preview
SecPath F50X0 Series
Brand: H3C Pages: 41
LevelOne NVR-0432 User Manual preview
NVR-0432
Brand: LevelOne Pages: 142
ORiNG IES-3082GC User Manual preview
IES-3082GC
Brand: ORiNG Pages: 101

Brands by name

Popular brands

Load more brands