TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1) | Page 25
Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),
Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten
www.zazooltd.com
2.13 PREPARE TSM FOR OPERATION: LOAD CSPs
This section covers operational preparation for all TSM500i HSMs except those that are running STS
firmware.
The most important CSP in an HSM is usually the Storage Master Key (SMK). This key is used to encrypt all other
keys, which are stored in a key database (outside the HSM). Without the SMK, the HSM is unable to perform
any processing.
2.13.1 Generating SMK components
This service is only available when the TSM500i is in the Privileged mode.
Click on the TSM Management page.
Two cryptographic officers must log in using the KCED in order to enter the AC:Privileged mode. To
log in, check that the current state is AC:OPERATIONAL and then click Login on the TSM Management
page.
The TSM Management page will reload after the cryptographic officers have successfully logged in to
the TSM500i. Select the tab labelled “Generate Key” on this page.
Note that this tab will not be available if the current TSM state is not AC:PRIVILEGED.
Select the required key length from the drop down menu labelled “Key Length”.
Select the required number of components from the drop down menu labelled “Components”.
Select “DES/TDES” as the key algorithm from the drop down menu labelled “Algorithm”.
Select “Standard DES/TDES key check algorithm” from the drop down menu as “Verification method”.
Select the required parity from the drop down menu labelled “Parity”.
Click on Generate Components.
The key components generated should be displayed on the KCED. Follow prompts on the KCED to
ensure secrecy of the components.
Proper measures must be taken to ensure that the component being entered is visible to nobody
except the custodian responsible for the component; otherwise the SMK could be compromised.
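What the "Components" and "Parity" selections mean for the custodians, as an added example that is not taken from the Zazoo manual or firmware. It assumes components are combined by XOR, the common split-knowledge scheme for DES/TDES keys (the manual does not state how the TSM500i combines them); all function names are hypothetical.

```python
import secrets
from functools import reduce

# DES/TDES key lengths in bytes (single, double and triple length).
KEY_BYTES = {"single": 8, "double": 16, "triple": 24}

def set_odd_parity(data: bytes) -> bytes:
    """Set each byte's low bit so the byte holds an odd number of 1 bits."""
    out = bytearray()
    for b in data:
        ones = bin(b >> 1).count("1")              # the 7 key bits
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def has_odd_parity(data: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in data)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def generate_components(length: str, count: int) -> list:
    """One random, odd-parity component per custodian."""
    if count < 2:
        raise ValueError("split knowledge needs at least two components")
    n = KEY_BYTES[length]
    return [set_odd_parity(secrets.token_bytes(n)) for _ in range(count)]

def combine(components: list) -> bytes:
    """Assumed combination rule: XOR of all components."""
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all have the same length")
    return reduce(xor_bytes, components)

def missing_component(candidate_key: bytes, known: list) -> bytes:
    """The component that would make `known` combine to `candidate_key`.
    One exists for every candidate, so n-1 components do not narrow the key."""
    return combine([candidate_key] + known)

if __name__ == "__main__":
    comps = generate_components("double", 3)       # constructed sample run
    key = combine(comps)
    # Odd count of odd-parity components -> combined key has odd parity;
    # an even count yields even parity in every byte.
    print(len(key), has_odd_parity(key))
```

With all but one component known, `missing_component` returns a valid final share for any candidate key, which is why a single component exposed to a second person removes the split-knowledge protection.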