TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)
| Page 28
Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),
Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten
www.zazooltd.com
3 HSM PASSWORD MANAGEMENT
3.1 How to add a Crypto Officer
This process cannot be used for setting initial passwords. Refer to section 2.8 for details on how to set
passwords on initial deployment.
This process requires dual control and is therefore only possible if 2 crypto officers are able to authenticate
themselves. It cannot be used where passwords have been forgotten!
Whenever the KCED is connected to the HSM, the Cryptographic Officers must inspect the HSM, the
externally connected device, and the inter-connecting cable for any signs of tampering or insertion
of a bugging device.
Requirements:
Logged into TSM-WEB and the KCED connected to the TSM500i.
This service can only be performed if the module is in the Loader state.
Dual authentication – two Crypto Officers must have authenticated themselves, using the KCED to log in.
Process:
Click on the “Manage Operators” tab on the TSM Operators page.
To add an operator, check “NEW OPERATOR”.
Set the “NAME” field with the name of the new officer. Click on ADD OPERATOR.
Follow the on-screen instructions on the KCED. When prompted (twice), enter the new password on the KCED.
A password must be at least 7 digits in length, using digits in the range 0 to 9.
Make a record of your password and keep it in a safe place.
ENSURE THAT YOU FULLY UNDERSTAND THE CONSEQUENCES OF LOSING YOUR PASSWORD!
If all crypto officers forget their passwords, there is NO way to reset the HSM passwords without
ERASING ALL CSPs.