Utimaco CryptoServer Se Series User manual

CryptoServer PCIe
Se-Series
Operating Manual

Imprint
Copyright 2017
Utimaco IS GmbH
Germanusstr. 4
D-52080 Aachen
Germany
Phone: +49 (0)241 / 1696-200
Fax: +49 (0)241 / 1696-199
Internet: http://hsm.utimaco.com
e-mail
Document Version: 1.1.6
Date: 2017-02-08
Status: Final
Document No.: M010-0004-en
All Rights reserved
No part of this documentation may be reproduced in any form (printing, photocopy or
according to any other process) without the written approval of Utimaco IS GmbH or be
processed, reproduced or distributed using electronic systems.
Utimaco IS GmbH reserves the right to modify or amend the documentation at any time
without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and
damages incurred due to them.
All trademarks and registered trademarks are the property of their respective owners.

Table of Contents
1 Introduction
1.1 About this Manual
1.1.1 Target Audience for this Manual
1.1.2 Contents of this Manual
1.1.3 Document Conventions
1.2 Other Manuals
1.3 Import and Export Regulations
1.4 Damage in Transit
1.5 Deliverables
2 General Safety Advice
2.1 Moving and Storing
2.2 Battery
2.3 Safely Transporting the CryptoServer
2.4 Environmental Temperature
3 Components of CryptoServer Se (PCIe)
4 Unpacking and Handling
4.1 General Notes
4.2 Installing the CryptoServer Se
4.3 Removing the CryptoServer Se
5 Installation of the CryptoServer Driver Software
5.1 Installation on Windows Operating Systems
5.1.1 Installing the Driver
5.1.2 Performing a Functional Test
5.1.3 Updating the Driver
5.1.4 Uninstalling the Driver
5.2 Installation on Linux Operating Systems
5.2.1 Compiling/Installing the Driver
5.2.2 Performing a Functional Test
5.2.3 Updating the Driver
5.2.4 Uninstalling the Driver
6 Replacing the Battery
7 Disposing of the CryptoServer Se
8 Technical Data
9 Contact Address for Support Queries

1 Introduction
Thank you for purchasing our CryptoServer Se-Series security system (referred to below as
CryptoServer Se). We hope you are satisfied with our product. Please do not hesitate to
contact us if you have any complaints or comments.
1.1 About this Manual
In this operating manual you will find all the necessary information for using the hardware of
the CryptoServer Se as well as essential security instructions that are to be followed in order
to ensure that the device can be operated safely.
1.1.1 Target Audience for this Manual
This manual is intended for system administrators who bring the CryptoServer Se into service
and administer it.
1.1.2 Contents of this Manual
Chapter 2 provides safety instructions that should be read carefully, before unpacking the
CryptoServer Se and bringing it into operation.
Chapter 3 shows the different components of the CryptoServer Se.
Chapter 4 contains some general notes about how to safely unpack and handle the
CryptoServer Se, as well as a general description of the procedure for installation and
uninstallation of the CryptoServer Se PCIe plug-in card.
Chapter 5 describes how to install the CryptoServer Se driver on the host computer, update,
test and remove it under Windows and Linux operating systems.
Chapter 6 provides instructions on how to replace the battery of the CryptoServer Se.
Chapter 7 gives information about what needs to be taken into account when disposing of the
CryptoServer Se.
Chapter 8 is an overview of CryptoServer Se's essential technical data.
Chapter 9 provides the manufacturer's contact data in case you have questions on
CryptoServer Se or problems occur while operating the CryptoServer Se.
1.1.3 Document Conventions
We use the following conventions in this manual:
Bold
Items of the Graphical User Interface (GUI), e.g., menu options
Monospaced
File names, folder and directory names, commands, file outputs,
programming code samples
Italic
References and important terms

We have used icons to highlight the most important notes and information.
Here you find important safety information that should be followed.
Here you find additional notes or supplementary information.
1.2 Other Manuals
The CryptoServer is supplied as a PCI-Express (PCIe) plug-in card in the following series:
■ CryptoServer CSe-Series
■ CryptoServer Se-Series
■ CryptoServer Se-Series Gen2
The CryptoServer LAN (appliance) is supplied in the following series:
■ CryptoServer LAN CSe-Series
■ CryptoServer LAN Se-Series
■ CryptoServer LAN Se-Series Gen2
We provide the following manuals on the product CD for the CryptoServer PCIe CSe- and
Se-Series and Se-Series Gen2 plug-in cards and for the CryptoServer LAN (appliance) CSe-,
Se- and Se-Series Gen2:
Quick Start Guides
You will find these Manuals in the main folder of the SecurityServer product CD. They are
available only in English, do not cover all possible scenarios, and are intended as a
supplement to the product documentation provided on the SecurityServer product CD.
■ CryptoServer LAN - Quick Start Guide
If you are looking for step-by-step instructions on how to bring the CryptoServer LAN into
service, how to prepare a computer (Windows 7) for the CryptoServer administration and
how to start administrating your CryptoServer with the Java-based GUI CryptoServer
Administration Tool (CAT), read this document.
■ CryptoServer PCIe - Quick Start Guide
If you are looking for step-by-step instructions on how to bring the CryptoServer PCIe
plug-in card into service, how to install the CryptoServer driver on a computer with minimal
RHEL 7.0 installation and how to start administrating your CryptoServer with the
CryptoServer Command-line Administration Tool (csadm), read this document.
Manuals for System Administrators
You will find these manuals on the product CD in the following folder:
…Documentation\Administration Guides\
■ CryptoServer - Manual for System Administrators
If you need to administer a CryptoServer PCIe plug-in card or a CryptoServer LAN using
the CryptoServer Administration Tool (CAT), read this manual. Furthermore, this manual
provides a detailed description of the CryptoServer functions, required for the correct and
effective operation of the product.
■ CryptoServer LAN - Manual for System Administrators
If you need to administer a CryptoServer LAN (appliance), read this manual. Since a
CryptoServer plug-in card is integrated into the CryptoServer LAN, please read the
CryptoServer - Manual for System Administrators, as well.
■ CryptoServer LAN/CryptoServer - Troubleshooting
If problems occur while you are using a CryptoServer PCIe plug-in card or a CryptoServer
LAN (appliance), read this manual.
■ CryptoServer LAN/CryptoServer
PKCS#11 CryptoServer Administration Tool - Manual for System Administrators
If you need to administer the PKCS#11 R2 interface with the PKCS#11 CryptoServer
Administration Tool (P11CAT), read this manual.
■ CryptoServer LAN/CryptoServer
CryptoServer Command-line Administration Tool - csadm - Manual for System Administrators
If you need to administer a CryptoServer PCIe plug-in card or a CryptoServer LAN using
the CryptoServer Command-line Administration Tool (csadm), read this manual (only
English version available).
Operating Manuals
You will find these manuals on the product CD in the following folder:
…Documentation\Operating Manuals\. They contain all the necessary information for
using the hardware of the CryptoServer PCIe plug-in card respectively the CryptoServer LAN
(appliance).

1.3 Import and Export Regulations
The export and use of CryptoServer Se outside Germany is subject to the legal foreign trade
regulations of the Federal Republic of Germany and requires the appropriate authorization.
The import of CryptoServer Se is subject to the legal requirements or other regulations that
apply in the particular destination (import license).
Please contact your own national import authorities for more detailed information.
1.4 Damage in Transit
By purchasing CryptoServer Se you have acquired a device that has been carefully tested and
packed for delivery. Nevertheless, damage may occur during transport or improper temporary
storage.
If you discover that the transport boxes are damaged when they arrive, please immediately
contact your reseller or Utimaco IS GmbH (the address and telephone number are given in
Chapter 9 of the current document). Please have the delivery note and the device's serial
number ready.
1.5 Deliverables
The CryptoServer Se deliverables include:
■ one CryptoServer Se PCI Express plug-in card
■ one CryptoServer PCIe Se-Series Operating Manual (this Manual)
You can also use smartcards to administer the CryptoServer Se. These smartcards, and also
the appropriate PIN pad can be purchased from Utimaco IS GmbH.
You cannot use PIN pads and smartcards that were not purchased from Utimaco IS GmbH to
administer the CryptoServer Se.

2 General Safety Advice
Please follow all the warnings, safety notes and instructions given on the device or in this
introduction. If you fail to do so, Utimaco IS GmbH will not accept any responsibility for any
resulting damage caused.
The hardware security module CryptoServer Se is fitted with a sensor which will delete all the
data from the device if it is physically tampered with, or if the environmental temperature rises
above, or falls below, the permitted operating temperature range.
Please read the safety instructions below carefully, before unpacking the device and bringing
it into operation, to ensure that the device can be operated safely, and to prevent the
CryptoServer Se sensors from deleting data by mistake.
Always keep these instructions handy, in a safe place.
Do not attempt to repair the CryptoServer Se in any way.
2.1 Moving and Storing
When moving and storing the device, follow these instructions:
■ The CryptoServer Se should only be moved and stored in its original packaging.
■ Do not subject the device to impacts and vibrations or any other physical events that may
damage the packaging.
■ You must make sure that the CryptoServer Se is always stored at temperatures between
-10 °C and +55 °C (+14 °F and +131 °F).
■ If the device is to be stored for a longer time period, please ensure that the battery
replacement time is not exceeded.
■ Keep this Manual together with your CryptoServer Se so that it is handy if you need to
reinstall the system.
■ The PCIe connector is fragile, and can be damaged or even broken during movement and
transport by force and acceleration of the computer chassis in which the CryptoServer is
installed.
■ There is a point of mechanical stress on the printed circuit board (PCB) near the PCIe
bracket, which can be damaged.
■ The maximum permissible deflection of the CryptoServer's PCB across its surface during
movement and transport is restricted to 2 mm.

For these reasons, careful attention is required during transport, movement and storage of
CryptoServer plug-in cards of all series. We strongly recommend removing the CryptoServer
PCIe plug-in card from the computer prior to any planned transport or movement. All
cryptographic keys stored on the plug-in card remain securely maintained during the transport
or movement since the CryptoServer is continuously supplied with power by a battery.
2.2 Battery
One 3 V lithium battery ensures that the CryptoServer Se sensors and the erase circuit are
always able to function correctly, that is, even when the CryptoServer is not installed in a
computer or when the computer in which it is installed is switched off. This battery can
power the CryptoServer for at least six months, and is already in use when the device is
supplied.
This battery is not rechargeable.
If the CryptoServer Se is operated in a computer that is not itself switched on, you must
change the battery at regular intervals. If you do not do so, an alarm might be triggered and
all the data on the device may be lost.
2.3 Safely Transporting the CryptoServer
To ensure the safe transport of the CryptoServer plug-in card proceed as follows:
1. Check the battery state with the csadm command GetBattState.
▣ Example on a Windows operating system:
C:\>csadm Dev=PCI:0 GetBattState
▣ Example on a Linux operating system:
$ csadm Dev=/dev/cs2 GetBattState
If the residual battery power is displayed as ok, for example,
Carrier Battery: ok (3.068 V),
continue with step 3.
If the residual battery power is displayed as low, for example,
Carrier Battery: low (2.650 V),
continue with step 2.
2. Replace the battery with a new one (3 V, Lithium, FDK CR 12600 SE-T1 with soldering tags,
or similar type). You will find step-by-step instructions on how to do that in chapter 6 of
the current document. Please note that this battery ensures the power supply of the
CryptoServer Se for at least six months.

3. Remove the CryptoServer plug-in card from the computer. Follow the instructions for
removing PCIe plug-in cards as specified in the operating manual for your computer as
well as the instructions in chapter 4.3 of the current document.
4. Put the CryptoServer plug-in card into an antistatic wrapping and in the original packaging.
If you need an original packaging or/and antistatic wrapping, please contact the
manufacturer Utimaco IS GmbH.
5. After reaching the destination, place the computer in which the CryptoServer plug-in card
is to be installed in the required position, and then install the CryptoServer plug-in card.
Follow the instructions for installing PCIe plug-in cards as specified in the operating
manual for your computer as well as the instructions in chapter 4.2 in the current
document.
2.4 Environmental Temperature
CryptoServer Se must only be operated and stored in a particular temperature range.
■ You must make sure that the CryptoServer Se is always stored at temperatures between
-10 °C and +55 °C (+14 °F to +131 °F).
■ You must make sure that the CryptoServer Se is always operated at temperatures
between +10 °C and +45 °C (+50 °F to +113 °F).
If the environmental temperature falls outside the permitted range, the device sensor will
delete all the data on it.

3 Components of CryptoServer Se (PCIe)
The CryptoServer Se consists of the following components:
1 PCI Express bus (PCIe x1) of the PCIe plug-in card
2 Battery
To supply power to the sensors and quenching system when the computer is switched
off
3 Encapsulated processor
This mechanical protection prevents cryptographic data from being manipulated or
extracted
4 Capacitor
Continues supplying power for approximately five minutes whilst a battery is being
replaced
5 Serial port COM2 (internal)
Port, for example, for an internal chip card reader or PIN pad
6 Serial port COM1 (external)
Port for connecting peripheral devices such as a PIN pad or a log terminal
7 USB port (external)
USB 2.0 port for peripheral devices such as a PIN pad
8 USB port (internal)
Port strip for additional USB 2.0 connection

4 Unpacking and Handling
The CryptoServer Se is supplied with several encryption keys already stored on it. You cannot
operate the device unless these keys are present. For this reason, take great care when
unpacking and then installing the device.
The CryptoServer Se is also already fitted with a battery when it is supplied. This battery is
already in operation and therefore all the individual contact points and components are
already supplied with power.
The CryptoServer Se is packaged in a special anti-static wrapping. Please retain this
wrapping in case you need to store or transport the device.
The CryptoServer Se must always be stored in this specific anti-static wrapping. This is
because many other types of anti-static wrap are more conductive and may cause a short
circuit on the contact points that supply power.
When unpacking and installing the device, follow all the standard guidelines for working with
electrical devices and take all the applicable protective measures.
In particular, you must note the following points.
Never place the bottom of the circuit board on a surface that can conduct electricity (for
example, the metal cover of a computer), as this can cause a short-circuit.
Take care that the circuit board never touches a metallic object (such as a screwdriver or
wedding ring).
Never touch the contacts on the backside of the circuit board.
4.1 General Notes
The CryptoServer Se is fitted with a system of sensors that can tell whether it is being
operated within a permitted temperature range.
During normal operations, the internal temperature of the CryptoServer Se must not exceed
62 °C (143 °F). If it does, the device will switch off automatically. Consequently, you must
ensure that the CryptoServer Se is cooled to below this temperature.
To ensure that the internal temperature is not exceeded, the environmental temperature
should not be more than 45 °C (113 °F).
For this reason, it is important you note the following installation instructions:
■ The computer in which you want to install the CryptoServer Se must be sited in a cool, well
ventilated place.
■ Do not place it near sources of heat or in direct sunlight.
■ You must ensure that the expansion slot in which CryptoServer Se is installed lies in the
computer's ventilation airstream.
■ The CryptoServer Se should only be inserted below other plug-in cards that radiate heat.
■ Ensure that you keep one expansion slot free between all other plug-in cards, or other
devices, and the CryptoServer Se.
If you cannot implement this configuration, we strongly recommend you install a PCIe slot
cooling fan directly beside the CryptoServer Se device.
4.2 Installing the CryptoServer Se
Follow the instructions for installing PCIe plug-in cards as specified in the operating manual
for your computer. This is only a general description of the procedure:
1. Switch off the computer.
2. Unplug all cables.
3. Open the computer case.
4. Select a free PCIe expansion slot and remove the corresponding slot cover on the rear
face of the computer.
5. Insert the CryptoServer PCIe plug-in card in the computer's PCIe expansion slot. Make
sure the card fits securely.
6. Close the computer case.
7. Reconnect the cables.
8. Switch the computer on again.

4.3 Removing the CryptoServer Se
You will need to remove the CryptoServer Se to change its battery or to store or transport it.
Follow the instructions for removing PCIe plug-in cards as specified in the operating manual
for your computer.
1. Switch off the computer.
2. Unplug all cables.
3. Open the computer case.
4. Remove the CryptoServer Se carefully from the PCIe slot. You must never use a tool (for
example, screwdriver) to lever the card out of the slot.
5. Close the computer case.
6. Reconnect all cables.
Please note that the heat sink of the CryptoServer Se remains very hot for quite a while after
you have switched off the computer. Please allow the heat sink to cool down first before you
remove the CryptoServer Se.

5 Installation of the CryptoServer Driver Software
You can find the list of all currently supported operating systems in the document
CS_PD_SecurityServer_SupportedPlatforms.pdf on the product CD in the folder
…\Documentation\Product Details.
The following sections describe how to install the CryptoServer Se driver in the host computer,
update it, and then remove it, under a number of different operating systems.
5.1 Installation on Windows Operating Systems
After you have installed the CryptoServer Se, the next time you restart the host computer, the
Windows operating system will recognize the new plug-in card and start the hardware
installation wizard. The installation wizard guides you through the procedure for selecting and
installing the driver.
To install or upgrade the CryptoServer driver, you need these files:
■ CryptoServer.sys (driver program)
■ CryptoServer.inf (installation script for Windows 32-bit) or
CryptoServer_x64.inf (installation script for Windows 64-bit)
■ cryptoserver.cat (catalog file)
You can find the files on the product CD in the following directory:
For 32-bit Windows operating systems:
Software\Windows\x86-32\Driver
For 64-bit Windows operating systems:
Software\Windows\x86-64\Driver
5.1.1 Installing the Driver
You must have local Administrator rights for the host computer (Windows) on which the
CryptoServer driver is to be installed.
To install the CryptoServer driver on a computer with a Windows operating system, proceed
as follows:
1. Select the installation from the product CD supplied with the device.
2. Select one of the following directories on the product CD:
▣ For a 32-bit Windows operating system
…\Software\Windows\x86-32\Driver
▣ For a 64-bit Windows operating system
…\Software\Windows\x86-64\Driver
3. Click OK to confirm your selection.
4. Click Next.
The driver installation starts. You will see a message that the driver has been signed by
Utimaco IS GmbH.
5. Click on Installation.
This installs the driver. You will then see a message to say that the driver has been
installed successfully.
6. Click Close to close the installation wizard.
7. Open the Windows Device Manager. The CryptoServer Se appears as the
CryptoServer Se-Series device under Cryptographic Devices.
5.1.2 Performing a Functional Test
If you want to check if the driver has been installed correctly and that the CryptoServer Se is
functioning as it should, please follow these steps:
1. Use the Windows Start menu to select the Run option.
2. Enter cmd in the window that now opens.
3. Then click OK to open the command line window.
4. Input the following command sequence to start the csadm administration tool from the
product CD to determine the status of the CryptoServer Se. This assumes that your
CD/DVD drive is the D: drive, and that you are using a 32-bit Windows operating system.
D:
cd Software\Windows\x86-32\Administration
set CRYPTOSERVER=PCI:0
csadm GetState
If you are using a 64-bit Windows operating system, replace the path
Software\Windows\x86-32\Administration in the example above with the path
Software\Windows\x86-64\Administration.
If the driver has been installed correctly and the CryptoServer Se is functioning as it
should, you should see output that is similar to the following:
mode = Operational Mode
state = INITIALIZED (0x020aff84)
temp = 36.1 [C]
alarm = OFF
bl_ver = 3.00.2.1 (Model: Se-Series)
uid = df000011 0c3d2a01 | =*
adm1 = 53653530 20202020 43533434 34383739 | Se50 CS444879
adm2 = 53656375 72697479 53657276 65720000 | SecurityServer
adm3 = 494e5354 414c4c45 44000000 00000000 | INSTALLED
If you cannot communicate with the CryptoServer Se, check that the PCIe plug-in card has
been installed correctly. Also check in the Windows Device Manager to see whether the driver
has been installed correctly. After that, repeat the functional test.
If you still cannot communicate with the CryptoServer Se, please contact either the reseller
who supplied this CryptoServer Se or the Utimaco IS GmbH Customer Service team.
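The following Python check is an added example, not part of the Utimaco manual or its tooling. It parses the csadm GetState output format shown above and the GetBattState format from section 2.3, and flags the conditions the manual warns about (alarm, internal temperature above 62 °C, low battery). The sample text is constructed from the outputs printed in this manual; the 5 °C warning margin and all function names are assumptions.

```python
"""Health check over csadm output (added example, not Utimaco code)."""
import re

MAX_INTERNAL_TEMP_C = 62.0  # section 4.1: device switches off above this
TEMP_MARGIN_C = 5.0         # assumption: warn this far below the limit

# Constructed samples, copied from the output formats printed in this manual.
SAMPLE_STATE = """\
mode = Operational Mode
state = INITIALIZED (0x020aff84)
temp = 36.1 [C]
alarm = OFF
bl_ver = 3.00.2.1 (Model: Se-Series)
uid = df000011 0c3d2a01 | =*
adm1 = 53653530 20202020 43533434 34383739 | Se50 CS444879
adm2 = 53656375 72697479 53657276 65720000 | SecurityServer
adm3 = 494e5354 414c4c45 44000000 00000000 | INSTALLED
"""
SAMPLE_BATT_OK = "Carrier Battery: ok (3.068 V)\n"
SAMPLE_BATT_LOW = "Carrier Battery: low (2.650 V)\n"


def parse_state(text):
    """Parse the 'key = value' lines of GetState output into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first '=' only: the uid value can itself contain '='.
        key, sep, value = line.partition("=")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def decode_hex_field(value):
    """Decode the hex column (left of '|') of an adm line to ASCII text."""
    hex_part = value.split("|", 1)[0]
    raw = bytes.fromhex("".join(hex_part.split()))
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")


def parse_battery(text):
    """Return (status, volts) from GetBattState output, or (None, None)."""
    m = re.search(r"Carrier Battery:\s*(\w+)\s*\((\d+(?:\.\d+)?)\s*V\)", text)
    if not m:
        return None, None
    return m.group(1).lower(), float(m.group(2))


def check(state_text, batt_text):
    """Return a list of findings; an empty list means nothing to act on."""
    findings = []
    st = parse_state(state_text)

    if st.get("mode") != "Operational Mode":
        findings.append("unexpected mode: %r" % st.get("mode"))
    if st.get("alarm", "").upper() != "OFF":
        findings.append("alarm is not OFF: %r" % st.get("alarm"))

    m = re.match(r"(-?\d+(?:\.\d+)?)\s*\[C\]", st.get("temp", ""))
    if not m:
        findings.append("temperature not reported")
    else:
        temp = float(m.group(1))
        if temp > MAX_INTERNAL_TEMP_C:
            findings.append("temperature %.1f C above %.0f C limit"
                            % (temp, MAX_INTERNAL_TEMP_C))
        elif temp > MAX_INTERNAL_TEMP_C - TEMP_MARGIN_C:
            findings.append("temperature %.1f C close to limit" % temp)

    status, volts = parse_battery(batt_text)
    if status is None:
        # Fail closed: unreadable output is treated as a problem.
        findings.append("battery state not readable")
    elif status != "ok":
        findings.append("battery %s (%.3f V): replace before transport"
                        % (status, volts))
    return findings


if __name__ == "__main__":
    for name, batt in (("ok", SAMPLE_BATT_OK), ("low", SAMPLE_BATT_LOW)):
        print(name, check(SAMPLE_STATE, batt))
    for key in ("adm1", "adm2", "adm3"):
        print(key, repr(decode_hex_field(parse_state(SAMPLE_STATE)[key])))
```

Decoding the hex column rather than trusting the text column preserves padding that the printed text column does not show, such as the four spaces inside adm1.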
5.1.3 Updating the Driver
If you want to update the driver later on, proceed as follows:
1. Open the Device Manager.
2. Click with the right-hand mouse button on CryptoServer Se-Series, and select the context
menu option Update Driver Software….
3. Select the option Browse my computer for driver software.
4. Click on Browse… .
The remaining steps you must follow to select and install the new driver are the same as
those for installing the driver for the first time as described in Chapter 5.1 of this manual.

5.1.4 Uninstalling the Driver
You must uninstall the driver from your computer before you remove the CryptoServer Se.
It is not possible to uninstall the driver after you have removed the CryptoServer Se from the
computer.
If you want to uninstall the driver, please follow the steps below.
1. Open the Device Manager.
2. Click with the right-hand mouse button on CryptoServer Se-Series, and select the context
menu option Uninstall.
3. In the next window, click OK to confirm that you want to uninstall the driver.
4. Also select the option for deleting the driver software from your computer.
The CryptoServer Se driver will now be uninstalled and removed from your computer. After
you close the wizard, the CryptoServer Se-Series is also deleted from the Device Manager
display.
5. Shut down the Windows operating system before removing the CryptoServer Se plug-in
card.
5.2 Installation on Linux Operating Systems
Due to the architecture of the Linux kernel, it is unfortunately not possible to provide a driver
that is ready for installation.
For this reason, the CryptoServer driver for Linux is supplied as source code on the product
CD and must be compiled on the target system.
5.2.1 Compiling/Installing the Driver
To compile the driver, the following files are required:
■ Source code of the CryptoServer driver
■ Complete source code tree of the Linux kernel you are using
You will find the source code files of the driver on the product CD in the
Software/Linux/Driver
directory.

To compile and install the driver for the Linux kernel please read and follow the instructions
in the README file on the product CD in the
…/Software/Linux/Driver
directory.
You should have root permissions for performing the CryptoServer driver
compilation/installation on a Linux operating system.
5.2.2 Performing a Functional Test
To check that the driver has been installed correctly and that the CryptoServer Se is working
properly, follow these steps:
1. Open a command shell.
2. Change to your home directory with the cd command.
3. Go to the mount point for your CD-/DVD-ROM.
The system may already have created it for you:
cd /media/cdrom or cd /media/cdrom0
If not, create it yourself:
mkdir /media/cdrom
4. Input the following command sequence to start the csadm administration tool from the
product CD to determine the status of the CryptoServer Se. In the following example we
assume that you are using a 32-bit Linux operating system.
cd Software/Linux/x86_32/Administration
export CRYPTOSERVER=/dev/cs2
./csadm GetState
If you are using a 64-bit Linux operating system, replace the path
cd Software/Linux/x86_32/Administration in the example above with the path
cd Software/Linux/x86_64/Administration.
If the driver has been installed correctly, and the CryptoServer Se is working properly, you
should see output that is similar to the following:
mode = Operational Mode
state = INITIALIZED (0x00100004)
temp = 36.1 [C]
alarm = OFF
bl_ver = 3.00.2.1 (Model: Se-Series)