Zazo Tsmweb tsm500i User manual

Tel: +44 207 340 6300 |Fax: +44 207 340 6301 | Email: info@zazooltd.com

Address: 111 Buckingham Palace Road, London, SW1W 0SR, United Kingdom

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

TSM500i and TsmWeb User Guide (PCI HSM v3)

June 2018

Document number:

PR-D2-1037 Rev 1.1

Release date:

June 2018

Prepared by:

SS, RP

Synopsis:

This document describes the PCI HSM v3.0

TSM500i Hardware Security Module (HSM) as well

as the TsmWeb interface used to manage this

HSM.

Company Confidential

The information in this document is intended only for the person or the entity to which it is addressed and

may contain confidential and/or privileged material. Any views, recreation, dissemination or other use of or

taking of any action in reliance upon this information by persons or entities other than the intended

recipient, is prohibited.

Disclaimer

Prism Payment Technologies (Pty) Ltd makes no representations or warranties whether expressed or implied

by or with respect to anything in this document, and shall not be liable for any implied warranties of

merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

Tel: +44 207 340 6300 |Fax: +44 207 340 6301 | Email: info@zazooltd.com

Address: 111 Buckingham Palace Road, London, SW1W 0SR, United Kingdom

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

Important Notes

This document only applies to a TSM500i that has Boot Loader v1.5.0.0 or later. Earlier versions of

the boot loader do not have the same dual control requirements as mandated by PCI HSM v3.0.

Refer to document no. PR-D2-0854 “TSM500i and TsmWeb User Guide” for an HSM with BL v1.2.x.x

or BL v1.4.x.x.

Do NOT use the TSM500i without following all of the appropriate security procedures detailed in

Section 2.

The TSM500i HSM is shipped with no passwords for the Crypto Officer roles. The two crypto

appointed officers must authenticate the HSM on initial deployment and set their passwords in

accordance with section 2.8. This step is used to transfer control of the HSM from the Manufacturer

to the Customer.

The TSM500i should always be transported in its original packaging (in an anti-static bag in foam

padded box). Failure to do so could result in damage to the HSM. The original packaging should be

kept in a safe place in case it becomes necessary to transport the HSM to a different location.

Document Structure

This document comprises the following sections:

Section 1: TSM500 Overview

This section contains information that describes your TSM500i Hardware Security Module (HSM), its interfaces

and its status indicators. It is very important to read this section before proceeding with installation and

operation of your TSM500i HSM.

Section 2 : Installation and Security Procedures

This section outlines the correct handling and installation of a TSM500i. It also describes the setup and security

procedures that must be followed when commissioning an HSM.

Follow all the steps provided in Section 2 to get your new TSM500i operational.

Section 3 : HSM Password Management

This section provides details on how to use and manage your crypto officer passwords on a TSM500i that is

PCI HSM v3 certified.

Section 4 : Ongoing maintenance

This section provides details on how to use and manage your TSM500i after initial deployment. In includes

information on additional settings and services available through TSM-WEB and the NSS LCD Menu.

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 3

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

Contents

1TSM500i OVERVIEW ................................................................... 6

1.1 TSM500i-PCIe DESCRIPTION................................................................................................... 6

1.2 TSM500i-NSS DESCRIPTION..................................................................................................... 6

1.3 KCED DESCRIPTION ................................................................................................................ 7

2INSTALLATION & SECURITY PROCEDURES............................... 8

2.1 QUICK GUIDE: FROM INSTALLATION TO OPERATION ......................................................... 8

2.2 ESTABLISH SECURITY PROCEDURES ....................................................................................... 9

2.3 INSPECT AND INSTALL HARDWARE ..................................................................................... 10

2.3.1 Hardware Inspection.......................................................................................................................... 10

2.3.2 TSM500i-NSS Hardware Installation .................................................................................................. 10

2.3.3 TSM500i-PCIe Hardware Installation ................................................................................................ 11

2.4 CHECK PHYSICAL INDICATORS (LEDs) ............................................................................... 12

2.5 INSTALL DRIVERS, CONDUCTOR & TSM-WEB ..................................................................... 13

2.6 NETWORK SETUP & RECOVERY............................................................................................ 14

2.6.1 Use the LCD MENU to set the IP address ........................................................................................ 14

2.7 TSM-WEB INTERFACE............................................................................................................. 15

2.7.1 Invoking TSM-WEB for a TSM500i-PCIe ............................................................................................. 15

2.7.2 Invoking TSM-WEB for a TSM500i-NSS ............................................................................................... 15

2.7.3 Setting the TSM-WEB admin password............................................................................................ 16

2.7.4 Using TSM-WEB for the first time ........................................................................................................ 17

2.7.5 Accessing TSM-WEB through a different subnet ........................................................................... 17

2.8 AUTHENTICATE HSM AND SET INITIAL PASSWORDS ........................................................... 18

2.8.1 Put the TSM500i into the Loader State ............................................................................................ 18

2.8.2 Authenticate HSM - Request Step ................................................................................................... 19

2.8.3 Authenticate HSM - Finalise Step ..................................................................................................... 19

2.8.4 Add additional crypto officers ......................................................................................................... 20

2.9 SET DATE AND TIME............................................................................................................... 21

2.9.1 [Optional Step] Set Date and Time ................................................................................................. 21

2.9.2 Put the TSM500i back into the Application State.......................................................................... 21

2.10 CONFIGURING AND TESTING CONDUCTOR ..................................................................... 22

2.10.1 Configuring Conductor on the TSM500i-NSS.................................................................................. 22

2.10.2 Configuring Conductor on the TSM500i-PCIe ............................................................................... 22

2.11 SETUP TSM-WEB ACCESS CONTROL.................................................................................... 23

2.11.1 Create users ......................................................................................................................................... 23

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 4

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

2.11.2 Configuring Account and Password Policy ................................................................................... 23

2.11.3 Change Auto-Logoff Timeouts ......................................................................................................... 23

2.11.4 Disable the default admin account ............................................................................................... 23

2.12 BACKUP NSS SETTINGS.......................................................................................................... 24

2.13 PREPARE TSM FOR OPERATION: LOAD CSPs ..................................................................... 25

2.13.1 Generating SMK components.......................................................................................................... 25

2.13.2 Loading SMK components................................................................................................................ 26

2.13.3 [Optional] Setting the TSM500i HSM’s Operational Permissions ................................................. 27

2.14 CONFIGURING & TESTING CLIENT SOFTWARE................................................................... 27

2.14.1 Generating and Loading Operational Keys.................................................................................. 27

3HSM PASSWORD MANAGEMENT .......................................... 28

3.1 How to add a Crypto Officer ............................................................................................. 28

3.2 How to change an existing password .............................................................................. 29

3.3 Reset One Password............................................................................................................ 30

3.4 Reset CSPs, clear all passwords, and set passwords....................................................... 31

4ONGOING MAINTENANCE .................................................... 32

4.1 Check Operational vs Privileged state ............................................................................. 32

4.2 Check Date & Time ............................................................................................................. 32

4.3 Preference Manager........................................................................................................... 32

4.4 Storage Master Key Migration............................................................................................ 33

4.4.1 Select Migration Menu and Login ................................................................................................... 33

4.4.2 Load a Migration SMK........................................................................................................................ 34

4.4.3 Translate Keys....................................................................................................................................... 34

4.4.4 Set the Migration SMK as the Active SMK ...................................................................................... 34

4.4.5 Delete the Migration SMK.................................................................................................................. 34

4.5 TSM500i Status Information.................................................................................................. 35

4.6 NSS Log Files .......................................................................................................................... 35

4.7 NSS LCD Menu ...................................................................................................................... 36

4.8 Backup and Restore ............................................................................................................ 37

4.8.1 Backup & Restore on a TSM500i-NSS ............................................................................................... 37

4.8.2 Backup & Restore on a TSM500i-PCIe ............................................................................................. 38

4.9 Reset NSS to Default Settings.............................................................................................. 39

4.9.1 Admin Passwd ..................................................................................................................................... 39

4.9.2 Config Reset......................................................................................................................................... 39

4.9.3 Factory Reset ....................................................................................................................................... 39

4.10 SSL/TLS Certificate ................................................................................................................ 40

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 5

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

4.11 Disabling and Enabling SSL / TLS ........................................................................................ 40

4.11.1 Disable TLS from the LCD MENU ....................................................................................................... 40

4.11.2 Disable or Enable TLS from TSM-WEB ............................................................................................... 40

4.12 Upgrading TSM500i firmware .............................................................................................. 41

4.13 Upgrading TSM500i-NSS System Software......................................................................... 42

4.14 Force a tamper condition .................................................................................................. 43

4.15 Clear tamper ........................................................................................................................ 44

APPENDIX A –KEY MIGRATION FILE FORMAT .......................... 45

A.1 File structure .......................................................................................................................... 45

A.2 Field types ............................................................................................................................. 45

A.3 Fields ...................................................................................................................................... 46

APPENDIX B –LCD SEQUENCE................................................... 47

APPENDIX C - LIST OF ABBREVIATIONS...................................... 48

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 6

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

1TSM500i OVERVIEW

The TSM500i is a Hardware Security Module (HSM) and is also referred to as the TSM or HSM in this

document. These terms are used interchangeably in the remainder of this document. This document only

applies to a TSM500i that has Boot Loader v1.5.0.0 or later.

1.1 TSM500i-PCIe DESCRIPTION

The TSM500i-PCIe is a Hardware Security Module (HSM) with a PCI Express

interface. It also includes a serial interface for loading Critical Security

Parameters (CSPs).

When using a TSM500i-PCIe, it is the user’s responsibility to procure and

setup a server that will house the TSM500i-PCIe. Note that a physical

computer is required –the TSM500i-PCIe cannot be installed in a virtual

machine. It is also necessary to install drivers and other support software

such as Conductor, TSM-WEB and the Java 2 Runtime Environment.

1.2 TSM500i-NSS DESCRIPTION

The TSM500i-NSS is a network appliance that includes a TSM500i-PCI packaged together with an embedded

computer system. This solution has an Ethernet interface and also includes a serial interface for loading CSPs.

A 2-line LCD display provides basic status information.

The embedded computer system in a TSM500i-NSS is pre-installed with the following: an interface service

called Conductor, the TSM-WEB application and supporting drivers. This configuration is easier to manage

than the TSM500i-PCIe. Below is a simplified view of what is inside the TSM500i-NSS and how it inter-

connects.

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 7

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

1.3 KCED DESCRIPTION

The Key Component Entry Device (KCED) is secure handheld terminal that is used for the following purposes:

Entry of Cryptographic Passwords (refer section 2.8 and section 3)

Entry of Key Components (refer section 2.13)

Generation of Key Components (refer section 2.13)

The KCED connects directly to the TSM500i hardware security module by means of a serial interface. In the

case of a TSM500i-NSS, it connects to the “KCED” port on the front panel. In the case of a TSM500i-PCIe, it

connects to the RED port on the connector panel (this is the connector closest to the status LEDs).

Whenever the KCED is connected to the HSM, the Cryptographic Officers must inspect the HSM, the

externally connected device, and the inter-connecting cable for any signs of tampering or insertion of a

bugging device.

Note: Examples of signs that a device might have been tampered with or substituted include unexpected

attachments or cables plugged into the device, missing or changed security labels, broken or differently

coloured casing, or changes to the serial number or other external markings

TSM500i-PCIe KCED PORT

TSM500i LEDs

TSM500i LEDs TSM500i-NSS KCED PORT

The above photographs identify the 9-way connector to be used by the KCED on the TSM500i-PCIe and

TSM500i-NSS.

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 8

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

2INSTALLATION & SECURITY PROCEDURES

2.1 QUICK GUIDE: FROM INSTALLATION TO OPERATION

(See 2.2)

The TSM500i and its Critical Security Parameters (CSPs) must be handled in accordance

with documented security procedures in order to meet the security requirements of the

Banking Industry and standards bodies. Refer to Sample Security producedure.pdf

(See 2.3)

The TSM500i NSS / PCIe hardware must be inspected and then installed in a secure

environment in accordance with the procedures detailed in this user guide

(See 2.4)

Power on and check physical indicators (LEDs) to confirm that the hardware has been

successfully installed

(See 2.5)

PCIe ONLY: Install device driver. Run TSM500 PCI Installer which installs Conductor,

documentation & TSM-WEB. Install Java J2RE.

(See 2.6)

NSS ONLY: Set the IP address, network mask and default gateway using the LCD Menu

which is accessed via the front panel

(See 2.7)

Enter the IP address into a Web Browser on a PC that is connected to the same subnet to

access TSM-WEB. Set the TSM-WEB admin user account password. Login to TSM-WEB as

admin and perform a basic functionality test.

(See 2.8 & 2.9)

The TSM500i is shipped without Crypto Officer passwords.

A two- step process is used to authenticate the HSM at the place of initial deployment,

and to simultaneously set the initial 2 crypto officer passwords. This process is used to

transfer control of the HSM from the Manufacturer to two Customer crypto officers.

If required, the date and time can be set to match your time zone

(See 2.10)

TSM500i-NSS: Conductor is preinstalled and is managed by TSM-WEB.

TSM500i-PCIe: Use Conductor Setup to configure and install a Conductor service. See

Conductor User Guide for more details.

(See 2.11)

Setup TSM-WEB access control by creating TSM-WEB user accounts, setting the

password policy and default auto-logoff times

(See 2.12)

Follow the backup procedure to backup TSM-WEB settings:

(See 2.13)

CSPs must be loaded into the TSM500i to configure it for operational use. The most

important CSP is usually the Storage Master Key (SMK), which is split between several

custodians in the form of components. If required, additional TSM500i HSM operational

permissions can be set at this point.

(See 2.14)

Client software must be configured to communicate with Conductor and/or the TSM500i,

then tested to ensure that transaction processing can proceed successfully. Third-party

tools will be used during this step.

Establish Security Procedures

Inspect and Install Hardware

Access TSM-WEB Interface

Authenticate HSM

and Set Initial Passwords;

Set Date & Time

TSM-WEB Access Control

Prepare TSM500 for Operation:

Load CSPs

Configure and Test Client

Software

Check Physical Indicators

PCIe: Install Driver & SW

NSS: Network Setup

Backup Settings

Configure and Test Conductor

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 9

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

2.2 ESTABLISH SECURITY PROCEDURES

Security procedures that monitor and control access to the environment, the HSMs and the Critical Security

Parameters (CSPs) must be documented and put in place.

FIPS, PCI, the Banking Industry and Card Institutions mandate such procedures.

You will need to create your own security procedures that are appropriate for your industry, environment

and hardware.

Detailed recommendations for creating your own procedures that are suitable for the retail

banking industry can be found in Sample Security Procedures.pdf (Doc. PR-D2-0621).

Both VISA and MasterCard provide audit compliance guidelines that are a good reference for creating security

procedures. A valuable source of information is the PCI PIN Security Requirements.

At minimum the following issues should be addressed:

The environment containing TSMs should be physically secure, with logged access control.

There should be periodic inspections to check compliance with security procedures.

A procedure for commissioning a new HSM, including checking that it has been received intact,

assignment of administrators or responsible individuals, and storage of management passwords.

A procedure for loading CSPs, including requirements for selecting custodians, generating the

Storage Master Key (SMK), and storing SMK components.

A procedure for backing up critical data, including the SMK, Key Space configuration, and the key

database.

A procedure for maintenance, which must ensure that CSPs in the HSM are destroyed before it is

removed from the secure environment.

A procedure for decommissioning, which must ensure that CSPs in the HSM are destroyed.

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 10

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),

Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten

www.zazooltd.com

2.3 INSPECT AND INSTALL HARDWARE

2.3.1 Hardware Inspection

This section defines the customer’s responsibilities on receiving TSM500i HSMs to ensure that security is

maintained during the delivery process.

Verify that the goods arrive via the same waybill number as per what was supplied in an email from

Prism.

Verify that the packaging and TSM500i HSM has not been tampered with in any way by confirming

that tamper evident stickers on the packaging and hardware are intact. Also verify that is no sign of

physical damage.

Verify that the hardware has not tampered. Power on hardware and if red status LED is permanently

ON then the hardware has tampered.

Unpack and verify contents of the KCED packaging. Refer to Key Component Entry Device (KCED)

Installation & User Guide.pdf (0560-00157) for more details.

Contact Prism immediately if the serial tamper evident stickers have been interfered with, or if the

HSM is in the tampered state. An HSM that arrives in the tampered state cannot be authenticated

and should be returned to the Manufacturer.

2.3.2 TSM500i-NSS Hardware Installation

Connect an Ethernet patch cable (not supplied) from your network hub to the port labelled

“ETHERNET” on the rear panel of the TSM500i-NSS.

Connect the mains cable from your mains supply to the socket labelled “100240 VAC”.

Table of contents

Popular Network Hardware manuals by other brands

socomec

socomec SNMP Card II quick start guide

NVR SYSTEMS

NVR SYSTEMS 4-CH user manual

Draytek

Draytek VigorSwitch G1240 quick start guide

Westermo

Westermo TD-34 LV installation manual

LaCie

LaCie Network Space MAX Quick install guide

ZoneVu

ZoneVu ZSI-450-IP Installation guide & user manual

QNAP

QNAP Turbo NAS Application notes

OpenEye

OpenEye MV Series quick start guide

Huawei

Huawei SmartAX MT880a quick start guide

Proxim

Proxim Tsunami QuickBridge 2454-R installation guide

Bay Networks

Bay Networks CLAM quick start guide

Innodisk

Innodisk SATADOM-SH 3SE Series manual

Cisco

Cisco CGR 1000 Series Getting connected guide

Matrix Switch Corporation

Matrix Switch Corporation MSC-HD161DEL product manual

National Instruments

National Instruments NI 653x user manual

B&B Electronics

B&B Electronics ZXT9-IO-222R2 product manual

Yudor

Yudor YDS-16 user manual

D-Link

D-Link ShareCenter DNS-320L datasheet

ZAZO TsmWeb TSM500i User manual

Popular Network Hardware manuals by other brands