ZAZO TsmWeb TSM500i User manual

Tel: +44 207 340 6300 |Fax: +44 207 340 6301 | Email: info@zazooltd.com
Address: 111 Buckingham Palace Road, London, SW1W 0SR, United Kingdom
Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French),
Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten
www.zazooltd.com
TSM500i and TsmWeb User Guide (PCI HSM v3)
June 2018
Document number:
PR-D2-1037 Rev 1.1
Release date:
June 2018
Prepared by:
SS, RP
Copyright:
© 2018 Prism Payment Technologies (Pty) Ltd
Synopsis:
This document describes the PCI HSM v3.0
TSM500i Hardware Security Module (HSM) as well
as the TsmWeb interface used to manage this
HSM.
Company Confidential
The information in this document is intended only for the person or the entity to which it is addressed and
may contain confidential and/or privileged material. Any views, recreation, dissemination or other use of or
taking of any action in reliance upon this information by persons or entities other than the intended
recipient, is prohibited.
Disclaimer
Prism Payment Technologies (Pty) Ltd makes no representations or warranties whether expressed or implied
by or with respect to anything in this document, and shall not be liable for any implied warranties of
merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

Important Notes
This document only applies to a TSM500i that has Boot Loader v1.5.0.0 or later. Earlier versions of
the boot loader do not have the same dual control requirements as mandated by PCI HSM v3.0.
Refer to document no. PR-D2-0854 “TSM500i and TsmWeb User Guide” for an HSM with BL v1.2.x.x
or BL v1.4.x.x.
Do NOT use the TSM500i without following all of the appropriate security procedures detailed in
Section 2.
The TSM500i HSM is shipped with no passwords for the Crypto Officer roles. The two crypto
appointed officers must authenticate the HSM on initial deployment and set their passwords in
accordance with section 2.8. This step is used to transfer control of the HSM from the Manufacturer
to the Customer.
The TSM500i should always be transported in its original packaging (in an anti-static bag in foam
padded box). Failure to do so could result in damage to the HSM. The original packaging should be
kept in a safe place in case it becomes necessary to transport the HSM to a different location.
Document Structure
This document comprises the following sections:
Section 1: TSM500 Overview
This section contains information that describes your TSM500i Hardware Security Module (HSM), its interfaces
and its status indicators. It is very important to read this section before proceeding with installation and
operation of your TSM500i HSM.
Section 2 : Installation and Security Procedures
This section outlines the correct handling and installation of a TSM500i. It also describes the setup and security
procedures that must be followed when commissioning an HSM.
Follow all the steps provided in Section 2 to get your new TSM500i operational.
Section 3 : HSM Password Management
This section provides details on how to use and manage your crypto officer passwords on a TSM500i that is
PCI HSM v3 certified.
Section 4 : Ongoing maintenance
This section provides details on how to use and manage your TSM500i after initial deployment. It includes
information on additional settings and services available through TSM-WEB and the NSS LCD Menu.

TSM500i and TsmWeb User Guide (PCI HSM v3) (PR-D2-1037 Rev 1.1)| Page 3
Contents
1 TSM500i OVERVIEW    6
1.1 TSM500i-PCIe DESCRIPTION    6
1.2 TSM500i-NSS DESCRIPTION    6
1.3 KCED DESCRIPTION    7
2 INSTALLATION & SECURITY PROCEDURES    8
2.1 QUICK GUIDE: FROM INSTALLATION TO OPERATION    8
2.2 ESTABLISH SECURITY PROCEDURES    9
2.3 INSPECT AND INSTALL HARDWARE    10
2.3.1 Hardware Inspection    10
2.3.2 TSM500i-NSS Hardware Installation    10
2.3.3 TSM500i-PCIe Hardware Installation    11
2.4 CHECK PHYSICAL INDICATORS (LEDs)    12
2.5 INSTALL DRIVERS, CONDUCTOR & TSM-WEB    13
2.6 NETWORK SETUP & RECOVERY    14
2.6.1 Use the LCD MENU to set the IP address    14
2.7 TSM-WEB INTERFACE    15
2.7.1 Invoking TSM-WEB for a TSM500i-PCIe    15
2.7.2 Invoking TSM-WEB for a TSM500i-NSS    15
2.7.3 Setting the TSM-WEB admin password    16
2.7.4 Using TSM-WEB for the first time    17
2.7.5 Accessing TSM-WEB through a different subnet    17
2.8 AUTHENTICATE HSM AND SET INITIAL PASSWORDS    18
2.8.1 Put the TSM500i into the Loader State    18
2.8.2 Authenticate HSM - Request Step    19
2.8.3 Authenticate HSM - Finalise Step    19
2.8.4 Add additional crypto officers    20
2.9 SET DATE AND TIME    21
2.9.1 [Optional Step] Set Date and Time    21
2.9.2 Put the TSM500i back into the Application State    21
2.10 CONFIGURING AND TESTING CONDUCTOR    22
2.10.1 Configuring Conductor on the TSM500i-NSS    22
2.10.2 Configuring Conductor on the TSM500i-PCIe    22
2.11 SETUP TSM-WEB ACCESS CONTROL    23
2.11.1 Create users    23

2.11.2 Configuring Account and Password Policy    23
2.11.3 Change Auto-Logoff Timeouts    23
2.11.4 Disable the default admin account    23
2.12 BACKUP NSS SETTINGS    24
2.13 PREPARE TSM FOR OPERATION: LOAD CSPs    25
2.13.1 Generating SMK components    25
2.13.2 Loading SMK components    26
2.13.3 [Optional] Setting the TSM500i HSM’s Operational Permissions    27
2.14 CONFIGURING & TESTING CLIENT SOFTWARE    27
2.14.1 Generating and Loading Operational Keys    27
3 HSM PASSWORD MANAGEMENT    28
3.1 How to add a Crypto Officer    28
3.2 How to change an existing password    29
3.3 Reset One Password    30
3.4 Reset CSPs, clear all passwords, and set passwords    31
4 ONGOING MAINTENANCE    32
4.1 Check Operational vs Privileged state    32
4.2 Check Date & Time    32
4.3 Preference Manager    32
4.4 Storage Master Key Migration    33
4.4.1 Select Migration Menu and Login    33
4.4.2 Load a Migration SMK    34
4.4.3 Translate Keys    34
4.4.4 Set the Migration SMK as the Active SMK    34
4.4.5 Delete the Migration SMK    34
4.5 TSM500i Status Information    35
4.6 NSS Log Files    35
4.7 NSS LCD Menu    36
4.8 Backup and Restore    37
4.8.1 Backup & Restore on a TSM500i-NSS    37
4.8.2 Backup & Restore on a TSM500i-PCIe    38
4.9 Reset NSS to Default Settings    39
4.9.1 Admin Passwd    39
4.9.2 Config Reset    39
4.9.3 Factory Reset    39
4.10 SSL/TLS Certificate    40

4.11 Disabling and Enabling SSL / TLS    40
4.11.1 Disable TLS from the LCD MENU    40
4.11.2 Disable or Enable TLS from TSM-WEB    40
4.12 Upgrading TSM500i firmware    41
4.13 Upgrading TSM500i-NSS System Software    42
4.14 Force a tamper condition    43
4.15 Clear tamper    44
APPENDIX A – KEY MIGRATION FILE FORMAT    45
A.1 File structure    45
A.2 Field types    45
A.3 Fields    46
APPENDIX B – LCD SEQUENCE    47
APPENDIX C – LIST OF ABBREVIATIONS    48

1 TSM500i OVERVIEW
The TSM500i is a Hardware Security Module (HSM); the terms TSM500i, TSM and HSM are used interchangeably
in the remainder of this document. This document only applies to a TSM500i that has Boot Loader v1.5.0.0 or
later.
1.1 TSM500i-PCIe DESCRIPTION
The TSM500i-PCIe is a Hardware Security Module (HSM) with a PCI Express
interface. It also includes a serial interface for loading Critical Security
Parameters (CSPs).
When using a TSM500i-PCIe, it is the user’s responsibility to procure and
setup a server that will house the TSM500i-PCIe. Note that a physical
computer is required; the TSM500i-PCIe cannot be installed in a virtual
machine. It is also necessary to install drivers and other support software
such as Conductor, TSM-WEB and the Java 2 Runtime Environment.
1.2 TSM500i-NSS DESCRIPTION
The TSM500i-NSS is a network appliance that includes a TSM500i-PCI packaged together with an embedded
computer system. This solution has an Ethernet interface and also includes a serial interface for loading CSPs.
A 2-line LCD display provides basic status information.
The embedded computer system in a TSM500i-NSS is pre-installed with the following: an interface service
called Conductor, the TSM-WEB application and supporting drivers. This configuration is easier to manage
than the TSM500i-PCIe. Below is a simplified view of what is inside the TSM500i-NSS and how it inter-
connects.

1.3 KCED DESCRIPTION
The Key Component Entry Device (KCED) is a secure handheld terminal that is used for the following purposes:
Entry of Cryptographic Passwords (refer section 2.8 and section 3)
Entry of Key Components (refer section 2.13)
Generation of Key Components (refer section 2.13)
The KCED connects directly to the TSM500i hardware security module by means of a serial interface. In the
case of a TSM500i-NSS, it connects to the “KCED” port on the front panel. In the case of a TSM500i-PCIe, it
connects to the RED port on the connector panel (this is the connector closest to the status LEDs).
Whenever the KCED is connected to the HSM, the Cryptographic Officers must inspect the HSM, the
externally connected device, and the inter-connecting cable for any signs of tampering or insertion of a
bugging device.
Note: Examples of signs that a device might have been tampered with or substituted include unexpected
attachments or cables plugged into the device, missing or changed security labels, broken or differently
coloured casing, or changes to the serial number or other external markings.
[Photographs: TSM500i-PCIe KCED port and status LEDs; TSM500i-NSS KCED port and status LEDs]
The above photographs identify the 9-way connector to be used by the KCED on the TSM500i-PCIe and
TSM500i-NSS.

2 INSTALLATION & SECURITY PROCEDURES
2.1 QUICK GUIDE: FROM INSTALLATION TO OPERATION
(See 2.2)
The TSM500i and its Critical Security Parameters (CSPs) must be handled in accordance
with documented security procedures in order to meet the security requirements of the
Banking Industry and standards bodies. Refer to Sample Security Procedures.pdf.
(See 2.3)
The TSM500i NSS / PCIe hardware must be inspected and then installed in a secure
environment in accordance with the procedures detailed in this user guide
(See 2.4)
Power on and check physical indicators (LEDs) to confirm that the hardware has been
successfully installed
(See 2.5)
PCIe ONLY: Install device driver. Run TSM500 PCI Installer which installs Conductor,
documentation & TSM-WEB. Install Java J2RE.
(See 2.6)
NSS ONLY: Set the IP address, network mask and default gateway using the LCD Menu
which is accessed via the front panel
(See 2.7)
Enter the IP address into a Web Browser on a PC that is connected to the same subnet to
access TSM-WEB. Set the TSM-WEB admin user account password. Login to TSM-WEB as
admin and perform a basic functionality test.
(See 2.8 & 2.9)
The TSM500i is shipped without Crypto Officer passwords.
A two-step process is used to authenticate the HSM at the place of initial deployment,
and to simultaneously set the initial two crypto officer passwords. This process is used to
transfer control of the HSM from the Manufacturer to two Customer crypto officers.
If required, the date and time can be set to match your time zone
(See 2.10)
TSM500i-NSS: Conductor is preinstalled and is managed by TSM-WEB.
TSM500i-PCIe: Use Conductor Setup to configure and install a Conductor service. See
Conductor User Guide for more details.
(See 2.11)
Setup TSM-WEB access control by creating TSM-WEB user accounts, setting the
password policy and default auto-logoff times
(See 2.12)
Follow the backup procedure to back up the TSM-WEB settings.
(See 2.13)
CSPs must be loaded into the TSM500i to configure it for operational use. The most
important CSP is usually the Storage Master Key (SMK), which is split between several
custodians in the form of components. If required, additional TSM500i HSM operational
permissions can be set at this point.
(See 2.14)
Client software must be configured to communicate with Conductor and/or the TSM500i,
then tested to ensure that transaction processing can proceed successfully. Third-party
tools will be used during this step.
[Flowchart of the steps above, in order: Establish Security Procedures; Inspect and Install Hardware; Check Physical Indicators; PCIe: Install Driver & SW / NSS: Network Setup; Access TSM-WEB Interface; Authenticate HSM and Set Initial Passwords, Set Date & Time; Configure and Test Conductor; TSM-WEB Access Control; Backup Settings; Prepare TSM500 for Operation: Load CSPs; Configure and Test Client Software]

2.2 ESTABLISH SECURITY PROCEDURES
Security procedures that monitor and control access to the environment, the HSMs and the Critical Security
Parameters (CSPs) must be documented and put in place.
FIPS, PCI, the Banking Industry and Card Institutions mandate such procedures.
You will need to create your own security procedures that are appropriate for your industry, environment
and hardware.
Detailed recommendations for creating your own procedures that are suitable for the retail
banking industry can be found in Sample Security Procedures.pdf (Doc. PR-D2-0621).
Both VISA and MasterCard provide audit compliance guidelines that are a good reference for creating security
procedures. A valuable source of information is the PCI PIN Security Requirements.
At a minimum, the following issues should be addressed:
The environment containing TSMs should be physically secure, with logged access control.
There should be periodic inspections to check compliance with security procedures.
A procedure for commissioning a new HSM, including checking that it has been received intact,
assignment of administrators or responsible individuals, and storage of management passwords.
A procedure for loading CSPs, including requirements for selecting custodians, generating the
Storage Master Key (SMK), and storing SMK components.
A procedure for backing up critical data, including the SMK, Key Space configuration, and the key
database.
A procedure for maintenance, which must ensure that CSPs in the HSM are destroyed before it is
removed from the secure environment.
A procedure for decommissioning, which must ensure that CSPs in the HSM are destroyed.

2.3 INSPECT AND INSTALL HARDWARE
2.3.1 Hardware Inspection
This section defines the customer’s responsibilities on receiving TSM500i HSMs to ensure that security is
maintained during the delivery process.
Verify that the goods arrive under the same waybill number as the one supplied in the email from
Prism.
Verify that the packaging and the TSM500i HSM have not been tampered with in any way by confirming
that the tamper evident stickers on the packaging and hardware are intact. Also verify that there is no
sign of physical damage.
Verify that the hardware has not tampered: power on the hardware, and if the red status LED is
permanently ON then the hardware has tampered.
Unpack and verify contents of the KCED packaging. Refer to Key Component Entry Device (KCED)
Installation & User Guide.pdf (0560-00157) for more details.
Contact Prism immediately if the serial tamper evident stickers have been interfered with, or if the
HSM is in the tampered state. An HSM that arrives in the tampered state cannot be authenticated
and should be returned to the Manufacturer.
2.3.2 TSM500i-NSS Hardware Installation
Connect an Ethernet patch cable (not supplied) from your network hub to the port labelled
“ETHERNET” on the rear panel of the TSM500i-NSS.
Connect the mains cable from your mains supply to the socket labelled “100-240 VAC”.

2.3.3 TSM500i-PCIe Hardware Installation
The following steps are to be followed when installing the TSM500i-PCIe into a PC. The term PC here also
applies to servers.
Locate the PC’s card installation documentation and ensure that you are familiar with the safety
instructions and precautions conveyed in this document.
Turn OFF the PC and ensure all attached devices are also off.
Remove the cover from the PC and locate a suitable PCI express expansion slot (as described in Section
1). Access to the expansion slot may differ for machines from different vendors, please refer to your
vendor documentation.
Remove the TSM500i from the protective static bag.
To prevent Electro Static Discharge, it is advisable to wear an anti-static wrist strap when handling
the card. Failure to do so may result in the module entering the Tampered State.
The following precautions MUST be used when not using an anti-static wrist strap:
o Ground yourself by making contact with the case of the machine for at least 2 seconds.
o Limit your movements so as to prevent excessive build-up of static electricity.
o Handle the card at its edges only. Do not touch exposed circuitry and components.
Insert the module into an available PCI express slot ensuring that the card is correctly seated.
Secure the card to the case using the appropriate screws.
Replace all covers and reattach all cables that were disconnected.

2.4 CHECK PHYSICAL INDICATORS (LEDs)
After powering on the TSM500i-NSS, or the PC in which the TSM500i-PCIe is installed, check the status LEDs.
The red and green Status LEDs provide very important information about the current state of the
TSM500i.
For the TSM500i-NSS, the status LEDs are located on the front panel.
For the TSM500i-PCIe, the status LEDs are located on the connector panel.
The meaning of these LEDs must be understood and the LEDs should be monitored when performing
management functions on the TSM500i.
During normal operation, the RED LED will be OFF and the GREEN LED should be FLASHING (either 1-flash if in
the Loader state or 2-flash if in the Operational state).
A detailed description of the LED states is given below:

RED        GREEN      Meaning
OFF        2-FLASH    Application running. This is a healthy operational state.
OFF        1-FLASH    Loader state. This is a healthy maintenance state. If the module is required to be
                      in the operational state, it will need to be reset.
ON         1-FLASH    Tampered state. Remove and physically inspect the module (according to standard
                      security procedures). Refer to the HSM’s User Guide on how to clear the tamper
                      condition.
OFF        ON         Notice Me. Typically this is a healthy operational state and indicates that the
                      TSM500i is waiting for key/password entry (with a specified timeout period).
OFF *      ON         Initialising and performing self-tests. Occurs on power-up and reset.
1-FLASH    1-FLASH    Error state. If resetting does not rectify the situation, contact Prism Support.
ON         OFF        Corrupt State. If resetting does not rectify the situation, contact Prism Support.
OFF        OFF        Power is off or catastrophic hardware failure.

* Although the RED LED will remain off during initialisation / self-tests, it will flash once at the start of
the initialisation sequence.

Notes:
Red ON or FLASH indicates that the HSM is unable to operate normally.
Green FLASH indicates that the HSM is accepting commands.
Green ON indicates that the HSM is busy.
Both OFF indicates no power or a catastrophic failure.
A 1-FLASH sequence follows the pattern 101010 (500 ms per state).
A 2-FLASH sequence follows the pattern 101000 (500 ms per state).
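The flash patterns above are cyclic, so an operator (or a monitoring script reading a light sensor) who starts observing part-way through a cycle still sees a rotation of 101010 or 101000. The following decoder is an added example, not code from the user guide or from Prism/Zazoo: it takes six consecutive 0/1 readings per LED (one 3 s cycle at 500 ms per state), recognises the pattern regardless of phase, and maps the red/green pair to the row of the LED table. The readings in the main block are constructed, and the table text is transcribed from this section; the (OFF, ON) pair is deliberately reported as either Notice Me or initialising, since the table only distinguishes them by the single red flash at the start of initialisation.

```python
"""Decode TSM500i red/green status LED readings into the states listed in the
user guide's LED table.  Added example; all sample readings are constructed."""
from typing import Tuple

# Flash sequences from the guide, 500 ms per state, repeated cyclically.
ONE_FLASH = "101010"
TWO_FLASH = "101000"

# (red, green) -> (meaning, HSM able to operate normally), from the LED table.
LED_TABLE = {
    ("OFF", "2-FLASH"): ("Application running: healthy operational state", True),
    ("OFF", "1-FLASH"): ("Loader state: healthy maintenance state (reset to return to operational)", True),
    ("ON", "1-FLASH"): ("Tampered state: remove and physically inspect the module", False),
    ("OFF", "ON"): ("Notice Me (waiting for key/password entry) or initialising/self-tests", True),
    ("1-FLASH", "1-FLASH"): ("Error state: reset; if it persists contact Prism Support", False),
    ("ON", "OFF"): ("Corrupt state: reset; if it persists contact Prism Support", False),
    ("OFF", "OFF"): ("Power is off or catastrophic hardware failure", False),
}


def _rotations(pattern: str) -> set:
    """All cyclic shifts of a pattern, so sampling may begin anywhere in the cycle."""
    return {pattern[i:] + pattern[:i] for i in range(len(pattern))}


def classify_led(samples: str) -> str:
    """Map six consecutive '0'/'1' readings (one full cycle) to OFF/ON/1-FLASH/2-FLASH.

    The two rotations of 101010 and the six rotations of 101000 are disjoint,
    so a full cycle of samples identifies the pattern unambiguously.
    """
    if len(samples) != 6 or set(samples) - {"0", "1"}:
        raise ValueError("expected exactly six '0'/'1' samples")
    if samples == "000000":
        return "OFF"
    if samples == "111111":
        return "ON"
    if samples in _rotations(ONE_FLASH):
        return "1-FLASH"
    if samples in _rotations(TWO_FLASH):
        return "2-FLASH"
    return "UNKNOWN"


def hsm_status(red_samples: str, green_samples: str) -> Tuple[str, str, bool]:
    """Return (LED pair, meaning, operating_normally) for one observation."""
    pair = (classify_led(red_samples), classify_led(green_samples))
    meaning, ok = LED_TABLE.get(pair, ("Not listed in the LED table; re-sample", False))
    return f"RED {pair[0]} / GREEN {pair[1]}", meaning, ok


if __name__ == "__main__":
    # Constructed readings, not captured from a real module.
    for red, green in [("000000", "001010"), ("111111", "010101"), ("000000", "000000")]:
        print(hsm_status(red, green))
```

Any pair the decoder reports with `operating_normally` false corresponds to a "Red ON or FLASH" or "both OFF" row of the notes above, i.e. a module that should not be used until it has been reset or inspected.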

2.5 INSTALL DRIVERS, CONDUCTOR & TSM-WEB
This section is only applicable to the TSM500i-PCIe (it does not apply to a TSM500i-NSS).
For a TSM500i-PCIe, perform the following steps:
Install the Driver
Refer to the readme.txt file provided in the Driver folder of the TSM5XX Support CD to select
the appropriate driver for your Windows operating system.
Install Conductor and TSM-WEB
Run TSM5XX-PCI_Installer.exe (provided on the TSM5XX Support CD). This will install the
Conductor service and TSM-WEB.
Install Java Runtime Environment (JRE)
JRE v1.4.2 is provided on the TSM5XX Support CD. This is the recommended version that
should be installed before attempting to use Conductor.
Setup Conductor
Run ConductorSetup.exe. Refer to the Conductor User Guide for details on how to setup
Conductor. This may be found in Start -> Prism -> Conductor after installing Conductor and is
also on the TSM5XX Support CD.

2.6 NETWORK SETUP & RECOVERY
This section is only applicable to the TSM500i-NSS (it does not apply to a TSM500i-PCIe).
The IP address of the TSM500i-NSS will be displayed on the LCD on the front panel after powering up. The
network setting factory defaults are:
IP address 192.168.0.201
Network mask 255.255.255.0
Default Gateway “none”
If it is not possible to connect to the TSM500i-NSS over the local network, the IP address and network mask
(netmask) can be changed via the front panel of the NSS using the LCD MAIN MENU (see section 2.6.1). The
alternative is to access the NSS using the default address and change it later using the TSM-WEB interface.
It is also possible to use the LCD Main Menu to reset the configuration to its defaults, reset the NSS to factory
state and to reset the TSM-WEB admin password.
2.6.1 Use the LCD MENU to set the IP address
To access the LCD MAIN MENU, power the TSM500i-NSS off. Power it on again and watch the LCD display.
After about 30 seconds, the following prompt will be displayed briefly: “+ for menu…”. Press and hold
down the red button and green button on the front panel until a MAIN MENU appears on the LCD display.
Hint: You may hold the red and green buttons from before the prompt is displayed. However, you must keep the
buttons depressed until the MAIN MENU appears.
The menu has the following layout, whereby the following menu options may be accessed by means of the
up/down arrow keys:
MAIN MENU
1. Exit & Boot
2. TCP/IP (includes IP address, netmask and default gateway setup)
3. TLS settings (includes enable/disable and resetting of TLS key)
4. USB Backup (includes options to backup and restore database)
5. Reset… (includes options to reset Admin Password and config settings)
To abort and proceed with the normal power-up sequence, select Continue boot.
Use the arrow keys and green accept key to select the TCP/IP option. This menu will allow the setting of the IP
address, netmask and default gateway.
To change any address (IP address, netmask or default gateway), use the left and right arrow buttons on the
front panel to move the cursor, until the cursor is under a digit to be changed. Use the up and down buttons to
set the digit to the required value. Repeat the process for all digits in the address.
More details about the MAIN MENU can be found in APPENDIX B – LCD SEQUENCE.
2.7 TSM-WEB INTERFACE
TSM-WEB works best with Chrome and Mozilla Firefox web browsers. Internet Explorer is not officially
supported.
2.7.1 Invoking TSM-WEB for a TSM500i-PCIe
Enter http://localhost as the URL into your Web Browser when using TSM500i-PCIe.
Note that TSM-WEB and Conductor must have been installed (see section 2.5).
2.7.2 Invoking TSM-WEB for a TSM500i-NSS
When using a TSM500i-NSS, verify that the LCD on the TSM500i-NSS displays “TSM500-NSS READY” and that it
also displays its IP address. Enter this IP address into a web browser, e.g. http://196.214.189.219 on a PC that
is connected to the same subnet to access TSM-WEB. The home page similar to the one shown below should
load. (The IP address entered must match the IP address shown on the TSM500i-NSS LCD).
2.7.3 Setting the TSM-WEB admin password
User / Password Setup is optional on a TSM500i-PCIe when using TSM-WEB from the computer that
hosts the TSM500i-PCIe. To log in on a local installation, click Login as $Local . When accessing the
TSM500i-PCIe from a remote computer, the process is the same as for the TSM500i-NSS, which means
TSM-WEB user accounts will need to be set up as detailed below.
Please note that TSM-WEB is not supplied with default passwords and it is necessary to set a password for the
pre-defined admin username before using TSM-WEB.
The TSM-WEB user account passwords must not be confused with, and are not related to, the
Cryptographic Officer passwords that reside in the TSM500i HSM.
When using TSM-WEB with a TSM500i-NSS, it is necessary to LOG IN to TSM-WEB in order to access any of the
menus other than the Home page. The web browser will be redirected to the SSL-secured log-in page. A
warning will first be displayed because the browser regards the connection as untrusted. The reason for this is
that the certificate is self-signed, so this warning can be ignored. In Chrome simply click “Proceed anyway”. In
Mozilla Firefox an exception will need to be added after clicking “I understand the risks”.
2.7.3.1 Setting Admin Password for the first time
If no admin user password has been set, the user will be presented with a screen titled TSM-WEB Set Admin
Password and with the following message in red text:
“No password has been set for account 'admin'. Please set one now.”
The username for this account is admin (case sensitive) and the user must enter a password for admin. The
password must be entered into BOTH boxes provided in order to confirm the new password and then
click Set Admin Password .
Once a password has been entered for the admin user, the TSM-WEB Log In screen will be displayed. You may
then login using username admin and your chosen password.
By default, the password must contain at least 6 characters and must include at least one of each of the
following:
Upper case character
Lower case character
Digit
2.7.3.2 Resetting Admin Password
In the event that the password has been lost, you will require access to the TSM500i-NSS front panel. Perform
the following procedure:
Power the TSM500i-NSS off and then power it on again. Watch the LCD display and, when prompted, press
and hold down the red button and green button on the front panel until a MAIN MENU appears on the
LCD display. Use the arrow keys to select the Reset… option. Press the green accept key and then select the
Admin passwd option. After confirming, wait until the LCD display returns to the MAIN MENU and then press
the green accept key to continue booting.
Once the TSM500i-NSS has powered up, a new admin password for TSM-WEB may be set in accordance with
section 2.7.3.1.
2.7.4 Using TSM-WEB for the first time
Enter the username (admin) and your newly assigned password and click Login .
Click TSM from the side menu, wait for the TSM management page to load, then click on TSM Status Report
which will retrieve a detailed status report from the TSM500i. Read the report to identify any problems.
If the Access control mode is BL:TAMPERED_ROLE_NONE then it means that the TSM500i is in the tampered
state. If the HSM is tampered on arrival at the point of first deployment, it should be returned to the
Manufacturer.
If the Access control mode is BL:ERROR then it indicates that the TSM500i has detected a hardware fault. If the
problem is persistent after power-cycling, the unit must be returned to the Manufacturer.
TSM-WEB will automatically log the user off after a default of 10 minutes of inactivity.
This timeout period can be configured via Preference Manager page on TSM-WEB.
When using TSM-WEB on a TSM500i-NSS, you will always be required to enter a password.
When using a TSM500i-PCIe, a password is not required when using TSM-WEB on the host
computer, but is required if TSM-WEB is accessed from a remote computer.
Refer to sections 2.7.3 and 2.11 for details on how to setup a TSM-WEB admin password and
further user passwords.
2.7.5 Accessing TSM-WEB through a different subnet
In some instances it may be necessary to access TSM-WEB interface through a firewall or from a different
subnet. Ports 80 and 443 will have to be enabled for incoming connections on the firewall if you need to
access TSM-WEB through the firewall.
When your client computer is on a different subnet, the TSM500i-NSS needs to have a default gateway
specified. The default gateway needs a route entry that will correctly direct return network traffic from the
TSM500i-NSS to the remote computer you are using.
Click Network Settings from the side menu, wait for the Network settings page to load, set the default
gateway to the IP address of the default gateway on the network where your TSM500i-NSS is installed, and
click Change Settings .
2.8 AUTHENTICATE HSM AND SET INITIAL PASSWORDS
A two-step process is used to authenticate the HSM at the place of first deployment and to
simultaneously set the initial two crypto officer passwords. This process transfers control of
the HSM from the Manufacturer to two Customer crypto officers.
The TSM500i HSM is shipped without any Cryptographic Officer passwords.
The cryptographic officer passwords reside inside the HSM. They must not be confused with, and are
not related to, the TSM-WEB user account passwords.
Requirements: Logged into TSM-WEB and the KCED connected to the TSM500i.
2.8.1 Put the TSM500i into the Loader State
Prior to attempting any of the procedures detailed below, it is necessary to ensure that the TSM500i HSM is in
the Loader state. To do this, click on the TSM side menu and read the Access Control Mode that is reported. The
Access Control Mode specifies:
1. Whether the module is in the Loader state (i.e. running the Boot Loader), Loader Tampered
state or in the Operational state (i.e. running the Firmware Application).
2. What Role is currently assumed (e.g. none, officer, dual officer)
The following Access Control Modes are possible:
BL:LOADER_ROLE_NONE : Loader state, no tamper, not logged in
BL:LOADER_ROLE_OFFICER : Loader state, no tamper, officer logged in
BL:LOADER_ROLE_DUAL_OFFICER : Loader state, no tamper, 2 officers logged in
BL:LOADER_ROLE_USER : Loader state, no tamper, user logged in
BL:TAMPERED_ROLE_NONE : Loader Tampered state, not logged in
BL:TAMPERED_ROLE_OFFICER : Loader Tampered state, officer logged in
BL:TAMPERED_ROLE_DUAL_OFFICER : Loader Tampered state, 2 officers logged in
BL:ERROR : Loader Error state, (login not possible)
AC:OPERATIONAL : Application running
AC:PRIVILEGED : Application running, 2 officers logged in
To change the State from Operational to Loader, click on the “Reset TSM” tab in the TSM Management page.
Click on RESET TO LOADER and allow about 20 seconds (until the green LED is flashing) for the TSM500i
module to complete its initialisation before attempting to communicate with it again.
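The Access Control Mode check above is easy to get wrong by eye, so the following added example (not part of this guide or of the TSM-WEB software) parses the mode string into its Loader/Tampered/Error/Operational state and current role, and states the next step the procedure requires. The layout of the TSM Status Report line (“Access control mode: …”) is an assumption; the mode values themselves are the ones listed above.

```python
import re
from dataclasses import dataclass

# Constructed sample of a status report; only the mode values are from the
# guide, the "label: value" layout of the report is an assumption.
SAMPLE_REPORT = """\
Device: TSM500i
Access control mode: BL:LOADER_ROLE_DUAL_OFFICER
"""

_MODE_RE = re.compile(r"^(BL|AC):([A-Z_]+)$")


@dataclass(frozen=True)
class AccessControlMode:
    layer: str   # "BL" = Boot Loader running, "AC" = Firmware Application running
    state: str   # LOADER, TAMPERED, ERROR, OPERATIONAL or PRIVILEGED
    role: str    # NONE, OFFICER, DUAL_OFFICER or USER
    action: str  # what section 2.8 requires before authentication can start


def parse_access_control_mode(mode: str) -> AccessControlMode:
    m = _MODE_RE.match(mode.strip())
    if not m:
        raise ValueError(f"unrecognised Access Control Mode: {mode!r}")
    layer, rest = m.groups()
    if layer == "AC":
        # Application running; AC:PRIVILEGED means 2 officers are logged in.
        role = "DUAL_OFFICER" if rest == "PRIVILEGED" else "NONE"
        return AccessControlMode(layer, rest, role,
                                 "click RESET TO LOADER and wait ~20 s for the flashing green LED")
    if rest == "ERROR":
        return AccessControlMode(layer, "ERROR", "NONE",
                                 "hardware fault: power-cycle; if persistent, return to Manufacturer")
    state, sep, role = rest.partition("_ROLE_")
    if not sep or state not in ("LOADER", "TAMPERED"):
        raise ValueError(f"unrecognised Access Control Mode: {mode!r}")
    if state == "TAMPERED":
        return AccessControlMode(layer, state, role, "tampered: do not deploy; return to Manufacturer")
    return AccessControlMode(layer, state, role, "Loader state: proceed with the Request step")


def ready_for_authentication(mode: str) -> bool:
    """True only for the untampered Loader state required by section 2.8.1."""
    acm = parse_access_control_mode(mode)
    return acm.layer == "BL" and acm.state == "LOADER"


def mode_from_report(report: str) -> str:
    """Pull the Access Control Mode value out of a status report text."""
    for line in report.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() == "access control mode":
            return value.strip()
    raise ValueError("status report has no Access control mode line")
```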
2.8.2 Authenticate HSM - Request Step
On the TSM Operators page click on “Authenticate HSM and Set Initial Passwords” tab.
Select “Request” from the “Action” drop down menu. Click on REQUEST.
Write the “Expected Response” down and keep this safe. It will be of the form “ER12345678”.
Copy the “Token” into a text file. The token comprises 112 ASCII-hex characters.
Send the “Token” (Device Authentication Token) to Prism (the Manufacturer) so that the HSM can be
authenticated before control is transferred to the Customer.
In the same email, provide the manufacturer with the names and email addresses of the two crypto
officers that will be established during the ‘FINALIZE’ step of this process. This information should be
provided on a company letterhead. Sample wording for the request is provided in a template on the
support CD that is provided with the HSM.
Having issued the Request and sent the token to the Manufacturer, DO NOT initiate the Request
step again prior to completing the Finalize step detailed below. Authenticating the HSM uses a
challenge-response mechanism. The Finalize step will only work if it is in response to the last
challenge issued.
2.8.3 Authenticate HSM - Finalise Step
To perform this operation you must have completed the Request step and received the necessary
response from the Manufacturer (Prism). The tokens will be emailed individually to the 2 officers
identified in the Request step.
Both officers need to be present simultaneously to complete this step.
Confirm that both crypto officers have received their Control Transfer Tokens from the Manufacturer.
Confirm that the Expected Response that was returned by the Manufacturer matches the expected
response that was recorded in the first step.
Select “Finalise” from the “Action” drop down menu.
Ensure that the KCED is attached to the appropriate port of the HSM before proceeding.
Whenever the KCED is connected to the HSM, the Cryptographic Officers must inspect the HSM, the
externally connected device, and the inter-connecting cable for any signs of tampering or insertion
of a bugging device.
Officer 1 will be required to enter their name and token. The token will be of the form “0187654321”.
Officer 2 will be required to enter their name and token. The token will be of the form “0287654321”.
Click on FINALISE.
Officer 1 will be required to enter and confirm their password via the KCED. Make a record of the
password and keep in a safe place.
Officer 2 will be required to enter and confirm their password via the KCED. Make a record of the
password and keep in a safe place.
A password must be at least 7 digits in length, using digits in the range 0 to 9.
The crypto officers must keep a record of their passwords in a safe place and
ENSURE THAT THEY FULLY UNDERSTAND THE CONSEQUENCES OF LOSING THEIR PASSWORDS!
If all crypto officers forget their passwords, there is NO way to reset the HSM passwords without
ERASING ALL CSPs.
On successful completion of the above step, the HSM will have been authenticated to have originated
from the Manufacturer and verified to have not been modified.
2.8.4 Add additional crypto officers
Refer to section 3.1 for instructions on how to ADD additional Crypto Officers.
The above HSM authentication process included setting up passwords for the two crypto officers
that took control of the HSM. If all crypto officers forget their passwords, there is NO way to reset
passwords WITHOUT ERASING ALL CSPs.
Because the HSM requires dual control for all sensitive operations, it is strongly recommended that
the crypto officers add at least one more crypto officer during initial deployment.