cpl.thalesgroup.com
payShield® 10K Installation and User Guide
PUGD0535-006

Questions and answers

Abdulnasser
January 30, 2025

How to clear an error alert in Thales HSM 9000?

1 comment:
Mr. Anderson
February 10, 2025

To clear an error alert in Thales payShield 10K:

1. Navigate to Status > Maintenance in the system interface.
2. Click On to activate maintenance mode.
3. The handle light on payShield 10K should turn blue, indicating maintenance mode is active.

Additionally, if the security setting "Allow Error light to be extinguished when viewing Error Log?" is set to YES, viewing the error log may also clear the error light.

This answer is automatically generated

Summary of Contents for Thales payShield 10K

  • Page 1 cpl.thalesgroup.com, payShield® 10K Installation and User Guide, PUGD0535-006
  • Page 2 Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks.
  • Page 3: Table Of Contents

    2.1.1 Host Interface and Commands (2-25); 2.1.2 Options for Managing payShield 10K (2-26); 2.1.3 Modifications made to the console commands ...
  • Page 4 7.3 Preparing for Commissioning (7-55); 7.3.1 Configuring payShield 10K for Static IP (if required) (7-55); 7.3.2 Install Smart Card Reader Driver ...
  • Page 5 7.4.1 Connecting to payShield 10K (7-58); 7.4.2 Installing Thales Browser Extensions (7-59); 7.4.3 Configure the Smart Card reader ...
  • Page 6 8.7.3.3 Maintenance (8-113); 8.7.4 Error Log ...
  • Page 7 8.10.5.3 Management - TLS Certificate (8-168); 8.10.6 General Settings ...
  • Page 8 9.15.2 BH Response (9-199); 9.16 Re-encrypting decimalization tables ...
  • Page 9 ... how to update software”, on page 122. 004a, April 2020: Minor editorial changes. October 2020: payShield 10K 10G Ethernet Hardware Platform Variant support documented in Chapter 5, “payShield 10K 10G Ethernet Hardware Platform Variant”. Links to Chapter 5 added to: Chapter 1, “Introduction”, ...
  • Page 11: Introduction

    The payShield 10K payment hardware security module (HSM) provides cryptographic functions to support network and point-to-point data security. The payShield 10K acts as a peripheral device to a Host computer. It provides the cryptographic facilities required to implement key management, message authentication, and Personal Identification Number (PIN) encryption in real-time online environments.
  • Page 12: Typical Configuration

    1.4 Typical Configuration A typical payShield 10K configuration consists of two or more payShield units connected as “live” units. A multi-unit configuration permits concurrent operation for high throughput, and, under control of the application program, provides automatic and immediate backup in the event of a fault in a single unit.
  • Page 13: Command Flow

    1.4.1 Command Flow. Note: The payShield 10K is normally online to the Host and does not require operator monitoring or intervention. The HSM processes commands from the Host. • The Host sends command messages, which consist of command codes and other fields that are required by the HSM in order to process the commands, to the HSM.
  • Page 14: Customer Trust Authority (Cta)

    Can only be formatted using the FC Manager command using the USB-C console. Save Settings (Alarm, Host, Security, Audit, Command, ...): can be used to save payShield 10K settings via payShield Manager, or via the USB-C console and embedded...
  • Page 15: Customer Security Domain

    The CTA is split across a number of CTA smart cards. (Section 1.8, “Key Shares”, on page 16 further explains the split/sharing concept.) The CTA is temporarily loaded into an HSM prior to signing the smart card or HSM public key certificates.
  • Page 16: Local Master Keys (Lmks)

    HSM. The payShield 10K can support multiple LMKs, such that up to 20 LMKs, of different types, can be in use at any one time. Each LMK can be managed by a separate security team. This allows a single payShield 10K to be used for multiple purposes - such as different applications or different clients.
  • Page 17: Zone Master Key

    ZMK is encrypted under one of the LMK pairs. Within the VISA environment this is known as a ZCMK. The payShield 10K supports the use of a single-length, double-length or triple-length DES ZMK, or a 128-bit, 192-bit or 256-bit AES ZMK.
  • Page 18: Terminal Encryption Key

    TMK or ZMK; for local storage it is encrypted under one of the LMK pairs. The payShield 10K supports the use of a single-length, double-length or triple-length DES TEK, or a 128-bit, 192-bit or 256-bit AES TEK.
  • Page 19: Host Commands Supporting Multiple Lmks

    Figure 1: “key share” concept overview. 1.9 Host Commands supporting multiple LMKs. The basic mechanism for Host commands to support multiple LMKs and LMK schemes is as follows: Two additional (optional) fields are added at the end of each Host command request message. These fields are: Field, Length & ...
  • Page 20: Lmk Usage In Host Commands

    Command received on TCP Port 1503: LMK used is LMK ID 02. 1.9.1 LMK Usage in Host Commands. The HSM uses the following mechanisms to determine which LMK Id to use with a Host command: • ...
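The message layout described in the two entries above, as an added example (Python written for this page, not code from the Thales manual): a builder and parser for a host command request carrying the two optional trailing LMK-identifier fields, plus a resolver that picks the LMK the way the page outlines, explicit field first, then the LMK assigned to the receiving TCP port. The page truncates the field table, so the 4-character header, the '%' delimiter with a two-digit LMK identifier, the 2-byte length prefix on the TCP stream, the response-code convention (A0 answered by A1) and every port-table row other than "1503 -> LMK ID 02" are assumptions to be checked against the Host Programmer's Manual for your firmware.

```python
"""
Host command framing with the optional LMK-identifier fields.

Added example, not code from the Thales manual. Assumptions (the page cuts
the field table off): a 4-character message header, a '%' delimiter followed
by a two-digit LMK identifier as the two optional trailing fields, a 2-byte
big-endian length prefix on the TCP stream, a response code formed by
incrementing the second character of the command code (A0 -> A1), and a
port table of which only the row "port 1503 -> LMK ID 02" is on the page.
Real request parsing is per command; the trailing-field scan here only
shows where the LMK fields sit.
"""
import struct
from typing import Optional

HEADER_LEN = 4                 # assumed; the header length is configurable
LMK_DELIMITER = b"%"           # assumed delimiter before the LMK identifier
MAX_LMK_ID = 19                # page: up to 20 LMKs in use at once (IDs 00-19)

# Constructed port-to-LMK table. Only the 1503 -> 02 row is from the page.
PORT_DEFAULT_LMK = {1500: 0, 1501: 1, 1503: 2}


def build_request(header: str, command: str, fields: bytes = b"",
                  lmk_id: Optional[int] = None) -> bytes:
    """Frame a request: length prefix + header + command code + fields [+ %NN]."""
    if len(header) != HEADER_LEN:
        raise ValueError(f"header must be {HEADER_LEN} characters")
    if len(command) != 2 or not command.isalnum():
        raise ValueError("command code must be two alphanumeric characters")
    body = header.encode("ascii") + command.encode("ascii") + fields
    if lmk_id is not None:
        if not 0 <= lmk_id <= MAX_LMK_ID:
            raise ValueError("LMK identifier out of range")
        body += LMK_DELIMITER + f"{lmk_id:02d}".encode("ascii")
    return struct.pack(">H", len(body)) + body


def parse_request(raw: bytes) -> dict:
    """Split a framed request; lmk_id is None when the optional fields are absent."""
    (length,) = struct.unpack(">H", raw[:2])
    body = raw[2:]
    if len(body) != length:
        raise ValueError("length prefix does not match body length")
    header = body[:HEADER_LEN].decode("ascii")
    command = body[HEADER_LEN:HEADER_LEN + 2].decode("ascii")
    rest = body[HEADER_LEN + 2:]
    lmk_id = None
    # A trailing "%NN" (delimiter + two digits) is taken as the LMK identifier.
    if len(rest) >= 3 and rest[-3:-2] == LMK_DELIMITER and rest[-2:].isdigit():
        lmk_id = int(rest[-2:].decode("ascii"))
        rest = rest[:-3]
    return {"header": header, "command": command, "fields": rest, "lmk_id": lmk_id}


def select_lmk(parsed: dict, port: int) -> int:
    """Assumed precedence: explicit identifier, else the port's LMK, else LMK 00."""
    if parsed["lmk_id"] is not None:
        return parsed["lmk_id"]
    return PORT_DEFAULT_LMK.get(port, 0)


def response_code_for(command: str) -> str:
    """Assumed convention: second character of the command code incremented."""
    return command[0] + chr(ord(command[1]) + 1)


def response_ok(response: bytes, header: str, command: str) -> bool:
    """True when the framed response echoes the header, carries the expected
    response code and an error code of '00' (success)."""
    (length,) = struct.unpack(">H", response[:2])
    body = response[2:]
    if len(body) != length or body[:HEADER_LEN].decode("ascii") != header:
        return False
    if body[HEADER_LEN:HEADER_LEN + 2].decode("ascii") != response_code_for(command):
        return False
    return body[HEADER_LEN + 2:HEADER_LEN + 4] == b"00"


if __name__ == "__main__":
    req = build_request("0001", "A0", b"0001U", lmk_id=2)
    parsed = parse_request(req)
    print(req, parsed, "LMK", select_lmk(parsed, port=1500))
    # Constructed reply: header echoed, A1 response code, error code 00.
    print(response_ok(b"\x00\x08" + b"0001A100", "0001", "A0"))
```

The point worth checking on a real deployment is the precedence in `select_lmk`: a command that omits the identifier silently falls back to whatever LMK the port is mapped to, so host applications that share a port across tenants must always send the explicit field.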
  • Page 21: Payshield 10K License Packages

    1.10 payShield 10K license packages. The tables that follow summarize payShield 10K license packages. Product Code PS10-CLA-L; Product Name: Classic package - 25 cps; Product Description: Classic Package - 25 cps. Standard processing package containing all the core functionality necessary to route and validate payment transactions.
  • Page 22 Product Code PS10U-PRM-L2S; Product Name: Premium pack perf upg - 25 to 60 cps; Product Description: Premium pack performance upgrade - 25 to 60 cps. Product Code PS10U-PRM-S2M; Product Name: Premium pack perf upg - 60 to ...
  • Page 23: Trusted Management Device (Tmd)

    1.11.2 Background Secure key management is crucial to the security of the system in which the payShield 10K is used. One particular area of importance is the exchange of symmetric encryption keys between parties in the payment network (such as an Acquirer and a Switch) who need to exchange data securely.
  • Page 24 1.11.4 How Keys Are Shared With payShield and 3rd Parties. The following table shows how keys are typically shared securely between the TMD, payShield 10K and third parties. Other options are available, for example, to secure the transfer of keys.
  • Page 25: Example Sequence Of Steps To Set-Up And Transfer Keys

    The main steps are: 1. Sharing MZMK between the payShield 10K and the TMD: a) Use payShield 10K Console Command GS to generate MZMK components on HSM smart cards and to display the MZMK encrypted under the LMK. b) Install MZMK in the TMD from the components on smart card generated above.
  • Page 26 The ZMK can be generated by payShield 10K instead of by the third party. In this case, payShield 10K is used to generate the ZMK (using Host Command A0) and to encrypt the ZMK under a MZMK (using Host Command A8 or Console Command KE) for import into the TMD.
  • Page 27: Backwards Compatibility And Differences

    9000 can use those same CTAs in payShield 10K. payShield 10K does not support the old Remote HSM Manager. If you have set up LMK cards using the old Remote HSM Manager, migrate the cards to payShield Manager using the payShield 9000. Once migrated, the cards can be used on the payShield 10K.
  • Page 28: Options For Managing Payshield 10K

    Modified to remove Asynchronous Communications option. ‘QH’ (Query Host): modified to remove Asynchronous Communications option. ‘VR’ (view software revision): modified to reflect payShield 10K Version options. UPLOAD (upload new code): added for secure code and license loading at the console.
  • Page 29: Feature Comparison

    Modified because of 10K OS version. TRACERT (Trace TCP/IP route): modified because of 10K OS version. 2.1.4 Feature Comparison. Note: For the 10G Ethernet Platform Variant, follow this link: Chapter 5, “payShield 10K 10G Ethernet Hardware Platform Variant”.
  • Page 30 Feature / payShield 9000 / payShield 10K. Form Factor: 2U Chassis / 1U Chassis. Code loading mechanism: FTP interface or USB stick / HTTPS via payShield Manager or the secure “UPLOAD” console command using the USB-...
  • Page 31: Front Panel

    Front Panel Tamper: No Tamper has been detected. Front Panel Tamper, Solid Red: A high Tamper has been detected; contact Thales support. Front Panel Tamper, Flashing Red: A medium Tamper has been detected; customer key material has been erased.
  • Page 32: Rear Panel

    2.1.8 Rear Panel 2.1.9 Enhanced Security Features payShield 10K software has been designed, where practical, to be secure by default. Most security settings affecting configurations are set to their most secure value by default. Attention: All Host commands, most console commands and all PIN Blocks have been disabled by default.
  • Page 33: Diagnostics

    • The prompt to enter a port for the trap now supports a default port of 162. • AES-128 is provided as a privacy algorithm option in the payShield 10K. • Objects related to ASYNC Host communications have been removed.
  • Page 34: Transitioning Legacy Manager Smart Cards

    You will then have your CTA and LMK cards and ADMIN cards on the JAVA cards, which can be read by payShield Manager on the payShield 10K. Non-supported Remote HSM Manager Smart Cards: JAVA card which can be read by payShield Manager on the payShield 10K:
  • Page 35: Transitioning Non-Supported Legacy Hsm Smart Cards

    6. Confirm that the LMK is working in the 10K. 7. Destroy the old LMK cards. 2.1.13 User Documentation. The payShield 10K user manuals are now available for download from the Thales support website. Follow the link below to download all the user manuals:
  • Page 36 https://supportportal.thalesgroup.com/csm
  • Page 37: Physical Description

    Chapter 5, “payShield 10K 10G Ethernet Hardware Platform Variant”. The payShield 10K can either stand alone or be one of several units installed in a standard 19-inch cabinet. • Overall rack dimensions (WxDxH): 1U rack, 19” x 29” x 1.75” (482.6mm x 736.6mm x 44.5mm). The unit is supported on telescopic runners that slide out via the front of the cabinet.
  • Page 38: Smart Card Reader

    • Secure (both locks are unlocked). 3.1.2 Smart Card Reader. The Smart Card Reader is an ISO-compliant card type with automatic card ejection. The card is ejected at a standard point in HSM operation.
  • Page 39: Health Led

    3.1.3.1 Health LED. The Health LED is software controlled and readily identifies whether the unit is operational or if a fault condition exists. LED Display / Indicates: Off: Power is off. White: Unit is operating properly. Flashing: Unit is booting.
  • Page 40: Tamper Led

    3.1.3.5 Blue LED. The blue service LED indicates that the HSM requires service. 3.1.4 Air Inlets. The air inlets on the payShield 10K provide a cooling air entryway for the system and for the power supplies.
  • Page 41: Rear Panel

    Variant”. 3.2.1 AC/DC power supplies The payShield 10K is equipped with dual power supply units allowing the HSM to receive power from two independent supplies. This redundancy is designed to help prevent any operational break in the event of: •...
  • Page 42: Fan Trays

    2. Using thumb and forefinger, gently press the lever to the left to release the hold. 3. Slide the power supply out of the chassis. 4. Slide the new power supply into the chassis.
  • Page 43: Ac Power On/Off Switch

    Note: When connecting serial or parallel interface devices to USB ports, it is essential that a USB adapter is acquired from Thales. Adapters are available for USB-Serial, USB-Centronics parallel, and USB-25 Pin parallel. Adapters from other sources must not be used as the payShield 10K will not have the required drivers. 3.2.7 USB Type A port There is a single USB host interface with a type A connector.
  • Page 45: Installation

    0 °C to +40 °C. Humidity: 10% to 90% non-condensing @ +30 °C. 4.1.1.2 Power Considerations. The payShield 10K is a Class I product and must be connected to a power supply system which provides an earth continuity connection.
  • Page 46: Environmental Considerations

    • A Phillips screwdriver, #2. 1. Read the payShield 10K Regulatory User Warnings and Cautions document. 2. Gather the necessary personnel, e.g., security/trusted officers, trusted installer. 3. Verify that the shipment never left the custody of the shipper and log the receipt of the shipment in accordance with your security policies.
  • Page 47 8. Store the serial number records in accordance with your security policy. 9. Mount the rack. a) Unpack the Thales box containing the Thales Universal Rack Mount Kit. The Mount Kit contains 2 rails and 10 M4 x 6 mm screws.
  • Page 48 • Position the inner rail on the side of the product with the safety catch toward the rear. • Align the rear hole of the rail with the rear hole on the chassis and attach using the M4 x 6mm screws provided.
  • Page 49 As the system powers up, the LED display changes as the HSM moves through the power-up sequence. The table below provides a key to the LED sequence. LED Displays / Process: • All LEDs are turned on: System LED test (power up occurring). • ...
  • Page 51: Payshield 10K 10G Ethernet Hardware Platform Variant

    5 payShield 10K 10G Ethernet Hardware Platform Variant 5.1 Introduction A variant of the standard payShield 10K hardware platform is available supporting 10G Ethernet. This can be ordered in place of the standard PS10-S payShield 10K Ethernet Hardware Platform using the following part number:...
  • Page 52: Rear Panel Overview

    5.2 Rear Panel Overview 5.3 General Notes • payShield 10K 10G Ethernet Hardware Platform has 4 ports for connecting to a 10G network using the transceivers ordered separately. The transceivers must be connected to a switch or router that supports 10G Ethernet.
  • Page 53: Power Consumption

    3. Slide each SFP into a port slot. (Each SFP can be either copper or optical, or a mixture.) • If a mixture, the media type of each SFP must match the site requirement. • Host 1 in port 1, Host 2 in port 2, Management in port 3, AUX in port 4.
  • Page 55: Payshield Management Options

    10K’s Ethernet management port. The Remote payShield Manager License is required to use this option. payShield 10K can also be managed using the Console. Here the smart card reader on the front panel is used together with LMK Component Smart cards. The Console Commands are described in Appendix A, Console Commands.
  • Page 57: Commission Using Payshield Manager

    Chapter 10 Using payShield Manager. 7.2 Prerequisites The following are required before starting the commissioning procedure: • payShield 10K installed in a cabinet with the keys on the front panel set to “online” as covered in Chapter 4, “Installation”. •...
  • Page 58: Install Smart Card Reader Driver

    Dynamically update DNS A and PTR records for DHCP clients that do not request updates. Note: The DHCP request from the payShield 10K is going to request an IP address and also request a name (with -h option on DHCP client). This option pushes the name and assigned IP address to the DNS.
  • Page 59: Connect To The Network

    7.3.5 Connect to the Network. Connect the laptop or workstation to be used for payShield Manager to payShield 10K using Ethernet as follows: • To use payShield Manager locally, the PC hosting payShield Manager is connected directly into the payShield 10K’s Ethernet management port on the rear panel.
  • Page 60: Connecting To Payshield 10K, Installing Browser Extensions And Configuring Smart Card Reader

    7.4.1 Connecting to payShield 10K To connect to payShield 10K using payShield Manager and display the “landing page” proceed as follows: Using the browser on the laptop / workstation being used for payShield Manager, enter the network name or the IP address assigned and access the page.
  • Page 61: Installing Thales Browser Extensions

    7.4.2 Installing Thales Browser Extensions. From the Landing Page, click Commission. If the Unable to load Thales Browser Extension message is displayed (as shown in the screen shot below), follow the steps below. Otherwise, continue to Section 7.4.3, “Configure the Smart Card reader”, on page ... Note: the following procedure is for Chrome.
  • Page 62 4. Follow the instructions under Possible Solution (Enable Extension Component). a) Click the More icon. b) Navigate to: More tools > Extensions. c) Scroll through the list of Extensions; if a Thales Extension is not present, click Get more extensions.
  • Page 63 The Chrome web store opens. d) Type in Thales and click thales e security. The Thales eSecurity Smart Card Bridge Extension displays. e) Click ADD TO CHROME. The system displays:
  • Page 64 Confirm that the extension is Enabled. Navigate back to: More Tools > Extensions. Scroll to the Thales extension and confirm that the Enabled box is checked. 5. Follow the instructions under Possible Solution (Install the Local Application Component). a) Navigate to: Start > ...
  • Page 65 c) Return to your payShield Manager window. d) Click the blue button as shown below. The ThalesScBridge_ChromeFoxFire.msi downloads. e) Click Run. The Smart Card Bridge Setup Wizard opens. Click Next.
  • Page 66 g) Click Next a second time to confirm. h) Follow the instructions as prompted. Click Back to return to the payShield landing page. Close your payShield session. 6. From your Internet browser, enter the network name or IP address.
  • Page 67: Configure The Smart Card Reader

    7.4.3 Configure the Smart Card reader. 1. From the landing page, click on the Settings icon. 2. Confirm that the pop-up menu displays: Bridge Version 1.0.0.0. 3. Click Configure card reader. The Change Default Smart Card Terminal window opens.
  • Page 68: Commissioning Payshield 10K

    You are returned to the landing page. 7.5 Commissioning payShield 10K. This section describes the steps required to complete the commissioning of the payShield 10K ready for LMK generation / LMK installation and configuration. Table 3 ...
  • Page 69: Open The Commissioning Wizard Page

    7.5.1 Open the Commissioning Wizard page. 1. Click Commission. The payShield Manager’s Commission HSM wizard landing page opens. From the landing page you have two options: • If you already have a Security Domain (i.e., you have previously created a security domain with these cards), you are ready to install, i.e., continue to ...
  • Page 70: Create A New Security Domain

    • If you are unsure of the status of your cards and prefer to create a new security domain, continue to Section 7.5.2, “Create a new Security Domain”, on page ... Note: When re-using existing Smart Cards, you must know the PIN.
  • Page 71 For example, if the security domain is shared over 8 Smart Cards, and the quorum is set to 3, any three security officers out of the eight would need to be present to rebuild the Customer Trust Authority (CTA).
  • Page 72 4. Click Next. 5. Follow the wizard instructions to commission each Smart Card (i.e., assign key shares to each security officer’s Smart Card).
  • Page 73 Note: Each Smart Card will hold a share of the CTA. 6. Click Next. 7. Follow the prompt and insert your Smart Card into your Smart Card reader. Note: If your Smart Card is brand new, continue to Step e.
  • Page 74 c) Enter the original PIN. d) Press OK on the card reader. The system prompts for a new PIN. e) Enter a new PIN (for example, a 6-digit PIN).
  • Page 75: Load The Security Domain

    It is important to note that these cards are critical in the remote management process. They are required each time an HSM or a Smart Card is added to the security domain. Note: It is a best practice to back up these cards and store the backups in a secure off-site location.
  • Page 76 3. Each security officer performs the following: • Place their Smart Card in the reader. System prompts: • Enter PIN. • Click OK on the PIN pad. The system displays: 4.
  • Page 77 6. When done, click Next. The system displays:
  • Page 78 7. Click Next. The system displays: This certificate can then be imported into the browser in order to trust subsequent TLS connections to the commissioned payShield. Depending on your organization's IT policy, a PC administrator may be required to perform this configuration.
  • Page 79 a) Insert your Smart Card. b) Enter your PIN. c) Press OK. The system displays (example): d) Save your file to an appropriate location. e) Open the certificate for details. Note: For additional data, open the Details tab and the Certification Path tab.
  • Page 80: Set Hsm Recovery Key (Hrk) Passphrases

    The Certificate Import Wizard opens. g) Follow the prompts. 9. Click OK. 7.5.4 Set HSM Recovery Key (HRK) passphrases. Note: You cannot use any HRK that was previously attempted to be set within the last 10 attempts. This encompasses all attempts.
  • Page 81: Create Left And Right Remote Access Control Key Cards

    3. Enter a PIN. Note: Although the system will accept a minimum PIN length of 6 digits, PINs MUST consist of 8 or more digits to align with the practices identified in the payShield 10K Security Manual. 4. Remove the Smart Card.
  • Page 82 The system displays: Note: PINs are entered via the Smart Card terminal keypad. Remember to press OK after entering a PIN. 3. Enter the PIN. 4. Press OK.
  • Page 83 6. Enter a new PIN. 7. Press OK. 8. Click Next. The system is ready to create the right key card. 9. Click Next. 10. Insert the Smart Card into the reader.
  • Page 84 11. Enter the PIN. 12. Press OK. 13. Insert the card into the Smart Card reader. The system prompts. 14. Click OK. The system starts to process. The system prompts completion.
  • Page 85 15. Remove the Smart Card. 16. Click Next. 17. Click Finish. The system displays:
  • Page 86: Adding Additional Warranted Hsms To The Security Domain

    The system displays: 7.5.6 Adding Additional Warranted HSMs to the Security Domain New payShield HSMs that have Thales warranting on them can be added by using the instructions for Remote Commissioning of a warranted payShield. 1. Log into payShield Manager using the address of the new HSM to be commissioned.
  • Page 87: Additional Information

    Follow this link for additional information: Chapter 8, “Using payShield Manager”. 7.6 Additional Information. This section includes additional information on commissioning payShield Manager. 7.6.1 Using payShield Manager with MacOS Catalina. The following steps are required to be undertaken when using payShield Manager with MacOS Catalina Version 10.15.7 and above.
  • Page 88 2. Add the Certificate to Keychain Access. • Open the Keychain Access Application and navigate to the Certificates panel. • Drag the certificate into the Certificates panel. • ...
  • Page 89 • Double-click on the certificate in order to manage the system preferences for handling the certificate. • Expand the Trust panel and set the preference to “Always Trust” the certificate. 4. Restart the Browser/System.
  • Page 91: Using Payshield Manager

    1. Enter the IP address of your payShield 10K into your Internet browser and press Enter. Note: Only one tab in one browser window may be connected to the payShield 10K. To monitor multiple 10Ks within the same browser, each should be loaded into a separate browser tab.
  • Page 92 2. Click Log In. The system prompts you to insert your Smart Card into the Smart Card reader. Note: To reach the Secure state, both Right and Left Administrators must perform steps 3 through 5 below.
  • Page 93: Top Tab Descriptions

    8.3 Top Tab descriptions. 8.3.1 Summary Tab: Selecting this tab causes the UI to transition to the Summary Perspective (shown). In this perspective, you can view summary information about your HSM. 8.3.2 Status Tab: Selecting this tab causes the UI to transition to the Status Perspective.
  • Page 94: Operational Tab

    • View/download/reset utilization statistics and configure their collection • View/download/reset health statistics, configure their collection and reset the fraud detection • Run diagnostics and configure the automated run-time • ...
  • Page 95: Domain Tab

    • Install LMKs into the Key Change Storage (old LMKs). Note: “Old” LMKs are stored in a table within the secure memory of the HSM, with each “old” LMK occupying a different “slot” within the table.
  • Page 96: Virtual Console Tab

    • View and manage the alarm settings • View and manage the fraud settings • View and set the HSM’s date and time • View and set the HSM’s system name and description • ...
  • Page 97: Payshield 10K States

    8.5.1 payShield 10K States. The allowed state transitions are based on the type of users logged in. For example: • If only a left or only a right RACC is logged into the HSM, then the available states are Online and Offline.
  • Page 98: Time Remaining

    Assuming you logged in with a left RACC, you would simply have to log in the right RACC before the “State” button would present the option to move to the “Secure” state.
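The dual-control rule in the two entries above, as an added example (Python written for this page, not Thales code or the payShield Manager's logic): a small session model in which Online and Offline are reachable with a single left or right RACC logged in, while Secure needs both. The page says nothing about what happens when one card logs out while the unit is in Secure, so the demotion to Offline in `logout`, and the audit list the model keeps, are assumptions made for the illustration.

```python
"""
State transitions gated on which Remote Access Control Cards are logged in.

Added example, not Thales code. From the page: one RACC (left or right)
gives Online and Offline; both together add Secure. Assumed for the
illustration: losing one card while in Secure drops the session to Offline,
and the in-memory audit list.
"""
from enum import Enum


class State(Enum):
    ONLINE = "Online"
    OFFLINE = "Offline"
    SECURE = "Secure"


class HsmSession:
    def __init__(self):
        self.state = State.ONLINE
        self.logged_in = set()        # subset of {"left", "right"}
        self.audit = []               # (event, detail) tuples, model's own

    def login(self, role: str):
        if role not in ("left", "right"):
            raise ValueError("role must be 'left' or 'right'")
        self.logged_in.add(role)
        self.audit.append(("login", role))

    def logout(self, role: str):
        self.logged_in.discard(role)
        self.audit.append(("logout", role))
        # Assumption: dual control lost while Secure -> fall back to Offline.
        if self.state is State.SECURE and State.SECURE not in self.available_states():
            self.state = State.OFFLINE
            self.audit.append(("state", "Offline (dual control lost)"))

    def available_states(self):
        """The states the 'State' button would offer to whoever is logged in."""
        if not self.logged_in:
            return set()
        states = {State.ONLINE, State.OFFLINE}
        if self.logged_in == {"left", "right"}:
            states.add(State.SECURE)
        return states

    def set_state(self, target: State):
        """Move to `target`, refusing and recording any transition the current
        set of logged-in RACCs does not permit."""
        who = sorted(self.logged_in)
        if target not in self.available_states():
            self.audit.append(("denied", f"{target.value} with {who}"))
            raise PermissionError(f"{target.value} not available to {who or 'nobody'}")
        self.state = target
        self.audit.append(("state", target.value))


if __name__ == "__main__":
    s = HsmSession()
    s.login("left")
    try:
        s.set_state(State.SECURE)
    except PermissionError as e:
        print("refused:", e)
    s.login("right")
    s.set_state(State.SECURE)
    s.logout("right")
    print(s.state, s.audit)
```

The check worth carrying into real monitoring is the `denied` record: a Secure-state request arriving with only one RACC present is a two-person-rule bypass attempt and should stand out in the audit log rather than be silently swallowed.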
  • Page 99: Status

    One icon next to a card serial number indicates that you are a Left RACC, while another icon next to a card serial number indicates that you are a Right RACC. The symbol next to the card serial number indicates that the card is currently inserted into the reader.
  • Page 100: Login/Logout Of Users

    8.5.7 Login/Logout of Users. 8.5.7.1 Login Additional Users. To log in additional users, insert the new user’s Smart Card into the Smart Card reader after the initial login (and when not in the middle of a wizard that calls for a Smart Card to be inserted) ...
  • Page 101: Summary Page

    8.6 Summary Page. After a successful login, you will be greeted with the main page as shown below. Each element will be described next. The four collapsible sections contained on this page are the following: 8.6.1 Summary Dashboard ...
  • Page 102: Health Dashboard

    Unit status (#1 and #2), System Up-Time, Instantaneous HSM Load (%), and the number of Reboots. 8.6.2.1 How to resolve reported errors In the example above, the dashboard identifies Failure with Power Supply #2. The payShield 10K handle light is red. Follow these steps to resolve: 1. Navigate to Status > Maintenance.
  • Page 103 Security Officer who is at the unit. This light is for informational purposes only and does not impact the status of the payShield 10K in any manner other than turning on the blue service light on the front and rear panels of the payShield. If the service light is turned on or off, it will be recorded as an event in the Audit Log.
  • Page 104 5. Navigate to Status > Health Statistics/Diagnostics > Maintenance. 6. Set the maintenance light to Off. Note: Turning the maintenance light off can also be performed manually at the unit.
  • Page 105: Configuration Dashboard

    10K Installation and User Guide 8.6.3 Configuration Dashboard When expanded this section displays a table containing Host 1 IP address, Host 2 IP addresses, the management IP address, a summary of the printer configuration, PCI-HSM compliance, and Management Chain of Trust Validation status.
  • Page 106: Local Master Key

    10K Installation and User Guide payShield 10K Installation and User Guide 8.6.4 Local Master Key When expanded, this section displays two tables. The first is the Local Master Key Table showing ID, AUTH, SCHEME, ALGORITHM, STATUS, CHECK, and COMMENTS.
  • Page 107: Status Page

    10K Installation and User Guide 8.7 Status page The Status Page can be reached by selecting the “Status” button which is the second button from the left at the top of the frame. © Thales Group Page 105 All Rights Reserved...
  • Page 108: Device Information

    8.7.1 Device Information The Device Information section contains a table that displays the System Name of the HSM Unit, the Unit Description, Serial Number, Unit Info, Model number, Performance in calls per second (cps), the Date of Manufacture, PSU serial numbers, and Fan serial numbers.
  • Page 109: Utilization Statistics

    8.7.2 Utilization Statistics The Utilization Statistics section contains a set of clickable tabs. The first tab is titled “Cumulative” and the second tab is titled “Instantaneous”. The two tabs provide information showing statistics about CPU Load, Command Totals and Command TPS.
  • Page 110 CPU: This data indicates how heavily the HSM is loaded. Cmd Totals: This data indicates how many times each Host command has been processed. Cmd TPS: This data indicates the average transactions per second (tps) for each command that has been processed.
  • Page 111 Additionally, while in the Offline or Secure state: • Click Refresh to refresh statistics. • Click Reset to reset the statistics. In any state: • Click Download to save to a text file.
  • Page 112 From the Instantaneous view, you may change the measurement period as follows: 1. Enter the new value in the Measurement Period field. 2. Click Apply. Clicking Undo restores the prior setting.
  • Page 113: Health Statistics/Diagnostics

    8.7.3 Health Statistics/Diagnostics 8.7.3.1 Health/Stats In this section, you can enable and disable the collection of health statistics as well as reset the currently gathered statistics. In Offline or Secure state, the Health Check Data Collection can be turned on or off using the buttons presented on this page.
  • Page 114: Diagnostics

    8.7.3.2 Diagnostics The Diagnostics tab contains a list of tests that are run periodically and can be run immediately. Tests that are run immediately will display their result(s) upon completion. Automated tests do not report results on this screen.
  • Page 115: Maintenance

    8.7.3.3 Maintenance The payShield 10K has a service light on the front and rear panel of the HSM. This light can be toggled on or off only through payShield Manager or directly in front of the payShield using the On/Off button. This light is for informational purposes only and does not impact the status of the payShield 10K in any manner other than turning on the blue service light on the front and rear panels of the payShield.
  • Page 116: Audit Log

    • System • Subsystem • Time • User • Process • File • Message Below the log table there are options to Download, Get More, Reload, and Clear.
  • Page 117 The Audit Log can contain up to 100,000 entries for audit records. The audit records are added to the log until it is full and for each subsequent record, the oldest record in the log is deleted to make room for the new one.
  • Page 118 Category: Authorization. Audit Log Messages: Activity A was authorized for LMK id 0-19; Activity A:T was authorized for LMK id 0-19... Notes: A - activity list, T - timeout.
  • Page 119 Audit Log Messages: FAN 1/2 removed; FAN 1/2 restored; Fan 1/2 replaced: “fru serial number”; Power Supply 1/2 removed... Notes: “fru serial number” is the FRU serial number (Field Replaceable Units - fans, ...).
  • Page 120 Category: Management. Audit Log Messages: Format of the audit logs for payShield Manager commands is as follows: Remote (xxxxxxxx) - “command string” - Current users: (None / Left: SSSS / Right: SSSS / Guest: SSSS). Notes: Security sensitive management actions/commands are always audited. “Current Users:”...
  • Page 121 Category: Management. Audit Log Messages: CTA generated; CTA share read from smartcard (optional - disabled by default); CTA share loaded from smartcard (optional - disabled by default); CTA share created on smartcard; CTA share stored on smartcard...
  • Page 122 Category: Management (continued). Audit Log Messages: Audit log retrieved (optional - disabled by default); Audit log downloaded (optional - disabled by default); New LMK installed / deleted...
  • Page 123: Software Info

    Category: Management (continued). Audit Log Messages: Failed to commission HSM; Failed to update license; Failed to set HRK passphrases; Failed to change HRK passphrase 1; Failed to change HRK passphrase 2; Failed to update HSM date and time...
  • Page 124: Software - How To Update Software

    Note: With Release 1.0e, the Software tab has been updated. “Build Number” was changed to “Firmware Version” and a new entry “Deployment Version” has been added. Both fields are used only to assist Thales Support. The figure below shows both 1.0d and 1.0e screens for clarification purposes.
  • Page 125: Fips/Licensing

    Software updates can take several minutes. 8.7.7 FIPS/Licensing The FIPS/Licensing tab has three tabs. 8.7.7.1 License Summary - how to update Licensing This tab displays data about the connected HSM license information including the performance number, the crypto algorithms licensed in the box, and the number of licensed LMKs.
  • Page 126: Installed Licenses

    To update the license: 1. Click Update License. Note: This can be performed from the offline or secure state. 2. Select or drag and drop the file. 3. Click Next.
  • Page 127: Fips Validated Algorithms

    From this tab, when in the secure state, you can load a TLS certificate into the payShield. 8.7.8.1 General Information payShield 10K supports the use of TLS to secure traffic between Host applications and the HSM. TLS v1.2 is the preferred protocol.
  • Page 128: Tls Management

    Note that TLS works between applications. This means that both communicating applications must be TLS-enabled, rather than the Host and client devices. Proxies can be implemented to allow non-TLS-enabled applications to be used over a TLS-protected link: here, the authentication is from/to the proxy rather than the application.
  • Page 129: Operational

    1. Both Left and Right Administrators log on. 2. Click the Secure State. 3. Click the TLS Management tab. 4. Select or drag and drop the file. 5. Click Next. 6. Continue as prompted.
  • Page 130: Local Master Keys

    LMKs provide separation between different types of keys to ensure that keys can be used only for their intended purpose. The payShield 10K supports two types of LMK, both of which provide key separation: • Variant LMKs. These are double- or triple-length Triple-DES keys and provide key separation by encrypting different types of key with different variants of the LMK.
  • Page 131 By design, when you created your Left and Right LMK cards, no data is stored on the cards. The Left and Right LMK cards are used for things that do store data on cards.
  • Page 132 3. Click Generate. The Generate LMK screen displays showing the default settings.
  • Page 133 4. Enter your preferred settings from the drop-downs: 5. Click Next.
  • Page 134 6. Click Next. 7. Insert your Smart Card into the card reader, enter the PIN, and press OK. 8. Click Next.
  • Page 135 9. Remove your Smart Card from the card reader. 10. Insert the second Smart Card into the card reader. 11. Enter your PIN and press OK. 12. Click OK. 13. Remove the Smart Card from the card reader.
  • Page 136 15. Enter the LMK Parameters. 16. Click Next. 17. Click your preferences or use the default settings.
  • Page 137 18. Click Next. 19. Follow the prompt and insert the first LMK card. 20. Enter your PIN and press OK. 21. Insert the next LMK card, enter your PIN and press OK. 22. Click Next to install the LMK.
  • Page 138 23. Remove the Smart Card from the reader. 24. Click OK.
  • Page 139: Verify An Lmk Card

    8.8.1.3 Create an Authorizing Card When in Offline or Secure state, you can create an Authorizing Card (used to enter Authorized state) for an RLMK card. Prerequisite: The payShield 10K is in the Offline or Secure state.
  • Page 140: Duplicate An Lmk Card

    6. Remove the Authorizing Card upon completion. 7. Click OK. 8.8.1.4 Duplicate an LMK Card Prerequisite: The payShield 10K is in the Secure state. 1. Click Duplicate Card. A system prompt displays. 2. Insert the RLMK card that you wish to duplicate.
  • Page 141: Install An Lmk From Rlmk Card Set

    2. Follow the prompts and enter the following information about the new LMK: • Number of LMK shares (Default: 2) • Number of shares to rebuild (Default: 2) • Key scheme (Variant or Key Block) •...
  • Page 142: Replace An Installed Lmk

    Note: You cannot delete the current Default LMK without first assigning a new Default LMK. 8.8.1.8 Replace an installed LMK Prerequisite: The payShield 10K is in the Secure state. Click the button next to the LMK you wish to replace.
  • Page 143: Set The Management Lmk

    Prerequisite: The payShield 10K is in the Secure state. 1. Click the button next to the LMK that you want to make the Default LMK. 2. Click Set Default. 3. When prompted to confirm, click OK.
  • Page 144: Enter Authorized State

    8.8.1.11 Enter Authorized State Authorized State is a mode of operation of the HSM that permits one or more specified sensitive functions to be performed. It requires two Authorizing Officers using their Smart Cards and PINs to confirm the activity.
  • Page 145: Single Authorization Mode

    8.8.1.12 Single Authorization Mode You will be prompted to enter a card containing the first of the LMK’s authorizing PINs. Insert the card and enter the PIN. You will then be prompted to enter a card containing the second of the LMK’s authorizing PINs. Insert the card and enter the PIN.
  • Page 146: Delete An Installed Lmk

    Specify the ID for the old LMK as well as a brief comment describing the LMK and click “Next”. Insert the RLMK card containing the first LMK share for the LMK and enter the card’s PIN. Continue inserting LMK share cards when prompted until the entire LMK has been read from the card set.
  • Page 147: Domain

    8.9 Domain
  • Page 148: Payshield Security Group

    8.9.1 payShield Security Group In this tab, you can control which RACCs are usable as Left, Right and Restricted Key Cards. Each section provides a list of all card serial numbers that are usable as that type of card. To remove a card, click the minus icon next to the card you want to remove.
  • Page 149: Security Domain

    8.9.2 Security Domain In this tab, you control the domain and cards. Additionally, a table is displayed showing information on the loaded certificates. The following sections describe the available operations. 8.9.2.1 Commission a Smart Card When you commission a Smart Card, you are adding it to a security domain.
  • Page 150 You are logged on in the Secure state. 1. Navigate to: Domain > Security Domain 2. Click Commission Card.
  • Page 151 3. Insert one card from your existing CTA into the card reader. Note: You must move efficiently, as this operation will time out. 4. Click Next. 5. Click Next. 6. Click Next.
  • Page 152 7. Click Next.
  • Page 153 8. Click Next. 9. Click Next. 10. Enter your PIN and press OK.
  • Page 154: Decommission A Card

    11. Enter the new PIN two times followed by OK. Note: Follow this link, should you need to return to: Section 3.6, “Migrate LMK Cards to become RLMK Cards”, on page 463.
  • Page 155 This tab is used to change the Administrator passphrases for the HRK. To change a passphrase, click “Change HRK Passphrase”. In the table, specify which Administrator you want to change the passphrase for, use the keyboard to enter the current passphrase, use the keyboard to enter the new passphrase twice in the appropriate boxes, and click “Next”.
  • Page 156: Configuration

    8.10 Configuration Note: Presence of a lock icon indicates the setting/action requires proper authorization.
  • Page 157: Host Settings

    8.10.1 Host Settings Host Message Header Length: Each transaction to the HSM begins with a string of characters (header), which the Host can use to identify the transaction (or for any other purpose). The HSM returns the string unchanged to the Host in the response message.
  • Page 158: Ethernet

    8.10.3 Ethernet The payShield provides 2 Host Ethernet interfaces and allows the port speed and duplex setting to be set independently. The HSM's Host Ethernet interfaces support the delivery of Host commands via TCP/IP or UDP/IP.
  • Page 159 8.10.3.1 IP In this section, network settings may be set up for each Ethernet interface provided the unit is in offline or secure state. You may enable each interface independently using the “Enabled” check box. You must have at least one interface enabled when Ethernet is the selected Active Host Interface.
  • Page 160: Access Control List (Acl)

    – When DHCP is not employed, a static IP address for the payShield 10K’s Host port may be specified. This must be a unique IP address on the Host network. –...
  • Page 161: Tcp/Udp

    – Example: 192.168.1.5
    • Ranges – A range of addresses consisting of a starting address and an ending address.
    – Example: 192.168.1.5 / 192.168.1.10
    • Masks – A range of addresses consisting of a base address and a subnet mask.
  • Page 162: Tls

    – The amount of time (in seconds) that an idle connection should be kept open. Table 5 Port Settings: Port | Protocol | Purpose. xxxx | TCP/UDP | Well-known port for command traffic between host and payShield, as defined in host port parameters.
  • Page 163: Printer Settings

    8.10.3.5 Printer Settings You may alter the configuration of connected printers when the unit is in offline or secure state and there is at least one parallel or serial USB adapter attached to the HSM that has not been designated as a Host Interface, by adjusting the settings explained below and selecting the “Apply”...
  • Page 164 • Delay – The time to wait before attempting to communicate with the printer. • Line Feed Order – May be either standard (<LF><CR>) or reversed (<CR><LF>). •...
  • Page 165: Security Settings

    8.10.4 Security Settings You may alter the security configuration of the unit when it is in a secure state by adjusting the settings explained below and selecting the “Apply” button to commit the changes to the HSM. Note that changing any settings in the “Initial”...
  • Page 166
  • Page 167: Security Parameter Descriptions

    8.10.4.1 Security Parameter Descriptions Refer to the payShield 10K Security Manual for a full description of the security parameters and their settings. 8.10.5 Management Settings You may alter the management settings when the HSM is in the offline or secure state. Select the “Apply” button to commit the changes to the HSM.
  • Page 168 HSM interface. • IP address: – When DHCP is not employed, you may specify a static IP address for the payShield 10K’s management port. This must be a unique IP address on the management network. – Example: 192.168.002.010 •...
  • Page 169: Management - Timeouts

    8.10.5.2 Management - Timeouts This tab allows for configuration of the different timeout options for management sessions. • Default Inactivity Timeout: – This timeout is triggered when the payShield Manager detects no user activity. After the configured time has elapsed, the inactive user will be automatically logged out.
  • Page 170 8.10.5.3 Management - TLS Certificate This is the certificate that was created when establishing the security domain (CTA). 8.10.6 General Settings General Settings include tabs for: • PIN Blocks •...
  • Page 171 8.10.6.1 General - PIN Blocks – This tab allows you to select which PIN Block formats should be enabled on the HSM when in offline or secure state. A Host system would typically not use all the PIN Block formats supported by the HSM. A simple but effective method of locking down the HSM is to disable (un-check) all unused PIN block formats: the subsequent use of a disabled format would result in an error code (69) being returned.
  • Page 172 10K from executing Host commands or console commands which require an LMK to be present. – Once the stimulus that triggered the alarm has ended, the payShield 10K will need to be rebooted to clear the tamper state and allow the LMKs to be reloaded. –...
  • Page 173 – The anti-theft feature relies on tilt angle for determining when to trigger a tamper. Motion Sensor hardware filter settings: • Low Sensitivity - 171 milli-g • Medium Sensitivity - 65 milli-g • High Sensitivity - 25 milli-g The Motion sensor activity time is 6 ticks @50Hz (.12 seconds)
  • Page 174 – Logging Only: The Health Check data will show how often the limits have been exceeded (if gathering of Health Check statistics is enabled). An entry is also made in the Audit Log when any of the limits is exceeded.
  • Page 175 8.10.7 Configure Commands New commands are added to the HSM software on a regular basis. Old commands are rarely removed. As far as is possible, the HSM maintains backward compatibility with existing systems. A side effect is that Host systems tend to use a subset of the commands actually provided by the HSM, leaving many commands unused.
  • Page 176 After making changes, press the “Apply” button to commit the changes to the HSM.
  • Page 177 The UI will generate a SHA-256 hash over the set of available commands. You can use an offline tool to compute the hash and compare it with the value displayed to ensure that two or more HSMs have the same set of commands available.
  • Page 178 You may also set the audit counter value. Note: Notification is provided when the audit log is 80%, 95% and 100% full. Note: Typically, you do not audit commands that run all the time.
  • Page 179 8.10.8.3 Audit - Host Commands It is possible to audit any of the Host commands available in the HSM’s license. Activities can be enabled or disabled by checking or un-checking the appropriate box(es). Checked items are enabled; unchecked items are disabled.
  • Page 180 8.10.8.4 Audit - Management Commands In the Manager tab, you may enable auditing of all HSM Manager events, such as logins, state changes and configuration changes.
  • Page 181 8.10.9 SNMP Settings This section allows you to configure the SNMP settings of the HSM when the unit is in any state. SNMP can be used to retrieve the following information on demand from the HSM: –...
  • Page 182 – To delete a User, simply click the minus icon next to that user. Note: SNMP MIB-2 system values corresponding to MIB2system values in console SNMP command (sysName, sysDescr, sysLocation, sysContact) can be set under General Settings ->...
  • Page 183 The following commands may not be used in the virtual console: A, CO, DC, EJECT, FC, GK, GS, LK, LO, NP, RC, RS, SS, VC, XA, XD, XE, XH, XI, XK, XR, XT, XX, and XZ.
  • Page 184
  • Page 185 This chapter outlines the migration process. 9.2 Multiple LMKs By default, the payShield 10K is delivered with the ability to install one or two LMKs. If two LMKs are installed, one must be a Variant type and one must be a Key Block type.
  • Page 186 9.4 Generating new LMK component Smart Cards LMKs are set up in the payShield 10K by loading a number (typically 3) of components which are then combined within the HSM to form the LMK. (The formed LMK is never available outside of the HSM.) The LMK components are loaded from LMK Smart Cards.
  • Page 187 Follow this link for additional instruction: Appendix , “Console Commands” 9.5.2 payShield Manager LMK Cards With payShield Manager, the LMK components are written to RLMK cards which are provided by Thales. RLMK cards do not require formatting.
  • Page 188 9.6 Generating LMK Component Cards 9.6.1 HSM LMK Cards Each component holder should now generate a component and write it to their Smart Card and backup card(s). This is done using the GK console command.
  • Page 189 LN console command if the new LMK is to be loaded into LMK Key Change storage. The payShield 10K must be in the Secure state. In addition, if the LN console command is being used, then the HSM must be in the Authorized state. If multiple authorized states are enabled, the activity category is admin (with no subcategory), and the console interface should be selected.
  • Page 190 Appendix , “Console Commands” The payShield 10K must be in Secure state. In addition, the HSM must be in Authorized state. If multiple authorized states are enabled, the activity category is admin (with no sub-category), and the console interface should be selected.
  • Page 191 After loading the old LMK, the HSM should be returned to Online state by turning the physical keys. 9.9.2 Using payShield Manager The old LMK is loaded using the Install button in payShield Manager's Operational > LMK Operations > Key Change Storage tab.
  • Page 192 Length & Field Type Notes Message Header This field contains whatever the user wants. The length of the field is defined using the CH console command or Configuration / Host Settings in payShield Manager. It is subsequently returned unchanged in the response to the host.
  • Page 193 Length & Field Type Notes Key Scheme (LMK) Optional. Key scheme for encrypting key under LMK (or '0' (zero)). Reserved Optional. If present must be '0' (zero). Delimiter Value '%'. Optional; if present, the following field must be present.
  • Page 194 9.10.2 BX Response to the Host In response to the BW host command, the payShield 10K returns the following BX response to the host: Length & Field Type...
  • Page 195 9.11 Migrating keys from Variant to Key Block LMKs Key Block LMKs provide additional security compared to Variant LMKs. The BW host command already described for Variant LMK > Variant LMK migration can also be used for Variant LMK >...
  • Page 196 Length & Field Type Notes Key Usage The required key usage for the key encrypted under the Key Block LMK. This information is included in the Key Block header and should be determined using the Key Usage Table.
  • Page 197 9.11.2 BX Response to the Host In response to the BW host command, the payShield 10K returns the following BX response to the host: Length & Field Type Notes Message (As for Variant LMK...
  • Page 198 9.12 Migrating keys between Key Block LMKs Migration of operational keys between Key Block LMKs is supported in addition to the Variant LMK > Variant LMK and Variant LMK > Key Block LMK migrations already described. This section describes the BW host command when used for this purpose.
  • Page 199 Message Trailer (As for Variant LMK > Key Block LMK) 9.12.2 BX Response to the Host In response to the BW host command, the payShield 10K returns the following BX response to the host: Length & Field Type Notes...
  • Page 200 9.14 Migrating keys for PCI HSM compliance When it is required to make a payShield 10K compliant with the requirements of the PCI PTS HSM security standard, it may be necessary to move some keys from Variant key type 002 (LMK pair 14-15, Variant 0) to other key types.
  • Page 201 Length & Field Type Notes LMK Identifier Where the user is using multiple LMKs on the same HSM, this allows the required LMK to be selected. Minimum value = '00'; maximum value is defined by license. This field must be present if the above Delimiter (%) is present.
  • Page 202 Message Trailer Optional. The contents of the trailer are as required by the user, and are returned unchanged in the response. Maximum length 32 characters. The payShield 10K returns the following LP response to the host: Length & Field Type...
  • Page 203 Length & Field Type Notes Error code Indicating the general outcome of the LO command: '00' : No error '68' : Command disabled or any standard error code Decimalisation table 16 H The decimalisation table encrypted under the new LMK.
  • Page 204 HSM is using the old or new LMK and must retrieve the key or data from the appropriate database. The use of the Multiple LMK feature of the payShield 10K offers additional options, and is described in the following section.
  • Page 205 The LMK in Key Change Storage should be deleted once it is no longer needed. There are multiple ways of doing this. 9.19.1.1 Using the console The LMK can be deleted from Key Change Storage using the DO console command. The payShield 10K must be in Secure state. 9.19.1.2 Using payShield Manager The LMK is deleted using the button displayed against the LMK in payShield Manager's Operational >...
  • Page 206 Length & Field Type Notes Delimiter Value '%'. Optional; if present, the following field must be present. LMK Identifier Where the user is using multiple LMKs on the same HSM, this allows the host to select which Old LMK is to be deleted.
  • Page 207 9.19.2.1 Console LMK deletion is achieved using the DM console command. This command requires Secure state and authorization - in a multiple authorized state environment, the activity to be authorized is “admin.console”. Note that the DM console command also deletes the relevant old key in Key Change Storage, avoiding the need to do this separately.
  • Page 208
  • Page 209 Appendix A - Console Commands The payShield 10K provides over 80 console commands. All console commands are enabled by default. Note: In contrast, all Host commands are disabled by default. Refer to the payShield 10K Host Command Manual. • Enabling and disabling console commands: Command syntax: <+ or ->...
  • Page 210 Appendix Contents Console Commands – Listed Alphabetically ................212 Configuration Commands ..................... 216 Reset to Factory Settings (RESET)..................217 Upload Software and Licenses (UPLOAD) ................219 Configure Commands (CONFIGCMDS) ................221 Configure PIN Block Formats (CONFIGPB) ................223 Configure Security (CS) ......................
  • Page 211 Trace TCP/IP route (TRACERT) .................... 286 View/Reset Utilization Data (UTILSTATS) ................288 View/Reset Health Check Counts (HEALTHSTATS) ............. 290 Local Master Keys ......................291 Types of LMKs ........................... 291 Multiple LMKs ..........................291 LMK Commands ......................293 Generate LMK Component(s) (GK)..................
  • Page 212 Form Key from Components (FK) ..................367 Generate Key (KG) ........................ 374 Import Key (IK) ........................378 Export Key (KE) ........................382 Generate a Check Value (CK)....................386 Set KMC Sequence Number (A6) ..................388 Payment System Commands ....................
  • Page 213 View Installed Certificate(s) (SV) .................... 435 Delete Installed Certificate(s) (SD) ..................438 Generate HRK (SK) ....................... 439 Change HRK Passphrase (SP) ....................440 Restore HRK (SL) ........................441 KMD Support Commands ..................... 442 Generate KTK Components (KM) ..................443 Install KTK (KN) ........................
  • Page 214: Console Commands - Listed Alphabetically

    Console Commands – Listed Alphabetically Command Function Page Enter the Authorized State Authorize Activity Configure Fraud Detection Set KMC Sequence Number Re-enable PIN Verification AUDITLOG Display the Audit Log AUDITOPTIONS Audit Options Cancel the Authorized State...
  • Page 215 Encrypt Clear Component Encrypt Decimalization Table EJECT Eject a Smartcard ERRLOG Display the Error Log Format an HSM Smartcard Form Key from Components Generate Key Component GETCMDS View Available Commands GETTIME Query the Time and Date...
  • Page 216 Generate a VISA PIN Verification Value View Auxiliary Port Configuration View Host Port Configuration View Alarm Configuration View Management Port Configuration View Printer Port Configuration View Security Configuration Load the Diebold Table Read Unidentifiable Smartcard Details...
  • Page 217 TRAPDEL Delete an SNMP Trap UTILCFG View/Change Instantaneous Utilization Period UTLENABLE Suspend/Resume Collection of Utilization Data UTILSTATS View/Reset Utilization Data UPLOAD Upload Software and Licenses Verify LMK Store View Authorized Activities Verify the Contents of a Smartcard...
  • Page 218: Configuration Commands

    Configuration Commands: The payShield 10K provides the following console commands to support configuration operations (Command / Page): Reset to Factory Settings (RESET); Upload Software and Licenses (UPLOAD); Configure Commands (CONFIGCMDS); Configure PIN Block Formats (CONFIGPB)
  • Page 219: Reset To Factory Settings (Reset)

    Function: Returns the HSM to the state it was in when it was shipped from the factory, so that it can be securely taken out of service – e.g. for return to Thales for repair. Any configuration changes (including port settings) that the customer has applied will be reversed, and any customer data and logs will be erased.
  • Page 220 Example 1: Secure> RESET <Return> Reset HSM to factory settings? [Y/N]: Y <Return> The unit is currently in its factory default state: NO Resetting the unit will remove all customer data, including logs, port settings, keys, etc.
  • Page 221: Upload Software And Licenses (Upload)

    Variant  Key Block  Online  Offline  Secure  Upload Software and Licenses (UPLOAD) Command: UPLOAD Authorization: Not required Function: With this command, you can upload new software and new licenses from the console.
  • Page 222 Example 2: Secure> UPLOAD <Return> Please select one of the following options: 1) Software update 2) Install new license Your selection: 2 <Return> Attached USB Mass storage devices: Ultra USB 3.0 The following License files are available: C4665271228Q.licence...
  • Page 223: Configure Commands (Configcmds)

    Variant  Key Block  Online  Offline  Secure  Configure Commands (CONFIGCMDS) Command: CONFIGCMDS Authorization: Not required Function: To view the list of enabled host and console commands, and (if in secure state) to enable or disable host and console commands.
  • Page 224 List of enabled Host commands: A0 A4 GG GY List of enabled Console commands: Enter command code (e.g. +CDE) or Q to Quit: +CDE <Return> List of enabled Host commands: A0 A4 GG GY List of enabled Console commands: Enter command code (e.g.
  • Page 225: Configure Pin Block Formats (Configpb)

    Variant  Key Block  Online  Offline  Secure  Configure PIN Block Formats (CONFIGPB) Command: CONFIGPB Authorization: Not required Function: To view the list of enabled PIN block formats, and (if in secure state) to enable or disable individual PIN block formats.
  • Page 226 47 – ISO 9564-1 & ANSI X9.8 format 3 48 – ISO 9564-1 PIN Block Format 4 (AES) Enter + or – followed by PIN Block format or Q to Quit: Q <Return> Save PIN BLOCK settings to smart card? [Y/N]: Y <Return>...
  • Page 227: Configure Security (Cs)

    Variant  Key Block  Online  Offline  Secure  Configure Security (CS) Command: CS Authorization: Not required Function: To set the security configuration of the HSM and some processing parameters. CS converts all lower-case alpha values to upper case for display purposes, except for the Card issuer Password.
  • Page 228 • Enable use of Tokens in PIN Verification? [Y/N]: Y or N • Allow Error light to be extinguished when viewing Error Log? [Y/N]: Y or N • Ensure LMK Identifier in command corresponds with host port? [Y/N]: Y or N •...
  • Page 229 Example 1: Erasing LMKs not selected by the user. Secure> CS <Return> PIN Length [4-12]: 8 <Return> Echo [oN/ofF]: N <Return> Atalla ZMK variant support [oN/ofF]: F <Return> Transaction Key Scheme: Racal, Australian or None [R/A/N]: N <Return>...
  • Page 230 Management LMK identifier [0-4](0): <Return> LMKs must be erased before remaining parameters can be set Erase LMKs? [Y/N]: Y <Return> Enforce Atalla variant match to Thales key type? [Y/N](YES): <Return> Select clear PINs? [Y/N](YES): <Return> Enable ZMK translate command? [Y/N](YES): <Return>...
  • Page 231 Key export and import in trusted format only? [Y/N](NO): <Return> Protect MULTOS cipher data checksums? [Y/N](YES): <Return> Enable Key Scheme Tag 'X' (X9.17) for storing keys under LMK? [Y/N](NO): <Return> Enable use of Tokens in PIN Translation? [Y/N](NO): <Return>...
  • Page 232 Example 3: Final setting affecting PCI HSM compliance is about to be set to compliant value. The user is specifying a different card issuer software. Secure> CS <Return> Please make a selection. The current setting is in parentheses.
  • Page 233 [Y/N](NO): <Return> Enable use of Tokens in PIN Translation? [Y/N](NO): <Return> Enable use of Tokens in PIN Verification? [Y/N](NO): <Return> Allow Error light to be extinguished when viewing Error Log? [Y/N](NO): <Return> Ensure LMK Identifier in command corresponds with host port? [Y/N](NO): <Return>...
  • Page 234 Secure> Example 4: All settings affecting PCI HSM compliance have compliant values. Secure> CS <Return> Please make a selection. The current setting is in parentheses. Press ENTER to keep the current setting. PIN length [4-12](4): <Return>...
  • Page 235 Enable use of Tokens in PIN Verification? [Y/N](NO): <Return> Allow Error light to be extinguished when viewing Error Log? [Y/N](NO): <Return> Ensure LMK Identifier in command corresponds with host port? [Y/N](NO): <Return> Ignore LMK ID in Key Block Header? [Y/N](NO): <Return>...
  • Page 236: View Security Configuration (Qs)

    Variant  Key Block  Online  Offline  Secure  View Security Configuration (QS) Command: QS Authorization: Not required Function: Reports the security configuration of the HSM and some processing parameters, plus the LMK check value.
  • Page 237 Example 1: Settings affecting PCI HSM compliance do not all have compliant values. Online> QS <Return> PIN length: 04 Encrypted PIN length: 05 Echo: OFF Atalla ZMK variant support: OFF Transaction key support: NONE...
  • Page 238 Card/password authorization (local): C Restrict PIN block usage for PCI HSM Compliance: NO Enforce key type 002 separation for PCI HSM compliance: NO Enforce Authorization Time Limit: YES Enforce Multiple Key Components: YES Enforce PCI HSMv3 Key Equivalence for Key Wrapping: YES...
  • Page 239 Example 2: Settings affecting PCI HSM compliance have compliant values. Online> QS <Return> PIN length: 04 Encrypted PIN length: 05 Echo: OFF Atalla ZMK variant support: OFF Transaction key support: NONE User storage key length: SINGLE...
  • Page 240 Enforce minimum key strength of 1024-bits for RSA signature verification: YES Enforce minimum key strength of 2048-bits for RSA: YES Online> ©Thales Group Page 238 All Rights Reserved...
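    As an added example (not part of the manual or of Thales software), the following Python script parses a captured QS listing and reports every setting that is not at the value required for PCI HSM compliance, so the check that Examples 1 and 2 above make by eye can run from an automation host. The setting names are the ones printed by QS on the pages above; the required values in PCI_HSM_REQUIRED (YES for each "Enforce..." and "Restrict..." line) are an assumption drawn from those two examples, and the sample listing is constructed to mirror Example 1.

```python
"""Check a captured QS listing against the values required for PCI HSM
compliance.  Added example: not code from the manual or from Thales.
The required values are an assumption derived from QS Examples 1 and 2;
the sample listing below is constructed to mirror Example 1."""
from typing import Dict, List, Tuple

# Assumed compliant values for the PCI HSM related settings QS prints.
PCI_HSM_REQUIRED: Dict[str, str] = {
    "Restrict PIN block usage for PCI HSM Compliance": "YES",
    "Enforce key type 002 separation for PCI HSM compliance": "YES",
    "Enforce Authorization Time Limit": "YES",
    "Enforce Multiple Key Components": "YES",
    "Enforce PCI HSMv3 Key Equivalence for Key Wrapping": "YES",
    "Enforce minimum key strength of 1024-bits for RSA signature verification": "YES",
    "Enforce minimum key strength of 2048-bits for RSA": "YES",
}

Finding = Tuple[str, str, str]   # (setting, actual value, required value)


def parse_qs_output(text: str) -> Dict[str, str]:
    """Map each 'Setting: value' line to a dict entry.  Prompt and command
    echo lines such as 'Online> QS <Return>' contain no colon and are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip().upper()
    return settings


def check_pci_hsm(settings: Dict[str, str],
                  required: Dict[str, str] = PCI_HSM_REQUIRED) -> List[Finding]:
    """Return every required setting that is absent or not at its required value."""
    findings: List[Finding] = []
    for name, want in required.items():
        have = settings.get(name, "MISSING")
        if have != want:
            findings.append((name, have, want))
    return findings


def report(text: str) -> str:
    """Human-readable summary for a captured QS listing."""
    findings = check_pci_hsm(parse_qs_output(text))
    if not findings:
        return "all PCI HSM settings at required values"
    return "\n".join(f"{name}: is {have}, required {want}"
                     for name, have, want in findings)


# Constructed sample, mirroring QS Example 1 (two non-compliant settings).
SAMPLE_QS_OUTPUT = """\
Online> QS <Return>
PIN length: 04
Encrypted PIN length: 05
Echo: OFF
Atalla ZMK variant support: OFF
Transaction key support: NONE
Card/password authorization (local): C
Restrict PIN block usage for PCI HSM Compliance: NO
Enforce key type 002 separation for PCI HSM compliance: NO
Enforce Authorization Time Limit: YES
Enforce Multiple Key Components: YES
Enforce PCI HSMv3 Key Equivalence for Key Wrapping: YES
Enforce minimum key strength of 1024-bits for RSA signature verification: YES
Enforce minimum key strength of 2048-bits for RSA: YES
Online>
"""

if __name__ == "__main__":
    print(report(SAMPLE_QS_OUTPUT))
```

    A setting that QS does not print at all is reported as MISSING rather than silently passed, so a firmware that renames a line shows up as a finding instead of a false pass.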
  • Page 241: Configure Host Port (Ch)

    The HSM must be in the offline or secure state to run this command. • If settings relating to Secure Host Communications (TLS) or Access Control Lists are to be changed, the payShield 10K must be in Secure state. •...
  • Page 242 Example 1: In this example, Ethernet communications using TCP/IP and TLS are selected – all types of traffic are allowed. The IP addresses are set up as static, manually-entered addresses. Access Control Lists are to be used, and will be set up using the CONFIGACL console command.
  • Page 243 100BaseTX half-duplex 100BaseTX full-duplex 1000BaseT half-duplex 1000BaseT full-duplex Speed setting (4): 6 <Return> Save HOST settings to smart card? [Y/N]: N <Return> Secure> Example 2: In this example, Ethernet communications using TLS is enabled - but UDP, and unprotected TCP are not allowed (i.e.
  • Page 244: View Host Port Configuration (Qh)

    Variant  Key Block  Online  Offline  Secure  View Host Port Configuration (QH) Command: QH Authorization: Not required Function: To display details of the Host port configuration of the HSM. Authorization: This command does not require any authorization.
  • Page 245 Example 1: In this example, Ethernet communications using TCP/IP and TLS are selected – all types of traffic are allowed. The IP addresses are set up as static, manually-entered addresses. Access Control Lists are to be used, and will be set up using the CONFIGACL console command.
  • Page 246 Port speed: 1000baseT full-duplex Online>
  • Page 247: Host Port Access Control List (Acl) Configuration (Configacl)

    Variant  Key Block  Online  Offline  Secure  Host Port Access Control List (ACL) Configuration (CONFIGACL) Command: CONFIGACL Authorization: Not required Function: To display and amend the Access Control Lists (ACLs) for the HSM's host ports.
  • Page 248 Example 1: In this example, only one host interface has been configured in the CH command. There are no existing ACL entries. The user sets up a single address ACL entry, then adds a mask ACL entry, then adds a range ACL entry, and finally deletes the single address ACL entry.
  • Page 249 10.10.40.0 to 10.10.40.255 (Mask:255.255.255.0) Add/Delete/Quit [A/D/Q]: D <Return> Entry to delete [1/3]: 1 <Return> Access control list for Interface 1: Single: None Range: 192.168.0.0 to 192.168.0.92 Mask: 10.10.40.0 to 10.10.40.255 (Mask:255.255.255.0) Add/Delete/Quit [A/D/Q]: Q <Return>...
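    As an added example (not part of the manual or of Thales software), the Python below models the three CONFIGACL entry types shown in Example 1, parses the "Access control list for Interface n:" listing the console prints, and decides whether a given host address would be accepted. It lets an operator confirm, before putting the HSM online, that the application servers match an entry and that nothing else does. Two points the page does not state are assumptions here: a host is accepted when it matches any entry, and an empty list imposes no restriction. The sample listing is constructed to mirror the final display in Example 1.

```python
"""Host-port ACL matching in the shape of the CONFIGACL display
(Single / Range / Mask entries).  Added example: not code from the manual
or from Thales.  Assumptions: any matching entry accepts the host, and an
empty list does not restrict.  Sample listing below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

IPv4 = ipaddress.IPv4Address

# "a.b.c.d to e.f.g.h" as printed for Range and Mask entries
_TO = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+to\s+(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass(frozen=True)
class AclEntry:
    kind: str      # "single", "range" or "mask"
    first: IPv4
    last: IPv4

    def contains(self, host: IPv4) -> bool:
        return self.first <= host <= self.last


def single(addr: str) -> AclEntry:
    a = IPv4(addr)
    return AclEntry("single", a, a)


def addr_range(first: str, last: str) -> AclEntry:
    a, b = IPv4(first), IPv4(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return AclEntry("range", a, b)


def masked(addr: str, mask: str) -> AclEntry:
    # strict=False lets any address inside the subnet stand for the subnet;
    # a non-contiguous mask is rejected by ipaddress with ValueError.
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return AclEntry("mask", net.network_address, net.broadcast_address)


def parse_acl_display(text: str) -> List[AclEntry]:
    """Turn the 'Access control list for Interface n:' listing into entries."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        label, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep or value in ("", "None"):
            continue                      # title line or an empty category
        label = label.strip().lower()
        if label == "single":
            entries.append(single(value))
        elif label in ("range", "mask"):
            m = _TO.match(value)          # trailing "(Mask:...)" is display only
            if m is None:
                raise ValueError(f"unrecognised {label} entry: {raw!r}")
            entries.append(AclEntry(label, IPv4(m.group(1)), IPv4(m.group(2))))
    return entries


def is_host_allowed(acl: List[AclEntry], host: str) -> bool:
    if not acl:
        return True                       # assumption: no entries, no filtering
    h = IPv4(host)
    return any(entry.contains(h) for entry in acl)


# Constructed sample, mirroring the final listing of CONFIGACL Example 1.
SAMPLE_ACL_DISPLAY = """\
Access control list for Interface 1:
Single: None
Range: 192.168.0.0 to 192.168.0.92
Mask: 10.10.40.0 to 10.10.40.255 (Mask:255.255.255.0)
"""

if __name__ == "__main__":
    acl = parse_acl_display(SAMPLE_ACL_DISPLAY)
    for host in ("192.168.0.50", "192.168.0.93", "10.10.40.200", "10.10.41.1"):
        print(host, "allowed" if is_host_allowed(acl, host) else "rejected")
```

    Run against the real QH/CONFIGACL output, the same parser gives a quick regression check after a CH or CONFIGACL change: feed it the new listing and assert that each expected host is still allowed and each test address outside the estate is rejected.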
  • Page 250: Configure Printer Port (Cp)

    Variant  Key Block  Online  Offline  Secure  Configure Printer Port (CP) Command: CP Authorization: Not required Function: To select and configure a connection to a printer attached to the HSM via a USB port.
  • Page 251 Example 1: This example demonstrates the configuration of a printer attached to the HSM via a USB-to-serial cable. Offline> CP <Return> Reverse the <LF><CR> order? [Y/N]: N <Return> The following possible printer devices were found in the system: 0.
  • Page 252 Print test page? [Y/N]: Y <Return> Offline> Example 2: This example demonstrates the configuration of a printer attached to the HSM via a USB-to-parallel cable. Offline> CP <Return> Reverse the <LF><CR> order? [Y/N]: N <Return>...
  • Page 253: View Printer Port Configuration (Qp)

    Variant  Key Block  Online  Offline  Secure  View Printer Port Configuration (QP) Command: QP Authorization: Not required Function: To display details of the HSM's printer configuration. Authorization: This command does not require any authorization.
  • Page 254 Timeout: 1000 milliseconds Delay: 0 milliseconds Print test page? [Y/N]: N <Return> Online>
  • Page 255: Configure Management Port (Cm)

    Variant  Key Block  Online  Offline  Secure  Configure Management Port (CM) Command: CM Authorization: Not required Function: To configure the Management port, which is an Ethernet port used only for management of the HSM. If connection to the host is via Ethernet then the Ethernet host port is used for that purpose.
  • Page 256 that the Management TLS certificate is regenerated. Continuing will cause the certificate to be regenerated under the Customer Trust Authority. If you require an externally signed Management TLS certificate you will need to regenerate a CSR, have it signed and imported.
  • Page 257: View Management Port Configuration (Qm)

    Variant  Key Block  Online  Offline  Secure  View Management Port Configuration (QM) Command: QM Authorization: Not required Function: To display details of the Management port parameters. Authorization: This command does not require any authorization.
  • Page 258: Configure Auxiliary Port (Ca)

    Variant  Key Block  Online  Offline  Secure  Configure Auxiliary Port (CA) Command: CA Authorization: Not required Function: To configure the Auxiliary port, which is an Ethernet port currently used only for transmission of SNMP traffic from the HSM.
  • Page 259 Example 2: In this example, the auxiliary port has its IP address set up automatically by a DHCP server. Secure> CA <Return> Auxiliary Ethernet Interface: IP Configuration Method? [D]HCP or [S]tatic (DHCP): <Return> Network Name (B4665271226O-Aux): HSM-Aux <Return>...
  • Page 260: View Auxiliary Port Configuration (Qa)

    Variant  Key Block  Online  Offline  Secure  View Auxiliary Port Configuration (QA) Command: QA Authorization: Not required Function: To display details of the Auxiliary port parameters. Authorization: This command does not require any authorization.
  • Page 261: Configure Alarms (Cl)

    Variant  Key Block  Online  Offline  Secure  Configure Alarms (CL) Command: CL Authorization: Not required Function: To enable or disable the motion alarm. The temperature alarm is permanently enabled. The HSM alarm circuitry typically needs to be turned off if the HSM is to be moved.
  • Page 262: View Alarm Configuration (Ql)

    Variant  Key Block  Online  Offline  Secure  View Alarm Configuration (QL) Command: QL Authorization: Not required Function: To display details of the alarm configuration of the HSM. Authorization: This command does not require any authorization.
  • Page 263: View/Change Instantaneous Utilization Period (Utilcfg)

    Variant  Key Block  Online  Offline  Secure  View/Change Instantaneous Utilization Period (UTILCFG) Command: UTILCFG Authorization: Not required Function: To display the current setting of the period over which utilization statistics are to be collected when Instantaneous Utilization Data is requested.
  • Page 264: Suspend/Resume Collection Of Utilization Data (Utilenable)

    Variant  Key Block  Online  Offline  Secure  Suspend/Resume Collection of Utilization Data (UTILENABLE) Command: UTILENABLE Authorization: Not required Function: To suspend or resume the collection of Utilization Data and the incrementing of the count of seconds over which the data is being collected.
  • Page 265: Suspend/Resume Collection Of Health Check Counts (Healthenable)

    Variant  Key Block  Online  Offline  Secure  Suspend/Resume Collection of Health Check Counts (HEALTHENABLE) Command: HEALTHENABLE Authorization: Not required Function: To suspend or resume the collection of Health Check counts. This allows data collection to be suspended if, for example, data is not required.
  • Page 266: View Snmp Settings (Snmp)

    Variant  Key Block  Online  Offline  Secure  View SNMP Settings (SNMP) Command: SNMP Authorization: Not required Function: To display the current SNMP settings, and to enable/disable provision of Utilization and Health Check data via SNMP.
  • Page 267: Add An Snmp User (Snmpadd)

    Variant  Key Block  Online  Offline  Secure  Add an SNMP User (SNMPADD) Command: SNMPADD Authorization: Not required Function: Add an SNMP User (for SNMP version 3). • Authorization: The HSM does not require any authorization to run this command.
  • Page 268: Delete An Snmp User (Snmpdel)

    Variant  Key Block  Online  Offline  Secure  Delete an SNMP User (SNMPDEL) Command: SNMPDEL Authorization: Not required Function: Delete an SNMP User. • Authorization: The HSM does not require any authorization to run this command.
  • Page 269: Configure Snmp Traps (Trap)

    Variant  Key Block  Online  Offline  Secure  Configure SNMP Traps (TRAP) Command: TRAP Authorization: Not required Function: To display the current SNMP Trap configuration and to enable/disable individual SNMP Traps.
  • Page 270: Add A New Snmp Trap (Trapadd)

    Variant  Key Block  Online  Offline  Secure  Add a new SNMP Trap (TRAPADD) Command: TRAPADD Authorization: Not required Function: Add an SNMP Trap. Authorization: • Authorization is not required. • The HSM must be in the Secure state.
  • Page 271: Delete An Snmp Trap (Trapdel)

    Variant  Key Block  Online  Offline  Secure  Delete an SNMP Trap (TRAPDEL) Command: TRAPDEL Authorization: Not required Function: Delete an SNMP Trap. Authorization: • Authorization is not required. • The HSM must be in the Secure state.
  • Page 272: Fraud Detection Commands

    Fraud Detection Commands: The payShield 10K provides the following commands to support fraud detection operations (Command / Page): Configure Fraud Detection (A5); Re-enable PIN Verification (A7)
  • Page 273: Configure Fraud Detection (A5)

    Variant  Key Block  Online  Offline  Secure  Configure Fraud Detection (A5) Command: A5 Authorization: May be required Activity: audit.console Function: To set the configuration of the HSM fraud detection function. Authorization: If the Fraud Detection settings are to be edited, the HSM must be: •...
  • Page 274 Example: Offline-AUTH> A5 <Return> HSM reaction to Exceeding Fraud Limits is : ON The following limits are set: PIN verification failures per minute : 100 PIN verification failures per hour : 1000 PIN Attack Limit...
  • Page 275: Re-Enable Pin Verification (A7)

    Variant  Key Block  Online  Offline  Secure  Re-enable PIN Verification (A7) Command: A7 Authorization: Required Activity: audit.console Function: To reset the configuration of the HSM fraud detection function. Authorization: The HSM must be in the offline state to run this command. The HSM must be either in the Authorized State, or the activity audit.console must be...
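    To make the behaviour of the A5 limits and the A7 reset concrete, the following Python is an added example (not code from the manual or from Thales): it models the per-minute and per-hour PIN verification failure limits from the A5 example above, disables verification when one is exceeded while the reaction is ON, and provides an operator reset in the role of A7. The page does not define how the HSM counts, so three points are assumptions: a limit is exceeded when the count goes strictly above it, both windows slide over the last 60 s and 3600 s, and with the reaction OFF the event is only recorded. The PIN Attack Limit is not modelled because its meaning is cut off on the page. All timestamps fed in are constructed.

```python
"""Model of the A5 fraud-detection limits (failures per minute / per hour)
and of the A7 operator reset.  Added example: not code from the manual or
from Thales.  Assumptions: strict '>' means exceeded, sliding windows of
60 s and 3600 s, reaction OFF only records.  Timestamps are constructed."""
from collections import deque
from typing import Deque, Optional


class PinFraudMonitor:
    def __init__(self, per_minute: int = 100, per_hour: int = 1000,
                 reaction_enabled: bool = True) -> None:
        self.per_minute = per_minute
        self.per_hour = per_hour
        self.reaction_enabled = reaction_enabled    # "HSM reaction ... : ON/OFF"
        self.pin_verification_enabled = True
        self.trip_reason: Optional[str] = None
        self._failures: Deque[float] = deque()       # failure times in the last hour

    def _prune(self, now: float) -> None:
        # Drop failures that have left the one-hour window.
        while self._failures and now - self._failures[0] >= 3600:
            self._failures.popleft()

    def verify_pin(self, now: float, correct: bool) -> bool:
        """Feed one verification attempt at time `now` (seconds).
        Returns False while PIN verification is disabled."""
        if not self.pin_verification_enabled:
            return False
        if correct:
            return True
        self._failures.append(now)
        self._prune(now)
        in_last_minute = sum(1 for t in self._failures if now - t < 60)
        if in_last_minute > self.per_minute:
            self._trip(f"{in_last_minute} failures in one minute (limit {self.per_minute})")
        elif len(self._failures) > self.per_hour:
            self._trip(f"{len(self._failures)} failures in one hour (limit {self.per_hour})")
        return self.pin_verification_enabled

    def _trip(self, reason: str) -> None:
        self.trip_reason = reason
        if self.reaction_enabled:          # reaction OFF: record only
            self.pin_verification_enabled = False

    def re_enable(self) -> None:
        """Operator reset in the role of the A7 console command."""
        self._failures.clear()
        self.trip_reason = None
        self.pin_verification_enabled = True


def run_burst(monitor: PinFraudMonitor, count: int, spacing: float,
              start: float = 0.0) -> Optional[int]:
    """Feed `count` failed verifications `spacing` seconds apart.  Returns the
    index of the failure that disabled verification, or None if it stayed up."""
    for i in range(count):
        if not monitor.verify_pin(start + i * spacing, correct=False):
            return i
    return None


if __name__ == "__main__":
    m = PinFraudMonitor(per_minute=100, per_hour=1000)
    print("100 failures in 10 s tripped at:", run_burst(m, 100, 0.1))
    print("one more tripped at:", run_burst(m, 1, 0.1, start=10.0), "->", m.trip_reason)
    m.re_enable()
    print("after reset, enabled:", m.pin_verification_enabled)
```

    The per-hour limit is what catches a slow attacker who stays under the per-minute figure; the hourly case in the test keeps the per-minute count at 20 and still trips on the 1001st failure.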
  • Page 276: Diagnostic Commands

    Diagnostic Commands: The payShield 10K provides the following console commands to support diagnostic operations (Command / Page): Diagnostic Test (DT); View Software Revision Number (VR); View Available Commands (GETCMDS); Show Network Statistics (NETSTAT); Test TCP/IP Network (PING)
  • Page 277: Diagnostic Test (Dt)

    Variant  Key Block  Online  Offline  Secure  Diagnostic Test (DT) Command: DT Authorization: Not required Function: To perform diagnostic tests. The DT command tests the following parts of the HSM: • Battery voltage level •...
  • Page 278 Example 1: Secure> DT <Return> Battery: AES: DES: ECDSA: HMAC: MD5: Memory: Power Supply: RNG: RSA: Real-Time Clock: SYNCHRONIZED (system time was synchronized with the RTC) SHA: SCR: Temperature: Fans: Voltages: Health Check Status TCP Server:...
  • Page 279 Example 2: Online> DT verbose <Return> Battery: Voltage: 3500 mV HSM will enter tamper state if voltage drops below 2500 Running AES Known Answer Test PASSED AES Known Answer Test AES: Running DES Known Answer Test...
  • Page 280 Sensor 3 : 35.2C 95.4F (Min=33.1C 91.6F Max=36.6C 97.9F) Fans: Fan 1: 8000 RPM (target: 8000 RPM) Fan 2: 7868 RPM (target: 8000 RPM) Voltages: 11.46 (Min=11.43 Max=11.48) 5.052 (Min=5.032 Max=5.067) MP Core 1.028 (Min=1.016...
  • Page 281: View Software Revision Number (Vr)

    Variant  Key Block  Online  Offline  Secure  View Software Revision Number (VR) Command: VR Authorization: Not required Function: To display details of the software release number, revision number and build number.
  • Page 282 PCI HSM Compliance field: PCI HSM Compliance: Refer to the PCI web site (https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php) for current certification status of this version of payShield 10K software. Security settings are consistent with the requirements of PCI HSM. ...
  • Page 283: View Available Commands (Getcmds)

    Variant  Key Block  Online  Offline  Secure  View Available Commands (GETCMDS) Command: GETCMDS Authorization: Not required Function: To display a list of enabled host & console commands. Commands listed in the output are licensed AND enabled.
  • Page 284 CONFIGPB EJECT ERRLOG GETCMDS GETTIME GK HEALTHENABLE HEALTHSTATS NETSTAT PING RESET SETTIME SG SNMP SNMPADD SNMPDEL TRAP TRAPADD TRAPDEL TRACERT UPLOAD UTILCFG UTILENABLE UTILSTATS Host/Console Command Hash Value: cf7e8a
  • Page 285: Show Network Statistics (Netstat)

    Variant  Key Block  Online  Offline  Secure  Show Network Statistics (NETSTAT) Command: NETSTAT Authorization: Not required Function: The HSM records details about network activity on both its Management and Host Ethernet ports for diagnostic and security purposes.
  • Page 286 Outputs: Text messages as appropriate. The reported state can have the following values: ESTABLISHED: the socket has an established connection. SYN_SENT: the socket is actively attempting to establish a connection. SYN_RECV: a connection request has been received from the network.
  • Page 287: Test Tcp/Ip Network (Ping)

    Variant  Key Block  Online  Offline  Secure  Test TCP/IP Network (PING) Command: PING Authorization: Not required Function: To test the specified network node, and the route to it. Authorization: The HSM does not require any authorization to run this command.
  • Page 288: Trace Tcp/Ip Route (Tracert)

    Variant  Key Block  Online  Offline  Secure  Trace TCP/IP route (TRACERT) Command: TRACERT Authorization: Not required Function: To view the path taken from the HSM to the specified address. Authorization: The HSM does not require any authorization to run this command.
  • Page 289 outgoing probe packets. If the host has more than one IP address, you can use this option to force the source address to be something other than the IP address of the interface that the probe packet is sent on. If the IP...
  • Page 290: View/Reset Utilization Data (Utilstats)

    Variant  Key Block  Online  Offline  Secure  View/Reset Utilization Data (UTILSTATS) Command: UTILSTATS Authorization: Not required Function: To display Utilization Data at the Console. Options to print the data to an HSM-attached printer and to reset accumulated data to zero.
  • Page 291 4.79 2.11 7.28 8.68 3.00 2.87 1.79 1.40 0.38 2.00 2.00 2.00 1.06 0.30 0.72 0.89 0.11 0.23 2.72 Press "Enter" to continue... <Return> Cmd Code Total Transactions Average TPS 0.21 0.04 Instantaneous HSM Load: 17%...
  • Page 292: View/Reset Health Check Counts (Healthstats)

    Variant  Key Block  Online  Offline  Secure  View/Reset Health Check Counts (HEALTHSTATS) Command: HEALTHSTATS Authorization: May be required Activity: diagnostics Function: To display Health Check counts at the Console. Options to print the data to an HSM-attached printer and to reset accumulated data to zero.
  • Page 293: Local Master Keys

    Note that the term "pair" is used regardless of whether the LMK consists of double-length keys, or triple- length keys. The standard LMK format supported in all previous versions of Thales (Racal) HSM firmware consists of 20 double-length TDES keys.
  • Page 294 Authorization: Indicates the authorization status of the HSM for this particular LMK – either a flag (for Authorized State) or a list of authorized activities. Old/New: Flag for each LMK held in Key Change Storage indicating whether they are to...
  • Page 295: Lmk Commands

    LMK Commands: The HSM provides the following console commands to support LMK operations (Command / Page): Generate LMK Component (GK); Load LMK (LK); Load 'Old' LMK into Key Change Storage (LO); Load 'New' LMK into Key Change Storage (LN)
  • Page 296: Generate Lmk Component(S) (Gk)

    Variant  Key Block  Online  Offline  Secure  Generate LMK Component(s) (GK) Command: GK Authorization: Not required Function: To generate component(s) of an LMK, and store the component(s) on smartcards. This command may be used to generate components for the following types of LMKs: •...
  • Page 297 Example 1 (Triple-length Variant LMK): This example generates a triple-length Variant LMK component set, and writes the components to a smartcard. Secure> GK <Return> Variant scheme or key block scheme? [V/K]: V <Return> Enter algorithm type [2=2DES, 3=3DES]: 3 <Return>...
  • Page 298 Example 3 (Triple-length 3DES Key Block LMK): This example generates a 3DES key block LMK component, and writes the component to a smartcard. Secure> GK <Return> Variant scheme or key block scheme? [V/K]: K <Return>...
  • Page 299: Load Lmk (Lk)

    • Invalid PIN; re-enter - a PIN of less than 5 or greater than 8 digits is entered. • Invalid key – a standard Thales test key cannot be given live status. • Incompatible key status – the components have different status ("live" or "test").
  • Page 300 Example 1 (Double-length Variant LMK): This example loads a double-length Variant LMK from smartcards and installs it in the HSM. There are already Default and Management LMKs installed. Secure> LK <Return> Enter LMK id: 00 <Return>...
  • Page 301 Comments: Process System One Confirm details? [Y/N]: Y <Return> Use the LO/LN command to load LMKs into key change storage. Secure> Example 3: In this example, the PIN is not entered within 60 seconds.
  • Page 302 Example 5 (3DES Key Block LMK): This example loads a 3DES key block LMK from smartcards and installs it in the HSM. There are already Default and Management LMKs installed. Secure> LK <Return> Enter LMK id: 01 <Return>...
  • Page 303 Example 6 (AES Key Block LMK): This example loads an AES key block LMK from smartcards and installs it in the HSM. There are already Default and Management LMKs installed. Secure> LK <Return> Enter LMK id: 02 <Return>...
  • Page 304 Example 7 (AES Key Block LMK - no Default or Management LMK): This example loads an AES key block LMK from smartcards and installs it in the HSM. There is no Default or Management LMK already installed. Secure>...
  • Page 305: Load 'Old' Lmk Into Key Change Storage (Lo)

    • Command only allowed from Secure-Authorized – the HSM is not in Secure State, or the HSM is not authorized to perform this operation, or both. • Invalid key – a standard Thales test key cannot be given live status. • Incompatible cards – the component cards have different formats.
  • Page 306 Example 1 (Double-length Variant LMK): This example loads a double-length Variant LMK from smartcards and installs it as 'old' LMK 00. Secure-AUTH> LO <Return> Enter LMK id: 00 <Return> Enter comments: Old LMK for ABC Bank <Return>...
  • Page 307 Example 2 (Triple-length Variant LMK): This example loads a triple-length Variant LMK from smartcards and installs it as 'old' LMK 00. Secure-AUTH> LO <Return> Enter LMK id: 00 <Return> Enter comments: Old LMK for Process System One <Return>...
  • Page 308 LMK Check: ZZZZZZ LMK id: 01 LMK key scheme: KeyBlock LMK algorithm: 3DES (3key) LMK status: Live Comments: Old LMK for XYZ Bank Confirm details? [Y/N]: Y <Return> Secure-AUTH> Example 5 (AES Key Block LMK): This example loads an AES key block LMK from smartcards and installs it as 'old' LMK 02.
  • Page 309: Load 'New' Lmk Into Key Change Storage (Ln)

    • Command only allowed from Secure-Authorized – the HSM is not in Secure State, or the HSM is not authorized to perform this operation, or both. • Invalid key – a standard Thales test key cannot be given live status. • Incompatible cards – the component cards have different formats.
  • Page 310 Example 1 (Double-length Variant LMK): This example loads a double-length Variant LMK from smartcards and installs it as 'new' LMK 00. Secure-AUTH> LN <Return> Enter LMK id: 00 <Return> Enter comments: New LMK for ABC Bank <Return>...
  • Page 311 Example 2 (Triple-length Variant LMK): This example loads a triple-length Variant LMK from smartcards and installs it as 'new' LMK 00. Secure-AUTH> LN <Return> Enter LMK id: 00 <Return> Enter comments: New LMK for Process System One <Return>...
  • Page 312 LMK Check: ZZZZZZ LMK id: 01 LMK key scheme: KeyBlock LMK algorithm: 3DES(3key) LMK status: Live Comments: New LMK for XYZ Bank Confirm details? [Y/N]: Y <Return> Secure-AUTH> Example 5 (AES Key Block LMK): This example loads an AES key block LMK from smartcards and installs it as 'new' LMK 02.
  • Page 313: Verify Lmk Store (V)

    Variant  Key Block  Online  Offline  Secure  Verify LMK Store (V) Command: V Authorization: Not required Function: To confirm that the check value is identical to the value that was recorded when the LMK set was installed.
  • Page 314: Duplicate Lmk Component Sets (Dc)

    Variant  Key Block  Online  Offline  Secure  Duplicate LMK Component Sets (DC) Command: DC Authorization: Not required Function: To copy an LMK component onto another smartcard. Authorization: The HSM must be in the secure state to run this command.
  • Page 315: Delete Lmk (Dm)

    Variant  Key Block  Online  Offline  Secure  Delete LMK (DM) Command: DM Authorization: Required Activity: admin.console Function: To delete a selected LMK and (if loaded) the LMK in the corresponding location in key change storage.
  • Page 316: Delete 'Old' Or 'New' Lmk From Key Change Storage (Do)

    Variant  Key Block  Online  Offline  Secure  Delete 'Old' or 'New' LMK from Key Change Storage (DO) Command: DO Authorization: Not required Function: To delete a selected LMK from key change storage. This command may only be used if an LMK is loaded in the corresponding location in main LMK memory.
  • Page 317: View Lmk Table (Vt)

    10K Installation and User Guide Variant  Key Block  View LMK Table (VT) Online  Offline  Secure  Authorization: Not required Command: Function: To display the LMK table and the corresponding table for key change storage. Authorization: The HSM does not require any authorization to run this command.
  • Page 318 10K Installation and User Guide Example 1: The HSM is configured for single authorized state, but has not been authorized: Secure> VT <Return> LMK table: ID Authorized Scheme Algorithm Status Check Comments 00 No Variant 3DES(2key) Test 268604 test...
  • Page 319 10K Installation and User Guide Example 4: The HSM is configured for multiple authorized activities. Output shows how many host and console commands are authorized for each LMK: Online-AUTH> VT <Return> LMK table: ID Authorized Scheme Algorithm Status Check...
  • Page 320: Generate Test Lmk (Gt)

    Online  Offline  Secure  Authorization: Not required Command: Function: To generate one of the standard Thales Test LMKs, and write the component(s) to smartcard(s). The payShield 10K supports four different types of LMK: • 2DES Variant LMK •...
  • Page 321 10K Installation and User Guide Example 1: This example writes the standard 2DES Variant Thales Test LMK to a single smartcard: Online> GT <Return> Generate Standard Thales Test LMK Set: 1 - 2DES Variant 2 - 3DES Variant 3 - 3DES KeyBlock...
  • Page 322: Operational Commands

    10K Installation and User Guide Operational Commands Authorization Commands The payShield 10K needs to be authorized for certain commands to be executed - usually those involving clear text data. There are two methods of authorizing the HSM – using: •...
  • Page 323: Enter The Authorized State (A)

    10K Installation and User Guide Variant  Key Block  Enter the Authorized State (A) Online  Offline  Secure  Authorization: Not required Command: Function: To set the HSM into the Authorized State. The HSM prompts for either Smartcards or Passwords, as applicable, which must correspond to the LMK being authorized.
  • Page 324 10K Installation and User Guide First Officer: Password: **************** <Return> Second Officer:  Password: ******************* <Return> Password too long Data invalid; please re-enter: **************** <Return> AUTHORIZED Console authorizations will expire in 720 minutes (12 hours). Online-AUTH>
  • Page 325: Cancel The Authorized State (C)

    10K Installation and User Guide Variant  Key Block  Cancel the Authorized State (C) Online  Offline  Secure  Authorization: Not required Command: Function: To cancel the Authorized State. There is an equivalent command available to the host (Host command 'RA') Authorization: The HSM does not require any authorization to run this command.
  • Page 326: Authorize Activity (A)

    10K Installation and User Guide Variant  Key Block  Authorize Activity (A) Online  Offline  Secure  Authorization: Not required Command: Function: To authorize the HSM to perform certain specified activities. In command line mode, the operator specifies which activities are to be authorized.
  • Page 327 10K Installation and User Guide • Data invalid; please re-enter: the password is an invalid length. • If the CS setting "Card/Password authorization" is set to "Card", then the Notes: passwords required to put the HSM into the Authorized State will be read from smartcards.
  • Page 328 10K Installation and User Guide • There is one case when it will be necessary to overwrite an existing activity: when only the Timeout field changes. For example, suppose that the following activity is authorized: export.001.console:11 and the user uses the 'A' command to authorize the following activity: export.001.console:60...
  • Page 329 10K Installation and User Guide Enter LMK id [0-4]: 0 <Return> Console authorizations will expire in 720 minutes (12 hours). The following activities are pending authorization for LMK id 00: admin..console:720 admin..host audit..console:720 audit..host command..console:720 command..host component..console:720 component..host diagnostic..console:720 diagnostic..host...
  • Page 330 10K Installation and User Guide pin..console:720 (720 mins remaining) pin..host Online-AUTH>
  • Page 331 10K Installation and User Guide Example 3 (Variant LMK): This example authorizes three activities in addition to those of Example 1, via the menu. Online-AUTH> A <Return> Enter LMK id [0-9]: 00 <Return> The following activities are authorized for LMK id 00: pin.mailer...
  • Page 332 10K Installation and User Guide First Officer Insert Card for Security Officer and enter the PIN: **** <Return> Second Officer Insert Card for Security Officer and enter the PIN: **** <Return> The following activities are authorized for LMK id 00: admin:240 (240 mins remaining) export.001.host...
  • Page 333 10K Installation and User Guide Insert Card for Security Officer and enter the PIN: **** <Return> Second Officer: Insert Card for Security Officer and enter the PIN: **** <Return> The following activities are authorized for LMK id 01: pin.clear.console:720 (720 mins remaining) pin.clear.host...
  • Page 334 10K Installation and User Guide host console Select interface, or <RETURN> for all: c <Return> Enter time limit for admin, or <RETURN> for permanent: <Return> Make activity persistent? [Y/N]: n <Return> Enter additional activities to authorize? [y/N]: n <Return>...
  • Page 335 10K Installation and User Guide pin.clear.host Online-AUTH>
  • Page 336: Cancel Authorized Activity (C)

    10K Installation and User Guide Variant  Key Block  Cancel Authorized Activity (C) Online  Offline  Secure  Authorization: Not required Command: Function: To cancel one or more Authorized Activities. Authorization: The HSM does not require any authorization to run this command.
  • Page 337 10K Installation and User Guide Example 1: This example cancels an existing activity via the menu. (Variant or Key Block LMK) Online-AUTH> C <Return> Enter LMK id [0-9]: 00 <Return> Cancel pin.mailer? [y/N] Y <Return> No activities are authorized for LMK id 00.
  • Page 338: View Authorized Activities (Va)

    10K Installation and User Guide Variant  Key Block  View Authorized Activities (VA) Online  Offline  Secure  Authorization: Not required Command: Function: To view all active authorized activities. Authorization: The HSM does not require any authorization to run this command.
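The activity strings printed by the A, C and VA commands above follow a small grammar (activity, optional key type, optional interface, optional timeout in minutes), and the manual notes that re-authorizing an activity whose only difference is the timeout overwrites the existing entry. The following is an added example, not code from the manual or from Thales: a parser for those strings and a model of the per-LMK authorization list. The grammar itself is reconstructed from the examples on this page, and the rule that a key-type field is a three-hex-digit code (or empty, meaning all key types) is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed grammar, reconstructed from the console examples
# ("export.001.console:11", "admin..console:720", "pin.mailer", "admin:240"):
#   <activity>[.<key type>][.<interface>][:<timeout minutes>]
# - key type: a 3-hex-digit Thales key type code, or empty = all key types
#   (treating "key type field absent" like "empty" is this example's choice)
# - interface: "console" or "host"; absent = both
# - no ":timeout" = permanent (the A command prompts "<RETURN> for permanent")
INTERFACES = ("console", "host")
KEY_TYPE_RE = re.compile(r"^[0-9A-Fa-f]{3}$")
REMAINING_RE = re.compile(r"\s*\(\d+ mins remaining\)\s*$")


@dataclass(frozen=True)
class Activity:
    name: str                  # e.g. "admin", "export", "pin.clear"
    key_type: Optional[str]    # "001", "" (all key types) or None (field absent)
    interface: Optional[str]   # "console", "host" or None (both)
    timeout: Optional[int]     # minutes; None = permanent

    @property
    def scope(self) -> Tuple[str, Optional[str], Optional[str]]:
        """Everything except the timeout: two entries with the same scope are
        the same authorization, so the later one replaces the earlier."""
        return (self.name, self.key_type, self.interface)


def parse_activity(spec: str) -> Activity:
    """Parse one activity string as printed by the A or VA console commands."""
    spec = REMAINING_RE.sub("", spec.strip())   # drop VA's "(720 mins remaining)"
    body, sep, tmo = spec.partition(":")
    timeout = None
    if sep:
        if not tmo.isdigit() or int(tmo) == 0:
            raise ValueError(f"invalid timeout in {spec!r}")
        timeout = int(tmo)
    parts = body.split(".")
    interface = parts.pop() if len(parts) > 1 and parts[-1] in INTERFACES else None
    key_type = None
    if len(parts) > 1 and (parts[-1] == "" or KEY_TYPE_RE.match(parts[-1])):
        key_type = parts.pop().upper()
    name = ".".join(parts)
    if not name or "" in parts:
        raise ValueError(f"malformed activity {spec!r}")
    return Activity(name, key_type, interface, timeout)


def format_activity(act: Activity) -> str:
    """Inverse of parse_activity, in the console's own notation."""
    out = act.name
    if act.key_type is not None:
        out += "." + act.key_type
    if act.interface is not None:
        out += "." + act.interface
    if act.timeout is not None:
        out += f":{act.timeout}"
    return out


class AuthorizationTable:
    """Model of the authorized-activity list the HSM keeps for one LMK."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, Optional[str], Optional[str]], Activity] = {}

    def authorize(self, spec: str) -> bool:
        """Add an activity (the A command). Returns True when an entry with the
        same scope already existed, i.e. only its timeout was replaced."""
        act = parse_activity(spec)
        replaced = act.scope in self._entries
        self._entries[act.scope] = act
        return replaced

    def cancel(self, spec: str) -> bool:
        """Remove an activity (the C command); True if it was present."""
        return self._entries.pop(parse_activity(spec).scope, None) is not None

    def listing(self) -> List[str]:
        """The activities as VA would list them, sorted."""
        return sorted(format_activity(a) for a in self._entries.values())


if __name__ == "__main__":
    table = AuthorizationTable()
    table.authorize("export.001.console:11")
    print("overwritten:", table.authorize("export.001.console:60"))
    print(table.listing())
```

Feeding captured VA output through `parse_activity` line by line gives a machine-readable list of what is currently authorized on an HSM, which is the thing to diff against the approved baseline during a review.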
  • Page 339: Logging Commands

    There is also a command to enable the user to set their time zone, so that the correct time is displayed in audit log reports. The Error log stores fault information for use by Thales support personnel. The error log is used to log unexpected software errors, hardware failures and alarm events. Whenever an error occurs, that error code is stored, along with the time, date and severity level.
  • Page 340: Display The Error Log (Errlog)

    10K Installation and User Guide Variant  Key Block  Display the Error Log (ERRLOG) Online  Offline  Secure  Authorization: Not required Command: ERRLOG Function: To display the entries in the error log. Authorization: The HSM does not require any authorization to run this command.
  • Page 341 10K Installation and User Guide Example 3: In this example, the Security setting "Allow Error light to be extinguished when viewing Error Log?" is set to YES. Offline> ERRLOG <Return> Error Log (3 entries) -------------------------- 1: May 01 09:35:00...
  • Page 342: Clear The Error Log (Clearerr)

    10K Installation and User Guide Variant  Key Block  Clear the Error Log (CLEARERR) Online  Offline  Secure  Authorization: Not required Command: CLEARERR Function: To clear the entries in the error log. Authorization: The HSM must be in the secure state to run this command.
  • Page 343: Display The Audit Log (Auditlog)

    10K Installation and User Guide Variant  Key Block  Display the Audit Log (AUDITLOG) Online  Offline  Secure  Authorization: Not required Command: AUDITLOG Function: To display the entries in the audit log. Authorization: The HSM does not require any authorization to run this command.
  • Page 344 10K Installation and User Guide Example 2: Offline> AUDITLOG <Return> Audit Log (10 entries) Counter Time Date Command/Event --------------------------------------------------------- ----- 0000000268 13:55:00 02/Jul/2013 Diagnostic self test failure: Power 0000000267 16:45:07 01/Jul/2013 Authorized activity admin..host was cancelled for LMK id 0...
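Each AUDITLOG entry carries a ten-digit counter, a time, a date and the event text, newest first. The following added example (not from the manual or from Thales) parses captured AUDITLOG output and performs the checks a reviewer wants before trusting it: counter continuity (a skipped counter means entries are missing from what was captured), a clock that runs backwards between consecutive counters (which would point at a SETTIME change between events), and a simple keyword flag on events worth a second look. The two first sample lines are the ones shown on this page; the remaining lines, the missing counter 266 and their event wording are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# One entry as displayed by AUDITLOG: counter, time, date, event text.
ENTRY_RE = re.compile(
    r"^(?P<counter>\d{10})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<date>\d{2}/[A-Za-z]{3}/\d{4})\s+(?P<event>.+?)\s*$"
)

# Event texts worth a second look. The wordings match the two entries shown in
# the manual's Example 2; which events count as "interesting" is this
# example's choice, not the HSM's.
SUSPICIOUS_PATTERNS = (
    ("self_test_failure", re.compile(r"self test failure", re.I)),
    ("authorization_change", re.compile(r"Authorized activity .* was (cancelled|authorized)", re.I)),
)


@dataclass(frozen=True)
class AuditEntry:
    counter: int
    when: datetime
    event: str


def parse_audit_log(text: str) -> List[AuditEntry]:
    """Parse captured AUDITLOG output into entries, in display order (newest first)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # banner, column headings, rule line, prompt
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%b/%Y %H:%M:%S")
        entries.append(AuditEntry(int(m["counter"]), when, m["event"]))
    return entries


def find_counter_gaps(entries: List[AuditEntry]) -> List[Tuple[int, int]]:
    """(first_missing, last_missing) for every run of counters absent from the capture."""
    counters = sorted(e.counter for e in entries)
    return [(prev + 1, nxt - 1) for prev, nxt in zip(counters, counters[1:]) if nxt - prev > 1]


def find_time_reversals(entries: List[AuditEntry]) -> List[Tuple[int, int]]:
    """Pairs of consecutive counters whose timestamps go backwards."""
    ordered = sorted(entries, key=lambda e: e.counter)
    return [(a.counter, b.counter) for a, b in zip(ordered, ordered[1:]) if b.when < a.when]


def flag_entries(entries: List[AuditEntry]) -> List[Tuple[int, str]]:
    """(counter, label) for every entry matching a suspicious pattern."""
    return [(e.counter, label) for e in entries
            for label, pat in SUSPICIOUS_PATTERNS if pat.search(e.event)]


# Constructed sample. The first two entries are those printed in the manual's
# Example 2; the last two lines and the missing counter 266 are made up for
# this example, and their event wording is hypothetical.
SAMPLE_AUDITLOG = """\
Audit Log (4 entries)
Counter    Time     Date        Command/Event
--------------------------------------------------------- -----
0000000268 13:55:00 02/Jul/2013 Diagnostic self test failure: Power
0000000267 16:45:07 01/Jul/2013 Authorized activity admin..host was cancelled for LMK id 0
0000000265 09:12:30 01/Jul/2013 Console command CLEARERR
0000000264 09:10:02 01/Jul/2013 Console command ERRLOG
Offline>
"""


def review(text: str) -> dict:
    """Run all checks over one AUDITLOG capture."""
    entries = parse_audit_log(text)
    return {
        "entries": len(entries),
        "gaps": find_counter_gaps(entries),
        "time_reversals": find_time_reversals(entries),
        "flagged": flag_entries(entries),
    }


if __name__ == "__main__":
    print(review(SAMPLE_AUDITLOG))
```

Because CLEARAUDIT removes entries but the display still shows a counter, keeping the highest counter seen from each capture lets the next review confirm that nothing was cleared in between without being exported first.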
  • Page 345: Clear The Audit Log (Clearaudit)

    10K Installation and User Guide Variant  Key Block  Clear the Audit Log (CLEARAUDIT) Online  Offline  Secure  Authorization: Required Activity: audit.console Command: CLEARAUDIT Function: To clear the entries in the audit log. Authorization: The HSM must be in the secure state to run this command. Additionally, the HSM must be either in the Authorized State, or the activity audit.console...
  • Page 346: Audit Options (Auditoptions)

    10K Installation and User Guide Variant  Key Block  Audit Options (AUDITOPTIONS) Online  Offline  Secure  Authorization: Required Activity: audit.console Command: AUDITOPTIONS Function: To configure the HSM's auditing functionality. The HSM can be configured to monitor and record the following events: •...
  • Page 347 Host commands to be logged. In this context, "relevant" means error responses which may indicate situations that require investigation by the payShield 10K Administrators or Security Officers. The use of this setting will therefore not log non-00 error responses which are purely for information or which indicate "business as...
  • Page 348 10K Installation and User Guide Example: Secure-AUTH>auditoptions Audit User Actions: YES Audit Error Responses to Host Commands: YES Audit utilization data resets: NO Audit diagnostic self tests: NO Audit ACL connection failures: NO Audit Counter Value: 0000000223 List of Audited Console Commands:...
  • Page 349: Time And Date Commands

    Time and Date Commands The SETTIME command is used to set the system time and date used by the payShield 10K for the audit log entries. The user should use this command to adjust the time for the local timezone. The time and date can be queried using the GETTIME command.
  • Page 350 10K Installation and User Guide Variant  Key Block  Set the Time (SETTIME) Online  Offline  Secure  Authorization: Required Activity: admin.console Command: SETTIME Function: To set the system time and date used by the HSM. Authorization: The HSM must be in the secure state to run this command. Additionally, the HSM must be either in the Authorized State, or the activity admin.console...
  • Page 351: Query The Time And Date (Gettime)

    10K Installation and User Guide Variant  Key Block  Query the Time and Date (GETTIME) Online  Offline  Secure  Authorization: Not required Command: GETTIME Function: To query the system time and date. Authorization: The HSM does not require any authorization to run this command.
  • Page 352: Set Time For Automatic Self-Tests (St)

    10K Installation and User Guide Variant  Key Block  Set Time for Automatic Self-Tests (ST) Online  Offline  Secure  Authorization: Not required Command: Function: Reports the time of day when the daily automatic self-tests required for PCI HSM compliance will be run, and allows this time to be changed.
  • Page 353: Settings, Storage And Retrieval Commands

    Settings, Storage and Retrieval Commands Commands are provided to save the payShield 10K's Alarm, Host and Security settings to a smartcard and to restore the settings to the HSM. Besides the dedicated command to Save HSM Settings to Smartcard, the following individual configuration commands have the option to save settings to smartcard: •...
  • Page 354: Save Hsm Settings To A Smartcard (Ss)

    10K Installation and User Guide Save HSM Settings to a Smartcard (SS) Key Block Variant   Online  Offline  Secure  Authorization: Required Activity: admin.console Command: Function: To save the Alarm, Host Port, Security, Audit, Command, and PIN Block settings to a smartcard (RACCs are supported).
  • Page 355: Retrieve Hsm Settings From A Smartcard (Rs)

    10K Installation and User Guide Retrieve HSM Settings from a Smartcard (RS) Key Block Variant   Online  Offline  Secure  Authorization: Required Activity: admin.console Command: Function: To read the Alarm, Host Port, Security, Audit, Command, and PIN Block settings from a smartcard.
  • Page 356 10K Installation and User Guide Example: Secure-AUTH> RS <Return> Insert card and press ENTER: <Return> Temperature Alarm: ON Motion Alarm: HIGH Self Test Run Time: 09:00 Overwrite alarm settings with the settings above? [Y/N]: Y <Return> ALARM settings retrieved from smartcard...
  • Page 357 10K Installation and User Guide Protect MULTOS cipher data checksums: YES Enforce Atalla variant match to Thales key type: NO Card/password authorization: C Enable use of Tokens in PIN Translation: NO Enable use of Tokens in PIN Verification: NO...
  • Page 358: Key Management Commands

    10K Installation and User Guide Key Management Commands The payShield 10K provides the following host commands to support generic key management operations: Command Page Generate Key Component (GC) Generate Key and Write Components to Smartcard (GS) Encrypt Clear Component (EC)
  • Page 359: Generate Key Component (Gc)

    10K Installation and User Guide Variant  Key Block  Generate Key Component (GC) Online  Offline  Secure  Authorization: Required Activity: component.{key}.console Command: Function: To generate a key component and display it in plain and encrypted forms.
  • Page 360 10K Installation and User Guide • When generating key components encrypted by a Key Block LMK, the Notes: "Component Number" field stored within the component's key block header can be used to help identify individual components. Note, however, that this field is not examined or used by the HSM's FK command when forming a key from these components.
  • Page 361 10K Installation and User Guide Enter key length [1,2,3]: 2 <Return> Enter key scheme: S <Return> Enter key usage: P0 <Return> Enter mode of use: N <Return> Enter component number [1-9]: 2 <Return> Enter exportability: E <Return> Enter optional blocks? [Y/N]: N <Return>...
  • Page 362: Generate Key And Write Components To Smartcard (Gs)

    10K Installation and User Guide Variant  Key Block  Generate Key and Write Components to Smartcard (GS) Online  Offline  Secure  Authorization: Required Activity: component.{key}.console Command: Function: Generates a key as 2 or 3 components and writes the components to smartcards.
  • Page 363 10K Installation and User Guide • Invalid key scheme - an invalid key scheme is entered. • Invalid entry - an invalid number of components has been entered. • Not an LMK card - card is not formatted for LMK or key storage.
  • Page 364 10K Installation and User Guide Example 2 (3DES Key Block LMK): This example generates and writes two double-length 3DES key components to two smartcards, and encrypts the formed key. Online-AUTH> GS <Return> Enter LMK id: 01 <Return> Enter key length [1,2,3]: 2 <Return>...
  • Page 365 10K Installation and User Guide Enter key version number: 00 <Return> Enter exportability: E <Return> Enter optional blocks? [Y/N]: Y <Return> Enter optional block identifier: 00 <Return> Enter optional block data: L <Return> Enter more optional blocks? [Y/N]: N <Return>...
  • Page 366: Encrypt Clear Component (Ec)

    10K Installation and User Guide Variant  Key Block  Encrypt Clear Component (EC) Online  Offline  Secure  Authorization: Required Activity: component.{key}.console Command: Function: To encrypt a clear text component and display the result at the console.
  • Page 367 10K Installation and User Guide • Various key block field errors – the value entered is invalid, or incompatible with previously entered values. Example 1: This example encrypts a plaintext double length DES key component. (Variant LMK) Online-AUTH> EC <Return>...
  • Page 368 10K Installation and User Guide Example 4: This example encrypts a plaintext 128-bit AES key component. (AES Key Block LMK) Online-AUTH> EC <Return> Enter LMK id: 02 <Return> Enter algorithm [3DES/AES]: A <Return> Enter component length [128,192,256]: 128 <Return>...
  • Page 369: Form Key From Components (Fk)

    10K Installation and User Guide Variant  Key Block  Form Key from Components (FK) Online  Offline  Secure  Authorization: Required Activity: component.{key}.console Command: Function: To build a key from components. If clear components are used, they will not be checked for parity, but odd parity will be forced on the final key before encryption under the selected LMK.
  • Page 370 10K Installation and User Guide • Incompatible header values - the field values are incompatible between components. • Incompatible key status optional blocks - there is a mismatch between the values contained in one or more key status optional blocks.
  • Page 371 10K Installation and User Guide Enter number of components (1-9): 2 <Return> Insert card 1 and enter PIN: ******** <Return> Component 1 check value: XXXXXX Continue? [Y/N]: y <Return> Insert card 2 and enter PIN: ******** <Return> Component 2 check value: XXXXXX Continue? [Y/N]: y <Return>...
  • Page 372 10K Installation and User Guide Example 4 (Variant LMK): The security settings require that multiple components are used to form keys, but the user attempts to form a key from one component. Online-AUTH> FK <Return> Enter LMK id: 00 <Return>...
  • Page 373 10K Installation and User Guide Example 5: This example forms a single length DES key from plaintext components. (3DES Key Block LMK) Online-AUTH> FK <Return> Enter LMK id: 01 <Return> Enter key length [1,2,3]: 1 <Return> Enter key scheme: S <Return>...
  • Page 374 10K Installation and User Guide Enter exportability: E <Return> Enter optional blocks? [Y/N]: N <Return> Enter component 1: **** **** **** **** **** **** **** **** <Return> Component 1 check value: XXXXXX Continue? [Y/N]: y <Return> Enter component 2: **** **** **** **** **** **** **** **** <Return>...
  • Page 375 10K Installation and User Guide Component 1 check value: XXXXXX Continue? [Y/N]: y <Return> Enter component 2: S XXXXXXXX……XXXXXX <Return> Component 2 check value: XXXXXX Continue? [Y/N]: y <Return> Enter component 3: S XXXXXXXX……XXXXXX <Return> Component 3 check value: XXXXXX Continue? [Y/N]: y <Return>...
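The FK description above states that clear components are not parity-checked, but that odd parity is forced on the final key before it is encrypted under the LMK; Example 4 shows the security setting that refuses a key formed from a single component. The following is an added example, not code from the manual or from Thales, that carries those rules through on constructed components: it combines them, forces odd parity, and reports how many bytes the parity step changed. Combining components by XOR is the conventional method and is an assumption of this example; the manual page does not state it. The two component values are made up for the example and are not real keys.

```python
from functools import reduce
from typing import Dict, List


def _popcount(b: int) -> int:
    return bin(b).count("1")


def has_odd_parity(key: bytes) -> bool:
    """True when every byte has an odd number of 1 bits (the DES key convention)."""
    return all(_popcount(b) % 2 == 1 for b in key)


def force_odd_parity(key: bytes) -> bytes:
    """Flip the least significant bit of each even-parity byte. The LSB is the
    parity bit, so the 56 effective key bits per 8-byte block are untouched."""
    return bytes(b ^ 1 if _popcount(b) % 2 == 0 else b for b in key)


def form_key(components: List[str], key_length: int, min_components: int = 1) -> Dict[str, object]:
    """Form a clear DES key from clear components the way FK does.

    components:     hex strings as typed at the console, spaces allowed
    key_length:     1, 2 or 3 as at the "Enter key length [1,2,3]" prompt
                    (single, double, triple length = 8, 16, 24 bytes)
    min_components: models the security setting that requires several components
    Components are combined by XOR (assumed), then odd parity is forced on the
    result; the components themselves are not parity-checked, only reported.
    """
    if key_length not in (1, 2, 3):
        raise ValueError("key length must be 1, 2 or 3")
    if not 1 <= len(components) <= 9:
        raise ValueError("number of components must be 1-9")
    if len(components) < min_components:
        raise ValueError(f"security settings require at least {min_components} components")
    size = 8 * key_length
    raw = []
    for i, comp in enumerate(components, 1):
        b = bytes.fromhex(comp.replace(" ", ""))
        if len(b) != size:
            raise ValueError(f"component {i} is {len(b)} bytes, expected {size}")
        raw.append(b)
    combined = bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*raw))
    final = force_odd_parity(combined)
    return {
        "component_parity_ok": [has_odd_parity(c) for c in raw],
        "bytes_adjusted": sum(1 for a, b in zip(combined, final) if a != b),
        "key_hex": final.hex().upper(),
    }


# Constructed double-length components (not real keys). Both already have odd
# parity, as components generated by GC would.
COMPONENT_1 = "0123 4567 89AB CDEF FEDC BA98 7654 3210"
COMPONENT_2 = "1313 1313 1313 1313 1313 1313 1313 1313"

if __name__ == "__main__":
    print(form_key([COMPONENT_1, COMPONENT_2], key_length=2, min_components=2))
```

With two odd-parity components every byte of the XOR has even parity, so the parity step changes every byte of the combined value; a check value computed over the raw XOR will therefore not match the one the HSM reports for the formed key.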
  • Page 376: Generate Key (Kg)

    10K Installation and User Guide Variant  Key Block  Generate Key (KG) Online  Offline  Secure  Authorization: Determined by KTT(G&E) Activity: generate.{key}.console and export.{key}.console Authorization: If export to non-KB. Activity: export.{key}.console Command: Function: To generate a random key and return it encrypted under the LMK and optionally under a ZMK (for transmission to another party).
  • Page 377 10K Installation and User Guide • Exportability: See the Exportability Table in the Host Programmer's Manual. • Optional Block data. • Exportability of exported key (if exporting). • Key encrypted under an • Key Block containing the key encrypted...
  • Page 378 10K Installation and User Guide Example 2 (Variant LMK): This example generates a new double-length DES key and exports it in X9.17 format. Online-AUTH> KG <Return> Enter LMK id: 00 <Return> Enter key length [1,2,3]: 2 <Return> Enter key type: 002 <Return>...
  • Page 379 10K Installation and User Guide Example 5 (3DES Key Block LMK): This example generates a new double-length DES key and exports it in TR-31 format. Online> KG <Return> Enter LMK id: 01 <Return> Enter key length [1,2,3]: 2 <Return>...
  • Page 380: Import Key (Ik)

    • Use of this command will always create an entry in the Audit Log. • If the option "Enforce Atalla variant match to Thales key type" is set to YES in the CS console command, the following matchings between Atalla variant and Thales variant key types will be enforced: ∅...
  • Page 381 10K Installation and User Guide 1 or 01 002 LMK 14-15 70D LMK 36-37/7 001 LMK 06-07 001 LMK 06-07 2 or 02 00B LMK 32-33 00B LMK 32-33 00A LMK 30-31 00A LMK 30-31 3 or 03 003 LMK 16-17...
  • Page 382 10K Installation and User Guide Example 2: This example imports a key from TR-31 format. (Variant LMK) Online> IK <Return> Enter LMK id: 00 <Return> Enter key type: 009 <Return> Enter key scheme (LMK): U <Return> Enter ZMK: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>...
  • Page 383 10K Installation and User Guide Example 5: This example imports a key from Thales Key Block format. (3DES or AES Key Block LMK) Online> IK <Return> Enter LMK id: 01 <Return> Enter key scheme (LMK): S <Return> Enter ZMK: S XXXXXXXX……XXXXXX <Return>...
  • Page 384: Export Key (Ke)

    10K Installation and User Guide Variant  Key Block  Export Key (KE) Online  Offline  Secure  Authorization: Determined by KTT(E) Activity: export.{key}.console Authorization: If export to non-KB. Activity: export.{key}.console Command: Function: To translate a key from encryption under the specified LMK to encryption under a ZMK.
  • Page 385 10K Installation and User Guide • Mode of Use: See the Mode of Use Table the payShield 10K Host Programmer's Manual. • Key Version Number: 00-99. • Exportability: See the Exportability Table in the payShield 10K Host Programmer's Manual.
  • Page 386 10K Installation and User Guide Example 1: This example exports a key to X9.17 format. (Variant LMK) Online-AUTH> KE <Return> Enter Key type: 002 <Return> Enter Key Scheme: X <Return> Enter ZMK: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX <Return>...
  • Page 387 10K Installation and User Guide Example 5: This example exports a key to Thales Key Block format. (3DES or AES Key Block LMK) Online> KE <Return> Enter LMK id: 01 <Return> Enter key scheme (ZMK): S <Return> Enter ZMK: S XXXXXXXX……XXXXXX <Return>...
  • Page 388: Generate A Check Value (Ck)

    10K Installation and User Guide Variant  Key Block  Generate a Check Value (CK) Online  Offline  Secure  Authorization: Required if ≠ 6 digits Activity: generate.{key}.console Authorization: Not required. Command: Function: To generate a key check value (KCV) for a key encrypted under a specified LMK.
  • Page 389 • Invalid key type; re-enter - the key type is invalid. See the Key Type Table in the payShield 10K Host Programmer's Manual. • Internal failure 12: function aborted - the contents of LMK storage have been corrupted or erased.
  • Page 390: Set Kmc Sequence Number (A6)

    10K Installation and User Guide Set KMC Sequence Number (A6) Variant  Key Block  Online  Offline  Secure  Authorization: Required Activity: misc.console Command: Function: To set the value of the KMC sequence number held within the HSM protected memory.
  • Page 391: Payment System Commands

    10K Installation and User Guide Payment System Commands The payShield 10K provides the following console commands to support some of the card payment systems host commands. Command Page Generate a Card Verification Value (CV) Generate a VISA PIN Verification Value (PV)
  • Page 392: Generate A Card Verification Value (Cv)

    10K Installation and User Guide Variant  Key Block  Generate a Card Verification Value (CV) Online  Offline  Secure  Authorization: Required Activity: misc.console Command: Function: To generate a VISA CVV or MasterCard CVC. Authorization: The HSM must be either in the Authorized State, or the activity misc.console must be authorized, using the Authorizing Officer cards of the relevant LMK.
  • Page 393 10K Installation and User Guide Example 1: This example generates a CVV using a CVK pair encrypted in variant format. (Variant LMK) Online-AUTH> CV <Return> Enter LMK id: 00 <Return> Enter key A: XXXX XXXX XXXX XXXX <Return> Enter key B: XXXX XXXX XXXX XXXX <Return>...
  • Page 394: Generate A Visa Pin Verification Value (Pv)

    10K Installation and User Guide Variant  Key Block  Generate a VISA PIN Verification Value (PV) Online  Offline  Secure  Authorization: Required Activity: misc.console Command: Function: To generate a VISA PIN Verification Value (PVV). Authorization: The HSM must be either in the Authorized State, or the activity misc.console must be authorized, using the Authorizing Officer cards of the relevant LMK.
  • Page 395 10K Installation and User Guide Example 1: This example generates a PVV using a PVK pair in variant format. (Variant LMK) Online-AUTH> PV <Return> Enter LMK id: 00 <Return> Enter key A: XXXX XXXX XXXX XXXX <Return> Enter key B: XXXX XXXX XXXX XXXX <Return>...
  • Page 396: Load The Diebold Table (R)

    100 bytes, the index must be in the range 000-07F. See the payShield 10K Host Programmer's Manual for further information. • If the security setting "Enforce key type 002 separation for PCI HSM compliance" is changed, the Diebold Table must be re-entered by using this command.
  • Page 397 10K Installation and User Guide Example: The security setting "User storage key length" has a fixed length value. Online-AUTH> R <Return> Enter LMK id: 00 <Return> Enter index (000 – FE0): XXX <Return> Now enter table, 16 hex digits/line Line 01: XXXX XXXX XXXX XXXX <Return>...
  • Page 398: Encrypt Decimalization Table (Ed)

    10K Installation and User Guide Variant  Key Block  Encrypt Decimalization Table (ED) Online  Offline  Secure  Authorization: Required Activity: misc.console Command: Function: To encrypt a 16 digit decimalization table for use with host commands using IBM 3624 PIN Generation &...
  • Page 399 10K Installation and User Guide Note: The result of the "ED" command gives no indication as to the LMK scheme or LMK identifier used in the command. When this value is used with other (host) commands, the user must ensure that the correct LMK is specified in the command.
  • Page 400: Translate Decimalization Table (Td)

    10K Installation and User Guide Variant  Key Block  Translate Decimalization Table (TD) Online  Offline  Secure  Authorization: Required Activity: misc.console Command: Function: To translate an encrypted decimalization table from Encryption under an old LMK to encryption under the corresponding new LMK.
  • Page 401 10K Installation and User Guide Example (Variant or 3DES Key Block LMK): Online-AUTH> TD <Return> Enter LMK id: 00 <Return> Enter decimalization table encrypted under old LMK : XXXXXXXXXXXXXXXX <Return> Decimalization table encrypted under new LMK YYYYYYYYYYYYYYYY Online-AUTH> Example: Online-AUTH>...
  • Page 402: Generate A Mac On An Ipb (Mi)

    10K Installation and User Guide Variant  Key Block  Generate a MAC on an IPB (MI) Online  Offline  Secure  Authorization: Required Activity: misc.console Command: Function: To generate a MAC on the Cryptogram component of a CAP IPB.
  • Page 403: Smartcard Commands

    10K Installation and User Guide Smartcard Commands The payShield 10K provides the following console commands to support HSM smartcards. Please note that some of these commands are designed to operate only with the legacy HSM smartcards, while others may support both the legacy smartcards and the new smartcards used with the payShield Manager.
  • Page 404: Format An Hsm Smartcard (Fc)

    10K Installation and User Guide Variant  Key Block  Format an HSM Smartcard (FC) Online  Offline  Secure  Authorization: Not required Command: Function: To format an HSM smartcard for use by the HSM. Different formats are used for LMK storage and saving HSM settings.
  • Page 405 10K Installation and User Guide Example 1: Online> FC <Return> Insert card and press ENTER: <Return> Card already formatted, continue? [Y/N]: Y <Return> Format card for HSM settings/LMKs? [H/L]: L <Return> Erasing card Formatting card . . . Enter new PIN for Smartcard: ******* <Return>...
  • Page 406: Create An Authorizing Officer Smartcard (Co)

    10K Installation and User Guide Variant  Key Block  Create an Authorizing Officer Smartcard (CO) Online  Offline  Secure  Authorization: Not required Command: Function: To copy the Password for an Authorizing Officer to another smartcard (RLMKs are supported) so that it can be used to set the HSM into the Authorized State.
  • Page 407: Verify The Contents Of A Smartcard (Vc)

    10K Installation and User Guide Variant  Key Block  Verify the Contents of a Smartcard (VC) Online  Offline  Secure  Authorization: Not required Command: Function: To verify the key component or share held on a smartcard. The HSM reads the key component from the smartcard, computes the check value, compares this with the check value stored on the card and displays the result.
  • Page 408: Change A Smartcard Pin (Np)

    10K Installation and User Guide Variant  Key Block  Change a Smartcard PIN (NP) Online  Offline  Secure  Authorization: Not required Command: Function: To select a new PIN for a smartcard (RACCs and RLMKs are supported) without changing any of the other details stored on the card.
  • Page 409: Read Unidentifiable Smartcard Details (Rc)

    10K Installation and User Guide Variant  Key Block  Read Unidentifiable Smartcard Details (RC) Online  Offline  Secure  Authorization: Not required Command: Function: To read otherwise unidentifiable smartcards (RACCs and RLMKs supported). Authorization: The HSM does not require any authorization to run this command.
  • Page 410: Eject A Smartcard (Eject)

    10K Installation and User Guide Variant  Key Block  Eject a Smartcard (EJECT) Online  Offline  Secure  Authorization: Not required Command: EJECT Function: To eject the smartcard from the smartcard reader. Authorization: The HSM does not require any authorization to run this command.
  • Page 411: Des Calculator Commands

    10K Installation and User Guide DES Calculator Commands The payShield 10K provides the following console commands to support the encryption and decryption of data with a given plaintext single, double or triple-length DES key: Command Page Single-Length Key Calculator (N)
  • Page 412: Single-Length Key Calculator (N)

    10K Installation and User Guide Variant  Key Block  Single-Length Key Calculator (N) Online  Offline  Secure  Authorization: Not required Command: Function: To encrypt and decrypt the given data block with the given single-length key. Authorization: The HSM does not require any authorization to run this command.
  • Page 413: Double-Length Key Calculator ($)

    10K Installation and User Guide Variant  Key Block  Double-Length Key Calculator ($) Online  Offline  Secure  Authorization: Not required Command: Function: To encrypt and decrypt the given data block with the given double-length key. Authorization: The HSM does not require any authorization to run this command.
  • Page 414: Triple-Length Key Calculator (T)

    10K Installation and User Guide Variant  Key Block  Triple-Length Key Calculator (T) Online  Offline  Secure  Authorization: Not required Command: Function: To encrypt and decrypt the given data block with the given triple-length key. Authorization: The HSM does not require any authorization to run this command.
  • Page 415: payShield Manager Commands

    payShield Manager Commands. This section describes the commands used to configure the HSM for use with the payShield Manager. The payShield 10K provides the following console commands to support the payShield Manager (command and page)...
  • Page 416: Add a RACC to the Whitelist (XA)

    Command: XA. Authorization: Not required. Function: To add a RACC to the whitelist on the HSM. Authorization: The HSM must be in Secure state to run this command.
  • Page 417: Decommission the HSM (XD)

    Command: XD. Authorization: Not required. Function: To decommission the HSM by deleting the payShield Manager's keys and groups. Authorization: The HSM must be in Secure state to run this command.
  • Page 418: Remove RACC from the Whitelist (XE)

    Command: XE. Authorization: Not required. Function: To remove a RACC from the whitelist. Authorization: The HSM must be in Secure state to run this command.
  • Page 419: Commission the HSM (XH)

    Command: XH. Authorization: Not required. Function: To commission the HSM. Authorization: The HSM must be in Secure state to run this command.
  • Page 420: Generate Customer Trust Authority (XI)

    Command: XI. Authorization: Not required. Function: Generates the Customer Trust Authority (CTA) and stores its shares on smartcards. Authorization: The HSM must be in Secure state to run this command.
  • Page 421
      CTA share written to smartcard.
      Insert payShield Manager Smartcard 3 of 3 and press ENTER: <Return>
      Enter new PIN for smartcard: ****** <Return>
      Re-enter new PIN: ****** <Return>
      Working..CTA share written to smartcard.
  • Page 422: Make an RACC Left or Right Key (XK)

    Command: XK. Authorization: Not required. Function: Defines a RACC as either a left or right key in the whitelist on the HSM.
  • Page 423: Commission a Smartcard (XR)

    Command: XR. Authorization: Not required. Function: To commission a smartcard. Authorization: The HSM must be in Secure state to run this command.
  • Page 424: Transfer Existing LMK to RLMK (XT)

    Command: XT. Authorization: Not required. Function: To transfer an existing HSM LMK stored on legacy smartcards to payShield Manager RLMK cards for use through the payShield Manager.
  • Page 425
      Card Check: E0CBF4
      LMK share written to smartcard.
      Want to test the reassembly of the LMK? Y <Return>
      Please have all the RLMK shares ready
      Insert RLMK card and press ENTER: <Return>
      Enter PIN: ****** <Return>...
  • Page 426: Decommission a Smartcard (XX)

    Command: XX. Authorization: Not required. Function: To decommission a payShield Manager smartcard. Authorization: The HSM may be in any state to run this command.
  • Page 427: HSM Commissioning Status (XY)

    Command: XY. Authorization: Not required. Function: To show the state of the HSM Management commissioning and whitelist. Authorization: The HSM may be in any state to run this command.
  • Page 428: Duplicate CTA Share (XZ)

    Command: XZ. Authorization: Not required. Function: To duplicate a CTA share smartcard. Authorization: The HSM must be in Secure state to run this command.
  • Page 429: Secure Host Communications

    The Certificate Requests and Certificates may be stored on / loaded from a regular USB memory stick. The required format for the USB memory stick is FAT32. The Operating System used in the payShield 10K supports most types of USB memory sticks, but may not have the drivers for some of the newer types. If difficulties are experienced when trying to read from or write to a USB device, an alternative memory stick should be used.
  • Page 430: Generate Certificate Signing Request (SG)

  • Page 431 Example 1: This example demonstrates the use of the SG console command to generate a 521-bit ECDSA public/private key pair and output a certificate signing request.
      Secure> SG <Return>
      Please enter the Subject Information for the Certificate Request:
      Country Name (2 letter code) []: UK <Return>...
  • Page 432 Example 2: This example demonstrates the use of the SG console command to generate a 2048-bit RSA public/private key pair and output a certificate signing request.
      Secure> SG <Return>
      Please enter the Subject Information for the Certificate Request:
      Country Name (2 letter code) []: UK <Return>...
  • Page 433: Import Certificate (SI)

  • Page 434 Example 2: This example demonstrates the use of the SI console command to import the HSM's (now signed) certificate back into the HSM. (Note that the root CA certificate has already been installed (see Example 1), and so the HSM indicates that the "Chain of Trust"...
  • Page 435: Export HSM Certificate's Chain of Trust (SE)

  • Page 436 Example 1: This example demonstrates the use of the SE console command to export the HSM certificate's chain of trust (in this case, just the root CA certificate) to a USB memory stick.
      Secure> SE <Return>...
  • Page 437: View Installed Certificate(s) (SV)

    Command: SV. Authorization: Not required. Function: To view the list of currently installed certificates (for use with secure host communications). Individual certificates can be displayed in full.
  • Page 438 Example 1: This example demonstrates the use of the SV console command to view the list of currently installed certificates, and to display the contents of the HSM's certificate.
      Secure> SV <Return>
      HSM Private Key installed: Yes...
  • Page 439
      Digital Signature, Non Repudiation, Key Encipherment
      Signature Algorithm: sha1WithRSAEncryption
      b8:e9:e9:8f:2e:f9:50:93:a1:8b:8d:0b:e5:fd:ef:6f:6c:05:
      …
      59:0d:df:85:b7:48:c6:02:d9:16:f9:80:e5:c9:c2:69:7f:06:
      2b:ba:18:9f
      Do you wish to view another certificate? N <Return>
      Online>
  • Page 440: Delete Installed Certificate(s) (SD)

    Command: SD. Authorization: Not required. Function: To delete a currently installed certificate (for use with secure host communications). Authorization: The HSM must be in the secure state to run this command.
  • Page 441: Generate HRK (SK)

    Command: SK. Authorization: Not required. Function: To generate a new HSM Recovery Key (HRK). Once installed, the HRK will be used to back up secret key material inside the HSM into persistent memory (a process known as key synchronization).
  • Page 442: Change HRK Passphrase (SP)

    Command: SP. Authorization: Not required. Function: To change one of the passphrases associated with the HRK. Authorization: The HSM must be in the secure state to run this command.
  • Page 443: Restore HRK (SL)

    Command: SL. Authorization: Not required. Function: To restore the HRK (and also the secret key material backed up by the HRK) in the event of erasure of tamper-protected memory.
  • Page 444: KMD Support Commands

    KMD Support Commands. This section describes the set of console commands that facilitate the operation of the Thales Key Management. Please note the Key Management Device (KMD) is now end of sale and has been replaced by the Trusted Management Device (TMD) –...
  • Page 445: Generate KTK Components (KM)

    Command: KM. Authorization: Not required. Function: To generate the components of a KMD Transport Key (KTK), and store the components on smartcards.
  • Page 446: Install KTK (KN)

    Command: KN. Authorization: Not required. Function: To install a KMD Transport Key (KTK) into the HSM. Authorization: None • Inputs: KTK Identifier: 2 numeric digits •...
  • Page 447: View KTK Table (KT)

    Command: KT. Authorization: Not required. Function: To display the KTK table. Authorization: None • Inputs: None • Outputs: List of installed KTKs...
  • Page 448: Import Key Encrypted Under KTK (KK)

    Command: KK. Authorization: Required. Activity: command.kk.console. Function: To translate a key from encryption under a KTK to encryption under an LMK.
  • Page 449: Delete KTK (KD)

    Command: KD. Authorization: Not required. Function: To delete a selected KTK from the HSM. Authorization: None • Inputs: KTK Identifier •...
  • Page 450: Error Responses Excluded from Audit Log

    Error Responses Excluded from Audit. If the option to Audit Error Responses to Host Commands is selected using AUDITOPTIONS, those errors which may require attention by the HSM Administrators or Security Officers are logged. The following non-00...
  • Page 453 Appendix B - Configuring Ports Using the Console. This chapter describes how to physically configure the payShield HSM to work with the Host system via console commands. Note: Host commands are disabled by default.
  • Page 454 Where a firewall is used to protect the network link to the Management port, the following ports should be opened as appropriate: Table 7 Port settings with Firewall...
  • Page 455 Configure the Printer Port. The payShield 10K is compatible with several types of printers:
      • a serial printer (connected via a USB-to-serial converter cable),
      • a parallel printer (connected via a USB-to-parallel converter cable),
      • ...
  • Page 456 B.3.1.1 Message Header Length. Each transaction to the HSM begins with a string of characters (header) which the Host can use to identify the transaction (or for any other purpose). The HSM returns the string unchanged to the Host in the response message.
  • Page 457 The payShield provides network resiliency by supporting two independent network paths between the Host computer and HSM. In order to take advantage of this feature, the two HSM Host interfaces must be connected to two independent interfaces at the Host computer.
  • Page 459 Where a firewall is used to protect the network link to the host port, the following ports should be opened as appropriate: Table 8 Port Settings (Port, Protocol, Purpose): SNMP Requests - Utilization and Health Check data; SNMP Traps.
  • Page 461 This chapter describes how to commission a payShield 10K using console commands. payShield Manager for payShield 10K is usually commissioned remotely. However, if for any reason the payShield 10K is no longer warranted, the Console can be used to set up payShield Manager as described in this section.
  • Page 462 Prerequisites:
      – The Remote payShield Manager license (i.e., PS10-LIC-RMGT) is installed.
      – A payShield HSM is connected via the Management Port to a secure WAN.
      – You are using DHCP to connect and you know the IP address of the HSM.
  • Page 463
      Secure> XI <Return>
      Please enter the certificate Subject information:
      Country Name (2 letter code) [US]: US <Return>
      State or Province Name (full name) []: Florida <Return>
      Locality Name (eg, city) []: Plantation <Return>
      Organization Name (eg, company) []: Thales <Return>...
  • Page 464 Notes: • The Country, State, Locality, Organization, Common Name, and Email parameter values are those that are included in the X.509 certificate corresponding to the CTA. The Common Name is the only required parameter and it should concisely describe the security domain.
  • Page 465 – CA public key certificate. The HMK is used to encrypt the HSM's private key. The HSM uses the HSM's private key when establishing the TLS/SSL session. 1. At the prompt, enter SK and press ENTER.
  • Page 466 • Two payShield Manager smart cards (different than the CTA shares). Note: These smart cards will be used as the Left and Right RACCs that replace both the physical keys on the front panel and the trusted officers.
  • Page 467 Note: A link is provided to return you to the section below. C.3.6 Migrate LMK Cards to become RLMK Cards. The XT console command transfers an existing HSM LMK stored on legacy Thales smart cards to payShield Manager RLMK cards for use through the payShield Manager.
  • Page 468 Example:
      Secure> XT <Return>
      Please have all the local LMK components and enough commissioned RACCs to receive the LMK ready.
      Insert card and press ENTER: <Return>
      Enter PIN: ***** <Return>...
  • Page 469 Our team of knowledgeable and friendly support staff are available to help. If your product is under warranty or you hold a support contract with Thales, do not hesitate to contact us using the link below. For more information, consult our standard Terms and Conditions for Warranty and Support.
  • Page 470 Contact us: For all office locations and contact information, please visit cpl.thalesgroup.com/contact-us
