TSM500i and TsmWeb User Guide (PCI HSM v3)
June 2018

Document number: PR-D2-1037 Rev 1.1
Release date: June 2018
Prepared by: SS, RP
Copyright: © 2018 Prism Payment Technologies (Pty) Ltd
Synopsis: This document describes the PCI HSM v3.0 TSM500i Hardware Security Module (HSM) as well as the TsmWeb interface used to manage this HSM.

Company Confidential

Disclaimer
The information in this document is intended only for the person or the entity to which it is addressed and may contain confidential and/or privileged material. Any views, recreation, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient, is prohibited.
Prism Payment Technologies (Pty) Ltd makes no representations or warranties whether expressed or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

Zazoo Limited, Co. No 9265606 | Directors: Dr S C P Belamant (French), Mr H G Kotze, Mr P M Belamant | Company Secretary: Ms C W van Straaten
Tel: +44 207 340 6300 | Fax: +44 207 340 6301 | Email: info@zazooltd.com
Address: 111 Buckingham Palace Road, London, SW1W 0SR, United Kingdom
www.zazooltd.com


Summary of Contents for ZAZO TsmWeb TSM500i

  • Page 1 TSM500i and TsmWeb User Guide (PCI HSM v3) June 2018 Document number: PR-D2-1037 Rev 1.1 Release date: June 2018 Prepared by: SS, RP...
  • Page 2 Important Notes: This document only applies to a TSM500i that has Boot Loader v1.5.0.0 or later. Earlier versions of the boot loader do not have the same dual control requirements as mandated by PCI HSM v3.0.
  • Page 3: Table Of Contents

    Contents: 1 TSM500i OVERVIEW (p. 6); TSM500i-PCIe DESCRIPTION (p. 6); TSM500i-NSS DESCRIPTION (p. 6); KCED DESCRIPTION (p. 7); 2 INSTALLATION & SECURITY PROCEDURES (p. 8); QUICK GUIDE: FROM INSTALLATION TO OPERATION (p. 8); ESTABLISH SECURITY PROCEDURES ...
  • Page 4 2.11.2 Configuring Account and Password Policy (p. 23); 2.11.3 Change Auto-Logoff Timeouts (p. 23); 2.11.4 Disable the default admin account (p. 23); 2.12 BACKUP NSS SETTINGS (p. 24); 2.13 PREPARE TSM FOR OPERATION: LOAD CSPs ...
  • Page 5 4.11 Disabling and Enabling SSL / TLS (p. 40); 4.11.1 Disable TLS from the LCD MENU (p. 40); 4.11.2 Disable or Enable TLS from TSM-WEB (p. 40); 4.12 Upgrading TSM500i firmware ...
  • Page 6: TSM500i Overview

    1 TSM500i OVERVIEW. The TSM500i is a Hardware Security Module (HSM) and is also referred to as the TSM or HSM in this document. These terms are used interchangeably in the remainder of this document. This document only applies to a TSM500i that has Boot Loader v1.5.0.0 or later.
  • Page 7: KCED Description

    1.3 KCED DESCRIPTION. The Key Component Entry Device (KCED) is a secure handheld terminal that is used for the following purposes: • Entry of Cryptographic Passwords (refer section 2.8 and section 3) • ...
  • Page 8: Installation & Security Procedures

    2 INSTALLATION & SECURITY PROCEDURES. 2.1 QUICK GUIDE: FROM INSTALLATION TO OPERATION. Establish Security Procedures (See 2.2): The TSM500i and its Critical Security Parameters (CSPs) must be handled in accordance with documented security procedures in order to meet the security requirements of the Banking Industry and standards bodies.
  • Page 9: Establish Security Procedures

    2.2 ESTABLISH SECURITY PROCEDURES. Security procedures that monitor and control access to the environment, the HSMs and the Critical Security Parameters (CSPs) must be documented and put in place. FIPS, PCI, the Banking Industry and Card Institutions mandate such procedures.
  • Page 10: Inspect And Install Hardware

    2.3 INSPECT AND INSTALL HARDWARE. 2.3.1 Hardware Inspection. This section defines the customer’s responsibilities on receiving TSM500i HSMs to ensure that security is maintained during the delivery process. • ...
  • Page 11: TSM500i-PCIe Hardware Installation

    2.3.3 TSM500i-PCIe Hardware Installation. The following steps are to be followed when installing the TSM500i-PCIe into a PC. The term PC here also applies to servers. • Locate the PC’s card installation documentation and ensure that you are familiar with the safety instructions and precautions conveyed in this document.
  • Page 12: Check Physical Indicators (LEDs)

    2.4 CHECK PHYSICAL INDICATORS (LEDs). After powering on the TSM500i-NSS or the PC in which the TSM500i-PCIe is installed, the red and green Status LEDs provide very important information about the current state of the TSM500i.
  • Page 13: Install Drivers, Conductor & TSM-WEB

    2.5 INSTALL DRIVERS, CONDUCTOR & TSM-WEB. This section is only applicable to the TSM500i-PCIe (it does not apply to a TSM500i-NSS). For a TSM500i-PCIe, perform the following steps: • ...
  • Page 14: Network Setup & Recovery

    2.6 NETWORK SETUP & RECOVERY. This section is only applicable to the TSM500i-NSS (it does not apply to a TSM500i-PCIe). The IP address of the TSM500i-NSS will be displayed on the LCD on the front panel after powering up. The network setting factory defaults are: IP address 192.168.0.201...
  • Page 15: TSM-WEB Interface

    2.7 TSM-WEB INTERFACE. TSM-WEB works best with Chrome and Mozilla Firefox web browsers. Internet Explorer is not officially supported. 2.7.1 Invoking TSM-WEB for a TSM500i-PCIe. Enter http://localhost as the URL into your Web Browser when using TSM500i-PCIe.
  • Page 16: Setting the TSM-WEB Admin Password

    2.7.3 Setting the TSM-WEB admin password. User / Password Setup is optional on a TSM500i-PCIe when using TSM-WEB from the computer that hosts the TSM500i-PCIe. To log in on a local installation, click Login as $Local.
  • Page 17: Using TSM-WEB for the First Time

    2.7.4 Using TSM-WEB for the first time. Enter the username (admin) and your newly assigned password and click Login. Click TSM from the side menu, wait for the TSM management page to load, then click on TSM Status Report which will retrieve a detailed status report from the TSM500i.
  • Page 18: Authenticate HSM and Set Initial Passwords

    2.8 AUTHENTICATE HSM AND SET INITIAL PASSWORDS. The two-step process is used to authenticate the HSM at the place of first deployment, and to simultaneously set the initial 2 crypto officer passwords. This process is used to transfer control of the HSM from the Manufacturer to two Customer crypto officers.
  • Page 19: Authenticate HSM - Request Step

    2.8.2 Authenticate HSM - Request Step. • On the TSM Operators page click on the “Authenticate HSM and Set Initial Passwords” tab. • Select “Request” from the “Action” drop down menu. Click on REQUEST. • ...
  • Page 20: Add Additional Crypto Officers

    • The crypto officers must keep a record of their passwords in a safe place and ENSURE THAT THEY FULLY UNDERSTAND THE CONSEQUENCES OF LOSING THEIR PASSWORDS! If all crypto officers forget their passwords, there is NO way to reset the HSM passwords without ERASING ALL CSPs.
  • Page 21: Set Date And Time

    2.9 SET DATE AND TIME. 2.9.1 [Optional Step] Set Date and Time. Requirements: Logged into TSM-WEB and the KCED connected to the TSM500i. Prism sets the date and time on the TSM500i HSM system to UTC +2 hours which is the local time where the hardware is manufactured.
  • Page 22: Configuring And Testing Conductor

    2.10 CONFIGURING AND TESTING CONDUCTOR. 2.10.1 Configuring Conductor on the TSM500i-NSS. It is not necessary to configure and test Conductor on the TSM500i-NSS. The default settings will work in most environments.
  • Page 23: Setup TSM-WEB Access Control

    2.11 SETUP TSM-WEB ACCESS CONTROL. When using a TSM500i-NSS in an EFT payment system or key injection solution for terminals, TSM-WEB access control needs to be configured so that it complies with PCI-DSS security requirements. The details of PCI-DSS security requirements are beyond the scope of this guide and the user should refer to the latest PCI-DSS security requirements from the PCI Security Standards Council's website.
  • Page 24: Backup NSS Settings

    2.12 BACKUP NSS SETTINGS. The TSM500i-NSS supports a backup of the NSS data store (which includes network settings, conductor settings, user configuration and preferences) and log files to a USB flash drive using the LCD MAIN MENU. • ...
  • Page 25: Prepare TSM for Operation: Load CSPs

    2.13 PREPARE TSM FOR OPERATION: LOAD CSPs. This section covers operational preparation for all TSM500i HSMs except those that are running STS firmware. The most important CSP in an HSM is usually the Storage Master Key (SMK). This key is used to encrypt all other keys which are stored in a key database (outside the HSM).
  • Page 26: Loading SMK Components

    2.13.2 Loading SMK components. The TSM500i requires two Cryptographic Officers to authenticate themselves to the HSM to permit the loading of an SMK. Key loading should take place according to established security procedures, and is usually witnessed by an auditor.
  • Page 27: [Optional] Setting the TSM500i HSM's Operational Permissions

    2.13.3 [Optional] Setting the TSM500i HSM’s Operational Permissions. The TSM500i firmware supports Access Control, allowing cryptographic officers to enhance system security by enabling or disabling certain functionality of the HSM. Two cryptographic officers are required to authenticate themselves to the HSM in order to manage the Access Control settings.
  • Page 28: HSM Password Management

    3 HSM PASSWORD MANAGEMENT. 3.1 How to add a Crypto Officer. This process cannot be used for setting initial passwords. Refer to section 2.8 for details on how to set passwords on initial deployment.
  • Page 29: How To Change An Existing Password

    3.2 How to change an existing password. When changing a password, the Officer must know the existing password and another Officer must have authenticated themselves (dual access control). Requirements: Logged into TSM-WEB and the KCED connected to the TSM500i.
  • Page 30: Reset One Password

    3.3 Reset One Password. This operation may be used to RESET one password. It requires a reset certificate from the Manufacturer and it also requires one officer to authenticate themselves. To proceed, the customer must send a signed letter to the Manufacturer requesting the reset certificate.
  • Page 31: Reset CSPs, Clear All Passwords, and Set Passwords

    3.4 Reset CSPs, clear all passwords, and set passwords. This operation should NOT be used to set initial passwords - for that use 'Authenticate HSM & Set Initial Passwords' (see section 2.8).
  • Page 32: Ongoing Maintenance

    4 ONGOING MAINTENANCE. 4.1 Check Operational vs Privileged state. This paragraph is not applicable to TSM500i HSMs that are running STS firmware. Verify that the TSM500i is in the Operational state and that it is not left in the Privileged state after operations requiring dual control.
  • Page 33: Storage Master Key Migration

    4.4 Storage Master Key Migration. This functionality is NOT applicable on TSM500i HSMs with STS firmware. This section relates to replacing an existing Storage Master Key (SMK) while maintaining all operational keys in the system.
  • Page 34: Load a Migration SMK

    4.4.2 Load a Migration SMK. Before any key translation can be performed, a migration Storage Master Key (SMK) must be loaded into the module. • Select algorithm type from the drop down menu labelled “Algorithm” • ...
  • Page 35: TSM500i Status Information

    4.5 TSM500i Status Information. The user can view the current status of the HSM as well as the history of security-related events on the HSM. Select the TSM Status page from within the TSM menu to obtain a report with detailed status information. The status information displayed will differ depending on whether you are in the Loader state or the Operational state.
  • Page 36: NSS LCD Menu

    4.7 NSS LCD Menu. The LCD’s MAIN MENU allows the following settings to be modified: IP Address, Netmask, default gateway, USB Backup & Restore, Disable SSL/TLS and Resetting of parameters such as Admin Password and factory default settings.
  • Page 37: Backup And Restore

    Backup and Restore. 4.8.1 Backup & Restore on a TSM500i-NSS. This procedure is only applicable to the TSM500i-NSS (it does not apply to a TSM500i-PCIe). Backup: Refer to section 2.12 for the procedure to back up NSS settings and the TSM-WEB database to a directory “NSS_BACKUPS”...
  • Page 38: Backup & Restore on a TSM500i-PCIe

    4.8.2 Backup & Restore on a TSM500i-PCIe. This procedure is only applicable to the TSM500i-PCIe (it does not apply to a TSM500i-NSS). Backup/restore functionality can be implemented via 3rd party software, which is not provided with the TSM-WEB software.
  • Page 39: Reset NSS to Default Settings

    4.9 Reset NSS to Default Settings. Section 4.7 details how to access the Reset submenu from the NSS LCD Main Menu. The Reset Menu includes a number of options and the associated default values are detailed below: 4.9.1 Admin Passwd. Select the “Admin Passwd”...
  • Page 40: SSL/TLS Certificate

    4.10 SSL/TLS Certificate. SSL / TLS support was added to TSM-WEB from v3.21.0 onwards. When logging into TSM-WEB, the web browser will be re-directed to the SSL-secured log-in page. When TSM-WEB generates a certificate, it assigns it a validity period of 2 years.
  • Page 41: Upgrading TSM500i Firmware

    4.12 Upgrading TSM500i firmware. A TSM500i ships from Prism with the customer-specified version of firmware. If you receive an upgrade from Prism, log in to TSM-WEB and select TSM from the side menu to load the TSM management page. Click Reset to Loader in the TSM Management page to set the TSM500i HSM to the Loader state.
  • Page 42: Upgrading TSM500i-NSS System Software

    4.13 Upgrading TSM500i-NSS System Software. This section is only applicable to the TSM500i-NSS (it does not apply to the TSM500i-PCIe). • Upgrading the TSM500i-NSS System Software should not be confused with upgrading the TSM500i HSM Application Firmware.
  • Page 43: Force A Tamper Condition

    4.14 Force a tamper condition. It should only be necessary to force a tamper on an HSM when the HSM is to be decommissioned or redeployed in a different environment for a different purpose. This service can only be performed if the module is in the Loader state and requires both Crypto Officers to have logged in.
  • Page 44: Clear Tamper

    4.15 Clear tamper. If the TSM500i is in a tampered state you will need to reset the tamper. This service requires both Crypto Officers to login to the TSM500i HSM using the KCED. i.e.
  • Page 45: Appendix A - Key Migration File Format

    APPENDIX A – KEY MIGRATION FILE FORMAT. This appendix is applicable to Key Migration, as described in Section 4.4. A key file forms the interface between the Migration Tool and the key database. A single format is used for both input and output files.
  • Page 46: Fields

    A.3 Fields. Each record (line) is of the form: <Key Label>,<Key Space ID>,<Key Type>,<Key>,<Parity>,<Check Value>,<Check Digits> Fields (Name | Type | Description): Key Label | String | A label or name that uniquely identifies the key within the database (or, at minimum, within this file).
  • Page 47: Appendix B - LCD Sequence

    APPENDIX B – LCD SEQUENCE
  • Page 49: Appendix C - List Of Abbreviations

    APPENDIX C - LIST OF ABBREVIATIONS Boot Loader Critical Security Parameter (for example, a password or a key) FIPS Federal Information Processing Standard Hardware Security Module Interface KCED Key Component Entry Device Liquid Crystal Display...
