Generating Component Set 1

In the description that follows, user entries at the Console are shown underlined. Characters returned by the HSM that depend on the values entered by the user (and therefore cannot be predicted) are shown as X.

It is assumed that the HSM has been set for Smartcard mode and Echo On at security configuration (CS command).

1. Set the HSM into the Secure state: insert the keys in both of the key switches on the HSM front panel and rotate them both one quarter turn. The Console displays:

HSM going OFFLINE, press Reset to go Online.
Master Key loading facilities now available.
Secure>

2. Initiate the LMK generation and storage procedure. Use the GK command. The HSM responds with a series of prompts to ensure that the initial starting conditions are achieved.

Secure> GK <Return>

The HSM responds with:

LMKs must be erased before proceeding.
Erase LMKs?
Y <Return>

3. The HSM prompts for the number of the component set:

LMK component set [1-9]: 1  <Return>

4. The HSM prompts for the first (16-character hexadecimal) secret value:

Enter secret value A: aaaaaaaaaaaaaaaa <Return>

If Echo Off has been configured, the characters are displayed as stars (*).
If only <Return> is entered, the HSM generates a random number for use as the secret value.
Note: The random number created by the HSM is not displayed.

5. The HSM prompts for the second (16-character hexadecimal) secret value:

Enter secret value B: aaaaaaaaaaaaaaaa <Return>

As in Step 4, just <Return> can be entered.

6. The HSM prompts for the third (8-character decimal) value, which may (for example) be the date:

Enter value C:  18051994 <Return>

As in Step 4, just <Return> can be entered.

7. The HSM is now ready to copy the LMKs onto Smartcards. It prompts:

Insert blank card and enter PIN:  *****  <Return>

Insert the Smartcard in the reader and enter its PIN.
If there is a fault on the card or it already has data on it, either allow the HSM to write over the old data or reject the card and use another, as applicable, in reply to prompts from the HSM.

8. The HSM displays:

Writing keys
Checking keys
Device write complete, check: XXXX XXXX XXXX XXXX

Remove the Smartcard and store it securely. If a failure has occurred, the Smartcard is ejected: return to Step 7.
Make a note of the check value for future reference. (It is subsequently used to ensure that the contents of the Smartcard are correct, and should be safely stored.)
The HSM prompts:

Make another copy? [Y/N]: Y <Return>

9. Make another copy: repeat Steps 8 and 9 until the required number of copies has been made, then terminate the command in response to the prompt:

Make another copy? [Y/N]: N <Return>
X copies made
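
With Echo On, a captured Console session contains secret values A, B and C in clear, so a capture should be redacted before it is filed with the key-ceremony record. The following is an added example, not part of the HSM documentation: it redacts the answers to the secret prompts shown above and extracts the component set number, the check values and the reported copy count. The transcript is constructed, the function name `process_transcript` is hypothetical, and it is an assumption that "X copies made" reports a decimal count equal to the number of successful writes.

```python
import re

# Constructed sample of a console capture (Echo On); all values are made up.
SAMPLE = """\
Secure> GK
LMK component set [1-9]: 1
Enter secret value A: 0123456789ABCDEF
Enter secret value B: FEDCBA9876543210
Enter value C: 18051994
Insert blank card and enter PIN: *****
Device write complete, check: 1A2B 3C4D 5E6F 7081
Make another copy? [Y/N]: Y
Insert blank card and enter PIN: *****
Device write complete, check: 1A2B 3C4D 5E6F 7081
Make another copy? [Y/N]: N
2 copies made
"""

# Prompts whose answers must never reach the archived record.
SECRET = re.compile(r"^(Enter (?:secret )?value [ABC]:|Insert blank card and enter PIN:).*$")
SET_NO = re.compile(r"^LMK component set \[1-9\]:\s*([1-9])\s*$")
CHECK = re.compile(r"^Device write complete, check:\s*((?:[0-9A-Fa-f]{4} ?){4})\s*$")
COPIES = re.compile(r"^(\d+) copies made\s*$")


def process_transcript(text):
    """Return (redacted_text, record) for one GK session capture."""
    out = []
    record = {"component_set": None, "check_values": [], "copies_reported": None}
    for line in text.splitlines():
        if m := SECRET.match(line):
            line = m.group(1) + " [REDACTED]"
        elif m := SET_NO.match(line):
            record["component_set"] = int(m.group(1))
        elif m := CHECK.match(line):
            record["check_values"].append(m.group(1).strip())
        elif m := COPIES.match(line):
            record["copies_reported"] = int(m.group(1))
        out.append(line)
    # Assumption: each successful write prints one check line, so the counts agree.
    record["count_ok"] = record["copies_reported"] == len(record["check_values"])
    return "\n".join(out), record


if __name__ == "__main__":
    redacted, record = process_transcript(SAMPLE)
    print(redacted)
    print(record)
```
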

Generating Component Set 2

The procedure for generating Component Set 2 is almost the same as the procedure for generating Component Set 1. The only difference is:

· In Step (3), enter 2 (for Component Set 2) instead of 1.

Generating Component Set 3 (etc.)

The procedure for generating Component Set 3 (and 4 to 9, as required) is almost the same as the procedure for generating Component Set 1.

1. In Step (3), enter 3 (or 4, etc.) instead of 1.

2. When all component sets have been generated, to return the HSM to normal use, load the LMKs and lock the cam locks on the front panel. Remove the keys.

Password Mode

The HSM may be configured for Password Mode authorisation using the CS (Configure Security) command.

This mode is provided for backward compatibility.

The process is similar to generating Component Sets 1 and 2, except that there is an extra step before Step (5), in which the HSM prompts twice for the (16-character alphanumeric) Password.