Command: CS (Configure Security). The HSM must be in the Secure state.
Function: To set the security configuration of the HSM and some processing parameters. CS converts all lower-case alpha values to upper case for display purposes, except for the Card issuer Password. Operation is menu-driven, as shown in the examples. The security settings can optionally be saved to a Smartcard.
Inputs:
PIN length [4-12]: a one or two-digit number in the range 4 to 12
Echo [oN/ofF]: N or F
Atalla ZMK variant support [oN/ofF]: N or F
Transaction key scheme: Racal, Australian or None? [R/A/N]: R or A or N
User storage key length [S/D/T]: S, D or T
Erase LMKs? [Y/N]: confirm Y or N
Select clear PINs? [Y/N]: Y or N
Enable ZMK translate command? [Y/N]: Y or N
Enable X9.17 for import? [Y/N]: Y or N
Enable X9.17 for export? [Y/N]: Y or N
Solicitation batch size [1-1024]: a one to four-digit number, range 1 to 1024
Enable single-DES [Y/N]: Y or N
Prevent Single-DES keys masquerading as double or triple-length key? [Y/N]: Y or N
Single/double length ZMKs [S/D]: S or D (Single or Double)
Decimalization table Encrypted/Plaintext [E/P]: E or P
Enable decimalization table checks? [Y/N]: Y or N
PIN encryption algorithm: A or B (Visa method or Racal Method)
Card/password authorisation [C/P]: C or P (Card or Password)
Card issuer password [ENTER = no change]: 8 alphanumeric printable characters
Authorised State required when importing DES key under RSA key? [Y/N]: Y or N
Minimum HMAC verification length in bytes [5-20]: a one to two-digit number, range 5-20
Enable PKCS#11 import and export for HMAC keys [Y/N]: Y or N
Enable ANSI X9.17 import and export for HMAC keys [Y/N]: Y or N
Enable ZEK encryption of all printable ASCII chars [Y/N]: Y or N
Enable ZEK encryption of “Base94” ASCII chars [Y/N]: Y or N
Enable ZEK encryption of “Base64” ASCII chars [Y/N]: Y or N
Enable ZEK encryption of “Hex-only” ASCII chars [Y/N]: Y or N
Restrict Key Check Values to 6 hex chars [Y/N]: Y or N
Enable Multiple Authorised Activities [Y/N]: Y or N
Save SECURITY settings to Smartcard? [Y/N]: Y or N
Outputs: Prompts according to the settings chosen (see examples below).
Errors: Invalid entry.
Card not formatted to save/retrieve HSM settings.
Attempt with another card? [Y/N]:
Note: Changing the ZMK single/double setting in the above command will affect the output responses of a number of related console commands.
The default values for the parameters are:
| Parameter | Default value |
|---|---|
| PIN length | 4 |
| Echo | Off |
| Atalla ZMK variant support | Off |
| Transaction key scheme: Racal, Australian or None | None |
| User storage key length | Single |
| Enable single-DES | No |
| Prevent Single-DES keys masquerading as double or triple-length key | Yes |
| Select clear PINs | No |
| Enable ZMK translate command | No |
| Enable X9.17 for import | No |
| Enable X9.17 for export | No |
| Solicitation batch size | 1024 |
| ZMK length | Double |
| PIN encryption algorithm | A (Visa method) |
| Card/password authorisation | Card |
| Card issuer password | GUARDATA |
| Decimalization table Encrypted/Plaintext | Encrypted |
| Enable decimalization table checks | Yes |
| Authorised State required when importing DES key under RSA key | Yes |
| Minimum HMAC verification length in bytes | 10 |
| Enable PKCS#11 import and export for HMAC keys | No |
| Enable ANSI X9.17 import and export for HMAC keys | No |
| Enable ZEK encryption of all printable ASCII chars | No |
| Enable ZEK encryption of Base 94 ASCII chars | No |
| Enable ZEK encryption of Base 64 ASCII chars | No |
| Enable ZEK encryption of Hex only ASCII chars | No |
| Restrict Key Check Value to 6 Hex chars | Yes |
| Enable Multiple Authorised Activities | Yes |

Example 1:
Secure> CS <Return>
PIN Length [4-12]: 4 <Return>
Echo [oN/ofF]: N <Return>
Transaction Key Scheme: Racal, Australian or None [R/A/N]: N <Return>
Racal or Australian transaction key [R/A]: R <Return>
User storage key length [S/D/T]: S <Return>
LMKs must be erased before remaining parameters can be set.
Erase LMKs? [Y/N]: N <Return>
Save SECURITY settings to smart card? [Y/N]: N <Return>
Example 2:
Secure> CS <Return>
PIN length [4-12]: 4 <Return>
Echo [oN/ofF]: F <Return>
Atalla ZMK variant support [oN/ofF]: F <Return>
Transaction key scheme Racal, Australian or None ? [R/A/N]: R <Return>
User storage key length [S/D/T]: S <Return>
LMKs must be erased before remaining parameters can be set.
Erase LMKs? [Y/N]: Y <Return>
Select clear PINs? [Y/N]: N <Return>
Enable ZMK translate command? [Y/N]: N <Return>
Enable X9.17 for import? [Y/N]: N <Return>
Enable X9.17 for export? [Y/N]: N <Return>
Solicitation batch size [1-1024]: 1024 <Return>
Enable Single DES [Y/N]: Y <Return>
Prevent single-DES keys masquerading as double or triple-length key [Y/N]: Y <Return>
Single/double length ZMKs [S/D]: S <Return>
Decimalization table Encrypted/Plaintext [E/P]: E <Return>
Enable decimalization table checks? [Y/N]: Y <Return>
PIN encryption algorithm [A/B]: A <Return>
Card/password authorisation [C/P]: C <Return>
Card issuer password [Enter = no change]: <Return>
Authorised State required when importing DES key under RSA key [Y/N]: Y <Return>
Minimum HMAC verification length in bytes? [5-20]: 10 <Return>
Enable PKCS#11 import and export for HMAC keys? [Y/N]: N <Return>
Enable ANSI X9.17 import and export for HMAC keys? [Y/N]: N <Return>
Enable ZEK encryption of all printable ASCII chars? [Y/N]: N <Return>
Enable ZEK encryption of “Base94” ASCII chars? [Y/N]: N <Return>
Enable ZEK encryption of “Base64” ASCII chars? [Y/N]: Y <Return>
Restrict Key Check Value to 6 hex chars [Y/N]: Y <Return>
Enable Multiple Authorised Activities [Y/N]: Y <Return>
Save SECURITY settings to smart card? [Y/N]: Y <Return>
Insert card and press ENTER: <Return>
SECURITY settings saved to the smart card.
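
The following is an added example, not part of the original manual: a Python audit helper that parses a captured CS console transcript and reports every answer that differs from the documented default. The function names, the normalized keys and the mapping of table defaults to console answers (for example "Double" to "D") are assumptions made for this sketch; prompts left unanswered, such as the card issuer password, are skipped.

```python
import re
# Subset of the page's default table, keyed by normalized CS prompt text, with
# defaults written as the console answer (assumed mapping: "Double" -> "D").
DEFAULTS = {
    "selectclearpins": "N",
    "enablezmktranslatecommand": "N",
    "enablex917forimport": "N",
    "enablex917forexport": "N",
    "enablesingledes": "N",
    "preventsingledeskeysmasqueradingasdoubleortriplelengthkey": "Y",
    "singledoublelengthzmks": "D",
    "decimalizationtableencryptedplaintext": "E",
    "enabledecimalizationtablechecks": "Y",
    "authorisedstaterequiredwhenimportingdeskeyunderrsakey": "Y",
    "minimumhmacverificationlengthinbytes": "10",
    "enablezekencryptionofbase64asciichars": "N",
    "restrictkeycheckvalueto6hexchars": "Y",
}
LINE = re.compile(r"^([^\[]+?)\??\s*\[[^\]]*\]\s*:\s*(\S+?)\s*<\s*Return\s*>", re.I)

def norm(prompt):
    """Lower-case and drop punctuation so prompt spelling variants collide."""
    return re.sub(r"[^a-z0-9]", "", prompt.lower())

def parse_cs_transcript(text):
    """Return {normalized prompt: answer}; unanswered prompts are skipped."""
    answers = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            answers[norm(m.group(1))] = m.group(2).upper()
    return answers

def deviations(text):
    """Return {setting: (entered, default)} for answers that differ."""
    answers = parse_cs_transcript(text)
    return {k: (answers[k], d) for k, d in DEFAULTS.items()
            if k in answers and answers[k] != d}

# Constructed sample: lines taken from the page's Example 2.
SAMPLE = """\
Enable Single DES [Y/N]: Y <Return>
Single/double length ZMKs [S/D]: S <Return>
Card issuer password [Enter = no change]: <Return>
Minimum HMAC verification length in bytes? [5-20]: 10 <Return>
Enable ZEK encryption of “Base64” ASCII chars? [Y/N]: Y<Return>
Restrict Key Check Value to 6 hex chars [Y/N]:Y<Return>
"""
```

Calling `deviations(SAMPLE)` flags single-DES enabled, single-length ZMKs and Base64 ZEK encryption as departures from the defaults in the table above.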