Command: A (Authorise Activity). Can be used in Online, Offline and Secure modes.
Function: To authorise the HSM to perform certain specified activities.
In command line mode, the operator specifies which activities are to be authorised; in menu mode, the operator is prompted to enter the activities.
In both cases, the selected activities are authorised by submitting two Security Officer cards or passwords.
Inputs: Activities to be authorised.
Timeout value: number of minutes before the HSM will revoke the chosen authorised activity.
PIN (if applicable): 4 to 8 alphanumeric characters.
Password (if applicable): 16 alphanumeric characters.
Outputs: Text messages as shown in examples.
Errors: Card not formatted – the card is not formatted.
Not a LMK card – the card is formatted for HSM settings or is a licence card.
Smartcard error; command/return: 0003 – an invalid PIN was entered.
Invalid PIN; re-enter: – a PIN of fewer than 4 or more than 8 characters was entered.
Data invalid; please re-enter: – the password is of invalid length.
Help Page: Command : A – Authorise activity
Syntax : A [<Activity>] [<Activity>] ...
Activity: <Category>[.<Sub-category>][.<Interface>][:<Timeout>]
Category = generate|component|genprint|import|export|pin|audit|admin|diag|misc|command
Sub-category (for ‘generate|import|export’) = key name, e.g. TPK, MK-AC, etc.
Sub-category (for ‘pin’) = mailer|clear
Interface = host|console
Timeout = value in minutes
Names may be shortened but must remain unique.
Examples:
"pin.mailer" – all commands within the "PIN Mailer" group.
"gen.zmk.con:25" – the generation of ZMKs at the console for 25 mins.
Notes: Activities are described in terms of four fields: Category, Sub-Category, Interface and Timeout. If the Timeout field is omitted, the activity remains authorised until cancelled, either by the console command “C” or the host command “RA”.
Omitting the Sub-Category field, the Interface field, or both is equivalent to authorising every activity formed from all valid values of the omitted fields, so a shorter specification authorises more than a fully specified one; specify every field and a Timeout wherever the task allows, so that the authorisation is no broader or longer-lived than required. For clarification:
pin.mailer
is equivalent to:
pin.mailer.host
pin.mailer.console
and:
pin
is equivalent to:
pin.clear.console
pin.clear.host
pin.mailer.console
pin.mailer.host
When authorising activities, two (or more) activities may overlap, for example:
pin
pin.mailer
There is no requirement to reduce the activities to a minimum set: the list of authorised activities simply consists of all those entered (and authorised) by the user.
There is, however, one case in which an existing activity must be overwritten: when only the Timeout field changes. For example, suppose that the following activity is authorised:
generate.zmk.console:11
and the user then uses the ‘A’ command to authorise:
generate.zmk.console:60
The new activity replaces the first one, even if the newer activity has a shorter Timeout value.
A full list of activity categories and sub-categories is given in Appendix C.
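The activity syntax from the help page and the rules in these Notes (shortened names that must stay unique, expansion of omitted fields, overlapping entries all kept, overwrite on a Timeout-only change, revocation when the Timeout elapses) are modelled in the following Python. It is added here as an illustration and is not the HSM's firmware or any vendor code. It assumes the abbreviation rule implied by the bracketed letters in the console menus (a shortened name is accepted when it is a prefix of exactly one full name and itself extends that name's bracketed abbreviation), that ‘import’ offers the same key names as ‘export’ (its menu is not shown on this page), and that a lone second field is tried as a Sub-Category before being read as an Interface; the two-officer approval step is not modelled.

```python
from typing import Dict, List, Optional, Tuple

# Minimum abbreviations as bracketed in the console menus ([g]enerate, [comp]onent, ...).
# Assumption: a shortened name is accepted when it is a prefix of exactly one full name
# and itself extends that name's bracketed abbreviation (so "gen" is generate, not genprint).
CATEGORIES = {"generate": "g", "component": "comp", "genprint": "genp", "import": "i",
              "export": "e", "pin": "p", "audit": "au", "admin": "ad", "diag": "d",
              "misc": "m", "command": "comm"}
KEY_NAMES = {"zmk": "zm", "kml": "k", "zpk": "zp", "pvk": "p", "tpk": "tp", "tmk": "tm",
             "csck": "cs", "cvk": "cv", "tak": "ta", "wwk": "w", "zak": "za", "bdk": "b",
             "mk-ac": "mk-a", "mk-smi": "mk-smi", "mk-smc": "mk-smc", "mk-dak": "mk-da",
             "mk-dn": "mk-dn", "zek": "ze", "rsa": "r"}
EXPORTABLE = {k: v for k, v in KEY_NAMES.items() if k not in ("zmk", "rsa")}  # export menu
# Sub-category table per category; None means the category has no sub-category.
# Assumption: import offers the same key names as export (its menu is not shown on the page).
SUBCATS: Dict[str, Optional[Dict[str, str]]] = {
    "generate": KEY_NAMES, "import": EXPORTABLE, "export": EXPORTABLE,
    "pin": {"clear": "c", "mailer": "m"}, "component": None, "genprint": None,
    "audit": None, "admin": None, "diag": None, "misc": None, "command": None}
INTERFACES = {"host": "h", "console": "c"}

Activity = Tuple[str, Optional[str], Optional[str]]  # (category, sub-category, interface)


def resolve(typed: str, table: Dict[str, str]) -> str:
    """Expand a possibly shortened name; names may be shortened but must remain unique."""
    typed = typed.lower()
    hits = [n for n, abbr in table.items() if n.startswith(typed) and typed.startswith(abbr)]
    if len(hits) != 1:
        raise ValueError(f"'{typed}' is not a unique name")
    return hits[0]


def parse_spec(spec: str) -> Tuple[Activity, Optional[int]]:
    """Parse Category[.Sub-category][.Interface][:Timeout]; omitted fields become None."""
    body, _, tmo = spec.partition(":")
    if tmo and not (tmo.isdigit() and int(tmo) > 0):
        raise ValueError(f"bad timeout '{tmo}'")
    parts = body.split(".")
    cat = resolve(parts[0], CATEGORIES)
    subs, rest = SUBCATS[cat], parts[1:]
    if len(rest) > (2 if subs else 1):
        raise ValueError(f"too many fields in '{spec}'")
    sub = iface = None
    if subs and rest:
        try:  # assumed disambiguation: a lone second field is a sub-category if it resolves as one
            sub, rest = resolve(rest[0], subs), rest[1:]
        except ValueError:
            if len(rest) == 2:
                raise
    if rest:
        iface = resolve(rest[0], INTERFACES)
    return (cat, sub, iface), (int(tmo) if tmo else None)


def canonical(act: Activity, timeout: Optional[int] = None) -> str:
    """Render an activity the way the console lists it, e.g. generate.zmk.console:60."""
    text = ".".join(f for f in act if f)
    return f"{text}:{timeout}" if timeout else text


def expand(act: Activity) -> List[Activity]:
    """All fully specified activities covered by a spec with omitted fields."""
    cat, sub, iface = act
    subs = [sub] if sub or SUBCATS[cat] is None else list(SUBCATS[cat])
    return [(cat, s, i) for s in subs for i in ([iface] if iface else list(INTERFACES))]


class AuthorisedActivities:
    """The HSM's authorised list: one entry per spec as entered, never reduced to a minimum set."""

    def __init__(self) -> None:
        self.entries: Dict[Activity, Tuple[Optional[int], int]] = {}  # spec -> (timeout, minute set)

    def authorise(self, specs: List[str], now: int = 0) -> List[str]:
        """Add specs (dual-officer approval is assumed to have passed) and return the listing."""
        for spec in specs:
            act, timeout = parse_spec(spec)
            self.entries[act] = (timeout, now)  # same fields, new timeout: overwrite the old entry
        return self.listing(now)

    def purge(self, now: int) -> None:
        """Revoke timed entries whose timeout has elapsed, as the HSM does."""
        self.entries = {a: (t, at) for a, (t, at) in self.entries.items() if t is None or at + t > now}

    def listing(self, now: int = 0) -> List[str]:
        """The list as the console prints it, with minutes remaining on timed entries."""
        self.purge(now)
        lines = []
        for act, (t, at) in sorted(self.entries.items(), key=lambda kv: canonical(kv[0])):
            lines.append(canonical(act) if t is None else f"{canonical(act, t)} ({at + t - now} mins remaining)")
        return lines

    def is_authorised(self, cat: str, sub: Optional[str], iface: str, now: int = 0) -> bool:
        """Is a command needing this exact activity (on this interface) allowed right now?"""
        self.purge(now)
        return any((cat, sub, iface) in expand(act) for act in self.entries)

    def prompt(self) -> str:
        """Console prompt: Online> with nothing authorised, else Online Auth[n]>."""
        return f"Online Auth[{len(self.entries)}]>" if self.entries else "Online>"
```

Running the Example 2 command line through it, `authorise(["gen.zmk.con:60", "exp.zpk.host", "admin:240"])` on a list already holding pin.mailer returns the four-line listing shown in that example, and `is_authorised` answers the question a command's authorisation check has to answer: whether the exact category, key name and interface it needs is covered by some unexpired entry. Note that `"pin"` alone covers pin.clear.host as well as the PIN mailer commands; that breadth is what the fully specified form avoids.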
Example 1: Adding a single activity via Menu, or via Command Line:
Online> A <Return>
No activities are authorised.
List of authorisable activities:
[g]enerate [comp]onent [genp]rint [i]mport [e]xport [p]in
[au]dit [ad]min [d]iag [m]isc [comm]and
Select category: p <Return>
[c]lear [m]ailer
Select sub-category, or <Return> for all: m <Return>
[h]ost [c]onsole
Select interface, or <Return> for all: <Return>
Enter time limit for pin.mailer, or <Return> for permanent: <Return>
Enter additional activities to authorise? [y/N]: n <Return>
The following activities are pending authorisation:
pin.mailer
First Officer:
Insert Card for Security Officer and enter the PIN: ****<Return>
Second Officer:
Insert Card for Security Officer and enter the PIN: ****<Return>
The following activities are authorised:
pin.mailer
Online Auth[1]>
Online> a pin.mailer <Return>
The following activities are pending authorisation:
pin.mailer
First Officer:
Insert Card for Security Officer and enter the PIN: ****<Return>
Second Officer:
Insert Card for Security Officer and enter the PIN: ****<Return>
The following activities are authorised:
pin.mailer
Online Auth[1]>
Example 2: Adding three additional activities via Menu, or via Command Line:
Online Auth[1]> a <Return>
The following activities are authorised:
pin.mailer
List of authorisable activities:
[g]enerate [comp]onent [genp]rint [i]mport [e]xport [p]in
[au]dit [ad]min [d]iag [m]isc [comm]and
Select category: g <Return>
[zm]k [k]ml [zp]k [p]vk [tp]k [tm]k [cs]ck [cv]k [ta]k [w]wk [za]k [b]dk
[mk-a]c [mk-smi] [mk-smc] [mk-da]k [mk-dn] [ze]k [r]sa
Select sub-category, or <Return> for all: zmk <Return>
[h]ost [c]onsole
Select interface, or <Return> for all: c <Return>
Enter time limit for generate.zmk.console, or <Return> for permanent: 60 <Return>
Enter additional activities to authorise? [y/N]: y <Return>
List of authorisable activities:
[g]enerate [comp]onent [genp]rint [i]mport [e]xport [p]in
[au]dit [ad]min [d]iag [m]isc [comm]and
Select category: e <Return>
[k]ml [zp]k [p]vk [tp]k [tm]k [cs]ck [cv]k [ta]k [w]wk [za]k [b]dk [mk-a]c [mk-smi] [mk-smc] [mk-da]k [mk-dn] [ze]k
Select sub-category, or <Return> for all: zpk <Return>
[h]ost [c]onsole
Select interface, or <Return> for all: h <Return>
Enter time limit for export.zpk.host, or <Return> for permanent: <Return>
Enter additional activities to authorise? [y/N]: y <Return>
List of authorisable activities:
[g]enerate [comp]onent [genp]rint [i]mport [e]xport [p]in
[au]dit [ad]min [d]iag [m]isc [comm]and
Select category: admin <Return>
[h]ost [c]onsole
Select interface, or <Return> for all: <Return>
Enter time limit for admin, or <Return> for permanent: 240 <Return>
Enter additional activities to authorise? [y/N]: <Return>
The following activities will be authorised:
admin:240
export.zpk.host
generate.zmk.console:60
First Officer:
Insert Card for Security Officer and enter the PIN: **** <Return>
Second Officer:
Insert Card for Security Officer and enter the PIN: **** <Return>
The following activities are authorised:
admin:240 (240 mins remaining)
export.zpk.host
generate.zmk.console:60 (60 mins remaining)
pin.mailer
Online Auth[4]>
Online Auth[1]> a gen.zmk.con:60 exp.zpk.host admin:240 <Return>
The following activities will be authorised:
admin:240
export.zpk.host
generate.zmk.console:60
First Officer:
Insert Card for Security Officer and enter the PIN: **** <Return>
Second Officer:
Insert Card for Security Officer and enter the PIN: **** <Return>
The following activities are authorised:
admin:240 (240 mins remaining)
export.zpk.host
generate.zmk.console:60 (60 mins remaining)
pin.mailer
Online Auth[4]>