Physical Description

An HSM can stand alone or can be part of a system consisting of a number of HSM units in a standard 19-inch cabinet. The front panel of each unit is accessible from the front of the cabinet. The rear of the cabinet has a lockable door which gives access to the rear panel of each unit. The units are supported on telescopic runners so that they can slide out via the front of the cabinet.

Front Panel

On the front panel are two cam locks, which secure the HSM in the rack. The locks have different keys, so the HSM can be removed from the rack only when the two authorised key holders are present. After installation, it is only necessary for both keyholders to be present when secure operations are to be carried out on the HSM, such as changing the Local Master Keys (LMKs).

There are five coloured LED indicators on the front panel. These are the POWER, ERROR, ACTIVITY, ALARM and SECURE indicators.

The Smartcard reader is an ISO card compliant type with automatic card ejection. The card is ejected at standard points in HSM operation:

· On completion of a Smartcard related console command.

· Following premature console command termination when the user presses the CTRL-C key combination.

· When the HSM is reset by the RESET button on its front panel.

· During diagnostic testing.

· When an EJECT console command is input by the user.

Console Port

This is a 9-way D-type female socket for connection to a standard Console terminal. It is a replica of the console connector on the rear panel; a console terminal must not be connected to the front panel connector while a console terminal is connected to the rear panel connector. The Console port is configured as Data Communications Equipment (DCE). Almost any asynchronous ASCII terminal is suitable for use with the HSM as a console terminal.

RESET Button

The red RESET button is recessed in the front panel to prevent accidental activation. It is used to take the HSM out of offline mode and back into normal operation. The reset also ejects any Smartcard that is in the Smartcard reader. If the RESET button is pressed while the HSM is online, the HSM performs a reboot and the rebooting message is displayed on the console terminal (if connected).

The RESET button must be pressed for two seconds for it to take effect.

Power LED

The green POWER indicator is illuminated while the HSM has power applied to it. If the POWER LED goes out, this means that either the power has been disconnected or a fuse has blown.

Error LED

The red ERROR indicator is normally extinguished. It is illuminated if the HSM’s continuous automatic self checks have detected a fault. The ERROR LED also indicates the state of the error log. If a new error has occurred since the error log was last checked then the LED flashes. Once the error log has been investigated it illuminates continuously. See Logging Functions.

Secure LED

The yellow SECURE indicator flashes during normal operation. This shows that the alarm circuitry (movement and temperature alarms) is active and the LMKs are loaded. The mesh circuitry, which detects an attempted intrusion into the crypto-processor, is always active and is not shown by the SECURE LED. The conditions for the SECURE indicator are:

Off          LMKs not loaded
On steady    LMKs loaded, alarms disabled
Flashing     LMKs loaded, alarms enabled (either temperature alarm or movement alarm or both)

Alarm LED

The red ALARM indicator illuminates when the HSM is triggered into an alarmed state by a security compromise. All secure data stored in the HSM is erased. To extinguish the ALARM LED, the HSM must be rebooted by powering off and powering on again. If the alarm condition is still present after rebooting, the ALARM LED remains illuminated; in this case the HSM must be returned to THALES for investigation and repair.

Activity LED

The green ACTIVITY indicator shows host activity on the HSM. It illuminates when data is either received or transmitted. It flashes when a small amount of data is being sent and illuminates steadily when the HSM is busy. If no data is being received from the host it remains extinguished.

Locks

The locks on the front panel of the HSM provide security in two ways:

· When in the locked position, the HSM cannot be removed from the rack. Both locks need to be unlocked for the unit to be removed; this can only be achieved by the presence of two authorized key holders, as each lock requires a different key. The mechanical locking of the unit into the rack thus provides low level resistance to a direct attack. Note that the unit itself cannot be opened.

· Micro-switches are attached to the locks, wired to inputs on the internal circuit board, allowing the security state of the HSM to be changed. Three states are supported: online (both locked), offline (one locked and one unlocked) and secure (both unlocked). See table below.

State              Left hand lock        Right hand lock
Normal (online)    Locked (activated)    Locked (activated)
Offline            Locked                Unlocked
Offline            Unlocked              Locked
Secure             Unlocked              Unlocked

Rear Panel

The power input (via an IEC connector) and fuses (20 mm type) are housed in a module on the right.

HSM 8000 Rear View

The host ethernet and ethernet management ports are RJ45 sockets.

The two host Serial ports are 26-way, D-type female sockets.

The auxiliary port is a 25-way, D-type male socket and the parallel printer port is a 25-way D-type female socket.

The console port is a 9-way D-type female socket, which is replicated on the front panel.

ESCON versions have an additional MT-RJ connector for the optical fibre. This is only fitted on the RG8200; other variants have a blanking plate fitted instead.

See the HSM 8000 Installation Manual for details of the host ports and configuration procedures.