The HSM receives command messages via the Host interface. Each message contains all the data the HSM needs to perform one cryptographic operation. The HSM processes the data and returns a response message to the Host; if it detects errors in the received data, the response message carries an error code.
A Console (and optionally a printer) is used to perform tasks involving plaintext keys or PINs, to set the HSM into the Authorized state and to perform diagnostic functions. A Smartcard reader on the front panel of the HSM is used to authorize logon to the Console, to load critical key data and to store configuration information.
The Console port is configured as Data Communications Equipment (DCE). Almost any asynchronous ASCII terminal is suitable for use with the HSM. The default settings can be chosen as either 300 baud, seven data bits, odd parity and one stop bit, or 19200 baud, eight data bits, no parity and one stop bit. Once the Console is operational, the baud rate and word format can be changed to any convenient value.
Console operations include generating and loading the LMKs and Passwords, setting the HSM into the Authorized state (using either the two Passwords or the Smartcards and their PINs), generating manually distributed master keys and performing diagnostic functions. The terminal must therefore be located in a secure, access-controlled area.
The Console terminal is not required all the time, so one terminal can be shared across a set of HSMs; an RS232 switch box makes this easier. Note that Console traffic, including plaintext key components, Passwords and PINs, travels in the clear over the serial cable, so the terminal, the cabling and any switch box must all remain inside the secure area.
A printer is required to print PIN mailers or generate and print components of manually-distributed keys. The HSM is configured from the Console to use either a parallel printer connected to the printer port or a serial printer connected to the auxiliary port.
The printer port is a standard ECP/EPP parallel port with a standard 25-pin D-type connector. The printer port implements compatibility, nibble and byte mode data transfer; therefore a “Win-printer” that requires the installation of specific software drivers cannot be used.
In normal operation the HSM is first set into the Authorized state from the Console; printing can then start. Because the printer produces plaintext PIN mailers and key components, it must be located in a secure, access-controlled area.
The Auxiliary port is configured as Data Communications Equipment (DCE). It can be used to connect a serial printer or another serial device, and is configured from the Console either as part of the printer configuration or individually. The default settings are the same as those of the Console port, and the baud rate and word format can likewise be changed to any convenient value.
As with parallel printing, the HSM is set into the Authorized state from the Console before printing. The printer must be located in a secure, access-controlled area.
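The Console and Auxiliary port settings above map directly onto termios flags. The following shell helper is added here as an example and is not part of the HSM documentation: it builds the stty(1) argument list for the two documented default word formats, generalizes to any other baud rate, data-bit count, parity and stop-bit setting the port may have been changed to, and applies the result to a Linux serial device. The device path /dev/ttyUSB0 and the function names are assumptions. It rejects invalid data-bit, parity and stop-bit values up front, because a mismatched word format shows up as garbage on the terminal rather than as an error.

```shell
#!/bin/sh
# Added example, not from the HSM manual. Builds stty(1) arguments for the
# HSM Console/Auxiliary serial ports and applies them to a Linux tty.
# Assumptions: GNU stty (-F); device path and function names are illustrative.

# Build stty flags from baud, data bits (5-8), parity (n|o|e) and stop bits (1|2).
hsm_serial_stty_args() {
    baud=$1 bits=$2 parity=$3 stop=$4
    case "$bits" in
        5|6|7|8) ;;
        *) echo "bad data bits: $bits (expected 5-8)" >&2; return 1 ;;
    esac
    case "$parity" in
        n) p="-parenb" ;;             # no parity
        o) p="parenb parodd" ;;       # odd parity
        e) p="parenb -parodd" ;;      # even parity
        *) echo "bad parity: $parity (expected n|o|e)" >&2; return 1 ;;
    esac
    case "$stop" in
        1) s="-cstopb" ;;
        2) s="cstopb" ;;
        *) echo "bad stop bits: $stop (expected 1|2)" >&2; return 1 ;;
    esac
    echo "$baud cs$bits $p $s"
}

# The two factory-default word formats documented for the Console and
# Auxiliary ports: 300 7-O-1 or 19200 8-N-1.
hsm_default_stty_args() {
    case "$1" in
        300)   hsm_serial_stty_args 300 7 o 1 ;;
        19200) hsm_serial_stty_args 19200 8 n 1 ;;
        *) echo "unknown default profile: $1 (use 300 or 19200)" >&2; return 1 ;;
    esac
}

# Apply a default profile to a serial device and put the line in raw mode so
# bytes pass through unmodified; clocal ignores modem-control lines.
# Usage: hsm_console_setup /dev/ttyUSB0 19200
hsm_console_setup() {
    dev=$1 profile=$2
    args=$(hsm_default_stty_args "$profile") || return 1
    # Word splitting of $args into separate stty arguments is intended.
    stty -F "$dev" $args raw -echo clocal
}

# Show what the kernel actually applied; some USB adapters silently
# substitute a nearby rate, which is why the check is worth doing.
hsm_console_show() {
    stty -F "$1" -a
}
```

Because both ports are DCE, a PC or USB-to-serial adapter (a DTE) connects with a straight-through cable, not a null-modem cable; if no prompt appears after setup, check the cable first, then run `hsm_console_show /dev/ttyUSB0` to confirm the rate and word format the kernel accepted.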
See also: Host Port