CRYPT2Pay User's Guide: Version No.: 1.0 Reference: BNTng/V7/EN/LP54007
THIS DOCUMENT IS THE PROPERTY OF BULL AND MAY NOT BE REPRODUCED OR COMMUNICATED WITHOUT ITS WRITTEN AUTHORIZATION
Trademarks
All brand names and product names are trademarks or registered trademarks of their
respective owners.
Copyrights
Under the copyright law, neither the Crypt2Pay software nor documentation may be
copied, photocopied, reproduced, translated or reduced to any electronic medium or
machine readable form, in whole or in part, without the prior written consent of Bull
SA.
License Conditions
Please read your license agreement with Bull carefully and make sure you understand
the exact terms of usage.
You are not allowed to make any modifications to the product. If you feel the need
for any modifications, please contact Bull.
Disclaimer
This Document is provided “as is” without warranty of any kind, either express or
implied, including, but not limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors. Changes
are periodically made to the information herein; these changes will be incorporated
in new editions of the document. Bull may make improvements of and/or changes to the
product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Bull product,
you are always welcome to contact us.
http://www.bull.com/security/crypt2pay.html
Date: 04/06/05
Doc. title: CRYPT2Pay User's Guide
Doc. reference: BNTng/V7/EN/LP54007
Doc. version: 1.0
THIS DOCUMENT IS THE PROPERTY OF BULL INGENIERIE AND MAY NOT BE REPRODUCED OR COMMUNICATED WITHOUT WRITTEN AUTHORIZATION
1. INTRODUCTION
Additionally, CRYPT2Pay also offers Personal Identification Number generation and cryptographic data computation
functions used to prepare the magstripe card personalization data.
Specified jointly with the largest French banks, the CRYPT2Pay product helps meet the security requirements of electronic
banking servers to handle EMV transactions (EMV96, EMV 2000) taking into account the special characteristics of the
international Mastercard (Mchip 2, Mchip4) and VISA (VIS132, VIS140) payment systems.
This product is easily implemented by direct connection to the bank's server system via an IP or X25 link.
Deploying cryptographic equipment to secure exchanges with remote servers over networks, and with stripe or
smart cards personalized with issuer keys, implies managing keys whose number grows with the number of
equipment units, remote servers and issuer keys. To control key distribution to CRYPT2Pays and simplify key
management at each electronic banking server, Bull provides a specific key management tool known as KMC
(Key Management Center).
Bull highly recommends that its customers get some training and/or assistance from Bull's experts in order to
guarantee a safe and quick installation of the solution.
Bull Services
HSM & Pre-personalization Solutions
Business Unit
Rue Jean Jaures
BP 68
78340 Les Clayes-sous-Bois
FRANCE
e-mail: [email protected]
In order to have all your CRYPT2Pays up and running, you will have to load production software, personalize
CRYPT2Pays, install the KMC (Key Management Center) and create key distribution files.
This chapter briefly explains the standard procedure to have your CRYPT2Pay up and running, and gives you the
reference of detailed procedures in "CRYPT2Pay Reference Manual" or in the "KMC user's guide".
In this procedure, KMC server is also used as the administration workstation for CRYPT2Pay.
[Figure: KMC PC (not supplied by Bull), CRYPT2Pay with KMC option, SafePAD]
• Connect the KMC PC to the Ethernet port of CRYPT2Pay (RJ45 cable or HUB, not supplied with CRYPT2Pay)
(See CRYPT2Pay Reference Manual § INSTALLATION – Administration setup)
• Set the IP address and network mask of the KMC PC so that the KMC can connect to CRYPT2Pay default address
(See CRYPT2Pay Reference Manual § INSTALLATION – Verification of CRYPT2Pay configuration and
parameters setting)
• Using a browser on the KMC PC, connect to the administration server of Transport Application and load
CRYPT2Pay software (See CRYPT2Pay Reference Manual § CRYPT2Pay ADMINISTRATION – Application
management – “Download” sub-menu)
Warning: Do not interrupt the CRYPT2Pay software loading (no "tilt" of the machine or stop of CRYPT2Pay). If a
problem occurs during loading, two successive switch-offs are necessary. At the first reboot, CRYPT2Pay
boots on the partition which should have been loaded. Since its state is wrong, the boot fails. It is thus necessary
to switch the CRYPT2Pay HSM off and on again to restart properly on the first partition.
• Reboot CRYPT2Pay
✓ The front light turns to orange, since CRYPT2Pay is not personalized, and the safePAD displays the
personalisation prompt
✓ Status of CRYPT2Pay:
➢ Active Area: Production software (I)
➢ Inactive Area: Transport software (X)
➢ Boot area at power on: Transport software (X)
➢ Not personalized
➢ Default IP Address
[Figure: KMC PC (not supplied by Bull), SafePAD, KM2bntx]
✓ The Master Key is split into two components stored in labelled smart cards.
• Validate the "Input key" choice to proceed with introduction of the master key in the protected memory of
CRYPT2Pay (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer personalization -
Stage 3 description : Key introduction by card function)
• Check the key attributes imported from the smart card (See CRYPT2Pay Reference Manual § SECURITY
PROCEDURES – Customer personalization - Personalization confirmation function)
• DO NOT VALIDATE the personalization at this step
✓ CRYPT2Pay authorized for KMC is now up and running, but personalization has not been validated.
• Using a browser on the KMC PC, connect to the administration server of CRYPT2Pay
• Open an administration session using default login and password (See CRYPT2Pay Reference Manual §
UTILIZATION AND ADMINISTRATION PRINCIPLES – User profiles and accounts and § CRYPT2Pay
ADMINISTRATION – Opening an administration session)
• Change the default boot area so that the production application is the default (See CRYPT2Pay Reference Manual §
CRYPT2Pay ADMINISTRATION – Application management – “Set up Boot” sub-menu)
• Configure the final CRYPT2Pay IP address (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – System management “System” menu –“TCP/IP” sub-menu). This change will be taken
into account at next reboot. Do not reboot now.
• Check and activate options (See CRYPT2Pay Reference Manual § CRYPT2Pay ADMINISTRATION –
Application management - “Options” sub-menu).
✓ Status of CRYPT2Pay:
➢ Active Area: Production software (I)
➢ Inactive Area: Transport software (X)
➢ Boot area at power on: Production software (I)
➢ Personalization not validated
➢ Final IP Address (at next boot).
[Figure: CRYPT2Pay production software, ISO7816-4, Production CRYPT2Pays, Initialized Smart Cards, SafePAD, KM2bntx]
[Figure: KDK File, KMC PC (not supplied by Bull), db, SafePAD, KDKM, KM2bntx]
• Start the KMC software (See KMC User's guide § Running the KMC)
• Create a KDKM key to protect CRYPT2Pay master keys in the database (See KMC User's guide § Creating the key
label). The key owner shall be identical to CRYPT2Pay owner set during personalization.
• Generate the KDKM value and output it in two smart cards (See KMC User's guide § Output on external media
(paper or card)). Use a distinct smart card set for storing KDKM and KM2bntx. Don't forget to label the smart
card used to store the key and write the key index. (One smart card can be used to store up to 15 key components).
✓ The KDKM for KM2bntx is now generated and stored in two smart cards.
• Input the KDKM value from smart cards (See KMC User's guide § Entry from external media (paper or card)).
• Create the KM2bntx key in the KMC database, under the KDKM (See KMC User's guide § Creating the key label).
The key owner shall be identical to CRYPT2Pay owner set during personalization.
The key number shall be identical to key version set during personalization.
The complementary identifier (IdC) shall be the following:
30 00 00 nn nn 00 00 00 00 00 00 00 00
where nn nn is CRYPT2Pay logical number set during personalization
• Input the KM2bntx value from smart cards (See KMC User guide § Entry from external media (paper or card)).
✓ The KM2bntx is now stored in the KMC database, encrypted under KDKM
• Create another KDKM key to protect the Key Distribution Keys in the database (See KMC User's guide § Creating
the key label).
• Generate the KDKM value and output it in two smart cards (See KMC User's guide § Output on external media
(paper or card)). You can store this key in the same smart cards as the first KDKM, with a distinct index. Don't
forget to label the smart card used to store the key and write the key index. (One smart card can be used to store up
to 15 key components).
• Input the KDKM value from smart cards (See KMC User's guide § Entry from external media (paper or card)).
• Create the KDK key in the KMC database, under the KDKM (See KMC User's guide § Creating the key label).
• Generate the KDK value (See KMC User's guide § Key generation).
✓ The first Key Distribution Key is now generated and stored in the KMC database, encrypted under a
KDKM.
✓ CRYPT2Pay is now configured in the KMC database, with its master key and key distribution key.
• Create the key distribution files for CRYPT2Pays (See KMC User's guide § Generation).
• Save the KMC database (Menu 'Database', option 'Save').
• Exit from the KMC software (Menu 'Database', option 'Exit').
✓ KDK file is created and contains the KDK token encrypted under the KM2bntx.
✓ The KMC database is stored in the PC.
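The KM2bntx label rules in this step (key owner and key number identical to the personalization values, IdC built around the logical number) can be cross-checked before the label is entered in the KMC. The Python below is an added example, not part of Bull's documentation or of the KMC software; the record field names, the sample values and the assumption that the logical number is written as four hex digits filling the two "nn nn" bytes are illustrative.

```python
from dataclasses import dataclass

IDC_LEN = 13                        # byte count of the IdC pattern in the guide
IDC_PREFIX = bytes.fromhex("300000")


@dataclass(frozen=True)
class Personalization:
    """Values set during personalization (field names are assumptions)."""
    owner: str
    key_version: int
    logical_number: str             # assumed: four hex digits, i.e. "nn nn"


@dataclass(frozen=True)
class KmcKeyLabel:
    """Values about to be entered for the KM2bntx label (assumed names)."""
    owner: str
    key_number: int
    idc: str                        # hex string, spaces allowed


def logical_number_bytes(logical_number: str) -> bytes:
    """Return the two 'nn nn' bytes, rejecting anything but four hex digits."""
    digits = logical_number.replace(" ", "")
    if len(digits) != 4:
        raise ValueError("logical number must be four hex digits")
    return bytes.fromhex(digits)


def build_idc(logical_number: str) -> bytes:
    """IdC = 30 00 00 nn nn followed by eight 00 bytes."""
    return IDC_PREFIX + logical_number_bytes(logical_number) + bytes(8)


def check_label(perso: Personalization, label: KmcKeyLabel) -> list[str]:
    """Return readable mismatches; an empty list means the label is consistent."""
    problems = []
    if label.owner != perso.owner:
        problems.append("key owner differs from CRYPT2Pay owner")
    if label.key_number != perso.key_version:
        problems.append("key number differs from key version")
    try:
        idc = bytes.fromhex(label.idc)          # fromhex ignores the spaces
    except ValueError:
        return problems + ["IdC is not valid hexadecimal"]
    if len(idc) != IDC_LEN:
        return problems + [f"IdC is {len(idc)} bytes, expected {IDC_LEN}"]
    expected = build_idc(perso.logical_number)
    if idc[:3] != expected[:3] or any(idc[5:]):
        problems.append("IdC fixed bytes do not follow 30 00 00 nn nn 00 x 8")
    if idc[3:5] != expected[3:5]:
        problems.append("IdC logical number differs from personalization")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real installation.
    perso = Personalization(owner="BANK01", key_version=1, logical_number="0012")
    # The two logical-number digits are transposed on purpose.
    label = KmcKeyLabel(owner="BANK01", key_number=1,
                        idc="30 00 00 00 21" + " 00" * 8)
    print("expected IdC:", build_idc(perso.logical_number).hex(" ").upper())
    for problem in check_label(perso, label):
        print("MISMATCH:", problem)
```
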
[Figure: KDK File, KMC PC (not supplied by Bull), db, SafePAD, KM2bntx, KDKMs]
✓ If CRYPT2Pay has been moved, security mechanisms may have triggered (flashing red light). In that case
you will have to reboot. The front light turns to orange, since CRYPT2Pay personalization has been
canceled, and the safePAD displays the personalisation prompt.
• Start the personalization process (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer
personalization)
• SKIP the "Generate key" choice
• Validate the "Input key" choice to proceed with the introduction of the master key in the secured memory of
CRYPT2Pay (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer personalization -
Stage 3 description : Key introduction by card function)
• Check the key attributes imported from the smart card (See CRYPT2Pay Reference Manual § SECURITY
PROCEDURES – Customer personalization - Personalization confirmation function)
• DO NOT VALIDATE the personalization
• Check the KDK loading (Please refer to the server application documentation for the detailed procedure)
✓ The result of steps A1 to A4 is checked (i.e. CRYPT2Pay personalization and KMC database initialization
was successfully performed). You can apply the personalization.
[Figure: KDK File, KMC PC (not supplied by Bull), db, SafePAD, KM2bntx, KDKMs]
✓ The front light turns to orange, since CRYPT2Pay personalization has been cancelled, and the safePAD
displays the personalisation prompt.
• Start the personalization process (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer
personalization)
• SKIP the "Generate key" choice
• Validate the "Input key" choice to proceed with introduction of the master key in the secured memory of
CRYPT2Pay (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer personalization -
Stage 3 description : Key introduction by card function)
• Check the key attributes imported from the smart card (See CRYPT2Pay Reference Manual § SECURITY
PROCEDURES – Customer personalization - Personalization confirmation function)
• VALIDATE the personalization now
• Switch CRYPT2Pay OFF and ON to reboot.
✓ The front light turns to green: CRYPT2Pay authorized for KMC is now personalized.
• Connect the KMC PC to the Ethernet port of CRYPT2Pay (RJ45 cable or HUB, not supplied with CRYPT2Pay)
• Set the IP address and network mask of the KMC PC so that the KMC can connect to CRYPT2Pay address
• Update the KMC configuration file to set the correct CRYPT2Pay IP address
• Using a browser on the KMC PC, connect to the administration server and load CRYPT2Pay software in the
inactive area, to replace the transport application (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – Application management – “Download” sub-menu)
• Reboot CRYPT2Pay on the loaded partition to check download (See CRYPT2Pay Reference Manual §
CRYPT2Pay ADMINISTRATION – Application management – “Reboot” sub-menu)
✓ Status of CRYPT2Pay:
➢ Active Area: Production software (I)
➢ Inactive Area: Production software (I)
➢ Boot area at power on: Production software (I)
➢ Personalization validated
➢ Final IP Address.
[Figure: CRYPT2Pay production software, KMC software, Production CRYPT2Pays, KMC PC (not supplied by Bull), SafePAD, KM2bntx, KDKMs]
• Check the content of the delivery (See CRYPT2Pay Reference Manual § INSTALLATION – Reception of the
equipment)
• Connect the safePAD to the front I/O port of the production CRYPT2Pay with the supplied cable
• Connect the power supply and power CRYPT2Pay ON (See CRYPT2Pay Reference Manual § INSTALLATION –
Powering on).
• Connect the KMC PC to the Ethernet port of CRYPT2Pay (RJ 45 cable or HUB, not supplied with CRYPT2Pay)
(See CRYPT2Pay Reference Manual § INSTALLATION – Administration setup)
• Set the IP address and network mask of the KMC PC so that the KMC can connect to CRYPT2Pay default address
(See CRYPT2Pay Reference Manual § INSTALLATION – Verification of CRYPT2Pay configuration and
parameter setting)
• Using a browser on the KMC PC, connect to the administration server and load CRYPT2Pay software (See
CRYPT2Pay Reference Manual § CRYPT2Pay ADMINISTRATION – Application management – “Download”
sub-menu)
Warning: Do not interrupt the CRYPT2Pay software loading (no "tilt" of the machine or stop of CRYPT2Pay). If a
problem occurs during loading, two successive switch-offs are necessary. At the first reboot, CRYPT2Pay
boots on the partition which should have been loaded. Since its state is wrong, the boot fails. It is thus necessary
to switch the CRYPT2Pay HSM off and on again to restart properly on the first partition.
• Reboot CRYPT2Pay
✓ The front light turns to orange, since CRYPT2Pay is not personalized, and the safePAD displays the
personalisation prompt.
✓ Status of CRYPT2Pay:
➢ Active Area: Production software (I)
➢ Inactive Area: Transport software (X)
➢ Boot area at power on: Transport software (X)
➢ Not personalized
➢ Default IP Address
[Figure 8: Personalization of production CRYPT2Pay. Labels: CRYPT2Pay production software, KMC software, Production CRYPT2Pays, SafePAD, KMC PC (not supplied by Bull), KM2bntx, KDKMs]
• Start the personalization process (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer
personalization)
• Validate the "Generate key" choice to proceed with master key generation and identification (Key owner,
CRYPT2Pay logical number) (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer
personalization - Stage 2 description : KM2bnt(x) key generation)
• The Master Key is split in two components, each one being stored in a smart card. Don't forget to label the smart
card used to store the key and write the key index. (One smart card can be used to store up to 15 key components).
You can add the key to the smart cards used for personalization of other CRYPT2Pays, with a new index.
✓ The Master Key is split in two components stored in a labelled smart card.
• Validate the "Input key" choice to proceed with introduction of the master key in the secured memory of
CRYPT2Pay (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer personalization -
Stage 3 description : Key introduction by card function)
• Check the key attributes imported from the smart card (See CRYPT2Pay Reference Manual § SECURITY
PROCEDURES – Customer personalization - Personalization confirmation function)
• DO NOT VALIDATE the personalization at this step
✓ CRYPT2Pay is now up and running, but personalization has not been validated.
• Using a browser on the KMC PC, connect to the administration server of CRYPT2Pay
• Open an administration session using default login and password
• Change the default boot area so that the production application is the default (See CRYPT2Pay Reference Manual §
CRYPT2Pay ADMINISTRATION – Application management – “Set up Boot” sub-menu)
• Configure the final CRYPT2Pay IP address (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – System management “System” menu –“TCP/IP” sub-menu). This change will be taken
into account at next reboot. Do not reboot now.
• Check and activate options (See CRYPT2Pay Reference Manual § CRYPT2Pay ADMINISTRATION –
Application management - “Options” sub-menu).
✓ Status of CRYPT2Pay:
➢ Active Area: Production software (I)
➢ Inactive Area: Transport software (X)
➢ Boot area at power on: Production software (I)
➢ Personalization not validated
➢ Final IP Address (at next boot).
[Figure: KDK File, KMC PC (not supplied by Bull), db, SafePAD, KDKM, KM2bntx]
• Connect the KMC with its CRYPT2Pay, and connect the safePAD to CRYPT2Pay
• Reboot CRYPT2Pay with KMC option
• Set the IP address and network mask of the KMC PC so that the KMC can connect to CRYPT2Pay address
• Start the KMC software (See KMC User's guide § Running the KMC)
✓ The KM2bntx is now stored in the KMC database, encrypted under KDKM
• Input the KDKM for KDK from smart cards (See KMC User's guide § Entry from external media (paper or card)).
• Create a new CRYPT2Pay in the HSM group (See KMC User's guide § Equipment creation). You can use
CRYPT2Pay logical number as the HSM label.
• Select the KM2bntx key in the key tree and assign it to CRYPT2Pay (See KMC User's guide § Key assignment to
equipment or group).
✓ The new CRYPT2Pay is now configured in the KMC database, with its master key and key distribution key.
• Create the key distribution files for CRYPT2Pay (See KMC User guide § Generation).
• Save the KMC database (Menu 'Database', option 'Save').
• Exit from the KMC software (Menu 'Database', option 'Exit').
✓ KDK file is created and contains the KDK token encrypted under the KM2bntx.
✓ The KMC database is stored on the PC.
[Figure 10: Key loading tests. Labels: KM2bntx, KMC PC (not supplied by Bull), KDK File, db, KDKMs]
✓ If CRYPT2Pay has been moved, security mechanisms may have triggered (flashing red light). In that case
you will have to reboot. The front light turns to orange, since CRYPT2Pay personalization has been
canceled, and the safePAD displays the personalisation prompt.
• Start the personalization (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer
personalization)
• SKIP the "Generate key" choice
• Validate the "Input key" choice to proceed with introduction of the master key in the protected memory of
CRYPT2Pay (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer personalization -
Stage 3 description : Key introduction by card function)
• Check the key attributes imported from the smart card (See CRYPT2Pay Reference Manual § SECURITY
PROCEDURES – Customer personalization - Personalization confirmation function)
• DO NOT VALIDATE the personalization
• Check the KDK loading (Please refer to the server application documentation for the detailed procedure)
✓ The result of steps B1 to B3 is checked (i.e. CRYPT2Pay personalization and KMC database update were
successfully performed). You can apply the personalization.
[Figure: KM2bntx, KMC PC (not supplied by Bull), db, KDK File, KDKMs]
✓ The front light turns to orange, since CRYPT2Pay personalization has been cancelled, and the safePAD
displays the personalisation prompt.
• Start the personalization (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer
personalization)
• SKIP the "Generate key" choice
• Validate the "Input key" choice to proceed with the introduction of the master key in the protected memory of
CRYPT2Pay (See CRYPT2Pay Reference Manual § SECURITY PROCEDURES – Customer personalization -
Stage 3 description : Key introduction by card function)
• Check the key attributes imported from the smart card (See CRYPT2Pay Reference Manual § SECURITY
PROCEDURES – Customer personalization - Personalization confirmation function)
• VALIDATE the personalization now
• Switch CRYPT2Pay OFF and ON to reboot.
• Connect the KMC PC to the Ethernet port of CRYPT2Pay (RJ45 cable or HUB, not supplied with CRYPT2Pay)
• Set the IP address and network mask of the KMC PC so that the KMC can connect to CRYPT2Pay address
• Using a browser on the KMC PC, connect to the administration server and load CRYPT2Pay software in the
inactive area, to replace the transport application (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – Application management – “Download” sub-menu)
• Reboot CRYPT2Pay on the loaded partition to check download (See CRYPT2Pay Reference Manual §
CRYPT2Pay ADMINISTRATION – Application management – “Reboot” sub-menu)
✓ Status of CRYPT2Pay:
➢ Active Area: Production software (I)
➢ Inactive Area: Production software (I)
➢ Boot area at power on: Production software (I)
➢ Personalization validated
➢ Final IP Address.
[Figure: KSK File, KMC PC (not supplied by Bull), db, KDK File, Service keys, KM2bntx]
• Connect the KMC with its CRYPT2Pay, and CRYPT2Pay with its safePAD
• Start the KMC software (See KMC User's guide § Running the KMC)
• Check CRYPT2Pay connection
• Input the KDKM for KDK from smart cards (See KMC User's guide § Entry from external media (paper or card)).
• Create the key distribution files for CRYPT2Pay group (See KMC User's guide § Generation).
• Save the KMC database (Menu 'Database', option 'Save').
• Exit from the KMC software (Menu 'Database', option 'Exit').
✓ KSK file is created and contains the KSK tokens encrypted under the KDK.
✓ The KMC database is stored on the PC.
[Figure: CRYPT2Pay production software, KMC software, Production CRYPT2Pays, db, KDKMs, KM2bntx, SafePAD, StrongBox 1, StrongBox 2, KSK File]
• Connect CRYPT2Pay to the host server and check the KDK and KSK loading (Please refer to the server
application documentation for the detailed procedure)
• Check CRYPT2Pay installation environment (See CRYPT2Pay Reference Manual § INSTALLATION –
Installation environment)
• Using a browser on the KMC PC, connect to the administration server of CRYPT2Pay
• Open an administration session using default login and password (See CRYPT2Pay Reference Manual §
UTILIZATION AND ADMINISTRATION PRINCIPLES – User profiles and accounts and § CRYPT2Pay
ADMINISTRATION – Opening an administration session)
• Change the password of default admin user (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – "Users" management – “Password” sub-menu)
• Create the identifiers of all the users who will manage CRYPT2Pay (See CRYPT2Pay Reference Manual §
CRYPT2Pay ADMINISTRATION – "Users" management – “Add” sub-menu)
✓ Users are configured and can now connect to change their password.
Warning: Only an administrator can reinitialize the account of a user who has lost his password (blocked account).
You shall define a procedure to guarantee that there is always at least one administrator account that is not blocked.
Otherwise, the CRYPT2Pay administration server may be definitively blocked:
• Store "admin" password in a safe place
• and/or, create backup administrator's accounts
• Using a browser on the KMC PC, connect to the administration server of CRYPT2Pay
• Open an administration session (See CRYPT2Pay Reference Manual § UTILIZATION AND ADMINISTRATION
PRINCIPLES – User profiles and accounts and § CRYPT2Pay ADMINISTRATION – Opening an administration
session)
• Clear all users and reset "admin" password to its default value (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – "Users" management – “Delete” sub-menu)
In some cases however, you may have to load new option files in CRYPT2Pay:
♦ to use CRYPT2Pay in test mode (test option is usually not authorized in a production environment)
♦ to add new options later on.
• Using a browser on the KMC PC, connect to the administration server of CRYPT2Pay and open an administration
session
• Check and activate required options, among authorised options (See CRYPT2Pay Reference Manual §
CRYPT2Pay ADMINISTRATION – Application management - “Options” sub-menu).
✓ Status of CRYPT2Pay:
➢ Active Area: New software (I)
➢ Inactive Area: Old software (I)
➢ Boot area at power on: Old software (I)
• Change the default boot area so that new be the (See CRYPT2Pay Reference Manual § CRYPT2Pay
ADMINISTRATION – Application management – “Set up Boot” sub-menu)
✓ Status of CRYPT2Pay:
➢ Active Area: New software (I)
➢ Inactive Area: Old software (I)
➢ Boot area at power on: New software (I)