007-000997-008 PayShield 10K Console Guide V1.8a Rev A

cpl.thalesgroup.
com
payShield® 10K
Console Guide
007-000997-008
payShield 10K Console Guide
Date: May 2023

Rev: A
Doc. Number: 007-000997-008
All information herein is either public information or is the property of and owned solely by Thales DIS
France S.A. and/or its subsidiaries or affiliates who shall have and keep the sole right to file patent
applications or any other kind of intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or
otherwise, under any intellectual and/or industrial property rights of or concerning any of Thales DIS
France S.A. and any of its subsidiaries and affiliates (collectively referred to herein after as “Thales”)
information.
This document can be used for informational, non-commercial, internal and personal use only provided
that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice
appear in all copies.
• This document shall not be posted on any network computer or broadcast in any media and no
modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided "AS IS" without any warranty of any kind.
Unless otherwise expressly agreed in writing, Thales makes no warranty as to the value or accuracy of
information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically
added to the information herein. Furthermore, Thales reserves the right to make any change or
improvement in the specifications data, information, and the like described herein, at any time.
Thales hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-
infringement. In no event shall Thales be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the
use or performance of information contained in this document.
Thales does not and shall not warrant that this product will be resistant to all possible attacks and shall
not incur, and disclaims, any liability in this respect. Even if each product is compliant with current
security standards in force on the date of their design, security mechanisms' resistance necessarily
evolves according to the state of the art in security and notably under the emergence of new attacks.
Under no circumstances, shall Thales be held liable for any third party actions and in particular in case
of any successful attack against systems or equipment incorporating Thales products. Thales disclaims
any liability with respect to security for direct, indirect, incidental or consequential damages that result
from any use of its products. It is further stressed that independent testing and verification by the
person using the product is particularly encouraged, especially in any application in which defective,
incorrect or insecure functioning could result in damage to persons or property, denial of service or loss
of privacy.
Copyright © 2018-2023 Thales Group. All rights reserved. Thales and the Thales logo are trademarks
and service marks of Thales and/or its subsidiaries and affiliates and are registered in certain countries.
All other trademarks and service marks, whether registered or not in specific countries, are the
properties of their respective owners.
Follow this link to find the End User Licensing Agreement: https://cpl.thalesgroup.com/legal
© Thales Group Page 2 of 256

All Rights Reserved
Contents
Contents ........................................................................................................................................................ 3
1 Introduction ............................................................................................................................................ 5
2 Console Commands – Listed Alphabetically ........................................................................................ 6
3 List of commands by Function............................................................................................................ 10

3.1 Configuration Commands ............................................................................................................. 10
3.2 Fraud Detection Commands ......................................................................................................... 11
3.3 Diagnostic Commands ................................................................................................................. 11
3.4 LMK Commands .......................................................................................................................... 11
3.5 HSM Authorization ....................................................................................................................... 12
3.6 Logging Commands ..................................................................................................................... 12
3.7 Time and Date Commands ........................................................................................................... 12
3.8 HSM Settings, Storage & Retrieval ............................................................................................... 12
3.9 Key Management Commands ...................................................................................................... 13
3.10 Payment System Commands ....................................................................................................... 13
3.11 Smartcard Commands ................................................................................................................. 13
3.12 DES Calculator Commands .......................................................................................................... 14
3.13 payShield Manager Commands.................................................................................................... 14
3.14 Secure Host Communications Commands.................................................................................... 14
3.15 KMD Support Commands ............................................................................................................. 15
4 Configuration Commands ................................................................................................................... 16
5 Fraud Detection Commands ................................................................................................................ 72
6 Diagnostic Commands ........................................................................................................................ 76
7 Local Master Keys ............................................................................................................................... 97

7.1 Types of LMKs ............................................................................................................................. 97
7.2 Multiple LMKs .............................................................................................................................. 97
7.3 LMK Commands .......................................................................................................................... 98
8 Operational Commands ..................................................................................................................... 125

8.1 Authorization Commands ........................................................................................................... 125
8.2 Logging Commands ................................................................................................................... 140
8.3 Time and Date Commands ......................................................................................................... 150
8.4 Settings, Storage and Retrieval Commands ............................................................................... 154
8.5 Key Management Commands .................................................................................................... 159
8.6 Payment System Commands ..................................................................................................... 195
8.7 Smartcard Commands ............................................................................................................... 206
8.8 DES Calculator Commands ........................................................................................................ 214

All Rights Reserved
9 payShield Manager Commands ........................................................................................................ 218
10 Secure Host Communications........................................................................................................... 232
11 KMD Support Commands .................................................................................................................. 247
Appendix A: Error Responses Excluded from Audit Log .................................................................. 253
Appendix B: Technical Support Contacts .......................................................................................... 255

All Rights Reserved
1 Introduction
This guide contains all the details for the payShield 10K Console Commands. Thales recommends that
payShield Manager is used to manage payShield 10K however the Console Commands are still provided as an
alternative. The Console Commands can be accessed via the Console connected directly to payShield 10K, or
by using the Virtual Console in payShield Manager. When using the Virtual Console, please note that several
Console Commands are not available.
The Console Commands are listed alphabetically in Section 2 and by function in Section 3 for easy reference.

All Rights Reserved
2 Console Commands – Listed

Alphabetically
Command Function Page
$ Double-Length Key Calculator ($) 216
A Enter the Authorized State (A) 126
A Authorize Activity (A) 129
A5 Configure Fraud Detection (A5) 73
A6 Set KMC Sequence Number (A6) 193
A7 Re-enable PIN Verification (A7) 75
AUDITLOG Display the Audit Log (AUDITLOG) 143
AUDITOPTIONS Audit Options (AUDITOPTIONS) 146
C Cancel the Authorized State (C) 128
C Cancel Authorized Activity (C) 137
CA Configure Auxiliary Port (CA) 57
CH Configure Host Port (CH) 39
CK Generate a Check Value (CK) 191
CL Configure Alarms (CL) 60
CLEARAUDIT Clear the Audit Log (CLEARAUDIT) 145
CLEARERR Clear the Error Log (CLEARERR) 142
CM Configure Management Port (CM) 54
CO Create an Authorizing Officer Smartcard (CO) 209
CONFIGACL Host Port Access Control List (ACL) Configuration 46
(CONFIGACL)
CONFIGCMDS Configure Commands (CONFIGCMDS) 21

CONFIGPB Configure PIN Block Formats (CONFIGPB) 23
CP Configure Printer Port (CP) 49
CS Configure Security (CS) 25
CV Generate a Card Verification Value (CV) 196
DC Duplicate LMK Component Sets (DC) 117
DM Delete LMK (DM) 118
DO Delete 'Old' or 'New' LMK from Key Change Storage (DO) 119

All Rights Reserved
DT Diagnostic Test (DT) 77

EA Convert (KEK) ZMK into a KEKr or KWKs (EA) 194
EC Encrypt Clear Component (EC) 167
ED Encrypt Decimalization Table (ED) 202
EJECT Eject a Smartcard (EJECT) 213
ERRLOG Display the Error Log (ERRLOG) 141
FC Format an HSM Smartcard (FC) 207
FICONTEST Check the FICON Host Interface (FICONTEST) 95
FK Form Key from Components (FK) 170
GC Generate Key Component (GC) 160
GETCMDS View Available Commands (GETCMDS) 84
GETTIME Query the Time and Date (GETTIME) 152
GK Generate LMK Component(s) (GK) 99
GS Generate Key and Write Components to Smartcard (GS) 163
GT Generate Test LMK (GT) 123
HEALTHENABLE Suspend/Resume Collection of Health Check Counts 64
(HEALTHENABLE)
HEALTHSTATS View/Reset Health Check Counts (HEALTHSTATS) 94

IK Import Key (IK) 183
KD Delete KTK (KD) 252
KE Export Key (KE) 187
KG Generate Key (KG) 177
KK Import Key encrypted under KTK (KK) 251
KM Generate KTK Components (KM) 248
KN Install KTK (KN) 249
KT View KTK Table (KT) 250
LK Load LMK (LK) 102
LN Load 'New' LMK into Key Change Storage (LN) 112
LO Load 'Old' LMK into Key Change Storage (LO) 108
MI Generate a MAC on an IPB (MI) 205
N Single-Length Key Calculator (N) 215
NETSTAT Show Network Statistics (NETSTAT) 86
NP Change a Smartcard PIN (NP) 211

All Rights Reserved
PING Test TCP/IP Network (PING) 89

PV Generate a VISA PIN Verification Value (PV) 198
QA View Auxiliary Port Configuration (QA) 59
QH View Host Port Configuration (QH) 43
QL View Alarm Configuration (QL) 61
QM View Management Port Configuration (QM) 56
QMAC MAC addresses of all network interfaces (QMAC) 71
QP View Printer Port Configuration (QP) 52
QS View Security Configuration (QS) 34
R Load the Diebold Table (R) 200
RC Read Unidentifiable Smartcard Details (RC) 212
RESET Reset to Factory Settings (RESET) 17
RS Retrieve HSM Settings from Smartcard (RS) 156
SD Delete Installed Certificate(s) (SD) 243
SE Export HSM Certificate's Chain of Trust (SE) 238
SETTIME Set the time (SETTIME) 151
SG Generate Certificate Signing Request (SG) 233
SI Import Certificate (SI) 236
SK Generate HRK (SK) 244
SL Restore HRK (SL) 246
SNMP View SNMP Settings (SNMP) 65
SNMPADD Add an SNMP User (SNMPADD) 66
SNMPDEL Delete an SNMP User (SNMPDEL) 67
SP Change HRK Passphrase (SP) 245
SS Save HSM Settings to a Smartcard (SS) 155
ST Set Time for Automatic Self-Tests (ST) 153
SV View Installed Certificate(s) (SV) 240
T Triple-Length Key Calculator (T) 217
TD Translate Decimalization Table (TD) 203
TRACERT Trace TCP/IP route (TRACERT) 90
TRAP Configure SNMP Traps (TRAP) 68
TRAPADD Add a new SNMP Trap (TRAPADD) 69
TRAPDEL Delete an SNMP Trap (TRAPDEL) 70

All Rights Reserved
UPLOAD Upload Software and Licenses (UPLOAD) 19

UTILCFG View/Change Instantaneous Utilization Period (UTILCFG) 62
UTILENABLE Suspend/Resume Collection of Utilization Data (UTILENABLE) 63
UTILSTATS View/Reset Utilization Data (UTILSTATS) 92
V Verify LMK Store (V) 116
VA View Authorized Activities (VA) 139
VC Verify the Contents of a Smartcard (VC) 210
VR View Software Revision Number (VR) 81
VT View LMK Table (VT) 120
XA Add a RACC to the whitelist (XA) 219
XD Decommission the HSM (XD) 220
XE Remove RACC from the whitelist (XE) 221
XH Commission the HSM (XH) 222
XI Generate Customer Trust Authority (XI) 223
XK Make an RACC left or right key (XK) 225
XR Commission a smartcard (XR) 226
XT Transfer existing LMK to RLMK (XT) 227
XX Decommission a smartcard (XX) 229
XY HSM commissioning status (XY) 230
XZ Duplicate CTA share (XZ) 231

All Rights Reserved
3 List of commands by Function

3.1 Configuration Commands
The payShield 10K provides the following console commands to support configuration operations:
Function (Command) Page

Reset to Factory Settings (RESET) 17
Upload Software and Licenses (UPLOAD) 19
Configure Commands (CONFIGCMDS) 21
Configure PIN Block Formats (CONFIGPB) 23
Configure Security (CS) 25
View Security Configuration (QS) 34
Configure Host Port (CH) 39
View Host Port Configuration (QH) 43
Host Port Access Control List (ACL) Configuration (CONFIGACL) 46
Configure Printer Port (CP) 49
View Printer Port Configuration (QP) 52
Configure Management Port (CM) 54
View Management Port Configuration (QM) 56
Configure Auxiliary Port (CA) 57
View Auxiliary Port Configuration (QA) 59
Configure Alarms (CL) 60
View Alarm Configuration (QL) 61
View/Change Instantaneous Utilization Period (UTILCFG) 62
Suspend/Resume Collection of Utilization Data (UTILENABLE) 63
Suspend/Resume Collection of Health Check Counts (HEALTHENABLE) 64
View SNMP Settings (SNMP) 65
Add an SNMP User (SNMPADD) 66
Delete an SNMP User (SNMPDEL) 67
Configure SNMP Traps (TRAP) 68
Add a new SNMP Trap (TRAPADD) 69
Delete an SNMP Trap (TRAPDEL) 70
MAC addresses of all network interfaces 71

All Rights Reserved
3.2 Fraud Detection Commands

The payShield 10K provides the following commands to support fraud detection operations:

Configure Fraud Detection (A5) 73
Re-enable PIN Verification (A7) 75
3.3 Diagnostic Commands

The payShield 10K provides the following console commands to support diagnostic operations:

Diagnostic Test (DT) 77
View Software Revision Number (VR) 81
View Available Commands (GETCMDS) 84
Show Network Statistics (NETSTAT) 86
Test TCP/IP Network (PING) 89
Trace TCP/IP route (TRACERT) 90
View/Reset Utilization Data (UTILSTATS) 92
View/Reset Health Check Counts (HEALTHSTATS) 94
Check the FICON Host Interface (FICONTEST) 95
3.4 LMK Commands

The HSM provides the following console commands to support LMK operations:

Generate LMK Component(s) (GK) 99
Load LMK (LK) 102
Load 'Old' LMK into Key Change Storage (LO) 108
Load 'New' LMK into Key Change Storage (LN) 112
Verify LMK Store (V) 116
Duplicate LMK Component Sets (DC) 117
Delete LMK (DM) 118
Delete 'Old' or 'New' LMK from Key Change Storage (DO) 119
View LMK Table (VT) 120
Generate Test LMK (GT) 123

All Rights Reserved
3.5 HSM Authorization

Enter the Authorized State (A) 126
Cancel the Authorized State (C) 128
Authorize Activity (A) 129
Cancel Authorized Activity (C) 137
View Authorized Activities (VA) 139
3.6 Logging Commands

Display the Error Log (ERRLOG) 141
Clear the Error Log (CLEARERR) 142
Display the Audit Log (AUDITLOG) 143
Clear the Audit Log (CLEARAUDIT) 145
Audit Options (AUDITOPTIONS) 146
3.7 Time and Date Commands

Set the time (SETTIME) 151
Query the Time and Date (GETTIME) 152
Set Time for Automatic Self-Tests (ST) 153
3.8 HSM Settings, Storage & Retrieval

Save HSM Settings to a Smartcard (SS) 155
Retrieve HSM Settings from Smartcard (RS) 156

All Rights Reserved
3.9 Key Management Commands

Generate Key Component (GC) 160
Convert (KEK) ZMK into a KEKr or KWKs (EA) 194
Generate Key and Write Components to Smartcard (GS) 163
Encrypt Clear Component (EC) 167
Form Key from Components (FK) 170
Generate Key (KG) 177
Import Key (IK) 183
Export Key (KE) 187
Generate a Check Value (CK) 191
Set KMC Sequence Number (A6) 193
3.10 Payment System Commands

Generate a Card Verification Value (CV) 196
Generate a VISA PIN Verification Value (PV) 198
Load the Diebold Table (R) 200
Encrypt Decimalization Table (ED) 202
Translate Decimalization Table (TD) 203
Generate a MAC on an IPB (MI) 205
3.11 Smartcard Commands

Format an HSM Smartcard (FC) 207
Create an Authorizing Officer Smartcard (CO) 209
Verify the Contents of a Smartcard (VC) 210
Change a Smartcard PIN (NP) 211
Read Unidentifiable Smartcard Details (RC) 212
Eject a Smartcard (EJECT) 213

All Rights Reserved
3.12 DES Calculator Commands

Single-Length Key Calculator (N) 215
Double-Length Key Calculator ($) 216
Triple-Length Key Calculator (T) 217
3.13 payShield Manager Commands

Add a RACC to the whitelist (XA) 219
Decommission the HSM (XD) 220
Remove RACC from the whitelist (XE) 221
Commission the HSM (XH) 222
Generate Customer Trust Authority (XI) 223
Make an RACC left or right key (XK) 225
Commission a smartcard (XR) 226
Transfer existing LMK to RLMK (XT) 227
Decommission a smartcard (XX) 229
HSM commissioning status (XY) 230
Duplicate CTA share (XZ) 231
3.14 Secure Host Communications Commands

Generate Certificate Signing Request (SG) 233
Import Certificate (SI) 236
Export HSM Certificate's Chain of Trust (SE) 238
View Installed Certificate(s) (SV) 240
Delete Installed Certificate(s) (SD) 243
Generate HRK (SK) 244
Change HRK Passphrase (SP) 245
Restore HRK (SL) 246

All Rights Reserved
3.15 KMD Support Commands

Generate KTK Components (KM) 248
Install KTK (KN) 249
View KTK Table (KT) 250
Import Key encrypted under KTK (KK) 251
Delete KTK (KD) 252

All Rights Reserved
4 Configuration Commands
The payShield 10K provides the following console commands to support configuration operations:

Reset to Factory Settings (RESET) 17
Upload Software and Licenses (UPLOAD) 19
Configure Commands (CONFIGCMDS) 21
Configure PIN Block Formats (CONFIGPB) 23
Configure Security (CS) 25
View Security Configuration (QS) 34
Configure Host Port (CH) 39
View Host Port Configuration (QH) 43
Host Port Access Control List (ACL) Configuration (CONFIGACL) 46
Configure Printer Port (CP) 49
View Printer Port Configuration (QP) 52
Configure Management Port (CM) 54
View Management Port Configuration (QM) 56
Configure Auxiliary Port (CA) 57
View Auxiliary Port Configuration (QA) 59
Configure Alarms (CL) 60
View Alarm Configuration (QL) 61
View/Change Instantaneous Utilization Period (UTILCFG) 62
Suspend/Resume Collection of Utilization Data (UTILENABLE) 63
Suspend/Resume Collection of Health Check Counts (HEALTHENABLE) 64
View SNMP Settings (SNMP) 65
Add an SNMP User (SNMPADD) 66
Delete an SNMP User (SNMPDEL) 67
Configure SNMP Traps (TRAP) 68
Add a new SNMP Trap (TRAPADD) 69
Delete an SNMP Trap (TRAPDEL) 70
MAC addresses of all network interfaces (QMAC) 71

All Rights Reserved
Variant  Key Block 

Reset to Factory Settings (RESET) Online  Offline  Secure 
Authorization: Not required
Command: RESET
Function: Returns the HSM to the state it was in when it was shipped from the factory,
so that it can be securely taken out of service – e.g. for return to Thales for
repair.
Any configuration changes (including port settings) that the customer has
applied will be reversed, and any customer data and logs will be erased.
If the HSM is to be returned (e.g. after it has been repaired), a record of all
the settings should be made before using this command such that the
settings can be re-applied after the HSM's return.
This command also reports whether the HSM is currently configured as it left
the factory.
Authorization:  Authorization is not required.

 The HSM must be in the secure state.
Inputs:  Confirmation that Reset is required.
Outputs:  Whether HSM is currently in its factory default state.

 Confirmation of Reset.
Notes:  This utility cannot reset firmware or licenses installed on the HSM.
Therefore, after use of this facility, the HSM will still have the most recently
installed firmware and license – which may be different from the firmware
and license when the HSM was shipped from the factory.
 At the end of the reset process, the payShield 10K will automatically
perform a restart. If the console does not display correctly after this, the
payShield 10K should be restarted manually. Turn the unit off and then back
on.

All Rights Reserved
Example 1: Secure> RESET <Return>
Reset HSM to factory settings? [Y/N]: Y <Return>
The unit is currently in its factory default state: NO
Resetting the unit will remove all customer data,

including logs, port settings, keys, etc. This may cause
the console to stop functioning.
This operation should only be performed if this unit is

being
taken out of normal operation.
Do you want to reset to the factory default settings?

[Y/N]: Y <Return>
You selected Yes; please confirm to Proceed with reset?

[Y/N]: Y <Return>
Return to factory default state complete
The HSM will now reboot automatically. This console is

exiting due to: Terminated
Example 2: Secure> RESET <Return>
Reset HSM to factory settings? [Y/N]: Y <Return>

The unit is currently in its factory default state: YES
Resetting the unit will remove all customer data,

including logs, port settings, keys, etc. This may cause
the console to stop functioning.
This operation should only be performed if this unit is

being
taken out of normal operation.
Do you want to reset to the factory default settings?

[Y/N]: N <Return>
Secure>

All Rights Reserved

Upload Software and Licenses Online  Offline  Secure 
(UPLOAD) Authorization: Not required
Command: UPLOAD
Function: With this command, you can upload new software and new licenses from the
console.
Notes: The software /license must be provided on a suitable USB memory stick inserted
into the USB-A socket on the rear of the payShield 10K.

 The HSM must be in the secure state.
Inputs:  New software load is available or new license is available.
Outputs:  The software/license successfully loads.
Errors:  Invalid Entry

 There are no License files available
Example 1: Secure> UPLOAD <Return>
Please select one of the following options:

1) Software update
2) Install new license
Your selection: 1 <Return>
This operation will terminate your session and reboot the

payShield. Do you want to proceed? [Y/N]: Y <Return>
Attached USB Mass storage devices:

Ultra USB 3.0
The following update files are available:

1) ps10k_update_1.pti
2) ps10k_update_2.pti
Your selection (choose 0 to exit): 1 <Return>
The following update will be applied: ps10k_update_1.pti
Continue with update? [Y/N]: Y <Return>
Obtaining update package information , please wait...
***** New HSM software is currently being installed. *****

***** Please do not remove power from the HSM. *****
***** Validating update package *****
***** Installing update package *****
***** New HSM Software has been successfully installed. *****
***** Unit will now reboot automatically. *****
Secure>

All Rights Reserved
Example 2: Secure> UPLOAD <Return>
Please select one of the following options:

1) Software update
2) Install new license
Attached USB Mass storage devices:

Ultra USB 3.0
The following License files are available:

1) C4665271228Q.licence
Are you sure you want to install license

C4665271228Q.licence? [Y/N]: Y <Return>
***** New HSM License is currently being installed. *****

***** Please do not remove power from the HSM. *****
***** New HSM License has been successfully installed. *****
Secure>

All Rights Reserved

Configure Commands (CONFIGCMDS) Online  Offline  Secure 
Command: CONFIGCMDS
Function: To view the list of enabled host and console commands, and (if in secure
state) to enable or disable host and console commands. All available
commands are disabled by default.
Commands are enabled or disabled using the following syntax:
[+ or -] [C or H] [<Command Code>]
+ indicates that the specified command should be enabled.
- indicates that the specified command should be disabled.
C indicates that <Command Code> is a Console command.
H indicates that <Command Code> is a Host command.
<Command Code> is the command code to be enabled or disabled, and may
contain the wildcard character '*'. If the first character is '*', then the second
character is absent, and this matches all command codes of the specified
type. If the second character is '*', then this matches all command codes of
the specified type starting with the given first character.
Authorization: The HSM must be in the secure state to enable/disable host and console
commands. The current status of enablement of host and console commands
can be viewed in any state.
Inputs:  List of host commands to enable.

 List of console commands to enable.
 List of host commands to disable.
 List of console commands to disable.
Outputs:  Complete list of enabled host commands.

 Complete list of enabled console commands.
Errors:  Invalid entry
Notes:  When a disabled host command is invoked, error code 68 is returned.

 When a disabled console command is invoked, the message "Function
undefined or not allowed" is displayed.
Example 1: This example demonstrates the use of the CONFIGCMDS console command
to view the list of enabled host and console commands.
Online> CONFIGCMDS <Return>
List of enabled Host commands:

A0 A4 GG GY
List of enabled Console commands:

GC GS EC FK
Online>
to enable one console command (DE) and disable one host command (A4).
Secure> CONFIGCMDS <Return>

All Rights Reserved

A0 A4 GG GY
GC GS EC FK
Enter command code (e.g. +CDE) or Q to Quit: +CDE
<Return>

A0 A4 GG GY
GC GS EC FK DE
Enter command code (e.g. +CDE) or Q to Quit: -HA4
<Return>

A0 GG GY
GC GS EC FK DE
Enter command code (e.g. +CDE) or Q to Quit: Q <Return>
Save COMMAND settings to smart card? [Y/N]: N <Return>
Secure>
using the wildcard character '*' to disable all non-core host commands, and
then enable just those host commands beginning with 'A'.
Secure> CONFIGCMDS <Return>

A0 A4 GG GY
GC GS EC FK
Enter command code (e.g. +CDE) or Q to Quit: -H* <Return>

GC GS EC FK DE
Enter command code (e.g. +CDE) or Q to Quit: +HA*
<Return>

A0 A2 A4 A6 A8 AA AC AE AG AS AU AW AY
GC GS EC FK DE
Enter command code (e.g. +CDE) or Q to Quit: Q <Return>
Save COMMAND settings to smart card? [Y/N]: Y <Return>
Insert card and press ENTER: <Return>

COMMAND settings saved to the smartcard.
Secure>

All Rights Reserved

Configure PIN Block Formats Online  Offline  Secure 
(CONFIGPB) Authorization: Not required
Command: CONFIGPB
Function: To view the list of enabled PIN block formats, and (if in secure state) to
enable or disable individual PIN block formats.
Authorization: The HSM must be in the secure state to enable/disable PIN block formats.
The current status of PIN Block format enablement can be viewed in any
state.
Inputs:  PIN block format identifier.
Outputs:  List of enabled PIN block formats.
Errors:  Invalid entry
Example 1: This example demonstrates the use of the CONFIGPB console command to
view the list of enabled PIN block formats.
Online> CONFIGPB <Return>
List of enabled PIN Block formats:

01 – ISO 9564-1 & ANSI X9.8 format 0
05 – ISO 9564-1 format 1
35 – MasterCard Pay Now and Pay Later format
41 – Visa/Amex new PIN only format
42 – Visa/Amex new & old PIN format
47 – ISO 9564-1 & ANSI X9.8 format 3
48 – ISO 9564-1 PIN Block Format 4 (AES)
Online>
Example 2: This example demonstrates the use of the CONFIGPB console command to
enable the use of HSM PIN Block format 03.
Secure> CONFIGPB <Return>

01 – ISO 9564-1 & ANSI X9.8 format 0
05 – ISO 9564-1 format 1
35 – MasterCard Pay Now & Pay Later format
47 – ISO 9564-1 & ANSI X9.8 format 3
Enter + or – followed by PIN Block format or Q to Quit:

+03 <Return>

01 – ISO 9564-1 & ANSI X9.8 format 0
03 – Diebold & IBM ATM format
05 – ISO 9564-1 format 1
35 – MasterCard Pay Now & Pay Later format

All Rights Reserved

47 – ISO 9564-1 & ANSI X9.8 format 3
Enter + or – followed by PIN Block format or Q to Quit: Q

<Return>
Save PIN BLOCK settings to smart card? [Y/N]: Y <Return>

PIN BLOCK settings saved to the smartcard.
Secure>

All Rights Reserved

Configure Security (CS) Online  Offline  Secure 
Command: CS
Function: To set the security configuration of the HSM and some processing parameters.
CS converts all lower-case alpha values to upper case for display purposes,
except for the Card issuer Password. Operation is menu-driven, as shown in
the examples. The security settings can optionally be saved to a smartcard.
Authorization: The HSM must be in the secure state to run this command.
Inputs:  PIN length [4-12]: a one or two-digit number in the range 4 to 12.
 Echo [oN/ofF]: N or F
 Atalla ZMK variant support [oN/ofF]: N or F
 Transaction key scheme: Racal, Australian or None? [R/A/N]: R or A or N
 User storage key length [S/D/T/V]: S, D, T, or V
 Display general information on payShield Manager Landing page? [Y/N]: Y or
N
 Default LMK identifier [0-x]: Integer between 0 and x
 Management LMK identifier [0-x] : Integer between 0 and x
 Whether to erase the installed LMKs to enable the following settings to be
changed.
 Select clear PINs? [Y/N]: Y or N
 Enable ZMK translate command? [Y/N]: Y or N
 Enable X9.17 for import? [Y/N]: Y or N
 Enable X9.17 for export? [Y/N]: Y or N
 Solicitation batch size [1-1024]: a one to four-digit number, range 1 to 1024.
 Single/double length ZMKs [S/D]: S or D
 Decimalization table Encrypted/Plaintext [E/P]: E
 Enable Decimalization Table Checks? [Y/N]: Y or N
 PIN encryption algorithm [A/B]: A or B
 Use deprecated proprietary format (Tag J) when using PIN Blocks under AES
Key Block LMK [Y/N]: Y or N
 Whether to use the default Card Issuer password or to enter a different value
(of 8 alphanumeric printable characters).
 Authorized State required when importing DES key under RSA key? [Y/N]: Y
or N
 Minimum HMAC verification length in bytes [5-64]: number, range 5-64
 Enable PKCS#11 import and export for HMAC keys? [Y/N]: Y or N
 Enable ANSI X9.17 import and export for HMAC keys? [Y/N]: Y or N
 Enable ZEK/TEK encryption of ASCII data or Binary data or None? [A/B/N]: A
or B or N
 Restrict Key Check Values to 6 hex chars? [Y/N]: Y or N
 Return PIN length in PIN translation response? [Y/N]: Y or N
 Enable multiple authorized activities? [Y/N]: Y or N
 Allow persistent authorized activities [Y/N]: Y or N
 Enable support for variable length PIN offset? [Y/N]: Y or N
 Enable weak PIN checking? [Y/N]: Y or N
 Enable PIN Block format 34 as output format for PIN translations to ZPK?
[Y/N]: Y or N
 Enable translation of account number for LMK encrypted PINs [Y/N]: Y or N.
 Use HSM clock for date/time validation? [Y/N]: Y or N
 Additional padding to disguise key length? [Y/N] : Y or N
 Key export and import in trusted format only? [Y/N] : Y or N
 Protect MULTOS cipher data checksums? [Y/N] : Y or N

All Rights Reserved
 Enable Key Scheme Tag 'X' (X9.17) for storing keys under LMK? [Y/N] : Y or
N
 Enable use of Tokens in PIN Translation? [Y/N]: Y or N
 Enable use of Tokens in PIN Verification? [Y/N]: Y or N
 Enable PIN translation to BDK encryption? [Y/N]: Y or N
 Ensure LMK Identifier in command corresponds with host port? [Y/N]: Y or N
 Ignore LMK ID in Key Block Header? [Y/N]: Y or N
 Enable import and export of RSA Private keys? [Y/N]: Y or N
 Prevent Single-DES keys masquerading as double or triple-length key? [Y/N]:
Y or N
 Disable Single-DES? [Y/N]: Y or N
 Card/password authorization (local) [C/P]: C or P (Card or Password).
 Restrict PIN block usage for PCI HSM compliance? [Y/N]: Y or N.
 Enforce key type 002 separation for PCI HSM compliance [Y/N]: Y or N.
 Enforce Authorization Time Limit? [Y/N]: Y or N.
 Enforce Multiple Key Components? [Y/N]: Y or N.
 Enforce PCI HSMv3 Key Equivalence for Key Wrapping? [Y/N]: Y or N.
 Enforce minimum key strength of 1024-bits for RSA signature verification?
[Y/N]: Y or N.
 Enforce minimum key strength of 2048-bits for RSA and ECC? [Y/N]: Y or N.
 Save SECURITY settings to smartcard? [Y/N]: Y or N
Outputs:  Prompts according to the settings chosen (see examples below).
Errors: Invalid Entry

Card not formatted to save/retrieve HSM settings.
Attempt with another card? [Y/N]
Notes:  For software versions which have been PCI HSM certified, in order to be PCI
HSM compliant a number of security settings must have specific values as
follows:
o Disable Single-DES? – must be “Y”
o Card/password authorization (local) – must be "C"
o Restrict PIN block usage for PCI HSM compliance – must be "Y"
o Enforce key type 002 separation for PCI HSM compliance –must be "Y"
o Enforce Authorization Time Limit – must be "Y"
o Enforce Multiple Key Components – must be "Y"
o Enforce PCI HSMv3 Key Equivalence for Key Wrapping – must be “Y”
o Enforce minimum key strength of 1024-bits for RSA signature verification –
must be “Y”
o Enforce minimum key strength of 2048-bits for RSA – must be “Y”
 Once all of these settings are at the PCI HSM compliant value, they cannot
be changed unless the RESET command is used.
 If the value of the setting "Enforce key type 002 separation for PCI HSM
compliance" is "Y", then:
o Key Type Table 2 is in effect. If the setting has a value of "N", then the
HSM is not being operated in a PCI HSM compliant manner and Key
Type Table 1 is in effect.
o The following Host commands are disabled: AA, AE, FC, FE, FG, HC,
KA, OE
 “Prevent single-DES keys masquerading as double or triple-length key?”
must be “Y”

All Rights Reserved
Example 1: Erasing LMKs not selected by the user
Secure> CS <Return>
PIN Length [4-12]: 8 <Return>
Echo [oN/ofF]: N <Return>
Atalla ZMK variant support [oN/ofF]: F <Return>
Transaction Key Scheme: Racal, Australian or None [R/A/N]: N
<Return>
User storage key length [S/D/T/V](SINGLE): <Return>
Display general information on payShield Manager Landing page?
[Y/N]: Y <Return>
Default LMK identifier [0-4](0): <Return>
Management LMK identifier [0-4](0): <Return>
LMKs must be erased before remaining parameters can be set.
Erase LMKs? [Y/N]: N <Return>
Save SECURITY settings to smartcard? [Y/N]: N <Return>

Secure>

All Rights Reserved
Example 2: Settings affecting PCI HSM compliance do not have compliant values. The user wishes
to use the default card issuer password.
Secure> CS <Return>
Please make a selection. The current setting is in parentheses.

Press ENTER to keep the current setting.
PIN length [4-12](4): <Return>
Echo [oN/ofF](ON): <Return>92
Atalla ZMK variant support [oN/ofF](ON): <Return>
Transaction key scheme: Racal, Australian or None? [R/A/N](R):
<Return>
[Y/N]: Y <Return>
LMKs must be erased before remaining parameters can be set
Erase LMKs? [Y/N]: Y <Return>

Enforce Atalla variant match to Thales key type? [Y/N](YES):
<Return>
Select clear PINs? [Y/N](YES): <Return>
Enable ZMK translate command? [Y/N](YES): <Return>
Enable X9.17 for import? [Y/N](YES): <Return>
Enable X9.17 for export? [Y/N](YES): <Return>
Solicitation batch size [1-1024](5): <Return>
Single/double length ZMKs [S/D](DOUBLE): <Return>

Decimalization table Encrypted/Plaintext [E/P](P): <Return>
Enable Decimalization Table Checks? [Y/N](YES): <Return>
PIN encryption algorithm [A/B](A): <Return>

Use deprecated proprietary format (Tag J) when using PIN Blocks
under AES Key Block LMK [Y/N](N): <Return>
Use default card issuer password [Y/N](YES): Y <Return>
Authorized State required when importing DES key under RSA key?
[Y/N](YES): <Return>
Minimum HMAC key length in bytes [5-64](10): <Return>
Enable PKCS#11 import and export for HMAC keys [Y/N](YES):
<Return>
Enable ANSI X9.17 import and export for HMAC keys [Y/N](YES):
<Return>
Enable ZEK/TEK encryption of ASCII data or Binary data or None?
[A/B/N] (N): <Return>
Restrict Key Check Values to 6 hex chars [Y/N](YES): <Return>
Return PIN length in PIN translation response [Y/N] (YES):
<Return>
Enable multiple authorized activities [Y/N](NO): <Return>
Allow persistent authorized activities [Y/N](NO): <Return>
Enable support for variable length PIN offset [Y/N](NO): <Return>
Enable weak PIN checking [Y/N](YES): <Return>
Check new PINs using global list of weak PINs? [Y/N](YES):
<Return>
Check new PINs using local list of weak PINs? [Y/N](YES):
<Return>
Check new PINs using rules? [Y/N](YES): <Return>
Enable PIN Block Format 34 as output format
for PIN Translations to ZPK [Y/N](NO): <Return>
Enable translation of account number for LMK encrypted PINs

All Rights Reserved
[Y/N](NO): <Return>
Use HSM clock for date/time validation? [Y/N](YES): <Return>
Additional padding to disguise key length? [Y/N](NO): <Return>
Key export and import in trusted format only? [Y/N](NO): <Return>
Protect MULTOS cipher data checksums? [Y/N](YES): <Return>
Enable Key Scheme Tag 'X' (X9.17) for storing keys under LMK?
[Y/N](NO): <Return>
Enable use of Tokens in PIN Translation? [Y/N](NO): <Return>
Enable use of Tokens in PIN Verification? [Y/N](NO): <Return>
Enable PIN translation to BDK encryption? [Y/N](YES): <Return>
Ensure LMK Identifier in command corresponds with host port?
[Y/N](NO): <Return>
Ignore LMK ID in Key Block Header? [Y/N](NO): <Return>
Enable import and export of RSA Private keys? [Y/N](NO): <Return>
The following settings affect PCI HSM compliance:

Prevent single-DES keys masquerading
as double or triple-length key? [Y/N](YES): <Return>
The following setting is not PCI HSM compliant: <Return>
Disable Single-DES? [Y/N](NO): <Return>
Card/password authorization (local) [C/P](C): <Return>
Restrict PIN block usage for PCI HSM compliance? [Y/N](YES):
<Return>
The following setting is not PCI HSM compliant:
Enforce key type 002 separation for PCI HSM compliance?
[Y/N](NO): <Return>
Enforce Authorization Time Limit? [Y/N](YES): <Return>
Enforce Multiple Key Components? [Y/N](NO): <Return>
Enforce PCI HSMv3 Key Equivalence for Key Wrapping? [Y/N](NO):
<Return>
Enforce minimum key strength of 1024-bits for RSA signature
verification? [Y/N](NO): <Return>
Enforce minimum key strength of 2048-bits for RSA and ECC?
[Y/N](NO): <Return>
Save SECURITY settings to smartcard? [Y/N]: N <Return>
Secure>

All Rights Reserved
Example 3: Final setting affecting PCI HSM compliance is about to be set to compliant value. The
user is specifying a different card issuer software.
Secure> CS <Return>

Echo [oN/ofF](ON): <Return>
<Return>
[Y/N]: Y <Return>



Use default card issuer password [Y/N](YES): N <Return>
Enter card issuer password (local):***** <Return>
Password must be 8 characters.
Enter card issuer password (local):******** <Return>
Confirm card issuer password: ******** <Return>
<Return>
<Return>
Return PIN length in PIN translation response? [Y/N] (YES):
<Return>
Enable PIN Block Format 34 as output format for PIN Translations
to ZPK [Y/N](NO): <Return>

All Rights Reserved

[Y/N](NO): <Return>
[Y/N](NO): <Return>
The following settings affect PCI HSM compliance - see Console

Reference Manual:
Prevent single-DES keys masquerading as double or triple-length
key? [Y/N](YES): <Return>
Disable Single-DES? [Y/N](YES): <Return>
Card/password authorization (local) [C/P](C): <Return>

Restrict PIN block usage for PCI HSM compliance? [Y/N](NO): Y
<Return>

Enforce key type 002 separation for PCI HSM compliance?
[Y/N](NO): Y <Return>
Enforce Authorization Time Limit? [Y/N](YES): <Return>
Enforce Multiple Key Components? [Y/N](YES): <Return>
Enforce PCI HSMv3 Key Equivalence for Key Wrapping? [Y/N](YES):

<Return>

verification? [Y/N](YES): <Return>
Enforce minimum key strength of 2048-bits for RSA? [Y/N](YES):

<Return>
These settings will all become PCI HSM compliant.

No further changes will be allowed to these options:
key: YES
Single-DES: DISABLED
Card/password authorization (local): C
Restrict PIN block usage for PCI HSM Compliance: YES
Enforce key type separation for PCI HSM compliance: YES
Enforce Authorization Time Limit: YES
Enforce Multiple Key Components: YES
Enforce PCI HSMv3 Key Equivalence for Key Wrapping: YES
verification: YES
Enforce minimum key strength of 2048-bits for RSA: YES
Confirm? [Y/N]: Y <Return>
Save SECURITY settings to smartcard? [Y/N]: Y <Return>


All Rights Reserved
SECURITY settings saved to the smartcard.
Secure>
Example 4: All settings affecting PCI HSM compliance have compliant values
Secure> CS <Return>

Echo [oN/ofF](ON): <Return>
<Return>
[Y/N]: Y <Return>



Use default card issuer password [Y/N](YES): Y <Return>
<Return>
<Return>
Return PIN length in PIN translation response [Y/N](YES):
<Return>
Enable PIN Block Format 34 as output format for PIN Translations
to ZPK [Y/N](NO): <Return>

All Rights Reserved

[Y/N](NO): <Return>
[Y/N](NO): <Return>
The following settings are all PCI HSM compliant and cannot be
changed.
key: YES
Enforce key type separation for PCI HSM compliance: YES
verification: YES
Save SECURITY settings to smartcard? [Y/N]: Y <Return>

Secure>

All Rights Reserved

View Security Configuration (QS) Online  Offline  Secure 
Command: QS
Function: Reports the security configuration of the HSM and some processing
parameters, plus the LMK check value.
Authorization: This command does not require any authorization.
Inputs: None.
Outputs:  See examples below.
Errors: None.
Notes:  Where the software has been PCI HSM certified, in order to be PCI HSM
compliant a number of security settings must have specific values as
follows:
o Disable Single-DES? – must be “Y”
o Card/password authorization (local) – must be "C"
o Restrict PIN block usage for PCI HSM compliance – must be "Y"
o Enforce key type 002 separation for PCI HSM compliance –must be "Y"
o Enforce Authorization Time Limit – must be "Y"
o Enforce Multiple Key Components – must be "Y"
o Enforce PCI HSMv3 Key Equivalence for Key Wrapping – must be “Y”
o Enforce minimum key strength of 1024-bits for RSA signature
verification – must be “Y”
o Enforce minimum key strength of 2048-bits for RSA – must be “Y”
 Once all of these settings are at the PCI HSM compliant value, they cannot
be changed unless the RESET command is used.

All Rights Reserved
Example 1: Settings affecting PCI HSM compliance do not all have compliant values
Online> QS <Return>
PIN length: 04
Encrypted PIN length: 05
Echo: OFF
Atalla ZMK variant support: OFF
Transaction key support: NONE
User storage key length: SINGLE
Display general information on payShield Manager Landing Page:
NO
Default LMK identifier: 00
Management LMK identifier: 00
Select clear PINs: NO

Enable ZMK translate command: NO
Enable X9.17 for import: NO
Enable X9.17 for export: NO
Solicitation batch size: 1024
ZMK length: DOUBLE
Decimalization tables: ENCRYPTED
Decimalization table checks: ENABLED
PIN encryption algorithm: A
under AES Key Block LMK: NO
Press "Enter" to view additional security settings... <Return>
Authorized state required when importing DES key under RSA key:
YES
Minimum HMAC length in bytes: 10
Enable PKCS#11 import and export for HMAC keys: NO
Enable ANSI X9.17 import and export for HMAC keys: NO
Enable ZEK/TEK encryption of ASCII data or Binary data or None:
NONE
Restrict key check values to 6 hex chars: YES
Return PIN length in PIN translation response: YES
Enable multiple authorized activities: YES
Allow persistent authorized activities: NO
Enable variable length PIN offset: NO
Enable weak PIN checking: NO
Enable PIN block Format 34 as output format for PIN
translations to ZPK: NO
Enable translation of account number for LMK encrypted PINs: NO
Use HSM clock for date/time validation: YES

Additional padding to disguise key length: NO
Key export and import in trusted format only: YES
Protect MULTOS cipher data checksums: YES
Enable Key Scheme Tag 'X' (X9.17) for storing keys under LMK:
NO
Enable use of Tokens in PIN Translation: NO
Enable use of Tokens in PIN Verification: NO
Enable PIN translation to BDK encryption: YES
Ensure LMK Identifier in command corresponds with host port: NO
Ignore LMK ID in Key Block Header: NO
Enable import and export of RSA Private keys: NO
NOTE: The following settings are not all PCI HSM compliant.

All Rights Reserved
keys: YES
Restrict PIN block usage for PCI HSM Compliance: NO
Enforce key type 002 separation for PCI HSM compliance: NO
verification: YES
Online>

All Rights Reserved
Example 2: Settings affecting PCI HSM compliance have compliant values

Online> QS <Return>
PIN length: 04
Encrypted PIN length: 05
Echo: OFF
Transaction key support: NONE
Display general information on payShield Manager Landing Page:
NO
Enable X9.17 for import: NO
Enable X9.17 for export: NO
ZMK length: DOUBLE
Decimalization tables: ENCRYPTED
Decimalization table checks: ENABLED
under AES Key Block LMK: NO
Press "Enter" to view additional security settings... <Return>
YES
NONE
Restrict key check values to 6 hex chars: YES
Allow persistent authorized activities: NO
Enable PIN block Format 34 as output format for PIN
Enable translation of account number for LMK encrypted PINs: NO

Key export and import in trusted format only: YES
Enable Key Scheme Tag 'X' (X9.17) for storing keys under LMK:
NO
Ensure LMK Identifier in command corresponds with host port: NO
Ignore LMK ID in Key Block Header: NO
Enable import and export of RSA Private keys: NO
The following settings are all PCI HSM compliant and cannot be
changed:
keys: YES

All Rights Reserved
Enforce key type 002 separation for PCI HSM compliance: YES
verification: YES
Online>

All Rights Reserved

Configure Host Port (CH) Online  Offline  Secure 
Command: CH
Function: To configure the Host port to emulate a type of data communications

equipment and control equipment, i.e., Ethernet or FICON.
The Host port setting can optionally be saved to a smartcard.
The new settings come into effect a few seconds after the command has
completed.
Authorization:  The HSM must be in the offline or secure state to run this command.
 If settings relating to Secure Host Communications (TLS) or Access
Control Lists are to be changed, the payShield 10K must be in Secure
state.
Inputs:  The options are menu driven and the inputs vary depending on the
communication mode selected. See examples below.
 Inputs specific to the FICON interface have the following definitions:
o Control Unit Image:

 Valid Range: 0-255; Default=0
 This is the actual control unit image defined in the
mainframe I/O gens.
o Unit Address:
 The unit address for this control unit.
o Missing Interrupt handler (mih) Minutes

 This specifies the missing interrupt handler value to be
used in the read device characteristics CCW for the
mainframe. If set to 0, the mainframe setting is used.
Outputs: None.
Notes:  To achieve maximum throughput on the HSM, the TCP/IP and FICON
interfaces need to be driven with multiple connections (or threads).
Optimum performance is normally achieved with 4 - 8 connections
(depending on the HSM performance model and the commands being
processed). Running with only a single thread can significantly reduce the
throughput of the HSM, and means that you will not be able to reach the
rated throughput for the machine.
 It is recommended that the Host Ethernet Ports, the Management Ethernet
Port, and the Auxiliary Ethernet Port are all on different IP subnets from each
other.
 Where dual Ethernet host ports are in use, 2 different IP addresses at the
Host computer must be used to drive the 2 ports on the HSM.
 The use of TLS v1.2 is supported on the payShield 10K:
o TLS traffic can be supported at the same time as non-TLS traffic.
o The specified number of connections are shared between TLS and
non-TLS traffic.

All Rights Reserved
o The HSM can be forced to accept only TLS traffic by setting the UDP
and TCP options to "N".
 For regular TCP communications (not protected by TLS), a Well-Known Port
Address is defined (default value 1500).
 For TLS communications, a Well-Known Port Address is defined (default
value 2500).
Errors: None.
Example 1: Ethernet interface
Secure> CH <Return>
Please make a selection. The current setting is in

parentheses.
Message header length [1-255] (4): <Return>
Disable host connections when no LMKs are installed? [Y/N]
(N): <Return>
Host interface [[E]thernet, [F]icon] (E): <Return>
Enter Well-Known-Port (1500): <Return>
Enter Well-Known-TLS-Port (2500): <Return>
UDP [Y/N] (Y): <Return>
TCP [Y/N] (Y): <Return>
Enable TLS [Y/N] (N): Y <Return>
ACL Enabled [Y/N] (N): Y <Return>
Number of connections [1-128] (5): <Return>
Enter TCP keep alive timeout [1-120 minutes] (120):
<Return>
Number of interfaces [1/2] (1): 2 <Return>
Interface Number 1:
IP Configuration Method? [D]HCP or [S]tatic (DHCP): S
<Return>
Enter IP Address (10.0.0.20): 10.0.0.20 <Return>
Enter subnet mask (255.255.255.0): <Return>
Enter Default Gateway Address (10.0.0.1): <Return>
Enter speed setting for this port:
SPEED OPTIONS:
0 Autoselect
1 10baseT full-duplex
Speed setting (0): 3 <Return>
Interface Number 2:
Enter IP Address (169.254.254.1): 10.0.0.21
Enter subnet mask (255.255.255.0):
Enter Default Gateway Address (169.254.254.1): 10.0.0.1
SPEED OPTIONS:
0 Autoselect

All Rights Reserved
Save HOST settings to smart card? [Y/N]: N <Return>
Secure>
Example 2: Ethernet interface
Secure> CH <Return>

parentheses.
(N): <Return>
UDP [Y/N] (Y): N <Return>
TCP [Y/N] (Y): N <Return>
Enable TLS [Y/N] (Y): Y <Return>
ACL Enabled [Y/N] (Y): N <Return>
<Return>
Number of interfaces [1/2] (2): 1 <Return>
Interface Number [1/2] (1): <Return>
Interface Number 1:
IP Configuration Method? [D]HCP or [S]tatic (static): D
<Return>
Network Name (S0000000001G-host1): HSM-Host-1 <Return>
SPEED OPTIONS:
0 Autoselect
Speed setting (3): <Return>
Secure>

All Rights Reserved
Example 3: Ethernet Interface.
Secure> CH <Return>

parentheses.
(N): <Return>
UDP [Y/N] (N): <Return>
TCP [Y/N] (N): <Return>
Enable TLS [Y/N] (Y): <Return>
ACL Enabled [Y/N] (N): <Return>
<Return>
Number of interfaces [1/2] (1): <Return>
Interface Number [1/2] (1): <Return>
Interface Number 1: <Return>

IP Configuration Method? [D]HCP or [S]tatic (static): D
<Return>
Network Name (HSM-Host-1): <Return>
SPEED OPTIONS:
0 Autoselect
Secure>
Example 4: FICON Interface
Secure> CH <Return>

parentheses.
(N): <Return>
Host interface [[E]thernet, [F]icon] (E): F <Return>
Control Unit Image [0-255] (5): <Return>
Unit address [0-255] (5): <Return>
Missing Interrupt Handler (mih) Minutes [0-60] (0):
<Return>
Secure>

All Rights Reserved

View Host Port Configuration (QH) Online  Offline  Secure 
Command: QH
Function: To display details of the Host port configuration of the HSM.
Inputs: None.
Outputs: For all systems:

 The message header length. This is the number of characters at the front
of each command from the Host to the HSM (after the STX character).
The HSM returns the message header in the response.
 Whether to disable the processing of host commands when no LMKs are
installed.
 The protocol used.
For an Ethernet system:

 The Well-Known Port. This is the publicized TCP Port address of the
HSM.
 The Well-Known TLS Port. This is the publicized TLS Port address of the
HSM.
 Transport method: TCP, UDP, TLS
 Number of TCP connections. Each host interface supports this number of
connections.
 The TCP Keep_Alive value: A number in minutes
 Whether ACLs are being used.
 The number of host interfaces configured
 The IP address for each host interface, and how they are derived. This is
the IP address of the HSM in the system.
 The Network name of the interface, if configured to DHCP
 Subnet mask for each host interface. This is the subnet mask of the
attached TCP/IP network. It is recommended that the Host Ethernet Ports,
the Management Ethernet Port, and the Auxiliary Ethernet Port are all on
different IP subnets from each other.
 The default gateway IP address
 The MAC Address for the interface
 The port speed for each host interface.
For a FICON system:

 Control Unit Image. This is the actual control unit image defined in the
mainframe I/O gens.
 Control Unit Address. The unit address for this control unit.
 Missing Interrupt Handler (mih). The missing interrupt handler value in
minutes to be used in the read device characteristics CCW for the
mainframe. If set to 0, the mainframe setting is used.
Errors: None.

All Rights Reserved
Example 1: In this example, Ethernet communications using TCP/IP and TLS are
selected – all types of traffic are allowed. The IP addresses are set up as
static, manually-entered addresses. Access Control Lists are to be used,
and will be set up using the CONFIGACL console command.
Online> QH <Return>
Message header length: 04

Disable host connections when no LMKs are installed: No
Protocol: Ethernet
Well-Known-Port: 01500
Well-Known-TLS-Port: 02500
Transport: UDP TCP TLS, 128 connections
TCP Keep_Alive value (minutes): 120 minutes
ACL: Enabled
Number of interfaces : (2)
Interface Number: 1
IP Configuration Method: static
IP address: 192.168.200.36
Subnet mask: 255.255.255.0
Default Gateway: 192.168.200.3
MAC address: 00:d0:fa:04:27:62
Port speed: 1000baseT full-duplex
Interface Number: 2
IP address: 192.168.202.110
Subnet mask: 255.255.255.0
Online>
Example 2: In this example, Ethernet communications using TCP/IP and TLS are
selected - but UDP, and unprotected TCP traffic is not allowed (i.e. all traffic
must be TLS protected). The IP address is set up as a dynamic address to
be obtained from a DHCP server. Access Control Lists are not being used.
Only one host port has been configured.
Online> QH <Return>

Protocol: Ethernet
Transport: TLS, 128 connections
TCP Keep_Alive value (minutes): 120 minutes
ACL: Disabled
Number of interfaces : (1)
Interface Number: 1
IP Configuration Method: DHCP
Network Name: HSM1-Host-1
IP address: 192.168.200.36
Subnet mask: 255.255.255.0
MAC address: 00:d0:fa:04:3b:4a

All Rights Reserved

Online>
Example 3: In this example, the host interface has been configured for FICON
communications
Online> QH <Return>

Protocol: FICON
Control Unit Image: 0
Control Unit Address: 0
Missing Interrupt Handler (mih): 0 minutes
Online>

All Rights Reserved

Host Port Access Control List (ACL) Online  Offline  Secure 
Configuration (CONFIGACL) Authorization: Not required
Command: CONFIGACL
Function: To display and amend the Access Control Lists (ACLs) for the HSM's host
ports. When ACL checking is enabled using the CH console command,
traffic from hosts is accepted only where the host's IP address is included in
one of the ACL entries set up using this command.

The HSM must be in Secure state.
Inputs:  The user can view/add/delete entries. Entries cannot be amended.

 Each of the 2 host ports has its own ACL set.
 Entries can be of the following types:
o A single IP address
o An IP address range
o An IP address mask
 Multiple types of entry can co-exist.
 Multiple entries of each type are allowed.
 The IP addresses in an entry can overlap with IP addresses in other
entries.
Outputs:  Confirmations and errors only.
Errors:  IP address formats are validated.
Notes:  This command sets up the IP addresses and ranges that will be used
when checking traffic against the ACL, but the use of ACLs must be
enabled in the CH console command before the ACLs configured in this
command are applied.
 If the CH console command enables ACL checking but no ACL entries
have been configured using CONFIGACL, then all host traffic will be
blocked.
 ACLs apply only to Ethernet (including TLS) host traffic. They have no
effect when FICON host communications are being used.

All Rights Reserved
Example 1: In this example, only one host interface has been configured in the CH
command. There are no existing ACL entries. The user sets up a single
address ACL entry, then adds a mask ACL entry, then adds a range ACL
entry, and finally deletes the single address ACL entry.
Secure> CONFIGACL <Return>
Access control list for Interface 1:

Single:
None
Range:
None
Mask:
None
Add/Delete/Quit [A/D/Q]: A <Return>
Type - Single/Range/Mask [S/R/M]: S <Return>
IP Address: 10.10.41.10 <Return>

Single:
1) 10.10.41.10
Range:
None
Mask:
None
Type - Single/Range/Mask [S/R/M]: M <Return>
Base IP Address: 10.10.40.0 <Return>
Mask: 255.255.255.0 <Return>

Single:
1) 10.10.41.10
Range:
None
Mask:
2) 10.10.40.0 to 10.10.40.255
(Mask:255.255.255.0)
Type - Single/Range/Mask [S/R/M]: R <Return>
From IP Address: 192.168.0.0 <Return>
To IP Address: 192.168.0.92 <Return>

Single:
1) 10.10.41.10
Range:
2) 192.168.0.0 to 192.168.0.92
Mask:

All Rights Reserved
3) 10.10.40.0 to 10.10.40.255
(Mask:255.255.255.0)
Add/Delete/Quit [A/D/Q]: D <Return>

Entry to delete [1/3]: 1 <Return>

Single:
None
Range:
1) 192.168.0.0 to 192.168.0.92
Mask:
2) 10.10.40.0 to 10.10.40.255
(Mask:255.255.255.0)
Add/Delete/Quit [A/D/Q]: Q <Return>
Secure>
Example 2: In this example, both host interfaces have been configured in the CH
command. The user simply views the existing ACL for host interface 2, and
then exits.
Secure> CONFIGACL <Return>
Interface 1: 10.10.100.216
Interface 2: 10.10.101.216
Select Interface [1/2]: 2 <Return>

Single:
1) 10.10.40.22
2) 10.10.40.23
3) 10.10.40.23
Range:
4) 10.10.40.200 to 10.10.40.220
Mask:
None
WARNING: Duplicate - Single: Entries 2 and 3
Add/Delete/Quit [A/D/Q]: Q <Return>
Secure>

All Rights Reserved

Configure Printer Port (CP) Online  Offline  Secure 
Command: CP
Function: To select and configure a connection to a printer attached to the HSM via a
USB port. The HSM is compatible with most printers via its USB interfaces:
 A serial printer may be connected using a USB-to-serial converter cable
available from Thales
 A parallel printer may be connected using a USB-to-parallel converter cable
available from Thales
The new settings come into effect immediately after the command has
completed.
Inputs:  CR/LF order (standard or reversed): Y or N

 Selected printer connection.
 Setup Parameters, dependent on printer type.
 Whether to print a test page.
Outputs:  Test page.
Errors:  Failed to print test page
Notes: A printer must be connected to the HSM before the CP command is invoked.

All Rights Reserved
Example 1: This example demonstrates the configuration of a printer attached to the HSM via a USB-to-
serial cable.
Offline> CP <Return>
Reverse the <LF><CR> order? [Y/N]: N <Return>
The following possible printer devices were found in the

system:
0. No printer
1. USB-Serial Controller by PrintCo located at Rear
USB Port
Your selection (ENTER for no change): 1 <Return>
You must configure the serial parameters for this device:
BAUD RATES
1. 1200
2. 2400
3. 4800
4. 9600 (current value)
5. 19200
6. 38400
7. 57600
8. 115200
Device baud rate (ENTER for no change): 8 <Return>
DATA BITS
1. 5
2. 6
3. 7
Device data bits (ENTER for no change): <Return>
STOP BITS
2. 2
Device stop bits (ENTER for no change): <Return>
PARITY
1. none (current value)
2. odd
3. even
Device parity (ENTER for no change): <Return>
Flow Control
1. none
2. software (current value)
3. hardware
Printer flow_ctl (ENTER for no change): <Return>
Printer Offline Control

1. none (current value)
2. RTS
3. DTR
Printer offline control (ENTER for no change): <Return>
Timeout [in milliseconds, min=1000, max=86400000]
(12000): <Return>
Delay [in milliseconds, min = 0, max=7200000] (0):
<Return>
Print test page? [Y/N]: Y <Return>

All Rights Reserved
Offline>
Example 2: This example demonstrates the configuration of a printer attached to the HSM via a USB-to-
parallel cable.

system:
No printer
IEEE-1284 Controller by PrintCo located at Rear USB Port
Timeout [in milliseconds, min=1000, max=86400000] (1000):
<Return>
<Return>
Print test page? [Y/N]: Y <Return>
Offline>
Example 3: This example demonstrates the configuration of a printer attached to the HSM via a native USB
cable.

system:
0. No printer
1. USB Printer by PrintCo located at Rear USB Port
Timeout [in milliseconds, min=1000, max=86400000] (1000):
<Return>
<Return>
Print test page? [Y/N]: N <Return>
Offline>

All Rights Reserved

View Printer Port Configuration (QP) Online  Offline  Secure 
Command: QP
Function: To display details of the HSM's printer configuration.
Inputs:  Print test page: Y or N
Outputs:  Reverse the <LF><CR> order: YES or NO.

 Validation of current printer configuration.
 The serial configuration settings (serial printer only).
Errors:  Failed to print test page
Example 1: This example demonstrates viewing the configuration of a printer attached to the HSM via a
USB-to-serial cable.
Online> QP <Return>
The configured printer, USB-Serial Controller by PrintCo

located at Rear USB Port, has been validated
BAUD RATE: 38400
DATA BITS: 8
STOP BITS: 1
PARITY: none
Flow Control: XON/XOFF
Offline Control: none
<LF><CR> order reversed: NO
Timeout: 12000 milliseconds
Delay: 0 milliseconds
Online>
USB-to-parallel cable.
Online> QP <Return>
The configured printer, IEEE-1284 Controller by PrintCo

located at Rear USB Port, has been validated.
Online>
native USB cable.
Online> QP <Return>
The configured printer, USB Printer by PrintCo located at

Rear USB Port, has been validated

All Rights Reserved
Online>

All Rights Reserved

Configure Management Port (CM) Online  Offline  Secure 
Command: CM
Function: To configure the Management port, which is an Ethernet port used only for
management of the HSM. If connection to the host is via Ethernet then the
Ethernet host port is used for that purpose. The Management Ethernet port is
used to update the HSM's internal software, updating licensing information,
and for enabling management of a HSM via the payShield Manager.
completed.
It is recommended that the Host Ethernet Ports, the Management Ethernet
other.
Authorization: The HSM must be in the offline or secure state to run this command.
Inputs:  Whether IP address is manually or automatically derived.

o If manually derived, then the address details must be entered.
o If using DHCP, then a network name may be entered.
 Ethernet speed setting.
 Enable (local or remote) payShield Manager connection?
Outputs: None.
Errors: None.
Example 1: In this example, the management port has its IP address set up manually.
Offline> CM <Return>
Management Ethernet Interface:

<Return>
Enter IP address (192.168.100.200): 192.168.200.90
<Return>
SPEED OPTIONS:
0 Autoselect
1 10BaseT half-duplex
2 10BaseT full-duplex
3 100BaseTX half-duplex
4 100BaseTX full-duplex
Enable payShield Manager connection:

Enable or Disabled? (E): D <Return>
Changing the IP address, Network name, or method requires
that the Management TLS certificate is regenerated.

All Rights Reserved
Continuing will cause the

certificate to be regenerated under the Customer Trust
Authority. If you
require an externally signed Management TLS certificate
you will need to regenerate a CSR, have it signed and
imported.
Do you wish to proceed? [Y/N]: Y <Return>
Would you like to apply the changes now? [Y/N]: Y

<Return>
Offline>
Example 2: In this example, the management port has its IP address set up automatically
by a DHCP server.
Secure> CM <Return>

IP Configuration Method? [D]HCP or [S]tatic (DHCP):
<Return>
Network Name (B4665271226O-mgmt): HSM-Mngmnt <Return>
SPEED OPTIONS:
0 Autoselect
Enable payShield Manager connection:

Enable or Disabled? (E): <Return>

<Return>
Secure>

All Rights Reserved

View Management Port Configuration Online  Offline  Secure 
(QM) Authorization: Not required
Command: QM
Function: To display details of the Management port parameters.
Inputs: None.
Outputs:  IP configuration method

 Network name (if configuration method is DHCP)
 IP address.
 Subnet mask.
 Default gateway.
 MAC address.
 Enable (local or remote) payShield Manager connection?
Errors: None.
Example 1: In this example, the management port has its IP address set up manually.
Online> QM <Return>

IP address: 192.168.200.90
Subnet mask: 255.255.255.0
payShield Manager connection: Disabled
Online>
Example 2: In this example, the management port has its IP address set up automatically
by a DHCP server.
Online> QM <Return>

Network Name: HSM-Mngmnt
IP address: 192.168.1.3
Subnet mask: 255.255.255.0
Port speed: 100baseTX full-duplex
payShield Manager connection: Enabled
Online>

All Rights Reserved

Configure Auxiliary Port (CA) Online  Offline  Secure 
Command: CA
Function: To configure the Auxiliary port, which is an Ethernet port currently used only
for transmission of SNMP traffic from the HSM.
completed.
It is recommended that the Host Ethernet Ports, the Management Ethernet
other.
Inputs:  Whether IP address is manually or automatically derived.

o If manually derived, then the address details must be entered.
o If using DHCP, then a network name may be entered.
Outputs: None.
Errors: None.
Example 1: In this example, the auxiliary port has its IP address set up manually.
Offline> CA <Return>
Auxiliary Ethernet Interface:

<Return>
Enter IP address (192.168.300.200): 192.168.300.90
<Return>
SPEED OPTIONS:
0 Autoselect

<Return>
Offline>

All Rights Reserved
Example 2: In this example, the auxiliary port has its IP address set up automatically by a
DHCP server.
Secure> CA <Return>

IP Configuration Method? [D]HCP or [S]tatic (DHCP):
<Return>
Network Name (B4665271226O-Aux): HSM-Aux <Return>
SPEED OPTIONS:
0 Autoselect

<Return>
Secure>

All Rights Reserved

View Auxiliary Port Configuration (QA) Online  Offline  Secure 
Command: QA
Function: To display details of the Auxiliary port parameters.
Inputs: None.
Outputs:  IP address.
 Network name, if DHCP configured.
 Subnet mask.
 Default gateway.
 MAC address.
Errors: None.
Example 1: In this example, the auxiliary port has its IP address set up manually.
Online> QA <Return>

IP address: 192.168.300.90
Subnet mask: 255.255.255.0
Port speed: Ethernet 1000baseT full-duplex
Online>
Example 2: In this example, the auxiliary port has its IP address set up automatically by a
DHCP server.
Online> QA <Return>

Network Name: HSM-Aux
IP address: 192.168.1.3
Subnet mask: 255.255.255.0
Port speed: 100baseTX full-duplex
Online>

All Rights Reserved

Configure Alarms (CL) Online  Offline  Secure 
Command: CL
Function: To enable or disable the motion alarm. The temperature alarm is permanently
enabled. The HSM alarm circuitry typically needs to be turned off if the HSM
is to be moved. The alarm should be turned on while the HSM is in service or
being stored. The alarm setting can optionally be saved to a smartcard.
Inputs:  Motion alarm status: Low, Medium, High or Off.

 Save settings to smartcard: Yes or No.
Outputs: None.
Errors:  Card not formatted to save/retrieve HSM settings.

Attempt with another card? [Y/N]
Example 1: In this example, the setting is being made to a less secure setting.
Secure> CL <Return>

parentheses.
Motion alarm [Low/Med/High/OFF] (MED): F <Return>
LMKs must be erased before proceeding.
Erase LMKs?? [Y/N]: Y<Return>
Save ALARM settings to smart card? [Y/N]: N <Return>
Secure>
Example 2: In this example, the setting is being made to a more secure setting.
Secure> CL <Return>

parentheses.
Motion alarm [Low/Med/High/OFF] (OFF): H <Return>
Save ALARM settings to smart card? [Y/N]: N <Return>
Secure>

All Rights Reserved

View Alarm Configuration (QL) Online  Offline  Secure 
Command: QL
Function: To display details of the alarm configuration of the HSM.
Inputs: None.
Outputs:  The Motion alarm status.
Errors: None.
Example: Online> QL <Return>
Motion alarm enabled high sensitivity
Online>

All Rights Reserved

View/Change Instantaneous Utilization Online  Offline  Secure 
Period (UTILCFG) Authorization: Not required
Command: UTILCFG
Function: To display the current setting of the period over which utilization statistics is to
be collected when Instantaneous Utilization Data is requested. This command
also allows the setting to be amended (in Offline/Secure states only).
Authorization: The HSM does not require any authorization to run this command.
Inputs: Amended value for Instantaneous Utilization Period. (It is suggested that the
period should not be set to less than 10 seconds, as data collected over very
short periods will not be indicative of actual activity.)
Outputs: Text messages as in example below.

Note that resetting of the value requires the HSM to be in Offline or Secure
state.
Example: Online> UTILCFG <Return>
Measurement period for instantaneous statistics is 60

seconds
Online>
Offline> UTILCFG <Return>
Measurement period for instantaneous statistics is 60

seconds
Change? [Y/N]: Y <Return>

Enter new value in seconds (1-60): 10 <Return>
Offline>

All Rights Reserved

Suspend/Resume Collection of Online  Offline  Secure 
Utilization Data (UTILENABLE) Authorization: Not required
Command: UTILENABLE
Function: To suspend or resume the collection of Utilization Data and the incrementing
of the count of seconds over which the data is being collected. This allows
data collection to be suspended if, for example, the HSM is taken out of
service or temporarily re-purposed. It ensures that cps rates are not diluted by
averaging command volumes over the total elapsed time, but only over the
time that data is being collected
Inputs: Whether to change the current state.
Notes: Following a software load, collection of Utilization Data will be suspended.

Data collection is automatically suspended while the HSM is not online.
Example: Offline> UTILENABLE <Return>
Utilization statistics gathering is currently turned ON.

Suspend? [Y/N] Y <Return>
Offline> UTILENABLE <Return>
Utilization statistics gathering is currently turned OFF.

Resume? [Y/N] Y <Return>
Offline>

All Rights Reserved

Suspend/Resume Collection of Health Online  Offline  Secure 
Check Counts (HEALTHENABLE) Authorization: Not required
Command: HEALTHENABLE
Function: To suspend or resume the collection of Health Check counts. This allows
data collection to be suspended if, for example, data is not required.
Inputs: Whether to change the current state.
Notes: Following a software load, collection of Health Check counts will be

suspended.
Example: Offline> HEALTHENABLE <Return>
Health check statistics gathering is currently turned

ON.
Suspend? [Y/N] Y <Return>
Offline> HEALTHENABLE <Return>
Health check statistics gathering is currently turned

OFF.
Resume? [Y/N] Y <Return>
Offline>

All Rights Reserved

View SNMP Settings (SNMP) Online  Offline  Secure 
Command: SNMP
Function: To display the current SNMP settings, and to enable/disable provision of

Utilization and Health Check data via SNMP.
Inputs:  Whether to Enable/Disable provision of Utilization and Health Check data

via SNMP.
 Which Ethernet port to use for SNMP traffic.
Notes: The HSM is delivered with no Users set up.
Example: Secure> SNMP <Return>
V3 Users:
None
SNMP is currently disabled
Enable? [Y/N]: Y <Return>
0. Management Port
1. Auxiliary Port
SNMP port [0-1] (ENTER for no change): 0 <Return>

sysName (Less than 256 characters)(payShield 10K):
<Return>
sysDescr (Less than 256 characters)(Thales payShield
10K): <Return>
sysLocation (Less than 256 characters)(USA): <Return>
sysContact (Less than 256 characters)(Thales Support):
<Return>
Save new MIB-2 system settings? [Y/N]: Y <Return>
SNMP MIB-2 system updated
Secure>

All Rights Reserved

Add an SNMP User (SNMPADD) Online  Offline  Secure 
Command: SNMPADD
Function: Add an SNMP User (for SNMP version 3).
Authorization:  The HSM does not require any authorization to run this command.
 The HSM must be in Secure state.
Inputs:  The SNMP user name,

 Authentication algorithm,
 Privacy algorithm.
Example: Secure> SNMPADD <Return>
Enter user name (Less than 20 characters): SHADES

<Return>
Authentication algorithm [[N]one, [M]D5, [S]HA]: S
<Return>
Enter authentication password (>= 8 and < 20 characters):
Password1 <Return>
Privacy algorithm [[N]one, [D]ES, [A]ES]: A <Return>
Enter privacy password (>= 8 and < 20 characters):
Password2 <Return>
The following entry will be added to the table:
'createUser shades SHA AES'.
User added successfully
Enter additional users? [Y/N]: N <Return>
Save and exit? [Y/N]: Y <Return>
SNMP configuration updated
Secure>

All Rights Reserved

Delete an SNMP User (SNMPDEL) Online  Offline  Secure 
Command: SNMPDEL
Function: Delete an SNMP User.
Authorization:  The HSM does not require any authorization to run this command.
 The HSM must be in Secure state.
Inputs: The index of the user to be deleted.
Example: Secure> SNMPDEL <Return>
SNMP user table:

0: User=public, Authentication=none, Privacy=none
1: User=shades, Authentication=SHA, Privacy=DES
2: User=none, Authentication=none, Privacy=none
3: User=md5, Authentication=MD5, Privacy=none
Select user to delete [0-3]: 1 <Return>
User ‘shades’ deleted successfully
Remove additional users? [Y/N]: N <Return>
Secure>

All Rights Reserved

Configure SNMP Traps (TRAP) Online  Offline  Secure 
Command: TRAP
Function: To display the current SNMP Trap configuration and to enable/disable

individual SNMP Traps.
Inputs: Whether to Enable/Disable individual trap configurations.
Outputs: Text messages as in the example below.
Notes: The HSM is delivered with no SNMP Traps configured.
Example 1: Offline> TRAP <Return>
Trap table is empty, no SNMP traps are configured.
Enable? [Y/N]: Y <Return>
Offline>
Example 2: Offline> TRAP <Return>
Entry IP Address:Port User name

1 192.168.100.133:162 User1
Disable? [Y/N]: N <Return>
Offline>

All Rights Reserved

Add a new SNMP Trap (TRAPADD) Online  Offline  Secure 
Command: TRAPADD
Function: Add an SNMP Trap.

 The HSM must be in the Secure state.
Inputs: Trap configuration data & confirmation.
Errors: User table is empty; please add a V3 user first

Failed to add trap destination
Notes: The HSM is delivered with no SNMP traps configured.
Example 1: Secure> TRAPADD <Return>
Enter IP Address: 192.168.100.133 <Return>

Enter Port (162): <Return>
SNMP user table:
0: User=User1, Authentication=SHA, Privacy=DES
Select user [0-0]: 0 <Return>
The following entry will be added to the table:

'192.168.100.133:162, User1'.
Trap destination added successfully
Configure additional traps? [Y/N]: N <Return>
Secure>

All Rights Reserved

Delete an SNMP Trap (TRAPDEL) Online  Offline  Secure 
Command: TRAPDEL
Function: Delete an SNMP Trap.

 The HSM must be in the Secure state.
Inputs: Confirmation of deletion.
Errors: Trap table is empty; nothing to delete

Failed to delete trap destination.
Notes: The HSM is delivered with no SNMP traps configured.
Example: Secure> TRAPDEL <Return>
SNMP Trap table:

0: Address=192.168.100.133, Port=162, User=User1
Select trap to delete [0-0]: 0 <Return>
Trap destination deleted successfully
Delete additional traps? [Y/N]: N <Return>
Secure>

All Rights Reserved

MAC addresses of all network Online  Offline Secure 
interfaces (QMAC) Authorization: Not required
Command: QMAC
Function: Obtain MAC addresses of all the network interfaces.
Inputs: Addresses of network interfaces are displayed.
Outputs: List of MAC addresses as in example below.
Example: Secure> QMAC <Return>
MAC addresses of network interfaces:
Host 1: 3c:fd:fe:ee:62:b0
Host 2: 3c:fd:fe:ee:62:b1
Management: 3c:fd:fe:ee:62:b2
Auxiliary: 3c:fd:fe:ee:62:b3
Secure>

All Rights Reserved
5 Fraud Detection Commands

The payShield 10K provides the following commands to support fraud detection operations:

Configure Fraud Detection (A5) 73
Re-enable PIN Verification (A7) 75

All Rights Reserved

Configure Fraud Detection (A5)
Online  Offline  Secure 
Authorization: May be required
Activity: audit.console
Command: A5
Function: To set the configuration of the HSM fraud detection function.
Authorization: If the Fraud Detection settings are to be edited, the HSM must be:
 in the offline or secure state to run this command, and
 either in the Authorized State, or the activity audit.console must be
authorized, using the Authorizing Officer cards of the Management
LMK.
Inputs:  Whether and how to respond to Fraud Detection

 Limit on number of PIN verification failures per minute.
 Limit on number of PIN verification failures per hour.
 Limit on number of PIN attacks detected.
Outputs: None.
Errors:  Not Authorized - the HSM is not authorized to perform this operation.
 Invalid Entry - the value entered is invalid.
Notes:  If any of the limits set by this command are exceeded, an entry will be
made in the Audit Log, and console command A7 must be used to re-
enable PIN verification.
 Setting the HSM reaction to Logging only and the limits to zero will
result in Fraud Detection not being recorded in the Health Check data.
(The term "Logging" as used in the screen prompt refers to logging in
the Health Check data, not in the Audit Log.)

All Rights Reserved
Example: Offline-AUTH> A5 <Return>
HSM reaction to Exceeding Fraud Limits is : ON
The following limits are set:

PIN verification failures per minute : 100
PIN verification failures per hour : 1000
PIN Attack Limit : 100
HSM reaction to Exceeding Fraud Limits? ([O]n/[L]ogging

only): L <Return>
Note that logging is supported only if enabled via the

HEALTHENABLE console command (or its payShield Manager
equivalent)
Enter limit on PIN verification failures per minute: 200

<Return>
Enter limit on PIN verification failures per hour: 2000
<Return>
Enter PIN Attack Limit: 200 <Return>
Offline-AUTH>

All Rights Reserved

Re-enable PIN Verification (A7) Online  Offline  Secure 
Authorization: Required
Command: A7
Function: To reset the configuration of the HSM fraud detection function.
Authorization: The HSM must be in the offline state to run this command. The HSM must be
either in the Authorized State, or the activity audit.console must be
authorized, using the Authorizing Officer cards of the Management LMK.
Inputs: None.
Outputs: None.
Errors:  Not Authorized - the HSM is not authorized to perform this operation.
 Command only allowed from offline.
 PIN Verification is not currently disabled

PIN verification has been re-enabled
Offline-AUTH>

All Rights Reserved
6 Diagnostic Commands
The payShield 10K provides the following console commands to support diagnostic operations:

Diagnostic Test (DT) 77
View Software Revision Number (VR) 81
View Available Commands (GETCMDS) 84
Show Network Statistics (NETSTAT) 86
Test TCP/IP Network (PING) 89
Trace TCP/IP route (TRACERT) 90
View/Reset Utilization Data (UTILSTATS) 92
View/Reset Health Check Counts (HEALTHSTATS) 94
Check the FICON Host Interface (FICONTEST) 95

All Rights Reserved

Diagnostic Test (DT) Online  Offline  Secure 
Command: DT
Function: To perform diagnostic tests.

The DT command tests the following parts of the HSM:
 Battery voltage level
 Various cryptographic algorithms (DES, AES, RSA, SHA-1, etc.)
 Working memory areas
 Power Supplies
 Random Number Generator
 Real-time clock
 Smartcard reader
 Operating temperature
 Operating fan speeds
 Operating voltages
The command also initiates the Health Check Status report.
Authorization: The HSM does not require any authorization for this command.
Inputs: Optional qualifiers to modify scope and detail of output. Options are:
all run all the commands (default option)
verbose be verbose in the output
battery run the battery diagnostics
des run the DES diagnostics
health run the health check diagnostics
aes run the AES KAT
ecdsa run the ECDSA KAT
md5 run the MD5 KAT
mem run the memory diagnostics
psu run the power supply diagnostics
rng run the random number generator diagnostics
rsa run the RSA KAT
rtc run the real-time clock diagnostics
scr run the smart card reader diagnostics
sha run the SHA KAT
temp run the temperature diagnostics
fans run the fans diagnostics
volt run the voltage diagnostics
Note that the multiple options can be combined (e.g." dt temp verbose"; "dt
volt rsa")
Note that whilst the command code ("dt") is not case sensitive, the options
listed above are.
Outputs: Status report on each item.
Errors: None.

All Rights Reserved
Notes:  The diagnostics are run automatically on a daily basis at the time specified
using the ST Console command.
Example 1: Secure> DT <Return>
Battery: OK
AES: OK
DES: OK
ECDSA: OK
HMAC: OK
MD5: OK
Memory: OK
Power Supply: OK
RNG: OK
RSA: OK
Real-Time Clock: OK
SHA: OK
SCR: OK
Temperature: OK
Fans: OK
Voltages: OK
Health Check Status
TCP Server: Up
UDP Server: Up
FICON Server: Not Enabled
Local/Remote Manager Server: Up
Host Ethernet Link 1: Up
Host FICON Link: Not Enabled
Unit Tampered?: No
Fraud limits exceeded?: No
PIN attack limit exceeded?: No
Diagnostics complete
Offline>

All Rights Reserved
Example 2: Online> DT verbose <Return>
Battery: OK
Voltage: 3500 mV
HSM will enter tamper state if voltage drops below
2500 mV
Running AES Known Answer Test

PASSED AES Known Answer Tests (including OpenSSL AES-
GCM)
AES: OK
Running DES Known Answer Test

PASSED DES Known Answer Test
DES: OK
Running ECDSA Known Answer Tests

PASSED ECDSA Known Answer Tests (Cryptodev ECDSA,
OpenSSL ECDSA, OpenSSL ECDHC)
ECDSA: OK
Running HMAC Known Answer Tests

PASSED HMAC Known Answer Tests (HMAC-SHA1, HMAC-SHA1
(multi-part), OpenSSL HMAC-SHA256)
HMAC: OK
Running MD5 Known Answer Test

PASSED MD5 Known Answer Test
MD5: OK
Running Memory Test

PASSED Memory Test
Memory: OK
Power Supply: OK
Running RNG self-tests (Attempt: 1)

PASSED RNG self-tests
RNG: OK
Running RSA Known Answer Test

PASSED RSA Known Answer Test
RSA: OK
Real-Time Clock: OK
Current Time: Wed Jun 15 16:00:59 2022
Running SHA Known Answer Test

PASSED SHA Known Answer Test
SHA: OK
SCR: OK
Temperature: OK
MSP : 33.1C 91.6F (Min=30.0C 86.0F

Max=35.1C 95.2F)
MP 1 : 56.2C 133.2F (Min=46.0C 114.8F
Max=61.6C 142.9F)
MP 2 : 56.2C 133.2F (Min=46.3C 115.3F
Max=62.9C 145.2F)
Crypto : 41.0C 105.8F (Min=37.1C 98.8F
Max=42.8C 109.0F)
Sensor 1 : 43.9C 111.0F (Min=42.1C 42.1F

All Rights Reserved
Max=46.3C 115.3F)
Sensor 2 : 38.6C 101.5F (Min=36.6C 97.9F
Max=40.4C 104.7F)
Sensor 3 : 35.2C 95.4F (Min=33.1C 91.6F
Max=36.6C 36.6F)
Fans: OK
Fan 1: 8000 RPM (target: 8000 RPM)
Fan 2: 7868 RPM (target: 8000 RPM)
Voltages: OK
V12 : 11.46 (Min=11.43 Max=11.48)

V5 : 5.052 (Min=5.032 Max=5.067)
MP Core : 1.028 (Min=1.016 Max=1.038)
Crypto Core : 1.053 (Min=1.052 Max=1.060)
Battery : 3.595 (Min=3.593 Max=3.599)
Health Check Status
TCP Server: Up
UDP Server: Up
FICON Server: Not Enabled
Local/Remote Manager Server: Up
Host FICON Link: Not Enabled
Unit Tampered?: No
Fraud limits exceeded?: No
PIN attack limit exceeded?: No
Diagnostics complete
Online>

All Rights Reserved

View Software Revision Number (VR) Online  Offline  Secure 
Command: VR
Function: To display details of the software release number, revision number and build
number.
Inputs: None.
Outputs: Software revision numbers, serial numbers, license details and FIPS algorithm
information.
Errors: None.
Notes: The software revision reported by the VR command will have one of the following
forms:
 xxxx-10xx – this indicates that this software has been PCI HSM certified
and that the appropriate security settings have been set (e.g. by using the
CS Console command) to the required values.
 xxxx-00xx – this indicates that either:
o this version of software is not PCI HSM certified, or
o this version of software is PCI HSM certified but one or more of the
appropriate security settings have not been set (e.g. by using the
CS Console command) to the required values.

All Rights Reserved
Example: Software which has not been configured to be PCI HSM compliant.
Secure>vr
Base Release: 1.7a

Revision: 1500-0033
Firmware Version: 1.11.0
Deployment Version: 1.11.0
PCI HSM Compliance:

Some security settings are not PCI HSM compliant
Serial Number: S0246377307Q

Model: PS10-S (971-700035-001)
Power supply #1:

Model number : D1U54P-W-450-12-HA4C
Serial number: XQ1933RG1312
Power supply #2:
Model number : D1U54P-W-450-12-HA4C
Serial number: XQ1933RG2060
Fan #1:
Serial number: FM01441900758
Fan #2:
Serial number: FM01441900757
Unit info: Licensed
Host Configuration: Ethernet,(optional) TLS/SSL

License Issue No: 1
Performance: 2500 cps
Ship Counter: 1
Crypto: 3DES,AES,RSA,ECC
Press "Enter" to view additional information...
Premium Package:
- Premium Key Management
- Magnetic Stripe Issuing
- Magnetic Stripe Transaction Processing
- EMV Chip, Contactless & Mobile Issuing
- EMV Transaction Processing
- User Authentication
- Data Protection
Optional Licenses:
- Legacy Commands
- LMKx20
- Remote payShield Manager
- Visa DSP
Bootstrap Version: 1.1.40

Sensor Processor Application: 1.1.29
Sensor Processor Boot Version: 1.0.0
CPLD Version: 1.2.3
PCI HW Rev: 01

All Rights Reserved
FIPS validated algorithms:

Algorithm Name and Version FIPS Status
--------- ---------------- -----------
DRBG/RNG TASP-DRBG v1.1 Approved
SHA TASP-SHA v1.0 Approved
HMAC TASP-HMAC v1.0 Approved
TDES TASP-TDES v1.0 Approved
AES TASP-AES v1.0 Approved
CMAC TASP-CMAC v1.0 Approved
RSA TASP-RSA v1.0 Approved
AES TASP-AES v1.0 Approved
TDES TASP-TDES v1.0 Approved
ECC TASP-ECC v1.0 Approved
Secure>

All Rights Reserved

View Available Commands (GETCMDS) Online  Offline  Secure 
Command: GETCMDS
Function: To display a list of enabled host and console commands. Commands listed in the
output are licensed AND enabled. Commands omitted from the output are either not
licensed, or not enabled. Console command CONFIGCMDS can be used to
enable/disable individual commands.
GETCMDS can optionally generate a hash (message digest) over the set of enabled
commands, thus providing a simple mechanism to verify that two (or more) HSMs
have the same set of commands enabled.
Note: Some of the commands listed may require additional license options enabled.
Inputs: [-hl]
Switch Description
<blank> Display a list of all host & console commands that are
implemented AND licensed AND enabled.
-h Display a hash of the host & console commands that are
implemented AND licensed AND enabled.
(The hash is affected by enabling/disabling commands using
the CONFIGCMDS console command.)
-l Display a list of all host & console commands that are
implemented AND licensed.
(This list is not affected by enabling/disabling commands using
the CONFIGCMDS console command.)
Outputs: A list of available HSM commands (depending on options) or a hash value.
Errors: None.

All Rights Reserved
Example: Online> GETCMDS -h –l <Return>
List of available Host commands:
A0 A2 A4 A6 A8 AA AC AE AG AI AK AM AO AQ AS
AU AW AY B0 B2 B8 BA BC BE BG BI BK BM BQ BS
BU BW BY C0 C2 C4 C6 C8 CA CC CE CG CI CK CM
CO CQ CS CU CW CY D0 D2 D4 D6 D8 DA DC DE DG
DI DK DM DO DQ DS DU DW DY E0 E2 E4 E6 E8 EA
EC EE EG EI EK EM EO EQ ES EU EW EY F0 F2 F4
F6 F8 FA FC FE FG FI FK FM FO FQ FS FU FW FY
G0 G2 G4 G6 G8 GA GC GE GG GI GK GM GO GQ GS
GU GW GY H0 H2 H4 H6 H8 HA HC HE HG HI HK HM
HO HQ HS HU HW HY I0 I2 I4 I6 I8 IA IC IE IG
II IK IM IO IQ IU IW IY J0 J2 J4 J6 J8 JA JC
JE JG JI JK JO JS JU JW JY K0 K2 K8 KA KC KE
KG KI KK KM KO KQ KS KU KW KY L0 L2 L4 L6 L8
LA LC LE LG LI LK LM LO LQ LS LU LW LY M0 M2
M4 M6 M8 MA MC ME MG MI MK MM MO MQ MS MU MW
MY N0 NC NE NG NI NK NO NY OA OC OE OI OK OU
OW P0 P2 P4 P6 P8 PA PC PE PG PI PK PM PO PQ
PS PU PW PY Q0 Q2 Q4 Q6 Q8 QA QC QE QI QK QM
QO QQ QS QU QW QY R2 R4 R6 R8 RA RC RE RG RI
RK RM RO RQ RS RU RW RY SY T0 T2 T4 T6 TA U0
U2 U4 U6 U8 V0 V2 V4 V6 V8 W0 W2 W4 W6 W8 X0
X2 X4 X6 X8 XK XM XO XQ XS XU XW Y0 Y2 Y4 Y6
Y8 Z0 ZA ZE ZK ZM ZU
List of available Console commands:
A A5 A6 A7 AUDITLOG AUDITOPTIONS
C CA CH CK CL CLEARERR
CLEARAUDIT CM CO CONFIGACL CONFIGCMDS
CONFIGPB
CP CS CV DC DM DO
DT EC ED EJECT ERRLOG FC
FK GC GETCMDS GETTIME GK GS
GT HEALTHENABLE HEALTHSTATS IK IV KD
KE KG KK KM KN KT
LK LO LN MI N NP
NETSTAT PING PV QA QH QL
QM QP QS R RC RESET
RS SD SE SETTIME SG SI
SK SL SP SNMP SNMPADD SNMPDEL
SS ST SV T TD TRAP
TRAPADD TRAPDEL TRACERT UPLOAD UTILCFG UTILENABLE
UTILSTATS V VA VC VR VT
XA XD XE XH XI XK
XR XT XX XY XZ $
Host/Console Command Hash Value: cf7e8a

All Rights Reserved

Show Network Statistics (NETSTAT) Online  Offline  Secure 
Command: NETSTAT
Function: The HSM records details about network activity on both its Management and Host
Ethernet ports for diagnostic and security purposes. As a diagnostic aid, it can
provide useful information when configuring the unit. If reviewed periodically, it can
also provide evidence of unexpected network activity, which may require further
investigation.
The HSM collects information about each 'endpoint' that communicates with it. The
information recorded will depend on the particular protocol that was used to send the
packet.
Inputs: Syntax:
netstat [-vWeenNcCF] [<Af>] –r
netstat {-V|--version|-h|--help}
netstat [-vWnNcaeol] [<Socket> ...]
netstat { [-vWeenNac] -i | [-cWnNe] -M | -s }
Options:
-r, --route display routing table
-i, --interfaces display interface table

-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-W, --wide don't truncate IP addresses
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers

All Rights Reserved
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
-Z, --context display SELinux security context for sockets
Outputs: Text messages as appropriate.
The reported state can have the following values:
ESTABLISHED
The socket has an established connection.
SYN_SENT
The socket is actively attempting to establish a connection.
SYN_RECV
A connection request has been received from the network.
FIN_WAIT1
The socket is closed, and the connection is shutting down.
FIN_WAIT2
Connection is closed, and the socket is waiting for a shutdown from the
remote end.
TIME_WAIT
The socket is waiting after close to handle packets still in the network.
CLOSED
The socket is not being used.
CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.
LAST_ACK
The remote end has shut down, and the socket is closed. Waiting for
acknowledgement.
LISTEN
The socket is listening for incoming connections.
CLOSING
Both sockets are shut down but we still don't have all our data sent.
UNKNOWN
The state of the socket is unknown

All Rights Reserved
Example: Offline> NETSTAT <Return>
Available Ethernet Interfaces:

Management Interface : 192.168.220.116
Auxiliary Interface : 169.254.254.1
Host Interface 1 : 192.168.220.16
Host Interface 2 : 192.168.192.149
Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 236 192.168.220.116:ssh 193.240.102.135:49921
ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 40 [ ] DGRAM 2925 /dev/log
unix 2 [ ] DGRAM 1735
unix 3 [ ] STREAM CONNECTED 143125
/var/ipc/agentx
Offline>

All Rights Reserved

Test TCP/IP Network (PING) Online  Offline  Secure 
Command: PING
Function: To test the specified network node, and the route to it.
Inputs: Syntax:
ping [-q] [-c count] [-I interface] [-p pattern]
[-s packetsize] [-t ttl] [-w maxwait] host
Options:
-c count Stop after sending (and receiving) this many
ECHO_RESPONSE packets.
-I interface The interface that PING is to be sent from.
interface Value HSM Port
h1 Host Port #1
h2 Host Port #2
m Management Port (default)
-p pattern Fill out the packet with this many "padding" bytes
(maximum is 16). You should find this useful for
diagnosing data-dependent problems in a network. For
example, -p ff causes the sent packet to be filled with
ones.
-q Be quiet: display nothing except for the summary lines at
start-up time and when finished.
-s packetsize Send this many data bytes. The default is 56, which
translates into 64 ICMP data bytes when combined with
the 8 bytes of ICMP header data.
-t ttl Use the specified time-to-live. It represents how many
hops the packet can go through before being discarded
(when it reaches 0). The default is 255.
-w maxwait Specify a timeout, in seconds, before ping exits
regardless of how many packets have been sent or
received.
Example: Offline> PING –I h1 192.168.100.123 <Return>
PING 192.168.100.123 (192.168.100.123): 56 data bytes

64 bytes from 192.168.100.123: seq=0 ttl=32 time=16 ms
Offline>

All Rights Reserved

Trace TCP/IP route (TRACERT) Online  Offline  Secure 
Command: TRACERT
Function: To view the path taken from the HSM to the specified address.
Inputs: Syntax:
tracert [-dFlInr] [-f first_ttl]
[-g gateway] [-i interface] [-m max_ttl] [-p port]
[-q nqueries] [-s src_addr] [-t tos] [-w wait_time]
host [packetsize]
Options:
-d Turn on socket-level debugging.
-F Set the "don't fragment" bit.
-f first_ttl Set the initial time-to-live used in the first outgoing
probe packet.
-g gateway Specify a loose source route gateway (8 maximum).
-I Use ICMP ECHO instead of UDP datagrams.
-i interface interface Value HSM Port
h1 Host Port #1
h2 Host Port #2
m Management Port
(default)
-l Display the TTL (time-to-live) value of the returned

packet. This is useful for checking for asymmetric
("el") routing.
-m max_ttl Set the maximum TTL (maximum number of hops)
used in outgoing probe packets. The default is 30 hops
(the same default as is used for TCP connections).
-n Print hop addresses numerically only. By default,
addresses are printed both symbolically and
numerically. This option saves a nameserver address-
to-name lookup for each gateway found on the path.
-p port The base UDP port number to be used in probes
(default is 33434). The tracert utility hopes that nothing
is listening on UDP ports base to base + nhops -1 at
the destination host (so an ICMP
PORT_UNREACHABLE message is returned to
terminate the route tracing). If something is listening on
a port in the default range, you can use this option to
pick an unused port range.
-q nqueries The number of probes per ttl to nqueries (default is
three probes).
-r Bypass the normal routing tables and send directly to a
host on an attached network. If the host isn't on a
directly attached network, an error is returned. You can
use this option to "ping" a local host through an

All Rights Reserved
interface that has no route through it (for example,

after the interface was dropped by routed).
-s src_addr The IP address (must be given as an IP number, not a
hostname) to be used as the source address in
outgoing probe packets. If the host has more than one
IP address, you can use this option to force the source
address to be something other than the IP address of
the interface that the probe packet is sent on. If the IP
address you specify isn't one of this machine's
interface addresses, an error is returned and nothing is
sent.
-t tos The type-of-service (TOS) to be used in probe packets
(default is zero). The value must be a decimal integer
in the range 0 to 255. You can use this option to see if
different TOSs result in different paths.
Not all TOS values are legal or meaningful. You should
find the values -t 16 (low delay) and -t 8 (high
throughput) useful.
-w wait_time The time (in seconds) to wait for a response to a probe

(default is 5).
host The destination hostname or IP number.
packetsize The probe datagram length (default is 40 bytes).
Example: Offline> TRACERT -I h1 –g 10.10.10.1 10.10.11.2

<Return>
traceroute to 10.10.11.2 (10.10.11.2), 64 hops max, 40

byte packets
10.10.10.1 (10.10.10.1) 5.000 ms 7.000 ms 5.000 ms
10.10.11.2 (10.10.11.2) 5.000 ms 6.000 ms 6.000 ms
Offline>

All Rights Reserved

View/Reset Utilization Data Online  Offline  Secure 
(UTILSTATS) Authorization: Not required
Command: UTILSTATS
Function: To display Utilization Data at the Console. Options to print the data to an
HSM-attached printer and to reset accumulated data to zero.
Notes:  Utilization statistics are also reset when new software is installed on the
HSM.
 The precise meaning of a HSM loading range identified below as, for
example, "10-20%" is "from exactly 10% to just under 20%".
 Statistics are provided irrespective of which host interface the commands
are received over.
Inputs:  Whether to print output to HSM-attached printer

 Whether to reset data
Note that the number of seconds displayed is not necessarily the number of
seconds between the start and end times: rather, it is the number of seconds
during this period when data collection was enabled using the UTILENABLE
command and the HSM was online.
Example: Online> UTILSTATS <Return>
HSM Serial Number: A4665271570Q
Report Generation Time: 05-Dec-2018 19:42.37

Report Start Time: 04-Dec-2018 09:25.01
Report End Time: 05-Dec-2018 19:42.37
Total number of secs: 123,456
HSM Loading:
0-10%: 56,789
10-20%: 24,109
20-30%: 21,445
30-40%: 12,382
40-50%: 3,288
50-60%: 2,917
60-70%: 2,123
70-80%: 403
80-90%: 0
90-100%: 0
100%: 0
Press "Enter" to continue... <Return>
Host Command Volumes:

Cmd Code Total Transactions Average CPS
A0 225 4.79

All Rights Reserved
A4 99 2.11
A6 342 7.28
A8 408 8.68
AA 141 3.00
AC 135 2.87
AE 84 1.79
AG 66 1.40
AS 18 0.38
AU 94 2.00
AW 94 2.00
AY 94 2.00
B0 50 1.06
BA 14 0.30
BC 34 0.72
BE 42 0.89
BG 5 0.11
BI 11 0.23
BK 128 2.72
Press "Enter" to continue... <Return>
Cmd Code Total Transactions Average TPS

BM 10 0.21
LA 2 0.04
Instantaneous HSM Load: 17%

Instantaneous Host Command Volumes:
Cmd Code Total Transactions Average CPS
BM 10 0.21
LA 2 0.04
Send output to printer? [Y/N]: Y <Return>

Reset All Stats? [Y/N]: Y <Return>
All utilization statistics will be reset to 0. Confirm?
[Y/N]: Y <Return>
Online>

All Rights Reserved

View/Reset Health Check Counts Online  Offline  Secure 
(HEALTHSTATS) Authorization: May be required
Activity: diagnostics
Command: HEALTHSTATS
Function: To display Health Check counts at the Console. Options to print the data to a
HSM-attached printer and to reset accumulated data to zero.
Authorization: The HSM does not require any authorization to run this command to view the
data.
The HSM must be in Offline/Secure Authorized state (or the activity
diagnostics must be authorized) for the Management LMK to reset the
Health Check Counts
Notes:  Accumulated health check counts are also reset when new software is
installed on the HSM.
 If collection of health check data has been suspended at any time, the
counts relating to Fraud Detection (i.e. failed PIN verifications and PIN
Attacks) will not represent the values of those counts which will be used
by the HSM to trigger return of Error 39 or deletion of LMKs.
Inputs:  Whether to print output to HSM-attached printer

 Whether to reset data (requires Offline/Secure Authorized state).
Example: Offline-AUTH> HEALTHSTATS <Return>
HSM Serial Number: A4665271570Q
Report Generation Time: 05-Dec-2018 23:22.28

Report Start Time: 01-Dec-2018 01:11.21
Report End Time: 25-Dec-2018 23:22.28
Number of reboots: 3
Number of tampers: 1
PIN verification failures/minute limit exceeded: 57
PIN verification failures/hour limit exceeded: 4
PIN Attack Limit exceeded: 0
Send output to printer? [Y/N]: Y <Return>
Reset All Stats? [Y/N]: Y <Return>

All Utilization statistics will be reset to 0. Confirm?
[Y/N]: Y <Return>
Offline-AUTH>

All Rights Reserved

Check the FICON Host Interface Online  Offline  Secure 
(FICONTEST) Authorization: Not required
Command: FICONTEST
Function: To check the operation of the FICON Host interface board (if fitted) and
optical transceivers.
Notes:  This test is appropriate only to the payShield 10K PS10-F.

 The test can be run using the loopback module provided. This should be
connected to the Transceiver connected to payShield 10K. Further details
on the loopback module are provided in the payShield 10K Installation
and User Guide.
 The test will send 10 packets and report success/failure on each
 The test will check that the following components are installed and
operational:
o HSM main board
o FICON board and connectors
o Transceivers and connectors
o Optical cable
o FICON software
Inputs:  None
Example 1: When this command is entered without parameters, the system displays
usage for the command.
Secure> ficonTest -f 0 -l 0 /dev/luminex/lucdrv0 0 0000

extloop <Return>
StartCU() with:
Identifier: S0000000001G
DeviceName: /dev/luminex/lucdrv0
Image: 0
ControlUnitType: 0000
ModelNumber: extloop
Starting DeviceAddress: 0
Endig DeviceAddress: 0
mihMinutes: 0
Set Speed to extloop
/dev/luminex/lucdrv0 Now Online
terminating...
/dev/luminex/lucdrv0 Now Offline
Set Speed to 0
Set Speed to 0
10 packets sent, 10 packets received, 0% loss
Secure>

All Rights Reserved
Example 2: This example uses the output from Example 1, which runs
the loopback test:
Secure> ficonTest -f 0 -l 0 /dev/luminex/lucdrv0 0 0000

extloop <Return>
StartCU() with:
Identifier: S0000000001G
DeviceName: /dev/luminex/lucdrv0
Image: 0
ControlUnitType: 0000
ModelNumber: extloop
Starting DeviceAddress: 0
Endig DeviceAddress: 0
mihMinutes: 0
terminating...
Set Speed to 0
Set Speed to 0
10 packets sent, 10 packets received, 0% loss
Secure>

All Rights Reserved
7 Local Master Keys

7.1 Types of LMKs
A Variant LMK is a set of 20 double- or triple-length TDES keys, with different "pairs" and variants of those
"pairs" being used to encrypt different types of keys.
Note that the term "pair" is used regardless of whether the LMK consists of double-length keys, or triple-length
keys. The standard LMK format supported in all previous versions of Thales (Racal) HSM firmware consists of
20 double-length TDES keys.
Note that the term "Variant LMK" refers to the fact that variants are applied to the LMK prior to using the LMK; a
Variant LMK is not itself a variant of any other key.
A Key Block LMK is either a triple-length TDES key, or a 256-bit AES key, and is used to encrypt keys in a key
block format. A Key Block LMK is not compatible with a Variant LMK, and it can only be used to encrypt keys in
the key block format.
Note that the term "Key Block LMK" refers to the 'key block' method of encrypting keys; a Key Block LMK is not
itself stored in the key block format.
7.2 Multiple LMKs

It is possible to install multiple LMKs within a single HSM. The precise details of the number and type of
installed LMKs are controlled via the HSM's license file:
LMKs are stored in a table within the secure memory of the HSM, with each LMK occupying a different “slot”
within the table. Each slot has the following attributes:
Attribute Description
LMK ID A 2-digit number which uniquely indicates the location of each LMK within the table. All
references to LMKs are made by specifying the LMK Identifier.
Key Scheme  "Variant" for traditional Racal/Thales LMK – key encryption performed using the
variant method.
 "Key Block" for enhanced security – key encryption performed using the key block
method.
Algorithm  "3DES (2key)" or "3DES (3key)" is used by Variant LMKs.
 "3DES (3key)" or "AES (256-bit)" is used by Key Block LMKs.
Other algorithm types may be supported in future software releases.
Status  "Test" indicates that the LMK is used for testing purposes.
 "Live" indicates that the LMK is used for live production purposes.
When installing LMKs, the HSM will prevent any mixing of Test and Live LMKs within the
same slot (i.e. LMK Value and Old/New LMK Value must have the same status).
Comments User-entered text, which can be used to help identify LMKs.
Authorization Indicates the authorization status of the HSM for this particular LMK – either a flag (for
Authorized State) or a list of authorized activities.
Old/New Flag for each LMK held in Key Change Storage indicating whether they are to be used as
Status an 'old' LMK (loaded via 'LO' command), or a 'new' LMK (loaded via 'LN' command).
LMK Check The check value of the LMK.
Value

All Rights Reserved
Attribute Description
Old/New LMK The check value of the 'old' or 'new' LMK held in Key Change Storage.
Check Value
Use the console command VT (View LMK Table) to view the contents of the HSM's LMK table (but not the
actual LMK values).
7.3 LMK Commands

The HSM provides the following console commands to support LMK operations:

Generate LMK Component(s) (GK) 99
Load LMK (LK) 102
Load 'Old' LMK into Key Change Storage (LO) 108
Load 'New' LMK into Key Change Storage (LN) 112
Verify LMK Store (V) 116
Duplicate LMK Component Sets (DC) 117
Delete LMK (DM) 118
Delete 'Old' or 'New' LMK from Key Change Storage (DO) 119
View LMK Table (VT) 120
Generate Test LMK (GT) 123

All Rights Reserved

Generate LMK Component(s) (GK) Online  Offline  Secure 
Command: GK
Function: To generate component(s) of an LMK, and store the component(s) on

smartcards.
This command may be used to generate components for the following types
of LMKs:
 Double-length (2DES) Variant LMK
 Triple-length (3DES) Variant LMK
 Triple-length (3DES) Key Block LMK
 256-bit AES Key Block LMK.
When creating a Variant LMK or a 3DES Key Block LMK, this command
generates the data for a single LMK component card.
When creating an AES Key Block LMK, this command generates the data for
all the required number of LMK component cards.
Inputs:  LMK Scheme (Variant or Key Block).

 LMK Algorithm:
o Double-length (2DES) or triple-length (3DES) if Variant scheme is
selected
o Triple-length (3DES) or AES if Key Block scheme is selected.
 LMK Status (Test or Live).
 For an AES Key Block LMK:
o Number of components.
o Number of components required to reconstitute the LMK.
Outputs:  LMK components written to smartcards.

 LMK component check value.
Errors:  Card not formatted – use the FC command to format the card.
 Not a LMK card –card is not formatted for LMK or key storage.
 Warning – card not blank. Proceed? [Y/N] – LMK card is not blank.
 Overwrite LMK set? [Y/N] – card already contains an LMK component.
 Smartcard error; command/return: 0003 – invalid PIN is entered.
 Invalid PIN; re-enter – a PIN of less than 4 or greater than 8 is entered.
Notes:  PINs must be entered within 60 seconds of being requested.

 If the CS setting "Card/Password authorization" is set to "Card", then the
HSM will write a random password to the 1st and 2nd LMK component cards.
These passwords will be required in order to put the HSM into the
Authorized State.

All Rights Reserved
Example 1: This example generates a triple-length Variant LMK component set, and
(Triple-length writes the components to a smartcard.
Variant LMK)
Secure> GK <Return>
Variant scheme or key block scheme? [V/K]: V <Return>
Enter algorithm type [2=2DES, 3=3DES]: 3 <Return>
Key status? [L/T]: L <Return>

LMK component set [1-9]: 1 <Return>
Insert blank card and enter PIN: ******** <Return>
Writing keys...
Checking keys...
Device write complete, check: ZZZZZZ
Remove the smartcard and store it securely.
Make another copy? [Y/N]: N <Return>

1 copies made.
Repeat the procedure to generate further component sets.
Secure>
Example 2: This example generates a double-length variant LMK component set, and
(Double-length writes the components to a smartcard.
Variant LMK)
Secure> GK <Return>
Variant scheme or key block scheme? [V/K]: V <Return>
Enter algorithm type [2=2DES, 3=3DES]: 2 <Return>

Writing keys...
Checking keys...

1 copies made.
Repeat the procedure to generate further component sets.
Secure>

All Rights Reserved
Example 3: This example generates a 3DES key block LMK component, and writes the
(Triple-length component to a smartcard.
3DES Key Block
LMK)
Secure> GK <Return>
Variant scheme or key block scheme? [V/K]: K <Return>
Enter algorithm type [D=DES,A=AES]: D
Writing keys...
Checking keys...

1 copies made.
Repeat the procedure to generate further components.
Secure>
Example 4: This example generates a set of AES key block LMK components, and writes
(AES Key Block each component to a smartcard.
LMK)
Secure> GK <Return>
Variant scheme or key block scheme? [V/K]: K <Return>
Enter algorithm type [D=DES,A=AES]: A <Return>
Enter the number of components to generate: [2-9]: 5
<Return>
Enter the number of components required to reconstitute
the LMK: [2-5]: 2 <Return>
Check value for the LMK: ZZZZZZ

Writing keys...
Checking keys...

Writing keys...
Checking keys...
The above sequence is repeated to generate each component

card.
Secure>

All Rights Reserved

Load LMK (LK) Online  Offline  Secure 
Command: LK
Function: To load LMK components from smartcards.
Inputs:  Confirm remote access (if already commissioned for remote access using
the payShield Manager)
 LMK Identifier: 2 numeric digits.
 Optional comments
 Smartcards (RLMKs are supported) with LMK components.
 PINs for the Smartcards or passwords. The PIN must be entered within 60
seconds.
 Whether to make this LMK the Default/Management LMK - see Notes
below.
Outputs:  Individual LMK component check value(s).

 Final LMK check value.
Notes:  For PCI HSM compliance, PINs and smartcards must be used to
authenticate the Security Officers.
 Use of this command will always create an entry in the Audit Log.
 If there is not already a Default and/or Management LMK installed (i.e. the
LMK IDs identified in the security settings as being the default and
management LMKs are empty), you will be asked if you wish to make this
new LMK the Default/Management LMK.
 An error is returned if an attempt is made to load an LMK with a single
component where:
o The LMK is not a test LMK, and
o The security setting to enforce multiple key components has
been set to YES.
Errors:  Invalid LMK identifier - no LMK loaded or entered identifier out of range.
 Load failed check comparison - card is blank.
 Not a LMK card - card is not formatted for LMK or key storage.
 Card not formatted - card is not formatted.
 Smartcard error; command/return: 0003 - invalid PIN is entered.
 Invalid PIN; re-enter - a PIN of less than 5 or greater than 8 digits is
entered.
 Invalid key – a standard Thales test key cannot be given live status.
 Incompatible key status – the components have different status ("live" or
"test").
 Invalid key - Multiple key components required – an attempt has been
made to load an LMK (other than a test LMK) using a single component
when the security setting to enforce multiple components has been set to
YES.

All Rights Reserved
Example 1: This example loads a double-length Variant LMK from smartcards and
(Double-length installs it in the HSM. There is already Default and Management LMKs
Variant LMK)
installed.
Secure> LK <Return>
Enter LMK id: 00 <Return>
Enter comments: Live LMK for ABC Bank <Return>
LMK in selected location must be erased before
proceeding
Erase LMK? Y <Return>
Load LMK from components or shares
Enter PIN: ******** <Return>
Check: AAAAAA
Load more components? [Y/N]: Y <Return>
Remove the smartcard. Insert the second and subsequent

smartcards and repeat the loading procedure. When all
components have been loaded and the HSM displays the LMK
Check value, record the check value.
LMK Check: ZZZZZZ

LMK id: 00
LMK key scheme: Variant
LMK algorithm: 3DES (2key)
LMK status: Live
Comments: Live LMK for ABC Bank
Confirm details? [Y/N]: Y <Return>
Use the LO/LN command to load LMKs into key change
storage.
Secure>
Example 2: This example loads a triple-length Variant LMK from smartcards and installs
(Triple-length it in the HSM. There are already Default and Management LMKs installed.
Variant LMK)
Secure> LK <Return>
Enter comments: Process System One <Return>
proceeding
Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 01

All Rights Reserved

LMK status: Live
Comments: Process System One
storage.
Secure>
Example 3: In this example, the PIN is not entered within 60 seconds.

(Any LMK type)
Secure> LK <Return>
Enter LMK id [0-9]: 0 <Return>
Enter comments: <Return>
Enter PIN:
Terminated
Secure>
Example 4: In this example, the security setting requiring use of multiple components
(Double- or triple- has been set to YES, but the user has attempted to load a non-Test LMK
length Variant
using only one component.
LMK)
Secure> LK <Return>
Enter comments: <Return>
Check: AAAAAA
Load more components? [Y/N]: N <Return>
LMK Check: ZZZZZZ
Invalid key - Multiple key components required
Secure>

All Rights Reserved
Example 5: This example loads a 3DES key block LMK from smartcards and installs it in
(3DES Key Block the HSM. There is already Default and Management LMKs installed.
LMK)
Secure> LK <Return>
Enter comments: Live LMK for XYZ Bank <Return>
proceeding
Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 01
LMK key scheme: KeyBlock
LMK algorithm: 3DES(3key)
LMK status: Live
Comments: Live LMK for XYZ Bank
storage.
Secure>

All Rights Reserved
Example 6: This example loads an AES key block LMK from smartcards and installs it in
(AES Key Block the HSM. There is already Default and Management LMKs installed.
LMK)
Secure> LK <Return>
proceeding
PIN: ******** <Return>
Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 02
LMK algorithm: AES-256
LMK status: Live
storage.
Secure>

All Rights Reserved
Example 7: This example loads an AES key block LMK from smartcards and installs it in
(AES Key Block the HSM. There is no Default or Management LMK already installed.
LMK - no Default
or Management
LMK already Secure> LK <Return>
installed.) Enter LMK id: 02 <Return>

Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 02
LMK status: Live
storage.
Do you want to make this LMK the default LMK? [Y/N]: Y
<Return>
Do you want to make this LMK the management LMK? [Y/N]:
Y <Return>
Secure>

All Rights Reserved

Load 'Old' LMK into Key Change Online  Offline  Secure 
Storage (LO) Authorization: Required
Activity: admin.console
Command: LO
Function: To load an old LMK component set into Key Change Storage for use in
translations from old to new keys. Note that the current LMK must be installed
before an "old" LMK can be installed. Also note that it is possible to install a
Variant LMK as the "old" LMK, and with a Key Block LMK as the "new" LMK.
Authorization: The HSM must be in the secure state to run this command. Additionally, the
HSM must be either in the Authorized State, or the activity admin.console
must be authorized, using the Authorizing Officer cards of the specified LMK.
Inputs:  LMK identifier: 2 numeric digits.

 Smartcards (RLMKs are supported) with old LMK components.
 PINs for the Smartcards or passwords. PINs must be entered within 60
seconds of being requested.
Outputs:  Individual LMK Component check value(s).

 Final LMK key check value.
Errors:  No LMK loaded – there is no LMK loaded in main memory.

 Invalid LMK identifier – entered identifier out of range
 Key Block LMK not permitted – it is not permitted to load a Key Block LMK
into key change storage if a variant LMK is loaded in main memory.
 Load failed check comparison – card is blank.
 Not a LMK card – card is not formatted for LMK or key storage.
 Card not formatted – card is not formatted.
 Command only allowed from Secure-Authorized – the HSM is not in Secure
State, or the HSM is not authorized to perform this operation, or both.
 Incompatible cards – the component cards have different formats.
"test").
 Invalid key - Multiple key components required – an attempt has been made
to load an LMK (other than a Test LMK) using a single component when the
security setting to enforce multiple components has been set to YES.
 It is not permitted to load a Key Block LMK into the "old" LMK slot of a Variant
LMK.
 It is not permitted to load an AES Key Block LMK into the "old" LMK slot of a
3DES Key Block LMK.
 If multiple LMKs are loaded on the HSM, each can have a corresponding
old LMK. The ID of the LMK being processed is defined in the command
input.

All Rights Reserved
Example 1: This example loads a double-length Variant LMK from smartcards and installs
(Double-length it as 'old' LMK 00.
Variant LMK)
Secure-AUTH> LO <Return>
Enter comments: Old LMK for ABC Bank <Return>
Load old LMK from components or shares
Check: AAAAAA

smartcards and repeat the loading procedure until all old
component sets have been loaded. When all components have
been loaded and the HSM displays the LMK Check value,
ensure that this is the expected value.
LMK Check: ZZZZZZ

LMK id: 00
LMK status: Live
Comments: Old LMK for ABC Bank
Secure-AUTH>

All Rights Reserved
Example 2: This example loads a triple-length Variant LMK from smartcards and installs it
(Triple-length as 'old' LMK 00.
Variant LMK)
Enter comments: Old LMK for Process System One <Return>
Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 00
LMK status: Live
Comments: Old LMK for Process System One
Secure-AUTH>
Example 3: This example attempts to load a non-Test LMK using a single component
(Double- or triple- when the security setting to enforce multiple components has been set to
length Variant
YES.
LMK)
Enter comments: Old LMK for ABC Bank <Return>
Check: AAAAAA
Check: AAAAAA
Secure-AUTH>
Example 4: This example loads a 3DES key block LMK from smartcards and installs it as
(3DES Key Block 'old' LMK 01.
LMK)
Enter comments: Old LMK for XYZ Bank <Return>
Check: AAAAAA


All Rights Reserved
LMK Check: ZZZZZZ

LMK id: 01
LMK status: Live
Comments: Old LMK for XYZ Bank
Secure-AUTH>
Example 5: This example loads an AES key block LMK from smartcards and installs it as
(AES Key Block 'old' LMK 02.
LMK)
Enter comments: Old LMK for XYZ Bank <Return>

Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 02
LMK status: Live
Comments: Old LMK for XYZ Bank
Secure-AUTH>

All Rights Reserved

Load 'New' LMK into Key Change Online  Offline  Secure 
Storage (LN) Authorization: Required
Command: LN
Function: To load a new LMK component set into Key Change Storage for use in
translations from the current LMK to a "new" LMK. Note that the current LMK
must be installed before a "new" LMK can be installed. Also note that it is
possible to install a Key Block LMK as the "new" LMK, with a Variant LMK as
the current LMK.

 Smartcards (regular HSM or payShield Manager smartcards) with new LMK
components.
 PINs for the Smartcards or passwords. PINs must be entered within 60
seconds of being requested.
Outputs:  Individual LMK Component check value(s).

 Final LMK key check value.
Errors:  No LMK loaded – there is no LMK loaded in main memory.

 Invalid LMK identifier – entered identifier out of range
 Key Block LMK not permitted – it is not permitted to load a key block LMK
into key change storage if a variant LMK is loaded in main memory.
 Load failed check comparison – card is blank.
 Not a LMK card – card is not formatted for LMK or key storage.
 Card not formatted – card is not formatted.
 Command only allowed from Secure-Authorized – the HSM is not in Secure
 Incompatible cards – the component cards have different formats.
"test").
 Invalid key - Multiple key components required – an attempt has been made
to load an LMK (other than a Test LMK) using a single component when the
security setting to enforce multiple components has been set to YES.
 It is not permitted to load a Variant LMK into the "new" LMK slot of a Key
Block LMK.
 It is not permitted to load a 3DES Key Block LMK into the "new" LMK slot of
an AES Key Block LMK.
 If multiple LMKs are loaded on the HSM, each can have a corresponding
'new' LMK. The ID of the LMK being processed is defined in the command
input.

All Rights Reserved
Example 1: This example loads a double-length Variant LMK from smartcards and installs
(Double-length it as 'new' LMK 00.
Variant LMK)
Secure-AUTH> LN <Return>
Enter comments: New LMK for ABC Bank <Return>
Load new LMK from components or shares
Check: AAAAAA

smartcards and repeat the loading procedure until all new
LMK Check: ZZZZZZ

LMK id: 00
LMK status: Live
Comments: New LMK for ABC Bank
Secure-AUTH>

All Rights Reserved
Example 2: This example loads a triple-length Variant LMK from smartcards and installs it
(Triple-length as 'new' LMK 00.
Variant LMK)
Enter comments: New LMK for Process System One <Return>
Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 00
LMK status: Live
Comments: New LMK for Process System One
Secure-AUTH>
Example 3: This example attempts to load a non-Test LMK using a single component
(Double- or triple- when the security setting to enforce multiple components has been set to
length Variant
YES.
LMK)
Enter comments: New LMK for ABC Bank <Return>
Load new LMK from components. Or shares
Check: AAAAAA
Check: AAAAAA
Secure-AUTH>
Example 4: This example loads a 3DES key block LMK from smartcards and installs it as
(3DES Key Block 'new' LMK 01.
LMK)
Enter comments: New LMK for XYZ Bank <Return>
Check: AAAAAA


All Rights Reserved
LMK Check: ZZZZZZ

LMK id: 01
LMK status: Live
Comments: New LMK for XYZ Bank
Secure-AUTH>
Example 5: This example loads an AES key block LMK from smartcards and installs it as
(AES Key Block 'new' LMK 02.
LMK)
Enter comments: New LMK for XYZ Bank <Return>
Check: AAAAAA

LMK Check: ZZZZZZ

LMK id: 02
LMK status: Live
Comments: New LMK for XYZ Bank
Secure-AUTH>

All Rights Reserved

Verify LMK Store (V) Online  Offline  Secure 
Command: V
Function: To confirm that the check value is identical to the value that was recorded
when the LMK set was installed.
For Variant LMKs, the length of the displayed check value is determined by the
CS (Configure Security) setting "Restrict Key Check Value to 6 hex chars".
For Key Block LMKs, the length of the displayed check value is always 6 hex
digits.
Inputs:  LMK Identifier: 2 numeric digits.
Outputs:  Master key check value.
Example: Online> V <Return>

Check: ZZZZZZ
Online>

All Rights Reserved

Duplicate LMK Component Sets (DC) Online  Offline  Secure 
Command: DC
Function: To copy an LMK component onto another smartcard.
Inputs:  Smartcard (RLMKs are supported) with LMK component.

 PIN for the smartcard. PINs must be entered within 60 seconds of being
requested.
Outputs:  LMK check value.
Errors:  Load failed check comparison - card is blank

 Card not formatted - card is not formatted
 Smartcard error; command/return: 0003 - invalid PIN is entered
 Invalid PIN; re-enter - a PIN of less than 4 or greater than 8 is entered.
 Warning - card not blank. Proceed? [Y/N] - LMK card is not blank
 Overwrite LMK set? [Y/N] - the smartcard already contains an LMK
component. It can be overwritten if desired.
Example: Secure> DC <Return>

Insert card to be duplicated and press ENTER: <Return>
Writing keys...
Checking keys...
Secure>

All Rights Reserved

Delete LMK (DM) Online  Offline  Secure 
Command: DM
Function: To delete a selected LMK and (if loaded) the LMK in the corresponding
location in key change storage.
Outputs:  Display of relevant entry from LMK table and the key change storage table.
 Command only allowed from Secure-Authorized - the HSM is not in Secure
 LMK id xx is the Default and Management LMK ID – the default and
Management LMKs cannot be deleted.
Notes:  LMKs which are the Default or Management LMK cannot be deleted. The
Default and Management LMK must be re-assigned to a new LMK before
the desired LMK can be deleted. (The LMK ID of the Management and
default LMKs can be viewed by running the QS command.)
Example: Secure-AUTH> DM <Return>

LMK table entry:

ID Auth Scheme Algorithm Status Check Comments
01 Yes(1) KeyBlock 3DES(3key) Test ZZZZZZ Test LMK
for XYZ Bank
Key change storage table entry:

ID Scheme Algorithm Status Check Comments
01 Variant 3DES(2key) Test ZZZZZZ Old test
LMK for XYZ Bank
Confirm LMK deletion [Y/N]: Y <Return>

LMK deleted from main memory and key change storage
Secure>

All Rights Reserved

Delete 'Old' or 'New' LMK from Key Online  Offline  Secure 
Change Storage (DO) Authorization: Not required
Command: DO
Function: To delete a selected LMK from key change storage. This command may only
be used if an LMK is loaded in the corresponding location in main LMK
memory.
Outputs:  Display of relevant entry from the key change storage table.
Example: Secure> DO <Return>

Key change storage table entry:

ID Scheme Algorithm Status Check Comments
01 Variant 3DES(2key) Test ZZZZZZ Old test LMK for
XYZ Bank
Confirm LMK deletion [Y/N]: Y <Return>

LMK deleted from key change storage
Secure>

All Rights Reserved

View LMK Table (VT) Online  Offline  Secure 
Command: VT
Function: To display the LMK table and the corresponding table for key change storage.
Inputs: None.
Outputs:  Displayed LMK table and key change storage table.

 For each LMK currently installed, the following information is displayed:
o ID – identifier selected during installation of this LMK.
o Auth – current authorized status:
 No – not authorized state/activities not active;
 Yes – authorized state is active;
 Yes (nX) – 'n' authorized activities are active (if HSM is
configured for multiple authorized activities), with X
identifying whether Host or Console commands.
 (Note that LMKs in key change storage cannot be
authorized.)
o Old/New – Status of key in Key Change Storage
 Old – key is treated as an 'old' LMK
 New – key is treated as a 'new' LMK
 (Note that only LMKs held in Key Change Storage have the
Old/New status.)
o Scheme – The LMK scheme:
 Variant – indicating a Variant LMK
 Key Block – indicating a Key Block LMK
o Algorithm – the LMK algorithm:
 3DES (2key) – indicating a double-length TDES Variant LMK
 3DES (3key) – indicating a triple-length TDES Variant or
triple-length (3DES) Key Block LMK
 AES-256 – indicating an AES Key Block LMK.
o Status – the LMK status, selected during generation of the LMK.
 Live – LMK is a 'live' LMK.
 Test – LMK is a 'test' LMK.
o Check – the check value of the LMK.
o Comments – the comments entered during installation of this LMK.
Errors: None.

All Rights Reserved
Example 1: The HSM is configured for single authorized state, but has not been authorized:
Secure> VT <Return>
LMK table:
ID Authorized Scheme Algorithm Status Check Comments
00 No Variant 3DES(2key) Test 268604 test
variant
Key change storage table:No keys loaded in key change

storage
Secure>
Example 2: The HSM is configured for single authorized state, and both host and console
commands are authorized for LMK 01:
Secure> VT <Return>
LMK table:

variant
01 Yes(1H,1C) Variant 3DES(2key) Test 268604 test
variant
02 Yes(1H,1C) Variant 3DES(3key) Live 554279
Production 1
storage
Secure>
Example 3: The HSM is configured for single authorized state, and only host commands
are authorized for LMK 01 (console command authorization has automatically
expired after 12 hours):
Secure> VT <Return>
LMK table:

variant
01 Yes(1H,0C) KeyBlock AES-256 Live 963272 Mngmnt
LMK
storage
Secure>

All Rights Reserved
Example 4: The HSM is configured for multiple authorized activities. Output shows how
many host and console commands are authorized for each LMK:
Online-AUTH> VT <Return>
LMK table:
00 Yes(0H,1C) Variant 3DES(3key) Live 726135 test variant
02 Yes(1H,0C) KeyBlock AES-256 Test 6620CA Mngmnt LMK
Key change storage table:
ID Old/New Scheme Algorithm Status Check Comments
00 New KeyBlock 3DES(3key) Live 331873 test variant 2
02 New KeyBlock AES-256 Test 9D04A0 New mngmnt LMK
Online-AUTH>

All Rights Reserved

Generate Test LMK (GT) Online  Offline  Secure 
Command: GT
Function: To generate one of the standard Thales Test LMKs, and write the
component(s) to smartcard(s).
The payShield 10K supports four different types of LMK:
 2DES Variant LMK
 3DES Variant LMK
 3DES Key Block LMK
 AES Key Block LMK
All three DES-based Test LMKs can be stored on a single smartcard; the
AES Test LMK requires two smartcards.
Note: This command simply generates a smart card with the known and
documented test LMK stored on it. The command does not generate a new
test LMK.
Inputs:  Type of Test LMK to be generated.

 Prompts for smartcards to be inserted & PINs to be entered.
Outputs:  Confirmation of Test LMK components being written to smartcards.

 Prompts to make additional copies.
Errors:  Card not formatted – use the FC command to format the card.
 Not a LMK card –card is not formatted for LMK or key storage.
 Warning – card not blank. Proceed? [Y/N] – LMK card is not blank.
 Overwrite LMK set? [Y/N] – card already contains an LMK component.
 Invalid selection.
 Invalid PIN.

All Rights Reserved
Example 1: This example writes the standard 2DES Variant Thales Test LMK to a single
smartcard:
Online> GT <Return>
Generate Standard Thales Test LMK Set:

1 - 2DES Variant
2 - 3DES Variant
3 - 3DES KeyBlock
4 - AES KeyBlock
Select Standard Thales Test LMK set to be generated: 1
<Return>
Insert blank card and enter PIN: **** <Return>
Writing keys...
Checking keys...

1 copies made.
Do you want to generate another Standard Thales Test LMK

set [Y/N]: N <Return>
Online>
Example 2: This example writes the two components of the standard AES Key Block Thales
Test LMK to two separate smartcards:
Online> GT <Return>
Generate Standard Thales Test LMK Set:

1 - 2DES Variant
2 - 3DES Variant
3 - 3DES KeyBlock
4 - AES KeyBlock
Select Standard Thales Test LMK set to be generated: 4
<Return>
Writing keys...
Checking keys...
Writing keys...
Checking keys...
Do you want to generate another Standard Thales Test LMK

set [Y/N]: N <Return>
Online>

All Rights Reserved
8 Operational Commands
8.1 Authorization Commands
The payShield 10K needs to be authorized for certain commands to be executed - usually those involving clear
text data.
There are two methods of authorizing the HSM – using:
 a single Authorized State;
 multiple Authorized Activities.
Note: The console command CS (Configure Security) setting "Enable multiple authorized activities" determines
which method is to be used; by default, multiple Authorized Activities are used.
If the HSM needs to be placed in Authorized State using the Authorizing Officer cards (or passwords)
corresponding to a particular LMK, then the command will only be authorized for that particular LMK identifier.
For example, if the "FK" console command ("Form Key from Components") is authorized using the passwords
corresponding to the LMK with identifier "00", then only keys encrypted using LMK "00" may be formed using
the command.
It is possible to authorize the HSM using multiple Authorizing Officer cards (or passwords), so that the HSM may
be simultaneously authorized for different LMKs.
Note: For PCI HSM compliance, PINs and smartcards must be used to authenticate the Security Officers:
passwords must not be used.
The payShield 10K provides the following console commands to support the authorization of the HSM:

Enter the Authorized State (A) 126
Cancel the Authorized State (C) 128
Authorize Activity (A) 129
Cancel Authorized Activity (C) 137
View Authorized Activities (VA) 139

All Rights Reserved

Enter the Authorized State (A) Online  Offline  Secure 
Command: A
Function: To set the HSM into the Authorized State.

The HSM prompts for either Smartcards or Passwords, as applicable, which
must correspond to the LMK being authorized.
Inputs:  LMK Identifier: 1 or 2 numeric digits.

 PIN (if applicable): 5 to 8 alphanumeric characters. The PIN must be
entered within 60 seconds. (4-digit PINs on legacy cards will also be
accepted.)
 Either:
o Smartcards (RLMKs are supported) with authorizing both
passwords.
o Password: 16 alphanumeric characters.
Outputs:  Text messages as shown in examples.
Notes:  If the CS setting "Card/Password authorization" is set to "Card", then the

passwords required to put the HSM into the Authorized State will be read
from smartcards. Note that only the first 2 LMK component cards contain
passwords.
 This command is only available when the console command CS (Configure
Security) setting "Enable multiple authorized activities [Y/N]" is set to "N".
 For PCI HSM compliance, authentication must use smartcards and PINs,
not passwords.
 Use of this command will always cause an entry to be made in the Audit
Log.
 Console commands remain authorized for 12 hours (720 minutes).
 Not an LMK card - card is not formatted for LMK or key storage.
 Invalid PIN; re-enter - a PIN of less than 5 or greater than 8 digits is entered.
 Data invalid; please re-enter - the password is an invalid length.
Example 1: This example authorizes the HSM using smartcards.

Online> A <Return>
First Officer:
Insert card and enter PIN: ******** <Return>
Second Officer:
AUTHORIZED
Console authorizations will expire in 720 minutes (12
hours).
Online-AUTH>
Example 2: This example authorizes the HSM using passwords.
Online> A <Return>
First Officer:

All Rights Reserved
Password: **************** <Return>

Second Officer:
Password: ******************* <Return>  Password too long
Data invalid; please re-enter: **************** <Return>
AUTHORIZED
hours).
Online-AUTH>

All Rights Reserved

Cancel the Authorized State (C) Online  Offline  Secure 
Command: C
Function: To cancel the Authorized State.

There is an equivalent command available to the host (Host command 'RA')
Outputs:  Text messages as shown in example.
Notes:  This command is only available when the console command CS (Configure
Security) setting "Enable multiple authorized activities [Y/N]" is set to "N".
Log.
Example 1: Online-AUTH> C <Return>

NOT AUTHORIZED for LMK id 00
Online>

All Rights Reserved

Authorize Activity (A) Online  Offline  Secure 
Command: A
Function: To authorize the HSM to perform certain specified activities.

In command line mode, the operator specifies which activities are to be
authorized.
In menu mode, the operator is prompted to enter the activities.
In both cases, the specified activities are authorized by submitting two
Security Officer cards or passwords, which must correspond to the LMK being
authorized.
Authorized activities can be made persistent, in which case they are retained
even if the power to the HSM is cycled.
Inputs:  LMK Identifier: 2 numeric digits

 Activities to be authorized.
 Timeout value: Number of minutes before HSM will revoke chosen
authorized activity. Where the security setting Enforce Authorization Time
Limit has been set to "YES" (i.e. to the PCI HSM compliant value) then
console commands can be authorized for a maximum period of 12 hours
(720 minutes).
 PIN (if applicable): 5 to 8 alphanumeric characters. The PIN must be
entered within 60 seconds of being requested. (4-digit PINs on legacy cards
will also be accepted.)
 Either:
o Smartcards (RLMKs are supported) with authorizing both
passwords.
o Password: 16 alphanumeric characters.
 Use "-h" to display help.
Syntax: Syntax: A [<Activity>] [<Activity>] ...

Activity: <Category>.[<Sub-category>].[<Interface>][:<Timeout>]
Category = generate|component|genprint|import|export|pin|audit|admin|diag|
misc|command
Sub-category (for 'generate|import|export') = key type code, e.g. 001 for ZPK.
Sub-category (for 'pin') = mailer|clear
Interface = host|console
Timeout = value in minutes or 'p' for persistent. (A maximum of 12 hours (720
minutes) is applied to Console commands.}
Names may be shortened but must remain unique.
 Data invalid; please re-enter: the password is an invalid length.

All Rights Reserved
Notes:  If the CS setting "Card/Password authorization" is set to "Card", then the

passwords required to put the HSM into the Authorized State will be read
from smartcards. Note that only the first 2 LMK component cards contain
passwords.
 This command is only available when the console command CS (Configure
Security) setting "Enable multiple authorized activities [Y/N]" is set to "Y".
 For PCI HSM compliance, the following security settings must be set:
o user authentication must be by smartcard and PIN, and not by using
passwords.
o Authorization time limit for Console commands must be enforced.
 Where the security setting Enforce Authorization Time Limit has been set to
"YES" (i.e. to the PCI HSM compliant value) then console commands can
be authorized for a maximum period of 12 hours (720 minutes).
Log.
 Activities are described in terms of four fields: Category, Sub-Category,
Interface and Timeout. If the Timeout field is omitted, the activity remains
authorized until cancelled either by the console command "C" or the host
command "RA".
 Omitting either the Sub-Category and/or the Interface field is equivalent to
authorizing multiple activities consisting of all possible combinations of valid
values for the missing fields. For clarification:
pin.mailer
is equivalent to:
pin.mailer.host
pin.mailer.console
and:
pin
is equivalent to:
pin.clear.console
pin.clear.host
pin.mailer.console
pin.mailer.host
 When authorizing activities, two (or more) activities may overlap, for
example:
pin
pin.mailer
 There is no requirement to attempt to reduce activities to the minimum set.
The list of authorized activities simply consists of all those entered (and
authorized) by the user.
 There is one case when it will be necessary to overwrite an existing activity:
when only the Timeout field changes. For example, suppose that the
following activity is authorized:
export.001.console:11
and the user uses the 'A' command to authorize the following activity:
then this should overwrite the first one (even if the newer activity has a
shorter Timeout value).

All Rights Reserved
 Note: When omitting the sub-category, but including the interface, there
should be two delimiters "." between them:
Example: export..host allows export of any (valid) key using a host
command.
 The option to make an authorization persistent (i.e. to survive across a re-
boot of the HSM) is only available for Host commands and where the
authorization is also permanent.
Example 1: This example authorizes a single activity via the menu.

(Variant or Key
Block LMK) Online> A <Return>
No activities are authorized for LMK id 00.
List of authorizable activities:
generate genprint component import
export pin audit admin
diagnostic misc command
Select category: pin <Return>
clear mailer
Select sub-category, or <RETURN> for all: mailer <Return>
host console
Select interface, or <RETURN> for all: <Return>
Enter time limit for pin.mailer, or <RETURN> for
permanent: <Return>
Make activity persistent? [Y/N]: N <Return>
Enter additional activities to authorize? [y/N]: N
<Return>
The following activities are pending authorization for

LMK id 00:
pin.mailer
First Officer:
Insert Card for Security Officer and enter the PIN:
******** <Return>
Second Officer:
Insert Card for Security Officer and enter the PIN:
******** <Return>
The following activities are authorized for LMK id 00:

pin.mailer
Online-AUTH>
Example 2: This example authorizes activities via the command line, with no time limits
(Variant or Key specified.
Block LMK)
Online> A gene comp genp i e p au ad di m comm<Return>

hours).

LMK id 00:
admin..console:720
admin..host

All Rights Reserved
audit..console:720
audit..host
command..console:720
command..host
component..console:720
component..host
diagnostic..console:720
diagnostic..host
export..console:720
export..host
generate..console:720
generate..host
genprint..console:720
genprint..host
import..console:720
import..host
misc..console:720
misc..host
pin..console:720
pin..host
First officer:
Second officer:
admin..console:720 (720 mins remaining)

admin..host
audit..console:720 (720 mins remaining)
audit..host
command..console:720 (720 mins remaining)
command..host
component..console:720 (720 mins remaining)
component..host
diagnostic..console:720 (720 mins remaining)
diagnostic..host
export..console:720 (720 mins remaining)
export..host
generate..console:720 (720 mins remaining)
generate..host
genprint..console:720 (720 mins remaining)
genprint..host
import..console:720 (720 mins remaining)
import..host
misc..console:720 (720 mins remaining)
misc..host
pin..console:720 (720 mins remaining)
pin..host
Online-AUTH>

All Rights Reserved
Example 3: This example authorizes three activities additional Example 1 via the menu.
(Variant LMK)
Online-AUTH> A <Return>
pin.mailer
Select category: generate <Return>
000 100 200 001
002 400 003 006
008 009 109 209
309 409 509 709
00a 00b rsa
Select sub-category, or <RETURN> for all: 000 <Return>
host console
Select interface, or <RETURN> for all: C <Return>
Enter time limit for generate.000.console, or <RETURN>
for permanent: 60 <Return>
Enter additional activities to authorize? [y/N]: Y

<Return>
Select category: export <Return>
000 100 200 001
002 400 003 006
008 009 109 209
309 409 509 709
00a 00b rsa
host console
Select interface, or <RETURN> for all: H <Return>
Enter time limit for export.001.host, or <RETURN> for
permanent: <Return>
Make activity persistent? [Y/N]: n <Return>

<Return>
Select category: admin <Return>
host console
Select interface, or <RETURN> for all: c <Return>
Enter time limit for admin, or <RETURN> for permanent:
240 <Return>
Enter additional activities to authorize? [y/N]: n

<Return>
LMK id 00:
admin..console:240
export.001.host
generate.000.console:60

All Rights Reserved
First Officer
Insert Card for Security Officer and enter the PIN: ****
<Return>
Second Officer
<Return>

admin:240 (240 mins remaining)
export.001.host
generate.000.console:60 (60 mins remaining)
pin.mailer
Online-AUTH>
Example 4: This example authorizes three activities additional to Example 1 via the
(Variant LMK) command line, including time limits.
Online-AUTH> A gene.000.con:60 exp.001.host:p admin:240

<Return>

LMK id 00:
admin:240
export.001.host:persistent
generate.000.console:60
First Officer:
<Return>
Second Officer:
<Return>

Online-AUTH>
Example 5: This example authorizes a single activity via the command line.
(Variant or Key
Block LMK) Online> A pin.clear <Return>

hours).

LMK id 01:
pin.clear.console:720
pin.clear.host
First Officer:
<Return>

All Rights Reserved
Second Officer:
<Return>
pin.clear.console:720 (720 mins remaining)

pin.clear.host
Online-AUTH>
Example 6: This example authorizes an additional three activities via the menu.
(Key Block LMK)
Online-AUTH> A <Return>
pin.clear
Select category: export <Return>
01 B0 C0 11
12 13 D0 21
22 E0 E1 E2
E3 E4 E5 E6
31 32 K0 51
52 M0 M1 M2
M3 M4 M5 61
62 63 64 65
P0 71 72 73
V0 V1 V2
host console
Select interface, or <RETURN> for all: C <Return>
Enter time limit for export.72.console, or <RETURN> for
permanent: 60 <Return>

<Return>
Select category: admin <Return>
host console
Select interface, or <RETURN> for all: <Return>
240 <Return>

<Return>
Select category: misc <Return>
host console
Select interface, or <RETURN> for all: c <Return>

All Rights Reserved

<Return>
Make activity persistent? [Y/N]: n <Return>
Enter additional activities to authorize? [y/N]: n

<Return>
LMK id 00:
misc..console
admin:240
First Officer
<Return>
Second Officer
<Return>

misc..console
export.72.console (60 mins remaining)
pin.clear
Online-AUTH>
Example 7: This example authorizes an additional three activities via the command line.
(Key Block LMK)
Online-AUTH> a exp.001.con:60 admin:240 misc..console
<Return>

hours).

LMK id 01:
admin:240
misc..console:720
First Officer:
<Return>
Second Officer:
<Return>

export.001.console:60 (60 mins remaining)
misc..console:720 (720 mins remaining)
pin.clear.console:720 (712 mins remaining)
pin.clear.host
Online-AUTH>

All Rights Reserved

Cancel Authorized Activity (C) Online  Offline  Secure 
Command: C
Function: To cancel one or more Authorized Activities.
Notes:  This command is only available when the console command CS (Configure
Security) setting "Enable multiple authorized activities [Y/N]" is set to "Y".
Syntax: C [<Activity>] [<Activity>] ...

Activity: <Category>[.<Sub-category>][.<Interface>][:<Timeout>]
Category = generate|component|genprint|import|export|pin|audit|admin|diag|
misc| command
Sub-category (for 'generate|import|export') = key name, e.g. TPK, MK-AC,
etc.
Sub-category (for 'pin') = mailer|clear
Interface = host|console
Timeout = value in minutes or 'p' for persistent
Names may be shortened but must remain unique.
When canceling an authorized activity which includes a timeout, the original
value of the timeout should be specified.
Note: When omitting the sub-category, but including the interface, there
should be two delimiters "." between them:
Example: export..host allows export of any (valid) key using a host
command.
 Invalid input.
Notes:  Use of this command will always cause an entry to be made in the Audit
Log.

All Rights Reserved
Example 1: This example cancels an existing activity via the menu.

(Variant or Key
Block LMK) Online-AUTH> C <Return>
Cancel pin.mailer? [y/N] Y <Return>
Online>
Note: This example assumes that the activities in the Authorize Activity
command Example 1 (above) are active.
Example 2: This example cancels an existing activity via the command line.
(Variant or Key
Block LMK) Online-AUTH> C pin.mailer <Return>
Online>
Example 3: This example cancels an existing activity via the menu.

(Variant LMK)
Online-AUTH> C <Return>
Cancel admin:240 (194 mins remaining) ? [y/N] Y <Return>
Cancel export.001.host? [y/N] N <Return>
Cancel generate.000.console:60 (14 mins remaining)?
[y/N] Y <Return>
Cancel pin.mailer? [y/N] N <Return>
export.001.host
pin.mailer
Online-AUTH>
(Variant LMK)
Online-AUTH> C gene.000.c admin <Return>
The hollowing activities are authorized for LMK id 00.
export.001.host
pin.mailer
Online-AUTH>
Note: This example assumes that the activities in the

Authorize Activity command Example 4 (above) are active.
(Variant or Key
Block LMK) Online-AUTH> C pin.clear <Return>
Online>

All Rights Reserved

View Authorized Activities (VA) Online  Offline  Secure 
Command: VA
Function: To view all active authorized activities.
Outputs:  List of active authorized activities.
Example 1: This example applies when multiple authorized activities has been enabled..
(Multiple
authorized Online-AUTH> VA <Return>
activities Enter LMK id: 00 <Return>
enabled) The following activities are authorized for LMK id 00:
Online-AUTH>
Note: This example assumes the activities in the Authorize Activity command
Example 4 (above) were authorized 12 minutes ago.
Example 2: This example applies when multiple authorized activities has not been
(Multiple enabled..
authorized
activities Online-AUTH> VA <Return>
disabled) Enter LMK id [0-9]: 0 <Return>
LMK id 00 is authorized.
Console authorization expires in 716 minute(s).
Online-AUTH>
Note: This example assumes that authorized state was enabled 4 minutes
ago.

All Rights Reserved
8.2 Logging Commands

An Error Log and an Audit Log are provided, each with a command to display the log and a command to clear
the log. There is also a command to enable the user to set their time zone, so that the correct time is displayed
in audit log reports.
The Error log stores fault information for use by Thales support personnel. The error log is used to log
unexpected software errors, hardware failures and alarm events. Whenever an error occurs, that error code is
stored, along with the time, date and severity level. Additional errors that have the same error code cause the
time and date of that code to be updated. In this way, each error type remains in the log (with the most recent
time and date) and is not lost. The severity levels are:
 Informative (0) Something abnormal happened, but was not important.
 Recoverable (1) Something abnormal happened, but the unit recovered from it without rebooting or
losing data.
 Major (2) Something abnormal happened, but the unit recovered from it but may have lost
data/information due to restarting a process or re-initializing hardware. The unit may not function in a full
capacity.
 Catastrophic (3) Something abnormal happened, and the unit had to reboot to recover.
Only catastrophic errors cause the HSM to reboot. New errors cause the Fault LED on the front panel to flash.
Whenever the HSM state is altered through power-up, key-lock changes or console commands, the Audit log is
updated with the action and the time and date. The Audit log can also be configured to record execution of
almost any console or host command. The Audit log records state changes until it is 100% full and for each
subsequent state change the earliest (i.e. oldest) record in the log is deleted to make room for the new record. A
number of host commands are provided which allow the host computer to extract and archive (print) audit
records from the HSM.
Management of the Audit journal is performed from the console using the command 'AUDITOPTIONS', while
'AUDITLOG' is used to retrieve the log and 'CLEARAUDIT' to clear the log. The HSM must be put into the
secure-authorized state in order to execute the 'AUDITOPTIONS' and 'CLEARAUDIT' console commands.
Note: Auditing host or console commands may impact HSM performance.
The payShield 10K provides the following console commands to support storage and retrieval of HSM settings:

Display the Error Log (ERRLOG) 141
Clear the Error Log (CLEARERR) 142
Display the Audit Log (AUDITLOG) 143
Clear the Audit Log (CLEARAUDIT) 145
Audit Options (AUDITOPTIONS) 146

All Rights Reserved

Display the Error Log (ERRLOG) Online  Offline  Secure 
Command: ERRLOG
Function: To display the entries in the error log.
Inputs: None.
Outputs:  A listing of the errors in the error log, or text message: "Error log is empty".
Errors: None.
Example 1: In this example, there are no entries in the error log.
Offline> ERRLOG <Return>

Error log is empty
Offline>
Example 2: In this example, there are three errors in the error log.
Offline> ERRLOG <Return>

Error Log (3 entries)
--------------------------
1: May 01 09:35:00 ERROR (1): Invalid queue size (Severity: 2,
Code = 00000001, Sub-code = 00000002)
2: May 01 09:35:02 ERROR (1): Key3 cannot be specified without
key2 (Severity: 0, Code = 00000004, Sub-code = 00000003)
3: May 06 13:55:00 ERROR: [Power Supply: FAILED (PSU 2
Failed) ] (Severity: 3, Code = 0x00000001, Sub-Code =
0x0000000E)
Please copy this log to a text file and send it

to your regional Thales E-Security Support center.
Offline>

All Rights Reserved

Clear the Error Log (CLEARERR) Online  Offline  Secure 
Command: CLEARERR
Function: To clear the entries in the error log.
Inputs: None.
Outputs:  A confirmation message.
Errors: None.
Example: Secure> CLEARERR <Return>

Error log Cleared
Secure>

All Rights Reserved

Display the Audit Log (AUDITLOG) Online  Offline  Secure 
Command: AUDITLOG
Function: To display the entries in the audit log.
Inputs: None.
Outputs:  A listing of the entries in the audit log.

o For authorizations, the period of authorization of Console commands
will be indicated by attaching text of the form ":123" (representing
123 minutes) to the identity of the authorized activity.
 The following text messages can be output:
 Audit Log (in entries)
 Continue displaying audit log entries? Yes/No/Continuous
Notes:  Certain items are always recorded in the Audit Log, irrespective of the
selections made using AUDITOPTIONS.
These are:
o Serial numbers of smartcards used to authenticate users at the HSM
or to payShield Manager.
o Authorization of activities
o Cancellation of authorization.
o Key and component entry at the Console or payShield Manager.
When key and component entry are forcibly logged in this way, the log
entry indicates successful completion of the action.
The user can, as in earlier versions of software, use AUDITOPTIONS to
specify that the key and component entry commands are logged: this will
normally result in 2 entries in the audit log – one resulting from the
AUDITOPTIONS setting indicating that the command was initiated, and the
forcible logging indicating the successful completion of the command. If the
command does not complete successfully (e.g. because it was cancelled
by the user) then there will be no forcible logging, but the entry indicating
the command was initiated will still be there if the command was specified
in AUDITOPTIONS.
 The Audit Log is displayed with the most recent entries shown first.
Errors: None.
Example 1: Offline> AUDITLOG <Return>

Audit log is empty
Offline>

All Rights Reserved
Example 2: Offline> AUDITLOG <Return>

Audit Log (10 entries)
Counter Time Date Command/Event
---------------------------------------------------------
-----
0000000268 13:55:00 02/Jul/2013 Diagnostic self test
failure: Power
0000000267 16:45:07 01/Jul/2013 Authorized activity
admin..host was cancelled for LMK id 0
0000000266 16:45:05 01/Jul/2013 Authorized activity
admin..console:123 was cancelled
0000000265 15:54:02 01/Jul/2013 Key I/O command BK
executed
0000000264 15:35:55 01/Jul/2013 Activity
component..console:123 was authorized for LMK id 0
0000000263 15:08:48 01/Jul/2013 Smartcard activated:
20025151
0000000262 15:08:48 01/Jul/2013 Smartcard activated:
20025132
0000000261 10:42:32 01/Jul/2013 Host command CA,
response 00
0000000260 10:36:03 01/Jul/2013 Host command CA,
response 69
0000000259 10:34:57 01/Jul/2013 System restarted
0000000258 10:32:48 01/Jul/2013 Keylock turned to
Online
0000000257 10:32:21 01/Jul/2013 Console command CH
0000000256 09:01:56 01/Jul/2013 Diagnostic self tests
passed.
Offline>
After 20 entries are displayed continuously, the

following text is displayed:
Continue displaying audit log entries? [Y/N/C]:

All Rights Reserved

Clear the Audit Log (CLEARAUDIT) Online  Offline  Secure 
Command: CLEARAUDIT
Function: To clear the entries in the audit log.
HSM must be either in the Authorized State, or the activity audit.console
must be authorized, using the Authorizing Officer cards of the Management
LMK.
Inputs: None.
Outputs:  One of the following text messages:

 Audit Log Cleared
 Audit Log is empty
Errors:  Command only allowed from Secure-Authorized - the HSM is not in Secure
Example 1: Secure-AUTH> CLEARAUDIT <Return>

Warning! The HSM's audit log contains entries that have
not yet been printed.
Please confirm that you wish to delete the entire audit
log. [Y/N]: Y <Return>
Audit Log Cleared
Secure-AUTH>

All Rights Reserved

Audit Options (AUDITOPTIONS) Online  Offline  Secure 
Command: AUDITOPTIONS
Function: To configure the HSM's auditing functionality.

The HSM can be configured to monitor and record the following events:
 Execution of individual host command
 Execution of individual console command
 User interactions, including:
 System restart (e.g. power cycle)
 State transitions (i.e. Offline, Online, Secure)
 LMK installation / erasure
 Authorization activation/cancelling
 The running and result of automatic self tests.
 Error responses to Host commands
 Host connection failures resulting from deployment of Access Control Lists.
Authorization: The HSM must be in the secure state to use this command to change the
items to be audited. Additionally, the HSM must be either in the Authorized
State, or the activity audit.console must be authorized, using the Authorizing
Officer cards of the Management LMK.
The current list of items being audited can be viewed in online state.
Inputs:  Changes to configuration:

 Audited console commands:
o +CXX to enable auditing of console command XX
o –CXX to disable auditing of console command XX
The "?" character can be used as a wildcard when specifying the
commands.
 Audited host commands
o +HXX to enable auditing of host command XX
o –HXX to disable auditing of host command XX
The "?" character can be used as a wildcard when specifying the
commands.
 Audit Error responses to Host Commands (Y/N)
 Audit user actions (Y/N)
 Audit counter value
 Audit Utilization Data Resets (Y/N)
 Audit Automatic Self testing (Y/N)
 Audit ACL connection failures (Y/N)
Outputs:  Current & new configuration details:

 List of audited console commands
 List of audited host commands
 List of user actions
 Results of automatic self tests
 Audit counter value

All Rights Reserved
Notes:  Certain operations are always recorded in the Audit Log, irrespective of the
selections made using AUDITOPTIONS.
 At the console, this includes the following console commands:

o A, C, AUDITOPTIONS, RS, A5, A7, CONFIGPB, CONFIGCMDS,
CL, CS, CM, RESET, SNMPDEL, CH
 At the host interface, this includes the following host commands:
o Q6
 At payShield Manager, this include the following operations:
o Serial numbers of smartcards used to authenticate users at the HSM
or to payShield Manager.
o Enter/cancel single authorized state or change multi authorized state
o Create Authorizing officer card
o Generate CTA cards
o Create CASC cards
o Commission RACC cards
o Prepare Key RACC for commissioning
o Commission HSM
o Run diagnostics tests
o Set HSM data and time
o Configure alarms
o Configure PIN blocks
o Configure/reset fraud settings
o Configure enabled/disabled host commands
o Configure enabled/disabled console commands
o Configure audit settings
o Configure management interface settings
o Configure general interface settings
o Configure initial interface settings
o Set/Change HRK passphrase(s)
o Configure async/Ethernet/FICON host settings
o Clear Error log
o Clear Audit log
o Install or delete new or Old LMK
o Generate/Copy/Verify LMK
o SNMP user deleted
o Firmware update attempted
o Whitelist modified
o Import Certificate TLS Management
o Import Certificate Secure Host Comm
 Key and component entry at the Console or payShield Manager. This
relates to the following Console commands (or HSM equivalents):
o CV Generate a Card Verification Value
o FK Form Key from Components
o IK Import a Key
o IV Import a CVK or PVK
o LK Load LMK
o LO Move Old LMKs into Key Change Storage
o PV Generate a Visa PIN Verification Value
When key and component entry are forcibly logged in this way, the log
entry indicates successful completion of the action.
The user can, as in earlier versions of software, use AUDITOPTIONS to
specify that the key and component entry commands are logged: this will
normally result in 2 entries in the audit log – one resulting from the
AUDITOPTIONS setting indicating that the command was initiated, and the
forcible logging indicating the successful completion of the command. If the
command does not complete successfully (e.g. because it was cancelled
by the user) then there will be no forcible logging, but the entry indicating

All Rights Reserved
the command was initiated will still be there if the command was specified
in AUDITOPTIONS.
 Audit Error Responses to Host Commands: this setting allows any
relevant error responses to Host commands to be logged. In this context,
"relevant" means error responses which may indicate situations that
require investigation by the payShield 10K Administrators or Security
Officers. The use of this setting will therefore not log non-00 error
responses which are purely for information or which indicate "business as
usual" (e.g. a customer entering an incorrect PIN at a terminal).
 Auditing items (such as heavily used Host commands) which result in a
high rate of update to the Audit Log will impact negatively on performance
of the HSM.
 After completing the AUDITOPTIONS command, a reboot of the HSM may
be required in order to activate the new settings.
Errors:  Command only allowed from Offline-Authorized - the HSM is not in Offline
(or Secure) State, or the HSM is not authorized to perform this operation, or
both.
 Invalid Entry - the value entered is invalid.
 Card not formatted to save/retrieve HSM settings - Attempt with another
card? [Y/N]
Example: Secure-AUTH> AUDITOPTIONS
Audit User Actions: YES

Audit Error Responses to Host Commands: YES
Audit utilization data resets: NO
Audit diagnostic self tests: NO
Audit ACL connection failures: NO
Audit Counter Value:
0000000223
List of Audited Console Commands:
List of Audited Host Commands:
Audit User Actions? [Y/N]: y
Audit Error Responses to Host Commands? [Y/N]: n
Audit Utilization Data Resets? [Y/N]: y
Audit Automatic Self Testing? [Y/N]: y
Audit ACL connection failures? [Y/N]: y
Current Audit Counter value is: 0000000223

Enter new value (decimal digits only) or <Return> for no
change:
Modify Audited Command List? [Y/N]: y

Enter command code (e.g. +CDE) or Q to Quit: +CDE
Enter command code (e.g. +CDE) or Q to Quit:
Enter command code (e.g. +CDE) or Q to Quit: q
Audit User Actions: YES

Audit Error Responses to Host Commands: NO
Audit utilization data resets: YES
Audit diagnostic self tests: YES
Audit ACL connection failures: YES

All Rights Reserved
Audit Counter Value:

0000000223
List of Audited Console Commands:
List of Audited Host Commands:
Save Audit Settings to Smartcard? [Y/N]: n

Secure-AUTH>

All Rights Reserved
8.3 Time and Date Commands

The SETTIME command is used to set the system time and date used by the payShield 10K for the audit log
entries. The user should use this command to adjust the time for the local time zone. The time and date can be
queried using the GETTIME command.

Set the time (SETTIME) 151
Query the Time and Date (GETTIME) 152
Set Time for Automatic Self-Tests (ST) 153

All Rights Reserved

Set the time (SETTIME) Online  Offline  Secure 
Command: SETTIME
Function: To set the system time and date used by the HSM.
must be authorized, using the Authorizing Officer cards of the Management
LMK.
Inputs:  The time in hours and minutes.

 The date in year, month and day.
Outputs:  Text messages, as in the example below.
Errors:  Command only allowed from Secure-Authorized - the HSM is not in

Secure State, or the HSM is not authorized to perform this operation, or
both.
 Response invalid. Re-enter - an invalid value has been entered.
Example: Secure-AUTH> SETTIME <Return>

Enter hours [HH](24 hour format): 10 <Return>
Enter minutes [MM]: 08 <Return>
Enter year [YYYY] (2009 or above): 2014 <Return>
Enter month [MM]: 02 <Return>
Enter day [DD]: 12 <Return>
The system time has been modified.
Secure-AUTH>
Setting the date or time back may prevent the payShield Manager from allowing a user to login. Care must
be taken when changing the date back such that it is not earlier than the creation date/time of any of the
smartcards that will be used to access the HSM.

All Rights Reserved

Query the Time and Date (GETTIME) Online  Offline  Secure 
Command: GETTIME
Function: To query the system time and date.
Inputs: None.
Outputs:  The year, month and date.

 The time in hours, minutes and seconds.
Errors: None.
Example: Online> GETTIME <Return>

System date and time: Feb 12 10:08:19 2014
Online>

All Rights Reserved

Set Time for Automatic Self-Tests (ST) Online  Offline  Secure 
Command: ST
Function: Reports the time of day when the daily automatic self-tests required for PCI
HSM compliance will be run, and allows this time to be changed.
Inputs: Time of day.
Outputs: None
Errors: None.
Notes:  The default time for running the diagnostics is 0900.
Example: Secure> ST <Return>
Self test run time is 09:00.
Change? [Y/N]: y <Return>
Enter hour [HH] (24 hour format): 13 <Return>

Enter minute [MM]: 55 <Return>
Self test run time changed to 13:55.
Secure>

All Rights Reserved
8.4 Settings, Storage and Retrieval Commands

Commands are provided to save the payShield 10K's Alarm, Host and Security settings to a smartcard and to
restore the settings to the HSM. Besides the dedicated command to Save HSM Settings to Smartcard, the
following individual configuration commands have the option to save settings to smartcard:
 CL (Configure Alarms) to save the Alarm configuration.
 CH (Configure Host Port) to save the Host port configuration.
 CS (Configure Security) to save the Security configuration.
 AUDITOPTIONS (Audit Options) to save the Audit configuration.

Save HSM Settings to a Smartcard (SS) 155
Retrieve HSM Settings from Smartcard (RS) 156

All Rights Reserved

Save HSM Settings to a Smartcard (SS) Online  Offline  Secure 
Command: SS
Function: To save the Alarm, Host Port, Security, Audit, Command, and PIN Block settings to a
smartcard (RACCs are supported).
Authorization: The HSM must be in the secure state to run this command. Additionally, the HSM must
be either in the Authorized State, or the activity admin.console must be authorized,
using the Authorizing Officer cards of the Management LMK.
Outputs:  Confirmation messages that Alarm, Host, Security, Audit, Command, and PIN Block
settings are saved.

Attempt with another card? [Y/N] - card is not formatted for storing HSM settings.
 Card not formatted. Attempt with another card? [Y/N] - card is not formatted.
 Command only allowed from Secure-Authorized - the HSM is not in Secure State, or
the HSM is not authorized to perform this operation, or both.
Example: Secure-AUTH> SS <Return>

ALARM settings saved to the smartcard.
HOST settings saved to the smartcard.
AUDIT settings saved to the smartcard.
COMMAND settings saved to the smart card.
PIN BLOCK settings saved to the smart card.
Secure-AUTH>

All Rights Reserved

Retrieve HSM Settings from Online  Offline  Secure 
Smartcard (RS) Authorization: Required
Command: RS
Function: To read the Alarm, Host Port, Security, Audit, Command, and PIN Block settings from
a smartcard. The user is then prompted to use these to overwrite the existing HSM
settings. If the settings on the smartcard were saved using a configuration command
(CL, CH, CS and AUDITOPTIONS), then only those settings are overwritten.
Authorization: The HSM must be in the secure state to run this command. Additionally, the HSM
must be either in the Authorized State, or the activity admin.console must be
authorized, using the Authorizing Officer cards of the Management LMK.
Inputs:  Whether to overwrite each of the groups of saved settings.
Outputs:  The Alarm, Host, Security, Audit, Command, and PIN Block settings stored on the
smartcard are listed.

Attempt with another card? [Y/N] - card is not formatted for storing HSM settings.
 Card not formatted. Attempt with another card? [Y/N] - card is not formatted.
 Command only allowed from Secure-Authorized - the HSM is not in Secure State, or

All Rights Reserved
Example: Secure-AUTH> RS <Return>

Temperature Alarm: ON
Motion Alarm: HIGH
Self Test Run Time: 09:00
Overwrite alarm settings with the settings above? [Y/N]: Y
<Return>
ALARM settings retrieved from smartcard

Protocol: ETHERNET
Character format: ASCII
UDP active: YES
TCP active: YES
TLS active: YES
Number of TCP connections: 1
Number of host interfaces: 1
Overwrite host settings with the settings above? [Y/N]: n

<Return>
PIN length: 04
Old encrypted PIN length: 05
Echo: OFF
Transaction key support: AUSTRALIAN
Enable X9.17 for import: YES
Enable X9.17 for export: YES
Single-DES: ENABLED
Prevent single-DES keys from masquerading as double or triple-
length keys: NO
ZMK length: DOUBLE
Decimalization tables: PLAINTEXT
Decimalization table checks enabled: YES
YES
BINARY
Restrict key check values to 6 hex chars : YES
Enable PIN block format 34 as output format for PIN
Enable PIN block account number translations: NO
Key export and import in trusted format only: NO

All Rights Reserved

Enforce Atalla variant match to Thales key type: NO
Card/password authorization: C
Restrict PIN block usage for PCI Compliance: NO
Enforce key type separation for PCI Compliance: NO
Overwrite security settings with the settings above? [Y/N]: Y
<Return>
SECURITY settings retrieved from smartcard.
User Action: ENABLED

Audit Counter: 00000183
24 Audited Mgmt commands
0 Audited Host commands
Audit Host Errors: DISABLED
0 Audited Console commands
Overwrite auditlog settings with the settings above? [Y/N]: n
<Return>
0 Blocked Host commands

0 Blocked Console commands
Overwrite command settings with the settings above? [Y/N]: n
<Return>
Pin Block Format 01: ENABLED

Overwrite pin block settings with the settings above? [Y/N]: n
<Return>
Secure-AUTH>

All Rights Reserved
8.5 Key Management Commands

The payShield 10K provides the following host commands to support generic key management operations using
the 3DES/AES algorithm:

Generate Key Component (GC) 160
Generate Key and Write Components to Smartcard (GS) 163
Encrypt Clear Component (EC) 167
Form Key from Components (FK) 170
Generate Key (KG) 177
Import Key (IK) 183
Export Key (KE) 187
Generate a Check Value (CK) 191
Set KMC Sequence Number (A6) 193
Convert (KEK) ZMK into a KEKr or KWKs (EA) 194

All Rights Reserved

Generate Key Component (GC) Online  Offline  Secure 
Activity: component.{key}.console
Command: GC
Function: To generate a 3DES/AES key component and display it in plain and encrypted
forms.
Variant LMK Key Block LMK
Authorization: The HSM must be in the Authorized The HSM must be in the Authorized State, or the
State, or the activity activity component.{key}.console must be
component.{key}.console must be authorized, where 'key' is the key usage code of
authorized, where 'key' is the key the key component being generated.
type code of the key component
being generated.
Inputs:  LMK Identifier: 00-99.  LMK Identifier: 00-99.

 Key Length: 1 (single), 2 (double),  Key Algorithm (if AES LMK): 3DES or AES
3 (triple).  Key Length: Single/Double/Triple length DES
 Key Type: See the Key Type key or (if AES LMK) 128/192/256-bit AES key.
Table in Chapter 7 of the  Key Scheme:
payShield 10K Host  Key Usage: See the Key Usage Table in
Programmer's Manual. Chapter 8 of the payShield 10K Host
 Key Scheme: Programmer's Manual.
 Mode of Use: See the Mode of Use Table in
Chapter 8 of the payShield 10K Host
Programmer's Manual.
 Component Number: 1-9.
 Exportability: See the Exportability Table in
Chapter 8 of the 10K Host Programmer's
Manual.
 Optional Block data.
Outputs:  Clear text key component.  Clear text key component.

 Key component encrypted under  Key Block containing the component encrypted
an appropriate variant of the under the selected LMK.
selected LMK.  Component check value.
 Component check value.
Notes:  To generate an AES key component requires the command to use an AES
Key Block LMK.
 When generating key components encrypted by a Key Block LMK, the
"Component Number" field stored within the component's key block header
can be used to help identify individual components. Note, however, that this
field is not examined or used by the HSM's FK command when forming a key
from these components.
 Invalid key type; re-enter - the key type is invalid. See the Key Type Table in
the payShield 10K Host Programmer's Manual.
 Invalid key scheme for key length - the Key Scheme is inappropriate for Key
length.
 Invalid key scheme - an invalid key scheme is entered.

All Rights Reserved
 Internal failure 12: function aborted - the contents of LMK storage have been
corrupted or erased. Do not continue. Inform the Security Department.
 Various key block field errors – the value entered is invalid, or incompatible
with previously entered values.
Example 1: This example generates a double length DES key component in plaintext & encrypted form.
(Variant LMK)
Online-AUTH> GC <Return>
Enter key length [1,2,3]: 2 <Return>
Enter key type: 001 <Return>
Enter key scheme: U <Return>
Clear Component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted Component: UYYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Key check value: ZZZZZZ
Online-AUTH>
(3DES Key Block
LMK) Online-AUTH> GC <Return>
Enter key scheme: S <Return>
Enter key usage: P0 <Return>
Enter mode of use: N <Return>
Enter component number [1-9]: 2 <Return>
Enter exportability: E <Return>
Enter optional blocks? [Y/N]: N <Return>
Clear component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
Encrypted component: S YYYYYYYY……YYYYYY
Online-AUTH>
(AES Key Block
Enter algorithm type [D=DES, A=AES]: D <Return>
Online-AUTH>
Example 4: This example generates a 128-bit AES key component in plaintext & encrypted form.
(AES Key Block
Enter algorithm type [D=DES, A=AES]: A <Return>
Enter key usage: K0 <Return>

All Rights Reserved
Online-AUTH>

All Rights Reserved

Generate Key and Write Online  Offline  Secure 
Components to Smartcard (GS) Authorization: Required
Command: GS
Function: Generates a 3DES/AES key in 2 to 3 component and write the components to

smartcards.
Authorization: The HSM must be in the Authorized The HSM must be in the Authorized
State, or the activity State, or the activity
component.{key}.console must be component.{key}.console must be
authorized, where 'key' is the key authorized, where 'key' is the key
type code of the key being usage code of the key being
generated. generated.

 Key Length: 1 (single), 2 (double),  Key Algorithm (if AES LMK): 3DES or
3 (triple). AES
 Key Type: See the Key Type  Key Length: Single/Double/Triple
Table in the Host Programmer's length DES key or (if AES LMK)
Manual. 128/192/256-bit AES key.
 Key Scheme.  Key Scheme.
 Number of components: 2-3.  Number of components: 2-3.
 Smartcard PINs. PINs must be  Key Usage: See the Key Usage
entered within 60 seconds of Table in the Host Programmer's
being requested. Manual.
 Mode of Use: See the Mode of Use
Table in the Host Programmer's
Manual.
 Key Version Number: 00-99.
 Exportability: See the Exportability
Manual.
 Smartcard PINs. PINs must be
entered within 60 seconds of being
requested.
Outputs:  Key encrypted under an  Key Block containing the key

appropriate variant of the selected encrypted under the selected LMK.
LMK.  Key check value.
 Key check value.
Notes  To generate an AES key requires the command to use an AES Key Block
LMK.
 If multiple copies of a smartcard are required, these must be created when
running the GS console command. It is not possible to duplicate these
smartcards once the GS console command has completed.
 Warning - card not blank. Proceed? [Y/N] - the smartcard entered is not
blank.

All Rights Reserved
 Overwrite key component? [Y/N] - the smartcard already contains a key

component. It can be overwritten if desired.
 Device write failed - the component could not be verified.
 Invalid key scheme for key length - the Key scheme is inappropriate for Key
length.
 Invalid key type; re-enter - the key type is invalid. See the Key Type Table in
the Host Programmer's Manual.
 Invalid entry - an invalid number of components has been entered.
 Not an LMK card - card is not formatted for LMK or key storage.
 Command only allowed from Authorized - the HSM is not authorized to
perform this operation.
 Internal failure 12: function aborted - the contents of LMK storage have
been corrupted or erased. Do not continue. Inform the Security Department.
Example 1: This example writes two double length DES key components to two
(Variant LMK) smartcards, and encrypts the formed key.
Online-AUTH> GS <Return>
Enter key scheme: 0 <Return>
Enter number of components [2-3]: 2 <Return>
Insert card 1 and enter PIN: ******** <Return>
Make additional copies? [Y/N]: N <Return>
Encrypted key: YYYY YYYY YYYY YYYY
Online-AUTH>

All Rights Reserved
Example 2: This example generates and writes two double length 3DES key
(3DES Key Block components to two smartcards, and encrypts the formed key.
LMK)
Enter key version number: 00 <Return>
Enter optional blocks? [Y/N]: Y <Return>
Enter optional block identifier: 00 <Return>
Enter optional block data: L <Return>
Enter more optional blocks? [Y/N]: N <Return>
Encrypted key: S YYYYYYYY……YYYYYY
Online-AUTH>
Example 3: This example generates and writes two double length 3DES key
(AES Key Block components to two smartcards, and encrypts the formed key.
LMK)
Enter algorithm [3DES/AES]: 3 <Return>
Online-AUTH>
Example 4: This example generates and writes two128-bit AES key components to two
(AES Key Block smartcards, and encrypts the formed key.
LMK)
Enter algorithm [3DES/AES]: A <Return>

All Rights Reserved

Online-AUTH>

All Rights Reserved

Encrypt Clear Component (EC) Online  Offline  Secure 
Command: EC
Function: To encrypt a clear text 3DES/AES key component and display the result at
the console.
If a 3DES key component does not have odd parity, odd parity will be forced
before encryption by the selected LMK.
Authorization: The HSM must be in the Authorized The HSM must be in the Authorized
State, or the activity State, or the activity
component.{key}.console must be component.{key}.console must be
authorized, where 'key' is the key authorized, where 'key' is the key
type code of the component being usage code of the component being
encrypted. encrypted.

 Key Type: See the Key Type  Component Algorithm (if AES LMK):
Table in the Host Programmer's 3DES or AES
Manual.  Component Length:
 Key Scheme. Single/Double/Triple length DES
 Clear Component: 16/32/48 hex key or (if AES LMK) 128/192/256-bit
digits. AES key.
 Key Scheme.
 Key Usage: See the Key Usage
Manual.
Manual.
 Component Number: 1-9.
Manual.
 Clear Component: 16/32/48 hex
digits.
Outputs:  Component encrypted under an  Key Block containing the

appropriate variant of the selected component encrypted under the
LMK. selected LMK.
 Component check value.  Component check value.
Notes  To encrypt an AES key component requires the command to use an AES
Key Block LMK.
 Data invalid; please re-enter - the input data does not contain 16 or 32 or
48 hexadecimal characters. Re-enter the correct number of hexadecimal
characters.
 Invalid key type; re-enter - the key type is invalid. See the Key Type Table
in the Host Programmer's Manual.

All Rights Reserved

been corrupted or erased. Do not continue. Inform the Security
Department.
Example 1: This example encrypts a plaintext double length DES key component.
(Variant LMK)
Online-AUTH> EC <Return>
Enter key Scheme: U <Return>
Enter component: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Encrypted component: U YYYY YYYY YYYY YYYY YYYY YYYY
YYYY YYYY
Online-AUTH>
(3DES Key Block
LMK) Online-AUTH> EC <Return>
Enter component length [1,2,3]: 2 <Return>
<Return>
Online-AUTH>
(AES Key Block
Enter key usage: D0 <Return>
<Return>

All Rights Reserved
Online-AUTH>
Example 4: This example encrypts a plaintext 128-bit AES key component.

(AES Key Block
<Return>
Online-AUTH>

All Rights Reserved

Form Key from Components (FK) Online  Offline  Secure 
Command: FK
Function: To build a 3DES/AES key from components. If clear 3DES key components
are used, they will not be checked for parity, but odd parity will be forced on
the final key before encryption under the selected LMK.
Authorization: The HSM must be in the The HSM must be in the Authorized
Authorized State, or the activity State, or the activity
component.{key}.console must component.{key}.console must be
be authorized, where 'key' is the authorized, where 'key' is the key usage
key type code of the key being code of the key being formed.
formed.

3 (triple). AES
 Key Type: See the Key Type  Key Length: Single/Double/Triple
Table in the Host Programmer's length DES key or (if AES LMK)
Manual. 128/192/256-bit AES key.
 Key Scheme. Must be U, T, or  Key Scheme.
None/Z.  Component Type (for AES keys): X
 Component Type: X (xor), H (xor), E (encrypted), S (smartcard),
(half), E (encrypted), S  Component Type (for DES keys): X
(smartcard), T (third). (xor), E (encrypted), S (smartcard), H
 Number of Components: 1-9 if the (half), T (third).
security setting "AU Components"  Number of Components: 1-9 if the
has been set to "NO", otherwise security setting "Enforce Multiple Key
2-9. Components" has been set to "NO",
 Clear Components: 16/32/48 hex otherwise 2-9.
digits.  Key Usage: See the Key Usage Table
Manual.
Manual.
 Clear Components: 16/32/48 hex digits.
Outputs:  Key encrypted under an  Key Block containing the component

LMK.  Key Check Value.
 Key Check Value.
Notes:  To form an AES key requires the command to use an AES Key Block LMK.
 PINs must be entered within 60 seconds of being requested.
 When using key components encrypted by a Key Block LMK, the FK
command ignores the "Component Number" field stored within each
component key block.

All Rights Reserved
 Incompatible header values - the field values are incompatible between
components.
 Incompatible key status optional blocks - there is a mismatch between the
values contained in one or more key status optional blocks.
 Key all zero - the key is invalid.
 Invalid entry - an invalid number of components has been entered.
 Data invalid; please re-enter - the amount of input data is incorrect. Re-
enter the correct number of hexadecimal characters.
 No component card - no key component on the provided smartcard.
Notes:  Component type H is not permitted for Triple – DES keys.

Example 1: This example forms a key from plaintext component.

(Variant LMK)
Online-AUTH> FK <Return>
Enter key length[1,2,3]: 2 <Return>
Component type [X,H,E,S,T]: X <Return>
Enter component 1: **** **** **** **** **** **** ****

**** <Return>
Component 1 check value: XXXXXX
Continue? [Y/N]: y <Return>
Enter component 2: **** **** **** **** **** **** ****

**** <Return>
Encrypted key: U YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Online-AUTH>
Example 2: This example forms a key from components on a smartcard.

(Variant LMK)
Component type [X,H,E,S,T]: S <Return>

All Rights Reserved
Enter number of components (1-9): 2 <Return>


Online-AUTH>
Example 3: This example forms a key from encrypted components.

(Variant LMK)
Component type [X,H,E,S,T]: E <Return>
Enter component 1: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX

XXXX <Return>

XXXX <Return>
Online-AUTH>

All Rights Reserved
Example 4: The security settings require that multiple components are used to form keys,
(Variant LMK) but the user attempts to form a key from one component.
Component type [X,H,E,S,T]: E <Return>
Invalid Entry

XXXX <Return>

XXXX <Return>
Online-AUTH>

All Rights Reserved
Example 5: This example forms a single length DES key from plaintext components.
(3DES Key Block
LMK) Online-AUTH> FK <Return>
Enter component 1: **** **** **** **** <Return>

Enter component 2: **** **** **** **** <Return>


Online-AUTH>
Example 6: This example forms a double length 3DES key from components on a
(3DES Key Block smartcard.
LMK)
Enter Key Length[1,2,3]: 2 <Return>
Component type [X,H,E,S,T]: S <Return>



Online-AUTH>
Example 7: This example forms a double length 3DES key from plaintext components.
(AES Key Block

All Rights Reserved

Enter component 1: **** **** **** **** **** **** ****

**** <Return>
Enter component 2: **** **** **** **** **** **** ****

**** <Return>

Online-AUTH>
Example 8: This example forms a 128-bit AES key from components on a smartcard.
(AES Key Block
Component type [X,E,S]: S <Return>



Online-AUTH>
Example 8: This example forms a 128-bit AES key from encrypted components.
(AES Key Block
Component type [X,E,S]: E <Return>
Enter optional block data: 2005:12:21:00 <Return>
Enter more optional blocks? [Y/N]: Y <Return>
Enter component 1: S XXXXXXXX……XXXXXX <Return>


All Rights Reserved



Online-AUTH>

All Rights Reserved

Generate Key (KG) Online  Offline  Secure 
Variant LMK
Authorization: Determined by KTT(G&E)
Activity: generate.{key}.console and
export.{key}.console
Key Block LMK

Authorization: If export to non-KB.
Activity: export.{key}.console
Command: KG
Function: To generate a random 3DES/AES key and return it encrypted under the LMK
and optionally under a ZMK (for transmission to another party).

Authorization: This command examines the The authorization requirement for this
'Generate' flag of the given key type command depends solely on the type of
within the Key Type Table to export being requested:
determine the authorization
requirement. If the flag is 'A', the Exported key scheme Authorization
HSM must either be in the No export None
Authorized State, or the activity 'S' (Thales Key None
generate.{key}.console must be Block)
authorized, where 'key' is the key 'R' (TR-31 Key Block) None
type code of the key being 'U', 'T' (Variant) Required
generated. 'Z', 'X', 'Y' (X9.17) Required
If the generated key is required to
be exported under the ZMK, this If authorization is required, the HSM must
command also examines the either be in the Authorized State, or the
'Export' flag of the given key type activity export.{key}.console must be
within the Key Type Table. If the flag authorized, where 'key' is the key usage
is 'A', the HSM must either be in the code of the key being exported.
Authorized State, or the activity
export.{key}.console must be
authorized, where 'key' is the key
type code of the key being exported.

3 (triple). AES
 Key Type: See the Key Type Table  Key Length: Single/Double/Triple
in the Host Programmer's Manual. length DES key or (if AES LMK)
 Key Scheme (LMK). 128/192/256-bit AES key.
 Key Scheme (ZMK) (if exporting).  Key Scheme (LMK).
 ZMK (if exporting).  Key Scheme (ZMK) (if exporting).
 Key Block values if exporting to  ZMK (if exporting).
TR-31 format  Key Usage: See the Key Usage Table
Manual.

All Rights Reserved

Manual.
 Exportability of exported key (if
exporting).
Outputs:  Key encrypted under an  Key Block containing the key encrypted
appropriate variant of the selected under the selected LMK.
LMK.  Key/Key Block encrypted under the
 Key/Key Block encrypted under ZMK (if exporting).
the ZMK (if exporting).  Key Check Value.
Notes:  To generate an AES key or to use an AES ZMK requires the command to
use an AES Key Block LMK.
 For security reasons, when using a Key Block LMK, this command will not
support the export of a DEK (Key Usage = "D0" or "21") to variant or X9.17
format.
 Must be in Authorized State or Activity not authorized - the key type
provided requires the HSM to be in Authorized State.
 Data invalid; please re-enter - the encrypted ZMK does not contain the
correct characters, or the key check value does not contain 6 hexadecimal
characters. Re-enter the correct number of hexadecimal characters.
 Key parity error; please re-enter - the ZMK does not have odd parity on
each byte. Re-enter the encrypted ZMK and check for typographic errors.
 Invalid key scheme for key length - the Key scheme is inappropriate for Key
length.
 Invalid key scheme - the key scheme is invalid.
Example 1: This example generates a new double length DES key.

(Variant LMK)
Online> KG <Return>
Enter key scheme (LMK): U <Return>
Enter key scheme (ZMK): <Return>
Enter ZMK: <Return>
Key under LMK: U YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Key Check value: ZZZZZZ
Online>
Example 2: This example generates a new double length DES key, and exports it to
(Variant LMK) X9.17 format.
Online-AUTH> KG <Return>

All Rights Reserved
Enter key scheme (ZMK): X <Return>

Enter ZMK: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Key under ZMK: X YYYY YYYY YYYY YYYY YYYY YYYY YYYY YYYY
Online-AUTH>
Example 3: This example generates a new double length DES key, and exports it to TR-
(Variant LMK) 31 format.
Enter key scheme (ZMK): R <Return>
<Return>
Enter exportability: N <Return>
Enter TR-31 optional blocks? [Y/N]: Y <Return>
Enter TR-31 optional block identifier: TS <Return>
Enter optional block data: 2022-09-26T16:06:00Z <Return>
Enter more TR-31 optional blocks? [Y/N]: Y <Return>
Enter TR-31 optional block identifier: KC <Return>
The KCV is inserted into TR-31 optional block data
automatically.
Enter TR-31 optional block identifier: KP <Return>
automatically.
Enter TR-31 optional block identifier: 00 <Return>
Enter optional block data: ABCD4 <Return>
Enter optional block data: 123456EF <Return>
Enter more TR-31 optional blocks? [Y/N]: N <Return>
Key under ZMK: R YYYYYYYY……YYYYYY
Online-AUTH>
Example 4: This example generates a new double length DES key, and exports it to
(3DES Key Block X9.17 format.
LMK)
Enter key scheme (LMK): S <Return>
Enter ZMK: S XXXXXXXX……XXXXXX <Return>

All Rights Reserved

Key under LMK: S YYYYYYYY……YYYYYY
Online-AUTH>

All Rights Reserved
Example 5: This example generates a new double length DES key, and exports it to TR-31
(3DES Key Block format.
LMK)
Online> KG <Return>
Enter key usage: 72 <Return>
Enter exportability field for exported key block: <Return>
Enter TR-31 optional block identifier: KS <Return>
Enter optional block data: 0E11111111 <Return>
Enter TR-31 optional block identifier: IK <Return>
Enter optional block data: 112233445566778 <Return>
automatically.
automatically.
Enter TR-31 optional block identifier: KV <Return>

Online>
Example 6: This example generates a new double length DES key.

(AES Key Block
LMK) Online-AUTH> KG <Return>

All Rights Reserved

Online-AUTH>
Example 7: This example generates a new 128-bit AES key.

(AES Key Block
LMK) Online-AUTH> KG <Return>
Online-AUTH>

All Rights Reserved

Import Key (IK) Online  Offline  Secure 
Activity: command.ik.console
Command: IK
Function: To import a 3DES/AES key from encryption under a ZMK to encryption

under an LMK.
If an imported 3DES key does not have odd parity a warning will be issued
and odd parity will be forced on the key before encryption under the
specified LMK.
Authorization: The HSM must either be in the Authorized State, or the activity
command.ik.console must be authorized.

 Key Type: See the Key Type  Key Scheme (LMK).
Table in the Host Programmer's  ZMK to be used to decrypt the key.
Manual.  Key/Key Block to be imported.
 Key Scheme (LMK).
 ZMK to be used to decrypt the For import from Variant/X9.17:
key.  Key Usage: See the Key Usage Table
 Key/Key Block to be imported. in the payShield 10K Host
Table in the payShield 10K Host
For import from a key block format:

 Modified Key Usage
Outputs:  Key encrypted under an  Key Block containing the key

LMK.  Key Check Value.
Notes:  To import an AES key or to use an AES ZMK requires the command to
use an AES Key Block LMK.
support the import of a DEK (Key Usage = "D0" or "21") from variant or
X9.17 format.
 If the option "Enforce Atalla variant match to Thales key type" is set to YES
in the CS console command, the following matchings between Atalla
variant and Thales variant key types will be enforced:

All Rights Reserved
Key Type Atalla Thales Variant (*) Thales Variant ()

Variant
TPK 1 or 01 002 LMK 14-15 70D LMK 36-37/7
ZPK 001 LMK 06-07 001 LMK 06-07
ZEK 2 or 02 00B LMK 32-33 00B LMK 32-33
00A LMK 30-31 00A LMK 30-31
TAK 3 or 03 003 LMK 16-17 003 LMK 16-17
ZAK 008 LMK 26-27 008 LMK 26-27
CVK 402 LMK 14-15/4 402 LMK 14-15/4
TMK 4 or 04 002 LMK 14-15 80D LMK 36-37/8
TPK
PVK 002 LMK 14-15 70D LMK 36-37/7
002 LMK 14-15 002 LMK 14-15
TMK 5 or 05 002 LMK 14-15 80D LMK 36-37/8
BDK type-1 8 or 08 009 LMK 28-29 009 LMK 28-29
MK-AC 9 or 09 109 LMK 28-29/1 109 LMK 28-29/1
MK-SMI 9 or 09 209 LMK 28-29/2 209 LMK 28-29/2
MK-SMC 9 or 09 309 LMK 28-29/3 309 LMK 28-29/3
TEK 26 30B LMK 32-33/3 30B LMK 32-33/3
BDK type-2 30 609 LMK 28-29/6 609 LMK 28-29/6
BDK type-3 8 or 08 809 LMK 28-29/8 809 LMK 28-29/8
* Applies if the security setting "Enforce key type 002 separation for PCI
HSM compliance" has the value "N"
ø
Applies if the security setting "Enforce key type 002 separation for PCI
HSM compliance" has the value "Y"
 Data invalid; please re-enter - the encrypted ZMK does not contain the
correct characters, or the key check value does not contain 6 hexadecimal
characters. Re-enter the correct number of hexadecimal characters.
 Key parity error; re-enter key - the parity of the ZMK is not odd.
 Warning: key parity corrected - the parity of the key encrypted under the
ZMK is not odd.
Department.
Example 1: This example imports a key from X9.17 format.

(Variant LMK)
Online> IK <Return>
Enter Key type: 002 <Return>
Enter Key Scheme: U <Return>

All Rights Reserved
<Return>
Enter key: X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Example 2: This example imports a key from TR-31 format.

(Variant LMK)
Online> IK <Return>
<Return>
Enter key: R XXXXXXXX……XXXXXX <Return>
Online>
Example 3: This example imports a key from X9.17 format.

(3DES Key Block
LMK) Online-AUTH> IK <Return>
Enter key: X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Online-AUTH>
Example 4: This example imports a key from TR-31 format. Note that a new (more
(3DES Key Block restrictive) value for the imported key block's Key Usage field is entered
LMK) during the import process.
Online> IK <Return>
Enter key: R XXXXXXXX……XXXXXX <Return>
Enter modified key usage: 72 <Return>
Online>

All Rights Reserved
Example 5: This example imports a key from Thales Key Block format.
(3DES or AES Key
Block LMK) Online> IK <Return>
Enter key: S XXXXXXXX……XXXXXX <Return>
Online>

All Rights Reserved

Export Key (KE) Online  Offline  Secure 
Variant LMK
Authorization: Determined by KTT(E)
Key Block LMK

Authorization: If export to non-KB
Command: KE
Function: To translate a 3DES/AES key from encryption under the specified LMK to
encryption under a ZMK.
Authorization: This command examines the The authorization requirement for this
'Export' flag of the given key type command depends on the type of
within the Key Type Table to export being requested:
determine whether authorization is
required. If required, the HSM must Exported key
Authorization
either be in the Authorized State, or scheme
the activity export.{key}.console 'S' (Thales Key None
must be authorized, where 'key' is Block)
the key type code of the key being 'R' (TR-31 Key None
exported. Block)
'U', 'T' (Variant) Required
'Z', 'X', 'Y' (X9.17) Required
If authorization is required, the HSM

must either be in the Authorized State,
or the activity export.{key}.console
must be authorized, where 'key' is the
key usage code of the key being
exported.
For AES LMKs, keys can only be

exported in Thales Key Block format.

 Key Type: See the Key Type  Key Scheme (ZMK).
Table in the Host Programmer's  ZMK to be used to encrypt the key.
Manual.  Key to be exported.
 Key Scheme (ZMK).
 ZMK to be used to encrypt the For export to key block format:
key.  Exportability of exported key.
 Key to be exported.
For export to Thales Key Block &
TR-31:
 Key Usage: See the Key Usage
Manual.
 Mode of Use: See the Mode of
Use Table the payShield 10K
Host Programmer's Manual.

All Rights Reserved

Note export from a Variant LMK to
Thales Key Block is not permitted.
Outputs:  Key/Key Block encrypted under  Key/Key Block encrypted under the
the ZMK. ZMK.
 Key Check Value.  Key Check Value.
Notes:  To export an AES key or to use an AES ZMK requires the command to use
an AES Key Block LMK.
support the export of a DEK (Key Usage = "D0" or "21") to variant or X9.17
format.
 Data invalid; please re-enter - the encrypted ZMK or key does not contain
16 or 32 hex or 1 alpha + 32 hex or 1 alpha + 48 hex. Re-enter the correct
number of hexadecimal characters.
 Key parity error; re-enter key - the ZMK or key does not have odd parity on
each byte. Re-enter the key and check for typographic errors.
the payShield 10K Host Programmer's Manual.
Department.

All Rights Reserved
Example 1: This example exports a key to X9.17 format.

(Variant LMK)
Online-AUTH> KE <Return>
Enter Key Scheme: X <Return>
<Return>
Enter key: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Online-AUTH>
Example 2: This example exports a key to TR-31 format.

(Variant LMK)
Online-AUTH> KE <Return>
<Return>
<Return>
automatically.
automatically.

Online-AUTH>
Example 3: This example exports a key to X9.17 format.

(3DES Key Block
LMK) Online-AUTH> KE <Return>

All Rights Reserved
Online-AUTH>
Example 4: This example exports a key to TR-31 format.

(3DES Key Block
LMK) Online> KE <Return>
Enter exportability field for exported key block:
<Return>
Enter TR-31 optional block identifier: KS <Return>
Enter optional block data: 0E11111111 <Return>
Enter TR-31 optional block identifier: IK <Return>
automatically.
automatically.
Enter TR-31 optional block identifier: KV <Return>

Online>
Example 5: This example exports a key to Thales Key Block format.

(3DES or AES Key
Block LMK) Online> KE <Return>
Enter key scheme (ZMK): S <Return>
Enter exportability field for exported key block:
<Return>
Key under ZMK: S YYYYYYYY……YYYYYY
Online>

All Rights Reserved

Generate a Check Value (CK) Online  Offline  Secure 
Variant LMK
Authorization: Required if  6 digits
Activity: generate.{key}.console
Key Block LMK

Authorization: Not required.
Command: CK
Function: To generate a key check value (KCV) for a 3DES/AES key encrypted under a
specified LMK.
Authorization: This command only requires The HSM does not require any
authorization when calculating authorization to run this command.
either 8 or 16 digit Key Check Note: Key Check Values of key blocks
Values. If required, the HSM must are always 6-digits in length.
either be in the Authorized State, or
the activity
generate.{key}.console must be
authorized, where 'key' is the key
type of the key being used.
Regardless of the authorization
requirement, this command
examines the 'Generate' flag of the
given key type within the Key Type
Table to determine whether the
check value can be calculated.

 Key Type: See the Key Type  Key.
Manual.
 Key Length: 1 (single), 2
(double), 3 (triple).
 Key.
Outputs:  Key Check Value.  Key Check Value.

All Rights Reserved
 Incompatible LMK schemes - the LMK schemes are different.
 Data invalid; please re-enter - incorrect number of characters.
 Key parity error; re-enter key - the entered key does not have odd parity
on each byte. Re-enter the complete line (key and Key-Type code) and
check for typographic errors.
in the payShield 10K Host Programmer's Manual.
Department.
 Various key block field errors – the value entered is invalid, or
incompatible with previously entered values.
Example 1: This example generates a check value of a key.

(Variant LMK)
Online-AUTH> CK <Return>
Enter key type code: 001 <Return>
Enter key length flag [S/D/T]: D <Return>
Enter encrypted key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX
XXXX <Return>
Key check value: ZZZZ ZZZZ ZZZZ ZZZZ
Online-AUTH>
Example 2: This example generates a check value of a key.

(Key Block LMK)
Online> CK <Return>
Enter key block: S XXXXXXXXXXXXXXX……XXXXXXXXX <Return>
Online>

All Rights Reserved
Variant  Key Block 

Set KMC Sequence Number (A6)
Online  Offline  Secure 
Activity: misc.console
Command: A6
Function: To set the value of the KMC sequence number held within the HSM protected
memory.
Note: This command is provided for the MasterCard OBKM functionality.
Authorization: The HSM must be in the Offline state to run this command. Additionally, the
HSM must be either in the Authorized State, or the activity misc.console must
be authorized.
Inputs: New sequence number value.
Outputs: None.
Errors: Not Authorized - The HSM is not in Authorized State

Not Offline – The HSM must be offline to run this command
Invalid Entry – The value entered is invalid (Counter can have any value between
00000000 and FFFFFFFF).

Current KMC sequence number is: 00000000 000000F3
Enter new value or <Enter> for no change: 2BAF <Return>
Current KMC sequence number is: 00000000 00002BAF
Offline-AUTH>

All Rights Reserved
Variant  Key Block 

Convert (KEK) ZMK into a KEKr or KWKs (EA) Online  Offline  Secure 
Command: EA
Function: To move a (KEK)ZMK from encryption under LMK Pair 4 – 5 to encryption under LMK Pair 4 – 5
variant 3 or 4.
Notes: This command is used to support the functionality provided for the Australian AS2805
standards.
The payShield must be in Authorized State.
This command supports Variant LMKs only.
Input: KEK (ZMK) encrypted under LMK pair 4 – 5: 32 Hex or 1 Alpha + 32 Hex or 1 Alpha + 48 Hex.
Key Check Value: 6 Hex
KEK type (R/ S) : KEKr or KEKs
Key scheme: Key scheme for encrypting key under LMK.
Output: KEKr or KEKs.
Errors: NOT AUTHORISED – Self explanatory.
KEY PARITY ERROR – The KEK (ZMK) does not have odd parity.
KEY CHECK VALUE FAILURE – The Key Check Value does not match the key.
MASTER KEY PARITY ERROR – The contents of LMK storage have been corrupted or erased.
Do not continue – inform the Security Department.
Example:
Online–AUTH> EA <Return>
Enter ZMK: U AAAA AAAA AAAA AAAA BBBB BBBB BBBB BBBB <Return>
Enter Key check value: XXXXXX <Return>
Enter KEK type (R/S): R <Return>
Key Scheme: U <Return>
KEKr : U CCCC CCCC CCCC CCCC DDDD DDDD DDDD DDDD
Online–AUTH>

All Rights Reserved
8.6 Payment System Commands

The payShield 10K provides the following console commands to support some of the card payment systems
host commands.

Generate a Card Verification Value (CV) 196
Generate a VISA PIN Verification Value (PV) 198
Load the Diebold Table (R) 200
Encrypt Decimalization Table (ED) 202
Translate Decimalization Table (TD) 203
Generate a MAC on an IPB (MI) 205

All Rights Reserved

Generate a Card Verification Value Online  Offline  Secure 
(CV) Authorization: Required
Command: CV
Function: To generate a VISA CVV or MasterCard CVC.
Authorization: The HSM must be either in the Authorized State, or the activity misc.console
must be authorized, using the Authorizing Officer cards of the relevant LMK.
Inputs:  LMK identifier: indicates the LMK to use when decrypting the supplied
CVK(s).
 Encrypted CVK
 Primary account number (PAN) for the card: up to 19 decimal digits.
 Card Expiry date: 4 decimal digits.
 Service code: 3 decimal digits.
Outputs:  Card Verification Value: 3 decimal digits.
 Data invalid; please re-enter - possibly incorrect key length. Could also be
incorrect PAN, card expiry date, or service code length or non-decimal PAN,
card expiry date or service code.
 Key parity error; please re-enter - the parity of the key entered is not odd.
Notes: Use of this command will always create an entry in the Audit Log.

All Rights Reserved
Example 1: This example generates a CVV using a CVK pair encrypted in variant format.
(Variant LMK)
Online-AUTH> CV <Return>
Enter key A: XXXX XXXX XXXX XXXX <Return>
Enter key B: XXXX XXXX XXXX XXXX <Return>
Enter PAN: 1234567812345678 <Return>
Enter expiry date: 0694 <Return>
Enter service code: 123 <Return>
CVV: 321
Online-AUTH>
Example 2: This example generates a CVV using a double length CVK in variant format.
(Variant LMK)
Enter key A: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Enter PAN: 1234567812345678 <Return>
CVV: 321
Online-AUTH>
Example 3: This example generates a CVV using a CVK in key block format.
(Key Block LMK)
Enter key block: S XXXXXXXX……XXXXXX <Return>
Enter PAN: 1234567812345678 <Return>
CVV: 321
Online-AUTH>

All Rights Reserved

Generate a VISA PIN Verification Value Online  Offline  Secure 
(PV) Authorization: Required
Command: PV
Function: To generate a VISA PIN Verification Value (PVV).
Inputs:  LMK identifier: indicates the LMK to use when decrypting the supplied
PVK(s).
 Encrypted PVK.
 The PVV data block comprising:
o The 11 right-most digits of the account number (excluding check digit):
11 decimal digits.
o The PIN verification key indicator (PVKI): 1 decimal digit.
o The 4 left-most digits of the clear PIN: 4 decimal digits.
Outputs:  The PIN Verification Value (PVV): 4 decimal digits.
 Data invalid; please re-enter - the PVK A, PVK B or the PVV data block field
is not 16 characters long. Re-enter the correct number of characters.
 Key parity error; please re-enter - the PVK A or PVK B does not have odd
parity on each byte. Re-enter the encrypted PVK A or PVK B and check for
typographic errors.
 Internal failure 12: function aborted - the contents of LMK storage have been
corrupted or erased. Do not continue. Inform the Security Department.
Notes:  The completion of this activity will always be entered in the audit log
irrespective of the AUDITOPTIONS settings,

All Rights Reserved
Example 1: This example generates a PVV using a PVK pair in variant format.
(Variant LMK)
Online-AUTH> PV <Return>
Enter key A: XXXX XXXX XXXX XXXX <Return>
Enter key B: XXXX XXXX XXXX XXXX <Return>
Enter PVV data block: XXXXXXXXXXX N NNNN <Return>
PVV: NNNN
Online-AUTH>
Example 2: This example generates a PVV using a double length PVK in variant format.
(Variant LMK)
Enter key A: U XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
PVV: NNNN
Online-AUTH>
Example 3: This example generates a PVV using a PVK in key block format.
(Key Block LMK)
Enter key block: S XXXXXXXX……XXXXXX <Return>
PVV: NNNN
Online-AUTH>

All Rights Reserved

Load the Diebold Table (R) Online  Offline  Secure 
Command: R
Function: To load the Diebold table into user storage in the HSM.
Authorization: The HSM must be online and must be either in the Authorized State, or the
activity misc.console must be authorized, using the Authorizing Officer cards
of the relevant LMK.
Inputs:  LMK identifier: indicates the LMK to use when encrypting the supplied
values.
 Location in user storage at which to store the Diebold table. See notes
below.
Outputs:  The 512-character encrypted table: 16 lines of 32 hexadecimal characters

each.
 Command only allowed from Online-Authorized - the HSM is not online, or
 Invalid index - the specified location in user storage is out of range. Enter a
valid value.
 Data invalid; please re-enter - the entered index is not 3 hexadecimal
characters long, or a table entry is not 16 hexadecimal characters long. Re-
enter the correct number of hexadecimal characters.
 Invalid table: duplicate or missing values - some of the data entered is not a
valid entry for a Diebold table. Check the table and re-enter the data,
checking for typographic errors.
Notes:  Encryption of the Diebold Table:

o If the security setting "Enforce key type 002 separation for PCI HSM
compliance" has the value "N", the Diebold table is encrypted using
LMK pair 14-15 variant 0.
o If the security setting "Enforce key type 002 separation for PCI HSM
compliance" has the value "Y", the Diebold table is encrypted using
LMK pair 36-37 variant 6.
 User Storage is structured in different ways depending on whether the
security setting "User storage key length" has a fixed length value ( setting =
S(ingle), D(ouble), T(riple) ) or is variable ( setting = V(ariable) ).
o If the length is fixed, the Diebold table is stored as 32 contiguous blocks
of 16 characters. The index for the first block must be in the range 000-
FE0.
o If the length is variable, the Diebold table is stored as a single block of
512 characters. Because this needs to use one of the larger slots
capable of handling blocks larger than 100 bytes, the index must be in
the range 000-07F.
See the payShield 10K Host Programmer's Manual for further information.
 If the security setting "Enforce key type 002 separation for PCI HSM
compliance" is changed, the Diebold Table must be re-entered by using this
command. Therefore, it is important that the cleartext version of the table is
retained.

All Rights Reserved
Example: The security setting "User storage key length" has a fixed length value.
Online-AUTH> R <Return>
Enter index (000 – FE0): XXX <Return>
Now enter table, 16 hex digits/line
Line 01: XXXX XXXX XXXX XXXX <Return>
XXXX XXXX XXXX XXXX OK? [Y/N] Y <Return>
Line 02:
…
…
Line 32: XXXX XXXX XXXX XXXX <Return>
XXXX XXXX XXXX XXXX OK? [Y/N] Y <Return>
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

…
…
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX (16 lines of
encrypted table are displayed)
Online-AUTH>
Note: The result of the "R" command gives no indication as to the LMK scheme or LMK identifier
used in the command. When this value is used with other (host) commands, the user must ensure
that the correct LMK is specified in the command.

All Rights Reserved

Encrypt Decimalization Table (ED) Online  Offline  Secure 
Command: ED
Function: To encrypt a 16 digit decimalization table for use with host commands using
IBM 3624 PIN Generation & Verification.
Inputs:  LMK identifier: indicates the LMK to use when encrypting the decimalization
table.
 Decimalization table. 16 decimal digits that specify the mapping between
hexadecimal & decimal numbers.
 The HSM by default checks that the decimalization table contains at least 8
different digits, with no digit repeated more than 4 times. This feature may
be disabled using the Configure Security parameter "Enable decimalization
table check". Disabling of this feature is not recommended.
Outputs:  Encrypted decimalization table:

 16 Hex characters when using a Variant LMK or a 3DES Key Block
LMK.
 32 Hex characters when using an AES LMK.
 Not Authorized - the HSM is not authorized to perform this operation.
 Decimalization table invalid - the decimalization table is not all decimal or
does not contain at least 8 different digits with no digit repeated more than 4
times.
 Master Key Parity Error - the contents of the HSM storage have been
corrupted or erased. Do not continue. Inform the security department.
Example: This example encrypts a decimalization table using a Variant LMK (same
(Variant or 3DES applies with 3DES Key Block LMK).
Key Block LMK)
Online–AUTH> ED <Return>
Enter decimalization table: 0123456789012345 <Return>
Encrypted decimalization table: XXXX XXXX XXXX XXXX
Online–AUTH>
Example: This example encrypts a decimalization table using an AES LMK.

(AES Key Block
LMK) Online–AUTH> ED <Return>
Enter decimalization table: 0123456789012345 <Return>
Encrypted decimalization table: XXXX XXXX XXXX XXXX XXXX
XXXX XXXX XXXX
Online–AUTH>
Note: The result of the "ED" command gives no indication as to the LMK scheme or LMK identifier

All Rights Reserved

Translate Decimalization Table (TD) Online  Offline  Secure 
Command: TD
Function: To translate an encrypted decimalization table from Encryption under an old

LMK to encryption under the corresponding new LMK.
Inputs:  LMK identifier: indicates the LMK to use when translating the decimalization
table.
 Encrypted Decimalization table. This is the result of encrypting a
decimalization table using the ED command. The size of the encrypted
decimalization table depends on the LMK used to encrypt it: for DES-based
Variant and 3DES Key Block LMKs, the size is 16 hex digits. For AES Key
Block LMKs, the size is 32 hex digits.
 The HSM by default checks that the decimalization table contains at least 8
different digits, with no digit repeated more than 4 times. This feature may
be disabled using the Configure Security parameter "Enable decimalization
table check". Disabling of this feature is not recommended.
Outputs:  Encrypted decimalization table:

 16 Hex characters when using a Variant LMK or a 3DES Key Block
LMK.
 32 Hex characters when using an AES LMK.
 Not Authorized - the HSM is not authorized to perform this operation.
 Decimalization Table Invalid - decimalization table not all
decimal or does not contain at least 8 different digits with no digit repeated
more than 4 times.
 Master Key Parity Error - the contents of the HSM storage have been
corrupted or erased. Do not continue. Inform the security department.
 No LMK in Key Change Storage - Key Change storage is empty.

All Rights Reserved
Example: Online–AUTH> TD <Return>

(Variant or 3DES Enter LMK id: 00 <Return>
Key Block LMK) Enter decimalization table encrypted under old LMK :
XXXXXXXXXXXXXXXX <Return>
Decimalization table encrypted under new LMK :
YYYYYYYYYYYYYYYY
Online–AUTH>
Example: Online–AUTH> TD <Return>

(AES Key Block Enter LMK id: 00 <Return>
LMK) Enter decimalization table encrypted under old LMK :
XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX <Return>
Decimalization table encrypted under new LMK :
YYYYYYYYYYYYYYYY YYYYYYYYYYYYYYYY
Online–AUTH>
Note: The result of the "TD" command gives no indication as to the LMK scheme or LMK identifier

All Rights Reserved

Generate a MAC on an IPB (MI) Online  Offline  Secure 
Command: MI
Function: To generate a MAC on the Cryptogram component of a CAP IPB.
Inputs:  LMK identifier: indicates the LMK to use when generating the MAC.
 8 byte IPB represented as 16 hex ASCII characters.
Outputs:  4 byte MAC over the plaintext IPB input data.
 IPB is not 8 bytes. Please re-enter - the validation of the IPB failed.
 Warning: Less than 16 '1'bits in IPB - the IPB contains less than 16 '1' bits.
Example: Online-AUTH> MI <Return>

Enter IPB: FFFFFFFF00000000 <Return>
MAC: FB1A 3C1A
Online-AUTH>
Note: The result of the "MI" command gives no indication as to the LMK scheme or LMK identifier

All Rights Reserved
8.7 Smartcard Commands

The payShield 10K provides the following console commands to support HSM smartcards. Please note that
some of these commands are designed to operate only with the legacy HSM smartcards while other may
support both the legacy and new smartcards used in the payShield Manager.

Format an HSM Smartcard (FC) 207
Create an Authorizing Officer Smartcard (CO) 209
Verify the Contents of a Smartcard (VC) 210
Change a Smartcard PIN (NP) 211
Read Unidentifiable Smartcard Details (RC) 212
Eject a Smartcard (EJECT) 213
Note: DO NOT REPEATEDLY ENTER INVALID PINS. A LEGACY SMARTCARD "LOCKS" AFTER
EIGHT SUCCESSIVE INVALID PINS HAVE BEEN ENTERED. LEGACY SMARTCARDS
CAN BE "UNLOCKED" BY REFORMATTING, WHICH DELETES THE ENTIRE CONTENTS
OF THE CARD. NEW SMARTCARDS USED BY THE PAYSHIELD MANAGER LOCK AFTER
FIVE SUCCESSIVE INVALID PINS HAVE BEEN ENTERED. THEY MAY BE UNLOCKED BY
RECOMMISSIOING THEM.

All Rights Reserved

Format an HSM Smartcard (FC) Online  Offline  Secure 
Command: FC
Function: To format an HSM smartcard for use by the HSM.

Different formats are used for LMK storage and saving HSM settings.
payShield Manager cards do not need to be formatted.
Inputs:  (LMK cards): Smartcard PIN: 5 to 8 alphanumeric characters.

 Date: 6 numeric character format DDMMYY.
 Time: 6 numeric characters; format hhmmss.
 Issuer ID: maximum 35 alphanumeric characters.
 User ID: maximum 35 alphanumeric characters.
Outputs:  Text messages:

o Insert card and press ENTER.
o Format card for HSM settings/LMKs? [H/L]
o Enter new PIN for smartcard.
o Re-enter new PIN.
o Enter format code.
o Enter date.
o Enter time.
o Enter Issuer ID.
o Enter User ID.
o Format complete.
o Card already formatted, continue? [Y/N].
Note:  This command only operates with legacy HSM smartcards.
Errors:  Invalid PIN; re-enter - the PIN entered is fewer than 5 or greater than 8
digits.
 PINs did not agree - the new PINs entered for the card did not match each
other.
 Invalid input. Entry must be in numeric format - non numeric value is
entered for time or date.

All Rights Reserved
Example 1: Online> FC <Return>

Card already formatted, continue? [Y/N]: Y <Return>
Format card for HSM settings/LMKs? [H/L]: L <Return>
Erasing card
Formatting card . . .
Enter new PIN for Smartcard: ******* <Return>
Re-enter new PIN: ******* <Return>
Enter time [hhmmss]: 153540 <Return>
Enter date [ddmmyy]: 261093 <Return>
Enter User ID: Joe Small <Return>
Enter Issuer ID: Big Bank plc <Return>
Format complete
Online>
Example 2: Online> FC <Return>

Card already formatted, continue? [Y/N]: Y <Return>
Format card for HSM settings/LMKs? [H/L]: H <Return>
Erasing card
Formatting card . . .
Format complete
Online>

All Rights Reserved

Create an Authorizing Officer Online  Offline  Secure 
Smartcard (CO) Authorization: Not required
Command: CO
Function: To copy the Password for an Authorizing Officer to another smartcard

(RLMKs are supported) so that it can be used to set the HSM into the
Authorized State. Note that only LMK component cards 1 and 2 contain the
Password.
Inputs:  Smartcard PIN: 5 to 8 alphanumeric characters. PINs must be entered

within 60 seconds of being requested.

Insert Card for Component Set 1 or 2 and enter the PIN.
Insert Card for Authorizing Officer and enter the PIN.
Copy Complete.
Errors:  Card not formatted - card not formatted

 Smartcard error; command/return: 0003 - an invalid PIN was
entered.
 Invalid PIN; re-enter - PIN is fewer than 5 or greater than 8 digits.
 Card not blank - copy failed.
Example: Offline> CO <Return>

Insert Card for Component Set 1 or 2 and enter PIN:
******** <Return>
Insert Card for Authorizing Officer and enter PIN:
******** <Return>
Copy complete.
Offline>

All Rights Reserved

Verify the Contents of a Smartcard Online  Offline  Secure 
(VC) Authorization: Not required
Command: VC
Function: To verify the key component or share held on a smartcard. The HSM reads
the key component from the smartcard, computes the check value, compares
this with the check value stored on the card and displays the result.

Outputs:  Component Set check value:

o For Variant LMKs, the length of the displayed check value is
determined by the CS (Configure Security) setting "Restrict Key Check
Value to 6 hex chars".
o For Key Block LMKs, the length of the displayed check value is always
6 hex digits.
 Comparison: Pass or Fail.
 Text messages:
o Check:
o Compare with card:

entered.
Example: Online> VC <Return>

Scheme: Variant
Check: 012345.
Compare with card: Pass.
Online>
If a smartcard is defective or cannot be successfully verified, replace it. Copy a verified smartcard
(from the same set of components) onto a replacement.
Note: DISPOSE OF THE FAULTY SMARTCARD IN A SECURE MANNER.

All Rights Reserved

Change a Smartcard PIN (NP) Online  Offline  Secure 
Command: NP
Function: To select a new PIN for a smartcard (RACCs and RLMKs are supported)
without changing any of the other details stored on the card.
The old PIN must be submitted before a change is effected and the new PIN
must be supplied correctly at two consecutive prompts.


o Insert Card and press ENTER.
o Enter current PIN.
o Enter new PIN for smartcard.
o Re-enter new PIN.
o PIN change completed.

entered.
 PINs did not agree - the new PINs entered for the smartcard did not match.
Example: Online> NP <Return>

Enter current PIN: **** <Return>
Enter new PIN for smartcard: **** <Return>
Re-enter new PIN: **** <Return>
PINs did not agree
Enter new PIN for smartcard: **** <Return>
Re-enter new PIN: **** <Return>
PIN change completed
Online>

All Rights Reserved

Read Unidentifiable Smartcard Details Online  Offline  Secure 
(RC) Authorization: Not required
Command: RC
Function: To read otherwise unidentifiable smartcards (RACCs and RLMKs supported).
Inputs: None.

o Insert Card and press ENTER when ready.
o This card is formatted for saving and retrieving HSM settings.
o Version, as stored on card: decimal integer.
o Date, as stored on card; format: YY/MM/DD.
o Time, as stored on card; format: hh:mm:ss.
o User ID, as stored on card; free format alphanumeric.
o Issuer ID, as stored on card; free format alphanumeric.
o Data Zone Size, as stored on card: decimal integer.
o Max Data Free, as stored on card: decimal integer.

Example 1: Online> RC <Return>

Format version: 0001
Issue time: 11:53:00
Issue date: 93/10/25
User ID: Bill Weasel
Issuer ID: Big Bank plc
User-data zone size: 0000
Free: 0392
Online>
Example 2: Online> RC <Return>

This card is formatted for saving and retrieving HSM
settings.
Online>

All Rights Reserved

Eject a Smartcard (EJECT) Online  Offline  Secure 
Command: EJECT
Function: To eject the smartcard from the smartcard reader.
Inputs: None.
Outputs: None.
Errors: None.
Example: Online> EJECT <Return>

Online>

All Rights Reserved
8.8 DES Calculator Commands

The payShield 10K provides the following console commands to support the encryption and
decryption of data with a given plaintext single, double or triple-length DES key:

Single-Length Key Calculator (N) 215
Double-Length Key Calculator ($) 216
Triple-Length Key Calculator (T) 217

All Rights Reserved

Single-Length Key Calculator (N) Online  Offline  Secure 
Command: N
Function: To encrypt and decrypt the given data block with the given single-length key.
Inputs:  Key (no parity required): 16 hexadecimal characters.

 Data block: 16 hexadecimal characters.
Outputs:  The data encrypted with the key.

 The data decrypted with the key.
Errors:  Data invalid; please re-enter - the entered data does not comprise 16
hexadecimal characters. Re-enter the correct number of hexadecimal
characters.
Example: Online> N <Return>

Enter key: XXXX XXXX XXXX XXXX <Return>
Enter data: XXXX XXXX XXXX XXXX <Return>
Encrypted: YYYY YYYY YYYY YYYY
Decrypted: YYYY YYYY YYYY YYYY
Online>

All Rights Reserved

Double-Length Key Calculator ($) Online  Offline  Secure 
Command: $
Function: To encrypt and decrypt the given data block with the given double-length key.
Inputs:  The double-length key (odd parity is required): 32 hexadecimal characters.


Errors:  Data invalid; please re-enter - the entered data does not comprise 32
hexadecimal characters. Re-enter the correct number of hexadecimal
characters.
Example: Offline> $ <Return>

Enter key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
<Return>
Offline>

All Rights Reserved

Triple-Length Key Calculator (T) Online  Offline  Secure 
Command: T
Function: To encrypt and decrypt the given data block with the given triple-length key.
Inputs:  The triple-length key (odd parity is required): 48 hexadecimal characters.


Errors:  Data invalid; please re-enter - Re-enter the correct number of hexadecimal
characters.
Example: Offline> T <Return>

Enter key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
XXXX XXXX XXXX <Return>
Single, Double, or Triple length data? (S,D,T): S
<Return>
Offline>

All Rights Reserved
9 payShield Manager Commands

This section describes the commands used to configure the HSM for use with the payShield Manager.

Add a RACC to the whitelist (XA) 219
Decommission the HSM (XD) 220
Remove RACC from the whitelist (XE) 221
Commission the HSM (XH) 222
Generate Customer Trust Authority (XI) 223
Make an RACC left or right key (XK) 225
Commission a smartcard (XR) 226
Transfer existing LMK to RLMK (XT) 227
Decommission a smartcard (XX) 229
HSM commissioning status (XY) 230
Duplicate CTA share (XZ) 231
Note that the HSM's private key, the certified public key and the Domain Authority self-signed public key
certificate are recovered by use of the HSM Master Key (HRK) if a tamper attempt has occurred.

All Rights Reserved

Add a RACC to the whitelist (XA) Online  Offline  Secure 
Command: XA
Function: To add a RACC to the whitelist on the HSM.
Authorization: The HSM must be in Secure state to run this command.
Inputs:  None
Outputs:  None
Example 1: Secure> XA <Return>
Insert payShield Manager Smartcard and press ENTER:

<Return>
Enter PIN: ****** <Return>
Do you want to add card XYZ123 to the whitelist? Y

<Return>
Card XYZ123 added to whitelist.
Secure>

All Rights Reserved

Decommission the HSM (XD) Online  Offline  Secure 
Command: XD
Function: To decommission the HSM by deleting the payShield Managers keys and
groups.
Inputs:  None
Outputs:  None
Example 1: Secure> XD <Return>
Do you want to erase the payShield Manager's keys and

groups? [Y/N]: Y <Return>
Secure>

All Rights Reserved

Remove RACC from the whitelist (XE) Online  Offline  Secure 
Command: XE
Function: To remove an RACC from the whitelist.
Inputs:  None
Outputs:  None
Example 1: Secure> XE <Return>
Choice ID Type
1 ABC321 restricted
2 XYZ123 restricted
Which RACC do you want to remove? 1 <Return>
Card ABC321 removed from whitelist
Secure>

All Rights Reserved

Commission the HSM (XH) Online  Offline  Secure 
Command: XH
Function: To commission the HSM
Inputs:  None
Outputs:  None
Example 1: Secure> XH <Return>
Please have all Customer Trust Authority (CTA) payShield

Manager smartcards available
Insert first CTA payShield Manager Smartcard and press
ENTER: <Return>
Insert CTA payShield Manager Smartcard 2 of 3 and press
ENTER: <Return>
ENTER: <Return>
Starting the commissioning of the HSM process...

Please insert left key card and press ENTER: <Return>
Please insert right key card and press ENTER: <Return>
Successfully commissioned HSM
Secure>

All Rights Reserved

Generate Customer Trust Authority Online  Offline  Secure 
(XI) Authorization: Not required
Command: XI
Function: Generates the Customer Trust Authority and stores them on smartcards.
Inputs:  Country
 State
 Locality
 Organization
 Organizational Unit
 Common Name
 Email
 Number of private shares
 Number of shares needed to recover private key
Outputs:  None
Example 1: Secure> XI <Return>
Please enter the certificate Subject information:

Country Name (2 letter code) [US]: US <Return>
State or Province Name (full name) []: Florida
<Return>
Locality Name (eg, city) []: Plantation <Return>
Organization Name (eg, company) []: Thales <Return>
Organizational Unit Name (eg, section) []:
Production <Return>
Common Name (e.g. server FQDN or YOUR name) [CTA]:
CTA <Return>
Email Address []: [email protected] <Return>
Enter number of Customer Trust Authority private key

shares [3-9]: 3 <Return>
Enter number of shares to recover the Customer Trust
Authority private key [3-3]: 3 <Return>
Issued to: CTA, Issued by: CTA

Validity : Jan 9 10:28:49 2015 GMT to Jan 3 10:28:49
2040 GMT
Unique ID: EE3CB7CE8343B464CC04278188CF7EB3 - 3DE05514
(Root)
Insert payShield Manager Smartcard 1 of 3 and press

ENTER: <Return>
Enter new PIN for smartcard: ****** <Return>
Re-enter new PIN: ****** <Return>
Working....
CTA share written to smartcard.

ENTER: <Return>
Working....

All Rights Reserved

ENTER: <Return>
Working....
Successfully generated a Customer Trust Authority

Secure>

All Rights Reserved

Make an RACC left or right key (XK) Online  Offline  Secure 
Command: XK
Function: Defines a RACC as either a left or right key in the whitelist on the HSM.
Inputs: Left or Right (card type)
Outputs:  None
Example 1: Secure> XK <Return>
Insert payShield Manager Smartcard and press ENTER:

<Return>
Do you want to make ABC321 a [L]eft or [R]ight key? L
<Return>
Card ABC321 is now a left key.
Secure>

All Rights Reserved

Commission a smartcard (XR) Online  Offline  Secure 
Command: XR
Function: To commission a smartcard.
Inputs:  None
Outputs:  None
Example 1: Secure> XR <Return>
Please have all Customer Trust Authority (CTA) payShield

Manager smartcards available
Insert first CTA payShield Manager Smartcard and press
ENTER: <Return>
Enter PIN: ******
ENTER: <Return>
Enter PIN: ******
ENTER: <Return>
Enter PIN: ******
Enforce a PIN change on first use? [Y/N]: N <Return>
Insert a payShield Manager Smartcard to be commissioned
and press ENTER: <Return>
Do you wish to add the smartcard A3 to the HSM whitelist
[Y/N]: Y <Return>
Assign smartcard as a Left or Right Key RACC? [L/R/N]: N
<Return>
Would you like to commission another card? [Y/N]: N
<Return>
Secure>

All Rights Reserved

Transfer existing LMK to RLMK (XT) Online  Offline  Secure 
Command: XT
Function: To transfer an existing HSM LMK stored on legacy smartcards to payShield

Manager RLMK cards for use through the payShield Manager.
In order to transfer a Variant LMK you will be required to fully reassemble the
LMK (bring all the components together). Then, the fully formed Variant LMK
is split among shares onto the pre-commissioned payShield Manager RLMK
cards.
For Key Block LMKs, they are not stored as components on non-payShield
Manager smart cards, but as shares. However, you must bring a quorum of
share holders together, reconstitute the LMK, and then split it among shares
onto the pre-commissioned payShield Manager RLMK cards.
Inputs:  Number of shares to split LMK into

 Number of Components required to reconstitute LMK
Outputs:  None
Example 1: Secure> XT <Return>
Please have all the local LMK components and enough

commissioned RACCs to receive the LMK ready.

Enter PIN: ***** <Return>
Check: 268604
LMK Check: 268604

LMK status: Test
Is this the LMK you wish to transfer? [Y/N]: Y <Return>
Enter the number of shares to split the LMK into: [2-9]:

2 <Return>
The number of shares required to reconstitute the LMK:
[2-2]: 2 <Return>
Insert a commissioned card 1 of 2 and press ENTER:

<Return>
Card Check: E0CBF4

LMK share written to smartcard.
Insert a commissioned card 2 of 2 and press ENTER:

<Return>

All Rights Reserved
Card Check: E0CBF4

LMK share written to smartcard.
Want to test the reassembly of the LMK? Y <Return>
Please have all the RLMK shares ready

Insert RLMK card and press ENTER: <Return>
LMK share 1 read (1 of 2) Card Check: E0CBF4
Insert RLMK card and press ENTER: <Return>
LMK share 2 read (2 of 2) Card Check: E0CBF4
LMK Check 268604
Secure>

All Rights Reserved

Decommission a smartcard (XX) Online  Offline  Secure 
Command: XX
Function: To decommission a payShield Manager smartcard.
Authorization: The HSM may be in any state to run this command.
Inputs:  None
Outputs:  None
Example 1: Secure> XX <Return>
Please insert card to decommission and press ENTER:

<Return>
Warning: Resetting a payShield Manager Smartcard to its
original state
will erase all key material from the card.
Are you sure? [Y/N]: Y <Return>
payShield Manager Smartcard successfully decommissioned

Would you like to decommission another card? [Y/N]: N
<Return>
Secure>

All Rights Reserved

HSM commissioning status (XY) Online  Offline  Secure 
Command: XY
Function: To show the state of the HSM Management commissioning and whitelist.
Authorization: The HSM may be in any state to run this command.
Inputs:  None
Outputs:  Thales Trust installed

 Customer Trust Authority installed
 HSM Public Key installed
 Is HRK password user defined
 Is HRK available for use
 Authorized RACCs
Example 1: Note: The following contains sample output, e.g., Issue to: TES LC.
Online> XY <Return>
Thales Trust installed : Yes

1 - Issued to: A4665000000A, Issued by: Development
Factory TTA
Validity : Sep 26 15:35:30 2018 GMT to Sep 20
15:35:30 2043 GMT
Unique ID: B655F28FD784A9C2A5169FF4F4DD41EA -
D61B5F4A
Customer Trust Authority Installed : Yes

2 - Issued to: TES LC, Issued by: TES LC
Validity : Oct 5 13:11:12 2018 GMT to Sep 29
13:11:12 2043 GMT
Unique ID: 9FEACF2E361A2BADA0E2E9238D121E1D -
27871B3A (Root)
HSM Public Key Certificate Installed : Yes

3 - Issued to: A4665000000A, Issued by: TES LC
Validity : Oct 30 16:01:34 2018 GMT to Oct 24
16:01:34 2043 GMT
Unique ID: ABA92BB246260EFF838BD06062331E54 -
27871B3A
Is HRK passphrase user defined : Yes
Is HRK available for use : Yes
Authorized RACCs : 4
Serial Number Certificate
Number RACC Type
7307001132072979 BF9BBAA7525818AA Left
7307001145072979 392FDA0DD7B25CBA Left
7307001152072979 DBD139588ED7A17C Right
7307001265072979 223386DBE9391015 Right
Online>

All Rights Reserved

Duplicate CTA share (XZ) Online  Offline  Secure 
Command: XZ
Function: To duplicate a CTA share smartcard.
Inputs:  None
Outputs:  None
Example 1: Secure> XZ <Return>
Insert a CTA share payShield Manager Smartcard to be

duplicated:
Working...
Please insert a commissioned payShield Manager smartcard
and press ENTER: <Return>
Working...
Secure>

All Rights Reserved
10 Secure Host Communications

This section describes the commands used to configure a payShield 10K such that the host connection is
protected using TLS (known as Secure Host Communications).
The Certificate Requests and Certificates may be stored on / loaded from a regular USB memory stick.
The required format for the USB memory stick is FAT32. The Operating System used in the payShield 10K
supports most types of USB memory sticks, but may not have the drivers for some of the newer types. If
difficulties are experienced when trying to read from or write to a USB device, an alternative memory stick
should be used.
The HSM's certificate signing request (CSR) structure is compliant with PKCS#10. The client must use the
same key type as is included in the HSM's CSR.
The HSM uses certificate formats compliant with X.509.
The payShield 10K provides the following console commands to manage the HSM's private key, the certified
public key and the CA self-signed public key certificate to support secure host communications:

Generate Certificate Signing Request (SG) 233
Import Certificate (SI) 236
Export HSM Certificate's Chain of Trust (SE) 238
View Installed Certificate(s) (SV) 240
Delete Installed Certificate(s) (SD) 243
Generate HRK (SK) 244
Change HRK Passphrase (SP) 245
Restore HRK (SL) 246
The HRK enables the recovery of the HSM's private key, the certified public key and the CA self-signed public
key certificate used for payShield Manager.

All Rights Reserved

Generate Certificate Signing Request Online  Offline  Secure 
(SG) Authorization: Not required
Command: SG
Function: To generate (or use the existing) HSM's public/private key pair for use with
secure host communications, and extract the public key in the form of a
Certificate Signing Request (“.CSR”).
The private key is stored in tamper protected memory. It is backed up
internally using the HSM Master Key (HRK) – see command SK for details.
Inputs:  Certificate fields (Country, State, Locality, Org Name, Org Unit Name,
Common Name, E-mail Address).
 Key Type (RSA, ECDSA)
 Filename when saving to USB memory stick
Outputs:  Prompts, as above

 Key generation message
 Prompt to save to USB memory stick
 Certificate Signing Request
Errors:  File exists – replace?
Notes:  If the HSM's public/private key pair has already been created, then SG will
use the existing key pair. If a new key pair is required, use the SD console
command to delete the private key.
 The HRK must be installed (using the SK console command) prior to using
this command.
 The exported file will automatically have the extension “.CSR”.
 The size of RSA keys used is 2048-bits.
 The size of ECDSA keys used is either 256-bits, 384-bits or 521-bits (user
selectable).
 The client must use the same RSA/ECDSA key type as is included in the
HSM's CSR.
 A maximum certificate chain length of 6 is supported.
 The required format for the USB memory stick is FAT32. The Operating
System used in the payShield 10K supports most types of USB memory
stick, but may not have the drivers for some of the newer types. If difficulties
are experienced when trying to read from or write to a USB device, an
alternative memory stick should be used.

All Rights Reserved
Example 1: This example demonstrates the use of the SG console command to generate a 521-bit
ECDSA public/private key pair and output a certificate signing request.
Secure> SG <Return>
Please enter the Subject Information for the Certificate Request:
Country Name (2 letter code) []: UK <Return>

State or Province Name (full name) []: Greater London <Return>
Locality Name (eg, city) []: London <Return>
Organization Name (eg, company) []: Bank XYZ <Return>
Organizational Unit Name (eg, section) []: Operations <Return>
Common Name (e.g. server FQDN or YOUR name) []: HSM-0001
<Return>
Select key type:

1 - RSA
2 - ECDSA P-256
3 - ECDSA P-384
4 - ECDSA P-521
Type [4]: 4 <Return>
Generating key pair ......................+++

.......+++
DONE
Do you wish to save to a file [Y/N]: Y <Return>

Enter filename: HSM-0001 <Return>
-----BEGIN CERTIFICATE REQUEST-----
MIIC2TCCAcECAQAwgZMxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5HcmVhdGVyIExv
bmRvbjEPMA0GA1UEBxMGTG9uZG9uMREwDwYDVQQKEwhCYW5rIFhZWjETMBEGA1UE
CxMKT3BlcmF0aW9uczERMA8GA1UEAxMISFNNLTAwMDIxHzAdBgkqhkiG9w0BCQEW
EGJpbGxAYmFua3h5ei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC+JhIisca5k7l5YIRNcDcq/QMb3jHzhQIbME4O9zDhTtmINFM7YrvZ6N2Sy1TU
za1cPf9JKR2X5D3ukaICtkTwxArj1WRnU2UnINTYeO0RWeBaouxO4ijSvzx5mCCg
RtcSQDK748+0xgWlZezkKkv+akOh4vYPdiOKx47wiS7UAENBaQI14C5cbnj6JMLe
f3hmzQzzu3vACAIDbuQXZ5A7w7ecGLSLahjEyx1H7PXpLnul2lPRlBcemVdqHi8f
dfXTAKE1RrKSrvU22sOn6uQLGFRTseIuC4tFvtZNJRHAtqCYpabV4vrBmNQDaw8W
p2FFu+e71ybqsLY0R5xt7ZABAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAvVzS
iy5gJkAjUdqaBjr5MUoAXvk15fEg6gO+SV39X3mSsQklQdoHwFSNgOUWYHkTKPvN
vZnCxMlUK2nBhlu2Xz44yC/U7+E7FsaQz2nXrNx/gF3SY/a/ODA+Y9iSERIpwRCM
9CKapYONeBHqK/NIcgTOZ3SMsC9JXsvtxPyQ7vmbu4a/JpMantWfcLCA+z6i+S+H
WavGnPVGt9ERD5Cij7B6qSbbrkn+xoJARIGsXhbVQmdSxR8I8HUAQDYV+2VJo3bA
ct9ubVjaw2SSiQZp9xB7BOJjk/NQrTk5gG3BkDI/Ukp9A9s7YoW1oMY8YdIg/YRo
Y+LI5trvXN73V2X0Ow==
-----END CERTIFICATE REQUEST-----
Secure>

All Rights Reserved
Example 2: This example demonstrates the use of the SG console command to generate a 2048-bit
RSA public/private key pair and output a certificate signing request.
Secure> SG <Return>
Please enter the Subject Information for the Certificate Request:
Country Name (2 letter code) []: UK <Return>

State or Province Name (full name) []: Greater London <Return>
Locality Name (eg, city) []: London <Return>
Organization Name (eg, company) []: Bank XYZ <Return>
Organizational Unit Name (eg, section) []: Operations <Return>
Common Name (e.g. server FQDN or YOUR name) []: HSM-0002
<Return>
Select key type:

1 - RSA
2 - ECDSA P-256
3 - ECDSA P-384
4 - ECDSA P-521
Type [4]: 1 <Return>
Generating key pair ......................+++

.......+++
DONE

Enter filename: HSM-0002 <Return>
-----BEGIN CERTIFICATE REQUEST-----
MIIC2TCCAcECAQAwgZMxCzAJBgNVBAYTAlVLMRcwFQYDVQQIEw5HcmVhdGVyIExv
bmRvbjEPMA0GA1UEBxMGTG9uZG9uMREwDwYDVQQKEwhCYW5rIFhZWjETMBEGA1UE
CxMKT3BlcmF0aW9uczERMA8GA1UEAxMISFNNLTAwMDIxHzAdBgkqhkiG9w0BCQEW
EGJpbGxAYmFua3h5ei5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDBJAjJVtpE2Covk13BpZCACN6hUoQeLRv62+M3Lioa/ckvrIDaFxRTmlBGAof/
nZR3uRXSRz5oo3MX+fG4QXuLCGujFPHUfdnJRFIGnxoxkrrXn5OyxtokLwdE3HrK
VgKeUPQvDluZVXCbFJ1rGGaBk6bRQCfb7hBI7gcba6NfLIPms/bXYgy5hKUbkf+N
rMGtKAHz70E7BRMyY95GFo6nDne579rUi8RDxC4vqIJgkaXbuv4evYxlliTsQ69O
wr0iRSygYHSYzA8TVcwJ1pNTO1Jeg2xJ8r4axs0r5IKxxpD2PDAv4DdyQ0TsZkTB
QfSxPnlD4sTeQW5s42Y0B02ZAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAJqPX
alHvtQKsfxgzTn2nWiw/v/9v8Qs11MIRJ5/Y3x+fdRSSK55uwPmRIRlCYdM0xQ4C
tSW3jWUiB1P0a3XxC5O4cWfbXJSxWkoSiN6V5gZrCI9W1z05xAuJZtjdVcFbUvVI
pPw3LXXS2CxAsAbgtz3QG+MIdyiicE5vUN2kKxhhZaC8Ev3tpy2Uue8XGy1sDybu
8qx5I5tMUSAsYx4M956gJEL0Mt9k8phIhsbKz5IKDDEwuyurJlYoOqkVVZeuBKZu
YKJKdOtwzzuUesEcGQfbAleBR0ntezm0irWJRaCXEyg0e5DF0FfWGIE08ojx4dvh
w3mX71ZX4RGchVEsYQ==
-----END CERTIFICATE REQUEST-----
Secure>

All Rights Reserved

Import Certificate (SI) Online  Offline  Secure 
Command: SI
Function: To import a certificate for storage inside the HSM for use with secure host
communications.
The certificate may be one of the following:
 HSM certificate
 Client certificate
 Sub-CA certificate (for either HSM or client)
 Root-CA certificate (for either HSM or client)
Inputs:  File selection

 Prompt for import of additional certificates

 Filenames of certificates on USB memory stick
 Summary of imported certificate (Issued to/by, Validity, ID)
 Chain of Trust statement (for an HSM certificate)
Notes:  The HSM's public/private key pair must be installed (using the SG console
command) prior to using this command.
 The file(s) to be imported must have the extension ".CRT".
 The required format for the USB memory stick is FAT32. The Operating
System used in the payShield 10K supports most types of USB memory
stick, but may not have the drivers for some of the newer types. If difficulties
are experienced when trying to read from or write to a USB device, an
alternative memory stick should be used.
Example 1: This example demonstrates the use of the SI console command to import the root CA
certificate (that signed the HSM's certificate) into the HSM.
Secure> SI <Return>
Select File
1 – HSM-0001.crt
2 – BankXYZRootCA.crt
3 - Client.crt
4 - ClientRootCA.crt
File: 2 <Return>
Imported Trusted CA Certificate

Issued to: Bank XYZ, Issued by: Bank XYZ
Validity : May 9 10:59:22 2013 GMT to May 7 10:59:22
2023 GMT
Unique ID: 9C8FC713FAA31010 - AC03FAD5 (Root)
Do you wish to import another certificate? N <Return>
Secure>

All Rights Reserved
Example 2: This example demonstrates the use of the SI console command to import the HSM's
(now signed) certificate back into the HSM.
(Note that the root CA certificate has already been installed (see Example 1), and so the
HSM indicates that the "Chain of Trust" is complete.
Secure> SI <Return>
Select File
1 – HSM-0001.crt
2 - BankXYZRootCA.crt
3 - Client.crt
4 - ClientRootCA.crt
File: 1 <Return>
Imported CA-signed HSM Certificate

Issued to: HSM-0001, Issued by: Bank XYZ
2014 GMT
Unique ID: 2050 - AC03FAD5
Chain of Trust validated

Bank XYZ (Root)
Do you wish to import another certificate? N <Return>
Secure>

All Rights Reserved

Export HSM Certificate's Chain of Online  Offline  Secure 
Trust (SE) Authorization: Not required
Command: SE
Function: To export the HSM certificate's chain of trust (i.e. the chain of certificates
required to authenticate the HSM's certificate, up to and including the root CA
certificate).
Inputs: Filename when saving to USB memory stick
Outputs: Prompts, as above

Prompt to save to USB memory stick
Certificate Chain of Trust is displayed at the console, and (if requested) saved
to the USB memory stick
Errors: File exists – replace?
Notes: The HSM's public/private key pair must be installed (using the SG console
The exported file will automatically have the extension ".CRT".
A maximum certificate chain length of 6 is supported.
The required format for the USB memory stick is FAT32. The Operating
System used in the payShield 10K supports most types of USB memory stick,
but may not have the drivers for some of the newer types. If difficulties are
experienced when trying to read from or write to a USB device, an alternative
memory stick should be used.

All Rights Reserved
Example 1: This example demonstrates the use of the SE console command to export the HSM
certificate's chain of trust (in this case, just the root CA certificate) to a USB memory
stick.
Secure> SE <Return>

Enter filename: BankXYZRootCA <Return>
Bank XYZ
-----BEGIN CERTIFICATE-----
MIID+TCCAuGgAwIBAgIJAJyPxxP6oxAQMA0GCSqGSIb3DQEBBQUAMIGyMQswCQYD
VQQGEwJVSzEYMBYGA1UECBMPQnVja2luZ2hhbXNoaXJlMRUwEwYDVQQHEwxMb25n
IENyZW5kb24xDzANBgNVBAoTBlRoYWxlczEMMAoGA1UECxMDUE1HMR4wHAYDVQQD
ExVwYXlTaGllbGQgQ2VydGlmaWNhdGUxMzAxBgkqhkiG9w0BCQEWJGphbWVzLnRv
cmp1c3NlbkB0aGFsZXMtZXNlY3VyaXR5LmNvbTAeFw0xMzA1MDkxMDU5MjJaFw0y
MzA1MDcxMDU5MjJaMIGyMQswCQYDVQQGEwJVSzEYMBYGA1UECBMPQnVja2luZ2hh
bXNoaXJlMRUwEwYDVQQHEwxMb25nIENyZW5kb24xDzANBgNVBAoTBlRoYWxlczEM
MAoGA1UECxMDUE1HMR4wHAYDVQQDExVwYXlTaGllbGQgQ2VydGlmaWNhdGUxMzAx
BgkqhkiG9w0BCQEWJGphbWVzLnRvcmp1c3NlbkB0aGFsZXMtZXNlY3VyaXR5LmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANTFR+dFeafMZsMwgeOK
vWxjmaUOP6z5mK+qeD4wYvNP5cv1GVqKoMFTNkJL+jeBSyo39IR0T4AoalroUb6F
yi76nmv0VVqFgPWIS92bRBozGp8dZU09aJQGCuOIjEvKuUtddWrpp0ClFEnTXXsx
LpfjTal5vSl+D9lazkMiFxdi7OUQyf6CiVuoch7bq0A4nmcjSlPyE/b3FpJn6zul
S+/DvRo4N4wJBHkZftAyPHZUYaV84perRG4CRbirFUfpRH1kVC+P6Gal/KMKWlzE
kKJOIxZqtaU973/AD4CV2QZtMurFC9m9p84uOW2SinMeKEdolVTFgVo+h3KjFHM/
yVsCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAoHEN
1QyqWSTXkhtAnu+F3gy/Qs/wYLszaYYlBUSQasjN866SzRC/jVtYT6UYabvOke5B
9Z4KNsICkRtmgdYpic0kjK40RjUdw4QZu4jC+EM4eY8HTa7fSaH1nxrkPAEUwNKZ
o3Re+3jQeIx6gi5rnLf/FZ1cEP1fySh0hzuSo2xSIY/hwUWhlZJYZKBu3wzfHG1d
GB7D4xU4jUTvkKJQDuCHUdSrf+cMstN9dkrhYNNw49L9tYrD0ZzlPM3rVXD28uAL
Wt+CPOtsjIixNRl8vZmEVJDWJaRibCcfrTeDBs4O3hmAgx/Mdv5FX/NSjhZZO15m
X4FkYiQv2CJb7J/vAw==
-----END CERTIFICATE-----
Secure>

All Rights Reserved

View Installed Certificate(s) (SV) Online  Offline  Secure 
Command: SV
Function: To view the list of currently installed certificates (for use with secure host
communications). Individual certificates can be displayed in full.
Authorization: The HSM can be in any state to run this command.
Inputs:  Certificate to be displayed in full.
Outputs:  The HSM's public/private key pair must be installed (using the SG console
 Prompts, as above
 List of currently installed certificates.
 Status of HSM's private key – installed or not installed
 HSM Certificate installed – maximum of 1 certificate
 Client Certificate(s) installed – maximum of 10 certificates
 CA Certificate(s) installed – maximum of 10 certificates
 Chain of trust validity – for the HSM's certificate chain
 Contents of selected certificate.

All Rights Reserved
Example 1: This example demonstrates the use of the SV console command to view the list of
currently installed certificates, and to display the contents of the HSM's certificate.
Secure> SV <Return>
HSM Private Key installed: Yes
HSM Certificate installed:

1 - Issued to: HSM-0002, Issued by: Bank XYZ
2014 GMT
Client certificate(s) installed:

2 - Issued to: APP-0001, Issued by: Applications
2014 GMT
Unique ID: 2016 - D221289A
CA Certificate(s) installed:
3 - Issued to: Applications, Issued by: Applications
2023 GMT
Unique ID: C14FF9DE78FB441A - D221289A (Root)
4 - Issued to: Bank XYZ, Issued by: Bank XYZ

2023 GMT
Chain of Trust validated:

Bank XYZ (Root)
Select an item to view: 1 <Return>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8273 (0x2051)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=UK, ST=Greater London, L=London, O=Bank XYZ,
OU=RootCA, CN=Bank XYZ/[email protected]
Validity
Not Before: May 21 15:05:51 2013 GMT
Not After : May 21 15:05:51 2014 GMT
Subject: C=UK, ST=Greater London, O=Bank XYZ,
OU=Operations, CN=HSM-0002/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:31:e6:90:46:fe:e9:26:8b:93:39:5a:8c:be:
…
3d:39:2b:d7:06:47:04:6a:54:d2:12:4e:ac:9a:a3:
5b:49
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:

All Rights Reserved
Digital Signature, Non Repudiation, Key

Encipherment
Signature Algorithm: sha1WithRSAEncryption
b8:e9:e9:8f:2e:f9:50:93:a1:8b:8d:0b:e5:fd:ef:6f:6c:05:
…
59:0d:df:85:b7:48:c6:02:d9:16:f9:80:e5:c9:c2:69:7f:06:
2b:ba:18:9f
Do you wish to view another certificate? N <Return>
Online>

All Rights Reserved

Delete Installed Certificate(s) (SD) Online  Offline  Secure 
Command: SD
Function: To delete a currently installed certificate or private key (for use with secure host
communications).
Inputs:  Certificate to be deleted.

 List of currently installed certificates.
 Status of HSM's private key – installed or not installed
 HSM Certificate installed – maximum of 1 certificate
 Client Certificate(s) installed – maximum of 10 certificates
 CA Certificate(s) installed – maximum of 10 certificates
 Chain of trust validity – for the HSM's certificate chain
 Prompt to delete another certificate
Example 1: This example demonstrates the use of the SD console command to remove a client
certificate from the HSM.
Secure> SD <Return>
HSM Private Key installed: Yes
HSM Certificate installed:

1 - Issued to: HSM-0002, Issued by: Bank XYZ
Validity : May 21 15:05:51 2013 GMT to May 21
15:05:51 2014 GMT
Client certificate(s) installed:

2 - Issued to: APP-0001, Issued by: Applications
09:37:18 2014 GMT
Unique ID: 2016 - D221289A
CA Certificate(s) installed:
3 - Issued to: Applications, Issued by: Applications
09:24:10 2023 GMT
Unique ID: C14FF9DE78FB441A - D221289A (Root)
4 - Issued to: Bank XYZ, Issued by: Bank XYZ

10:59:22 2023 GMT
Chain of Trust validated:

Bank XYZ (Root)
5 – HSM Private Key
Select an item to delete (6 for ALL): 2 <Return>

Do you wish to delete another certificate? N <Return>
Secure>

All Rights Reserved

Generate HRK (SK) Online  Offline  Secure 
Command: SK
Function: To generate a new HSM Recovery Key (HRK). Once installed, the HRK will be
used to back-up secret key material inside the HSM into persistent memory (a
process known as key synchronization).
The following secret key material is backed-up in this process:
 Secure Host Communications key material:
o HSM's private key
 Remote Management key material:
o HSM's private key
o HSM's public key certificate
o CA public key certificate
Inputs:  Passphrases 1 & 2 (each entered twice for verification).
Outputs:  Prompts, as above.

 Passphrase rules.
 Creating HRK message.
 Key synchronization message.
Notes:  The HRK replaces the RMK (used in previous versions of software).
Example 1: This example demonstrates the use of the SK console command to generate
an HRK.
Secure> SK <Return>
**** NOTE ****

Passphrase rules as follows:
1 - Must be between 8 and 30 characters long.
2 - Can contain spaces
3 - Must be comprised of (at a minimum):
2 digits
2 uppercase characters
2 lowercase characters
2 symbols (e.g. !/?.#:')
Enter administrator 1 passphrase: ********************

Re-enter administrator 1 passphrase: ********************
Enter administrator 2 passphrase: **************

Re-enter administrator 2 passphrase: **************
Creating HRK. Please, wait ... DONE
HRK generated successfully
Key synchronization complete

Secure>

All Rights Reserved

Change HRK Passphrase (SP) Online  Offline  Secure 
Command: SP
Function: To change one of the passphrases associated with the HRK.
Inputs:  Existing passphrase 1 or 2.

 New passphrase 1 or 2 (entered twice for verification).

 Passphrase rules.
 Creating HRK message.
Example 1: This example demonstrates the use of the SP console command change
administrator #1's HRK passphrase.
Secure> SP <Return>
**** NOTE ****

Passphrase rules as follows:
1 - Must be between 8 and 30 characters long.
2 - Can contain spaces
3 - Must be comprised of (at a minimum):
2 digits
2 uppercase characters
2 lowercase characters
2 symbols (e.g. !/?.#:')
4 - Cannot use the same passphrase that was used within
the past 10 previous attempts
Select administrator password to change [1,2]: 1

Enter administrator 1 current passphrase:
********************
Enter administrator 1 new passphrase: ************
Re-enter administrator 1 new passphrase: ************
Changing passphrases. Please, wait ... DONE
HRK generated successfully
Secure>

All Rights Reserved

Restore HRK (SL) Online  Offline  Secure 
Command: SL
Function: To restore the HRK (and also the secret key material backed-up by the HRK)
in the event of erasure of tamper protected memory.
Inputs:  Passphrases 1 & 2.

 Restoring HRK message.
Errors:  HRK already loaded.
Example 1: This example demonstrates the use of the SL console command to generate
an HRK.
Secure> SL <Return>
Enter administrator 1 passphrase: ********************

Enter administrator 2 passphrase: **************
Recovering HRK. Please, wait ... DONE
HRK recovered successfully
Key synchronization complete
Secure>

All Rights Reserved
11 KMD Support Commands

This section describes the set of console commands that facilitate the operation of the Thales Key
Management. Please note the Key Management Device (KMD) is now end of sale and has been replaced by
the Trusted Management Device (TMD).

Generate KTK Components (KM) 248
Install KTK (KN) 249
View KTK Table (KT) 250
Import Key encrypted under KTK (KK) 251
Delete KTK (KD) 252

All Rights Reserved

Generate KTK Components (KM) Online  Offline  Secure 
Command: KM
Function: To generate the components of a KMD Transport Key (KTK), and store the
components on smartcards.
Authorization: None
Inputs:  Number of components to generate

 Prompt for smartcards & PINs to be entered
Outputs:  Check value of smartcards

 Check value of new KTK
Example 1: This example demonstrates the use of the KM console command to generate
two KTK components on smartcards.
Secure> KM <Return>

Insert blank card and enter PIN: ****** <Return>
Writing keys...
Checking keys...
1 copies made
Insert blank card and enter PIN: ****** <Return>
Writing keys...
Checking keys...
1 copies made
KTK Check Value: ZZZZZZ
Secure>

All Rights Reserved

Install KTK (KN) Online  Offline  Secure 
Command: KN
Function: To install a KMD Transport Key (KTK) into the HSM.
Authorization: None
Inputs:  KTK Identifier: 2 numeric digits

 Number of components to use
 Prompt for smartcards & PINs to be entered
Outputs:  Check value of smartcards

 Check value of new KTK
Example 1: This example demonstrates the use of the KN console command to install a
KTK in KTK Id 01, using two smartcards.
Secure> KN <Return>
Enter KTK id [00-19]: 01 <Return>
Enter comments: KTK for KMD in secure room <Return>
KTK in selected location must be erased before
proceeding.
Erase KTK? [Y/N]: Y <Return>
Load KTK in components

Insert card and enter PIN: ****** <Return>
Check: ZZZZZZ
Insert card and enter PIN: ****** <Return>

Check: ZZZZZZ
KTK check: ZZZZZZ

KTK id: 01
KTK key scheme: Variant
KTK algorithm: AES-256
Comments: KTK for KMD in secure room
Secure>

All Rights Reserved

View KTK Table (KT) Online  Offline  Secure 
Command: KT
Function: To display the KTK table.
Authorization: None
Inputs:  None
Outputs:  List of installed KTKs
Example 1: This example demonstrates the use of the KT console command to display
the list of all KTKs currently installed in the HSM.
Online> KT <Return>
KTK table:
ID Scheme Algorithm Check Comments
01 Variant 3DES(2key) 292489 KTK for KMD in secure
room
03 Variant 3DES(2key) 549235 KTK for 2nd KMD
Online>

All Rights Reserved

Import Key encrypted under KTK (KK) Online  Offline  Secure 
Activity: command.kk.console
Command: KK
Function: To translate a key from encryption under a KTK to encryption under an LMK.
Authorization: The HSM must either be in the Authorized State, or the activity
command.kk.console must be authorized.
Inputs:  LMK Identifier

 Key Type Code
 Key Scheme (LMK)
 KTK Identifier
 Key encrypted under KTK
Outputs:  Key encrypted under LMK
Example 1: This example demonstrates the use of the KK console command to import a
double-length DES ZMK (key type 000) from encryption under KTK Id 01 to
encryption under LMK Id 02.
Online-AUTH> KK <Return>

Enter Key Scheme (LMK): U <Return>
Enter KTK id: 01 <Return>

<Return>
LMK encrypted key: U YYYY YYYY YYYY YYYY YYYY YYYY YYYY
YYYY
Online-AUTH>

All Rights Reserved

Delete KTK (KD) Online  Offline  Secure 
Command: KD
Function: To delete a selected KTK from the HSM.
Authorization: None
Inputs:  KTK Identifier
Outputs:  Display of relevant entry from KTK table.
Example 1: This example demonstrates the use of the KD console command to delete a
previously installed KTK (KTK Id 01) from the HSM.
Secure> KD <Return>
Enter KTK id: 01 <Return>
KTK table entry:

ID Scheme Algorithm Check Comments
01 Variant 3DES(2key) 292489 KTK for KMD in secure
room
Confirm KTK deletion [Y/N]: Y <Return>

KTK deleted from main memory
Secure>

All Rights Reserved
Appendix A: Error Responses Excluded

from Audit Log
If the option to Audit Error Responses to Host Commands is selected using AUDITOPTIONS, those errors
which may require attention by the HSM Administrators or Security Officers are logged. The following non-00
error responses are not included in the Audit Log:
Not Audited if error response is:

Cmnd 01 02 43
A6 X
BC X
BE X
BK X
BY X
CG X
CK X X
CM X
CO X
CQ X
CU X
DA X X
DC X
DE X
DU X X
EA X X
EC X
EE X
EG X
EI X
F0 X
F2 X
FA X
FU X
G2 X
G4 X
GO X

All Rights Reserved
Not Audited if error response is:

Cmnd 01 02 43
GQ X
GS X
GU X
J0 X
K2 X
KE X
KO X
P0 X
PG X
PY X
QQ X
QS X
QU X
QW X
XM X
XK X
ZU X

All Rights Reserved
Appendix B: Technical Support Contacts

Our team of knowledgeable and friendly support staff are available to help. If your product is under
warranty or you hold a support contract with Thales, do not hesitate to contact us using the link below.
For more information, consult our standard Terms and Conditions for Warranty and Support.
https://supportportal.thalesgroup.com/csm

All Rights Reserved
Contact us
For all office locations and contact
information, please visit
cpl.thalesgroup.com/contact-us
> cpl.thalesgroup.com <

007-000997-008 PayShield 10K Console Guide V1.8a Rev A

Uploaded by

Copyright:

Available Formats

007-000997-008 PayShield 10K Console Guide V1.8a Rev A

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

007-000997-008 PayShield 10K Console Guide V1.8a Rev A

Uploaded by

Copyright:

Available Formats

cpl.thalesgroup.

Date: May 2023

© Thales Group Page 2 of 256

2 Console Commands – Listed Alphabetically ........................................................................................ 6

3 List of commands by Function............................................................................................................ 10

4 Configuration Commands ................................................................................................................... 16

5 Fraud Detection Commands ................................................................................................................ 72

6 Diagnostic Commands ........................................................................................................................ 76

7 Local Master Keys ............................................................................................................................... 97

8 Operational Commands ..................................................................................................................... 125

© Thales Group Page 3 of 256

9 payShield Manager Commands ........................................................................................................ 218

10 Secure Host Communications........................................................................................................... 232

11 KMD Support Commands .................................................................................................................. 247

Appendix A: Error Responses Excluded from Audit Log .................................................................. 253

Appendix B: Technical Support Contacts .......................................................................................... 255

© Thales Group Page 4 of 256

© Thales Group Page 5 of 256

2 Console Commands – Listed

CONFIGCMDS Configure Commands (CONFIGCMDS) 21

© Thales Group Page 6 of 256

DT Diagnostic Test (DT) 77

HEALTHSTATS View/Reset Health Check Counts (HEALTHSTATS) 94

© Thales Group Page 7 of 256

PING Test TCP/IP Network (PING) 89

© Thales Group Page 8 of 256

UPLOAD Upload Software and Licenses (UPLOAD) 19

© Thales Group Page 9 of 256

3 List of commands by Function

Function (Command) Page

© Thales Group Page 10 of 256

3.2 Fraud Detection Commands

Function (Command) Page

3.3 Diagnostic Commands

Function (Command) Page

3.4 LMK Commands

Function (Command) Page

© Thales Group Page 11 of 256

3.5 HSM Authorization

3.6 Logging Commands

Function (Command) Page

3.7 Time and Date Commands

Function (Command) Page

3.8 HSM Settings, Storage & Retrieval

Function (Command) Page

© Thales Group Page 12 of 256

3.9 Key Management Commands

Function (Command) Page

3.10 Payment System Commands

Function (Command) Page

3.11 Smartcard Commands

Function (Command) Page

© Thales Group Page 13 of 256

3.12 DES Calculator Commands

Function (Command) Page

3.13 payShield Manager Commands

Function (Command) Page

3.14 Secure Host Communications Commands

© Thales Group Page 14 of 256

* New HSM software is currently being installed. *

* New HSM License is currently being installed. *