User Manual - Interbank Clearing – SIX

IBASEC
User Manual IBASEC
Version 3.18
14.10.2013
Solaris 10
Linux (Red Hat)
Windows Server 2008 R2
BBP Development
Version: 3.18
User Manual IBASEC
Date: 14.10.2013
Table of Contents
1 Introduction
2 Installation
3 Quickstart
  3.1 Configuration of a HSM
  3.2 Installation of Web Application
  3.3 Download of the Logs
  3.4 Change the date on the HSM
  3.5 Unlocking the HSM
  3.6 PIN changes for PED Key
  3.7 Key Management, Use Cases, Guidance
4 IBASEC Modules
  4.1 IBASEC Users and Login
  4.2 SYSMAN - System Management Module
  4.3 IBASEC - Host Interfaces
  4.4 KRYPTO - HSM Interface
  4.5 AUDIT - System Audit
  4.6 USRMAN – User Management
  4.7 BPMAN – Business Partner Management
  4.8 APPMAN – Application Management
  4.9 KEYMAN - Key Management
  4.10 PROFMAN - Cryptographic Profile Management
  4.11 CERTMAN - Certificate Manager (for SECOM)
5 HSM Setup and Handling
  5.1 HSM Initialization
    5.1.1 Set Date and Time
    5.1.2 Unlock HSM
  5.2 Key Storage Operation and PED Key Operation
    5.2.1 Enter Password
    5.2.2 Configure Web Server
    5.2.3 Installation and Un-Installation of the Web Application
  5.3 Start and Stop of the Web Application
    5.3.1 Start Web Server
    5.3.2 Stop Web Server
  5.4 HSM States
  5.5 Download Logs (Maintenance Work)
  5.6 Backup and Restore
    5.6.1 Key Backup
    5.6.2 Key Restore
6 Key Management
  6.1 Passwords
  6.2 Key Generation
    6.2.1 Generation of local certification keys
    6.2.2 Generation of Production Keys
    6.2.3 Generation of TINT Keys
    6.2.4 Important remark
  6.3 Key Export
  6.4 Key Import
  6.5 Validation of the Keys
  6.6 Miscellaneous Key Management Functions
  6.7 Import the Provider Keys
  6.8 Generation of the Production Keys
  6.9 Import and Validation of the SIS Root Certificate
  6.10 Import the SIS Certificate
  6.11 Create a Certification Request
  6.12 Import of a SIS certification
  6.13 Make a Key Backup
  6.14 Restore Keys
  6.15 Delete one Key
  6.16 Delete all Keys
  6.17 Import old LOCERT Public Key
  6.18 Import of migrated Keys from the Database
  6.19 Search and Find a Key
7 Privileges of IBASEC Users
8 FAQ
9 Use Cases
  9.1 Use Cases Overview
  9.2 Case 1: Install IBASEC from the CD
  9.3 Case 11: Connect a new HSM with "Premium Rollout"
  9.4 Case 12: Check the State of the HSM (get status)
  9.5 Case 13: Change or set parameters
  9.6 Case 14: HSM Initialization
  9.7 Case 15: Change and set passwords
  9.8 Case 16: Installation of a new Web Server Application Software
  9.9 Case 17: Execute maintenance work and use of log files
  9.10 Case 18: Setup a zeroized HSM (Premium Rollout)
  9.11 Case 19: Change PIN code on HSM
  9.12 Case 32: Generate a local verification key (LOCERT)
  9.13 Case 33: Create a production key pair
  9.14 Case 34: Export your public key to the provider (SIC)
  9.15 Case 35: Import a public key from SIC
  9.16 Case 36: Verify an imported external public key
  9.17 Case 37: Backup key partition
  9.18 Case 38: Restore key partition
  9.19 Case 39: Distribute public keys to further HSMs
  9.20 Case 40: Delete a key (or all keys)
  9.21 Case 41: Certification of SECOM Private Keys by SIS
  9.22 Case 42: Deactivation of a Key
  9.23 Case 61: How to report a malfunction of IBASEC and/or the HSM
10 Audit Events and their Severities
(print date : 2013-10-14)
Confidentiality
Without authorization by SIX Interbank Clearing AG (SIC AG) this document may not be copied or
distributed.
History
Version  Date        Author         Description
1.0      06.07.2006  O. Wirth, BBP  user manual for pilots
2.1      24.01.2007  O. Wirth, BBP  Modules, Use Cases
2.3      26.03.2007  OW             after 2. SIC review
3.0      31.08.2007  OW             Release 3.1.4 and 3.2.0
3.1      29.02.2008  OW             Maintenance Release
3.2      19.09.2008  OW             new features, log parser....
3.3      30.10.2008  OW             return code 008/014.
3.4      28.08.2009  OW             complete list of privileges
3.5      08.03.2010  OW             key management with SIS
3.6      30.09.2010  OW             more Use Cases
3.16     30.06.2011  OW             more Use Cases
3.17     02.09.2012  cgu            minor changes
3.18     14.10.2013  cgu            updated text and screenshots
Documentation
Title: User Manual IBASEC
Filename: UserManual.pdf
References
(Title; Date; Reference)
Functional Specification for IBASEC 3 with SafeNet Luna SP; 26.4.2006; SPECS
Release Notes for Solaris 10 or Windows Server 2008 R2; latest on your CD; RN
SIC / euroSIC User Manual; www.SIC.ch
Certificate and certification management for the SECOM application using IBASEC; 17.09.2010; CERT1
SIS FrontLine, IBASEC3: 2Kbit certification of private keys (client side); 04.07.2008; CERT2
BBP believes that the information contained in this document is correct at the time of publication.
Nevertheless, BBP reserves the right to make changes as seen fit. The information contained
herein cannot be considered as a binding commitment on the part of BBP vis à vis third parties.
Furthermore, BBP recognizes the ownership of brand and product names belonging to other
companies, mentioned in this document.
1 Introduction
The following documentation describes the functionality and the important use cases of the
IBASEC implementation. The document is structured in the following sections:
Quickstart for HSM configuration and key management (sec. 3 for the experienced user)
Short explanation of the modules of the server software (sec. 4 for the sysadmin)
HSM setup and handling reference (sec. 5 as a reference manual)
New key management operations (sec. 6 for the security officer)
The most important use cases (sec. 9 for the operator)
2 Installation
For details of the installation, please refer to the Installation Guide on the CD [INSTALL]. For the
Solaris version, it is important to install the LibC patches as recommended in the Release
Notes [RELEASE]. In addition, it is also recommended to install the latest patch cluster.
3 Quickstart
3.1 Configuration of a HSM
The HSM LunaSP should come from the distributor in an IBASEC-ready state (Premium Rollout).
The configuration was made according to your specific order (IP address, etc.).
If you would like to configure the HSM yourself (and you have the necessary privileges) it is
recommended that you proceed with the Use Cases in section 9 or in four steps as follows:
Windows: for registering the HSM fingerprint, a PuTTY connection is needed.
STEP 1: Setup of the HSM connection interface
GUI: Krypto - Configure Krypto - IP Address = 192.9.200.1
The HSMs are connected through a safe private LAN (default 192.9.200.x) to the IBASEC server.
There are between 1 and 15 connections between the IBASEC server and the HSMs.
STEP 2: Add a new HSM or modify a registered HSM
GUI: Krypto - Configure - New… (add new HSM)
enter the IP address of the HSM (compare with the specifications that come along with the
HSM from the distributor)
the subnet mask of the HSM private LAN could be 255.255.255.0 (a class C network)
Max. Password entries: allow 5 consecutive wrong password entries until the HSM is locked
Autostart lets the HSM be connected automatically after startserver
the HSMs are always in Unattended Mode (GC720 could be run in OfficeMode too)
A registered HSM could be modified via GUI: HSM - Initialize HSM - Network Settings. If you use
all default settings you could skip steps 1 and 2.
STEP 3: Set Passwords
Check your privileges and be ready to interact with the Admin PED key (blue key). See also
section 6.1 and follow Case 11:
Set HSM Admin Password from your PIN Letter.
Set HSM Partition Password from your PIN Letter.
With Windows: first make a PuTTY connection to the HSM to register its fingerprint.
Enter the Admin Password from your PIN Letter to save it with the IBASEC server.
Do the same with the Partition Password (see Case 11).
STEP 4: Start the Web Application
After a cold start of your HSM it is recommended to start the web server first:
GUI: HSM - HSM Operations - Start Web Server
If the web server is not started when you open the HSM in the Krypto window, IBASEC falls into
the recovery state and starts the web server automatically (it takes about 2 minutes).
STEP 5: Open the HSM
GUI: Krypto - select a HSM - Open: This connects the HSM and brings it to the "Connected ActiveUnatended" mode.
3.2 Installation of Web Application
Should you ever have to update the web application (web appliance) of the Tomcat
web server of the HSM, do the following steps:
first read the "readme" on the CD that comes with the new application software
load the web application release to your IBASEC server (script is on CD)
GUI: HSM and mark the HSM to be configured
GUI: HSM Initialization (needs security privileges)
GUI: Uninstall Application (the current installation has to be removed first)
GUI: Install Application and select the designated version of software (e.g. luna104)
GUI: after the successful installation start the web server and open the HSM
3.3 Download of the Logs
The automatic daily maintenance run saves a complete set of log files to the IBASEC log directory
($IBA_LOG). In addition to these daily files you can download an ad hoc set of log files for
specific analysis of the current situation. Select from the GUI:
HSM and mark the HSM in the list
HSM Operations
Download Logs..
The downloaded files are accessible in the log directory (cd $IBA_LOG)
3.4 Change the date on the HSM
The IBASEC server and the HSM(s) should be synchronized, i.e. running the same date and time.
For this purpose select from the GUI:
HSM and mark the HSM to be configured
HSM Initialization (needs security privileges)
Set Date and Time and confirm the configuration window
3.5 Unlocking the HSM
The dialog between the IBASEC server and the HSM is protected with the application password.
The maximum number of allowed password entries is set in the HSM Configuration Window. After that
number of consecutive wrong password entries the HSM is "Locked". With the GUI function HSM - HSM
Initialization - Unlock HSM the HSM can be unlocked again.
3.6 PIN changes for PED Key
The PIN codes of the PED keys (blue and black) could be changed (see Case 19). An empty PIN
code (just press Enter) is allowed and recommended.
3.7 Key Management, Use Cases, Guidance
Set-up of the first HSM for the productive IBASEC sessions
Steps                                         Reference
Generate local certificate                    See section 6.2.1
Import the provider keys                      See section 6.7 and 6.8
Import or generate your production keys       See section 6.4 and 6.8
Make a Backup of the keys                     See section 6.13

Set up of the next HSM for a productive IBASEC session
Steps                                         Reference
Restore the backup of the first HSM

Generate a productive key and send it to SIC
Steps                                         Reference
Generate a productive key pair                See section 6.8
Export file as self-signed certificate        See section 6.3
Make a backup of the keys                     See section 6.13

Import of a SIC key
Steps                                         Reference
Import a key as self-signed certificate       See section 6.4
Import a key in IBASEC2 Format                See section 6.4
Make a backup of the keys                     See section 6.13

Generate a productive key and send it to SIS
Steps                                         Reference
Generate a productive key pair                See section 6.8
Create a certification request                See section 6.11
Make a backup of the keys                     See section 6.13

Import of a SIS certificate
Steps                                         Reference
Import the ROOT.CRT                           See section 6.9
Import of a certificate                       See section 6.12
Make a backup of the keys                     See section 6.13

Import of migrated keys
Steps                                         Reference
Load old LOCERT key                           See section 6.17
Load of a key out of the IBASEC Database      See section 6.18
Make a backup of the keys                     See section 6.13

Delete one key on a HSM
Steps                                         Reference
Delete one key                                See section 6.15
Delete all keys
Steps                                         Reference
Delete all key                                See section 6.16
4 IBASEC Modules
4.1 IBASEC Users and Login
All interactive users of the IBASEC server must login to the server before they can perform any
actions. The actions a user is allowed to perform will depend on the ‘User Category’, which is
assigned to the user.
The user categories are as follows:
Security Officer
Is responsible for the security aspects of the system. E.g.:
The creation and management of user accounts
(see section ‘USRMAN – User Management’).
Key management functions (see section ‘KEYMAN – Key Management’).
Management of Business partner information (see section ‘BPMAN – Business
Partner Management’).
Management of cryptographic profiles (see section ‘PROFMAN – Profile
Management’).
Management of application information and application users.
(See section ‘APPMAN – Application Management’).
Note – many of these operations require confirmation by a second
Security Officer, so at least two Security Officer users must be defined in an
IBASEC server.
Administrator
Is responsible for the non-security related administration of the system. e.g.:
Making and reloading of backups (see section ‘SYSMAN – System Management’).
Configuring HSM interfaces (see section ‘KRYPTO – HSM Interfaces’).
Configuring IBASEC interfaces – (see section ‘IBASEC –
Host Interfaces’).
Any number of Administrator Users can be defined.
Auditor
Can view and search the system Audit and message log databases.
(See section ‘Audit – System Audit’).
Any number of auditor users can be defined.
Operator
Is responsible for the day to day operation of the server. e.g.:
Starting and stopping the server, and monitoring its operation
(see section ‘SYSMAN – System Management’).
Opening and closing IBASEC interfaces and monitoring their operation.
Opening and closing KRYPTO Interfaces and monitoring their operation.
Any number of Operator Users can be defined.
The installation of the system provides an initial set of users as follows:
Username        Password       Category
operator1       operator       Operator
administrator1  administrator  Administrator
security1       security       Security
security2       security       Security
auditor1        auditor2       Auditor
Once a user is logged in, the functions, menus and screens that the user can see will depend on
his user category. In particular, the main menu will contain only the modules that the user is
allowed to access.
To access the user functions of the IBASEC server, you must first login. To login to the IBASEC
server you must run the IBASEC User Interface program. The procedure to do this will depend on
whether you are using SUN Solaris or Windows as follows:
Login to the UNIX ibasec account on the server machine e.g.
login: ibasec
Password:
Last login: Wed Sep 23 13:52:12 from obiwan
Sun Microsystems Inc.
SunOS 5.6
Generic August 1997
ibasec@jedi 31 %
If you have logged in remotely you must set the DISPLAY variable to point to your remote display e.g.
ibasec@jedi 32 % setenv DISPLAY mycomputer:0.0
Now run the user interface program as follows:
ibasec@jedi 33 % startibasec
The login screen should now be displayed.
With the Windows version, select the IBASEC program "Ibasec Login" from the <Start> menu.
the IBASEC Main menu
4.2 SYSMAN - System Management Module
The System Management module (SYSMAN) allows the IBASEC server to be started/stopped and
monitored.
To access the full functions of this module you must be a user in the Operator user category.
The monitoring functions are also accessible by users in the Admin user category.
For details of other system related activities e.g.
Making a full backup of the server
Saving Audit and Message Log files
Configuring Audit events scripts
The SYSMAN component manages and monitors the system state. The following states of the
system are possible:
State     Comment
Down      This is the state before the system has been started or after it has been shut down. Only users in the ‘Operator’ User-Category can log in in this state.
Startup   This is the state when an Operator User has requested a start of the system. This is a transient state and the system should reach either the Online, Offline or Error state within 30s-60s. Only users in the ‘Operator’ User-Category can log in in this state.
Online    All processes of the system are running, and there is at least one HSM attached. Both Test and Production sessions are possible.
Offline   All processes of the system are running, BUT there is no HSM attached or online. Only test sessions are possible with dummy cryptographic operations.
Shutdown  The system is closing down.
Updating  A backup is being restored.
Error     Either the system failed to start, or an error occurred while the system was running. The system should be shut down.
After some seconds (depending on the speed of your machine) the system should reach the
‘offline’ state (if no HSMs are online), or ‘online’ (if at least one HSM is online). This can be seen
from the ‘system state’ field in the ‘Overview’ screen.
Once the system reaches the offline or online state, users belonging to other user categories can
now log in.
Backup and Restore of Database Files
The SYSMAN module provides functions to backup and restore the IBASEC Server’s database
files.
A backup of the database should be made whenever significant configuration changes are made.
A backup can also be used to transfer configuration from one IBASEC installation to another.
Note – the backup contains only configuration information e.g.
The configuration of the IBASEC interfaces.
The configuration of the KRYPTO Interfaces.
The KEYMAN key information.
Business partner information from BPMAN.
Application, and Application users information from APPMAN.
Cryptographic profile information from PROFMAN.
Interactive user information from USRMAN.
Audit configuration from Audit.
It does not contain
The program executables.
The event log or message log.
See section ‘System Management Information’ for details of how to back these up.
Backing up the Databases
To make a backup of the databases:
The system must be in the down state.
You must load a tape in the tape drive attached to the IBASEC Server Machine.
You must choose a name to identify the backup. This name will be used to retrieve the backup
from the tape later.
Select 'Save' from the ‘Backup’ menu on the ‘SYSMAN Overview’ screen. Enter the tape
device and the name of the backup, and click save. The backup will proceed.
Restoring the Databases
To restore the databases from a backup:
The system must be in a down state.
Load the tape in a tape-drive, which is attached to the server machine.
Select the ‘Load’ option from the ‘Backup’ menu on the ‘SYSMAN Overview’ screen.
Enter the tape device and the name of the backup to be loaded. Click ‘Load’. The load will
proceed.
Note – the load will fail if:
A backup set with the specified name is not found on the tape.
The backup was made from a server running a different version of software than this one.
The backup was made on a machine with a different configuration from this one, for example
the two systems have a different number of IBASEC interfaces.
In every case the system will be left untouched.
4.3 IBASEC - Host Interfaces
The IBASEC module provides functions for the configuration and monitoring of the Host Interfaces
of the IBASEC Server. It is via these interfaces that Host Applications access the security services
of the server for signing/verifying, encrypting/decrypting messages etc.
For details of how to configure Host Applications please refer to section ‘APPMAN – Application
Management’.
The exact number and types of the IBASEC interfaces in any particular server will depend on the
operating system being used and how the server was configured at installation time. However the
maximum number of interfaces possible is as follows:
Unix and Windows:
up to 4 TCP/IP interfaces
up to 1 CORBA interface (over TCP/IP)
TCP/IP Interfaces
The values should normally be set when the server is installed. If you need to change them please
refer also to the Installation Guide.
The values have the following meanings:
The Interface Name is set at installation time and cannot be changed.
IP Address should be set to the IP Address of the IBASEC Server Machine on the Bank’s
TCP/IP network.
Service should be set to correspond with the service name, which was defined in the services
during the installation procedure. Consult your system administrator.
Max Sessions – determines the maximum number of simultaneous sessions that this interface
can support (values 1-40)
Max Window – the maximum window size that this interface can support (values 0-99)
Character Set should be set to ASCII or EBCDIC as is required by the Host applications, which
will access the server.
Auto Start – if set on, the interface will always open when the server software is
started.
Secure – this option is not available in this release.
The CORBA Interface
The values should normally be set when the Server is installed. The values have the following
meanings:
The Interface Name is set at installation time and cannot be changed.
Max Sessions – determines the maximum number of simultaneous sessions that this interface
can support (values 1-20) – for details of IBASEC Sessions see reference [1].
Auto Start – if set on, the interface will always open when the server software is
started.
Secure – this option is not available in this release.
Character Set should be set to ASCII or EBCDIC as is required by the Host applications, which
will access the server.
Controlling and Monitoring Interfaces and Sessions
Before a Host Application can access the functions of the Security Server, the corresponding
interface of the server must be ‘opened’.
This can be done in one of two ways:
By selecting the interface from the ‘IBASEC Overview’ screen and clicking on the ‘Open’ button, or
by setting the auto-start flag for the interface. This will mean that the interface is opened
automatically when the server is started.
PEM Message Size
For PEM operations, the message size (header plus body) is limited to 103’600 bytes. In practice,
this means that the maximum payload is roughly 100’000 bytes. Larger messages will fail with a
“message too big” error.
4.4 KRYPTO - HSM Interface
The KRYPTO module provides facilities to configure and manage the HSM Private Network and
the connections with the HSMs. To monitor and control the HSMs you must be a user in the
Operator user-category. To be able to monitor and control and configure the interfaces you must
be a user in the Administrator user-category.
Each HSM is uniquely defined by its ‘unit address’, which is assigned to the HSM at installation
time – please refer to reference [INSTALL] for details of the HSM installation procedures. This unit
address also defines the IP address of the HSM according to the following formula ‘IP address =
192.9.200.<unit address>’.
The IBASEC server KRYPTO interface also has an IP address in the same network – which is
normally 192.9.200.1. All HSMs know this address and will attempt to send event information to it.
If there is a conflict of IP addresses, then this default setting can be modified by the user. The IP
addresses can be modified to a value between 192.168.0 and 192.168.255.
The IBASEC server is preconfigured to support one HSM with unit address 31. The server can
support a number of HSMs, which can be added by a user in the administrator category through
the configuration options of the KRYPTO module.
The number of HSMs currently configured and their statuses are visible at any time in the ‘KRYPTO
Overview’ window.
Note – if no HSMs are connected, or no HSMs are online, the IBASEC Server will be offline and
only ‘dummy’ operations will be possible using test sessions. You should configure the server with
at least one HSM even if you want to operate in dummy mode.
Setting the KRYPTO Master Configuration
The KRYPTO master configuration defines the IP address of the IBASEC server on the HSM
private network, and the IP port on which the server will listen for event information from HSMs.
These values should normally be set to 192.9.200.1 (the port is set by default to 9720).
If you have chosen a different Network address for the HSM private network you should set the
address of the KRYPTO Interface to be <Your Network>.1 (e.g. 192.168.9.1). The Port number
should not be changed.
The KRYPTO master configuration can be changed by selecting the ‘Configure KRYPTO’ option
from the ‘Configure’ menu. It is only possible to modify the configuration if all HSMs are closed.
Adding a new HSM
To add a new HSM select the ‘New’ option from the ‘Configure' menu on the ‘KRYPTO Overview’
screen. The following screen will be displayed:
The fields should be entered as follows:
HSM – a unique name, which can be used to identify the HSM. E.g. ‘HSM31’ or ‘Master-HSM’
etc. (mandatory).
Unit address – the unit address of the HSM (mandatory).
IP – the IP address of the HSM (this is for information purposes only and will be filled by the
IBASEC Server).
Description – a free text description (optional).
Subnet Mask – should be 255.255.255.0 (mandatory).
Applications – by using the >> and << buttons you can select for which of the available
applications this HSM will be used. Note - you should ensure that this corresponds with the
keys, which are actually loaded in the HSM (mandatory).
Autostart – by selecting this option this HSM link will be started automatically when the IBASEC
Server is started.
Comm Timeout – This is the time period, which the IBASEC Server allows for the HSM to
respond to requests. A value of 3 seconds is typical (mandatory).
Poll Interval – This value determines how often the IBASEC Server will poll the HSM to check
the connection with it and its status. A value of 30 seconds is typical (mandatory).
Modifying HSM Configuration
The configuration of a HSM can be modified by selecting its entry in the ‘KRYPTO Overview’
screen and choosing the ‘Modify’ option from the ‘Configure’ menu.
Note - the HSM must be closed before you can modify its configuration.
The following fields can be modified (see the previous section for the possible values):
HSM
Description
Sub-net
Applications
Auto-start
Comm Timeout
Poll Interval
Note - You cannot modify the unit address within the HSM configuration. If you wish to change the
unit address of the HSM you must create a new configuration entry for the new unit address.
The modification is active next time the link to the HSM is
opened.
Deleting a HSM
The configuration of a HSM can be deleted by selecting its entry in the ‘KRYPTO Overview’ screen
and choosing the ‘Delete’ option from the ‘Configure’ menu.
Note - the HSM must be closed before it can be deleted.
The deletion is immediately active.
Controlling and Monitoring HSMs
The ‘KRYPTO Overview’ window shows the current status of all the HSMs currently configured in
the Server.
The screen shows the following information:
HSM - The name of the HSM as entered via the configuration screen.
Status - the current status of the HSM connection. See below for the list of statuses and their
meaning.
Transact - the number of operations that this HSM has performed since its link was opened.
Queue - the number of requests that are queued to this HSM.
Overload - the number of times this HSM has reported an overload condition. This is for
information only.
Transact/s - the maximum number of transactions per second processed by this HSM since the
connection was made.
Transact/h - the maximum number of transactions per hour processed by this HSM since the
connection was made.
The statuses of a HSM connection are as follows:
Status – Comment
Closed – There is currently no connection with the HSM.
Connecting – The IBASEC Server is creating a connection with the HSM.
Fetching Keys – The IBASEC Server is fetching the list of keys from this HSM.
Online – The IBASEC Server has a connection with the HSM and it is available for Cryptographic
operations.
Offline – The IBASEC Server has a connection with the HSM but it is currently offline (see the HSM
User Manual reference [3]).
Error – Either no connection could be established with the HSM, or the HSM reports an error. In
each case the IBASEC server will continue to try to make a connection until either it is successful,
or it is stopped by a user.
Corrupted Verify – A verification has failed on this HSM but was successful on another. This
means that this HSM is suspect and has been put offline.
The connection with the HSM can be opened or closed manually by selecting the HSM from the
‘KRYPTO Overview’ window and clicking on the ‘Open’ or ‘Close’ button as appropriate.
A HSM can be opened at any time and as soon as it reaches the Online state it will be used for
cryptographic operations.
A HSM can be closed at any time. Any outstanding operations will either be re-routed to another
HSM or will be returned to the caller.
The ‘Remote’ menu on the ‘KRYPTO Overview’ window allows some information to be obtained
from a specific HSM. Note the HSM must be online for these options to be active. Select the required HSM from the ‘KRYPTO Overview’ window and issue the command:
Get Date and Time – shows the current date and time as set in the HSM.
Get Status - retrieves the current status of the HSM.
4.5 AUDIT - System Audit
The Audit module provides functions to manage and view the central audit-trail database. This
contains details of all errors, and significant events within the system. The Audit module also
contains functions to manage the message logs, which are optional logs of data-flow through the
server. As a new functionality, it also offers a tool for easy analysis of some HSM logs.
With the IBASEC version 3.3.9 or later, another new functionality has been added to the Audit
Maintenance: the $IBA_LOG directory will be cleaned up after each Audit Maintenance, i.e. all
subdirectories of $IBA_LOG older than 30 days (this is the default, otherwise set the holding time
with IBA_HSM_LOG_MAX_DAYS) will be deleted.
The Audit database can be viewed by users belonging to the Operator, Auditor or Administrator
user-categories. To configure the Audit module a user must belong to the Administrator
user-category. To search the Audit database and message log files a user must belong to the Auditor
user-category.
Auditable events fall into two categories:
System events – e.g. system started, system stopped, interface opened, etc.
Security events – e.g. key added, verification failed, etc.
Within each category events also have a severity:
Info
Warning
Error
All events are always stored in the Audit-Trail database. They can also optionally be printed in
real-time to a printer, which is attached to the server. Some events of type error can also trigger an
alarm script, which can be used for example to access a pager system.
The Audit module performs a daily maintenance during which it will create archives of the Audit
Trail, and delete audit trail and message and audit files older than a configurable number of days.
The audit maintenance can also run a user supplied script, which can be used for example to
transfer audit archive files and message log files to another machine for archiving.
Viewing the Audit Trail
The entire audit trail is visible from the ‘Audit’ main window.
Where
Date/Time – indicates when the event happened.
Type – indicates whether the event is a System event or a Security event.
Severity – indicates the severity of the event i.e. Info, Warning or Error.
ID – is a number uniquely identifying the exact event.
Facility – indicates for example which HSM originated the event, or which IBASEC interface
originated the event.
The scroll bars allow the whole trail to be viewed. The screen also shows the current number of
entries in the audit trail (Event Database) and the current number of entries in the message
logs, plus details of when the last maintenance occurred.
Searching and Viewing the Message Log
If message logging is active a user from the Auditor User-Category can also search the Message
Logs:
The message logs are searchable based on the following parameters:
Date/Time – When the message was received, including before, after, between etc.
Req Type – The type of request performed. One of the following: Sign, Verify, Hybrid Crypt, Hybrid
Decrypt, Sign Plain, Verify Plain, Encrypt Plain, Decrypt Plain, Sign and Encrypt Plain, Decrypt and
Verify Plain, Hash Plain.
User ID – The identification of the Application user.
Source BP – The BP-Id of the sender of the message.
Dest BP – The BP-Id of the receiver of the message.
Result – The result of the operation (in the form nnn/mmm – major error code, minor error code
e.g. ‘008002’, see reference [1]).
The results are displayed in a window from which it is also possible to view the exact content of a
particular message.
Searching the message logs can take some time, and can also adversely affect the performance of
the system. Therefore the result is limited to the first 100 messages found to fulfil the search
parameters.
Analyze the HSM Logs
This functionality is only available with the IBASEC version 3.3.9 (Solaris 10) and later.
The HSM produces a lot of log files. After each manual "Download Logs" or the daily automatic
"HSM Maintenance", the HSM log files are parsed automatically and old log directories are
cleaned up (IBA_HSM_LOG_MAX_DAYS, default is 30). That means that the daily HSM log file
directory will be parsed for critical events. These are the parameters that control the HSM log file
parser:
The environment variable (or registry entry on Windows) IBA_HSM_MAINTENANCE_TIME
sets the daily time of the HSM maintenance. If unset, the default is 02:30.
Example: IBA_HSM_MAINTENANCE_TIME="18:30"
The HSM log parser is switched on by default. To disable the log parser, set the environment
variable (or registry entry on Windows) IBA_LOGPARSER=0
The HSM maintenance produces a new directory each day, like this:
$IBA_LOG/HSM31_20080617. These directories can be selected for parsing with the following
windows.
Audit > HSM Logs...
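Because the clean-up deletes log directories past IBA_HSM_LOG_MAX_DAYS, it helps to list what is about to expire so it can be archived first. The script below is an added example, not part of IBASEC; it assumes that the age of a directory is taken from the YYYYMMDD suffix of its name (the manual does not say how the server decides), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of IBASEC: list the HSM log directories that are
# past the retention period, so they can be archived before the clean-up.
# Assumption: age is derived from the YYYYMMDD suffix of the directory name
# (e.g. HSM31_20080617) and "older than N days" means age > N.

# days_from_ymd <YYYYMMDD>: days since 1970-01-01 (Gregorian calendar).
days_from_ymd() {
    y=${1%????}; md=${1#????}
    m=${md%??}; d=${md#??}
    m=${m#0}; d=${d#0}            # avoid octal parsing of 08 and 09
    # Shift the year to start in March so the leap day falls at its end.
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * m + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# expired_dirs <log-root> <today YYYYMMDD> [max-days]
# Prints one expired directory per line. max-days falls back to
# IBA_HSM_LOG_MAX_DAYS and then to the documented default of 30.
expired_dirs() {
    max=${3:-${IBA_HSM_LOG_MAX_DAYS:-30}}
    case $max in
        ''|*[!0-9]*) echo "invalid max-days: $max" >&2; return 2 ;;
    esac
    today=$(days_from_ymd "$2")
    # The glob is a coarse filter on the name, not a full calendar check.
    for dir in "$1"/*_[12][0-9][0-9][0-9][01][0-9][0-3][0-9]; do
        # Only real directories count; skip plain files and symlinks.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        stamp=${dir##*_}
        age=$(( today - $(days_from_ymd "$stamp") ))
        [ "$age" -gt "$max" ] && printf '%s\n' "$dir"
    done
    return 0
}

# Stand-alone use: <script> <log-root> [max-days]
[ "$#" -eq 0 ] || expired_dirs "$1" "$(date +%Y%m%d)" "${2:-}"
```

Run it with "$IBA_LOG" as the log root shortly before the configured maintenance time and archive the directories it prints.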
Result Codes
The IBASEC server adds an error code to the EDIFACT header of each message. This code
consists of two three-digit numbers: The major and minor error codes. A successfully processed
message has a code ‘000’. Example of an error: ‘008002 - parameter errors, unknown BP id’. The
list below shows these errors.
Major  Minor  Meaning
000           Success.
001    -      Window size exceeded.
002    -      Unknown function. This will raise a CORBA standard exception.
003    -      Request received without a session. This will raise a standard CORBA exception
004    -      System Error.
005    -      Security Error.
006    -      Session closed by server.
       001    Server has gone into an offline state.
       002    Operator requests a session close.
       003    Communications error detected.
       004    Server closing down.
       005    Invalid test session
007           Format errors.
       001    Message data too short or missing.
       002    Message data too long.
       003    Signature too short.
       004    Signature too long.
       005    Invalid length.
       006    Invalid offset.
       007    Invalid EBCDIC character.
       008    Invalid ASCII character.
       009    Key too short.
       010    Key too long.
       011    Invalid HEX character.
       012    Invalid Date.
       013    IV Too Short.
       014    IV Too Long.
       015    Certificate too short.
       016    Certificate too long.
       017    Offset too long
       018    Trailer too long
       019    Invalid message length
       020    Key length not zero
       021    IV length is not zero
       022    IV length is zero
       023    Field not decimal
       024    Invalid Certificate
008           Parameter errors.
       001    Illegal Parameter.
       002    Unknown BP id.
       003    Unknown algorithm descriptor.
       004    Unknown HSM.
       005    Unknown Certification Authority.
       006    Unknown Filter Type.
       007    Unknown Code Type.
       008    Unknown Usage Type
       009    Unknown Continuation Flag
       010    Unknown Mode of Operation
       011    Invalid Char
       012    Invalid Mode of Operation
       013    Illegal Algo Description
       014    BP in TEST >=6 chars (since 3.3.9)
009           Session Errors.
       001    A request for a session contains an incorrect server id.
       002    An unknown user is requesting a session.
       003    An unknown application has been requested.
       004    Wrong function. Function not allowed for this application id.
       005    (Not Used).
       006    A user has requested use of an application, which he is not allowed to use.
       007    There are too many sessions.
       008    This application is not allowed to create a session of this type.
       009    This User-Id is not allowed to create a session of this type.
       010    Management sessions not allowed for this application id.
       011    Production session not possible.
       012    Wrong window size.
       013    Test session not allowed
       014    Listener is missing
       015    Interface is closed
       016    Security Session not possible
010           EDIFACT Errors.
       001    The format of an EDIFACT message is not correct.
011           Key Errors.
       001    No Public Key.
       002    No Secret Key.
       003    No certificate for CA.
       004    Key not accessible.
       005    Key already loaded
012           Verification Error.
       001    Message verification failed
       002    Message to be verified out of validity window
013           Interchange Errors.
       001    No interchange.
       002    An interchange already exists.
       003    Discontinuity in Part Number
014
       001    Illegal PEM format
       002    Missing mandatory field
015
       001    Feature not supported
Configuring Audit
The ‘Configure’ menu on the ‘Audit’ main window allows the audit configuration to be modified:
Audit Configuration
For Audit the following can be configured:
Audit Printer – the identity of the printer to be used to print audit events (optional).
Typical values are:
on Unix: /dev/ttyb
on NT: COM1
Leave the field empty if you do not want to print events.
Alarm Script – the identity of the script to be called when alarm events occur (optional).
Storage Period – the number of days for which audit event related information will be stored.
Message Log Configuration
For Message Logging the following can be configured:
Storage Period – the number of days for which Message Log files are kept.
Commit – This flag indicates whether writes to the message log files will be committed per write.
Setting this flag will provide more security against a lost file in case of an error or crash, however at
the expense of some performance (i.e. on = safer but slower).
The applications windows indicate for which applications message logging is active. Use the >>
and << buttons to change this.
Note - a change of message logging status for an application will not affect currently open sessions
for that application. i.e. if message logging is turned off, sessions which are currently logging for
the application will continue to do so until they are closed. Conversely if message logging is turned
on for an application message logging will begin with the next new session opened for that
application.
Audit Maintenance Configuration
For Audit Maintenance the following can be configured:
Time - the time of day when the audit maintenance should run. It is recommended to choose a
time outside of your normal operational day, as, although maintenance can occur whilst data is
flowing through the server, there can be some impact on performance.
Maintenance Script - the identity of a user supplied script to be run as part of the audit
maintenance procedure. The shell script should be placed in the $IBA_SCRIPT directory. The
working directory for output files would be IBASEC's home directory (/opt/ibasec)
Audit Alarm Scripts
The IBASEC Server considers some audit events to be ‘Alarm’ events, and for these it can call a
user supplied ‘Alarm Script’ which could for example forward the message to a Paging system.
See the section “Error Codes” for the full list of events including all alarm events.
For each of these events the Audit module can call a user supplied script with a name as
configured in the Audit Configuration. The script should reside in the ‘scripts’ directory, the exact
location of which depends on how your system was installed.
In a typical installation this would be as follows:
Unix: /opt/ibasec/<server-id>/scripts
Windows: C:\Program Files (x86)\Ibasec3\<server-id>\var\script
On Unix the environment variable $IBA_SCRIPT points to this directory.
The calling interface for the script is:
Scriptname <event-id> <event-type> <severity> <facilitycode> <facilitysubcode> <text>
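A minimal alarm script for the calling interface above, added here as an example and not shipped with IBASEC. It treats all six arguments as untrusted strings and writes one record per event, so that event text cannot split or forge entries in the alarm log. ALARM_LOG, ALARM_SYSLOG, the function names and the record layout are assumptions of this example; the manual does not define the value format of the arguments.

```shell
#!/bin/sh
# Added example, not shipped with IBASEC. Called by the Audit module as:
#   Scriptname <event-id> <event-type> <severity> <facilitycode> <facilitysubcode> <text>
# Assumptions: ALARM_LOG and ALARM_SYSLOG are settings of this script only;
# the manual does not define the argument value formats, so all six
# arguments are handled as untrusted opaque strings.

# sanitize <value> <max-len>: drop control characters (CR/LF included),
# replace double quotes and backslashes, and cap the length, so that one
# event can never split or forge a record in the alarm log.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177' | tr '"\\' "'/" | cut -c "1-$2"
}

# token <value>: sanitize a short field and keep it free of the
# separators used in the record (space and '=').
token() {
    sanitize "$1" 32 | tr ' =' '__'
}

# format_alarm <six arguments>: print one key=value record.
# Returns 2 (and prints a marker record) if the argument count is wrong.
format_alarm() {
    if [ "$#" -ne 6 ]; then
        printf 'id=? type=? severity=? facility=?/? text="malformed call: %s args"\n' "$#"
        return 2
    fi
    printf 'id=%s type=%s severity=%s facility=%s/%s text="%s"\n' \
        "$(token "$1")" "$(token "$2")" "$(token "$3")" \
        "$(token "$4")" "$(token "$5")" "$(sanitize "$6" 256)"
}

# handle_alarm <six arguments>: timestamp the record, append it to the
# alarm log (created readable by the owner only) and optionally hand it
# to syslog, from where a paging gateway can pick it up.
handle_alarm() {
    rc=0
    line=$(format_alarm "$@") || rc=$?
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) $line"
    ( umask 077; printf '%s\n' "$line" >> "${ALARM_LOG:-ibasec_alarm.log}" ) || return 1
    if [ "${ALARM_SYSLOG:-0}" = 1 ] && command -v logger >/dev/null 2>&1; then
        logger -t ibasec-alarm -p auth.alert "$line" || true
    fi
    return "$rc"
}

# Entry point when called by the server; does nothing without arguments.
[ "$#" -eq 0 ] || handle_alarm "$@"
```

A call with the wrong number of arguments is still recorded, so a changed calling interface shows up in the alarm log instead of being dropped silently.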
Configuring Audit Maintenance Scripts
The Audit Maintenance procedure (see section ‘AUDIT - System Audit’) can optionally call a user
supplied script. This script could for example FTP the current audit and message log files to
another system for archiving. The script should reside in the ‘scripts’ directory, the exact location of
which will depend on how your system was installed. In a typical installation this would be as
follows:
Unix: /opt/ibasec/<server-id>/scripts
Windows: C:\Program Files (x86)\Ibasec3\<server-id>\var\script
On Unix the environment variable $IBA_SCRIPT (or $IBA_SCRIPTS) points to this directory. The
name of the script is user configurable via the ‘Audit Configuration’ screen.
As an example: to clean the logfiles from your IBASEC server, see the script in Use Case 17.
4.6 USRMAN – User Management
The User Management module allows users from the Security User-Category to manage user
accounts.
Most operations in the USRMAN module operate on the ‘four-eyes’ principle; this means that
changes or additions made by one Security User must be approved by a second Security User.
For this reason the IBASEC server must always have at least TWO Security Users configured.
User Categories
Each user of the system belongs to a User-Category, either Operator, Auditor, Administrator, or
Security. This defines the set of functions of the server that the user is allowed to access. For
further details please refer to section ‘IBASEC Users’.
User Statuses
Each user of the system has a status as follows:
Enable – The user is active and can log in.
Disable – The user is active but is not allowed to log in.
Waiting For Approval – Some changes have been made to the user’s settings. The user is not
allowed to login until a second Security officer approves the changes.
Usernames
All users of the system are identified by a username, and all users must enter a personal password
before they can access the system. Usernames must be chosen according to the following criteria:
It must be unique within a particular instance of the Security Server.
It must contain at least 8 characters and at most 32 characters.
It is case sensitive.
It can comprise alphanumeric characters i.e. A-Z, a-z and 0-9. No special characters are
allowed.
It cannot contain the same character repeated over more than two consecutive characters i.e.
userAA is allowed userAAA is not.
Passwords and Password Restrictions
User passwords must be chosen according to the following criteria:
It must not be the same as the username.
It must contain at least 8 characters and at most 32 characters.
It is case sensitive.
It can comprise alphanumeric characters i.e. A-Z, a-z and 0-9. No special characters are
allowed.
It cannot contain the same character repeated over more than two consecutive characters i.e.
userAA is allowed userAAA is not.
Must not be a password, which has been used before within the last 10 password changes.
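The username and password criteria above, written as a pre-check that reports the first violated rule (an added example, not part of IBASEC; the function names are hypothetical). The check against the last 10 password changes needs the server's own history and is not covered here.

```shell
#!/bin/sh
# Added example, not part of IBASEC: pre-check of the username and password
# criteria listed in the manual. Function names are hypothetical.
LC_ALL=C; export LC_ALL     # make the A-Z, a-z, 0-9 ranges byte-exact

# check_common <value>: rules shared by usernames and passwords.
# Prints the first violated rule and returns 1, or returns 0.
check_common() {
    len=${#1}
    if [ "$len" -lt 8 ] || [ "$len" -gt 32 ]; then
        echo "length must be between 8 and 32 characters"
        return 1
    fi
    # Anything outside A-Z, a-z, 0-9 is rejected, including whitespace
    # and line breaks.
    case $1 in
        *[!A-Za-z0-9]*) echo "only A-Z, a-z and 0-9 are allowed"; return 1 ;;
    esac
    # Same character three times in a row. The comparison is case
    # sensitive, so "AaA" is not a repetition.
    if printf '%s\n' "$1" | grep -q '\(.\)\1\1'; then
        echo "character repeated more than twice in a row"
        return 1
    fi
    return 0
}

# check_username <username>
check_username() {
    check_common "$1"
}

# check_password <username> <password>
check_password() {
    if [ "$1" = "$2" ]; then
        echo "password must not be the same as the username"
        return 1
    fi
    check_common "$2"
}

# Stand-alone use: <script> <username> [password]
if [ "$#" -ge 1 ]; then
    check_username "$1" || exit 1
    if [ "$#" -ge 2 ]; then check_password "$1" "$2" || exit 1; fi
fi
```

The manual's own pair userAA / userAAA illustrates only the repetition rule; at six and seven characters both would already fail the length rule, so the test values need to be longer (for example operatorAA and operatorAAA).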
It is also possible to assign restrictions to a user’s password, which will determine how often it must
be changed. These are as follows:
The maximum number of uses that a password can have. After this number of logins the
password must be changed.
The maximum number of days for which the password can exist. After this period that
password will automatically expire and will have to be changed.
These restrictions are optional and can be set or modified at any time by a Security User.
Successful and Failed Logins
Each successful and failed login is recorded by the USRMAN module. If a user has three
consecutive unsuccessful login attempts the system will automatically disable him. To login again
he must be re-enabled by a Security User.
This restriction does not apply to the last active Security User in the system. In this case the user is
disabled for 30 min only, and then automatically re-enabled.
Adding, Deleting and Modifying Users
The ‘USRMAN Overview’ window shows the complete list of currently configured users, their user
Category and Status:
From this window it is possible to add, delete and modify users. For a list of standard users
preconfigured at installation time, see chapter ‘IBASEC users’.
Adding a User
To add a new user select the ‘Add’ option from the ‘User’ menu:
The fields should be filled as follows:
Username – see above for restrictions on the username (mandatory).
Full Name – free text, the full name of the user (optional)
Password – the user’s password, see above for restrictions on the password (mandatory).
Address – free text, the address of the user (optional).
Telephone – free text, the telephone number of the user (optional).
User Category – the category to which the user belongs (mandatory).
Max Uses – the maximum password uses: either none (infinite), or a number between 1 and 999.
Max days – the maximum number of days for which the password is valid, either none (indefinite),
or a number between 1 and 999.
Inactivity Timeout – the maximum number of seconds of inactivity allowed for the user. Either none
or the period in seconds after which the user will automatically be logged out.
The other fields on the screen are filled automatically by the IBASEC Server.
Once the user has been created his status will be WaitingForApproval and a second Security User
must approve and enable the user from the ‘Status’ menu on the ‘USRMAN Overview’ screen.
Modifying a user
To modify a user, select the entry from the ‘USRMAN’ main window and choose ‘Modify’ from the
‘User’ menu.
The following fields are modifiable:
Full Name
Address
Telephone
User Category
Max Uses
Max days
Inactivity Timeout
See the previous section for how these fields can be filled. Once the user has been modified his
status will be WaitingForApproval and a second Security User must approve and enable the user
from the ‘Status’ menu on the ‘USRMAN Overview’ screen.
Deleting a user
To delete a user select the appropriate row from the ‘USRMAN Overview’ screen and choose the
‘Delete’ option from the ‘User’ menu. If the user is currently logged in he can continue to work, but
he will not be able to login again.
Enabling and Disabling a user
A Security User can disable a user by selecting the ‘Disable’ function from the ‘Status’ menu in the
‘USRMAN Overview’ screen. A disabled user will no longer be able to login. Similarly by selecting
Enable, a Security officer can re-enable a disabled user.
Changing a user’s Password
A security user can change another user’s password by selecting the user from the ‘USRMAN
Overview’ window and choosing the ‘Change Password’ function from the ‘User’ menu. Once the
password has been modified the user’s status will be WaitingForApproval and a second Security
User must approve and enable the user from the ‘Status’ menu on the ‘USRMAN Overview’
screen.
4.7 BPMAN – Business Partner Management
The BPMAN module provides facilities for users of the Security User – Category to manage the list
of Business Partners (or BP-Ids) that the server will use to validate messages sent and received.
A business partner is a party in a secure communication. A Business Partner is assigned to a
particular application and is either assigned for use in test sessions or production sessions (not
both). In addition a Business Partner has an assigned Cryptographic profile which defines which
algorithms and key sizes will be used when creating messages coming from the Business Partner,
and which can be used to check the algorithms and key sizes used in messages received from the
Business Partner.
In SIC and euroSIC the business partners are the LUDs. The IBASEC server validates the source
and destination business partners of all request messages, so all used BP-Ids must be configured.
The IBASEC Server also compares the Test/Production setting of a BP-Id against the session on
which the request message is received, and will reject the request with an ‘Unknown BP’ error if
there is a mismatch. Test BP-Ids are only valid on Test sessions. Production BP-Ids are only valid
on Production Sessions.
The functions to view, add, modify and delete BP-Ids are only available to users in the Security
User-Category.
The list of currently configured BP-Ids is shown on the ‘Business Partner Overview’ window:
Selecting the search button you will get the following mask:
this lists all business partners for the SIC application with a validity that ends before 19.8.2007
Adding a Business Partner
To add a Business partner, select the ‘New’ option from the ‘Edit’ menu on the ‘Business Partner
Overview’ window. The following screen will be displayed:
Where the fields should be filled as follows:
Application - the pull-down menu gives the list of currently configured applications (mandatory).
BP - The BP-Id to be entered. Must be unique within the application (mandatory).
Priority - The priority with which messages from this BP-Id will be treated. High, Medium or Low.
This may be important in a high volume system with many Business Partners and many HSMs. In
a system with few BP-Ids or few HSMs this setting will have little effect.
Test/Production - Determines if this BP-Id will be used for Test or Production sessions. In release
V2.0 there is an additional state called ‘not used’ (see below).
Profile - The default cryptographic profile for this BP-Id. The pull-down menu contains the list of
currently configured profiles.
Verify Profile - Determines if the IBASEC server will check messages received from this BP-Id
against the Profile. If this option is set and there is a mismatch, an audit event will be generated but
the message will continue to be processed.
Modifying a Business Partner
To modify a business partner, select the appropriate entry from the ‘Business Partner Overview’
window and choose the ‘Modify’ option from the ‘Edit’ menu.
All fields except the BP-Id itself are modifiable.
Any changes are immediately active once they have been saved.
Deleting a Business Partner
To delete a business partner, select the appropriate entry from the ‘Business Partner Overview’
window and choose the ‘Delete’ option from the ‘Edit’ menu.
The deletion is immediately active.
Automatic Update of the BP Table
The current IBASEC server software maintains a table with all known BPs. The IBASEC server
only processes security commands, which refer to BPs contained in this table. New BPs have to be
entered manually by the security officer. They can be configured to be used either by a test or a
productive session.
The IBASEC Release V2.x and 3.x is proposed to be enhanced in that new BPs are automatically
added to the BP table, when new keys of new BPs are loaded into the system. Newly added BPs
are set to a ‘not used’ state by default. They have to be manually configured for either test or
productive use by help of the existing BP configuration function.
4.8 APPMAN – Application Management
The APPMAN module provides functions to define the applications and application users, which
the server can be used for (e.g. SIC, euroSIC etc), and defines the host applications, which are
allowed to use each application (these are called the application users).
For each application two things are defined:
The default cryptographic profile for the application.
The list of functions, which can be used in connection with this application.
The IBASEC Server contains two pre-configured applications; SIC and EURO. There should be
no need to change the settings for these applications.
The APPMAN functions are only available to users in the Security User Category. Some
functions in APPMAN are subject to the ‘four-eyes’ principle and require changes to be
confirmed by a second security user.
The list of currently configured applications can be seen from the ‘Applications Overview’ window:
Application Users and User-IDs
The APPMAN module also defines the Application users (host applications) for each application.
When a Host Application creates a session it must identify itself with its ‘User-Id’. This User-Id must
have been configured in the APPMAN Application users database, and the requested Application
must match one that the User-Id is configured to use.
The APPMAN module can also define for each User-Id with what priority requests from this User-Id
will be served and whether an IMS header should be prepended to all messages sent to this host
application.
The list of currently configured application users can be seen by clicking the ‘Users’ button on the
‘Applications Overview’ window. This will display the ‘User Overview’ window as follows:
Adding an Application
Note - the SIC and EURO applications are already configured and should not be changed.
To add a new application, select the ‘New Application’ option from the ‘Configure’ menu on the
‘Applications Overview’ window. The following screen will be displayed:
The values that can be entered are:
Application – the name of the application, maximum 6 characters, mandatory
Use Compression – the mode of compression; values: automatic when encrypting messages are
longer than 3800 bytes, always enabled or disabled.
Allow Management session – for these applications the use of management session is allowed.
This enables the use of the functions LoadPublicKey, GetPublicKey, DeletePrivateKey,
DeletePublicKey, GetPublicKeyDir, GetPrivateKeyDir and GetHSMStatus.
Default Profile – the name of the default cryptographic profile for the application. The pull-down
list will contain all the currently configured profiles.
Validity window – the time stamp of incoming signed messages is verified to be within a user
definable time window, in days.
The required functions. Note - any function that is not checked will not be accessible in the context
of a session for the newly defined application, and any attempt to use it will cause an error.
Modifying an Application
Note - the SIC and EURO applications are already configured and should not be changed.
To modify an application, select the application from the ‘Applications Overview’ window, and
choose the ‘Modify Application’ option from the ‘Configure’ menu.
The Default Profile and the list of allowed functions can be changed.
Changes only affect sessions that are opened after the changes were made. Sessions that are
already open are not changed.
Deleting an Application
To delete an application, select the application from the ‘Applications Overview’ window, and
choose ‘Delete Application’ from the ‘Configure’ menu.
Note – before deleting an application you must be sure that no Application users are configured to
use the application, and that no HSMs are configured to use it either.
4.9 KEYMAN - Key Management
The IBASEC Server provides facilities for the remote management of keys within HSMs. These are
the Key Management functions and are available to users within the Security User-Category.
Each HSM can contain a number of keys:
Private Keys are secret. They are created by the bank, and loaded manually into
HSMs using security modules.
Public Keys are either generated with the corresponding Secret Keys by a bank, or
are loaded from a security module or the IBASEC Server.
The KEYMAN module stores information about which Private Keys are loaded into which HSM. It
also provides functions to delete Private Keys from specific HSMs.
Note - Secret Keys can only be loaded via security modules and not by the security server.
The KEYMAN module also stores information about which Public Keys are loaded into each HSM.
It also stores a copy of each Public Key in its internal database. The KEYMAN module provides
facilities to load and delete Public Keys from HSMs either under operator instruction, or
automatically.
The KEYMAN key database is automatically synchronized with the HSMs so that when keys are
manually added or removed from a HSM, the KEYMAN database will be changed automatically. If
changes are made to a HSM whilst it is not connected to the server, the server will synchronize the
next time a connection is made.
Key States
Keys held within the KEYMAN key database exist in a number of states as follows:
| State | Meaning | Private | Public |
|---|---|---|---|
| Active | A key which is available for cryptographic operations and which is loaded in one or more HSMs. | Yes | Yes |
| Deleted | A key which has been deleted from all HSMs. It cannot be used for cryptographic operations. | Yes | Yes |
| Expiring | A key that will expire in a few days and for which no replacement (public or private) is yet loaded. | Yes | Yes |
| Blocked | A private key that expired less than three days ago. It can still be used for decryption, but not for signing. | Yes | No |
| Expired | A private key which expired more than three days ago. It cannot be used. Or: an expired Public Key. It can still be used for verification but not for encryption. | Yes | Yes |
| Error | A key which failed to authenticate when loaded into an HSM. The key cannot be used. | | |
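The state rules from the table above, written out as an added Python example (not IBASEC code) that an operator could run over a key inventory to see which keys are about to stop signing or encrypting. The seven-day threshold for "Expiring", the order in which the checks are applied and the operation names are assumptions; the three-day rule for "Blocked" comes from the table.

```python
from datetime import datetime, timedelta

# Assumption: the manual only says "a few days"; seven days is chosen here.
EXPIRING_WINDOW = timedelta(days=7)
# From the table: a private key stays "Blocked" for three days after expiry.
BLOCKED_WINDOW = timedelta(days=3)


def key_state(kind, end, now, loaded_hsms, replacement_loaded=False,
              auth_failed=False):
    """Return the KEYMAN state name for one key.

    kind is "private" or "public", end is the expiry date of the key and
    loaded_hsms is the number of HSMs that currently hold it.
    Assumed precedence: Error, Deleted, Blocked/Expired, Expiring, Active.
    """
    if kind not in ("private", "public"):
        raise ValueError("kind must be 'private' or 'public'")
    if auth_failed:
        return "Error"
    if loaded_hsms == 0:
        return "Deleted"
    if now >= end:
        if kind == "private" and now - end < BLOCKED_WINDOW:
            return "Blocked"
        return "Expired"
    if end - now <= EXPIRING_WINDOW and not replacement_loaded:
        return "Expiring"
    return "Active"


def allowed_operations(kind, state):
    """Operations still permitted for a key of this kind in this state."""
    if state in ("Active", "Expiring"):
        if kind == "private":
            return {"sign", "decrypt"}
        return {"verify", "encrypt"}
    if state == "Blocked":                      # private keys only
        return {"decrypt"}
    if state == "Expired" and kind == "public":
        return {"verify"}
    return set()                                # Deleted, Error, expired private key


def keys_needing_action(keys, now):
    """Return (key_hash, state) for every key that is not simply Active."""
    flagged = []
    for k in keys:
        state = key_state(k["kind"], k["end"], now, k["loaded_hsms"],
                          k.get("replacement_loaded", False),
                          k.get("auth_failed", False))
        if state != "Active":
            flagged.append((k["hash"], state))
    return flagged


# Constructed sample inventory; the key hashes are made up for this example.
NOW = datetime(2013, 10, 14, 12, 0)
SAMPLE_KEYS = [
    {"hash": "AAAA000000000001", "kind": "private",
     "end": NOW + timedelta(days=200), "loaded_hsms": 2},
    {"hash": "AAAA000000000002", "kind": "private",
     "end": NOW - timedelta(days=2), "loaded_hsms": 1},
    {"hash": "AAAA000000000003", "kind": "public",
     "end": NOW + timedelta(days=3), "loaded_hsms": 1},
    {"hash": "AAAA000000000004", "kind": "public",
     "end": NOW - timedelta(days=30), "loaded_hsms": 1},
    {"hash": "AAAA000000000005", "kind": "public",
     "end": NOW + timedelta(days=100), "loaded_hsms": 0},
]

if __name__ == "__main__":
    for key_hash, state in keys_needing_action(SAMPLE_KEYS, NOW):
        print(key_hash, state)
```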
Key Management and Distribution
The KEYMAN module provides functions for managing the keys within HSMs.
Manually Managing Keys in HSMs
From the ‘Key Management Overview’ window it is possible to select an individual HSM and
application and using the ‘Keys’ menu:
Display Keys – view the keys loaded in the HSM for this application.
Delete Keys – delete keys from the HSM.
From the ‘Key Overview’ window (the results of a free search of the Key Database) it is possible to
select an individual key and:
Delete it from an individual HSM in which it is loaded.
Delete it from all HSMs in which it is loaded.
Load it into an individual HSM assigned to the appropriate application (Public Keys only).
Load it into all HSMs assigned to the application (Public Keys only).
Load it into HSMs according to the Key Distribution Algorithm
Automatically Managing Keys in HSMs
The KEYMAN module can also provide facilities to automatically distribute Public Keys between
the available HSMs. This is known as the Key Distribution Algorithm and it will distribute keys
based on the priority of the BP-Id, which owns the key (as defined in BPMAN).
The user can configure
How many HSMs of an Application should contain the keys of High-Priority BP-Ids.
How many HSMs of an Application should contain the keys of Medium-Priority BP-Ids.
How many HSMs of an Application should contain the keys of Low-Priority BP-Ids.
The Key Distribution Algorithm will attempt to ensure that all HSMs have the same number of
keys loaded.
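One way such a distribution can work, as an added Python example: this is an illustrative greedy placement, not the algorithm IBASEC implements. The function names, the BP-Ids, the key names and the HSM names HSM32 and HSM33 are constructed for the example; the three per-priority copy counts correspond to the settings listed above.

```python
PRIORITY_ORDER = ("High", "Medium", "Low")


def distribute_public_keys(keys, bp_priority, hsms, copies):
    """Place each public key on copies[priority] HSMs, least-loaded first.

    keys        -- list of (key_hash, owner_bp_id)
    bp_priority -- {bp_id: "High" | "Medium" | "Low"}, as defined in BPMAN
    hsms        -- names of the HSMs assigned to the application
    copies      -- {"High": n, "Medium": n, "Low": n}, the operator's settings
    Returns {hsm_name: [key_hash, ...]}.
    """
    if not hsms:
        raise ValueError("no HSM assigned to the application")
    placement = {h: [] for h in hsms}
    # High-priority keys are placed first; the sort is stable, so keys of
    # equal priority keep their input order.
    ordered = sorted(keys, key=lambda k: PRIORITY_ORDER.index(bp_priority[k[1]]))
    for key_hash, bp_id in ordered:
        # A key cannot have more copies than there are HSMs.
        wanted = min(copies[bp_priority[bp_id]], len(hsms))
        # Pick the HSMs holding the fewest keys; ties are broken by name.
        targets = sorted(hsms, key=lambda h: (len(placement[h]), h))[:wanted]
        for h in targets:
            placement[h].append(key_hash)
    return placement


def copy_counts(placement):
    """Number of HSMs holding each key."""
    counts = {}
    for held in placement.values():
        for key_hash in held:
            counts[key_hash] = counts.get(key_hash, 0) + 1
    return counts


def imbalance(placement):
    """Difference between the fullest and the emptiest HSM."""
    sizes = [len(held) for held in placement.values()]
    return max(sizes) - min(sizes)


def under_replicated(keys, bp_priority, placement, copies):
    """Keys that have fewer copies than their priority asks for."""
    counts = copy_counts(placement)
    limit = len(placement)
    return sorted(
        key_hash for key_hash, bp_id in keys
        if counts.get(key_hash, 0) < min(copies[bp_priority[bp_id]], limit)
    )


# Constructed sample data.
HSMS = ["HSM31", "HSM32", "HSM33"]
BP_PRIORITY = {"BANKA": "High", "BANKB": "Medium", "BANKC": "Low"}
COPIES = {"High": 3, "Medium": 2, "Low": 1}
KEYS = [
    ("K-L1", "BANKC"), ("K-H1", "BANKA"), ("K-M1", "BANKB"), ("K-H2", "BANKA"),
    ("K-M2", "BANKB"), ("K-L2", "BANKC"), ("K-M3", "BANKB"),
]

if __name__ == "__main__":
    result = distribute_public_keys(KEYS, BP_PRIORITY, HSMS, COPIES)
    for hsm, held in result.items():
        print(hsm, held)
    print("imbalance:", imbalance(result))
```

Running `under_replicated` after a manual deletion shows which keys have dropped below the configured number of copies.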
Overview of Keys
The number of keys loaded into each HSM and their owning application can be seen from the ‘Key
Management Overview’ window as follows:
For each HSM there is an entry for each application that the HSM is configured to use. Each entry
contains:
HSM – the name of the HSM as defined in section ‘KRYPTO – HSM Interfaces’.
Application – the name of the application.
Private – the number of Secret Keys loaded in this HSM for this application.
High – the number of Public Keys belonging to BP-Ids of High Priority (as defined in BPMAN)
for this application.
Medium – the number of Public Keys belonging to BP-Ids of Medium Priority (as defined in
BPMAN) for this application.
Low – the number of Public Keys belonging to BP-Ids of Low Priority (as defined in BPMAN) for
this application.
Total – the total number of keys loaded in this HSM for this application.
Note – The Key Rollover Rules work only on the side of SIS, but not on the side of the bank.
Therefore they are not explained here.
Searching the Key Database
The KEYMAN module provides facilities to search the Key Database.
Free Search
Selecting the ‘Free Search’ option from the ‘Find’ menu on the ‘Key Management Overview’
window displays the ‘Key Search’ window in which the search criteria can be entered:
The fields can be entered as follows:
The type of the key as above, or all.
The key status as above, or all.
The Application of the Key - the pull-down menu contains the list of currently configured
applications, or all.
The Owner BP-Id.
The Owner Security-Party - not used in this version.
The Certificate Reference - can be used to enter the Key Hash in this version.
Start date - the start date of the key, a range can also be entered.
End-date - the expiry date of the key, a range can also be entered.
The Key Usage - see above, or all.
Issuer Security Party - not used in this version.
HSM - the HSM in which the key is loaded. The pull-down menu contains the list of currently
configured HSMs. All can also be entered.
The results are displayed in the ‘Key Overview’ window:
From this window it is possible to display details of an individual key by selecting a key and clicking
the ‘Details’ button. Depending on the type of key either the ‘Private Key Details’ window or the
‘Public Key Details’ window is displayed:
Private Key
The ‘Public Key’ button will display the corresponding Public Key (if it is available in the database).
Public Key
The ‘Certificate’ button will display the raw key information. The ‘Print’ button will make a hard-copy
of the key.
This is the Public Key Certificate - which will be printed to the printer defined in the Login setup
(see section ‘Login/Logout’).
Search for Deleted Keys
This option will immediately display all keys that have been deleted from all HSMs.
Search for Expired Keys
This option will immediately display all keys that have expired.
4.10 PROFMAN - Cryptographic Profile Management
The IBASEC Server maintains a list of cryptographic profiles which define a set of cryptographic
algorithms, key sizes etc. Each business partner defined in the BPMAN module is assigned a
profile and this will be used in the absence of other instructions to define:
The algorithms and key sizes to be used when creating a message sent by a Business Partner.
The algorithms and key-sizes, which are expected to have been used in messages received
from a Business Partner.
The IBASEC server contains one pre-defined profile called SIC-Default. This profile currently
matches the requirements of both SIC and euroSIC. There should be no need to add or modify
profiles at the moment.
The functions to view and modify Cryptographic profiles are only available to users in the Security
User-Category. The list of currently configured profiles is visible from the ‘Profile Overview’
window:
For each algorithm supported by the server it is also possible to set some defaults. These can be
seen by clicking on the ‘Defaults’ button on the ‘Profile Overview’ window. By selecting an
algorithm and clicking on the ‘Edit’ button it is possible to view and modify the defaults.
Adding a Profile
To add a profile all the IBASEC interfaces must be offline (see section ‘IBASEC – Host Interfaces’).
From the ‘Edit’ menu on the ‘Profile Overview’ window select the ‘Add’ option. The following screen
will be displayed:
[Screenshot: ‘Add’ profile dialog showing the example values SECOM Default, SHA256, RSA, 2048, AES, PKCS#1, BASE64]
This should be filled as follows:
Profile Name - must contain a unique name for the profile (mandatory).
Hash Algorithm - the pull-down menu contains the list of supported hash algorithms
(mandatory).
Sign Algorithm - the pull-down menu contains the list of supported sign algorithms (mandatory).
Modulus - the pull-down menu contains the list of supported key lengths (mandatory).
Data Encryption Algorithm - the pull-down menu contains the list of supported encryption
algorithms (mandatory).
Default Filter - the function used to filter IV, signatures and encrypted key data; used if no
parameter value is supplied in the input.
Key Encryption Algorithm - the key encryption algorithm. The pull-down list contains TBSS and
PKCS#1.
4.11 CERTMAN - Certificate Manager (for SECOM)
See section 6 of this document.
5 HSM Setup and Handling
For the IBASEC Version 3.1 with the LunaSP, the GUI has been extended with an additional HSM
button. Be aware that you need special rights to execute those <HSM> functions (see chapter 5). A
warning indicates that an inappropriate entry would destroy the HSM configuration.
The HSM operations are grouped as follows:
Network and date setting, Unlocking of the HSM
Setting of the key storage and PED keys
Placing the HSM Passwords on the IBASEC server
Installation and Uninstallation of the web application
Start and Stop of the Web Application
Key Backup and Restore
Maintenance Work
All HSM handling is centralized under this <HSM> function:
To apply most of the HSM operations, the HSM must be in the "Disconnected" state.
5.1 HSM Initialization
5.1.1 Set Date and Time
Setting the date and time of the HSM means adjusting it to the date and time of the IBASEC
server. Check the flag on this window and press <OK>. For proper key management it is
important that the date and time of the IBASEC server and the HSM are equal. A tolerance of a
few minutes is acceptable.
5.1.2 Unlock HSM
After a number of consecutive wrong password entries the HSM falls into a LOCKED state. For the
maximum allowed password entries see the HSM Configuration Window in 2.1.1.
By selecting this function, the HSM will be unlocked and the HSM overview shows again
"ActiveUnattended".
5.2 Key Storage Operation and PED Key Operation
5.2.1 Enter Password
With the new SafeNet LunaSP HSM, the system operates with three different passwords to protect
different operations:
Admin Password: the HSM can be accessed by SSH; the admin password is the password of the
preinstalled admin user with the default password "pass*12345".
Partition Password: protects the access to the keys in the key storage of the HSM, also called “key
partition”. The first partition password is created by the "HSM Init" function and has to be saved. In
this case, the "Old Password" entry remains empty.
Application Password: the password used by the server to trigger any key management
operations.
Changing the partition password needs the old password and the partition PED key.
When connecting a new HSM with "Premium Rollout", i.e. one prepared to work with an IBASEC
server, the Admin and the Partition passwords have to be saved with the IBASEC server. See Case
11.
5.2.2 Configure Web Server
After the "Init HSM" function a few settings of the partition policy and the web server have to be set
or confirmed. To see the details of the executed lunashell commands press <View Logs> again.
Please keep an eye on the PED to be ready for the requested PED key handling. The blue and
black keys (Admin and Partition) are needed.
Reminder:
If you would like to cancel any operation, press <Cancel>. With <Close>, an operation that is still
running continues and is not aborted.
Using this function assumes that the web server appliance is properly installed (it should come with
the Premium Rollout). If the command fails because of a missing web server application, you have
to install it first with the function "Install Application".
This operation can be executed several times.
5.2.3 Installation and Un-Installation of the Web Application
Install Application
The newest web application has been installed by the Premium Rollout. Before you can install
another version of the web application (appliance), you have to uninstall the present installation. A
warning prevents you from doing a new installation.
*** Please back up your key partition before you install a new web application! ***
The web application delivered by SIC only has to be copied to the IBASEC server according to the
instructions that come along with the new software release. The software is protected with a hash
(a so called fingerprint). You have to confirm this fingerprint published by SIC before you may
upload the appliance software.
Again, check <View Logs>, and once the appliance has been loaded successfully, start the web
server before you reopen the HSM. With the "Get Status" function in Krypto - Remote you will find
the new release version number and date. The installation of the web application may take up to 15
minutes.
After the installation of the application the web server should be started again:
GUI: HSM - HSM Operations - Start Web Server
Uninstall Application
This function is only needed to clear the HSM for a new "Install Application".
5.3 Start and Stop of the Web Application
Select an HSM from the list of available HSMs. HSMs become available by defining and adding them
in the Krypto Module. Make sure that this HSM is in a proper "Premium Rollout" state.
For the normal operation of the HSM, no direct intervention by the operator on the HSM is
needed. But the following functions are supported:
Start Web Server (e.g. after a cold start of the HSM)
Stop Web server
Download Logs (if you need the Logs with the most accurate events)
5.3.1 Start Web Server
After a cold start or a reboot of the HSM the web server does not start automatically! If you open an
HSM without starting its web server, the IBASEC server detects an error and falls into the recovery
procedure. The recovery procedure starts the web server and opens the HSM, so there is actually
no need for this function. But starting the web server manually with this function and then opening
the HSM is faster, because the recovery function needs some time to analyze the situation and then
take the right actions.
Key needed: No.
Yes, but after a cold start or a power loss longer than 20 minutes the blue (Admin) key is needed!
5.3.2 Stop Web Server
This function is only needed for analyses and investigation of the web server.
5.4 HSM States
The HSM that comes from your distributor is specially prepared for the IBASEC application. We
call this the "Premium Rollout" state. The IBASEC GUI can only interact with a Premium Rollout
HSM.
Compared with the HSM GC720, the new LunaSP HSM is (almost) stateless. The only correct
productive state is "Connected - ActiveUnattended", i.e. the HSM is "Open" and is ready to be
productive. Closing the HSM with the Close button in the Krypto Overview Window or in the HSM
Overview Window sets the HSM to "Disconnected" and the Application State to "-".
If the Application State is "Initialized" (Unattended Mode not set) or "Inactive" (Application
Password not set), the "Configure Web Server" function has failed (see ViewLogs: maybe the sp
command is missing, e.g. the web application is not yet installed).
After the maximum number of consecutive wrong password entries the HSM falls into a "Locked"
state. With the GUI function HSM - HSM Initialization - Unlock HSM the HSM can be unlocked again.
5.5 Download Logs (Maintenance Work)
If the environment variable (or Windows registry entry) IBA_HSM_MAINTENANCE_TIME is set, an
automatic daily download (and delete) of the logs into the $IBA_LOG directory is done.
example of .cshrc:
setenv IBA_HSM_MAINTENANCE_TIME "05:30"
In some cases it might be helpful to have a more up-to-date set of log files available. This
function will not replace or affect the automatic download and delete. It creates an additional log
view.
This function needs no PED keys. The <View Logs> gives you a list of all files downloaded from
the HSM. They are available in the $IBA_LOG directory of your IBASEC server.
The following files are downloaded to the $IBA_LOG directory:
logs.tar
supportInfo.txt
log_shell_audit.log
log_tomcat.log
log_web_debug.log
log_shell_debug.log
log_tomcat.log.2006-09-14
log_web_error.log
log_shell_debug.log.2006-09-267
log_tomcat.log.2006-09-15
log_web_info.log
log_shell_error.log
log_tomcat.log.2006-09-21
log_shell_info.log
log_web_audit.log
5.6 Backup and Restore
Backup and Restore procedures always overwrite and always apply as a whole. There is no update
function or incremental backup possible.
5.6.1 Key Backup
With a Key Backup the whole partition is copied to a Backup Token. All productive private and
public keys and certificates, even the uncertified keys, are copied to the Backup Token. The
Backup Token should be inserted before you launch the backup procedure.
Watch the display of the LunaPED for the requested PED key application (blue, black
and red keys are needed). If the backup token (PC Card) has already been used with other HSMs
that do not belong to the same group, the backup will fail. If you insist on overwriting the used token,
you have to repeat the procedure 3 times until it accepts the overwriting of the token.
Press "View Logs" to see the activities in detail:
5.6.2 Key Restore
With a Key Restore the whole partition is overwritten by the Backup Token. The PED key handling
is the same as with backup. There is no partial restore available with LunaSP. It is always a
complete and replacing restore.
6 Key Management
The key management functions with the HSM are:
Generation of keys (local certificate key, RSA keys, TINT key)
Loading of public and private keys
Loading of TINT keys
Deleting of keys
Storing of private keys to the security module
Verification of keys in the HSM.
Some of the functions are triggered from the server, and some of the key management functions
follow a different concept (backup and restore, see section 5.6). This chapter describes the
key management operations of IBASEC. These are
Key generation
Load a key to the IBASEC server
Deletion of a key from the IBASEC server
Export a key to a file
Import a key from a file
Validation of a key
Fingerprint letter operation (Export to File, Print)
Search for a key
The available keys can be shown with the following list:
GUI: Krypto – Keys - Show Keys in HSM (of selected HSM)
GUI: Keyman - Find - Free Search: list of keys for a defined filter
6.1 Passwords
The IBASEC Server uses three passwords protecting different operations:
The admin password (the HSM can be accessed by SSH, the admin password is the password of
the installed admin user). It must be at least 8 characters in length and must include characters
from at least three of the following four groups:
lowercase alphabetic (abcd...xyz)
uppercase alphabetic (ABCD...XYZ)
numeric (0123456789)
special (non-alphanumeric, -_!@#$%&*...)
The partition password (the password of the key storage, also called “key partition”, which protects
access to the keys)
The application password (the password used by the server to protect the key management
operations). The application password is important for the key management.
6.2 Key Generation
There are three types of keys to be generated:
Local certification keys
Productive keys
SIC AG internal keys (TINT keys; for SIC only)
6.2.1 Generation of local certification keys
The first step to set-up the HSM for production mode is to generate a pair of local certificate keys.
The keys will be used to secure the transfer of the production public keys from and to the IBASEC
server. The local certification key will be generated using the KEYMAN menu entry HSM Key
management -> Create LOCERT keys. The following figure shows the dialog to generate the
LOCERT keys.
This example creates a LOCERT key pair on HSM31.
6.2.2 Generation of Production Keys
The next step is to generate your own production keys of which the public keys will be delivered to
SIC (in file format). The key has to be exported to the IBA_EXPORT directory. These will be
described in a later section of the document. The production key will be generated using the
KEYMAN menu entry HSM Key management -> Create RSA keys. The following figure shows the
dialog to generate a productive RSA key pair.
This table shows the possible valid settings:

| Application | Valid setting |
|---|---|
| SIC | Application: SIC; Business Partner: <your Business Partner>; Key Size: RSA [2048 bits]; Key Usage: Sign & Encipher; Start date and end date: according to the policy of your bank; Application password: see section 3.1 |
| euroSIC | Application: EURO; Business Partner: <your Business Partner>; Key Size: RSA [2048 bits]; Key Usage: Sign & Encipher; Start date and end date: according to the policy of your bank; Application password: see section 3.1 |
| SECOM | Application: SECOM; Business Partner: <your Business Partner>; Key Size: RSA [2048 bits]; Key Usage: Sign & Encipher; Start date and end date: according to the policy of your bank; Application password: see section 3.1 |
| SIC (for SIC only) | Key Usage: can be TK Verify & Sign, TK Encipher & Sign |
| euroSIC (for SIC) | Key Usage: can be TK Verify & Sign, TK Encipher & Sign |
6.2.3 Generation of TINT Keys
These keys will be used for SIC internal storage operations. The TINT key will be generated using
the KEYMAN menu entry HSM Key management -> Create TINT key. The following figure shows
the dialog to generate a TINT key.
The following table shows the valid settings:

| Field | Valid setting |
|---|---|
| Application | SIC, EURO |
| Business Partner | TINT1, …, TINT4 |
| Test/Prod Flag | T or P |
6.2.4 Important remark
After each key generation, it is strongly recommended to make a key backup (see section 5.6) in
order not to lose your private key information.
6.3 Key Export
The transport between the bank and SIX is done via a file-based mechanism. The IBASEC server
allows exporting the public key in the following file format:
The Self-Signed Certificate
After the key generation, the IBASEC server generates automatically two files with the following file
name pattern:
<application>-<bp>-<keyhash>.crt
The public key as self-signed certificate
The self-signed certificate format needs the related private key to be generated, so the
server may report that a key cannot be exported as “self-signed”. Apart from the automatic export, the
key can be exported using the following procedure:
In the Keyman menu, search for the key to be exported with “Find - Free Search”. The key search can
be controlled with some filter arguments (see section 6.20):
Select the key to export and choose "Export Key as Self-Signed Certificate" for an export for internal
use or to the provider.
With the following dialog you have to enter the filename that will be placed in the $IBA_EXPORT
directory (/var/ibasec/<serverid>/export).
e.g. for export key to SIC
A truly signed Export Letter (or fingerprint letter) should go with the key file to confirm the integrity
of the key. So after "export self-signed certificate" you select "Details" to get this window for
printing the accompanying letter.
6.4 Key Import
The key import is used to load public keys from a foreign system. As mentioned in the previous
section, the file type is as follows:
The Self-Signed Certificates with the extension .crt
The file extension should indicate which type of file you received. You have to apply the following
import procedure:
Store the file into the $IBA_IMPORT directory on your server
Use the KRYPTO menu entry “Key -> Import Self-Signed Certificate”.
To import a self-signed certificate, you have to select the related file.
e.g. SIC imports key from Bank
Self-Signed Certificates have to be validated. For details check the following section.
6.5 Validation of the Keys
An imported self-signed certificate has to be validated. Select the KRYPTO menu entry
“Keys -> Validate Keys”. The dialog shows the list of keys ready to be validated. You have to select
the key to be validated and enter the application password and fingerprint.
If this is done successfully, the key can be used as a normal public key.
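An added Python example (not part of IBASEC) of an independent pre-check for a received .crt file before its fingerprint is typed into the validation dialog; the same digest comparison applies to the software fingerprint confirmed in section 5.2.3. The manual does not say which digest IBASEC uses for fingerprints, so SHA-256 over the raw file bytes is an assumption, as are all function names; the file name pattern is the one given in section 6.3.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Assumption: SHA-256 over the raw file bytes. The manual does not name the
# digest behind its fingerprints.
DIGEST = "sha256"

# File name pattern from section 6.3: <application>-<bp>-<keyhash>.crt
# (application names have at most 6 characters).
NAME_RE = re.compile(
    r"^([A-Za-z0-9]{1,6})-([A-Za-z0-9]+)-([0-9A-Fa-f]+)\.crt$", re.IGNORECASE)


def parse_export_name(filename):
    """Split an exported key file name into (application, bp, keyhash)."""
    m = NAME_RE.match(filename)
    if not m:
        raise ValueError("not an <application>-<bp>-<keyhash>.crt name: %r" % filename)
    app, bp, keyhash = m.groups()
    return app.upper(), bp.upper(), keyhash.upper()


def normalize_fingerprint(text):
    """Remove the grouping used on a printed letter and check the length.

    A shortened fingerprint is rejected instead of being compared as a
    prefix, so a partial match can never pass.
    """
    hexstr = re.sub(r"[\s:]", "", text).upper()
    expected_len = hashlib.new(DIGEST).digest_size * 2
    if len(hexstr) != expected_len or not re.fullmatch(r"[0-9A-F]+", hexstr):
        raise ValueError("fingerprint must be %d hex digits" % expected_len)
    return hexstr


def file_fingerprint(path):
    """Digest of the file contents as upper-case hex."""
    h = hashlib.new(DIGEST)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def group4(hexstr):
    """Format hex digits in groups of four, as on a fingerprint letter."""
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def check_import(path, letter_fingerprint, expected_app, expected_bp):
    """True only if the file name names the expected application and BP
    and the file digest equals the fingerprint from the letter."""
    app, bp, _keyhash = parse_export_name(Path(path).name)
    if (app, bp) != (expected_app.upper(), expected_bp.upper()):
        return False
    wanted = normalize_fingerprint(letter_fingerprint)
    return hmac.compare_digest(wanted, file_fingerprint(path))


if __name__ == "__main__":
    import sys
    # Usage: script.py <file.crt> "<fingerprint from letter>" <application> <bp>
    ok = check_import(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
    print("fingerprint matches" if ok else "MISMATCH - do not validate this key")
```

A file such as ROOT.CRT does not follow the name pattern and raises `ValueError` in `parse_export_name`; call `file_fingerprint` and `normalize_fingerprint` directly for such files.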
6.6 Miscellaneous Key Management Functions
The following key management functions can be selected from the IBASEC Server GUI:
Load Public Key (from the Key Search Result Window, select “Key -> Load Key” to load a key from
the IBASEC Server database into one or more HSMs)
Delete Public Key / Delete Private Key (to delete one or more keys, search for those keys, select
them in the Key Result Window, and select “Key -> Delete Key”).
(Delete All Keys: use the HSM -> HSM Installation -> Erase HSM for Transport menu entry to
remove the keys stored in the HSM)
6.7 Import the Provider Keys
To setup your production environment you have to load the following keys from the CD into your
system:
| Appl. | BP | Key Hash | Fingerprint |
|---|---|---|---|
| SIC | SICB | | |
| SIC | SICP | | |
| EURO | ESIA | | |
| EURO | ESIB | | |
ATTENTION: These fingerprints are valid from 11.06.2012 until 01.08.2015
For SECOM application you also have to load the ROOT.CRT and
SECOM-SECN-5053B310.CRT (valid until 10.06.2016) into your system. This operation is
described in section 6.9ff.
6.8 Generation of the Production Keys
If you have to create a new production key, check the following parameters of the table

| Application | Business Partner |
|---|---|
| SIC | xxx0 |
| EURO | yyy0 |
| SECOM | <according to your setup> |

For the additional information, check the table
6.9 Import and Validation of the SIS Root Certificate
This describes the import of the SIS certificate through the file interface. The same can be done
using the SOAP interface. For the root certificate import, you have to copy your root certificate to
the "certs" directory. For a standard installation, this is /var/ibasec/prod/certs/SIS CA/FromProxy.
LOCERT must be present in HSM
Import ROOT.CRT
Validate ROOT.CRT with fingerprint
Import SECOM-SECN-5053B310.CRT (automatically validated by the ROOT.CRT)
In CERTMAN menu, you have to look for the “Operations” button:
And in the “Operations” Dialog, select the “Import Certificates from File” button:
You will see the following selection of certificates:
Select the entry “ROOT.CRT” and press the “Import” button. After a while, you will see the
following information:
After the successful load, the PKI key should appear in the special area of keys to verify. The PKI
key must now be verified by the user using the KRYPTO menu entry “Key -> Validate key”. The
dialog must look like this:
You have to select the PKI key and enter the fingerprint as shown in the figure. The server
confirms the load with a dialog telling you the key is confirmed and shows the public key details of
the key.
This indicates the successful load of the root certificate.
6.10 Import the SIS Certificate
You can import the SIS Certificate via the file interface. (For the SOAP interface, please refer to the
document “Certificate and Certification Management”.)
The certificate from SIS will be stored in the following directory:
/var/ibasec/<serverid>/certs/SIS CA/FromProxy
You have to perform the following steps:
In CERTMAN menu, you have to look for the “Operations” button:
And in the “Operations” Dialog, select the “Import Certificates from File”:
This dialog with the certificate file will be displayed.
Select the entry “SECOM-SECN-5053B310.CRT” and press the “Import” button.
After a while, you will see the following information:
You can verify the load of the SECN key with a free search in the KEYMAN module.
6.11 Create a Certification Request
You should have created a SECOM key pair with the common settings (please refer to the section
6.2.2 and check the information for SECOM). If this is done, a certification request for the key can
be created using the following steps.
With a letter, you receive from SIS a reference number and an authorization code. You will have to
enter this information before creating a certification request.
In CERTMAN menu, you have to look for the “Operations...” button:
And in the “Operations” dialog, select the “Export Certification Request to File” button:
In the dialog below, you first have to enter the reference number and the authorization code.
After these credentials are entered, the dialog allows you to create a certification request for a key,
and to export it on a file to be sent to SIS.
Enter the filename for the selected key. After a successful certification, the file appears in the
directory /var/ibasec/<serverid>/certs/SIS CA/ToProxy.
After the export, carefully check that the certification request corresponds to the right key hash,
and to the right reference number:
Also check the audit event log:
If everything is correct, then send this file to SIS to get the certificate.
To import the certificate, follow the steps of section 6.10.
6.12 Import of a SIS certification
The following operations are provided for SIS only. With this setting, SIS is enabled to import
certification requests into their IBASEC system.
In the CERTMAN menu, click the “Operations” button and continue with "Import for
Certification":
6.13 Make a Key Backup
The procedure is described in section 5.6.1.
6.14 Restore Keys
The procedure is described in section 5.6.2.
6.15 Delete one Key
For this operation you have to search for this key using the KEYMAN menu entry “Free Search”.
To delete the key with the hash 0835D0FC14F2C972, enter this information in the reference text
field.
Then press “Search” and look for the result.
Mark the key and select “Delete Key on HSM” from the menu. IBASEC offers the possibility to
delete the key from one HSM or from all HSMs:
The deleted key is shown in the list:
If the HSM wasn't online during the deletion, the status of the key is “Being deleted”. To remove
the key from the IBASEC KEYMAN database, select the “Purge Key on Server” from the menu and
confirm it.
6.16 Delete all Keys
To remove all keys from one HSM, use “Free Search” with the HSM selected in the search
settings (see figure).
This setting displays the keys of HSM31. The result window should display a list of keys:
Press CTRL+A to select all keys, then select “Delete Key” from the menu and confirm the
following dialog.
The keys will be deleted one by one.
The same procedure can be used to purge keys.
6.17 Import old LOCERT Public Key
For this operation, you have to export the LOCERT public key using the Export Key function. This
file will be written to the IBASEC directory /var/ibasec/<serverid>/export. The import of the key is
described in section 6.4.
6.18 Import of migrated Keys from the Database
After the old LOCERT public key has been imported into IBASEC, the system is able to load the
migrated keys. Depending on the key auto distribution setting, this will be done automatically or
must be done manually.
6.19 Search and Find a Key
The IBASEC GUI helps you to find a specific key and supports you with several filters. Select the
following function:
GUI: Keyman - Find - Free Search
Apply the filters by selecting from the combo-boxes.
7 Privileges of IBASEC Users
MODULE, Operation
Audit
Administrator
Security
Operator
Superuser
0 APPMAN
0 Add Application
X
X
1 Modify Application
X
X
2 Delete Application
X
X
3 Add Application User
X
X
4 Delete Application User
X
X
5 Modify Application User
X
X
6 Enable Application User
X
X
7 Disable Application User
X
X
8 Approve Application User
X
X
1 PROFMAN
0 Add Profile
X
X
1 Delete Profile
X
X
2 Modify Profile
X
X
3 Modify Default Settings
X
X
2 BPMAN
0 Search Business Partner
X
X
X
1 Add Business Partner
X
X
2 Delete Business Partner
X
X
X
X
3 Modify Business Partner
X
3 IBASEC
0 Configure Interface
X
X
1 Open Interface
X
X
2 Close Interface
X
X
4 KRYPTO
0 Open HSM
X
X
1 Close HSM
X
X
X
X
X
X
2 Add HSM
X
3 Modify HSM
X
4 Delete HSM
X
X
X
5 List Keys
X
X
6 Show Keys
X
X
7 Get HSM Date and Time
X
X
8 Get HSM Status
X
X
9 Test Connection
X
X
10 Start Download
X
X
11 Stop Download
X
X
12 Get Download Status
X
X
5 AUDIT
0 ViewStat
X
1 Configure Audit
X
X
X
X
X
2 Search Events
X
X
3 Search Message Log
X
X
6 KEYMAN
0 GetK
X
X
1 DelKGc
X
X
2 Rebalance Keys
X
X
3 Configure Keys
X
X
4 Search Key
X
X
5 Find Deleted Keys
X
X
6 Find Revoked Keys
X
X
7 FndExpK
X
X
8 LoadK
X
X
9 DelK
X
X
10 PrgK
X
X
11 RedistK
X
X
7 SYSMAN
0 SysOvw
X
X
X
1 Start IBASEC Server
X
X
2 Stop IBASEC Server
X
X
3 Make Backup
X
X
4 Load Backup
X
X
5 ShowRls
X
X
X
6 LoadRls
X
X
X
7 CfgSysDflts
X
X
8 USRMAN
0 Add User
X
X
1 Approve User
X
X
2 Enable User
X
X
3 Disable User
X
X
4 Modify User
X
X
5 Set Password for User
X
X
6 Delete User
X
X
7 Add User Category
X
X
8 Delete User Category
X
X
9 CA
0 Modify CA
X
X
1 Add CA
X
X
2 Delete CA
X
X
3 Manually Get Certificates
X
X
4 Ping CA
X
X
5 Send Certification Request
X
X
6 Retrieve Certificates by SN
X
X
7 Retrieve Certificates by BP
X
X
8 Change Fetch Schedule
X
X
9 Get Directory Information
X
X
10 Change Certificates by BP
X
X
11 Change Certificates by SN
X
X
12 Get Status
X
X
10 HSM
0 Network Settings
X
X
1 Validate Key
X
X
2 Create RSA Key
X
X
3 Create TINT Key
X
X
4 Import Selfsigned Key
X
X
5 Export Selfsigned Key
X
X
6 Set Date and Time
X
X
7 Unlock HSM
X
X
8 Initialize HSM
X
X
9 Enter Passwords
X
X
10 Configure Web Server
X
X
11 Install HSM Application
X
X
12 Uninstall HSM Application
X
X
13 Erase for Transport
X
X
14 Start Web Server
X
X
X
15 Stop Web Server
X
X
X
X
X
X
17 Backup Key Partition
X
X
X
18 Restore Key Partition
X
X
X
16 Download HSM Logs
X
8 FAQ
How can I export my public keys to the provider (e.g. to SIC)?
Select from the IBASEC GUI:
- Keyman - Find - Free Search and mark the public key to be exported (to SIC)
- select "Export self-signed certificate" and give it a good name (see section 6.3)
- print an accompanying letter (Public Key Certificate) and sign it (by authorized
person)
- send file and signed letter to your provider
How can I copy a PED key?
- Connect a PED to a HSM (to power it)
- press "<" (Exit)
- press "4" (Admin)
- press "1" (PED Key)
- plug-in the PED key to copy and press "1" (Login)
- press "7" (Duplicate) and plug-in a new used or blank PED key when asked.
Is it possible to change the PED key PIN code on the HSM?
- YES, you can change the PIN code of the Admin and the Partition PED key (see Case 19).
How can I change the passwords?
- The IBASEC server "knows" three passwords: admin, partition and application passwords (see
section 6.1 and 3.1). Open the Main menu - HSM - HSM initialisation - Enter Password and enter
the old and the new value of the selected password.
Where can I find the License and the capabilities of my HSM?
- see "HSM Procedures, Cookbook" section 9.1
- you need a ssh connection to your HSM: ssh -l admin 192.9.200.31
- login as "admin"
- [HSM31] lunash:> hsm displayLicense
What happens after a power failure with my HSM?
- If the power loss lasts less than 20 minutes, the HSM will boot again without any PED key
interaction. If it lasts longer than 20 minutes, the HSM will reboot as in a cold boot, i.e. you have to
apply PED keys (blue and black key) and the Web Application should be started via the GUI.
ATTENTION: with some HSMs, even a short power loss might make it necessary to apply PED
keys!
May I move a running HSM?
- Yes, you may move it. There is no tilt protection as you know it from the GC720.
How could I replace a HSM at the same IBASEC server?
With Solaris you should delete the corresponding line in the file /opt/ibasec/.ssh/known_hosts to
avoid a fingerprint conflict (warning only).
Then you have to add a new HSM in the Krypto Overview Window and enter the HSM passwords
of the new HSM. See STEP 1..5 in chapter 3.1.
My HSM is "Locked". What can I do?
With the GUI function: HSM - HSM Initialization - Unlock HSM you can unlock it again... but you
need Superuser privileges! Beware of too many consecutive wrong password entries. See section
3.5
How can I make sure that the web server application code is original from SIC?
The original and safe Java code for the HSM web server is signed by SIC AG. Installing the Web
Application (see GUI - HSM - HSM Initialization - Install Web Application) requires a certificate from
SIC AG. The certificate has been installed by your supplier. Compare the fingerprint of the
certificate with the published fingerprint of SIC AG.
lunashell command> spconfig codesign key list
see also:
www.bbp.ch > Products & Services > IBASEC > IBASEC FAQs
or direct
http://www.bbp.ch/ibasecfaq/phpBB3/index.php
9 Use Cases
9.1 Use Cases Overview
Description:
These use cases provide step-by-step support for some important procedures: setting up the
hardware, the IBASEC server and the key management.
Conventions:
All IBASEC server handling is done via the "Main menu" (IBASEC GUI)
The LCD display of the PED (PIN entry device) is illustrated with this view and the upcoming
operations are indicated:
SLOT 01:                      (slot 01 means your backup token)
LOGIN SO/HSM ADMIN...
Insert a SO /                 insert the PED Admin key (blue key)
HSM Admin
PED Key.
Press ENTER.
Important notes:   important notes
Terminal entries:  # ./installibasec
Attention:         e.g. limited time to handle PED
List of Use Cases:
No.   Description

Setup of the IBASEC Server
IBASEC installation on Solaris or Windows or Linux
1     Install IBASEC from CD (Solaris or Windows or Linux)

Setup of the HSM
Preparing the HSM Luna SP for collaboration with the IBASEC server
11    Connect a new HSM with Premium Rollout
12    Check the state of the HSM
13    Change or set parameters
14    Reinitialize the HSM
15    Change and set passwords
16    Installation of a new web application software
17    Execute maintenance work and use of log files
18    Setup a zeroized HSM (for experts)
19    Change PIN code of PED keys

Key Management
Handling of the private and public keys
      Overview: Setup the first HSM for productive session
32    Generate a local verification key (LOCERT)
33    Create a production key pair for SIC
34    Export your public key with fingerprint to the provider
35    Import a public key from SIC
36    Verify an imported external public key
37    Backup key partition
38    Restore key partition
39    Distribute public keys to further HSM
40    Delete a key (or all keys)
41    Certification of SECOM Private Keys by SIS
42    Deactivation of a Key

Malfunction Diagnosis
What can I do when something goes wrong
61    How to report a malfunction of HSM and/or IBASEC
Overview - Description “Setup the first HSM for productive session”:
This is a short summary and check list for the setup of your first productive session. For more
details see the referenced Use Cases and the indexed sections of this user manual.
Connect the first HSM to your IBASEC server → Case 11, 12, 13
Set up your local secrets or save the admin and partition password of the HSM supplier with the IBASEC server → Case 14, 15
Generate a local verification key pair (LOCERT) with the first HSM → Case 32
Backup and restore it to the other HSMs → Case 37, 38
Create your own set of RSA key pairs and export the public key to your provider (SIC) → Case 33, 34, 35
Import the public keys of your providers and validate them with your local certificate (LOCERT) → Case 35, 36
Display the keys and set up your key management parameters for key distribution
Make a backup of the key partition of your first HSM → Case 37
Check and configure the other database information like applications (Appman), business partners (Bpman), profiles (Profman) and certificate parameters (Certman)
9.2 Case 1: Install IBASEC from the CD
Description:
The new IBASEC server software (release 3.x.16) comes on a CD. The Release Notes, User
Manual and Installation Guide are PDF files in the /doc directory.
Prerequisite:
Solaris or Windows or Linux server with CD access
Adobe Acrobat Reader
Privileges: root access
Reference:
IBASEC Server Release 3.x, Installation Guide
(Solaris 10 or Windows 2008 R2 or Linux (Red Hat))
For technical details, please make use of the Installation Guide
9.3 Case 11: Connect a new HSM with "Premium Rollout"
Description:
The SafeNet Hardware Security Module (LunaSP HSM) comes from your supplier in an "IBASEC
specific state", ready to connect to your server. The HSM is individually prepared according to your
HSM order.
Prerequisite:
LunaSP HSM in "Premium Rollout" state
ready and running IBASEC server version 3.x
IBASEC Main menu (GUI) running with administrator privileges
Instructions from "Premium Rollout"
Reference:
IBASEC Server Release 3.x, Installation Guide (Solaris 10 or Windows 2008)
Compare with Case 13: Change parameters
Compare with Case 14: Replace HSM
Compare with Case 15: Change passwords
Physical connection of the HSM:
Your IBASEC server has two Ethernet ports. The first port (e.g. eth0) connects the IBASEC server
to your bank application servers. The second port (e.g. eth1) connects to a safe private LAN.
The HSMs operate in this protected private LAN. The default IP address range of
the private LAN is 192.9.200.x. These should be non-public IP addresses. The new HSM has a
unique IP address (e.g. 192.9.200.31) according to your order.
Connect the new HSM to the private LAN. Use the RJ45 plug at the rear of your HSM that is
marked with "1". It's a 10/100Mbit Fast Ethernet Plug-and-Play adapter. The second RJ45 plug,
marked with "2", is not used.
It is recommended that the private LAN connection between the IBASEC server and the HSM(s) is
direct, without any delaying routers.
Connect the HSM to the 220V power. In case of a power loss of less than 20 minutes, the HSM
could reboot automatically (without manual intervention). A UPS (uninterruptible power supply)
could provide you with more operational security.
Switch on your HSM with the main power switch at the rear of the HSM.
The second power switch at the rear of your HSM does a proper shut down or cold boot of the
HSM.
Give the powered HSM two minutes to boot properly. The K5 HSM indicates the ready state on a
small LCD display on the front panel. The IT expert might check the proper connection of the HSM
with a ping from the IBASEC server: ping 192.9.200.31
Make an SSH connection from the IBASEC server to the HSM to register the hardware
fingerprint. With Windows use the freeware terminal PuTTY (see Case 14 or FAQ at www.bbp.ch).
Connect a Pin Entry Device (PED) to your HSM:
The IBASEC specific HSM uses the "Trusted Path Authentication", i.e. authorization is managed
by a PED and iKeys (PED Keys).
Connect the PED with the adequate cable to the plug in front of the HSM: The PED is powered by
this data cable and shows readiness on its LCD display:
SCP mode...
Awaiting command...
. < . EXIT
. > . LOG
After the physical connection of a new HSM, it has to be registered with the IBASEC server, i.e. a
new HSM has to be added to the HSM list and its parameters have to be set. The following window
shows the default setting of these parameters. Compare also with Case 13: "Change or set
parameters" and Case 14: "Replace HSM".
Menu → Krypto
Menu → Krypto → Configure
The screenshot of this example shows that three other HSMs are already registered with the
IBASEC server. Before you add the first HSM to the list, you should select "Configure Krypto" and
check for the right IP address of your installation in the private LAN environment.
With a Windows installation, a new HSM should be connected with PuTTY (use the IP address and
not the hostname) to register the fingerprint of the HSM in the Windows Registry.
Menu → Krypto → Configure → Add new HSM
HSM (name), Unit Number, IP Address and Description belong together and depend on the
ordered IP address of your HSM. The Unit Number, and therefore the last octet of the IP
address, is limited to < 100.
SubnetMask: depends on your HSM private LAN
Max. Password Entries: the IBASEC - HSM dialog is password protected. Too many consecutive
wrong passwords should lock the connection. The limit is set here.
Autostart: Do NOT set the Autostart flag now! Only after a successful first-time opening of an HSM
can the Autostart flag be checked to enable automatic opening after an IBASEC server start.
Comm Timeout: 6 s
Poll Interval: 30 s
Selected Applications: select your applications (NKAPP is not available)
The Mode Setting is always "Unattended". The Office Mode, as known from IBASEC 2.x with
Gretacoders, is no longer available with the Luna SP HSMs.
The supplier of your HSM has set up the parameters and secrets of the HSM. If you would
like to change the secrets you should apply either "Change and set Passwords" (Case
15) or completely "Reinitialize the HSM" (Case 14). But first finish the HSM connection
with the supplied secrets.
Change the Admin and the Partition Password according to your PIN letter (Premium Rollout):
The Admin Password gives you and the IBASEC server SSH access to the HSM. The IBASEC
server has to know this password, so it has to be saved with the IBASEC server. The partition
password is an important secret that controls access to the key partition of the HSM (the safe
storage of all your public and private keys). The IBASEC server has to know this password too, so
it has to be saved with the IBASEC server. To change the Application password please follow Case
15.
Menu → HSM
Mark the HSM and select "Set HSM Admin Password on IBASEC Server" and the following
warning will show up:
Menu → HSM → HSM Initialization → Set Initial HSM Admin Password
Set Admin Password: This is the new Admin Password from the PIN Letter that comes from the
HSM supplier (Premium Rollout).
Press <OK> to set the initial Admin password
Extract from PIN_Letter:
HSM-Serial #:          012345
Admin-Password:        12345-12345
Partitions-Password:   1234-abcd-1234-abcd
IP Address:            192.9.200.31
Application-Password:  See Note #1 on next page. It can be set individually without knowing
                       the old ApplicationPassword.
iKeys for PED:         iKeys have no PIN. Just press the <Enter> button on the PED if
                       you are asked to enter a PIN.
                       All iKeys of a specific color (i.e. blue, black and red) are identical and
                       may be used irrespective of HSMs.
Menu → HSM → HSM Initialization → Set Initial HSM Partition Password
Set Partition Password: This is the new Partition Password from the PIN Letter that comes from
the HSM supplier (Premium Rollout).
Press <OK> to set the initial Partition password
Extract from PIN_Letter:
HSM-Serial #:          012345
Admin-Password:        12345-12345
Partitions-Password:   1234-abcd-1234-abcd
IP Address:            192.9.200.31
Application-Password:  See Note #1 on next page. It can be set individually without knowing
                       the old ApplicationPassword.
iKeys for PED:         iKeys have no PIN. Just press the <Enter> button on the PED if
                       you are asked to enter a PIN.
                       All iKeys of a specific color (i.e. blue, black and red) are identical and
                       may be used irrespective of HSMs.
Now your HSM is ready to operate with the IBASEC server version 3.x. The first time, and again
with each cold boot of the HSM, it is recommended to start the web server of the HSM manually. If
you open the HSM with a halted web server, the IBASEC server falls into the recovery mode and
finally starts the web server itself. You can watch these actions by opening the "Audit" (see main
menu).
To save time we start the web server manually:
Menu → HSM → HSM Operations → Start Web Server
For the first start of the web server (after a cold boot of the HSM) the black partition PED key
is needed:
SLOT 03:                      no PED keys are needed if the HSM is not cold booted
LOGIN USER/PARTITION
Insert a User /
Partition Owner
PED Key.
Press ENTER.

SLOT 03:                      enter PIN code of PED key (if any)
LOGIN USER/PARTITION          "Premium Rollout" comes without PIN code.
Enter new PED PIN:            Recommendation: Do NOT use PIN codes unless you
                              know the purpose of it.
Now you are free to open the new HSM. Remember, we have not selected the Autostart flag at the
beginning. If the new HSM works properly you could set it to Autostart.
Check the state of the opened HSM → Case 12
9.4 Case 12: Check the State of the HSM (get status)
Description:
A successful opening of the HSM to the status "connected ActiveUnattended" indicates that the
HSM is in a proper operative state. To get more information about the parameters and
configuration of the selected HSM try the Get Status function.
Prerequisite:
a connected HSM, either open or closed
IBASEC Main menu (GUI) running with security privileges
Get Status of HSM:
Menu → Krypto → Remote (with selected HSM)
If possible, the HSM should be "connected ActiveUnattended" to get the status.
Press "Export" to export and print the status information of the selected HSM.
For more information about the status of the HSM see also Case 17 about log files or select
Menu → HSM → HSM Operations → Download Logs...
9.5 Case 13: Change or set parameters
Description:
The SafeNet Hardware Security Module (LunaSP HSM) comes from your supplier in an "IBASEC
specific state", ready to connect to your server. The HSM is individually prepared according to your
HSM order. A few parameters are free to be optimized for your application and workload.
Prerequisite:
Solaris server (possibly with CD access)
Privileges: root access
IBASEC Main menu (GUI) running with administrator privileges
Change Parameters:
Menu → Krypto
Menu → Krypto → Configure
Menu → Krypto → Configure → Add new HSM:
After the physical connection of a new HSM, it has to be registered with the IBASEC server, i.e. a
new HSM has to be added to the HSM list and its parameters have to be set. The following window
shows the default setting of these parameters.
To modify the parameters, use:
Menu → Krypto → Configure → Modify HSM
HSM (name), Unit Number, IP Address and Description belong together
SubnetMask: depends on your HSM private LAN
Max. Password Entries: the IBASEC - HSM dialog is password protected. Too many consecutive
wrong passwords should lock the connection. The limit is set here.
Autostart: after a successful installation and opening of an HSM, the Autostart flag could be checked
to enable automatic opening after an IBASEC server start.
Comm Timeout: 6 s
Poll Interval: 36 s
Selected Applications (NKAPP is not available, PKI should be selected with SECOM)
The Mode Setting is always "Unattended". The Office Mode, as known from IBASEC 2.x with
Gretacoders, is no longer available with the HSMs.
Follow-up actions:
Restore the keys (key partition) from a backup token → Case 38
9.6 Case 14: HSM Initialization
Description:
An HSM could be replaced with the same IP address or removed and replaced with a new IP
address. Let's replace it with the same IP address. If you intend to give away your old HSM you
should clean it of all personal data (Main menu → HSM → HSM Initialization → Erase HSM for
Transport).
These operations should be done by an IT expert. Please consult your Integrator.
Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
New HSM with "Premium Rollout" and the ordered IP address
Administration and Partition Password of new HSM
PED keys: blue, red and black
Reference:
SIC/euroSIC User Manual
Instructions from "Premium Rollout"
Replace HSM:
Properly remove your old HSM from the IBASEC installation:
close the selected HSM
Menu → Krypto
switch off the Autostart flag for the HSM with Menu → Krypto → Configure → Modify HSM
uncheck "Autostart" to avoid an automatic start (opening) of the new HSM
switch off the power of the HSM and disconnect it from the Ethernet cable
connect the new HSM and power it.
open an SSH terminal (with PuTTY from Windows) and connect to the HSM
Your server has detected that the fingerprint of the new hardware has changed.
With Unix you have to delete the corresponding line in the file /opt/ibasec/.ssh/known_hosts
Let's have a look at the new HSM (this is optional):
With Unix do a ssh login:
ibasec@<srv> % ssh -l admin 192.9.200.35
login as: admin
admin@192.9.200.35's password:
Luna Command Line Shell v4.0.0-19 - (c) 2006 SafeNet, Inc. All rights reserved.
[HSM35] lunash:>
[HSM35] lunash:>hsm show
Appliance Details:
==================
Software Version:               4.0.0-19
HSM Details:
============
HSM Label:                      HSM35
Serial #:                       300002
Firmware:                       4.6.0
Hardware Model:                 Luna K5
Authentication Method:          PED keys
HSM Admin login status:         Not Logged In
HSM Admin login attempts left:  3 before HSM zeroization!
MofN activation status:         M of N not used
Partitions created on HSM:
==========================
Partition: 300002001,           Name: keypar
FIPS 140-2 Operation:
=====================
The HSM is NOT in FIPS 140-2 approved operation mode.
Command Result : 0 (Success)
[HSM35] lunash:>
Then take a second look by checking the state of the HSM → Case 12
Now create your own secrets (PED keys, partition password) by initializing the HSM:
follow Case 15 to change the Admin and the Partition password.
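The `hsm show` transcript above exposes two values worth checking after a replacement: the serial number of the unit that actually answered, and the admin login attempts left before zeroization. The following Python is an added example, not part of the manual or of IBASEC; it parses a saved transcript and reports deviations. The one-line `label: value` layout, the inventory serial and the baseline counter are assumptions, and the sample text is constructed from the transcript with the counter lowered to 2.

```python
import re

# Constructed sample: the manual's `hsm show` transcript with one failed
# admin login simulated (attempts left lowered from 3 to 2).
SAMPLE = """\
[HSM35] lunash:>hsm show
Appliance Details:
==================
Software Version:               4.0.0-19
HSM Details:
============
HSM Label:                      HSM35
Serial #:                       300002
Firmware:                       4.6.0
Hardware Model:                 Luna K5
Authentication Method:          PED keys
HSM Admin login status:         Not Logged In
HSM Admin login attempts left:  2 before HSM zeroization!
MofN activation status:         M of N not used
Partitions created on HSM:
==========================
Partition: 300002001,           Name: keypar
FIPS 140-2 Operation:
=====================
The HSM is NOT in FIPS 140-2 approved operation mode.
Command Result : 0 (Success)
"""


def parse_hsm_show(text):
    """Return a dict of the 'label: value' pairs found in a transcript."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, shell prompts and the ==== underlines.
        if not line or line.startswith("[") or set(line) == {"="}:
            continue
        # Only the negative wording is shown in the manual, so only that
        # wording is interpreted; anything else leaves the key unset.
        if "is NOT in FIPS 140-2 approved operation mode" in line:
            fields["fips_approved"] = False
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():  # section headings have no value
            fields[key.strip()] = value.strip()
    return fields


def leading_int(value):
    """Parse the integer at the start of a value such as '2 before ...'."""
    match = re.match(r"\d+", value or "")
    return int(match.group()) if match else None


def check_hsm(text, expected_serial, baseline_attempts):
    """Compare a transcript with the inventory serial and the last counter."""
    fields = parse_hsm_show(text)
    findings = []
    if leading_int(fields.get("Command Result")) != 0:
        findings.append("command did not report success")
    serial = fields.get("Serial #")
    if serial != expected_serial:
        findings.append(
            f"serial {serial} does not match inventory {expected_serial}")
    left = leading_int(fields.get("HSM Admin login attempts left"))
    if left is None:
        findings.append("admin login attempts counter not found")
    elif left < baseline_attempts:
        # A lower counter means at least one failed admin login since the
        # baseline was recorded.
        findings.append(
            f"admin login attempts left: {left} (baseline {baseline_attempts})")
    return findings


if __name__ == "__main__":
    for finding in check_hsm(SAMPLE, expected_serial="300002",
                             baseline_attempts=3):
        print("FINDING:", finding)
```
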
9.7 Case 15: Change and set passwords
Description:
The IBASEC Server uses three passwords protecting different operations:
Admin Password
Partition Password
Application Password
The Admin and the Application Password are set by default. The Partition Password is created by
initializing and installing a new LunaSP HSM partition (→ Case 14). This partition password has to
be saved with the IBASEC server (set new partition password).
Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.1 and 3.1 STEP 3
Instructions from "Premium Rollout"
Set new Partition Password:
You have added and setup a new HSM or you have replaced it with an HSM that was already
installed with another IBASEC server (Case 14). So the partition password should be known. This
partition password has to be saved with the IBASEC server:
IBASEC Main Menu
Menu → HSM
Mark the HSM and then select "Enter Password" and the following warning will show up:
Menu → HSM → HSM Initialization → Set Initial HSM Partition Password...
This is not a password change. The partition password created on the HSM has to be handed over
to the IBASEC server by entering the password with the function "Set Initial HSM Partition Password".
Change the Partition Password:
If you would like to change the partition password in the HSM and with the IBASEC server you
have to enter the old and the new partition password:
Menu → HSM → HSM Initialization → Change HSM Partition Password...
Change the Admin Password:
The admin password gives SSH access to the HSM with the user "admin". A brand new HSM from
SafeNet can be connected via SSH with the user "admin" and the factory password "chrysalis". After
the Premium Rollout has initialized the HSM for the IBASEC application, the new password is
documented in the PIN Letter from the supplier. The admin password can be changed:
mark the HSM and
Menu → HSM → HSM Initialization → Change HSM Admin Password
and the following warning will show up:
Menu → HSM → HSM Initialization → Change HSM Admin Password...
The new Admin password has to comply with the HSM password requirements.
see section 6.1
press <OK> to change the admin password "pass*12345" to "xYz-54321"
Set the Application Password:
To further secure the communication between the IBASEC server and the HSM(s) via the secure
private LAN, an application password is used to scramble the communication. This password is set
by default and it can be changed:
Stop the Web Server first.
Menu → HSM → HSM Initialization and mark the HSM
mark the HSM and select "Set HSM Application Password" and the following warning will show up:
Menu → HSM → HSM Initialization → Enter Password...
press <OK> to set the new application password.
After setting a new application password, the web server has to be (stopped and) restarted.
9.8 Case 16: Installation of a new Web Server Application Software
Description:
The IBASEC Server communicates with the HSM via HTTP (Hypertext Transfer Protocol), the
well-known protocol used between an internet browser and a web server. The HSM runs an
Apache/Tomcat web server. Special Java code has been developed by SIC to enable the
communication between the IBASEC server and the HSM. The Java code is protected by a
signature that is compared with the SIC certificate on your HSM. All IBASEC specific HSMs
already have this certificate installed (ibasec3-dsazert.pem).
A "Premium Rollout" HSM has the newest web server application installed already!
Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
"Premium Rollout" HSM with code sign certificate from SIC
Copy the new appliance software from the SIC CD to the IBASEC server:
put CD in drive of IBASEC server
mount CD
mkdir $IBA_RELEASE/luna<XXX>
cp <mnt point of cd>/lunaHSM_v<version>/* $IBA_RELEASE/luna<XXX>
Reference:
User manual IBASEC, section 3.2 and 5.2.3 .
Uninstall the existing web server application first:
Before you can install a new web server application (appliance), the old installation has to be
undeployed first. Do the following:
IBASEC Main Menu
Menu → HSM → HSM Initialization (with a marked HSM)
Confirm the following "Uninstall Application" button and watch the audit event log.
Install a web server application:
The web server application is signed by SIC and verified with an already installed
ibasec3-dsazert.pem certificate. The latest version of the software comes with the IBASEC CD. If a
later version should be distributed by SIC, you have to copy it to the IBASEC server. Follow the
instructions coming with the new distribution.
Menu → HSM → HSM Initialization (with a marked HSM)
select "Install Application"
Select the newest software release, and start upload.
Watch the successful installation and deployment with the audit event log.
If you forgot to uninstall the present installation you'll get the following message:
After the successful installation, you have to start the web server, and to open the HSM.
9.9 Case 17: Execute maintenance work and use of log files
Description:
A few files and directories for audit and monitoring of the IBASEC activities have to be maintained
because they are constantly growing with the usage of IBASEC.
Some of these operations should be done by an IT expert.
Prerequisite:
ssh (putty with Windows) connection to the IBASEC server
Reference:
User manual IBASEC, section 3.3 and 3.1 STEP 3
see also section 4.5 for details
Audit event file EVT:
The audit event file that can be displayed with the "Audit" button from the Main menu is saved in
the $IBA_DB directory (default: /var/ibasec/prod/db) and copied, according to the setting in the Audit
Config window (Menu > Audit > Configure), to the $IBA_LOG directory (/var/ibasec/prod/log)
file: evt20061230094500.dat
drwxr-xr-x 14 ibasec ibasec 512 Oct 11 16:33 ../
-rw-r--r-- 1 ibasec ibasec 39368 Jan 2 13:15 AUDIT
-rw-r--r-- 1 ibasec ibasec 10208 Oct 11 16:33 CA
-rw-r--r-- 1 ibasec ibasec 1245400 Jan 2 13:28 EVT
-rw-r--r-- 1 ibasec ibasec 2084328 Nov 30 09:42 IBASEC
-rw-r--r-- 1 ibasec ibasec 1649200 Jan 1 19:11 KRYPTO
-rw-r--r-- 1 ibasec ibasec 41913 Jan 2 13:24 SYSMAN
HSM Log Files:
All the log files from the HSM (there are about 18 different log files!) should be copied in a
subdirectory of the $IBA_LOG directory and then be deleted on the HSM:
drwxrwxr-x 2 ibasec ibasec 512 Sep 10 02:30 HSM31_20060921/
drwxrwxr-x 2 ibasec ibasec 2048 Sep 22 02:36 HSM31_20060922/
drwxrwxr-x 2 ibasec ibasec 1024 Sep 23 02:32 HSM31_20060923/
The environment variable (or Windows registry entry) IBA_HSM_MAINTENANCE_TIME has to be
set for automatic downloading and deleting of HSM log files.
example of .cshrc
setenv IBA_HSM_MAINTENANCE_TIME "04:30"
# daily download and delete at 04:30
If the environment variable IBA_HSM_MAINTENANCE_TIME is unset, there will be no
downloading and deleting of HSM log files!
Besides the daily copies you can trigger an additional set of log files with the function:
Menu > HSM > HSM operations > Download Logs ...
"Download Logs" produces a directory /var/ibasec/prod/log/HSM34_20070102
with a full set of log files that can be read and printed with a text editor.
It is recommended that you regularly archive and clean up the Log directory.
This is an example script to clean up the accumulating log files on the IBASEC server. It can be
executed as a cron job or as a Maintenance Script (see sect. 4.5).
% /opt/ibasec/prod/scripts/remove_hsm_logs -help
This script is commonly called via the crontab facility.
To run this script automatically each day at 18:00, type :
ibasec% setenv EDITOR vi
ibasec% crontab -e
<add the following line at the end of file>
00 18 * * * csh -c '/opt/ibasec/prod/scripts/remove_hsm_logs -maxdays 30' >> /var/ibasec/prod/log/cleanup.log
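The two maintenance points of this case (daily HSM log downloads and regular archiving of old log directories) can be checked with a script. The following Python code is an added example, not the remove_hsm_logs script shipped with IBASEC; it assumes the HSM<nn>_<YYYYMMDD> directory naming shown in the listings above, and its function names and the archive directory are hypothetical.

```python
"""Audit and archive the daily HSM log directories below $IBA_LOG."""
import re
import shutil
import tarfile
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

# Directory naming taken from the listings in this case: HSM<nn>_<YYYYMMDD>
DIR_RE = re.compile(r"^HSM(\d+)_(\d{8})$")


def scan(log_dir):
    """Return {hsm_id: {day: path}} for every real HSM log directory."""
    found = {}
    for entry in Path(log_dir).iterdir():
        m = DIR_RE.match(entry.name)
        # Symlinks are skipped so that a planted link can never steer the
        # cleanup outside the log directory.
        if not m or entry.is_symlink() or not entry.is_dir():
            continue
        try:
            day = datetime.strptime(m.group(2), "%Y%m%d").date()
        except ValueError:  # name has eight digits but is not a date
            continue
        found.setdefault(m.group(1), {})[day] = entry
    return found


def missing_days(found, today):
    """Days without a download, from each HSM's oldest directory to yesterday.

    A gap suggests that the automatic download did not run, for instance
    because IBA_HSM_MAINTENANCE_TIME was unset on that day.
    """
    gaps = {}
    for hsm, days in found.items():
        day, missing = min(days), []
        while day < today:
            if day not in days:
                missing.append(day)
            day += timedelta(days=1)
        if missing:
            gaps[hsm] = missing
    return gaps


def archive_old(log_dir, archive_dir, maxdays, today):
    """Pack directories older than maxdays into tar.gz files, then delete them."""
    cutoff = today - timedelta(days=maxdays)
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    archived = []
    for days in scan(log_dir).values():
        for day, path in sorted(days.items()):
            if day >= cutoff:
                continue
            target = archive_dir / (path.name + ".tar.gz")
            with tarfile.open(target, "w:gz") as tar:
                tar.add(path, arcname=path.name)
            # Delete the source only after the archive reads back complete.
            expected = {p.relative_to(path.parent).as_posix()
                        for p in path.rglob("*")}
            expected.add(path.name)
            with tarfile.open(target, "r:gz") as tar:
                stored = set(tar.getnames())
            if stored != expected:
                raise RuntimeError("archive incomplete: %s" % target)
            shutil.rmtree(path)
            archived.append(path.name)
    return sorted(archived)


if __name__ == "__main__":
    # Constructed sample tree standing in for $IBA_LOG.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("HSM31_20060921", "HSM31_20060922", "HSM31_20060924"):
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "sample.log").write_text("constructed\n")
        print("missing:", missing_days(scan(tmp), date(2006, 9, 25)))
        print("archived:", archive_old(tmp, Path(tmp) / "archive", 30,
                                       date(2006, 10, 25)))
```

Run the gap check before the cleanup, because archived directories no longer count as downloaded days.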
9.10 Case 18: Setup a zeroized HSM (Premium Rollout)
Description:
The SafeNet Hardware Security Module (LunaSP HSM) comes from your supplier in an "IBASEC
specific state", ready to connect to your server. An unprepared or a zeroized HSM could fail at the
specific IBASEC operations. If you would like to create all of the HSM/IBASEC secrets (PED keys,
passwords) yourself, you also have to setup the HSM from scratch.
These operations should be done by an IT expert. Please consult your Integrator.
9.11 Case 19: Change PIN code on HSM
The IBASEC operations with the HSM Luna SP are secured with these three PED keys:
Admin PED Key (blue key) with PIN code
Partition PED Key (black key) with PIN code
Domain PED Key (red key) without PIN code
Please note that the PIN code is bound to the HSM Partition and not to the PED keys.
But the PED key carries the flag "ask for PIN code. yes/no"!
The PIN code that is requested with an Admin PED key is the same for all Admin PED keys
of this HSM. So when you change, e.g., a PIN code with the Admin PED key, it has changed for all
Admin PED keys at this HSM. With another HSM, the same Admin PED key could request another
PIN code! But be aware that the PED key must know whether it should ask for a PIN code.
Change PIN code with Admin PED key (blue key) via ssh
connect to the HSM via ssh
enter: hsm changePw
confirm "Reuse Id, Yes/No" with Yes
enter the new PIN code twice
Change PIN code with Partition PED key (black key) via ssh
connect to the HSM via ssh
enter: partition resetPw -par keypar
from the menu select 1. change black PED key data
confirm "Reuse Id, Yes/No" with Yes
enter the new PIN code twice
Make new copies of your PED keys to make sure that you will be asked for the PIN code.
9.12 Case 32: Generate a local verification key (LOCERT)
Description:
The first step to set-up an HSM for production mode is to generate a pair of local certificate keys.
The keys will be used to secure the transfer of the production public keys from and to the IBASEC
server.
Prerequisite:
IBASEC Main menu (GUI) running with security officer privileges
Application password
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.2.1 [UM]
Create a LOCERT key pair:
Menu > Keyman
Menu > Keyman > HSM Keymanagement
Menu > Keyman > HSM Keymanagement > Create LOCERT Key...
make sure that your Caps-Lock is not switched on!
select your first HSM, enter Key size, start and end date and the application password.
verify the "active" status of this key in the Keyman module.
For the key management with SIS, see the reference [Cert, SIS].
If you operate with more than one HSM at your IBASEC server, you should back up this LOCERT
key pair and restore it to the other HSMs (see Cases 37 and 38).
9.13 Case 33: Create a production key pair
Description:
All SIC- and euroSIC-participants need a separate key pair per LUD (business partner, logic
connection). Such a key pair has to be created.
Prerequisite:
IBASEC Main menu (GUI) running with security officer privileges
Existing LOCERT
Existing application "SIC"
Existing business partner or LUD "XXX0" created in Bpman (section 4.7)
Application Password
PED keys: no
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.2.2 [UM]
Instructions from SIC key management ([email protected])
To start from IBASEC GUI menu
Menu > Krypto
To properly connect a HSM to the IBASEC server see Cases 11 and 12
Menu > Keyman
Menu > Keyman > HSM Keymanagement > Create RSA Key pair
As Business Partner take XXX0. Select the first HSM (31). It is recommended that you create all
your necessary keys on the first HSM, then back it up and restore the same set of keys to the other
HSM(s)
Select the Application: SIC, EURO, SECOM
In this case your business partner (or LUD) is SICS (ask SIC key management for further details)
Select the Key size, the usage and the period of validity (see the table in [UM] 6.2.2)
Enter Application Password (see [UM] 3.1)
Create RSA Key pair - Create
Create - Yes (yes/no are displayed in the system language)
To monitor the success (or failure) of the keypair creation you could also open the audit window:
Menu > Audit
verify the "active" status of this key in the Keyman module.
Follow-up actions:
List the active keys to see the success of the key generation
Export a public key to a provider (e.g. to SIC) (see Case 34)
View details of key(pair)
Print fingerprint letter of public key (see Case 34)
Backup the key partition of this first HSM(31) (see Case 37)
Restore the Backup of the first HSM(31) to the other HSM(s) (see Case 38)
9.14 Case 34: Export your public key to the provider (SIC)
Description:
A locally created keypair (see Case 33) has to be sent as a file to the provider. An accompanying
fingerprint letter has to be created.
Prerequisite:
IBASEC Main menu (GUI) running with security officer privileges
a created key pair
PED keys: no
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.2.2 [UM]
Instructions from SIC key management ([email protected])
To start IBASEC GUI menu
Menu > Keyman > Find
Menu > Keyman > Find > Free Search ...
Set your criteria (filter) to easily find the public key to export:
Menu > Keyman > Find > Free Search > Search
Mark the public key for export to your provider. Open the Key pulldown menu and select "Export
Key as Self-Signed Certificate..":
Press <OK> and remember where you have placed your certificate file on your system. Together
with this file a so-called fingerprint letter has to be printed:
In your Search Window (Menu > Keyman > Find > Free Search > Search) select <Print Letter>
to print the fingerprint letter or <Export Letter to File> if you like to print it on another workstation.
Select a printer. If no printer is installed, you could direct the output to a file.
The fingerprint letter has to be signed by an authorized person, and sent by fax to the SIC
Operation Center (Fax 058 499 47 41).
Moreover, it has to be sent as an e-mail attachment to the SIC Operation Center ([email protected]), together with the self-signed certificate file, which first has to be copied from .crt to
.txt and then zipped.
Follow-up actions:
Backup the first HSM(31) (see Case 37)
for the key management with SIS see the separate manual: Certificate and
certification management for the SECOM application using IBASEC
9.15 Case 35: Import a public key from SIC
Description:
Public keys from a foreign system can be imported with two types of files: the IBASEC 2 file format
and self-signed certificates. You always get the public keys from SIC as self-signed certificates.
Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
self-signed certificates from SIC
Application password (no PED keys)
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.7 [UM]
Instructions from SIC key management ([email protected])
IBASEC GUI main menu
Menu > Krypto (select a HSM to activate the Keys menu)
Before you can select a self-signed certificate file you have to place the file from SIC in the
designated directory ($IBA_IMPORT). The certificates come with the IBASEC CD.
Copy the files from SIC to /var/ibasec/prod/import
(you might find them on the IBASEC CD directory /certs)
Menu > Krypto > Keys > Import Self-Signed Certificate
With Unix, the filenames are case-sensitive, e.g. the files have to end with .crt (not with .CRT)
Select the file from the "Filename" combo-box (all files from the /var/ibasec/prod/import directory
are shown) and press "Import"
The key was successfully imported from the certificate file.
It may be that the entered application password was wrong and too many consecutive wrong
attempts have locked the HSM for further use.
In this case you have to unlock the HSM, and that needs the Admin key (blue PED key):
Menu > HSM > HSM Initialization > Unlock HSM
Now you have to do the validation procedure again.
for the key management with SIS see the separate manual: Certificate and
certification management for the SECOM application using IBASEC
Certificates are imported with the module Certman.
9.16 Case 36: Verify an imported external public key
Description:
An asymmetric cryptographic function requires the exchange of public keys of the two
communicating sides. Your providers (SIC and SIS) deliver their public keys to your installation.
These keys come with fingerprints to verify the authenticity. To allow you to exchange these keys
among your HSMs they have to be validated by your local certificate (LOCERT).
Prerequisite:
IBASEC Main menu (GUI) running with security privileges
Connected (first) HSM
A PED (pin entry device) connected to the HSM
PED keys: blue (Admin), red (Domain), black (Partition)
Imported public keys (see Case 35)
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.5
The keys, i.e. the self-signed certificate files, have to be copied to the $IBA_IMPORT directory of
your IBASEC server (default: /var/ibasec/prod/import) (see Case 35)
To start IBASEC GUI menu
Menu > Krypto
Menu > Krypto > Keys > Validate Key in HSM
Select the imported key you wish to validate, then enter the application password and the
fingerprint of certificate (from SIC) and press "Validate".
Confirm the validation of the key.
9.17 Case 37: Backup key partition
Description:
With a Key Backup the whole partition is copied to a Backup Token. The Backup Token should be
inserted before you launch the backup procedure.
Watch the display of the LunaPED for the requested PED key application. If the backup
token has already been used with other HSMs that do not belong to the same group, the backup
will fail. If you insist on overwriting the used token, you have to repeat the procedure 3 times until it
accepts the overwriting of the token.
Prerequisite:
IBASEC Main menu (GUI) running with administration privileges
Disconnected (first) HSM
A PED (pin entry device) connected to the HSM
PED keys: blue (Admin), red (Domain), black (Partition)
Backup Token for SafeNet Luna SA
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 5.6
To start IBASEC GUI menu (see Case 1)
Menu > HSM
Select (mark) a HSM.
The selected HSM should be "Disconnected" otherwise "Close" it with the <Close> button.
Insert a new or already used backup token (SafeNet Luna SA BACKUP TOKEN) into the slot (01)
of the selected HSM.
Select the "Key Backup" function
Menu > HSM > Backup and Restore > Key Backup
Press "Key Backup" and watch your PED (pin entry device)
PED display: SLOT 03: LOGIN SO/HSM ADMIN... Insert a SO / HSM Admin PED Key. Press ENTER.
Action: (slot 03 means your HSM partition) insert the PED Admin key (blue key)
PED display: SLOT 03: LOGIN SO/HSM ADMIN... Enter PED PIN:
Action: enter the PIN code of your Admin key (empty PIN code is possible)
PED display: SLOT 01: LOGIN SO/HSM ADMIN... Insert a SO / HSM Admin PED Key. Press ENTER.
Action: (slot 01 means your backup token) insert the PED Admin key (blue key)
PED display: SLOT 01: LOGIN SO/HSM ADMIN... Enter PED PIN
Action: enter the PIN code of your Admin key (empty PIN code is possible)
PED display: SLOT 01: INITIALIZE HSM... Insert a SO / HSM Admin PED Key. Press ENTER.
Action: (slot 01 means your backup token) insert the PED Admin key (blue key)
PED display: SLOT 01: INITIALIZE HSM... This PED Key has a valid Identity for SO / HSM Admin. Reuse Id? YES/NO
Action: (slot 01 means your backup token) ATTENTION: press: <YES>
if you select NO, your inserted PED key will get a new ID and it cannot be used anymore for the other HSMs.
PED display: SLOT 01: INITIALIZE HSM... Enter new PED PIN: / Confirm new PED PIN:
Action: enter the PIN code of your Admin key and confirm it.
Recommendation: do not use PIN Codes, (an empty PIN code is possible and recommended)
or give all keys the same PIN code.
(get advice about the usage and purpose of PED PIN codes)
PED display: SLOT 01: INITIALIZE HSM... Copy this PED Key? YES/NO
Action: You can copy the PED Keys later: <NO>
PED display: SLOT 01: LOGIN SO/HSM ADMIN... Insert a SO / HSM Admin PED Key. Press ENTER.
Action: (slot 01 means your backup token) insert the PED Admin key (blue key)
PED display: SLOT 01: LOGIN SO/HSM ADMIN... Enter PED PIN:
Action: enter the PIN code of your Admin key (empty PIN code is possible)
PED display: SLOT 01: SET DOMAIN... Insert a SO / Domain PED Key. Press ENTER.
Action: insert the PED Domain key (red key)
PED display: SLOT 01: SET DOMAIN... This PED Key has a valid Identity for Domain Reuse Id? YES/NO
Action: press: <YES>
PED display: SLOT 01: SET DOMAIN... Copy this PED Key? YES/NO
Action: You can copy the PED Keys later: <NO> press: <NO>
PED display: SLOT 01: CREATE USER/PARTITION Insert a Partition PED Key. Press ENTER.
Action: insert the PED Partition key (black key)
PED display: SLOT 01: CREATE USER/PARTITION This PED Key has a valid Identity for SO / HSM Admin. Reuse Id? YES/NO
Action: press: <YES>
PED display: SLOT 01: CREATE USER/PARTITION Enter new PED PIN: / Confirm new PED PIN:
Action: enter the PIN code of your Partition key and confirm (empty PIN code is possible)
PED display: SLOT 01: CREATE USER/PARTITION Copy this PED Key? YES/NO
Action: You can copy the PED Keys later: <NO>
PED display: SLOT 03: LOGIN USER/PARTITION. Insert a Partition PED Key. Press ENTER.
Action: insert the PED Partition key (black key)
PED display: SLOT 03: LOGIN USER/PARTITION. Enter PED PIN:
Action: enter the PIN code of your Partition key (empty PIN code is possible)
*** Attention: Your time to insert PED keys and enter the PIN codes is LIMITED! ***
*** If the handling is too slow a TIMEOUT error will occur ***
Watch the Logs by pressing "View Logs"
Let's have a look at the Logs (press "View Logs"). The successful partition backup operation should
return:
Object "..." (handle ...) cloned to handle .. on target
...
Object "..." (handle ...) cloned to handle .. on target
'partition backup' successful.
Command Result : 0 (Success)
This looks good. Congrats, you have successfully made a backup of your key partition.
If, on the way, one of the messages is like
...
Problem cloning object "..." (handle ...) from source to target.
(RC_DATA_INVALID)
...
then the backup is unusable! In this case, the backup should end with something like
...
Error: 'partition backup' failed. (C0000102 : RC_DATA_INVALID)
Command Result : 65535 (Luna Shell execution)
but we think this might not be reliable. Therefore, we recommend checking not only the last two
lines, but also all lines before.
Again, be aware that the time for the PED key handling is limited. If you are too slow, the Log could
look like this:
This was too slow,
see the line "Error: 'partition backup' failed. (300134: LUNA_RET_SP_TIMEOUT)"
Wait until the progress bar shows 100% executed. If the backup is correct, then remove the
backup token, and keep it at a safe place.
Follow-up actions:
Restore the Backup of the first HSM(31) to the other HSM(s) (see Case 38)
9.18 Case 38: Restore key partition
Description:
With a Key Backup the whole partition is copied to a Backup Token. If several HSMs are in use,
the backup of the first HSM is restored to the other HSMs so that all have the same keys ready for
operation.
Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
Disconnected HSM (closed)
A PED (pin entry device) connected to the HSM
PED keys: blue (Admin), red (Domain), black (Partition)
Backup Token for SafeNet Luna SA
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 5.6
To start IBASEC GUI menu (see Case 1)
Menu > HSM
Insert the Backup Token into the card reader of the HSM (both slots are accepted). A double beep
confirms acceptance.
press "Key Restore" of selected HSM.
Press "Key Restore" and watch your PED (pin entry device)
with "View Logs" you could watch the progress of the key partition restore
PED display: SLOT 03: LOGIN SO/HSM ADMIN... Insert a SO / HSM Admin PED Key. Press ENTER.
Action: insert the PED Admin key (blue key)
PED display: SLOT 03: LOGIN SO/HSM ADMIN... Enter PED PIN:
Action: enter the PIN code of your Admin key (empty PIN code is possible)
PED display: SLOT 01: LOGIN SO/HSM ADMIN... Insert a SO / HSM Admin PED Key. Press ENTER.
Action: insert the PED Admin key (blue key)
PED display: SLOT 01: LOGIN SO/HSM ADMIN... Enter PED PIN:
Action: enter the PIN code of your Admin key (empty PIN code is possible)
PED display: SLOT 01: LOGIN USER/PARTITION Insert a Partition PED Key. Press ENTER.
Action: insert the PED Partition key (black key)
PED display: SLOT 01: LOGIN USER/PARTITION. Enter PED PIN:
Action: enter the PIN code of your Partition key (empty PIN code is possible)
Check the log. The successful partition restore
operation should return:
Object "..." (handle ...) cloned to handle ... on target
...
Object "..." (handle ...) cloned to handle ... on target
'partition restore' successful.
Command Result : 0 (Success)
If, on the way, one of the messages is like
...
Problem cloning object "…" (handle …) from source to target. (RC_DATA_INVALID)
...
then the backup is unusable! In this case, the backup should end with something like
...
Error: 'partition restore' failed. (C0000102 : RC_DATA_INVALID)
Command Result : 65535 (Luna Shell execution)
but we think this might not be reliable. Therefore, we recommend checking not only the last two
lines, but also all lines before.
Wait until the progress bar shows 100% executed. If the restore is correct, then remove the backup
token and keep it in a safe place again.
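Cases 37 and 38 both recommend checking every line of the backup or restore log, not only the last two. The following Python code is an added example, not part of IBASEC: it applies that check to a saved log, the function name is hypothetical, and the sample logs are constructed from the message shapes quoted above (object names and handles are made up).

```python
"""Check a 'partition backup' / 'partition restore' log line by line."""
import re

CLONED = re.compile(r'^Object ".*" \(handle \S+\) cloned to handle \S+ on target')
PROBLEM = re.compile(r"^Problem cloning object")
FAILED = re.compile(r"^Error: 'partition (backup|restore)' failed\.")
SUCCESS = re.compile(r"^'partition (backup|restore)' successful\.")
RESULT = re.compile(r"^Command Result : (\d+)")


def check_partition_log(text, operation):
    """Return (ok, findings) for operation 'backup' or 'restore'.

    ok is True only when every line agrees: at least one object cloned, no
    cloning problem, no error line, the success line for this operation and
    a final 'Command Result : 0'.
    """
    cloned, success, result, findings = 0, False, None, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if CLONED.match(line):
            cloned += 1
        elif PROBLEM.match(line) or FAILED.match(line):
            findings.append("line %d: %s" % (number, line))
        elif SUCCESS.match(line):
            if SUCCESS.match(line).group(1) == operation:
                success = True
            else:
                findings.append(
                    "line %d: success line is for another operation" % number)
        elif RESULT.match(line):
            result = int(RESULT.match(line).group(1))
    if cloned == 0:
        findings.append("no object was cloned")
    if not success:
        findings.append("no \"'partition %s' successful.\" line" % operation)
    if result != 0:
        findings.append("Command Result is %s, expected 0" % result)
    return (not findings, findings)


# Constructed sample logs (object names and handles are invented).
GOOD_LOG = """\
Object "sample-key-1" (handle 14) cloned to handle 20 on target
Object "sample-key-2" (handle 15) cloned to handle 21 on target
'partition backup' successful.
Command Result : 0 (Success)
"""

# The case the manual warns about: one object failed, the tail looks fine.
MIXED_LOG = """\
Object "sample-key-1" (handle 14) cloned to handle 20 on target
Problem cloning object "sample-key-2" (handle 15) from source to target. (RC_DATA_INVALID)
'partition backup' successful.
Command Result : 0 (Success)
"""

# PED key handling was too slow.
TIMEOUT_LOG = """\
Error: 'partition backup' failed. (300134: LUNA_RET_SP_TIMEOUT)
Command Result : 65535 (Luna Shell execution)
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("mixed", MIXED_LOG),
                      ("timeout", TIMEOUT_LOG)):
        ok, findings = check_partition_log(log, "backup")
        print(name, "OK" if ok else "UNUSABLE", findings)
```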
9.19 Case 39: Distribute public keys to further HSMs
Description:
With a Key Backup the whole partition is copied to a Backup Token. If several HSMs are in use,
the backup of the first HSM is restored to the other HSMs so that all have the same keys ready for
operation.
Prerequisite:
IBASEC Main menu (GUI) running with security privileges
Reference:
SIC/euroSIC User Manual
Main menu
Menu > Keyman
Menu > Keyman > Keys > Configure
Distribute Keys Automatically. Remember: you could also back up the first HSM and restore all its
keys to the further HSMs
By default, the keys of "High Priority" applications are distributed to "All" HSMs. To be more
selective, you could distribute the public keys of "Medium Priority" applications to two further HSMs
Follow-up actions:
Restore the Backup of the first HSM to the other HSM(s) (see Cases 37 and 38)
9.20 Case 40: Delete a key (or all keys)
Description:
All keys are stored in the HSM. The public keys are also stored in the IBASEC server database
KRYPTO. To delete a key means removing it from a HSM partition. To purge a key means
removing it from the IBASEC server database.
Prerequisite:
IBASEC Main menu (GUI) running with security privileges
at least one HSM is in "connected ActiveUnattended" mode and has loaded keys
Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.16, 6.17
Delete a key:
Deleting a single key and deleting all keys differ only in the selection of the key(s).
Main menu
Menu > Keyman
Menu > Keyman > Find > Free Search...
Search a selection of keys with the "Free Search..." routine. In this case we would like to see all
keys of HSM39. For more search criteria (filters) see section 6.20 of this manual.
Menu > Keyman > Find > Free Search > Search
Mark the key you would like to delete. Select "Details" to make sure to select the right key for
deletion. With Ctrl-A you could select all keys in the list.
Menu > Keyman > Find > Free Search > Search > Key
Delete Key.. - deletes keys in HSM but not in the IBASEC server database
Purge Key in db.. - deletes keys in the IBASEC server database KRYPTO
Delete Key...
You could delete the key in one single HSM or in all connected HSMs, provided that all HSMs are
"connected and ActiveUnattended" (see Krypto). A deleted public key that has not been deleted in
the database (not purged) is automatically reloaded the next time you open the HSM. To
completely get rid of a key means that you also have to "Purge key in db..."
Follow-up actions:
Purge keys in IBASEC server database KRYPTO
9.21 Case 41: Certification of SECOM Private Keys by SIS
Description:
These are the steps to get your (Bank's) private keys certified by SIS.
Prerequisite:
IBASEC Main menu (GUI) running with superuser privileges.
For the message exchange with SIS (application SECOM) we need the following certificates.
The SIS certificates are delivered with the IBASEC CD or could be downloaded from the
SIS site.
a LOCERT must be present in HSM
Imported ROOT.CRT
Validated ROOT.CRT with fingerprint
Imported SECOM-SECN-5053B310.CRT (automatically validated by the ROOT.CRT)
Reference:
"IBASEC3: 2Kbit certification of private keys (client's side)" to be downloaded from SIS site
[CERT2]. See also chapters 6.8...6.14 of this manual.
Step 1: Profile
Ensure that you have a valid 2Kbit profile for the SECOM application like this:
Step 2: Create Key Pair
Create your RSA key pair for the SECOM application: Keyman - HSM Keymanagement - Create
RSA Key Pair.
IMPORTANT: Always use the same (Master-) HSM to create new private keys. With
backup/restore you could then distribute them to your other HSMs. No partial, only complete
backup/restore of HSMs is possible!
Step 3: Create your Certification Request and send it to SIS
Now you have to place a certification request at SIS for your newly created key. With the order
form "428" you will receive a reference number and an authorization code from SIS. Enter this
information to Certman - SIS CA Operations - Export Certification Request to File >:
To export your certification request, select your key and press <Export>.
After the export, carefully check that the certification request corresponds to the right key hash,
and to the right reference number:
Also check the audit event log:
If everything is correct, then send your certification request (xy.crt) file via email to SIS
[email protected] to get their certification (see next step).
Step 4: Import the Certificate
Generally, you will receive the certificate as zip file via email on the same day. Save the unzipped
certificate in the directory $IBA_CERT/SIS CA/FromProxy/ and go to Certman - SIS CA Operations
- Import Certificate from File: Select your file and press <Import>.
The next window shows your imported certificate.
Notice that your old certificate must not be deleted before its end of validity.
After the successful import, it's time again to make a new backup of the HSM Key Partition, and to
distribute it to your other HSMs.
Additionally, the certificate has to be imported (as in step 4) on each other HSM.
Normally, during the overlapping period (time when both the old and the new certificate are valid),
the old certificate is used. Therefore, the new certificate will come into operation the day after the
validity end date of the old certificate. However, you can put it into operation earlier by deactivating
the key of the old certificate (see Case 42).
9.22 Case 42: Deactivation of a Key
Deactivation of a key allows marking on the IBASEC server (not on the HSM) that this key can no
longer be used. In contrast to deletion, the key could be reactivated later.
Deactivation works only for SECOM, but not for SIC and EURO !
Deactivation can be:
manual
automatic
The automatic deactivation is used only by SIS, and is not described here.
The manual deactivation can be used by the bank during the overlapping period of its old and new
SECOM certificate, to force the use of the new certificate. Here is the procedure:
Define an environment variable IBA_HANDLE_DEACTIVATE_KEYS and set it to the value "1".
On Unix, this is done by editing the file .cshrc.local in the home directory of the IBASEC user
(default: /opt/ibasec), and adding the line:
setenv IBA_HANDLE_DEACTIVATE_KEYS 1
On Windows, it is done by editing the registry (Start > Run > regedit) and adding the new key
IBA_HANDLE_DEACTIVATE_KEYS with value "1" to:
HKEY_LOCAL_MACHINE\Software\bbp\ibasec3
Then restart IBASEC.
Now deactivate the old SECOM Private Key (Keyman > Find > Free Search > Key > Deactivate
Key):
To see the new key status, refresh the window by leaving and re-entering it:
Finally check the audit event log:
9.23 Case 61: How to report a malfunction of IBASEC and/or the HSM
Description:
Whenever a malfunction of the IBASEC installation appears, it is in the majority of cases not
obvious in which part of the installation the source of the failure lies. Therefore the reporting to the
IBASEC support has to be comprehensive.
Prerequisite:
access to the IBASEC server with user "ibasec" (ssh or PuTTY)
Reference:
SIC/euroSIC User Manual
Access the IBASEC server (ssh or PuTTY):
Login as ibasec user and start the ibasecadmin program. Select diag
login as: ibasec
Using keyboard-interactive authentication.
Password:
Last login: Fri Dec 29 14:44:20 2006 from 62.2.194.99
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
ibasec@numenor 31 % ibasecadmin
--------------------------------------------------------
IBASEC ADMINISTRATION TOOLS
--------------------------------------------------------
addtcp      add a new interface
deltcp      delete an interface
diag        generate a report
gui         start ibasec GUI (require X11)
kill        kill ibasec
patch       install ibasec patch
purgekeys   purge key database
resetcat    reset user category database
start       start ibasec in text mode
Choice : [?,??,q]: diag
...
...
...
...file won't be protected.
Password ([enter] to skip password protection) :
12345678
Crypting file using supplied password ...
Don't forget to provide the password to the helpdesk.
14180148 -rw-r--r-- 1 ibasec ibasec 13907365 Dec 29 15:33 /tmp/ibasecdiag-numenor-20061229-153036.tar.gz.crypt
Press 'Enter' to continue.
After a few minutes the procedure has collected enough information to be analysed by the IBASEC
support.
The information file (/tmp/ibasecdiag-numenor-20061229-153036.tar.gz.crypt) can
be encrypted (optional, here with password 12345678), so you can send it by email to your
supporter.
An even more revealing procedure could be "ibasecdiag". But this program needs more knowledge
of the IBASEC installation and is therefore intended for the IT expert.
ibasec@numenor 46 % cd /opt/ibasec/prod/scripts
ibasec@numenor 47 % ibasecdiag
NAME
ibasecdiag : IBASEC diagnostic utility
SYNOPSIS
ibasecdiag
[ -help | -version | -history |
-short [ -dir full_path_dir -id "id" ] |
-full [ -dir full_path_dir -id "id" ] |
-live [ interval ] [ count ] ]
-help     : print full help
-version  : print the version of this utility
-history  : print history
-short    : generate a short report file
-full     : generate a full report
-live     : live monitor
-dir      : change the storage_directory where the report
            will be stored (/tmp by default)
-id       : specify a diagnostic id(alter report filename)
dir       : full path directory
id        : report file id
interval  : sampling interval in seconds (default is 1)
count     : number of times the statistics are repeated
            (default is infinite)
ibasec@numenor 48 %
Example of ibasecdiag usage: live monitoring at a 600-second (10-minute) interval, with the
output directed to a text file:
% ibasecdiag -live 600 | tee /tmp/ibasecdiag-live.txt
Set Flags for more Log information:
To get more information about the communication between the IBASEC server and the HSM, you can
switch on three different flags that produce three different text files in the var/log directory:

Windows Registry:
Start > Run > regedit > HKEY_LOCAL_MACHINE\Software\bbp\ibasec3

IBA_LOG_XML_ERR    1    to log XML requests with errors      HSM31_err.txt
IBA_LOG_XML_WARN   1    to log XML requests with warnings    HSM31_warn.txt
IBA_LOG_XML_DATA   1    to log all XML requests              HSM31_data.txt

The text files will be saved in the directory: c:\Program Files (x86)\Ibasec3\prod\var\Log

Solaris environment variables:
temporary setting:
setenv IBA_LOG_XML_ERR 1
setenv IBA_LOG_XML_WARN 1
setenv IBA_LOG_XML_DATA 1
The text files are saved in the directory $IBA_LOG
setenv IBA_SSHCMD_TRACE 1    (/opt/ibasec/sshcmd-<pid>.txt)
or set the variables in .cshrc for permanent application
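
IBA_LOG_XML_DATA logs all XML requests exchanged with the HSM, so once troubleshooting is finished it is worth confirming which of these flags are still on, either temporarily in the environment or permanently in .cshrc. The following check is an added example, not part of the IBASEC distribution; the function names are hypothetical, and treating only the value 1 as "on" is an assumption based on the settings shown above.

```shell
#!/bin/sh
# Added example, not part of the IBASEC distribution.
# Reports which of the trace flags named in the manual are switched on,
# either in the current environment (temporary setting) or in a csh
# start-up file such as .cshrc (permanent setting).
# Assumption: only the value 1, as shown in the manual, counts as "on".

IBA_TRACE_FLAGS="IBA_LOG_XML_ERR IBA_LOG_XML_WARN IBA_LOG_XML_DATA IBA_SSHCMD_TRACE"

# Print every flag that is set to 1 in the calling environment.
iba_trace_flags_in_env() {
    for flag in $IBA_TRACE_FLAGS; do
        eval "val=\${$flag:-}"
        if [ "$val" = "1" ]; then
            echo "$flag"
        fi
    done
}

# Print every flag that a csh start-up file leaves set to 1.
# Commented-out lines are ignored and the last setenv/unsetenv wins.
# Returns 2 if the file cannot be read.
iba_trace_flags_in_rc() {
    rc_file=$1
    [ -r "$rc_file" ] || return 2
    for flag in $IBA_TRACE_FLAGS; do
        awk -v f="$flag" '
            { sub(/#.*/, "") }                         # strip csh comments
            $1 == "setenv"   && $2 == f { v = $3 }     # flag assigned
            $1 == "unsetenv" && $2 == f { v = "" }     # flag removed again
            END { if (v == "1") print f }
        ' "$rc_file"
    done
}

# Stand-alone use: sh iba_trace_flags.sh ~/.cshrc
if [ "$#" -gt 0 ]; then
    echo "Flags on in environment:"
    iba_trace_flags_in_env
    echo "Flags on in $1:"
    iba_trace_flags_in_rc "$1"
fi
```

Run it as the ibasec user so that the environment and the .cshrc it inspects are the ones the server actually starts with.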
10 Audit Events and their Severities
Code | Description of the Error | Severity | Category
00001 | Printer error. Printing will be disabled | Error | System
00002 | Printing now again enabled | Information | System
00003 | Maintenance started | Information | System
00004 | Maintenance complete | Information | System
00005 | Entries purged from event database | Information | System
01000 | An IBASEC interface has opened | Information | System
01001 | An IBASEC interface has closed | Information | System
01002 | An IBASEC interface is in the error state | Warning | System
01003 | A session has been opened on an IBASEC interface | Information | System
01004 | A Session has been closed on an IBASEC interface. This can be for one of the following reasons: (1) A close session request was received from the application user. (2) The server has gone offline. All productive sessions are automatically closed if there are no HSMs currently accessible. (The server state is visible from the ‘SYSMAN Overview’ screen). (3) The session was closed by a user of the IBASEC User Interface. | Information | Security
01005 | There was an error opening a session on an IBASEC interface. This can be for one of the following reasons: (1) An internal system error occurred. (2) The Server Id in the request message does not match the Id of this server. (see the ‘SYSMAN Overview’ screen). (3) The application requested is unknown (see APPMAN) (4) The User-Id in the request message is unknown (see APPMAN) (5) The requesting User-Id is not allowed to use the application requested (see APPMAN). | Information | Security
01006 | A request has been received on the IBASEC interface to use a function which cannot be used with the application of the session. | Information | Security
01007 | This feature is not supported | Information | Security
01008 | Data sent to a session which does not exist | Information | Security
01009 | Production command sent over a test session | Information | Security
01018 | A verification request failed because the received and recalculated signatures did not match. | Alarm | Security
01019 | An EDIFACT message passed on an IBASEC session could not be parsed (i.e. there was a format error in the EDIFACT message). | Error | Security
01020 | An internal system error occurred in the IBASEC server | Error | System
01021 | A request to open an IBASEC session has been received from an application user who is not currently enabled. | Information | Security
01022 | An algorithm Id in a request message passed on the IBASEC interface is unknown. | Information | Security
01023 | A business partner Id (BP-Id) in a request message passed on the IBASEC interface is unknown (i.e. is not configured in BPMAN) | Information | Security
01024 | Wrong profile error – one or more of the cryptographic parameters in a message received from a Business Partner does not match the default parameters defined for the business partner in his default profile. | Error | Security
01025 | No Public Key could be found for the Business Partner. This is either a request to encrypt a message, or a request to verify a message. | Error | Security
01026 | No private key could be found for the Business Partner. This is either a request to sign a message or a request to decrypt a message. | Error | Security
01027 | No CA Public Key was available to verify a certificate. | Error | Security
01028 | Key not accessible – a key for the requested operation exists but is currently not accessible e.g. because the HSM containing it is not online. | Error | Security
01029 | IBASEC message error – an invalid filter parameter was passed. | Information | Security
01030 | IBASEC message error – an invalid character set parameter was passed. | Information | Security
01031 | IBASEC message error – the amount of application data passed was too short. | Information | Security
01032 | IBASEC message error – the amount of application data passed was too long | Information | Security
01033 | IBASEC message error – an invalid offset parameter was passed. | Information | Security
01034 | IBASEC message error – an invalid length parameter was passed. | Information | Security
01035 | IBASEC message error – the length of a signature passed with the message was incorrect. | Information | Security
01036 | IBASEC message error – the length of a trailer passed with the message was too long. | Information | Security
01037 | IBASEC message error – a date or time field contained a date or time with invalid format or value. | Information | Security
01038 | IBASEC message error – the length of an IV passed with the message was incorrect. | Information | Security
01039 | IBASEC message error – the length of a session key passed with the message was incorrect. | Information | Security
01040 | IBASEC TCP/IP Listener Error. The server is unable to listen for connection requests on an IBASEC interface. | Error | System
01041 | IBASEC TCP/IP or corba communications error. | Error | System
01042 | IBASEC TCP/IP or corba internal error. | Error | System
01043 | IBASEC Message Parsing error. A message received on an IBASEC interface could not be parsed. | Warning | System
01044 | Invalid cryptographic mode of operation specified | Information | Security
01045 | Invalid cryptographic algorithm specified | Information | Security
01050 | An application user has been added through the APPMAN module. | Information | Security
01051 | An application user has been modified through the APPMAN module. | Information | Security
01052 | An application user has been deleted through the APPMAN module. | Information | Security
01053 | An application user has been approved through the APPMAN module | Information | Security
01054 | An application user has been disabled through the APPMAN module | Information | Security
01055 | An application user has been enabled through the APPMAN module | Information | Security
01056 | A dummy request has been sent over a production session | Warning | Security
01060 | Invalid Message Length | Information | System
01061 | Unknown Continuation Flag | Information | System
01062 | Invalid Decimal | Information | System
01063 | Invalid Hex | Information | System
01080 | Error during PEM message parsing | Error | Security
01082 | Missing mandatory fields (PEM, EDIFACT, …) | Error | Security
01090 | Ibasec process listen Error | Error | System
01091 | Ibasec process communication Error | Error | System
01092 | Ibasec process internal error | Alarm | System
01093 | Too many session opened | Warning | System
01094 | System resource exceeded (memory, IPC, socket, …) | Alarm | System
01095 | New connection accepted | Information | System
01096 | IbasecListenerMaxSessionEvent | Error | System
01097 | Ibasec session not available | Information | System
01098 | Unknown ibasec session | Information | System
01110 | New BP added | Information | Security
01111 | BP modified | Information | Security
01112 | BP deleted | Information | Security
01120 | New profile added | Information | Security
01121 | Profile modified | Information | Security
01122 | Profile deleted | Information | Security
01123 | Profile Encrypt defaults IV modified | Information | Security
01124 | Profile Hash defaults IV modified | Information | Security
01200 | Error during internal message parsing | Warning | System
02000 | A startup of the IBASEC server has been requested. | Information | System
02001 | The System-State is now “ready” | Information | System
02002 | The System-State is now “online” | Information | System
02003 | The System-State is now “offline” | Information | System
02005 | The System-State is now “error” | Alarm | System
02006 | Process not found | Reserved | Reserved
02007 | One of the processes of the server failed to start | Information | System
02008 | One of the processes of the server is missing | Information | System
02009 | A shutdown of the server has been requested | Information | System
02010 | Software Update started | Reserved | Reserved
02011 | Software Update ended | Reserved | Reserved
02012 | Software Update failed | Reserved | Reserved
02013 | Backup started | Reserved | Reserved
02014 | Backup ended | Reserved | Reserved
02015 | Backup failed | Reserved | Reserved
02016 | Reload started | Reserved | Reserved
02017 | Reload ended | Reserved | Reserved
02018 | Reload failed | Reserved | Reserved
03000 | KRYPTO Interface (to HSM) closed. | Information | System
03001 | KRYPTO Interface connecting | Information | System
03002 | KRYPTO Interface online | Information | System
03003 | KRYPTO Interface offline | Information | System
03004 | KRYPTO Interface error | Warning | System
03005 | Fetching Keys from HSM | Information | System
03006 | GC Configuration modified | Information | System
03010 | Two HSMs disagree on a verification result (one fails and the other succeeds). This event belongs to the HSM that failed. | Warning | Security
03011 | Interface is locked (maybe too many wrong password series) | Alarm | Security
03012 | Interface is blocked | Alarm | Security
03013 | Interface in backup mode | Warning | Security
03014 | Interface initialized | Warning | Security
03015 | Interface inactive | Warning | Security
03016 | Interface in manufacturer state | Warning | Security
03017 | Interface cache refreshing | Information | Security
03017 | Interface cache refreshed | Information | Security
03018 | Maintenance started | Information | Security
03019 | Maintenance completed | Information | Security
03020 | Maintenance ended with error | Warning | Security
03021 | Appliance Software installation started | Information | Security
03022 | Appliance Software installation completed | Information | Security
03023 | Appliance Software installation ended with error | Warning | Security
03024 | Appliance Software uninstallation started | Information | Security
03025 | Appliance Software uninstallation completed | Information | Security
03026 | Appliance Software uninstallation ended with error | Warning | Security
03027 | Running an HSM Job | Information | Security
03028 | Fail to run an HSM Job | Error | Security
03029 | Luna PED operation required (probably a PED key) | Information | Security
03101 | Key added to KEYMAN database | Information | Security
03102 | Key purged from KEYMAN database | Information | Security
03103 | A private key has been marked as deleted in the KEYMAN database | Information | Security
03104 | A Public Key has been marked as deleted in the KEYMAN database | Information | Security
03105 | A Public Key has been marked as unloaded in the KEYMAN database | Information | Security
03106 | A Public Key has been marked as active (loaded and available for use), in the KEYMAN database | Information | Security
03107 | Public key added to Keyman Database | Information | Security
03108 | Public key removed from Keyman Database | Information | Security
03109 | Private key removed from Keyman Database | Information | Security
03120 | A Public Key has been loaded into an HSM | Information | Security
03121 | A Public Key has been deleted from an HSM | Information | Security
03122 | A private key has been deleted from an HSM | Information | Security
03123 | Automatic key distribution has been started | Information | Security
03124 | Automatic key distribution has ended | Information | Security
03125 | Configuration of distribution priority weights has been corrected | Warning | System
03126 | Public key successfully imported | Information | System
03127 | Importing public key failed | Warning | System
03128 | Public key successfully exported | Information | System
03129 | Not-used BP added | Information | Security
03130 | Not-used BP could not be added | Error | Security
03131 | A public key has been activated | Information | Security
03132 | A private key has been activated | Information | Security
03133 | A public key has been deactivated | Information | Security
03134 | A private key has been deactivated | Information | Security
03135 | Test/Not Used change has been completed | Information | Security
03136 | Certificate successfully exported | Information | System
03137 | Cannot open event port | Error | System
03137 | Importing public key failed | Warning | System
03138 | Certificate successfully imported | Information | System
03139 | CA Id unknown | Warning | System
03140 | Certificate not found | Warning | System
03141 | File creation error | Warning | System
03142 | File exists | Warning | System
03143 | Invalid Certificate | Warning | System
03144 | Public Key for that certificate is already loaded | Warning | System
03145 | Root Key not loaded. Try 'Init CA' first | Warning | System
03146 | The certificate is not valid | Warning | System
03147 | The certificate is already in the database | Warning | System
03148 | certificate file not found | Warning | System
03149 | Invalid Certificate file | Warning | System
03150 | Certificate successfully deleted | Warning | System
03151 | No certificate found | Warning | System
03152 | Copy to restore directory failed | Warning | System
03153 | Certificate file could deleted | Warning | System
03154 | Invalid certificate application | Warning | System
03155 | Delete key request performed via the GUI | Warning | System
03156 | Load key request performed via the GUI | Warning | System
03157 | Purge key request performed via the GUI | Warning | System
03200 | A Public Key could not be fetched from an HSM because no valid Local Certification key exists in the HSM | Warning | System
03201 | A Public Key could not be loaded into an HSM because no valid Local Certification key exists in the HSM | Warning | System
03202 | A key has been ignored because the HSM is not configured to use this application | Warning | Security
03203 | CA certificate not found for the belonging CA | Warning | Security
03204 | CA certificate not in one HSM | Warning | Security
03205 | Certificate will be ignored because of the serial number in bpman | Warning | Security
03206 | HSM reports error aborted | Warning | Security
03207 | HSM reports invalid certificate | Warning | Security
03208 | HSM reports public memory full | Warning | Security
03209 | HSM reports error exception | Warning | Security
03210 | Certificate imported | Information | Security
03211 | Invalid Certificate | Warning | Security
03212 | Public key already loaded | Warning | Security
03213 | HSM is offline | Warning | Security
03214 | No key for PKI application was found | Warning | Security
03215 | No key for LOCERT application was found | Warning | Security
03216 | Please check if the CA key is loaded in the HSM | Warning | Security
03217 | The key to be certificated was not found | Warning | Security
03218 | The encoding of the certification request info failed | Warning | Security
03219 | The encoding of the certification request failed | Warning | Security
03220 | Generation of certification request was successful | Information | Security
03221 | Private key not found | Warning | Security
03222 | Public key not found | Warning | Security
03223 | Distribution stopped because key is not productive | Information | Security
03224 | Distribution stopped because key is already in all HSMs | Information | Security
03225 | Distribution stopped because key is loaded in enough HSM | Information | Security
03226 | Distribution stopped because an HSM exception | Information | Security
03227 | Invalid public X509 certificate | Information | Security
03228 | Invalid private X509 certificate | Information | Security
03229 | Missing X509 certificate | Information | Security
03230 | HSM Internal error | Information | Security
04000 | A user has logged into the server | Information | Security
04001 | A user has logged out of the server | Information | Security
04002 | A user login has failed | Information | Security
04003 | A user account has been automatically disabled | Information | Security
04004 | A new user account has been added | Information | Security
04005 | A user account has been modified | Information | Security
04006 | A user account has been deleted | Information | Security
04007 | A user account has been enabled | Information | Security
04008 | A user account has been disabled | Information | Security
04009 | A user account has been approved | Information | Security
04010 | A user’s password has been changed | Information | Security
04011 | A user’s account was auto re-enabled after some seconds | Information | Security
04012 | User login failed: user disabled | Information | Security
04013 | User login failed: max days reached | Alarm | Security
04014 | User login failed: max uses reached | Alarm | Security
09000 | CA Scheduler started | Information | Security
09001 | Key certification successful | Information | Security
09002 | Key certification failed | Information | Security
09003 | No LDAP profile defined | Information | Security
09004 | Too many LDAP profile defined | Information | Security
09006 | CAAuditSystemHTMLEvent | Information | Security
09007 | No SOAP profile defined | Reserved | Security
09008 | Too many SOAP profile defined | Reserved | Security
09009 | CA Access File test successful | Information | Security
09010 | CA Access File test failed | Information | Security
09011 | SOAP ping facility successful | Reserved | Security
09012 | LDAP ping facility successful | Reserved | Security
09013 | CA ping facility successful | Information | Security
09014 | CMP ping facility successful | Information | Security
09015 | KRYPTOAuditSystemSetRemoteEvent | Information | Security
09016 | No private key found for CA certification | Information | Security
09017 | No public key found for CA certification | Information | Security
09018 | Change CA scheduler time | Information | Security
09019 | Corba exception received during CA operations | Error | Security
09020 | Missing certification request | Information | Security
09021 | Cannot connect to web connector | Information | Security
09022 | LDAP ping successful | Information | Security
09023 | LDAP ping failed | Error | Security
09024 | SOAP ping successful | Information | Security
09025 | SOAP ping unsuccessful | Information | Security
09100 | LDAP ping successful | Information | Security
09101 | LDAP ping unsuccessful | Information | Security
09102 | CAAuditSystemSOAPSuccessfulEvent | Reserved | Reserved
09103 | CAAuditSystemSOAPFailedEvent | Reserved | Reserved
09104 | Invalid certification parameters | Information | Security
09105 | New certification request created | Information | Security
09106 | CAAuditSystemExportCertificationEvent | Reserved | Reserved
09107 | Cannot export file : file already exists | Information | Security
09108 | Cannot export file : error during writing | Information | Security
09109 | Unhandled exception during CA operations | Error | Security
09110 | Certification request fetched from SOAP connection | Information | Security
09111 | Cannot send certification request : certificate already exists | Error | Security
09112 | Invalid Certification format detected | Information | Security
09113 | Missing ‘BeginCertificate’ field on certification request | Information | Security
09114 | Fail to read certification request file | Information | Security
09115 | Line too big in certification request | Information | Security
09116 | Certification request file does not exist | Information | Security
09117 | Attempt to load a key from an invalid certificate | Alarm | Security
09118 | Attempt to use a non existing keyrollover rule | Alarm | Security
09119 | Unhandled exception during certification request process | Information | Security
09120 | Key loaded from certificate | Information | Security
09121 | Cannot perform this CA operation via file access | Information | Security
09122 | Cannot perform this CA operation via LDAP access | Information | Security
09123 | Missing proxy BP | Information | Security
09124 | SOAP request failed | Information | Security
09124 | Processing of key certificate completed | Information | Security
09125 | Cannot perform a key certification request : all resources are busy | Alarm | Security
09126 | No such key rollover rules found | Error | Security
09127 | CAInvalidRequestEvent | Reserved | Reserved
09128 | Key successfully loaded | Information | Security
09129 | Unknown BP found during CA operation | Information | Security
09130 | Cannot retrieve certification request | Error | Security
09131 | Too many certification request | Error | Security
09132 | Communication to webconnector failed | Error | Security
09133 | Timeout received during LDAP operation | Error | Security
09134 | Certification parameter displayed on the screen (GUI) | Information | Security