ADYTON Reference Guide

Legal disclaimer and copyrights
The information in this document is subject to change without notice and shall not be construed as a
commitment by Atos Worldline S.A./N.V. (“Worldline”).
The content of this document, including but not limited to trademarks, designs, logos, text, images, is
the property of Worldline and is protected by the Belgian Act of 30.06.1994 related to author’s rights and
by the other applicable Acts.
The word ADYTON and other trademarks used in this document are the property of Worldline. Worldline
trademarks used in this document are indicated. Linux is a registered trademark of Linus Torvalds, Java
is a registered trademark of Sun Microsystems Inc. and ARM is a registered trademark of ARM Limited.
The contents of this document can be reproduced by or on behalf of third parties with the prior written
consent of Worldline and following its instructions. Worldline accepts no responsibility for errors and
omissions introduced when translating or reworking this document.
Except with respect to the limited licence to download and print certain material from this document for
non-commercial and personal use only, nothing contained in this document shall grant any licence or
right to use any of Worldline's proprietary material.
While Worldline has made every attempt to ensure that the information contained in this document is
correct, Worldline does not provide any legal or commercial warranty on the document that is described
in this specification. The technology is thus provided “as is” without warranties of any kind, expressed
or implied, including those of merchantability and fitness for a particular purpose. Worldline does not
warrant or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of
any information, product or processes disclosed.
To the fullest extent permitted under applicable law, neither Worldline nor its affiliates, directors,
employees and agents shall be liable to any party for any damages that might result from the use of the
technology as described in this document (including without limitation direct, indirect, incidental, special,
consequential and punitive damages, lost profits).
These terms shall be governed by and construed in accordance with the laws of Belgium. You
irrevocably consent to the jurisdiction of the courts located in Brussels for any action arising from or
related to the use of this document.
Document information
document title: ADYTON reference guide
security: unrestricted
last modified: 24 September 2014
owner: Filip Demaertelaere
author: Niels Grundtvig Nielsen
product version: 1.0
document release: 3.41
© Worldline 2013, 2014
Contents
Introduction ... 1
  Design ... 1
  What’s new in this version ... 2
  Change log ... 2
ADYTON overview ... 5
  ADYTON rack ... 7
  Accessories ... 8
    Chip card ... 8
    For standalone installation ... 8
    Cables for rack installation ... 8
    USB stick (not included) ... 8
User roles ... 9
  Administrator ... 9
  Security Officer ... 9
  Key custodian ... 10
Interfaces ... 11
  Display ... 11
  Keypad ... 13
  Authentication devices ... 14
Installing and setting up ADYTON ... 15
  Standalone or rack-mounted ... 15
  Power up ... 15
  Insert ADYTON in rack ... 16
    Remove ADYTON from rack ... 16
  Initial configuration ... 17
Operating ADYTON ... 21
  Logging on ... 21
  Logging off ... 21
  Screensaver mode ... 21
  Reboots and availability ... 22
  Filter ... 23
  Audit trail ... 24
  Warnings ... 25
Network services ... 27
Specifications ... 29
  ADYTON module ... 29
  Rack ... 30
  Interfaces (ADYTON and rack) ... 30
  Certification and compliance ... 31
Menu tree ... 33
  Keys ... 34
  Users ... 36
  Device ... 37
  Network ... 38
  Status ... 39
  Update ... 40
    Downtime during reboot ... 40
Appendix A. Working with the audit trail ... 41
  Reading the audit trail ... 42
  Verifying the audit trail ... 43
Appendix B. Editing and updating the licence ... 45
  Editing ... 46
  Updating a licence ... 47
Appendix C. Configuring an SSL connection ... 49
Appendix D. Custody procedures and secure transport ... 51
  Secure transport ... 51
Appendix E. ADYTON MIB files ... 53
  Key information ... 53
  Keyset footprint ... 53
  Software footprint ... 54
  Performance ... 54
  SNMP Trap ... 54
Introduction
Secure data transaction systems – including token generation, transaction processing,
digital signatures, data protection – rely on a fast and powerful Hardware Security
Module (encryption device). The ADYTON from Worldline offers a revolutionary solution,
with a radically new hardware-based cryptographic accelerator providing unprecedented
security, speed and user-friendliness.
ADYTON adds a new dimension to overall security by including three authentication
methods: fingerprint, chip-card and password, all easily accessible at the front of the
device. ADYTON guarantees dual control for Administrators and Security Officers.
Meeting all current international standards, ADYTON is also ready to match future
regulatory requirements.
Design
The styling combines fashion and functional perfection – it is the product of ingenious
minds. The aluminium housing removes the need for active cooling such as a fan,
meaning a lower energy footprint, lower noise and higher reliability. The design includes
capacitive keys with distinct illumination, a fingerprint-reader, chip-card-reader, USB
connectors and a high-resolution colour display.
With the robust guide rails on each side, ADYTON easily slides into the ADYTON Rack
frame for simple, secure installation in IT-cabinets. This particular rack features two
physical locks, covered mounting holes, two hot-swappable power supplies and 1-gigabit
LAN connectors.
The design quality of the ADYTON has been recognised by awards including:
• red dot design award 2012: the red dot is acknowledged as the seal of quality for exceptional
  product design.
• iF award 2013: the iF product design award has been an internationally recognized label for
  award-winning design for 60 years, a symbol for outstanding design.
What’s new in this version
When a generated key is shared between key custodians, a timestamp now provides an
additional level of verification. See Key custodian, on page 10.
Audit verification has been simplified. See Working with the audit trail, on page 41. The
Audit trail now includes:
• information on all failed user authentication attempts
• every cloning operation
Option 4 View configuration from the Network menu now displays additional information
on SSL authentication failures. See page 38.
Option 7 from the Status menu has been renamed 7 Footprints, and displays an
additional software version checksum. See page 39.
The ADYTON now supports SSL connections on port 4002; see Network services, on
page 27. When using an SSL connection on this port, all exchanges between the
ADYTON and the client are authenticated and may also be encrypted. You can also
select one of three security levels. See Configuring an SSL connection, on page 49.
Information about data elements used by SNMP is now included in ADYTON MIB files,
on page 53. Some extra features have been added to the SNMP functions.
An OID for performance is now provided. See Performance, on page 54.
Changes/updates in this version are highlighted in green and with a change bar.
Significant deletions are struck through in grey.
Change log
document release 3.2
• Initial configuration now lets you update software, licences or both; see Step 6.
  Update software, on page 19.
• New options for exporting symmetric keys are described under Keys, on page 34.
• The menu options 1 Push configuration and 2 Pull configuration have been renamed,
  though the functionality remains unchanged: see Update, on page 40.
• Licence files now include a fixed flag for key-tables: see Editing and updating the
  licence, on page 45, which also includes a whitelist of flags that may be changed.
document release 3.1
• More information about how to read an audit trail is included under Reading the
  audit trail, on page 42.
• Information on firewall settings for using network services is in Ports and services,
  on page 27.
document release 3.0
Access to cryptographic services is now licence-based. Each ADYTON licence
specifies the list of available services, and the System Administrator can restrict
availability by turning off one or more services in the list. See Appendix B.
Editing and updating the licence, on page 45, for more information.
document release 2.1
Version 2.1 includes a new menu option to activate/deactivate SNMP traps.
ADYTON overview
The ADYTON front panel integrates a high-resolution colour display, a touch-sensitive
keypad, a USB port, a fingerprint reader and a chip-card reader. For more information on
the keypad, including the shift/shortcut functions, see Keypad, on page 13.
Figure 1. Front panel
Power and networking connectors are easily accessible whether the ADYTON is used
standalone or rack-mounted.
Clearly visible security stickers let you check the integrity of the unit before mounting it
in a rack.
Figure 2. Connectors and security stickers
1 Tamper-evident, holographic sticker (second sticker on underside of ADYTON)
2 anti-removal lug
3 power supply socket
4 1Gb Ethernet connection
5 USB B (device) connection
6 ADYTON rack interface
7 Kensington lock point
There are two tamper-evident stickers (see Figure 2. Connectors and security stickers,
on page 6) on every ADYTON. Every sticker has its own unique security number, and
uses an extensive range of holographic techniques including:
• microtext (for example, the word GENUINE on the crossbar of the A of Atos)
• 3D and lens effects
• rainbow colours that change with the viewing angle
The stickers are also printed on a special backing, so that any attempt to peel them off
or re-use them leaves a visible tear.
ADYTON rack
The 19” rack was specifically designed to reach a high security level and fit in standard
IT cabinets. The lockable security clips (each with its own key) to either side hold the
ADYTON securely in place thanks to its integrated anti-removal lugs. Closed, the
security clips hide the fixation points, front plate screws and rack fixing screws. The USB
connector on the ADYTON remains available.
Figure 3. ADYTON rack with ADYTON – front view, security clips open
Figure 4. ADYTON rack – back view
1 two 1 Gigabit Ethernet connectors
  Note: Ethernet IP1 connector is positioned to the RIGHT of Ethernet IP2 connector.
2 two power connectors for redundant, hot-swappable 12V power supply; ADYTON is
  immediately powered up when inserted into the rack.
To remove a power connector, push the locking lever to the right and pull the connector
from its socket.
Accessories
ADYTON chip cards and cables are available as accessories.
Chip card
Figure 5. Chip card
Chip cards are used for
• user authentication
• storing key components
You are recommended to use separate chip cards for user authentication and storage.
Every chip card has a unique serial number.
For standalone installation
• 1x power adaptor (Mean Well, model no. GS60A12)
• input: 100-240VAC, 50/60Hz, 1.4A
• output: 12V, 5.0 A, max. 60W
Cables for rack installation
2 x power cords with IEC 60320 C14 power plugs
USB stick (not included)
ADYTON supports standard USB sticks formatted as FAT16 and FAT32.
User roles
ADYTON works with only two user roles: Administrators and Security Officers. The
minimum requirement is to have two Administrators and two Security Officers (A and B;
one per group) enrolled in ADYTON.
Dual authentication is required for most operations, but there are also some freely
accessible functions such as view settings or performance. When dual authentication is
required, the wizards will indicate which user role has to log on.
We recommend enrolling more than two users in each group, to make sure back-ups are
available.
Administrator
The Administrator role is used to enrol users (but not security officers) and perform
configuration tasks. Administrators are grouped together in one single group, indicated
by the icon in the title bar. The title bar also shows the number of logged on
Administrators (0-n).
After two administrators have logged on, tasks that require dual authentication can be
performed without entering the credentials again. The same person may be enrolled both
as an Administrator and as a Security Officer, but must set up different accounts (with
different user names, fingerprints and chip cards) for each role.
The Administrator is also responsible for managing the audit trail; see Audit trail, on
page 24.
While the ADYTON is being configured, the first two administrator accounts can be set
up without logging on. After this, additional administrators can only be enrolled with two
administrators logged on.
Security Officer
The Security Officer role is used for all key management tasks. Security Officer users are
divided into group A and B, indicated by the two icons in the title bar. The icon on the left
refers to Security Officers A and the icon on the right to Security Officers B. The number
of users logged on is indicated in the icons (0-n).
Dual authentication means that at least one Security Officer from each group has to be
logged on.
It is mandatory to use two different security officers (one for each group) to guarantee
dual control. The same individual may be enrolled both as an Administrator and as a
Security Officer, but must set up different accounts (with different user names) for each
role.
While the ADYTON is being configured, the first two security officer accounts can be set
up without logging on. After this, additional security officers can only be enrolled with two
security officers logged on; at least one of them must belong to the same group as the
new security officer.
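The enrolment and dual-control rules stated in the Administrator and Security Officer sections, written out as a checkable model. This is an added example, not Worldline code: the role and group names follow the guide, while Session and its method names are this example's own.

```python
"""Dual-control rules from the ADYTON User roles section, as a checkable model.

Added illustration, not Worldline code. Role and group names follow the
guide; Session and its methods are this example's own names.
"""
from dataclasses import dataclass, field

ADMIN = "Administrator"
SO_A = "Security Officer A"
SO_B = "Security Officer B"
ROLES = (ADMIN, SO_A, SO_B)


@dataclass
class Session:
    """Who is logged on, per role/group, plus the initialisation-wizard flag."""
    logged_on: dict = field(default_factory=lambda: {r: set() for r in ROLES})
    # During the initialisation wizard the first accounts are created
    # without anyone being logged on.
    initialising: bool = True

    def log_on(self, user: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.logged_on[role].add(user)

    def log_off_all(self) -> None:
        """Screensaver mode (15 min idle) and reboots log every user off."""
        for users in self.logged_on.values():
            users.clear()

    def admin_dual_control(self) -> bool:
        """Configuration tasks need two Administrators logged on."""
        return len(self.logged_on[ADMIN]) >= 2

    def so_dual_control(self) -> bool:
        """Key management needs at least one Security Officer from each group."""
        return bool(self.logged_on[SO_A]) and bool(self.logged_on[SO_B])

    def can_enrol(self, role: str, enrolled: dict) -> bool:
        """May an account of `role` be enrolled now?

        `enrolled` maps role -> number of accounts already enrolled.
        Administrators: the first two need no logon during initialisation;
        afterwards two Administrators must be logged on.
        Security Officers: the first officer of each group needs no logon
        during initialisation; afterwards two officers must be logged on,
        at least one of them in the new officer's group.
        """
        if role == ADMIN:
            if self.initialising and enrolled.get(ADMIN, 0) < 2:
                return True
            return self.admin_dual_control()
        if role not in (SO_A, SO_B):
            raise ValueError(f"unknown role {role!r}")
        if self.initialising and enrolled.get(role, 0) == 0:
            return True
        so_logged_on = len(self.logged_on[SO_A]) + len(self.logged_on[SO_B])
        return so_logged_on >= 2 and bool(self.logged_on[role])


if __name__ == "__main__":
    s = Session()
    s.log_on("admin-1", ADMIN)
    s.log_on("admin-2", ADMIN)
    s.log_on("so-a-1", SO_A)
    print("admin dual control:", s.admin_dual_control())  # True
    print("SO dual control:", s.so_dual_control())        # False: nobody from group B
```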
Key custodian
Key custodians are responsible for key components, including their secure storage.
Their intervention is required when importing cleartext key components (Load Key) or
exporting cleartext key components (Output Key).
Keys are either encrypted or split into two/three components before being handed to key
custodians. When keys are split correctly in a single operation, the same timestamp is
displayed at the start and end of the operation. Each custodian is responsible for only
one component of any key.
Key Custodians do not normally need to be enrolled in ADYTON, though customer
procedures may make it a requirement. They operate under the control of the Security
Officers (dual control).
Interfaces
Thanks to its well-designed interfaces, using ADYTON is as simple as using a smartphone.
• wizards guide the user through each menu
• menu titles and short menu trees help you navigate through the menus
• icons show the available functions corresponding to a key on the keypad
• authentication devices are easily accessible and work very fast
Display
ADYTON uses a high-resolution LCD colour display and a consistent structure for menu
screens.
Figure 6. Display
The display is NOT a touch screen.
title bar
The title bar contains the title of the active menu, and shows which users are
logged on. They are identified by icons on the right-hand end of the title bar.
Icons on the left-hand end of the title bar identify the active menu; there is more
information on menu icons under Menu tree, on page 33.
Table 1 Title bar icons (icon images not reproduced)
Administrators icon – the number shows how many administrators are logged on.
Security Officers icons – Left: Security Officer A; Right: Security Officer B. The numbers
show how many security officers are logged on in each group.
main window
To navigate through the main window use the cursors, shortcut keys or the Back
command. To confirm a selection, touch OK.
function bar
The function bar shows icons for the available functions. Touch the
corresponding key or follow the on-screen instructions to perform the function.
Table 2 Function bar icons (icon images not reproduced)
• Back to main menu. All other shortcuts are also available when this icon is shown.
• OK key
• previous page / one step back
• left/right cursor (for example, to scroll through keys)
• up/down cursor
• alphabetic input, lower case (ASCII keys)
• alphabetic input, upper case (ASCII keys)
• numeric input (ASCII keys)
• hexadecimal input (HEX and numeric keys available)
• insert ADYTON chip card
• remove ADYTON chip card
• place finger on fingerprint reader
• insert USB device
• remove USB device
Keypad
The ADYTON touch-sensitive keypad is made up of:
• alphanumeric keys (phone-style)
• HEX keys, also used as shortcut keys
• cursor keys
• Shift / Shortcut key
• backspace / Back key
• OK key (also for use with checkboxes)
Figure 7. Keypad
Touch Shift/Shortcut to:
• enter an upper-case letter from the alphanumeric keys
• use a shortcut function (shown in blue) from the HEX keys
The Shift/Shortcut key changes from white to blue. After you enter an upper-case
letter or touch a shortcut key, the Shift/Shortcut key changes back to white.
The following shortcuts are available.
Table 3 Shortcut keys
normal | shifted | description
A | Log off (Exit) | Log off users. The Log off menu opens.
B | Information | Open the General Information menu and view serial number, owner name,
  firmware and package name.
C | Main Menu | Back to the main menu.
D | View Keys | Display the list of security keys currently loaded.
Table 3 Shortcut keys (continued)
normal | shifted | description
E | Network | View the network configuration.
F | Performance | View the current performance values (for example, commands, used
  capacity).
Back | | Go back one page / one step.
OK | Select | Select a radio button; select/clear a checkbox.
Authentication devices
ADYTON offers three authentication devices on the front panel:
• Fingerprint reader
  The thumbprint is probably the most convenient. When enrolling a user, ADYTON will
  need several passes to read the print completely. Do not change fingers while
  registering a fingerprint!
  Local legislation may restrict the use of biometric data.
• Chip-card reader
  Insert the card with the chip facing to the left.
• ASCII keypad
  Users can enter case-sensitive passwords on the keypad.
Note: When enrolling a user you have to define all three authentication tokens. For
logging on later, the user only needs to use two of them.
Installing and setting up ADYTON
To meet PCI SSC requirements for secure transport of cryptographic devices, you must
work with clear procedures that guarantee the chain of custody at all times. An overview
(and a link to the detailed PCI SSC requirements) is included in Custody procedures and
secure transport, on page 51.
Standalone or rack-mounted
ADYTON can be operated as a standalone device on a desktop, or integrated into IT cabinets
with the ADYTON Rack.
Table 4 Characteristics
standalone | rack-mounted
Touch the power button to switch on ADYTON | ADYTON automatically switched on
one 1Gb Ethernet | two 1Gb Ethernet
power supply via separate 12V adaptor | two hot-swappable power supplies (redundant)
USB device connector on the side of the module | USB device connector on the front of the rack
Power up
To power up ADYTON in standalone configuration:
1. plug the power supply cable from the adaptor into the power supply socket on
ADYTON
2. connect the adaptor to a mains power socket
3. touch the power button on the front panel
In rack configuration, ADYTON is powered instantaneously when fully inserted into the
rack.
Insert ADYTON in rack
ADYTON has two guide rails on each side for installing the device in the ADYTON rack.
To insert ADYTON into the rack:
1. open the rack doors fully
2. carefully slide the ADYTON into the rack
3. connect the two redundant power supplies
You can also connect the power supplies before inserting the ADYTON into the
rack.
4. close and lock the doors
Remove ADYTON from rack
To remove ADYTON from the rack:
1. unlock and open the rack doors
2. carefully slide the ADYTON out of the rack
3. close the doors
Initial configuration
At the first power up, ADYTON will start the initialisation wizard, which will guide you
through the process. The initialisation status is indicated by the Wizard icon in the title
bar.
The first three screens in the initialisation process are:
• Welcome screen
  From any point in the wizard you can go back to this screen by touching Shift/Shortcuts
  and then the Main menu shortcut.
• General Information screen
  Displays the serial number, owner name, firmware and installed package. You cannot
  modify this information, but it may be used for audit purposes (serial number, version).
• ADYTON name screen
  Enter a name with the ASCII keys. Use the Shift key for upper case. The setting is
  displayed in the function bar by ABC or abc.
If you make a mistake during initialisation, touch Shift/Shortcuts and then the Main menu
shortcut to go back to the Welcome screen and start again. Any information you had
already entered will be discarded. You cannot go back one step.
If you reboot during the initialisation, ADYTON will go to the step where you rebooted.
After the first three screens the initialisation wizard guides you through the six steps of
the initial configuration.
Note: after you configure the network connection or connections, you can complete
the ADYTON configuration manually or duplicate the configuration of another
ADYTON.
Step 1. Configure network connection
Prepare the following information: IP-address, Subnet Mask and Gateway.
• Standalone
  In standalone configuration there is only one Ethernet connector available. The wizard
  will only guide you through the setup of IP1. When placed in an ADYTON rack, ADYTON
  will ask you for the IP2 configuration after starting up.
• Rack configuration
  In the rack, ADYTON can use two Ethernet connections (IP1 and IP2). The wizard guides
  you through the setup of IP1 and IP2.
Using the network services provided by ADYTON requires access to a number of
different ports. See Network services, on page 27.
You can now select:
• 1 Manually, to configure the ADYTON manually by continuing with steps 2 to 6
• 2 Cloning from master, to duplicate the configuration of another ADYTON as described
  under 2 Pull cloning, on page 40.
Step 2. Enroll user (Administrators)
In this step the wizard asks you to enroll at least two administrators. For each
administrator, you need:
• an ADYTON chip card
• an individual who will record a fingerprint and define a password
Use at least two different people, to guarantee dual control.
Step 3. Configure date/time
In this step the wizard prompts you to select the time zone before you set the time and
date.
• Select the time zone and touch OK.
  Use the ASCII keys to select a city/country. You can use the cursor keys to scroll
  through the list, or enter all or part of the name with the alphanumeric keys. The list
  is refreshed each time you add a letter, to show the nearest match.
• Use the ASCII keys to enter the date and time, then touch OK.
Step 4. Enroll user (Security Officers)
In this step the wizard asks you to enroll at least two different security officers. You need:
• two ADYTON chip cards
• two security officers – each of them will record a fingerprint and define a password
It is mandatory to use two different security officers (one for group A and group B)
to guarantee dual control.
Step 5. Load key
In this step the wizard asks you if you want to load a key (Yes or No). If you select Yes,
you have to select the key usage, put in a key name and enter the key components.
Step 6. Update software
The wizard asks you if you want to update the software (Yes or No), the licence, or both.
If you select Yes for either update, be ready to insert the USB storage device with the
updates.
See also Configuring an SSL connection, on page 49.
Operating ADYTON
Logging on
Users only need to log on to ADYTON when prompted. Since most operations require
dual authentication, people with the right roles should be present. Logging on requires
two of the three authentication tokens:
• chip card
• fingerprint
• password
Logging off
There are three ways to log off users:
• open the User management menu and select 5 Log off users; then select the corresponding user and touch OK to confirm
• use the shortcut to go directly to the Log off menu
• wait 15 minutes until ADYTON switches into screensaver mode, where ALL users will be logged off automatically
Users are also logged off automatically when the ADYTON reboots; see Reboots
and availability, on page 22.
Screensaver mode
15 minutes after the last input, ADYTON switches into screensaver mode:
• display is OFF
• keypad illumination is OFF
• users are LOGGED OFF automatically
• the power LED (green) remains ON
To return to normal mode, tap anywhere on the keypad or touch the power button.
Reboots and availability
While operating ADYTON, the device remains available for all cryptographic services
accessed by the Ethernet ports (host communication). The exception is when the device
needs to be rebooted due to a software upgrade: while rebooting, the host needs to set
up the ADYTON connection again.
Users are logged off automatically when the ADYTON reboots. They receive a warning
in advance before any operation that will require a reboot.
Example: a master ADYTON remains 100% available for cryptographic services while
it is being cloned. The slave ADYTON continues to deliver cryptographic services during
the cloning, unless the software version on the clone and master is different. In this case,
cryptographic services will be unavailable from the slave while it reboots at the end of the
cloning. When cloning involves a software update on the slave, the operator will be
warned about a reboot before starting the cloning.
Filter
The text entry field at the top of the screen is a filter with auto-complete. As you add
characters to the field, the filter redefines the list of options to show only words including
those characters.
Consider the following list of cities:
Amsterdam, Antwerp, Athens, Barcelona, Berlin, Bremen, Bristol, Brussels, Bucharest, Budapest, Cardiff, Copenhagen, Donetsk, Dublin, Frankfurt, Glasgow, Hamburg, Helsinki, Istanbul, Kiev, Melmby
• if you enter B, the list is refreshed to show Barcelona, Berlin, Bremen, Bristol…
• if you enter en, the list is refreshed to show Athens, Bremen, Copenhagen
You can then use the arrow keys to move the selection highlight up and down the list.
Audit trail
The audit trail is digitally signed by ADYTON to guarantee integrity and authenticity. It
contains a record of:
• every change to the configuration of the ADYTON
• every unsuccessful attempt at user authentication
• every cloning operation
It is not possible to deactivate this functionality.
The Administrator is warned when the audit trail buffer is 60% full. If the audit trail
reaches 90% full, ADYTON is restricted to Export audit trail.
Check the audit trail regularly. You can export the audit trail as a delimited text file and read it in a spreadsheet or a text editor:
• From the Device menu, select 4 Export audit trail
This function copies the complete audit trail to a USB device and resets the audit trail on ADYTON.
• From the Status menu, select 5 Audit trail
This function copies the complete audit trail to a USB device but does not reset the audit trail on ADYTON or clear the buffer. The screen shows how much of the audit trail buffer is occupied (in %).
Warnings
!
Read this section carefully before deleting administrators or security officers, reverting
the ADYTON to default settings, or using the Decommission option.
Remember that to continue normal operations, you need:
• at least two security officers, from different groups
• at least two administrators
Deleting security officers
– there must always be at least two security officers defined, one security officer from group A and one from group B
– if you delete the security officer from a group with only one member, all keys will be erased.
At the initial configuration, you define at least two security officers: one for group
A and one for group B. Key management operations always require dual
authentication by two security officers, from different groups. If one or other
group does not include a security officer, dual authentication is no longer
possible and ADYTON will erase all keys.
Deleting administrators
At the initial configuration, you define at least two administrators. As soon as
there is only one administrator defined, ADYTON restarts with the factory
default settings. All the configuration information you have entered is lost.
Decommission
Use this option only at end-of-life, when you no longer require the ADYTON unit.
This option destroys all data, keys and software, and the ADYTON will no longer
boot up.
Back to default settings
Use this option only when you want to erase all data you have entered. This
option has no effect on software upgrades.
After resetting the ADYTON, you will need to run the installation wizard again to
set up administrators and security officers.
Network services
Using the network services provided by ADYTON requires access to a number of
different ports. Make sure the ports for any service you want to use are not blocked by a
firewall.
Table 5 Ports and services
service                            protocol   port
cryptographic services (SSL)       SSL        4002
cryptographic services (TCP/IP)    TCP        4000
cryptographic services (http) *    TCP        8080
SNMP                               UDP        161
SNMP-trap                          UDP        162
cloning                            TCP        6000
* note that http access to cryptographic services may be disabled by the licence
cryptographic services (SSL)
These services are accessible through the network interface, using Transport
Layer Security (TLS) v1.2 with mutual authentication. Three different
configurations are supported, allowing an optimal balance between speed and
security.
– for more information on SSL security levels, see Configuring an SSL connection, on page 49
– for more information on TLS, see RFC 5246 at tools.ietf.org/html/rfc5246
cryptographic services (TCP/IP)
These services are accessible through the network interface using native TCP/
IP calls. See the ADYTON Software Documentation (delivered with every
ADYTON licence) for more information, in particular sections DS2 to DS5.
cryptographic services (http)
These services are intended for cryptographic operations on large amounts of
data processed in a single HTTP post, for example file encryption. See the
ADYTON Software Documentation (delivered with every ADYTON licence) for
more information, in particular the section HTTP.
SNMP and SNMP-trap
ADYTON supports version 3 of the Simple Network Management Protocol
(SNMP v3) for obtaining information using SNMP Get and SNMP Traps. Any
standard SNMP tool can be used with ADYTON, but the user name must always
be adyton – lower-case.
For a list of the data elements that can be retrieved, see ADYTON MIB files, on
page 53.
cloning
For information on cloning, see 1 Push cloning and 2 Pull cloning, on page 40.
Specifications
Table 6 DEP and ADYTON at a glance
                                             DEP         ADYTON
movement alarm                               yes         no
entry of backup key                          yes (DMK)   yes (DMK or ABK)
off-line mode                                yes         no (see note)
connection to port                           1000        4000
support for DCC cards                        yes         no
support for DCS cards                        yes         yes (reading only)
ADYTON chip card (stores key components)     no          yes
• A key backup created on a DEP can be restored on an ADYTON, but an ADYTON backup cannot be used on a DEP.
• ADYTON off-line mode: local operations have no impact on host connections, except when the ADYTON is rebooted after a software update. See also Reboots and availability, on page 22.
ADYTON module
general specifications
– tamper-evident, tamper-responsive and tamper-proof design
– around 7,000 digital RSA private key and over 10,000 symmetric key transactions per second
– host authentication through SSL (optional)
– colour display, fingerprint reader (FIPS 201), chip-card reader, USB-Host, HEX-keypad
– push/pull cloning
– dimensions: 24 cm wide x 7 cm high x 18.5 cm deep
– power supply 100-240 VAC, 50/60Hz, 1.4A
operating conditions
– operating temperature: 0°C – 35°C
– relative humidity: 10% – 90% (non-condensing)
communications
– USB device
– 1 gigabit LAN connector
basic cryptographic functions
– random generator (SP800-90)
– RSA (X9.31 key generation, encrypt/decrypt, sign/verify)
– ECC (key generation, encrypt/decrypt, sign/verify)
– (T)DES (encrypt/decrypt, MAC)
– AES (encrypt/decrypt, MAC)
– HMAC
– MD5, SHA1, SHA2, SHA256, SHA512
– X509
– All functions supported by OpenSSL Crypto Library (www.openssl.org)
Rack
The optional ADYTON rack further increases the reliability of the module, and makes it possible to hot-swap ADYTON.
• 19" rack for integration in standard IT cabinets – 2U high; actual measurements 48 cm wide x 8.8 cm high x 43 cm deep; weight ~15 kg
• 2 redundant hot-swappable power supplies (100-240 VAC, 47-63Hz, 1.5-1A)
• 2 redundant 1Gb Ethernet
• 2 physical locks (different keys) to prevent unauthorised removal of ADYTON
• USB device connector on front
Interfaces (ADYTON and rack)
• Dedicated API – for a list of the complete API, please contact your account manager
• PKCS #11
• JCE (Java Cryptographic Extension)
• EJBCA
• IAIK-JCE
• OpenSSL Engine
• SNMP
Certification and compliance
• FIPS 140-2 Level 3 certified
• Hardware FIPS 140-2 Level 4 certified
• FIPS 140-3 (draft) compliant
• Fingerprint reader FIPS 201 certified
• FCC and EC certified, ROHS compliant
Menu tree
If you are reading this document on-line, click on any command name to see related
access rights and brief notes.
Keys
1 Load key
2 Generate key
3 Delete key
4 View keys
5 Backup keys
6 Restore keys
7 Output key
Network
1 Configure IP1
2 Configure IP2
3 Configure SSL
4 View configuration
Users
1 Enroll user
2 View users
3 Modify user
4 Delete user
5 Log off users
Status
1 General information
2 Logged on users
3 Date/time
4 Licence
5 Audit trail
6 Performance
7 Footprints
Device
1 Set ADYTON name
2 Activate traces
3 Activate SNMP traps
4 Export audit trail
5 Set date/time
6 Back to default settings
7 Decommission ADYTON
Update
1 Push cloning
2 Pull cloning
3 Update licence
4 Update software
Keys
For recommendations on all aspects of key management, see the Payment Card
Industry (PCI) PIN Security Requirements. (online document)
1 Load key
ACCESS
Dual security officer
Key names are used to identify the key in the server commands.
– in DEP compatibility mode (DS2/DS3/DS4), certain restrictions apply. See the section “ADYTON key-name restrictions” of the software documentation.
– in DS5, key names are free text but must match the names used by the host application
2 Generate key
ACCESS
Dual security officer
3 Delete key
ACCESS
Dual security officer
4 View keys
ACCESS
No authentication required
– Select a key and touch [OK] to show details
– Scroll left/right to view details of the previous/next key.
– You can also use the shortcut to view the list of keys
5 Backup keys
ACCESS
Dual security officer or dual administrator
The ADYTON backup key is used to create a backup file containing all the keys.
– all keys in ADYTON are backed up: partial/selective backup is not possible
– it is not possible to make a backup protected by the DEP Master Key (DMK)
6 Restore keys
ACCESS
Dual security officer or dual administrator
Supports the restore of a key backup file (ADYTON or DEP)
– when restoring an ADYTON key backup file, use the same key name as used for the creation of the ADYTON key backup file. If keys are already present in ADYTON, the Restore operation will execute replace and add.
– when restoring a DEP key backup file, enter the correct value of the DEP Master Key (DMK TDES or DMK AES)
7 Output key
ACCESS
Key Custodian
Asymmetric keys can be exported as key cryptograms on a USB stick
Symmetric keys can be exported as:
– a single key cryptogram stored on an ADYTON chip card or USB stick
– two or three key components (plain text files) stored on separate ADYTON chip cards
Users
1 Enroll user
ACCESS
For initialisation: no authentication required.
Afterwards: Dual security officer or dual administrator
– The first two Administrator accounts can be created without any operator logon. Once two Administrator accounts are in the user account table, additional Administrators can only be enrolled under dual Administrator control.
– The first Security Officer Group A account and the first Security Officer Group B account can be created without any operator logon. Additional Security Officers can only be enrolled under dual Security Officer control. When at least one Security Officer from Group A and at least one Security Officer from Group B are logged on, all dual control Security Officer services are available.
When all the security officers logged on are from the same group, new security officers can only be enrolled in that group.
2 View users
ACCESS
No authentication required
To show user details, select the user and touch [OK]. Use the arrow keys to
scroll.
3 Modify user
ACCESS
The user in question must be authenticated
After authentication (using two tokens) is accepted, the user can update
password, fingerprint or chip card.
4 Delete user
ACCESS
No authentication required
To avoid a situation where a user cannot be deleted, no authentication is
required.
For more details see Warnings, on page 25.
5 Log off users
ACCESS
No authentication required
You can also use the shortcut
Device
1 Set ADYTON name
ACCESS
Dual administrator
2 Activate traces
ACCESS
Dual administrator
When traces are active, all host inputs and outputs (server commands) are logged in clear text, even on SSL connections. If this traffic contains confidential information (for example cardholder data in a PCI DSS environment), procedural measures must be in place to protect the trace data.
3 Activate SNMP traps
ACCESS
Dual administrator
Toggle between:
– Activate SNMP traps; you will need to specify the IP address of the trap receiver
– Deactivate SNMP traps
4 Export audit trail
ACCESS
Dual administrator
The export function copies the audit trail to a USB device as a delimited text file
you can read in a spreadsheet or a text editor, together with a digital signature
and certificate tree, and resets the audit trail on ADYTON. See Working with the
audit trail, on page 41, for additional information.
If the buffer for the audit trail reaches 90% only the Export audit trail function can
be performed.
5 Set date/time
ACCESS
Dual administrator
Daylight saving time is automatically applied
!
6 Back to default settings
ACCESS
No authentication required
Deletes all keys and user entered data, but has no effect on date/time settings
or software updates. For more details see Warnings, on page 25.
!
7 Decommission ADYTON
ACCESS
Dual administrator
Decommissioning may only be used for an end of life ADYTON. After
decommissioning, ADYTON will not boot any more.
Undoing this action involves huge costs, due to hardware intervention in a repair
environment. For more details see Warnings, on page 25.
Network
1 Configure IP1
ACCESS
No authentication required
2 Configure IP2
ACCESS
No authentication required
3 Configure SSL
ACCESS
Dual administrator
Select the level of encryption required, and load certificates if necessary.
See Configuring an SSL connection, on page 49.
4 View configuration
ACCESS
No authentication required
Scroll left/right to view details of IP1, details of IP2, counters for active sessions
and counters for sessions refused because of authentication failure.
ADYTON supports a maximum of 128 active sessions concurrently, including
up to 32 SSL sessions. The restriction on SSL sessions is for performance
reasons.
Status
1 General information
ACCESS
No authentication required
2 Logged on users
ACCESS
No authentication required
To show the details, select the user and touch [OK]. Use the arrow keys to scroll.
3 Date/time
ACCESS
No authentication required
4 Licence
ACCESS
No authentication required
Copies the licence to a USB device as a file you can read in a text editor.
A licence file contains a list of cryptographic services, which can be edited to
enable or disable individual services.
See Editing and updating the licence, on page 45, for additional information.
5 Audit trail
ACCESS
No authentication required
Copies the audit trail to a USB device as a delimited text file you can read in a
spreadsheet or a text editor, together with a digital signature and certificate tree,
but does not reset the audit trail on ADYTON. It also shows how much of the
audit trail buffer is still free, as a percentage.
See Working with the audit trail, on page 41, for additional information.
6 Performance
ACCESS
No authentication required
Shows the performance in real-time and an estimation of the available capacity
– can be used to scale an ADYTON park.
7 Footprints
ACCESS
No authentication required
Shows the number of keys installed, a checksum based on the key values and
a checksum based on the binaries and software package – can be used to
compare installations on different ADYTONs.
Update
1 Push cloning
ACCESS
Dual administrator
Duplicate the configuration of a master ADYTON on one or more clone
ADYTONS, by pushing the configuration from master to clones.
• the remote ADYTON or ADYTONS must be idle or displaying the main menu before you can start pushing the configuration
• if the clone ADYTON needs to reboot after the configuration has been duplicated, you receive a warning
2 Pull cloning
ACCESS
Dual administrator (remote login)
Duplicate the configuration of a (remote) master ADYTON on a clone ADYTON,
by pulling the configuration from master to clone. This can also be done by
running the initialisation wizard on the slave ADYTON again.
• the remote (master) ADYTON must be idle or displaying the main menu before you can start pulling the configuration; you receive a warning if this is not the case
• if a clone ADYTON needs to reboot after the configuration has been duplicated, you receive a warning
3 Update licence
ACCESS
Dual administrator
Loads updated licence file from the USB stick. An administrator can edit the
licence file to enable/disable specific cryptographic services covered by the
licence.
See Editing and updating the licence, on page 45, for additional information.
!
The ADYTON will not run unless a valid licence file is installed.
4 Update software
ACCESS
Dual administrator
ADYTON has to be rebooted at the end of the software update, which causes a
short downtime.
Downtime during reboot
When the ADYTON needs to be rebooted because of a software upgrade, the host
needs to set up communications again; this involves a short downtime. See Reboots and
availability, on page 22.
Appendix A. Working with the audit trail
Exporting the audit trail from ADYTON puts the following files on the USB stick:
files with a fixed name
• AtosRootCa_FactIntCa.cer
• AtosRootCa.cer
• FactIntCa.cer
files with a variable name
• certification tree
The filename starts with the ADYTON serial number; for example 8700C7D4091B415D_MmSign.cer
• audit-trail log
The filename starts with the ADYTON serial number and ends with a timestamp; for example 8700C7D4091B415D_adyton-audit-trail_20130201_114055.log
As described under Reading the audit trail, on page 42, you can read the audit trail in a spreadsheet or a text editor.
• audit-trail signature
The filename starts with the ADYTON serial number and includes a timestamp; for example 8700C7D4091B415D_adyton-audit-trail_20130201_114055signature.bin
Reading the audit trail
Figure 8. Audit trail opened in spreadsheet
The general structure of each record is:
column A      unique, sequentially incremented record number
              note: Resetting the log deletes all current entries, but does not reset the sequential numbering.
columns B, C  date/time
column D      description of the operation
column E      users logged on at that moment
column F      integrity check (for internal use)
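The checks below are an added example, not part of this guide or of the ADYTON software. They run over a constructed export with the column layout just described and assume a semicolon delimiter and no header row, neither of which the guide specifies. Because resetting the log does not reset the record numbers, the first record of each export should continue from the last record of the previous one; the script checks that, lists gaps inside the export, and counts failed authentications.

```shell
#!/bin/sh
# Added example (not ADYTON code): sanity checks over an exported audit-trail
# log, using the column layout described above (A record number, B date,
# C time, D description, E users logged on, F integrity check).
# Assumptions, since the export format is not specified further here:
#   - fields are separated by ';' and there is no header row
#   - the descriptions in the sample are made up for the example
set -eu

# write_sample_audit FILE: writes a CONSTRUCTED export. Record 105 is
# deliberately missing to show how a gap looks.
write_sample_audit() {
    cat > "$1" <<'EOF'
101;01/02/2013;11:30:12;Configuration changed: IP1;ADM1,ADM2;3a9f
102;01/02/2013;11:32:40;Authentication failed: chip card;;7c21
103;01/02/2013;11:32:58;Authentication failed: fingerprint;;0d44
104;01/02/2013;11:35:07;Cloning started (push);ADM1,ADM2;b1e0
106;01/02/2013;11:40:55;Configuration changed: SNMP traps activated;ADM1,ADM2;e58c
EOF
}

# audit_gaps FILE: prints one line per hole in column A. Because a reset
# (Device > Export audit trail) does not restart the numbering, a hole means
# records exist that this export does not contain.
audit_gaps() {
    awk -F';' '$1 !~ /^[0-9]+$/ { next }
        prev != "" && $1 != prev + 1 { printf "gap: expected %d got %d\n", prev + 1, $1 }
        { prev = $1 }' "$1"
}

# audit_continuity LAST_SEEN FILE: succeeds only if the first record of FILE
# is LAST_SEEN + 1, i.e. nothing happened between the previous export and
# this one that is missing from both USB copies.
audit_continuity() {
    first=$(awk -F';' '$1 ~ /^[0-9]+$/ { print $1; exit }' "$2")
    [ "$first" = "$(( $1 + 1 ))" ]
}

# audit_failed_auth_count FILE: number of unsuccessful authentication records.
audit_failed_auth_count() {
    awk -F';' 'tolower($4) ~ /authentication failed/ { n++ } END { print n + 0 }' "$1"
}

# audit_report FILE LAST_SEEN: summary to read after every export.
audit_report() {
    echo "records: $(awk -F';' '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$1")"
    audit_continuity "$2" "$1" && echo "continuity with previous export: OK" \
        || echo "continuity with previous export: BROKEN (first record is not $(( $2 + 1 )))"
    audit_gaps "$1"
    echo "failed authentications: $(audit_failed_auth_count "$1")"
}

# Stand-alone demo on the constructed file; the previous export ended at record 100.
demo=$(mktemp)
write_sample_audit "$demo"
audit_report "$demo" 100
rm -f "$demo"
```

Keep the last record number of every export with the report: that number, not the USB stick, is what lets you prove later that no export was skipped or lost.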
Verifying the audit trail
You can use OpenSSL (version 1.0.1c or higher) from a terminal window to verify the
signature of the audit trail, as follows.
Note that the verification process has been simplified, and now starts from a single
{fname}_MmSign.cer file instead of requiring the administrator to prepare a specific
.pem file.
Step 1.
verify the certificate tree
openssl verify -verbose -CAfile AtosRootCa_FactIntCa.cer {certificate tree}
When verification is successful, the message {certificate tree}: OK is displayed.
Step 2.
calculate hash over audit trail
openssl dgst -sha256 -binary < {audit-trail.log} > hash.bin
Step 3.
verify the audit trail signature
openssl pkeyutl -verify -in hash.bin -sigfile {audit-trail signature} -certin -inkey {certificate tree} -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss
When verification is successful, the message Signature Verified Successfully is displayed; otherwise Signature Verification Failure is displayed and the command exits with a non-zero status, so the check can be scripted.
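The script below is an added example, not Worldline's code: it rehearses Steps 1 to 3 on a constructed export, with throw-away test keys standing in for the factory CA chain and the device signing key, so the procedure can be scripted and tested before a real export is checked. It assumes that AtosRootCa_FactIntCa.cer is the root and intermediate CA certificates concatenated (that is how -CAfile reads it); the log contents are made up, and the serial number and timestamp in the file names are the guide's own example values.

```shell
#!/bin/sh
# Added example (not ADYTON code): runs the three verification steps above
# against a CONSTRUCTED export. The CA and device keys generated here are
# throw-away test keys that stand in for Worldline's; file names follow the
# appendix. Assumption: AtosRootCa_FactIntCa.cer is the root and intermediate
# CA certificates concatenated.
set -eu

# verify_audit_export DIR SERIAL TIMESTAMP
# Steps 1-3 exactly as documented; returns non-zero on any failure.
verify_audit_export() {
    tree="$1/${2}_MmSign.cer"
    log="$1/${2}_adyton-audit-trail_${3}.log"
    sig="$1/${2}_adyton-audit-trail_${3}signature.bin"
    hash=$(mktemp)
    # Step 1: the device certificate must chain to the factory root and intermediate CAs.
    openssl verify -verbose -CAfile "$1/AtosRootCa_FactIntCa.cer" "$tree" || { rm -f "$hash"; return 1; }
    # Step 2: hash the log; the signature covers this hash, not the raw file.
    openssl dgst -sha256 -binary < "$log" > "$hash"
    # Step 3: RSA-PSS/SHA-256 verification with the public key taken from the certificate.
    openssl pkeyutl -verify -in "$hash" -sigfile "$sig" -certin -inkey "$tree" \
        -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss
    rc=$?
    rm -f "$hash"
    return $rc
}

# make_test_export DIR SERIAL TIMESTAMP
# Builds root CA -> intermediate CA -> device certificate, a made-up log and
# a matching signature, producing the same file set as a real export.
make_test_export() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
    for n in root int dev; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=test $n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/AtosRootCa.cer" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/AtosRootCa.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/FactIntCa.cer" 2>/dev/null
    openssl x509 -req -in "$d/dev.csr" -CA "$d/FactIntCa.cer" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/${2}_MmSign.cer" 2>/dev/null
    cat "$d/AtosRootCa.cer" "$d/FactIntCa.cer" > "$d/AtosRootCa_FactIntCa.cer"
    # Constructed log lines (record;date;time;operation;users;check).
    printf '101;01/02/2013;11:30:12;Configuration changed: IP1;ADM1,ADM2;3a9f\n102;01/02/2013;11:32:40;Authentication failed: chip card;;7c21\n' \
        > "$d/${2}_adyton-audit-trail_${3}.log"
    openssl dgst -sha256 -binary < "$d/${2}_adyton-audit-trail_${3}.log" > "$d/hash.bin"
    openssl pkeyutl -sign -in "$d/hash.bin" -inkey "$d/dev.key" -pkeyopt digest:sha256 \
        -pkeyopt rsa_padding_mode:pss -out "$d/${2}_adyton-audit-trail_${3}signature.bin"
}

# Stand-alone demo: verify a good export, then show that one appended line breaks it.
demo=$(mktemp -d)
make_test_export "$demo" 8700C7D4091B415D 20130201_114055
verify_audit_export "$demo" 8700C7D4091B415D 20130201_114055 && echo "export OK"
echo '103;01/02/2013;11:33:00;tampered;;0000' >> "$demo/8700C7D4091B415D_adyton-audit-trail_20130201_114055.log"
verify_audit_export "$demo" 8700C7D4091B415D 20130201_114055 || echo "export REJECTED after tampering"
rm -rf "$demo"
```

Against a real export, call verify_audit_export with the USB stick's directory, the serial number and the timestamp taken from the file names; on a real stick, keep the three fixed-name CA files from a known-good source rather than trusting the copies that travel with the log, since a stick that carries its own root of trust proves nothing on its own.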
Appendix B. Editing and updating the licence
As delivered by Worldline, each ADYTON contains a software licence that determines
which cryptographic services the ADYTON can run. It is not possible to add services to
the licence.
Exporting the licence from ADYTON puts a plain text file with the extension .lic on the
USB stick. An administrator can upload an edited .lic file to disable or enable one or
more services provided by the licence.
Using the services provided by ADYTON requires access to a number of different ports:
see Table 5 Ports and services, on page 27. Make sure the ports for any service you
want to use are not blocked by a firewall.
Editing
Step 1.
Open the .lic file in a text editor
owner = "Atos Worldline";
datetime = "29/07/2013 07:42:04";
mode = "gold";
version = "1.0";
allow_key_table_change_by_host = "yes";
ds3 :
{
i_std_echo = 1;
i_std_get_serial_nr = 1;
i_dukt_ver_mac_tdes = 1;
i_dukt_gen_mac_tdes = 1;
i_dukt_der_ipek_2 = 1;
i_dukt_der_ses_key_2 = 1;
};
ds5 :
{
rsa_generate_x9_31_key = 1;
rsa_generate_key = 1;
rsa_decrypt = 1;
};
http = 1;
-----BEGIN SIGNATURE-----
f374b96f82e4d78adc016a03429d972d90c62846b8c1b629b328ae5ddcc037a011340d9cee8…
-----END SIGNATURE-----
Step 2.
Enable/disable cryptographic services as required
• to disable a service, locate its entry in the licence file and change = 1 to = 0
• to enable a service, locate its entry in the licence file and change = 0 to = 1
Only integer values may be changed.
Step 3.
Save the updated file
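As an added example (not part of this guide or of the ADYTON software), the shell functions below script Steps 1 to 3 with the two checks an administrator wants before uploading: only 0 or 1 is ever written, only to a service that already has an integer entry, and the edited file is compared with the original to confirm that nothing but integer values changed. The sample licence is the file printed above, shortened, with the signature block replaced by a made-up placeholder.

```shell
#!/bin/sh
# Added example (not ADYTON code): scripted version of the editing steps above,
# with the checks an administrator wants before uploading the file:
# only a 0/1 value is written, only to a service whose entry already exists,
# and the edited file differs from the original in integer values alone.
# The sample licence is the one printed above, shortened, with the signature
# block replaced by a made-up placeholder.
set -eu

write_sample_lic() {
    cat > "$1" <<'EOF'
owner = "Atos Worldline";
datetime = "29/07/2013 07:42:04";
mode = "gold";
version = "1.0";
allow_key_table_change_by_host = "yes";
ds3 :
{
i_std_echo = 1;
i_dukt_gen_mac_tdes = 1;
};
ds5 :
{
rsa_generate_key = 1;
rsa_decrypt = 1;
};
http = 1;
-----BEGIN SIGNATURE-----
0000placeholder0000
-----END SIGNATURE-----
EOF
}

# lic_set FILE SERVICE 0|1: flips one integer entry in place.
# Fails without touching the file if the value is not 0/1 or SERVICE has no
# integer entry (string settings such as mode = "gold" are never changed).
lic_set() {
    case $3 in 0|1) ;; *) echo "lic_set: value must be 0 or 1" >&2; return 2 ;; esac
    if ! grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[0-9]+;" "$1"; then
        echo "lic_set: no integer entry for '$2'" >&2
        return 1
    fi
    sed -E "s/^([[:space:]]*$2[[:space:]]*=[[:space:]]*)[0-9]+;/\1$3;/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# lic_diff_ok ORIGINAL EDITED: succeeds only if every differing line is an
# integer assignment and only its digits changed (same line count, same keys).
lic_diff_ok() {
    awk 'NR == FNR { orig[FNR] = $0; n = FNR; next }
         FNR > n { bad = 1 }
         $0 != orig[FNR] {
             a = $0; b = orig[FNR]
             if (a !~ /=[ \t]*[0-9]+;[ \t]*$/) bad = 1
             sub(/=[ \t]*[0-9]+;/, "=N;", a); sub(/=[ \t]*[0-9]+;/, "=N;", b)
             if (a != b) bad = 1
         }
         END { if (FNR != n) bad = 1; exit bad }' "$1" "$2"
}

# Stand-alone demo: disable the plain-HTTP service (port 8080) and check the edit.
demo=$(mktemp -d)
write_sample_lic "$demo/adyton.lic"
cp "$demo/adyton.lic" "$demo/adyton.lic.orig"
lic_set "$demo/adyton.lic" http 0
lic_diff_ok "$demo/adyton.lic.orig" "$demo/adyton.lic" && echo "edit is limited to integer values: OK"
grep -n '^http' "$demo/adyton.lic"
rm -rf "$demo"
```

Keep the original .lic export next to the edited copy and run lic_diff_ok on the pair before the USB stick goes to the ADYTON; a file that fails the check should not be uploaded.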
Updating a licence
Step 1.
Select Update > Update licence
Enter credentials for two Administrators, if these have not been authenticated already.
Step 2.
Insert the USB stick with the updated licence file.
The update runs automatically. When it is completed, the system displays the message
Licence updated. Remove USB stick.
Appendix C. Configuring an SSL connection
The ADYTON listens for SSL connections on port 4002. On this type of connection, the ADYTON and its clients exchange and validate certificates (mutual authentication) before agreeing on a session key and exchanging information. The client may choose how to balance speed against security:
• use port 4002, for an SSL connection with authentication and (optionally) encryption
• use port 4000, for a non-SSL connection without either authentication or encryption
The type of connection determines how requests for connection are handled. The
connection security level specified by the client requesting the connection must match or
exceed the security level specified by the ADYTON.
Step 1.
Select Network > Configure SSL
Enter credentials for two Administrators.
Step 2.
Set the level of security specified by the ADYTON
HIGH
On port 4002, the ADYTON and the client are authenticated. All exchanges
must be both authenticated and encrypted.
Port 4000 is blocked.
Loading a certificate file is mandatory for a high security setting.
MEDIUM
On port 4002, the ADYTON and the client are authenticated. All exchanges
must be authenticated, but encryption is optional.
Port 4000 is blocked.
Loading a certificate file is mandatory for a medium security setting.
LOW
On port 4002, the ADYTON and the client are authenticated. All exchanges
must be authenticated, but encryption is optional.
On port 4000, messages may be exchanged without authentication or
encryption.
Loading a certificate file is optional for a low security setting, but required in order
to establish connections using port 4002.
When you display the Configure SSL menu, the list always shows the current level of
security. To select a level, move the highlight with the up/down arrows and confirm your
selection with Shift + OK.
Step 3.
Load/overwrite certification file (optional)
When you use a certification file, you are prompted to insert a USB stick and select a
.pem file. The certification file needs to contain the whole certificate tree, and may also
contain a revocation list.
Any problem with the file is reported.
Appendix D. Custody procedures and secure transport
To meet PCI SSC requirements, you must work with clear procedures that guarantee the
chain of custody at all times. A documented chain of custody must exist to ensure that
all cryptographic hardware is controlled from its receipt through its installation and use.
This means that it must be clear who has responsibility during all the phases: initial,
transport, delivery …
Before you start to install and set up the ADYTON, make sure the accompanying
documentation meets the Payment Card Industry (PCI) PIN Security Requirements.
(online document)
Secure transport
Good practice for secure transport of an ADYTON includes the following:
• log hardware serial number before transport
• transport rack and ADYTON separately
• copy the ADYTON audit trail before transport
• check audit trail after transport
• check the two tamper evident stickers before and after transport
Verify both the authenticity and the integrity of the stickers: see page 6 for more information.
• check hardware serial number after transport
• boot up the ADYTON to check for tamper alarm
• from the Device menu, run 6 Back to default settings to clear all keys and user information
The ADYTON has been transported securely if the tamper-evident stickers are OK, the
audit trails before and after transport match, and no tamper alarm is given when you boot
up the ADYTON. Make a full report after carrying out these checks.
Appendix E. ADYTON MIB files
ADYTON OIDs are presented in five groups:
• key information
• keyset footprint
• software footprint
• performance
• SNMP trap
The prefix for Worldline ADYTON object IDs (OID) is 1.3.6.1.4.1.18270.100
Key information
Values returned by a GET operation on an ADYTON.Keys OID can be used to retrieve
information about the whole key-table. This option is equivalent to using View Keys from
the ADYTON menu.
OID    description             returns                                   type
.1.1   key usage               description of key                        display string
.1.2   key name                name associated with key                  display string
.1.3   key type                type of key                               display string
.1.4   key length              length of key                             display string
.1.5   key check value (CV)    check value computed over the key value   octet string (size (0..6))
Keyset footprint
Shows the checksum based on the key values – can be used to compare installations on
different ADYTONs.
OID    description         returns                                               type
.2     keyset footprint    full keyset checksum over the key-table (32 bytes)    octet string (size (64))
Software footprint
Shows the checksum based on the version of the software – can be used to compare
installations on different ADYTONs.
OID    description           returns                                                            type
.3     software footprint    full software checksum (32 bytes) over the ADYTON package on this device   octet string (size (64))
Performance
Shows the recent performance/load of the ADYTON as the average number of
transactions over the last 5 minutes.
OID    description          returns                                                      type
.4     performance value    number of transactions per second averaged over the last 5 minutes   integer
SNMP Trap
Values sent to SNMP server can be used to monitor the health of the ADYTON power
supplies.
OID    description                        sent
.10    trap notification activated        send this notification when trap functionality has been activated
.11    power failure notification sent    send this notification when either of the redundant power-supplies in an ADYTON rack fails