
IBASEC

User Manual IBASEC

Version 3.18

14.10.2013

Solaris 10 Linux (Red Hat)

Windows Server 2008 R2


BBP Development Version: 3.18

User Manual IBASEC Datum: 14.10.2013

page 2/150

Table of Contents

1 Introduction
2 Installation
3 Quickstart
    3.1 Configuration of a HSM
    3.2 Installation of Web Application
    3.3 Download of the Logs
    3.4 Change the date on the HSM
    3.5 Unlocking the HSM
    3.6 PIN changes for PED Key
    3.7 Key Management, Use Cases, Guidance
4 IBASEC Modules
    4.1 IBASEC Users and Login
    4.2 SYSMAN - System Management Module
    4.3 IBASEC - Host Interfaces
    4.4 KRYPTO - HSM Interface
    4.5 AUDIT - System Audit
    4.6 USRMAN – User Management
    4.7 BPMAN – Business Partner Management
    4.8 APPMAN – Application Management
    4.9 KEYMAN - Key Management
    4.10 PROFMAN - Cryptographic Profile Management
    4.11 CERTMAN - Certificate Manager (for SECOM)
5 HSM Setup and Handling
    5.1 HSM Initialization
        5.1.1 Set Date and Time
        5.1.2 Unlock HSM
    5.2 Key Storage Operation and PED Key Operation
        5.2.1 Enter Password
        5.2.2 Configure Web Server
        5.2.3 Installation and Un-Installation of the Web Application
    5.3 Start and Stop of the Web Application
        5.3.1 Start Web Server
        5.3.2 Stop Web Server
    5.4 HSM States
    5.5 Download Logs (Maintenance Work)
    5.6 Backup and Restore
        5.6.1 Key Backup
        5.6.2 Key Restore
6 Key Management
    6.1 Passwords
    6.2 Key Generation
        6.2.1 Generation of local certification keys
        6.2.2 Generation of Production Keys
        6.2.3 Generation of TINT Keys
        6.2.4 Important remark
    6.3 Key Export
    6.4 Key Import
    6.5 Validation of the Keys
    6.6 Miscellaneous Key Management Functions


    6.7 Import the Provider Keys
    6.8 Generation of the Production Keys
    6.9 Import and Validation of the SIS Root Certificate
    6.10 Import the SIS Certificate
    6.11 Create a Certification Request
    6.12 Import of a SIS certification
    6.13 Make a Key Backup
    6.14 Restore Keys
    6.15 Delete one Key
    6.16 Delete all Keys
    6.17 Import old LOCERT Public Key
    6.18 Import of migrated Keys from the Database
    6.19 Search and Find a Key
7 Privileges of IBASEC Users
8 FAQ
9 Use Cases
    9.1 Use Cases Overview
    9.2 Case 1: Install IBASEC from the CD
    9.3 Case 11: Connect a new HSM with "Premium Rollout"
    9.4 Case 12: Check the State of the HSM (get status)
    9.5 Case 13: Change or set parameters
    9.6 Case 14: HSM Initialization
    9.7 Case 15: Change and set passwords
    9.8 Case 16: Installation of a new Web Server Application Software
    9.9 Case 17: Execute maintenance work and use of log files
    9.10 Case 18: Setup a zeroized HSM (Premium Rollout)
    9.11 Case 19: Change PIN code on HSM
    9.12 Case 32: Generate a local verification key (LOCERT)
    9.13 Case 33: Create a production key pair
    9.14 Case 34: Export your public key to the provider (SIC)
    9.15 Case 35: Import a public key from SIC
    9.16 Case 36: Verify an imported external public key
    9.17 Case 37: Backup key partition
    9.18 Case 38: Restore key partition
    9.19 Case 39: Distribute public keys to further HSMs
    9.20 Case 40: Delete a key (or all keys)
    9.21 Case 41: Certification of SECOM Private Keys by SIS
    9.22 Case 42: Deactivation of a Key
    9.23 Case 61: How to report a malfunction of IBASEC and/or the HSM
10 Audit Events and their Severities

(print date : 2013-10-14)


Confidentiality

Without authorization by SIX Interbank Clearing AG (SIC AG) this document may not be copied or distributed.

History

Version Date Author Description

1.0 06.07.2006 O. Wirth, BBP user manual for pilots

2.1 24.01.2007 O. Wirth, BBP Modules, Use Cases

2.3 26.03.2007 OW after 2. SIC review

3.0 31.08.2007 OW Release 3.1.4 and 3.2.0

3.1 29.02.2008 OW Maintenance Release

3.2 19.09.2008 OW new features, log parser....

3.3 30.10.2008 OW return code 008/014.

3.4 28.08.2009 OW complete list of privileges

3.5 08.03.2010 OW key management with SIS

3.6 30.09.2010 OW more Use Cases

3.16 30.06.2011 OW more Use Cases

3.17 02.09.2012 cgu minor changes

3.18 14.10.2013 cgu updated text and screenshots

Documentation

Title: User Manual IBASEC

Filename: UserManual.pdf

References

Title Date Reference

Functional Specification for IBASEC 3 with SafeNet Luna SP 26.4.2006 SPECS

Release Notes for Solaris 10 or Windows Server 2008 R2 latest on your CD RN

SIC / euroSIC User Manual www.SIC.ch

Certificate and certification management for the SECOM application using IBASEC 17.09.2010 CERT1

SIS FrontLine, IBASEC3: 2Kbit certification of private keys (client side) 04.07.2008 CERT2

BBP believes that the information contained in this document is correct at the time of publication. Nevertheless, BBP reserves the right to make changes as seen fit. The information contained herein cannot be considered as a binding commitment on the part of BBP vis à vis third parties. Furthermore, BBP recognizes the ownership of brand and product names belonging to other companies, mentioned in this document.


1 Introduction

The following documentation describes the functionality and the important use cases of the IBASEC implementation. The document is structured in the following sections:

Quickstart for HSM configuration and key management (sec.3 for the experienced user)

Short explanation of the modules of the server software (sec.4 for the sysadmin)

HSM setup and handling reference (sec. 5 as a reference manual)

New key management operations (sec. 6 for the security officer)

The most important use cases (sec. 9 for the operator)

2 Installation

For details of the installation, please refer to the Installation Guide on the CD [INSTALL]. For the Solaris version, it is important to install the LibC patches as recommended in the Release Notes [RELEASE]. In addition, it is also recommended to install the latest patch cluster.

3 Quickstart

3.1 Configuration of a HSM

The HSM LunaSP should come from the distributor in an IBASEC-ready state (Premium Rollout). The configuration was made according to your specific order (IP address, etc.). If you would like to configure the HSM yourself (and you have the necessary privileges), it is recommended that you proceed with the Use Cases in section 9 or in four steps as follows:

STEP 1: Setup of the HSM connection interface

GUI: Krypto - Configure Krypto - IP Address = 192.9.200.1

The HSMs are connected to the IBASEC server through a safe private LAN (default 192.9.200.x). There are between 1 and 15 connections between the IBASEC server and the HSMs.

Windows: for registering the HSM fingerprint, a PuTTY connection is needed


STEP 2: Add a new HSM or modify a registered HSM

GUI: Krypto - Configure - New… (add new HSM)

Enter the IP address of the HSM (compare with the specifications that come with the HSM from the distributor).

The subnet mask of the HSM private LAN could be 255.255.255.0 (a class C network).

Max. Password entries: allow 5 consecutive wrong password entries until the HSM is locked.

Autostart lets the HSM be connected automatically after startserver.

The HSMs are always in Unattended Mode (GC720 could be run in OfficeMode too).

A registered HSM could be modified via GUI: HSM - Initialize HSM - Network Settings. If you use all default settings you could skip steps 1 and 2.

STEP 3: Set Passwords

Check your privileges and be ready to interact with the Admin PED key (blue key). See also section 6.1 and follow Case 11:

Set HSM Admin Password from your PIN Letter.

Set HSM Partition Password from your PIN Letter.

With Windows: first make a PuTTY connection to the HSM to register its fingerprint.


Enter the Admin Password from your PIN Letter to save it with the IBASEC server. Do the same with the Partition Password (see Case 11).

STEP 4: Start the Web Application

After a cold start of your HSM it is recommended to start the web server first:

GUI: HSM - HSM Operations - Start Web Server

If the web server is not started when you open the HSM in the Krypto window, IBASEC falls into the recovery state and starts the web server automatically (this takes about 2 minutes).

STEP 5: Open the HSM

GUI: Krypto - select a HSM - Open

This connects the HSM and brings it to the "Connected - ActiveUnatended" mode.
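The network values from STEP 1 and STEP 2 can be checked for consistency before they are entered in the GUI. The following Python sketch is an added example, not part of IBASEC or of the original manual: the function names and the plan format are hypothetical, and only the default LAN 192.9.200.x, the mask 255.255.255.0 and the limit of 1 to 15 connections are taken from the text above.

```python
import ipaddress

# Defaults quoted in the manual: HSM LAN 192.9.200.x, mask 255.255.255.0,
# between 1 and 15 connections. All names below are hypothetical.
DEFAULT_LAN = ipaddress.ip_network("192.9.200.0/255.255.255.0")
MAX_HSM_CONNECTIONS = 15
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan_from(ip, mask):
    """Derive the HSM LAN from the two GUI fields (IP address, subnet mask)."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def is_rfc1918(lan):
    """True if the LAN lies inside one of the RFC 1918 private blocks."""
    return lan.version == 4 and any(lan.subnet_of(block) for block in RFC1918)


def check_hsm_plan(hsm_ips, server_ip=None, lan=DEFAULT_LAN):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if not 1 <= len(hsm_ips) <= MAX_HSM_CONNECTIONS:
        findings.append(
            f"{len(hsm_ips)} HSM connections planned, "
            f"the manual allows 1 to {MAX_HSM_CONNECTIONS}")
    server = ipaddress.ip_address(server_ip) if server_ip else None
    seen = set()
    for raw in hsm_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{raw}: not a valid IP address")
            continue
        if ip in seen:
            findings.append(f"{ip}: duplicate HSM address")
        seen.add(ip)
        if ip not in lan:
            findings.append(f"{ip}: outside the HSM LAN {lan}")
        elif ip in (lan.network_address, lan.broadcast_address):
            findings.append(f"{ip}: reserved address of {lan}")
        if server is not None and ip == server:
            findings.append(f"{ip}: collides with the IBASEC server address")
    return findings


if __name__ == "__main__":
    plan = ["192.9.200.11", "192.9.200.12", "192.9.201.13"]  # constructed sample
    for finding in check_hsm_plan(plan):
        print(finding)
    if not is_rfc1918(DEFAULT_LAN):
        # 192.9.200.0/24 is not RFC 1918 space, so the segment has to stay
        # physically separate and unrouted to remain a private LAN.
        print(f"{DEFAULT_LAN} is not an RFC 1918 range: keep this LAN unrouted")
```

The default range 192.9.200.x is not one of the RFC 1918 private blocks, so the HSM LAN is private only as long as it is a separate, unrouted segment.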

3.2 Installation of Web Application

Should you ever have to update the web application (web appliance) of the Tomcat web server of the HSM, proceed as follows:

first read the "readme" on the CD that comes with the new application software

load the web application release to your IBASEC server (script is on CD)

GUI: HSM and mark the HSM to be configured

GUI: HSM Initialization (needs security privileges)

GUI: Uninstall Application (the current installation has to be removed first)

GUI: Install Application and select the designated version of software (e.g. luna104)

GUI: after the successful installation start the web server and open the HSM


3.3 Download of the Logs

The automatic daily maintenance run saves a complete set of log files to the IBASEC log directory ($IBA_LOG). In addition to these daily files, you can download an ad hoc set of log files for specific analysis of the current situation. Select from the GUI:

HSM and mark the HSM in the list

HSM Operations

Download Logs..

The downloaded files are accessible in the log directory (cd $IBA_LOG)
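Because the daily maintenance run is expected to leave files in $IBA_LOG every day, a missing day indicates that the run did not complete. The following Python check is an added example, not part of IBASEC or of the original manual: the function names are hypothetical, and since the manual does not show the log file names, it judges coverage by file modification date only (so an ad hoc download also counts for its day).

```python
import os
import tempfile
from datetime import date, datetime, time, timedelta


def days_without_logs(log_dir, days=7, today=None):
    """Return the calendar days (oldest first) among the last `days` full
    days for which log_dir holds no non-empty file."""
    today = today or date.today()
    covered = set()
    with os.scandir(log_dir) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            info = entry.stat(follow_symlinks=False)
            if info.st_size > 0:  # an empty file is no evidence of a finished run
                covered.add(date.fromtimestamp(info.st_mtime))
    # Today is excluded: the maintenance run may not have happened yet.
    window = [today - timedelta(days=n) for n in range(days, 0, -1)]
    return [day for day in window if day not in covered]


def demo():
    """Build a constructed log directory with one day that only has an
    empty file and return the gaps that the check reports."""
    today = date(2013, 10, 14)
    with tempfile.TemporaryDirectory() as log_dir:
        for back, content in ((1, "x"), (2, "x"), (3, ""), (4, "x"), (5, "x")):
            day = today - timedelta(days=back)
            path = os.path.join(log_dir, f"constructed-{day.isoformat()}.log")
            with open(path, "w") as handle:
                handle.write(content)
            stamp = datetime.combine(day, time(12, 0)).timestamp()
            os.utime(path, (stamp, stamp))
        return days_without_logs(log_dir, days=5, today=today)


if __name__ == "__main__":
    # Uses the real log directory when IBA_LOG is set, the constructed one otherwise.
    target = os.environ.get("IBA_LOG")
    gaps = days_without_logs(target) if target else demo()
    for day in gaps:
        print(f"no log files dated {day.isoformat()}")
```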

3.4 Change the date on the HSM

The IBASEC server and the HSM(s) should be synchronized, i.e. running the same date and time. To do this, select from the GUI:

HSM and mark the HSM to be configured

HSM Initialization (needs security privileges)

Set Date and Time and confirm the configuration window

3.5 Unlocking the HSM

The dialog between the IBASEC server and the HSM is protected with the application password. The maximum number of allowed password entries is set in the HSM Configuration Window. After the maximum number of consecutive wrong password entries the HSM is "Locked". The HSM can be unlocked again with the GUI function HSM - HSM Initialization - Unlock HSM.

3.6 PIN changes for PED Key

The PIN codes of the PED keys (blue and black) can be changed (see Case 19). An empty PIN code (just press Enter) is allowed and recommended.


3.7 Key Management, Use Cases, Guidance

Set-up of the first HSM for the productive IBASEC sessions

Steps Reference

Generate local certificate See section 6.2.1

Import the provider keys See section 6.7 and 6.8

Import or generate your production keys See section 6.4 and 6.8

Make a backup of the keys See section 6.13

Set up of the next HSM for a productive IBASEC session

Steps Reference

Restore the backup of the first HSM

Generate a productive key and send it to SIC

Steps Reference

Generate a productive key pair See section 6.8

Export file as self-signed certificate See section 6.3

Make a backup of the keys See section 6.13

Import of a SIC key

Steps Reference

Import a key as self-signed certificate See section 6.4

Import a key in IBASEC2 Format See section 6.4

Make a backup of the keys See section 6.13

Generate a productive key and send it to SIS

Steps Reference

Generate a productive key pair See section 6.8

Create a certification request See section 6.11

Make a backup of the keys See section 6.13

Import of a SIS certificate

Steps Reference

Import the ROOT.CRT See section 6.9

Import of a certificate See section 6.12

Make a backup of the keys See section 6.13

Import of migrated keys

Steps Reference

Load old LOCERT key See section 6.17

Load of a key out of the IBASEC Database See section 6.18

Make a backup of the keys See section 6.13

Delete one key on a HSM

Steps Reference

Delete one key See section 6.15


Delete all keys

Steps Reference

Delete all keys See section 6.16

4 IBASEC Modules

4.1 IBASEC Users and Login

All interactive users of the IBASEC server must log in to the server before they can perform any actions. The actions a user is allowed to perform depend on the ‘User Category’ assigned to the user. The user categories are as follows:

Security Officer

Is responsible for the security aspects of the system, e.g.:

The creation and management of user accounts (see section ‘USRMAN – User Management’).

Key management functions (see section ‘KEYMAN – Key Management’).

Management of Business partner information (see section ‘BPMAN – Business Partner Management’).

Management of cryptographic profiles (see section ‘PROFMAN – Profile Management’).

Management of application information and application users (see section ‘APPMAN – Application Management’).

Note – many of these operations require confirmation by a second Security Officer, so at least two Security Officer users must be defined in an IBASEC server.

Administrator

Is responsible for the non-security related administration of the system, e.g.:

Making and reloading of backups (see section ‘SYSMAN – System Management’).

Configuring HSM interfaces (see section ‘KRYPTO – HSM Interfaces’).

Configuring IBASEC interfaces (see section ‘IBASEC – Host Interfaces’).

Any number of Administrator Users can be defined.

Auditor

Can view and search the system Audit and message log databases (see section ‘Audit – System Audit’).

Any number of Auditor Users can be defined.

Operator

Is responsible for the day-to-day operation of the server, e.g.:

Starting and stopping the server, and monitoring its operation (see section ‘SYSMAN – System Management’).

Opening and closing IBASEC interfaces and monitoring their operation.

Opening and closing KRYPTO Interfaces and monitoring their operation.

Any number of Operator Users can be defined.


The installation of the system provides an initial set of users as follows:

Username Password Category

operator1 operator Operator

administrator1 administrator Administrator

security1 security Security

security2 security Security

auditor1 auditor2 Auditor

Once a user is logged in, the functions, menus and screens that the user can see depend on the user category. In particular, the main menu contains only the modules that the user is allowed to access.

To access the user functions of the IBASEC server, you must first log in. To log in to the IBASEC server you must run the IBASEC User Interface program. The procedure to do this depends on whether you are using SUN Solaris or Windows, as follows:

Login to the UNIX ibasec account on the server machine e.g.

login: ibasec

Password:

Last login: Wed Sep 23 13:52:12 from obiwan

Sun Microsystems Inc. SunOS 5.6 Generic August 1997

ibasec@jedi 31 %

If you have logged in remotely you must set the DISPLAY variable to point to your remote display e.g.

ibasec@jedi 32 % setenv DISPLAY mycomputer:0.0

Now run the user interface program as follows:

ibasec@jedi 33 % startibasec

The login screen should now be displayed.

With the Windows version, select the IBASEC program "Ibasec Login" from <Start>.

The IBASEC Main menu


4.2 SYSMAN - System Management Module

The System Management module (SYSMAN) allows the IBASEC server to be started/stopped and monitored. To access the full functions of this module you must be a user in the Operator user category. The monitoring functions are also accessible by users in the Admin user category. For details of other system related activities e.g.

Making a full backup of the server

Saving Audit and Message Log files

Configuring Audit events scripts

The SYSMAN component manages and monitors the system state. The following states of the system are possible:

State Comment

Down This is the state before the system has been started or after it has been shut down. Only users in the ‘Operator’ User-Category can log in in this state.

Startup This is the state when an Operator User has requested a start of the system. This is a transient state and the system should reach either the Online, Offline or Error state within 30s-60s. Only users in the ‘Operator’ User-Category can log in in this state.

Online All processes of the system are running, and there is at least one HSM attached. Both Test and Production sessions are possible.

Offline All processes of the system are running, BUT there is no HSM attached or online. Only test sessions are possible with dummy cryptographic operations.

Shutdown The system is closing down.

Updating A backup is being restored.

Error Either the system failed to start, or an error occurred while the system was running. The system should be shut down.

After some seconds (depending on the speed of your machine) the system should reach the ‘offline’ state (if no HSMs are online), or ‘online’ (if at least one HSM is online). This can be seen from the ‘system state’ field in the ‘Overview’ screen. Once the system reaches the offline or online state, users belonging to other user categories can log in.

Backup and Restore of Database Files

The SYSMAN module provides functions to back up and restore the IBASEC Server’s database files. A backup of the database should be made whenever significant configuration changes are made. A backup can also be used to transfer configuration from one IBASEC installation to another.

Note – the backup contains only configuration information e.g.

The configuration of the IBASEC interfaces.

The configuration of the KRYPTO Interfaces.

The KEYMAN key information.

Business partner information from BPMAN.


Application, and Application users information from APPMAN.

Cryptographic profile information from PROFMAN.

Interactive user information from USRMAN.

Audit configuration from Audit.

It does not contain:

The program executables.

The event log or message log.

See section ‘System Management Information’ for details of how to back these up.

Backing up the Databases

To make a backup of the databases:

The system must be in the down state.

You must load a tape in the tape drive attached to the IBASEC Server Machine.

You must choose a name to identify the backup. This name will be used to retrieve the backup from the tape later.

Select ‘Save’ from the ‘Backup’ menu on the ‘SYSMAN Overview’ screen. Enter the tape device and the name of the backup, and click save. The backup will proceed.

Restoring the Databases

To restore the databases from a backup:

The system must be in a down state.

Load the tape in a tape drive which is attached to the server machine.

Select the ‘Load’ option from the ‘Backup’ menu on the ‘SYSMAN Overview’ screen.

Enter the tape device and the name of the backup to be loaded. Click ‘Load’. The load will proceed.

Note – the load will fail if:

A backup set with the specified name is not found on the tape.

The backup was made from a server running a different version of software than this one.

The backup was made on a machine with a different configuration from this one, for example the two systems have a different number of IBASEC interfaces.

In every case the system will be left untouched.

4.3 IBASEC - Host Interfaces

The IBASEC module provides functions for the configuration and monitoring of the Host Interfaces of the IBASEC Server. It is via these interfaces that Host Applications access the security services of the server for signing/verifying, encrypting/decrypting messages etc. For details of how to configure Host Applications please refer to section ‘APPMAN – Application Management’.

The exact number and types of the IBASEC interfaces in any particular server will depend on the operating system being used and how the server was configured at installation time. However, the maximum number of interfaces possible is as follows:

Unix and Windows:

up to 4 tcp/ip interfaces

up to 1 CORBA interface (over tcp/ip)


TCP/IP Interfaces

The values should normally be set when the server is installed. If you need to change them please refer also to the Installation Guide. The values have the following meanings:

The Interface Name is set at installation time and cannot be changed.

IP Address should be set to the IP Address of the IBASEC Server Machine on the Bank’s TCP/IP network.

Service should be set to correspond with the service name, which was defined in the services during the installation procedure. Consult your system administrator.

Max Sessions – determines the maximum number of simultaneous sessions that this interface can support (values 1-40).

Max Window – the maximum window size that this interface can support (values 0-99).

Character Set should be set to ASCII or EBCDIC as is required by the Host applications, which will access the server.

Auto Start if set on will mean that the interface will always open when the server software is started.

Secure – this option is not available in this release.


The CORBA Interface

The values should normally be set when the Server is installed. The values have the following meanings:

The Interface Name is set at installation time and cannot be changed.

Max Sessions – determines the maximum number of simultaneous sessions that this interface can support (values 1-20) – for details of IBASEC Sessions see reference [1].

Auto Start if set on will mean that the interface will always open when the server software is started.

Secure – this option is not available in this release.

Character Set should be set to ASCII or EBCDIC as is required by the Host applications, which will access the server.

Controlling and Monitoring Interfaces and Sessions

Before a Host Application can access the functions of the Security Server, the corresponding interface of the server must be ‘opened’. This can be done in one of two ways: by selecting the interface from the ‘IBASEC Overview’ screen and clicking on the ‘Open’ button, or by setting the auto-start flag for the interface. The latter means that the interface is opened automatically when the server is started.

PEM Message Size

For PEM operations, the message size (header plus body) is limited to 103’600 bytes. In practice, this means that the maximum payload is roughly 100’000 bytes. Larger messages will fail with a “message too big” error.

4.4 KRYPTO - HSM Interface

The KRYPTO module provides facilities to configure and manage the HSM Private Network and the connections with the HSMs. To monitor and control the HSMs you must be a user in the Operator user-category. To be able to monitor, control and configure the interfaces you must be a user in the Administrator user-category.

Each HSM is uniquely defined by its ‘unit address’, which is assigned to the HSM at installation time – please refer to reference [INSTALL] for details of the HSM installation procedures. This unit address also defines the IP address of the HSM according to the following formula: ‘IP address = 192.9.200.<unit address>’. The IBASEC server KRYPTO interface also has an IP address in the same network, which is normally 192.9.200.1. All HSMs know this address and will attempt to send event information to it.


If there is a conflict of IP addresses, then this default setting can be modified by the user. The IP addresses can be modified to a value between 192.168.0 and 192.168.255.

The IBASEC server is preconfigured to support one HSM with unit address 31. The server can support a number of HSMs, which can be added by a user in the administrator category through the configuration options of the KRYPTO module. The number of HSMs currently configured and their statuses are visible at any time in the ‘KRYPTO Overview’ window.

Note – if no HSMs are connected, or no HSMs are online, the IBASEC Server will be offline and only ‘dummy’ operations will be possible using test sessions. You should configure the server with at least one HSM even if you want to operate in dummy mode.

Setting the KRYPTO Master Configuration

The KRYPTO master configuration defines the IP address of the IBASEC server on the HSM private network, and the IP port on which the server will listen for event information from HSMs. These values should normally be set to 192.9.200.1 (the port is set by default to 9720). If you have chosen a different Network address for the HSM private network you should set the address of the KRYPTO Interface to be <Your Network>.1 (e.g. 192.168.9.1). The Port number should not be changed.

The KRYPTO master configuration can be changed by selecting the ‘Configure KRYPTO’ option from the ‘Configure’ menu. It is only possible to modify the configuration if all HSMs are closed.


Adding a new HSM

To add a new HSM select the ‘New’ option from the ‘Configure’ menu on the ‘KRYPTO Overview’ screen. The following screen will be displayed:

The fields should be entered as follows:

HSM – a unique name, which can be used to identify the HSM. E.g. ‘HSM31’ or ‘Master-HSM’ etc. (mandatory).

Unit address – the unit address of the HSM (mandatory).

IP – the IP address of the HSM (this is for information purposes only and will be filled by the IBASEC Server).

Description – a free text description (optional).

Subnet Mask – should be 255.255.255.0 (mandatory).

Applications – by using the >> and << buttons you can select for which of the available applications this HSM will be used. Note - you should ensure that this corresponds with the keys, which are actually loaded in the HSM (mandatory).

Autostart – by selecting this option this HSM link will be started automatically when the IBASEC Server is started.

Comm Timeout – This is the time period, which the IBASEC Server allows for the HSM to respond to requests. A value of 3 seconds is typical (mandatory).

Poll Interval – This value determines how often the IBASEC Server will poll the HSM to check the connection with it and its status. A value of 30 seconds is typical (mandatory).


Modifying HSM Configuration

The configuration of a HSM can be modified by selecting its entry in the ‘KRYPTO Overview’ screen and choosing the ‘Modify’ option from the ‘Configure’ menu. Note - the HSM must be closed before you can modify its configuration. The following fields can be modified (see the previous section for the possible values):

HSM

Description

Sub-net

Applications

Auto-start

Comm Timeout

Poll Interval

Note - You cannot modify the unit address within the HSM configuration. If you wish to change the unit address of the HSM you must create a new configuration entry for the new unit address. The modification is active next time the link to the HSM is opened.

Deleting a HSM

The configuration of a HSM can be deleted by selecting its entry in the ‘KRYPTO Overview’ screen and choosing the ‘Delete’ option from the ‘Configure’ menu. Note - the HSM must be closed before it can be deleted. The deletion is immediately active.

Controlling and Monitoring HSMs

The ‘KRYPTO Overview’ window shows the current status of all the HSMs currently configured in the Server.

The screen shows the following information:

HSM - The name of the HSM as entered via the configuration screen.

Status - the current status of the HSM connection. See below for the list of statuses and their meaning.

Transact - the number of operations that this HSM has performed since its link was opened.

Queue - the number of requests that are queued to this HSM.

Overload - the number of times this HSM has reported an overload condition. This is for information only.

Transact/s - the maximum number of transactions per second processed by this HSM since the connection was made.

Transact/h - the maximum number of transactions per hour processed by this HSM since the connection was made.


The statuses of a HSM connection are as follows:

Status – Comment

Closed – There is currently no connection with the HSM.

Connecting – The IBASEC Server is creating a connection with the HSM.

Fetching Keys – The IBASEC Server is fetching the list of keys from this HSM.

Online – The IBASEC Server has a connection with the HSM and it is available for Cryptographic operations.

Offline – The IBASEC Server has a connection with the HSM but it is currently offline (see the HSM User Manual reference [3]).

Error – Either no connection could be established with the HSM, or the HSM reports an error. In each case the IBASEC server will continue to try to make a connection until either it is successful, or it is stopped by a user.

Corrupted Verify – A verification has failed on this HSM but was successful on another. This means that this HSM is suspect and has been put offline.

The connection with the HSM can be opened or closed manually by selecting the HSM from the ‘KRYPTO Overview’ window and clicking on the ‘Open’ or ‘Close’ button as appropriate. A HSM can be opened at any time and as soon as it reaches the Online state it will be used for cryptographic operations. A HSM can be closed at any time. Any outstanding operations will either be re-routed to another HSM or will be returned to the caller.

The ‘Remote’ menu on the ‘KRYPTO Overview’ window allows some information to be obtained from a specific HSM. Note - the HSM must be online for these options to be active. Select the required HSM from the ‘KRYPTO Overview’ window and issue the command:

Get Date and Time – shows the current date and time as set in the HSM.

Get Status - retrieves the current status of the HSM.

4.5 AUDIT - System Audit

The Audit module provides functions to manage and view the central audit-trail database. This contains details of all errors and significant events within the system. The Audit module also contains functions to manage the message logs, which are optional logs of data-flow through the server, and, as a new functionality, a tool for an easy analysis of some HSM logs.

With IBASEC version 3.3.9 or later, another new functionality has been added to the Audit Maintenance: the $IBA_LOG directory will be cleaned up after each Audit Maintenance, i.e. all subdirectories of $IBA_LOG older than 30 days (this is the default, otherwise set the holding time with IBA_HSM_LOG_MAX_DAYS) will be deleted.

The Audit database can be viewed by users belonging to the Operator, Auditor or Administrator user-categories. To configure the Audit module a user must belong to the Administrator user-category. To search the Audit database and message log files a user must belong to the Auditor user-category.

Auditable events fall into two categories:

System events – e.g. system started, system stopped, interface opened, etc.

Security events – e.g. key added, verification failed, etc.

Within each category events also have a severity:

Info

Warning


Error

All events are always stored in the Audit-Trail database. They can also optionally be printed in real-time to a printer, which is attached to the server. Some events of type error can also trigger an alarm script, which can be used for example to access a pager system.

The Audit module performs a daily maintenance during which it will create archives of the Audit Trail, and delete audit trail and message and audit files older than a configurable number of days. The audit maintenance can also run a user supplied script, which can be used for example to transfer audit archive files and message log files to another machine for archiving.

Viewing the Audit Trail

The entire audit trail is visible from the ‘Audit’ main window.

Where

Date/Time – indicates when the event happened.

Type – indicates whether the event is a System event or a Security event.

Severity – indicates the severity of the event i.e. Info, Warning or Error.

ID – is a number uniquely identifying the exact event.

Facility – indicates for example which HSM originated the event, or which IBASEC interface originated the event.

The scroll bars allow the whole trail to be viewed. The screen also shows the current number of entries in the audit trail (Event Database) and the current number of entries in the message logs, plus details of when the last maintenance occurred.


Searching and Viewing the Message Log

If message logging is active a user from the Auditor User-Category can also search the Message Logs:

The message logs are searchable based on the following parameters:

Date/Time – When the message was received, including before, after, between etc.

Req Type – The type of request performed. One of the following: Sign, Verify, Hybrid Crypt, Hybrid Decrypt, Sign Plain, Verify Plain, Encrypt Plain, Decrypt Plain, Sign and Encrypt Plain, Decrypt and Verify Plain, Hash Plain.

User ID – The identification of the Application user.

Source BP – The BP-Id of the sender of the message.

Dest BP – The BP-Id of the receiver of the message.

Result – The result of the operation (in the form nnn/mmm – major error code, minor error code e.g. ‘008002’, see reference [1]).

The results are displayed in a window from which it is also possible to view the exact content of a particular message. Searching the message logs can take some time, and can also adversely affect the performance of the system. Therefore the result is limited to the first 100 messages found to fulfil the search parameters.


Analyze the HSM Logs

This functionality is only available with the IBASEC version 3.3.9 (Solaris 10) and later. The HSM produces a lot of log files. After each manual "Download Logs" or the daily automatic "HSM Maintenance" there will also be an automatic HSM log file parsing and a clean-up of old log directories (IBA_HSM_LOG_MAX_DAYS default is 30). That means that the daily HSM log file directory will be parsed for critical events. These are the parameters that control the HSM log file parser:

The environment variable (or registry entry with Windows) IBA_HSM_MAINTENANCE_TIME sets the daily time of the HSM maintenance. If unset, the default would be 02:30.

Example: IBA_HSM_MAINTENANCE_TIME="18:30"

The HSM log parser is per default switched on. To disable the log parser, the environment variable (or registry entry with Windows) has to be set IBA_LOGPARSER=0

The HSM maintenance produces each day a new directory like this: $IBA_LOG/HSM31_20080617. These directories can be selected for parsing with the following windows.

Audit > HSM Logs...


Result Codes

The IBASEC server adds an error code to the EDIFACT header of each message. This code consists of two three-digit numbers: the major and minor error codes. A successfully processed message has a code ‘000’. Example of an error: ‘008002 - parameter errors, unknown BP id’. The list below shows these errors.

Major  Minor  Meaning
000    -      Success.
001    -      Window size exceeded.
002    -      Unknown function. This will raise a CORBA standard exception.
003    -      Request received without a session. This will raise a standard CORBA exception.
004    -      System Error.
005    -      Security Error.
006    -      Session closed by server.
006    001    Server has gone into an offline state.
006    002    Operator requests a session close.
006    003    Communications error detected.
006    004    Server closing down.
006    005    Invalid test session
007    -      Format errors.
007    001    Message data too short or missing.
007    002    Message data too long.
007    003    Signature too short.
007    004    Signature too long.
007    005    Invalid length.
007    006    Invalid offset.
007    007    Invalid EBCDIC character.
007    008    Invalid ASCII character.
007    009    Key too short.
007    010    Key too long.
007    011    Invalid HEX character.
007    012    Invalid Date.
007    013    IV Too Short.
007    014    IV Too Long.
007    015    Certificate too short.
007    016    Certificate too long.
007    017    Offset too long
007    018    Trailer too long
007    019    Invalid message length
007    020    Key length not zero
007    021    IV length is not zero
007    022    IV length is zero


007    023    Field not decimal
007    024    Invalid Certificate
008    -      Parameter errors.
008    001    Illegal Parameter.
008    002    Unknown BP id.
008    003    Unknown algorithm descriptor.
008    004    Unknown HSM.
008    005    Unknown Certification Authority.
008    006    Unknown Filter Type.
008    007    Unknown Code Type.
008    008    Unknown Usage Type
008    009    Unknown Continuation Flag
008    010    Unknown Mode of Operation
008    011    Invalid Char
008    012    Invalid Mode of Operation
008    013    Illegal Algo Description
008    014    BP in TEST >=6 chars (since 3.3.9)
009    -      Session Errors.
009    001    A request for a session contains an incorrect server id.
009    002    An unknown user is requesting a session.
009    003    An unknown application has been requested.
009    004    Wrong function. Function not allowed for this application id.
009    005    (Not Used).
009    006    A user has requested use of an application, which he is not allowed to use.
009    007    There are too many sessions.
009    008    This application is not allowed to create a session of this type.
009    009    This User-Id is not allowed to create a session of this type.
009    010    Management sessions not allowed for this application id.
009    011    Production session not possible.
009    012    Wrong window size.
009    013    Test session not allowed
009    014    Listener is missing
009    015    Interface is closed
009    016    Security Session not possible
010    -      EDIFACT Errors.
010    001    The format of an EDIFACT message is not correct.
011    -      Key Errors.
011    001    No Public Key.
011    002    No Secret Key.
011    003    No certificate for CA.


011    004    Key not accessible.
011    005    Key already loaded
012    -      Verification Error.
012    001    Message verification failed
012    002    Message to be verified out of validity window
013    -      Interchange Errors.
013    001    No interchange.
013    002    An interchange already exists.
013    003    Discontinuity in Part Number
014    -
014    001    Illegal PEM format
014    002    Missing mandatory field
015    -
015    001    Feature not supported


Configuring Audit

The ‘Configure’ menu on the ‘Audit’ main window allows the audit configuration to be modified:

Audit Configuration

For Audit the following can be configured:

Audit Printer – the identity of the printer to be used to print audit events (optional). Typical values are: on Unix: /dev/ttyb, on NT: COM1. Leave the field empty if you do not want to print events.

Alarm Script – the identity of the script to be called when alarm events occur (optional).

Storage Period – the number of days for which audit event related information will be stored.

Message Log Configuration

For Message Logging the following can be configured:

Storage Period – the number of days for which Message Log files are kept.

Commit – This flag indicates whether writes to the message log files will be committed per write. Setting this flag will provide more security against a lost file in case of an error or crash, however at the expense of some performance (i.e. on = safer but slower).


The applications windows indicate for which applications message logging is active. Use the >> and << buttons to change this. Note - a change of message logging status for an application will not affect currently open sessions for that application, i.e. if message logging is turned off, sessions which are currently logging for the application will continue to do so until they are closed. Conversely, if message logging is turned on for an application, message logging will begin with the next new session opened for that application.

Audit Maintenance Configuration

For Audit Maintenance the following can be configured:

Time - the time of day when the audit maintenance should run. It is recommended to choose a time outside of your normal operational day, as, although maintenance can occur whilst data is flowing through the server, there can be some impact on performance.

Maintenance Script - the identity of a user supplied script to be run as part of the audit maintenance procedure. The shell script should be placed in the $IBA_SCRIPT directory. The working directory for output files would be IBASEC's home directory (/opt/ibasec).

Audit Alarm Scripts

The IBASEC Server considers some audit events to be ‘Alarm’ events, and for these it can call a user supplied ‘Alarm Script’ which could for example forward the message to a Paging system. See the section “Error Codes” for the full list of events including all alarm events. For each of these events the Audit module can call a user supplied script with a name as configured in the Audit Configuration. The script should reside in the ‘scripts’ directory, the exact location of which depends on how your system was installed. In a typical installation this would be as follows:

Unix: /opt/ibasec/<server-id>/scripts

Windows: C:\Program Files (x86)\Ibasec3\<server-id>\var\script

On Unix the environment variable $IBA_SCRIPT points to this directory. The calling interface for the script is:

Scriptname <event-id> <event-type> <severity> <facilitycode> <facilitysubcode> <text>

Configuring Audit Maintenance Scripts

The Audit Maintenance procedure (see section ‘Audit System Audit’) can optionally call a user supplied script. This script could for example FTP the current audit and message log files to another system for archiving. The script should reside in the ‘scripts’ directory, the exact location of which will depend on how your system was installed. In a typical installation this would be as follows:

Unix: /opt/ibasec/<server-id>/scripts

Windows: C:\Program Files (x86)\Ibasec3\<server-id>\var\script

On Unix the environment variable $IBA_SCRIPT (or $IBA_SCRIPTS) points to this directory. The name of the script is user configurable via the ‘Audit Configuration’ screen. As an example, to clean the logfiles from your IBASEC server see the script in Use Case 17.
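An alarm script for the calling interface given under ‘Audit Alarm Scripts’, as an added example that is not part of the manual or of the IBASEC distribution. It forwards each alarm to the local syslog as one sanitised line. Assumptions: the event type and severity arrive as the words shown in the Audit window (System/Security, Info/Warning/Error), the tag ibasec-alarm and the syslog facilities are free choices, and the sample values used to exercise it are constructed.

```shell
#!/bin/sh
# Added example of an IBASEC audit alarm script (not vendor code).
# Calling interface from the manual:
#   Scriptname <event-id> <event-type> <severity> <facilitycode> <facilitysubcode> <text>
# ASSUMPTION: event-type and severity are passed as the words shown in the
# Audit window (System/Security, Info/Warning/Error); the manual does not say.

# Remove control characters and double quotes so that event text cannot
# inject extra log lines or break the key="value" layout for log parsers.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177' | tr '"' "'"
}

# Map event type and severity to a syslog priority. Unknown severities are
# treated as errors so that an unexpected value never downgrades an alarm.
alarm_priority() {
    etype=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    esev=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $etype in
        security*) fac=auth ;;
        *)         fac=daemon ;;
    esac
    case $esev in
        info*) lvl=info ;;
        warn*) lvl=warning ;;
        *)     lvl=err ;;
    esac
    printf '%s.%s' "$fac" "$lvl"
}

# Build one log line from the six arguments.
# Returns 2 for fewer than six arguments, 3 for a non-numeric event id.
format_alarm() {
    [ "$#" -ge 6 ] || return 2
    case $1 in
        ''|*[!0-9]*) return 3 ;;
    esac
    id=$1
    atype=$(sanitize "$2")
    asev=$(sanitize "$3")
    fcode=$(sanitize "$4")
    fsub=$(sanitize "$5")
    shift 5
    text=$(sanitize "$*")    # tolerate text passed as several words
    printf 'IBASEC-ALARM id=%s type=%s severity=%s facility=%s/%s text="%s"' \
        "$id" "$atype" "$asev" "$fcode" "$fsub" "$text"
}

# Entry point: only acts when the server calls the script with arguments.
if [ "$#" -gt 0 ]; then
    if line=$(format_alarm "$@"); then
        logger -p "$(alarm_priority "$2" "$3")" -t ibasec-alarm "$line"
    else
        # A malformed call is itself worth an alert.
        logger -p auth.err -t ibasec-alarm "malformed alarm call with $# arguments"
        exit 1
    fi
fi
```

Keep the script fast and free of interactive prompts, and make it writable only by the account that administers the server, since it runs on every alarm event.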


4.6 USRMAN – User Management

The User Management module allows users from the Security User-Category to manage user accounts. Most operations in the USRMAN module operate on the ‘four-eyes’ principle; this means that changes or additions made by one Security User must be approved by a second Security User. For this reason the IBASEC server must always have at least TWO Security Users configured.

User Categories

Each user of the system belongs to a User-Category, either Operator, Auditor, Administrator, or Security. This defines the set of functions of the server that the user is allowed to access. For further details please refer to section ‘IBASEC Users’.

User Statuses

Each user of the system has a status as follows:

Enable – The user is active and can log in.

Disable – The user is active but is not allowed to log in.

Waiting For Approval – Some changes have been made to the user’s settings. The user is not allowed to login until a second Security officer approves the changes.

Usernames

All users of the system are identified by a username, and all users must enter a personal password before they can access the system. Usernames must be chosen according to the following criteria:

It must be unique within a particular instance of the Security Server.

It must contain at least 8 characters and at most 32 characters.

It is case sensitive.

It can comprise alphanumeric characters i.e. A-Z, a-z and 0-9. No special characters are allowed.

It cannot contain the same character repeated over more than two consecutive characters i.e. userAA is allowed, userAAA is not.

Passwords and Password Restrictions

User passwords must be chosen according to the following criteria:

It must not be the same as the username.

It must contain at least 8 characters and at most 32 characters.

It is case sensitive.

It can comprise alphanumeric characters i.e. A-Z, a-z and 0-9. No special characters are allowed.

It cannot contain the same character repeated over more than two consecutive characters i.e. userAA is allowed, userAAA is not.

It must not be a password which has been used before within the last 10 password changes.

It is also possible to assign restrictions to a user’s password, which will determine how often it must be changed. These are as follows:

The maximum number of uses that a password can have. After this number of logins the password must be changed.

The maximum number of days for which the password can exist. After this period that password will automatically expire and will have to be changed.

These restrictions are optional and can be set or modified at any time by a Security User.
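The username and password criteria above, written as a pre-check that a Security User could run before entering a new account. This is an added example and not part of the manual or the product. Uniqueness and the 10-password history are known only to the server and are not checked, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-check of a proposed IBASEC username or password
# against the criteria listed in the manual. Not vendor code.
# Not covered: uniqueness within the server and the 10-password history,
# which only the server can evaluate.

# Character ranges such as A-Z are locale dependent; force the C locale so
# that accented letters cannot slip through the alphanumeric test.
LC_ALL=C
export LC_ALL

# Rules shared by usernames and passwords. Prints a reason code and returns 1
# on the first violation; prints "ok" and returns 0 otherwise.
# The value itself is never printed.
check_common() {
    value=$1
    # Alphanumeric only: reject anything outside A-Z, a-z, 0-9.
    case $value in
        *[!A-Za-z0-9]*) echo charset; return 1 ;;
    esac
    # Length 8 to 32 characters inclusive.
    if [ "${#value}" -lt 8 ] || [ "${#value}" -gt 32 ]; then
        echo length; return 1
    fi
    # The same character may appear at most twice in a row. The match is
    # case sensitive, so "aAa" does not count as a repetition.
    if printf '%s\n' "$value" | grep -q '\(.\)\1\1'; then
        echo repeat; return 1
    fi
    echo ok
}

# usage: check_username <username>
check_username() {
    check_common "$1"
}

# usage: check_password <username> <password>
# The comparison with the username is exact (case sensitive), as both
# values are case sensitive in the manual's rules.
check_password() {
    if [ "$1" = "$2" ]; then
        echo same-as-username; return 1
    fi
    check_common "$2"
}

# Constructed samples. The manual's own pair userAA / userAAA is six and
# seven characters long, so both fail the length rule before the
# repetition rule is reached; operatorAA / operatorAAA isolate that rule.
for sample in operatorAA operatorAAA userAA userAAA oper_ator1; do
    printf '%-12s %s\n' "$sample" "$(check_username "$sample")"
done
```

When checking a real password, read it from a prompt inside the script rather than passing it as a command-line argument, where it would be visible in the process list.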


Successful and Failed Logins

Each successful and failed login is recorded by the USRMAN module. If a user has three consecutive unsuccessful login attempts the system will automatically disable him. To login again he must be re-enabled by a Security User. This restriction does not apply to the last active Security User in the system. In this case the user is disabled for 30 min only, and then automatically re-enabled.

Adding, Deleting and Modifying Users

The ‘USRMAN Overview’ window shows the complete list of currently configured users, their user Category and Status:

From this window it is possible to add, delete and modify users. For a list of standard users preconfigured at installation time, see chapter ‘IBASEC users’.


Adding a User

To add a new user select the ‘Add’ option from the ‘User’ menu:

The fields should be filled as follows:

Username – see above for restrictions on the username (mandatory).

Full Name – free text, the full name of the user (optional).

Password – the user’s password, see above for restrictions on the password (mandatory).

Address – free text, the address of the user (optional).

Telephone – free text, the telephone number of the user (optional).

User Category – the category to which the user belongs (mandatory).

Max Uses – the maximum password uses: either none (infinite), or a number between 1 and 999.

Max days – the maximum number of days for which the password is valid, either none (indefinite), or a number between 1 and 999.

Inactivity Timeout – the maximum number of seconds of inactivity allowed for the user. Either none or the period in seconds after which the user will automatically be logged out.

The other fields on the screen are filled automatically by the IBASEC Server. Once the user has been created his status will be WaitingForApproval and a second Security User must approve and enable the user from the ‘Status’ menu on the ‘USRMAN Overview’ screen.


Modifying a user

To modify a user, select the entry from the ‘USRMAN’ main window and choose ‘Modify’ from the ‘User’ menu. The following fields are modifiable:

Full Name

Address

Telephone

User Category

Max Uses

Max days

Inactivity Timeout

See the previous section for how these fields can be filled. Once the user has been modified his status will be WaitingForApproval and a second Security User must approve and enable the user from the ‘Status’ menu on the ‘USRMAN Overview’ screen.

Deleting a user

To delete a user select the appropriate row from the ‘USRMAN Overview’ screen and choose the ‘Delete’ option from the ‘User’ menu. If the user is currently logged in he can continue to work, but he will not be able to login again.

Enabling and Disabling a user

A Security User can disable a user by selecting the ‘Disable’ function from the ‘Status’ menu in the ‘USRMAN Overview’ screen. A disabled user will no longer be able to login. Similarly by selecting Enable, a Security officer can re-enable a disabled user.

Changing a user’s Password

A security user can change another user’s password by selecting the user from the ‘USRMAN Overview’ window and choosing the ‘Change Password’ function from the ‘User’ menu. Once the password has been modified the user’s status will be WaitingForApproval and a second Security User must approve and enable the user from the ‘Status’ menu on the ‘USRMAN Overview’ screen.


4.7 BPMAN – Business Partner Management

The BPMAN module provides facilities for users of the Security User-Category to manage the list of Business Partners (or BP-Ids) that the server will use to validate messages sent and received. A business partner is a party in a secure communication. A Business Partner is assigned to a particular application and is either assigned for use in test sessions or production sessions (not both). In addition a Business Partner has an assigned Cryptographic profile which defines which algorithms and key sizes will be used when creating messages coming from the Business Partner, and which can be used to check the algorithms and key sizes used in messages received from the Business Partner. In SIC and euroSIC the business partners are the LUDs.

The IBASEC server validates the source and destination business partners of all request messages, so all used BP-Ids must be configured. The IBASEC Server also compares the Test/Production setting of a BP-Id against the session on which the request message is received, and will reject the request with an ‘Unknown BP’ error if there is a mismatch. Test BP-Ids are only valid on Test sessions. Production BP-Ids are only valid on Production Sessions.

The functions to view, add, modify and delete BP-Ids are only available to users in the Security User-Category. The list of currently configured BP-Ids is shown on the ‘Business Partner Overview’ window:


Selecting the search button displays the following mask:

This lists all business partners for the SIC application with a validity that ends before 19.8.2007.

Adding a Business Partner

To add a Business Partner, select the ‘New’ option from the ‘Edit’ menu on the ‘Business Partner Overview’ window. The following screen will be displayed:

Where the fields should be filled as follows:

Application - the pull-down menu gives the list of currently configured applications (mandatory).

BP - The BP-Id to be entered. Must be unique within the application (mandatory).

Priority - The priority with which messages from this BP-Id will be treated: High, Medium or Low. This may be important in a high-volume system with many Business Partners and many HSMs. In a system with few BP-Ids or few HSMs this setting will have little effect.

Test/Production - Determines if this BP-Id will be used for Test or Production sessions. In release V2.0 there is an additional state called ‘not used’ (see below).

Profile - The default cryptographic profile for this BP-Id. The pull-down menu contains the list of currently configured profiles.

Verify Profile - Determines if the IBASEC server will check messages received from this BP-Id against the Profile. If this option is set and there is a mismatch, an audit event will be generated but the message will continue to be processed.

Modifying a Business Partner

To modify a business partner, select the appropriate entry from the ‘Business Partner Overview’ window and choose the ‘Modify’ option from the ‘Edit’ menu. All fields except the BP-Id itself are modifiable. Any changes are immediately active once they have been saved.

Deleting a Business Partner

To delete a business partner, select the appropriate entry from the ‘Business Partner Overview’ window and choose the ‘Delete’ option from the ‘Edit’ menu. The deletion is immediately active.

Automatic Update of the BP Table

The current IBASEC server software maintains a table with all known BPs. The IBASEC server only processes security commands that refer to BPs contained in this table. New BPs have to be entered manually by the security officer. They can be configured to be used by either a test or a productive session. It is proposed to enhance IBASEC Release V2.x and 3.x so that new BPs are automatically added to the BP table when new keys of new BPs are loaded into the system. Newly added BPs are set to a ‘not used’ state by default. They have to be manually configured for either test or productive use with the existing BP configuration function.
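The BP checks described in this section can be modelled as follows. This is an added example, not IBASEC code: the class and field names, the BP-Ids and the profile contents are constructed for illustration, and it assumes that a BP left in the ‘not used’ state is rejected like any other Test/Production mismatch. It shows that a Verify Profile mismatch only produces an audit event, so those events have to be monitored.

```python
from dataclasses import dataclass

# Fields of a cryptographic profile that are compared against a message.
PROFILE_FIELDS = ("hash_alg", "sign_alg", "modulus", "data_enc_alg")


@dataclass(frozen=True)
class Profile:
    name: str
    hash_alg: str
    sign_alg: str
    modulus: int
    data_enc_alg: str


@dataclass(frozen=True)
class BusinessPartner:
    application: str
    bp_id: str
    mode: str            # "test", "production" or "not used"
    profile: Profile
    verify_profile: bool


@dataclass(frozen=True)
class Request:
    application: str
    source_bp: str
    dest_bp: str
    hash_alg: str
    sign_alg: str
    modulus: int
    data_enc_alg: str


class UnknownBP(Exception):
    """Models the 'Unknown BP' rejection described in the manual."""


class BPTable:
    def __init__(self, partners):
        # A BP-Id is unique within its application.
        self._partners = {(p.application, p.bp_id): p for p in partners}
        self.audit_events = []

    def _lookup(self, application, bp_id, session_mode):
        bp = self._partners.get((application, bp_id))
        # Unconfigured BP-Ids and Test/Production mismatches are both rejected.
        # Assumption: a 'not used' BP matches no session mode and is rejected too.
        if bp is None or bp.mode != session_mode:
            raise UnknownBP(f"{application}/{bp_id} on {session_mode} session")
        return bp

    def validate(self, request, session_mode):
        # Source and destination BP are both validated.
        source = self._lookup(request.application, request.source_bp, session_mode)
        self._lookup(request.application, request.dest_bp, session_mode)
        if source.verify_profile:
            diffs = {f: (getattr(source.profile, f), getattr(request, f))
                     for f in PROFILE_FIELDS
                     if getattr(source.profile, f) != getattr(request, f)}
            if diffs:
                # Audit only: the message continues to be processed.
                self.audit_events.append({"bp": source.bp_id, "mismatch": diffs})
        return "processed"


def demo():
    """Run constructed requests through the model and collect the outcomes."""
    profile = Profile("EXAMPLE-PROFILE", "SHA256", "RSA", 2048, "AES")
    table = BPTable([
        BusinessPartner("SIC", "BANKA1", "production", profile, True),
        BusinessPartner("SIC", "BANKB1", "production", profile, False),
        BusinessPartner("SIC", "BANKT1", "test", profile, True),
        BusinessPartner("SIC", "BANKN1", "not used", profile, True),
    ])
    cases = {
        "good": (Request("SIC", "BANKA1", "BANKB1", "SHA256", "RSA", 2048, "AES"), "production"),
        "weak": (Request("SIC", "BANKA1", "BANKB1", "SHA1", "RSA", 1024, "AES"), "production"),
        "test_bp_on_production": (Request("SIC", "BANKT1", "BANKB1", "SHA256", "RSA", 2048, "AES"), "production"),
        "not_used_bp": (Request("SIC", "BANKN1", "BANKB1", "SHA256", "RSA", 2048, "AES"), "production"),
        "unconfigured_dest": (Request("SIC", "BANKA1", "BANKX9", "SHA256", "RSA", 2048, "AES"), "production"),
    }
    results = {}
    for label, (request, mode) in cases.items():
        try:
            results[label] = table.validate(request, mode)
        except UnknownBP:
            results[label] = "Unknown BP"
    return results, table.audit_events


if __name__ == "__main__":
    outcome, events = demo()
    print(outcome)
    print(events)
```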

4.8 APPMAN – Application Management

The APPMAN module provides functions to define the applications and application users for which the server can be used (e.g. SIC, euroSIC etc.), and defines the host applications that are allowed to use each application (these are called the application users). For each application two things are defined:

The default cryptographic profile for the application.

The list of functions which can be used in connection with this application.

The IBASEC Server contains two pre-configured applications: SIC and EURO. There should be no need to change the settings for these applications.

The APPMAN functions are only available to users in the Security User Category. Some functions in APPMAN are subject to the ‘four-eyes’ principle and require changes to be confirmed by a second security user.

The list of currently configured applications can be seen from the ‘Applications Overview’ window:


Application Users and User-IDs

The APPMAN module also defines the Application users (host applications) for each application. When a Host Application creates a session it must identify itself with its ‘User-Id’. This User-Id must have been configured in the APPMAN Application users database, and the requested Application must match one that the User-Id is configured to use. The APPMAN module can also define for each User-Id with what priority requests from this User-Id will be served and whether an IMS header should be prepended to all messages sent to this host application.

The list of currently configured application users can be seen by clicking the ‘Users’ button on the ‘Applications Overview’ window. This will display the ‘User Overview’ window as follows:


Adding an Application

Note - the SIC and EURO applications are already configured and should not be changed.

To add a new application, select the ‘New Application’ option from the ‘Configure’ menu on the ‘Applications Overview’ window. The following screen will be displayed:

The values that can be entered are:

Application – the name of the application, maximum 6 characters, mandatory.

Use Compression – the mode of compression; values: automatic (when encrypting messages longer than 3800 bytes), always enabled, or disabled.

Allow Management session – for these applications the use of a management session is allowed. This enables the use of the functions LoadPublicKey, GetPublicKey, DeletePrivateKey, DeletePublicKey, GetPublicKeyDir, GetPrivateKeyDir and GetHSMStatus.

Default Profile – the name of the default cryptographic profile for the application. The pull-down list will contain all the currently configured profiles.

Validity window – the time stamp of incoming signed messages is verified to be within a user-definable time window, in days.

The required functions. Note - any function that is not checked will not be accessible in the context of a session for the newly defined application, and any attempt to use it will cause an error.

Modifying an Application

Note - the SIC and EURO applications are already configured and should not be changed.

To modify an application, select the application from the ‘Applications Overview’ window, and choose the ‘Modify Application’ option from the ‘Configure’ menu. The Default Profile and the list of allowed functions can be changed. Any changes will only affect sessions which are opened after the changes were made. Already open sessions will not be changed.

Deleting an Application

To delete an application, select the application from the ‘Applications Overview’ window, and choose ‘Delete Application’ from the ‘Configure’ menu. Note – before deleting an application you must be sure that no Application users are configured to use the application, and that no HSMs are configured to use it either.


4.9 KEYMAN - Key Management

The IBASEC Server provides facilities for the remote management of keys within HSMs. These are the Key Management functions and are available to users within the Security User-Category. Each HSM can contain a number of keys:

Private Keys are secret. They are created by the bank, and loaded manually into HSMs using security modules.

Public Keys are either generated with the corresponding Secret Keys by a bank, or are loaded from a security module or the IBASEC Server.

The KEYMAN module stores information about which Private Keys are loaded into which HSM. It also provides functions to delete Private Keys from specific HSMs. Note - Secret Keys can only be loaded via security modules and not by the security server.

The KEYMAN module also stores information about which Public Keys are loaded into each HSM. It also stores a copy of each Public Key in its internal database. The KEYMAN module provides facilities to load and delete Public Keys from HSMs either under operator instruction, or automatically.

The KEYMAN key database is automatically synchronized with the HSMs so that when keys are manually added or removed from a HSM, the KEYMAN database will be changed automatically. If changes are made to a HSM whilst it is not connected to the server, the server will synchronize the next time a connection is made.

Key States

Keys held within the KEYMAN key database exist in a number of states as follows:

| State | Meaning | Private | Public |
|---|---|---|---|
| Active | A key which is available for cryptographic operations and which is loaded in one or more HSMs. | Yes | Yes |
| Deleted | A key which has been deleted from all HSMs. It cannot be used for cryptographic operations. | Yes | Yes |
| Expiring | A key that will expire in a few days and no replacement (public or private) is yet loaded. | Yes | Yes |
| Blocked | A private key that expired less than three days ago. It can still be used for decryption, but not for signing. | Yes | No |
| Expired | A private key which expired more than three days ago. It cannot be used. Or: An expired Public Key. It can still be used for verification but not for encryption. | Yes | Yes |
| Error | A key which failed to authenticate when loaded into a HSM. The key cannot be used. | | |
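The key states above determine which operations a key may still perform. The following added example (not IBASEC code) derives the state and the permitted operations from a key record. The record fields, the length of the ‘Expiring’ window, the order in which the states are tested and the handling of a key that expired exactly three days ago are assumptions, because the manual does not specify them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BLOCK_PERIOD = timedelta(days=3)     # from the table: private keys stay Blocked for three days
EXPIRING_WINDOW = timedelta(days=5)  # assumption: the manual only says "a few days"


@dataclass
class KeyRecord:
    kind: str                        # "private" or "public"
    end_date: datetime               # expiry date of the key
    hsm_count: int                   # number of HSMs the key is loaded in
    load_error: bool = False         # key failed to authenticate when loaded
    replacement_loaded: bool = False


def key_state(key: KeyRecord, now: datetime) -> str:
    # Assumed precedence: Error, Deleted, expiry-based states, Expiring, Active.
    if key.load_error:
        return "Error"
    if key.hsm_count == 0:
        return "Deleted"
    if now > key.end_date:
        # Assumption: exactly three days after expiry counts as Expired.
        if key.kind == "private" and now - key.end_date < BLOCK_PERIOD:
            return "Blocked"
        return "Expired"
    if key.end_date - now <= EXPIRING_WINDOW and not key.replacement_loaded:
        return "Expiring"
    return "Active"


def allowed_operations(key: KeyRecord, now: datetime) -> set:
    state = key_state(key, now)
    if state in ("Active", "Expiring"):
        # Assumption: an Expiring key has not expired yet and is fully usable.
        return {"sign", "decrypt"} if key.kind == "private" else {"verify", "encrypt"}
    if state == "Blocked":
        return {"decrypt"}           # private key: decryption only, no signing
    if state == "Expired" and key.kind == "public":
        return {"verify"}            # public key: verification only, no encryption
    return set()                     # Deleted, Error, expired private key


if __name__ == "__main__":
    now = datetime(2013, 10, 14, 12, 0)   # constructed reference time
    samples = [
        KeyRecord("private", now - timedelta(days=1), 1),
        KeyRecord("private", now - timedelta(days=4), 1),
        KeyRecord("public", now - timedelta(days=10), 2),
        KeyRecord("public", now + timedelta(days=2), 1),
    ]
    for sample in samples:
        print(sample.kind, key_state(sample, now), sorted(allowed_operations(sample, now)))
```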

Key Management and Distribution

The KEYMAN module provides functions for managing the keys within HSMs.

Manually Managing Keys in HSMs

From the ‘Key Management Overview’ window it is possible to select an individual HSM and application and, using the ‘Keys’ menu:

Display Keys – view the keys loaded in the HSM for this application.

Delete Keys – delete keys from the HSM.

From the ‘Key Overview’ window (the results of a free search of the Key Database) it is possible to select an individual key and:

Delete it from an individual HSM in which it is loaded.

Delete it from all HSMs in which it is loaded.

Load it into an individual HSM assigned to the appropriate application (Public Keys only).

Load it into all HSMs assigned to the application (Public Keys only).

Load it into HSMs according to the Key Distribution Algorithm.

Automatically Managing Keys in HSMs

The KEYMAN module can also provide facilities to automatically distribute Public Keys between the available HSMs. This is known as the Key Distribution Algorithm and it will distribute keys based on the priority of the BP-Id which owns the key (as defined in BPMAN). The user can configure:

How many HSMs of an Application should contain the keys of High-Priority BP-Ids.

How many HSMs of an Application should contain the keys of Medium-Priority BP-Ids.

How many HSMs of an Application should contain the keys of Low-Priority BP-Ids.

The Key Distribution Algorithm will attempt to ensure that all HSMs have the same number of keys loaded.

Overview of Keys

The number of keys loaded into each HSM and their owning application can be seen from the ‘Key Management Overview’ window as follows:

For each HSM there is an entry for each application that the HSM is configured to use. Each entry contains:

HSM – the name of the HSM as defined in section ‘KRYPTO – HSM Interfaces’.

Application – the name of the application.

Private – the number of Secret Keys loaded in this HSM for this application.

High – the number of Public Keys belonging to BP-Ids of High Priority (as defined in BPMAN) for this application.

Medium – the number of Public Keys belonging to BP-Ids of Medium Priority (as defined in BPMAN) for this application.


Low – the number of Public Keys belonging to BP-Ids of Low Priority (as defined in BPMAN) for this application.

Total – the total number of keys loaded in this HSM for this application.

Note – The Key Rollover Rules work only on the side of SIS, but not on the side of the bank. Therefore they are not explained here.

Searching the Key Database

The KEYMAN module provides facilities to search the Key Database.

Free Search

Selecting the ‘Free Search’ option from the ‘Find’ menu on the ‘Key Management Overview’ window displays the ‘Key Search’ window in which the search criteria can be entered:

Where the fields can be entered as follows:

The type of the key as above, or all.

The key status as above, or all.

The Application of the Key - the pull-down menu contains the list of currently configured applications, or all.

The Owner BP-Id.

The Owner Security-Party - not used in this version.

The Certificate Reference - can be used to enter the Key Hash in this version.

Start date - the start date of the key, a range can also be entered.

End-date - the expiry date of the key, a range can also be entered.

The Key Usage - see above, or all.

Issuer Security Party - not used in this version.

HSM - the HSM in which the key is loaded. The pull-down menu contains the list of currently configured HSMs. All can also be entered.


The results are displayed in the ‘Key Overview’ window:

From this window it is possible to display details of an individual key by selecting a key and clicking the ‘Details’ button. Depending on the type of key either the ‘Private Key Details’ window or the ‘Public Key Details’ window is displayed:

Private Key

The ‘Public Key’ button will display the corresponding Public Key (if it is available in the database).


Public Key

The ‘Certificate’ button will display the raw key information. The ‘Print’ button will make a hard copy of the key. This is the Public Key Certificate, which will be printed to the printer defined in the Login setup (see section ‘Login/Logout’).

Search for Deleted Keys

This option will immediately display all keys which have been deleted from all HSMs.

Search for Expired Keys

This option will immediately display all keys which have expired.


4.10 PROFMAN - Cryptographic Profile Management

The IBASEC Server maintains a list of cryptographic profiles which define a set of cryptographic algorithms, key sizes etc. Each business partner defined in the BPMAN module is assigned a profile and this will be used in the absence of other instructions to define:

The algorithms and key sizes to be used when creating a message sent by a Business Partner.

The algorithms and key sizes which are expected to have been used in messages received from a Business Partner.

The IBASEC server contains one pre-defined profile called SIC-Default. This profile currently matches the requirements of both SIC and euroSIC. There should be no need to add or modify profiles at the moment.

The functions to view and modify Cryptographic profiles are only available to users in the Security User-Category. The list of currently configured profiles is visible from the ‘Profile Overview’ window:

For each algorithm supported by the server it is also possible to set some defaults. These can be seen by clicking on the ‘Defaults’ button on the ‘Profile Overview’ window. By selecting an algorithm and clicking on the ‘Edit’ button it is possible to view and modify the defaults.


Adding a Profile

To add a profile all the IBASEC interfaces must be offline (see section ‘IBASEC – Host Interfaces’). From the ‘Edit’ menu on the ‘Profile Overview’ window select the ‘Add’ option. The following screen will be displayed:

[Screenshot of the dialog; values shown: SECOM Default, SHA256, RSA, 2048, AES, PKCS#1, BASE64]

This should be filled as follows:

Profile Name - must contain a unique name for the profile (mandatory).

Hash Algorithm - the pull-down menu contains the list of supported hash algorithms (mandatory).

Sign Algorithm - the pull-down menu contains the list of supported sign algorithms (mandatory).

Modulus - the pull-down menu contains the list of supported key lengths (mandatory).

Data Encryption Algorithm - the pull-down menu contains the list of supported encryption algorithms (mandatory).

Default Filter - Function used to filter IV, signatures, encrypted key data; used if no parameter value is supplied in the input.

Key Encryption Algorithm - The key encryption algorithm. Pull-down list containing: TBSS and PKCS#1.

4.11 CERTMAN - Certificate Manager (for SECOM)

See section 6 of this document.


5 HSM Setup and Handling

For the IBASEC Version 3.1 with the LunaSP, the GUI has been extended with an additional HSM button. Be aware that you need special rights to execute those <HSM> functions (see chapter 5). A warning indicates that an inappropriate entry would destroy the HSM configuration. The HSM operations are grouped as follows:

Network and date setting, Unlocking of the HSM

Setting of the key storage and PED keys

Placing the HSM Passwords on the IBASEC server

Installation and Uninstallation of the web application

Start and Stop of the Web Application

Key Backup and Restore

Maintenance Work

All HSM handling is centralized under this <HSM> function:

To apply most of the HSM operations, the HSM must be in the "Disconnected" state.


5.1 HSM Initialization

5.1.1 Set Date and Time

Setting the date and time of the HSM means adjusting it to the date and time of the IBASEC server. Check the flag on this window and press <OK>. For proper key management it is important that the date and time of the IBASEC server and the HSM are equal. A tolerance of a few minutes is acceptable.

5.1.2 Unlock HSM

After a number of consecutive wrong password entries the HSM falls into a LOCKED state. For the maximum allowed password entries see the HSM Configuration Window in 2.1.1. By selecting this function, the HSM will be unlocked and the HSM overview shows again "ActiveUnattended".


5.2 Key Storage Operation and PED Key Operation

5.2.1 Enter Password

With the new SafeNet LunaSP HSM, the system operates with three different passwords to protect different operations:

Admin Password: the HSM can be accessed by SSH; the admin password is the password of the preinstalled admin user with the default password "pass*12345".

Partition Password: protects the access to the keys in the key storage of the HSM, also called “key partition”. The first partition password is created by the "HSM Init" function and has to be saved. In this case, the "Old Password" entry remains empty.

Application Password: the password used by the server to trigger any key management operations.

Changing the partition password needs the old password and the partition PED key. When connecting a new HSM with "Premium Rollout", i.e. one prepared to work with an IBASEC server, the Admin and the Partition passwords have to be saved with the IBASEC server. See Case 11.

5.2.2 Configure Web Server

After the "Init HSM" function a few settings of the partition policy and the web server have to be set or confirmed. To see the details of the executed lunashell commands press <view logs> again. Please keep an eye on the PED to be ready for the requested PED key handling. The blue and black keys (Admin and Partition) are needed.

Reminder: If you would like to cancel any operation, press <Cancel>. With <Close>, any operation that may be running continues and is not abandoned.

Using this function assumes that the web server appliance is properly installed (it should come with the Premium Rollout). If the command fails because of a missing web server application, you have to install it first with the function "Install Application". This operation can be executed several times.

5.2.3 Installation and Un-Installation of the Web Application

Install Application

The newest web application has been installed by the Premium Rollout. Before you can install another version of the web application (appliance) you have to uninstall the present installation. A warning prevents you from doing a new installation.

*** Please backup your key partition before you install a new web application! ***

The web application delivered by SIC only has to be copied to the IBASEC server according to the instructions that come along with the new software release. The software is protected with a hash (a so-called fingerprint). You have to confirm this fingerprint published by SIC before you may upload the appliance software.

Again see the <View Logs> and, after the appliance has loaded successfully, start the web server before you reopen the HSM. With the "Get Status" function in Krypto - Remote you will find the new release version number and date. The installation of the web application may take up to 15 minutes. After the installation of the application the web server should be started again:

GUI: HSM - HSM Operations - Start Web Server

Uninstall Application

This function is only needed to clear the HSM for a new "Install Application".

5.3 Start and Stop of the Web Application

Select an HSM from the list of available HSMs. HSMs become available by defining and adding them in the Krypto Module. Make sure that this HSM is in a proper "Premium Rollout" state.

For the normal operation of the HSM, no direct intervention by the operator on the HSM is needed. But the following functions are supported:

Start Web Server (e.g. after a cold start of the HSM)

Stop Web Server

Download Logs (if you need the Logs with the most accurate events)


5.3.1 Start Web Server

After a cold start or a reboot of the HSM the web server does not start automatically! If you open a HSM without starting its web server, the IBASEC server detects an error and falls into the recovery procedure. The recovery procedure starts the web server and opens the HSM, so there is actually no need for this function. But starting the web server manually with this function and then opening the HSM is faster, because the recovery function needs some time to analyze the situation and then take the right actions.

Key needed: No; but after a cold start or a power loss longer than 20 minutes, yes: the blue (Admin) key is needed!

5.3.2 Stop Web Server

This function is only needed for analyses and investigation of the web server.

5.4 HSM States

The HSM that comes from your distributor is specially prepared for the IBASEC application. We name it "Premium Rollout" state. The IBASEC GUI can only interact with a Premium Rollout HSM. Compared with the HSM GC720 the new LunaSP HSM is (almost) stateless. The only correct productive state is "Connected - ActiveUnattended", i.e. the HSM is "Open" and is ready to be productive. Closing the HSM with the Close button in the Krypto Overview Window or in the HSM Overview Window sets the HSM to "Disconnected" and the Application State is "-". If the Application State is "Initialized" (Unattended Mode not set) or "Inactive" (Application Password not set), the "Configure Web Server" function failed (see ViewLogs: maybe the sp command is missing, e.g. the web application is not yet installed). After the maximum number of consecutive wrong password entries the HSM falls into a "Locked" state. With the GUI function HSM - HSM Initialization - Unlock HSM the HSM can be unlocked again.


5.5 Download Logs (Maintenance Work)

If the environment variable (or Windows registry entry) IBA_HSM_MAINTENANCE_TIME is set, an automatic daily download (and delete) of the logs into the $IBA_LOG directory is done.

Example of .cshrc:

    setenv IBA_HSM_MAINTENANCE_TIME "05:30"

For some reasons it might be helpful to have a more accurate set of log files available. This function will not replace or affect the automatic download and delete. It creates an additional log view.

This function needs no PED keys. The <View Logs> gives you a list of all files downloaded from the HSM. They are available in the $IBA_LOG directory of your IBASEC server. The following files are downloaded to the $IBA_LOG directory:

logs.tar

supportInfo.txt

log_shell_audit.log

log_tomcat.log

log_web_debug.log

log_shell_debug.log

log_tomcat.log.2006-09-14

log_web_error.log

log_shell_debug.log.2006-09-267

log_tomcat.log.2006-09-15

log_web_info.log

log_shell_error.log

log_tomcat.log.2006-09-21

log_shell_info.log

log_web_audit.log


5.6 Backup and Restore

Backup and Restore procedures overwrite and always operate as a whole. There is no update function or incremental backup possible.

5.6.1 Key Backup

With a Key Backup the whole partition is copied to a Backup Token. All productive private and public keys and certificates, even the uncertified keys, are copied to the Backup Token. The Backup Token should be inserted before you launch the backup procedure. Keep a check on the display of the LunaPED for the requested PED key application (blue, black and red keys are needed). If the backup token (PC Card) has already been used with other HSMs that do not belong to the same group, the backup will fail. If you insist on overwriting the used token, you have to repeat the procedure 3 times until it accepts the overwriting of the token.


Press "View Logs" to see the activities in detail:

5.6.2 Key Restore

With a Key Restore the whole partition is overwritten by the Backup Token. The PED key handling is the same as with backup. There is no partial restore available with LunaSP. It is always a complete and replacing restore.


6 Key Management

The key management functions with the HSM are:

Generation of keys (local certificate key, RSA keys, TINT key)

Loading of public and private keys

Loading of TINT keys

Deleting of keys

Storing of private keys to the security module

Verification of key in the HSM.

Some of the functions are triggered from the server, and some of the key management functions follow a different concept (backup and restore, see section 5.6).

This chapter describes the key management operations of IBASEC. These are:

Key generation

Load a key to the IBASEC server

Deletion of a key from the IBASEC server

Export a key to a file

Import a key from a file

Validation of a key

Fingerprint letter operation (Export to File, Print)

Search for a key

The available keys can be shown with the following lists:

GUI: Krypto – Keys - Show Keys in HSM (of selected HSM)

GUI: Keyman - Find - Free Search: list of keys for a defined filter

6.1 Passwords

The IBASEC Server uses three passwords protecting different operations:

The admin password (the HSM can be accessed by SSH, the admin password is the password of the installed admin user). It must be at least 8 characters in length and must include characters from at least three of the following four groups:

lowercase alphabetic (abcd...xyz)

uppercase alphabetic (ABCD...XYZ)

numeric (0123456789)

special (non-alphanumeric, -_!@#$%&*...)

The partition password (the password of the key storage, also called “key partition”, to protect the access of the key)

The application password (the password used by the server to protect the key management operations). The application password is important for the key management
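The admin password rule above (at least 8 characters, at least three of the four groups) can be checked as follows. This is an added example, not part of IBASEC. It also shows that the preinstalled default quoted in section 5.2.1 satisfies the complexity rule, so a complexity check alone does not detect an unchanged default. Rejecting the default and treating the groups as ASCII-only are additions of this example; the candidate passwords are constructed.

```python
import string

MIN_LENGTH = 8
MIN_GROUPS = 3
# Preinstalled default admin password quoted in section 5.2.1 of the manual.
DEFAULT_ADMIN_PASSWORD = "pass*12345"


def character_groups(password: str) -> set:
    """Return which of the four groups from section 6.1 occur in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            groups.add("lowercase")
        elif ch in string.ascii_uppercase:
            groups.add("uppercase")
        elif ch in string.digits:
            groups.add("numeric")
        else:
            # Assumption: everything outside ASCII letters and digits counts as special.
            groups.add("special")
    return groups


def meets_manual_policy(password: str) -> bool:
    """The rule exactly as stated in section 6.1."""
    return len(password) >= MIN_LENGTH and len(character_groups(password)) >= MIN_GROUPS


def check_admin_password(password: str) -> list:
    """Return a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(character_groups(password)) < MIN_GROUPS:
        problems.append("fewer than three character groups")
    # Added check, not stated in the manual: refuse the unchanged vendor default.
    if password == DEFAULT_ADMIN_PASSWORD:
        problems.append("matches the preinstalled default")
    return problems


if __name__ == "__main__":
    for candidate in (DEFAULT_ADMIN_PASSWORD, "abcdefgh", "Ab1!", "Abcdefg1"):
        print(repr(candidate), meets_manual_policy(candidate), check_admin_password(candidate))
```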

6.2 Key Generation

There are three types of keys to be generated:

Local certification keys

Productive keys

SIC AG internal keys (TINT keys; for SIC only)

6.2.1 Generation of local certification keys

The first step to set up the HSM for production mode is to generate a pair of local certificate keys. The keys will be used to secure the transfer of the production public keys from and to the IBASEC server. The local certification key will be generated using the KEYMAN menu entry HSM Key management -> Create LOCERT keys. The following figure shows the dialog to generate the LOCERT keys.

This example creates a LOCERT key pair on HSM31.

6.2.2 Generation of Production Keys

The next step is to generate your own production keys, of which the public keys will be delivered to SIC (in file format). The key has to be exported to the IBA_EXPORT directory. These steps will be described in a later section of the document. The production key will be generated using the KEYMAN menu entry HSM Key management -> Create RSA keys. The following figure shows the dialog to generate a productive RSA key pair.


This table shows the possible valid settings:

Application: Valid setting

SIC
- Application: SIC
- Business Partner: <your Business Partner>
- Key Size: RSA [2048 bits]
- Key Usage: Sign & Encipher
- Start date and end date: according to the policy of your bank
- Application password: see section 3.1

euroSIC
- Application: EURO
- Business Partner: <your Business Partner>
- Key Size: RSA [2048 bits]
- Key Usage: Sign & Encipher
- Start date and end date: according to the policy of your bank
- Application password: see section 3.1

SECOM
- Application: SECOM
- Business Partner: <your Business Partner>
- Key Size: RSA [2048 bits]
- Key Usage: Sign & Encipher
- Start date and end date: according to the policy of your bank
- Application password: see section 3.1

SIC (for SIC only)
- Key Usage: can be TK Verify & Sign, TK Encipher & Sign

euroSIC (for SIC)
- Key Usage: can be TK Verify & Sign, TK Encipher & Sign

6.2.3 Generation of TINT Keys

These keys will be used for SIC internal storage operations. The TINT key will be generated using the KEYMAN menu entry HSM Key management -> Create TINT key. The following figure shows the dialog to generate a TINT key.

The following table shows the valid settings:

Valid setting

Application SIC,EURO

Business Partner TINT1, …, TINT4

Test/Prod Flag T or P

6.2.4 Important remark

After each key generation, it is strongly recommended to make a key backup (see section 5.6) in order not to lose your private key information.


6.3 Key Export

The transport between the bank and SIX is done via a file-based mechanism. The IBASEC server allows exporting the public key in the following file format:

The Self-Signed Certificate

After the key generation, the IBASEC server generates automatically two files with the following file name pattern:

<application>-<bp>-<keyhash>.crt The public key as self-signed certificate

Generating the self-signed certificate requires the related private key, so the server may report that a key cannot be exported as “self-signed”. Apart from the automatic export, the key can be exported using the following procedure:

Keyman menu, search for the key to be exported with “Find - Free Search”. The key search could be controlled with some filter arguments (see section 6.20):

Select the key to export and "Export Key as Self-Signed Certificate" for an export for internal use or to the provider.


With the following dialog you have to enter the filename that will be placed in the $IBA_EXPORT directory (/var/ibasec/<serverid>/export).

e.g. for export key to SIC

A truly signed Export Letter (or fingerprint letter) should go with the key file to confirm the integrity of the key. So after "export self-signed certificate" you select "Details" to get this window for printing the accompanying letter.


6.4 Key Import

The key import is used to load public keys from a foreign system. As mentioned in the previous section, the file type is as follows:

The Self-Signed Certificates with the extension .crt

The file extension should indicate which type of file you received. You have to apply the following import procedure:

Store the file into the $IBA_IMPORT directory on your server

Use the KRYPTO menu entry “Key Import Self-Signed Certificate”.


To import a self-signed certificate, you have to select the related file.

e.g. SIC imports key from Bank

Self-Signed Certificates have to be validated. For details check the following section.

6.5 Validation of the Keys

An imported self-signed certificate has to be validated. Select the KRYPTO menu entry “Keys -> Validate Keys”. The dialog shows the list of keys ready to be validated. You have to select the key to be validated and to enter the application password and fingerprint.

If this is done successfully, the key can be used as a normal public key.
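A pre-import check of a received key file against its fingerprint letter, added here as an example (it is not IBASEC code). The function names, the letter dictionary, the sample bytes and the use of SHA-1 over the raw file bytes are assumptions: the manual does not state how IBASEC derives the fingerprint, and the validation dialog described above remains the step that releases the key.

```python
import hashlib
import re

# File name pattern from section 6.3: <application>-<bp>-<keyhash>.crt
NAME_RE = re.compile(
    r"^(?P<application>[A-Z]+)-(?P<bp>[A-Z0-9]+)-(?P<keyhash>[0-9A-F]+)\.crt$",
    re.IGNORECASE,
)

# Constructed stand-in for the bytes of a received .crt file.
SAMPLE_FILE = b"constructed sample bytes standing in for a self-signed certificate"


def compact_hex(text):
    """Drop the spacing of a printed value; reject anything that is not hex."""
    compact = "".join(text.split()).upper()
    if not re.fullmatch(r"[0-9A-F]+", compact):
        raise ValueError("value on letter is not hexadecimal")
    return compact


def fingerprint_of(file_bytes, algorithm="sha1"):
    """Digest of the file, in the 4-digit groups used on a fingerprint letter.

    Assumption: a digest over the raw file bytes. The manual does not state
    how IBASEC derives the fingerprint it prints.
    """
    digest = hashlib.new(algorithm, file_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def check_key_file(file_name, file_bytes, letter, algorithm="sha1"):
    """Return the mismatches between a received key file and its letter.

    letter: application, bp, keyhash and fingerprint as typed from the signed
    paper letter. An empty list means file and letter agree.
    """
    match = NAME_RE.match(file_name)
    if match is None:
        return ["file name does not match <application>-<bp>-<keyhash>.crt"]

    problems = []
    for field in ("application", "bp", "keyhash"):
        typed = "".join(letter[field].split()).upper()
        if match.group(field).upper() != typed:
            problems.append(f"{field} in file name differs from letter")

    try:
        expected = compact_hex(letter["fingerprint"])
    except ValueError as exc:
        return problems + [str(exc)]
    actual = compact_hex(fingerprint_of(file_bytes, algorithm))
    if len(expected) != len(actual):
        # A shortened value must never be accepted as a prefix match.
        problems.append("fingerprint on letter has the wrong length")
    elif expected != actual:
        problems.append("fingerprint differs from letter")
    return problems


if __name__ == "__main__":
    # Constructed letter data; XYZ0 and 0123ABCD are placeholders.
    letter = {"application": "SIC", "bp": "XYZ0", "keyhash": "0123 ABCD",
              "fingerprint": fingerprint_of(SAMPLE_FILE)}
    print(check_key_file("SIC-XYZ0-0123ABCD.crt", SAMPLE_FILE, letter))
    print(check_key_file("SIC-XYZ0-0123ABCD.crt", SAMPLE_FILE + b"!", letter))
```

The fingerprint on the letter has to arrive by a channel other than the key file itself; a value copied from the same e-mail or medium as the file confirms nothing.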

6.6 Miscellaneous Key Management Functions

The following key management functions can be selected from the IBASEC Server GUI:

Load Public Key (from the Key Search Result Window, select “Key -> Load Key” to load a key from the IBASEC Server database into one or more HSMs)

Delete Public Key / Delete Private Key (to delete one or more keys, search for those keys, select them in the Key Result Window, and select “Key -> Delete Key”)

Delete All Keys (use the HSM -> HSM Installation -> Erase HSM for Transport menu entry to remove the keys stored in the HSM)


6.7 Import the Provider Keys

To set up your production environment you have to load the following keys from the CD into your system:

Appl. BP Key Hash Fingerprint

SIC SICB 5C3B AF64 09BF 0D7B BAD7 7A35 3908 F0A9 8CE9 AFFC F6A9 4AA8 3450 0E9D

SIC SICP 3FEA EF86 D081 6D8D 8303 2985 20E2 B775 AEDB F75D B168 76A3 AD2A 19B6

EURO ESIA 6A63 71A4 0FD9 4E9C C90E DFBF BB9A B2E3 C535 BC4F D507 34E8 10B3 167B

EURO ESIB 7EAC 55BB D355 F8F9 A002 DC80 EE7A 3A70 DE91 8CB0 E47E 2F48 3F2B C420

ATTENTION: These fingerprints are valid from 11.06.2012 until 01.08.2015.

For the SECOM application you also have to load the ROOT.CRT and SECOM-SECN-5053B310.CRT (valid until 10.06.2016) into your system. This operation is described in section 6.9ff.

6.8 Generation of the Production Keys

If you have to create a new production key, check the following parameters of the table:

Application Business Partner

SIC xxx0

EURO yyy0

SECOM <according to your setup>

For the additional information, check the table

6.9 Import and Validation of the SIS Root Certificate

This section describes the import of the SIS certificate through the file interface. The same can be done using the SOAP interface. For the root certificate import, you have to copy your root certificate to the "certs" directory. For a standard installation, this is /var/ibasec/prod/certs/SIS CA/FromProxy.

LOCERT must be present in HSM

Import ROOT.CRT

Validate ROOT.CRT with fingerprint

Import SECOM-SECN-5053B310.CRT (automatically validated by the ROOT.CRT)

In CERTMAN menu, you have to look for the “Operations” button:

And in the “Operations” Dialog, select the “Import Certificates from File” button:


You will see the following selection of certificates:

Select the entry “ROOT.CRT” and press the “Import” button. After a while, you will see the following information:


After the successful load, there should be the PKI key in the special area of keys to verify. The PKI key must now be verified by the user using the KRYPTO menu entry “Key -> Validate key”. The dialog must look like this:

You have to select the PKI key and have to enter the fingerprint as shown in the figure. The server confirms the load with a dialog telling you the key is confirmed and shows the public key detail of the key.


This indicates the successful load of the root certificate.


6.10 Import the SIS Certificate

You can import the SIS Certificate via the file interface. (For the SOAP interface, please refer to the document “Certificate and Certification Management”.) The certificate from SIS will be stored in the following directory: /var/ibasec/<serverid>/certs/SIS CA/FromProxy

You have to perform the following steps: In CERTMAN menu, you have to look for the “Operations” button:

And in the “Operations” Dialog, select the “Import Certificates from File”:


This dialog with the certificate file will be displayed.

Select the entry “SECOM-SECN-5053B310.CRT” and press the “Import” button. After a while, you will see the following information:

You can verify the load of the SECN key with a free search in the KEYMAN module.

6.11 Create a Certification Request

You should have created a SECOM key pair with the common settings (please refer to the section 6.2.2 and check the information for SECOM). If this is done, a certification request for the key can be created using the following steps. With a letter, you receive from SIS a reference number and an authorization code. You will have to enter this information before creating a certification request.

In CERTMAN menu, you have to look for the “Operations...” button:

And in the “Operations” dialog, select the “Export Certification Request to File” button:


In the dialog below, you first have to enter the reference number and the authorization code. After these credentials are entered, the dialog allows you to create a certification request for a key, and to export it on a file to be sent to SIS.


Enter the filename for the selected key. After a successful certification, the file appears in the directory /var/ibasec/<serverid>/certs/SIS CA/ToProxy. After the export, carefully check that the certification request corresponds to the right key hash, and to the right reference number:

Also check the audit event log:

If everything is correct, then send this file to SIS to get the certificate. To import the certificate, follow the steps of section 6.10.

6.12 Import of a SIS certification

The following operations are provided for SIS only. With this setting, SIS is enabled to import certification requests to their IBASEC system. In CERTMAN menu, you have to click the “Operations” button and continue with "Import for Certification":


6.13 Make a Key Backup

The procedure is described in section 5.6.1.

6.14 Restore Keys

The procedure is described in section 5.6.2.

6.15 Delete one Key

For this operation you have to search for this key using the KEYMAN menu entry “Free Search”. To delete the key with the hash 0835D0FC14F2C972, enter this information in the reference text field.

Then press “Search” and look for the result.


Mark the key and select “Delete Key on HSM” from the menu. IBASEC offers the possibility to delete the key from one HSM or from all HSMs:

The deleted key is shown in the list:

If the HSM wasn't online during the deletion, the status of the key is “Being deleted”. To remove the key from the IBASEC KEYMAN database, select the “Purge Key on Server” from the menu and confirm it.


6.16 Delete all Keys

To remove all keys from one HSM, search in the “Free Search” with the setting of a HSM (see figure).

This setting displays the keys of HSM31. The result window should display a list of keys:


Press CTRL+A to select all keys and then select from the menu “Delete Key” and confirm the following dialog.

The keys will be deleted one by one. The same procedure could be done for the purging of keys.

6.17 Import old LOCERT Public Key

For this operation, you have to export the LOCERT public key using the Export Key function. This file will be written to the IBASEC directory /var/ibasec/<serverid>/export. The import of the key is described in section 6.4.

6.18 Import of migrated Keys from the Database

After the old LOCERT public key has been imported into IBASEC, the system is able to load the migrated key. Depending on the key auto distribution, this will be done automatically or must be done manually.

6.19 Search and Find a Key

The IBASEC GUI helps you to find a specific key and supports you with several filters. Select the following function:

GUI: Keyman - Find - Free Search


Apply the filters by selecting from the combo-boxes.


7 Privileges of IBASEC Users

MODULE, Operation Audit Administrator Security Operator Superuser

0 APPMAN

0 Add Application X X

1 Modify Application X X

2 Delete Application X X

3 Add Application User X X

4 Delete Application User X X

5 Modify Application User X X

6 Enable Application User X X

7 Disable Application User X X

8 Approve Application User X X

1 PROFMAN

0 Add Profile X X

1 Delete Profile X X

2 Modify Profile X X

3 Modify Default Settings X X

2 BPMAN

0 Search Business Partner X X X

1 Add Business Partner X X

2 Delete Business Partner X X

3 Modify Business Partner X X X

3 IBASEC

0 Configure Interface X X

1 Open Interface X X

2 Close Interface X X

4 KRYPTO

0 Open HSM X X

1 Close HSM X X

2 Add HSM X X X

3 Modify HSM X X X X

4 Delete HSM X X


5 List Keys X X

6 Show Keys X X

7 Get HSM Date and Time X X

8 Get HSM Status X X

9 Test Connection X X

10 Start Download X X

11 Stop Download X X

12 Get Download Status X X

5 AUDIT

0 ViewStat X X X X

1 Configure Audit X X

2 Search Events X X

3 Search Message Log X X

6 KEYMAN

0 GetK X X

1 DelKGc X X

2 Rebalance Keys X X

3 Configure Keys X X

4 Search Key X X

5 Find Deleted Keys X X

6 Find Revoked Keys X X

7 FndExpK X X

8 LoadK X X

9 DelK X X

10 PrgK X X

11 RedistK X X

7 SYSMAN

0 SysOvw X X X

1 Start IBASEC Server X X

2 Stop IBASEC Server X X

3 Make Backup X X

4 Load Backup X X

5 ShowRls X X X

6 LoadRls X X X

7 CfgSysDflts X X


8 USRMAN

0 Add User X X

1 Approve User X X

2 Enable User X X

3 Disable User X X

4 Modify User X X

5 Set Password for User X X

6 Delete User X X

7 Add User Category X X

8 Delete User Category X X

9 CA

0 Modify CA X X

1 Add CA X X

2 Delete CA X X

3 Manually Get Certificates X X

4 Ping CA X X

5 Send Certification Request X X

6 Retrieve Certificates by SN X X

7 Retrieve Certificates by BP X X

8 Change Fetch Schedule X X

9 Get Directory Information X X

10 Change Certificates by BP X X

11 Change Certificates by SN X X

12 Get Status X X

10 HSM

0 Network Settings X X

1 Validate Key X X

2 Create RSA Key X X

3 Create TINT Key X X

4 Import Selfsigned Key X X

5 Export Selfsigned Key X X

6 Set Date and Time X X

7 Unlock HSM X X

8 Initialize HSM X X

9 Enter Passwords X X


10 Configure Web Server X X

11 Install HSM Application X X

12 Uninstall HSM Application X X

13 Erase for Transport X X

14 Start Web Server X X X

15 Stop Web Server X X X

16 Download HSM Logs X X X X

17 Backup Key Partition X X X

18 Restore Key Partition X X X


8 FAQ

How can I export my public keys to the provider (e.g. to SIC)?
Select from the IBASEC GUI:
- Keyman - Find - Free Search and mark the public key to be exported (to SIC)
- select "Export self-signed certificate" and give it a good name (see section 6.3)
- print an accompanying letter (Public Key Certificate) and sign it (by authorized person)
- send file and signed letter to your provider

How can I copy a PED key?
- Connect a PED to a HSM (to power it)
- press "<" (Exit)
- press "4" (Admin)
- press "1" (PED Key)
- plug in the PED key to copy and press "1" (Login)
- press "7" (Duplicate) and plug in a new used or blank PED key when asked.

Is it possible to change the PED key PIN code on the HSM?
- YES, you can change the PIN code of the Admin and the Partition PED key (see Case 19).

How could I change the passwords?
- The IBASEC server "knows" three passwords: admin, partition and application passwords (see section 6.1 and 3.1). Open the Main menu - HSM - HSM initialisation - Enter Password and enter the old and new password of the selected password.

Where can I find the License and the capabilities of my HSM?
- see "HSM Procedures, Cookbook" section 9.1
- you need an SSH connection to your HSM: ssh -l admin 192.9.200.31
- login as "admin"
- [HSM31] lunash:> hsm displayLicense

What happens after a power failure with my HSM?
- If the power loss is less than 20 minutes, the HSM will boot again without any PED key interaction. If it is longer than 20 minutes, the HSM will do a reboot like a cold boot, e.g. you have to apply PED keys (blue and black key) and the Web Application should be started via GUI. ATTENTION: with some HSMs, already a short power loss might make it necessary to apply PED keys!

May I move a running HSM?
- Yes, you may move it. There is no tilt protection as you know it from the GC720.

How could I replace a HSM at the same IBASEC server?
With Solaris you should delete the according line in the file /opt/ibasec/.ssh/known_hosts to avoid a fingerprint conflict (warning only). Then you have to add a new HSM in the Krypto Overview Window and enter the HSM passwords of the new HSM. See STEP 1 ..5 in chapter 3.1

My HSM is "Locked". What can I do?
With the GUI function: HSM - HSM Initialization - Unlock HSM you can unlock it again... but you need Superuser privileges! Beware of too many consecutive wrong password entries. See section 3.5


How can I make sure that the web server application code is original from SIC?
The original and safe Java code for the HSM web server is signed by SIC AG. Installing the Web Application (see GUI - HSM - HSM Initialization - Install Web Application) needs a certificate from SIC AG. The certificate has been installed by your supplier. Compare the fingerprint of the certificate with the published fingerprint of SIC AG.
lunashell command> spconfig codesign key list

See also: www.bbp.ch > Products & Services > IBASEC > IBASEC FAQs or direct http://www.bbp.ch/ibasecfaq/phpBB3/index.php


9 Use Cases

9.1 Use Cases Overview

Description: These use cases should provide you with step-by-step support to do some important procedures of setting up the hardware, the IBASEC server and the key management.

Conventions: All IBASEC server handling is done via the "Main menu" (IBASEC GUI).

The LCD display of the PED (PIN entry device) is illustrated with this view and the upcoming operations are indicated:

SLOT 01:
LOGIN SO/HSM ADMIN...
Insert a SO / HSM Admin PED Key.
Press ENTER.

(slot 01 means your backup token) insert the PED Admin key (blue key)

Further markings used in the use cases:
Important notes
Terminal entries, e.g. # ./installibasec
Attention, e.g. limited time to handle PED


List of Use Cases:

No. Description

Setup of the IBASEC Server (IBASEC installation on Solaris or Windows or Linux)
1 Install IBASEC from CD (Solaris or Windows or Linux)

Setup of the HSM (Preparing the HSM Luna SP for collaboration with the IBASEC server)
11 Connect a new HSM with Premium Rollout
12 Check the state of the HSM
13 Change or set parameters
14 Reinitialize the HSM
15 Change and set passwords
16 Installation of a new web application software
17 Execute maintenance work and use of log files
18 Setup a zeroized HSM (for experts)
19 Change PIN code of PED keys

Key Management (Handling of the private and public keys)
Overview: Setup the first HSM for productive session
32 Generate a local verification key (LOCERT)
33 Create a production key pair for SIC
34 Export your public key with fingerprint to the provider
35 Import a public key from SIC
36 Verify an imported external public key
37 Backup key partition
38 Restore key partition
39 Distribute public keys to further HSM
40 Delete a key (or all keys)
41 Certification of SECOM Private Keys by SIS
42 Deactivation of a Key

Malfunction Diagnosis (What can I do when something goes wrong)
61 How to report a malfunction of HSM and/or IBASEC


Overview - Description “Setup the first HSM for productive session”: This is a short summary and check list for the setup of your first productive session. For more details see the referenced Use Cases and the indexed sections of this user manual.

Connect the first HSM to your IBASEC server (Case 11, 12, 13)

Set up your local secrets or save the admin and partition password of the HSM supplier with the IBASEC server (Case 14, 15)

Generate a local verification key pair (LOCERT) with the first HSM (Case 32)

Backup and restore it to the other HSMs (Case 37, 38)

Create your own set of RSA key pairs and export the public key to your provider (SIC) (Case 33, 34, 35)

Import the public key of your providers and validate them with your local certificate (LOCERT) (Case 35, 36)

Display the keys and set up your key management parameters for key distribution

Make a backup of the key partition of your first HSM (Case 37)

Check and configure the other database information like applications (Appman), business partners (Bpman), Profiles (Profman) and certificate parameters (Certman)


9.2 Case 1: Install IBASEC from the CD

Description: The new IBASEC server software (release 3.x.16) comes on a CD. All the Release Notes, User Manual and Installation Guide are pdf-files in the /doc directory.

Prerequisite:
Solaris or Windows or Linux server with CD access
Adobe Acrobat Reader

Privileges: root access

Reference: IBASEC Server Release 3.x, Installation Guide (Solaris 10 or Windows 2008 R2 or Linux (Red Hat))

For technical details, please make use of the Installation Guide


9.3 Case 11: Connect a new HSM with "Premium Rollout"

Description: The SafeNet Hardware Security Module (LunaSP HSM) comes from your supplier in an "IBASEC specific state", ready to connect to your server. The HSM is individually prepared according to your HSM order.

Prerequisite:
LunaSP HSM in "Premium Rollout" state
ready and running IBASEC server version 3.x
IBASEC Main menu (GUI) running with administrator privileges
Instructions from "Premium Rollout"

Reference:
IBASEC Server Release 3.x, Installation Guide (Solaris 10 or Windows 2008)
Compare with Case 13: Change parameters
Compare with Case 14: Replace HSM
Compare with Case 15: Change passwords

Physical connection of the HSM:

Your IBASEC server has two Ethernet ports. With the first port (e.g. eth0) the IBASEC server is connected to your bank application servers. At the second port (e.g. eth1) a safe private LAN is connected. The HSMs are operating in this protected private LAN. The default IP address class of the private LAN is 192.9.200.x. These should be non-public IP addresses. The new HSM has a unique IP address (e.g. 192.9.200.31) according to your order.

Connect the new HSM to the private LAN. Use the RJ45 plug at the rear of your HSM that is marked with "1". It's a 10/100Mbit Fast Ethernet Plug-and-Play Adapter. The second RJ45 plug marked with "2" is not used. It is recommended that your private LAN connection between IBASEC server and the HSM(s) is straightforward without any delaying routers.

Connect the HSM to the 220V power. In case of a power loss of less than 20 minutes, the HSM could reboot automatically (without manual interference). A UPS (uninterruptible power supply) could provide you more operational security.

Switch on your HSM with the main power switch at the rear of the HSM. The second power switch at the rear of your HSM does a proper shut down or cold boot of the HSM. Give the powered HSM two minutes to boot properly. The K5 HSM indicates the ready state on a small LCD display on the front panel.

The IT expert might check the proper connection of the HSM with a ping from the IBASEC server: ping 192.9.200.31

Make an SSH connection from the IBASEC server to the HSM to register the hardware fingerprint. With Windows use the freeware terminal PuTTY (see Case 14 or FAQ at www.bbp.ch).


Connect a Pin Entry Device (PED) to your HSM: The IBASEC specific HSM uses the "Trusted Path Authentication", e.g. authorization is managed by a PED and iKeys (PED Keys). Connect the PED with the adequate cable to the plug in front of the HSM: The PED is powered by this data cable and shows readiness on its LCD display:

After the physical connection of a new HSM, it has to be registered with the IBASEC server, e.g. a new HSM has to be added to the HSM list and its parameters have to be set. The following window shows the default setting of these parameters. Compare also with Case 13: "Change or set parameters" and Case 14: "Replace HSM".

Menu Krypto

Menu Krypto Configure

The screenshot of this example shows that already three other HSMs are registered with the IBASEC server. Before you add the first HSM to the list, you should select "Configure Krypto" and check for the right ip-address of your installation in the private LAN environment. With a Windows installation, a new HSM should be connected with PuTTY (use the ip address and not the hostname) to register the fingerprint of the HSM in the Windows Registry.

SCP mode...

Awaiting command...

. < . EXIT . > . LOG


Menu Krypto > Configure > Add new HSM

HSM (name), Unit Number, IP Address and Description belong together and depend on the ordered ip address of your HSM. The Unit Number, and therefore the last octet of the ip address, is limited to < 100.
SubnetMask: depends on your HSM private LAN.
Max. Password Entries: the IBASEC - HSM dialog is password protected. Too many consecutive wrong passwords should lock the connection. The limit is set here.
Autostart: Do NOT set the Autostart flag now! Only after a successful first-time opening of a HSM could the Autostart flag be checked to enable automatic opening after an IBASEC server start.
Comm Timeout: 6 s
Poll Interval: 30 s
Selected Applications: select your applications (NKAPP is not available)
The Mode Setting is always "Unattended". The Office Mode, as known from IBASEC 2.x with Gretacoders, is no longer available with the Luna SP HSMs.

The supplier of your HSM has set up the parameters and secrets of the HSM. If you would like to change the secrets you should apply either "Change and set Passwords" (Case 15) or completely "Reinitialize the HSM" (Case 14). But first finish the HSM connection with the supplied secrets.

Change the Admin and the Partition Password according to your PIN letter (Premium Rollout):

The Admin Password gives you and the IBASEC server ssh-access to the HSM. The IBASEC server has to know this password, so it has to be saved with the IBASEC server.
The Partition Password is an important secret that controls access to the key partition of the HSM (the safe storage of all your public and private keys). The IBASEC server has to know this password, so it has to be saved with the IBASEC server.
To change the Application password please follow Case 15.


Menu HSM

Mark the HSM and select "Set HSM Admin Password on IBASEC Server" and the following warning will show up:

Menu HSM > HSM Initialization > Set Initial HSM Admin Password

Set Admin Password: This is the new Admin Password from the PIN Letter that comes from the HSM supplier (Premium Rollout).

Press <OK> to set the initial Admin password.

Extract from PIN_Letter:

HSM-Serial #: 012345
Admin-Password: 12345-12345 (See Note #1 on next page)
Partitions-Password: 1234-abcd-1234-abcd
IP Address: 192.9.200.31
Application-Password: It can be set individually without knowing the old Application-Password.
iKeys for PED: iKeys have no PIN. Just press the <Enter> button on the PED if you were asked to enter a PIN. All iKeys of a specific color (i.e. blue, black and red) are identical and may be used irrespective of HSM’s.

Menu HSM > HSM Initialization > Set Initial HSM Partition Password

Set Partition Password: This is the new Partition Password from the PIN Letter that comes from the HSM supplier (Premium Rollout).

Press <OK> to set the initial Partition password.

Extract from PIN_Letter:

HSM-Serial #: 012345
Admin-Password: 12345-12345 (See Note #1 on next page)
Partitions-Password: 1234-abcd-1234-abcd
IP Address: 192.9.200.31
Application-Password: It can be set individually without knowing the old Application-Password.
iKeys for PED: iKeys have no PIN. Just press the <Enter> button on the PED if you were asked to enter a PIN. All iKeys of a specific color (i.e. blue, black and red) are identical and may be used irrespective of HSM’s.


Now your HSM is ready to operate with the IBASEC server version 3.x. The first time, and again with each cold boot of the HSM, it is recommended to start the web server of the HSM manually. If you open the HSM with a halted web server, the IBASEC server falls into the recovery mode and finally starts the web server itself. You could watch these actions by opening the "Audit" (see main menu). To save time we start the web server manually:

Menu HSM > HSM Operations > Start Web Server

For the first start of the web server after a cold boot of the HSM, the black partition PED key is needed. The PED displays:

    SLOT 03: LOGIN USER/PARTITION. Insert a User / Partition Owner PED Key. Press ENTER.
    SLOT 03: LOGIN USER/PARTITION. Enter new PED PIN:

no PED keys are needed if the HSM is not cold booted
enter PIN code of PED key (if any)
"Premium Rollout" comes without PIN code.
Recommendation: Do NOT use PIN codes unless you know the purpose of it.

Now you are free to open the new HSM. Remember, we have not selected the Autostart flag at the beginning. If the new HSM works properly you could set it to Autostart. Check the state of the opened HSM (see Case 12).


9.4 Case 12: Check the State of the HSM (get status)

Description: A successful opening of the HSM to the status "connected ActiveUnattended" indicates that the HSM is in a proper operative state. To get more information about the parameters and configuration of the selected HSM try the Get Status function.

Prerequisite:
a connected HSM, either open or closed
IBASEC Main menu (GUI) running with security privileges

Get Status of HSM:

Menu Krypto > Remote (with selected HSM)

If possible, the HSM should be "connected ActiveUnattended" to get the status.


Press "Export" to export and print the status information of the selected HSM.


For more information about the status of the HSM see also Case 17 about log files or select Menu HSM > HSM Operations > Download Logs...


9.5 Case 13: Change or set parameters

Description: The SafeNet Hardware Security Module (LunaSP HSM) comes from your supplier in an "IBASEC specific state", ready to connect to your server. The HSM is individually prepared according to your HSM order. A few parameters are free to be optimized for your application and workload.

Prerequisite:
Solaris server (possibly with CD access)
Privileges: root access
IBASEC Main menu (GUI) running with administrator privileges

Change Parameters:

Menu Krypto

Menu Krypto > Configure

Menu Krypto > Configure > Add new HSM: After the physical connection of a new HSM it has to be registered with the IBASEC server, i.e. a new HSM has to be added to the HSM list and its parameters have to be set. The following window shows the default setting of these parameters.


To modify the parameters, select Menu Krypto > Configure > Modify HSM

HSM (name), Unit Number, IP Address and Description belong together
SubnetMask depends on your HSM private LAN
Max. Password Entries: the IBASEC - HSM dialog is password protected. Too many consecutive wrong passwords should lock the connection. The limit is set here.
Autostart: after a successful installation and opening of a HSM the Autostart flag could be checked to enable automatic opening after an IBASEC server start.
Comm Timeout: 6 s
Poll Interval: 36 s
Selected Applications (NKAPP is not available, PKI should be selected with SECOM)
The Mode Setting is always "Unattended". The Office Mode, as known from IBASEC 2.x with Gretacoders, is no longer available with the HSMs.

Follow-up actions:
Restore the keys (key partition) from a backup token (see Case 38)


9.6 Case 14: HSM Initialization

Description: A HSM could be replaced with the same IP address or removed and replaced with a new IP address. Let's replace it with the same IP address. If you intend to give away your old HSM you should clean it from all personal data (Main menu HSM > HSM Initialization > Erase HSM for Transport).

These operations should be done by an IT expert. Please consult your Integrator.

Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
New HSM with "Premium Rollout" and the ordered IP address
Administration and Partition Password of new HSM
PED keys: blue, red and black

Reference:
SIC/euroSIC User Manual
Instructions from "Premium Rollout"

Replace HSM:

properly remove your old HSM from the IBASEC installation

close the selected HSM

Menu Krypto

switch off the Autostart flag for the HSM with Menu Krypto > Configure > Modify HSM

uncheck "Autostart" to avoid automatic start (opening) of the new HSM

switch off the power of the HSM and disconnect it from the ethernet cable

connect the new HSM and power it.

open an ssh-terminal (with PuTTY from Windows) and connect to the HSM

Your server has detected that the fingerprint of the new hardware has changed. With Unix you have to delete the corresponding line in the file /opt/ibasec/.ssh/known_hosts

Let's have a look at the new HSM (this is optional):


With Unix do a ssh login:

    ibasec@<srv> % ssh -l admin 192.9.200.35
    login as: admin
    [email protected]'s password:
    Luna Command Line Shell v4.0.0-19 - (c) 2006 SafeNet, Inc. All rights reserved.
    [HSM35] lunash:>
    [HSM35] lunash:>hsm show
    Appliance Details:
    ==================
    Software Version: 4.0.0-19
    HSM Details:
    ============
    HSM Label: HSM35
    Serial #: 300002
    Firmware: 4.6.0
    Hardware Model: Luna K5
    Authentication Method: PED keys
    HSM Admin login status: Not Logged In
    HSM Admin login attempts left: 3 before HSM zeroization!
    MofN activation status: M of N not used
    Partitions created on HSM:
    ==========================
    Partition: 300002001, Name: keypar
    FIPS 140-2 Operation:
    =====================
    The HSM is NOT in FIPS 140-2 approved operation mode.
    Command Result : 0 (Success)
    [HSM35] lunash:>

Let's have a second look by detecting the state of the HSM (see Case 12). Now we create our own secrets (PED keys, partition password) by initializing the HSM: follow Case 15 to change the Admin and the Partition password.
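As a check on the `hsm show` session above, this added example (not part of the manual or of IBASEC) parses captured `hsm show` text and flags what an operator would want to know before initializing or opening the HSM, in particular a reduced admin login counter. The function names, the expected partition list, the assumption that 3 is the full login counter and the wording of the FIPS-approved line are illustrative; the sample text is the output printed in the manual.

```python
import re

# `hsm show` output as printed in the manual's Case 14 session.
HSM_SHOW_SAMPLE = """\
Appliance Details:
==================
Software Version: 4.0.0-19
HSM Details:
============
HSM Label: HSM35
Serial #: 300002
Firmware: 4.6.0
Hardware Model: Luna K5
Authentication Method: PED keys
HSM Admin login status: Not Logged In
HSM Admin login attempts left: 3 before HSM zeroization!
MofN activation status: M of N not used
Partitions created on HSM:
==========================
Partition: 300002001, Name: keypar
FIPS 140-2 Operation:
=====================
The HSM is NOT in FIPS 140-2 approved operation mode.
Command Result : 0 (Success)
"""


def parse_hsm_show(text):
    """Turn `hsm show` text into fields, a partition list and two status flags."""
    info = {"fields": {}, "partitions": [], "fips_approved": None, "result": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue  # blank line or "=====" underline
        m = re.match(r"Partition:\s*(\d+),\s*Name:\s*(\S+)", line)
        if m:
            info["partitions"].append({"serial": m.group(1), "name": m.group(2)})
            continue
        m = re.match(r"Command Result\s*:\s*(\d+)", line)
        if m:
            info["result"] = int(m.group(1))
            continue
        if "FIPS 140-2 approved operation mode" in line:
            # Assumption: the approved-mode line is the same sentence without "NOT".
            info["fips_approved"] = " NOT " not in line
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():  # section titles have nothing after the colon
            info["fields"][key.strip()] = value.strip()
    return info


def check_hsm(info, expected_partitions=("keypar",), full_attempts=3,
              require_fips=False):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    fields = info["fields"]
    if info["result"] != 0:
        findings.append("hsm show did not report success")
    if fields.get("Authentication Method") != "PED keys":
        findings.append("authentication method is not PED keys")
    m = re.match(r"\d+", fields.get("HSM Admin login attempts left", ""))
    if not m:
        findings.append("admin login attempt counter not found")
    elif int(m.group(0)) < full_attempts:
        # Failed admin logins count down towards zeroization of the HSM.
        findings.append("%s of %d admin login attempts left before zeroization"
                        % (m.group(0), full_attempts))
    names = sorted(p["name"] for p in info["partitions"])
    if names != sorted(expected_partitions):
        findings.append("partitions %s differ from expected %s"
                        % (names, sorted(expected_partitions)))
    if require_fips and not info["fips_approved"]:
        findings.append("HSM is not in FIPS 140-2 approved operation mode")
    return findings


if __name__ == "__main__":
    parsed = parse_hsm_show(HSM_SHOW_SAMPLE)
    print(parsed["fields"]["HSM Label"], check_hsm(parsed) or "no findings")
```

Save the terminal output to a file and pass its content to `parse_hsm_show`; the code does not connect to the HSM itself.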


9.7 Case 15: Change and set passwords

Description: The IBASEC Server uses three passwords protecting different operations:

Admin Password

Partition Password

Application Password

The Admin and the Application Password are set by default. The Partition Password is created by initializing and installing a new LunaSP HSM partition (see Case 14). This partition password has to be saved with the IBASEC server (set new partition password).

Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges

Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.1 and 3.1 STEP 3
Instructions from "Premium Rollout"

Set new Partition Password:

You have added and set up a new HSM or you have replaced it with an HSM that was already installed with another IBASEC server (Case 14). So the partition password should be known. This partition password has to be saved with the IBASEC server:

IBASEC Main Menu

Menu HSM


Mark the HSM and then select "Enter Password" and the following warning will show up:

Menu HSM > HSM Initialization > Set Initial HSM Partition Password...

This is not a password change. The partition password created on the HSM has to be handed over to the IBASEC server by entering the password with the function "Set Initial HSM Partition Password".

Change the Partition Password:

If you would like to change the partition password in the HSM and with the IBASEC server you have to enter the old and the new partition password:

Menu HSM > HSM Initialization > Change HSM Partition Password...


Change the Admin Password:

The admin password gives ssh access to the HSM with the user "admin". A brand new HSM from SafeNet could be ssh-connected with the user "admin" and the factory password "chrysalis". After the Premium Rollout has initialized the HSM for the IBASEC application the new password is documented in the PIN Letter from the supplier.

The admin password could be changed: mark the HSM and select

Menu HSM > HSM Initialization > Change HSM Admin Password

and the following warning will show up:

Menu HSM > HSM Initialization > Change HSM Admin Password...


The new Admin password has to comply with the HSM password requirements (see section 6.1).

Press <OK> to change the admin password "pass*12345" to "xYz-54321".


Set the Application Password:

To further secure the communication between the IBASEC server and the HSM(s) via the secure private LAN, an application password is used to scramble the communication. This password is set by default and it could be changed. Stop the Web Server first.

Menu HSM > HSM Initialization and mark the HSM

Mark the HSM and select "Set HSM Application Password" and the following warning will show up:

Menu HSM > HSM Initialization > Enter Password...

Press <OK> to set the new application password. After setting a new Application Password, the web server has to be (stopped and) restarted.


9.8 Case 16: Installation of a new Web Server Application Software

Description: The IBASEC Server communicates with the HSM over http (hypertext transfer protocol), the well-known protocol between an internet browser and a web server. The HSM runs an Apache/Tomcat web server. Special Java Code has been developed by SIC to enable the communication between the IBASEC server and the HSM. The Java Code is protected by a signature that will be compared with the SIC certificate on your HSM. All IBASEC specific HSMs have this certificate (ibasec3-dsazert.pem) already installed.

A "Premium Rollout" HSM has the newest web server application installed already!

Prerequisite:
IBASEC Main menu (GUI) running with administrator privileges
"Premium Rollout" HSM with code sign certificate from SIC

Copy the new appliance software from the SIC CD to the IBASEC server:

put CD in drive of IBASEC server

mount CD

    mkdir $IBA_RELEASE/luna<XXX>

    cp <mnt point of cd>/lunaHSM_v<version>/* $IBA_RELEASE/luna<XXX>

Reference: User manual IBASEC, section 3.2 and 5.2.3.

Uninstall the existing web server application first:

Before you can install a new web server application (appliance), the old installation has to be undeployed. Do the following:

IBASEC Main Menu

Menu HSM > HSM Initialization (with a marked HSM)


Confirm the following "Uninstall Application" button and watch the audit event log.

Install a web server application:

The web server application is signed by SIC and verified with an already installed ibasec3-dsazert.pem certificate. The latest version of the software comes with the IBASEC CD. If a later version should be distributed by SIC, you have to copy it to the IBASEC server. Follow the instructions coming with the new distribution.

Menu HSM > HSM Initialization (with a marked HSM)

Select "Install Application"

Select the newest software release, and start upload.


Watch the successful installation and deployment with the audit event log. If you forgot to uninstall the present installation you'll get the following message:

After the successful installation, you have to start the web server and open the HSM.


9.9 Case 17: Execute maintenance work and use of log files

Description: A few files and directories for audit and monitoring of the IBASEC activities have to be maintained because they are constantly growing with the usage of IBASEC.

Some of these operations should be done by an IT expert.

Prerequisite:
ssh (PuTTY with Windows) connection to the IBASEC server

Reference:
User manual IBASEC, section 3.3 and 3.1 STEP 3
see also section 4.5 for details

Audit event file EVT:

The audit event file that could be displayed with the "Audit" button from the Main menu is saved in the $IBA_DB directory (default: /var/ibasec/prod/db) and copied, according to the setting in the Audit Config window (Menu Audit > Configure), to the $IBA_LOG directory (/var/ibasec/prod/log)

file: evt20061230094500.dat

    drwxr-xr-x 14 ibasec ibasec 512 Oct 11 16:33 ../
    -rw-r--r-- 1 ibasec ibasec 39368 Jan 2 13:15 AUDIT
    -rw-r--r-- 1 ibasec ibasec 10208 Oct 11 16:33 CA
    -rw-r--r-- 1 ibasec ibasec 1245400 Jan 2 13:28 EVT
    -rw-r--r-- 1 ibasec ibasec 2084328 Nov 30 09:42 IBASEC
    -rw-r--r-- 1 ibasec ibasec 1649200 Jan 1 19:11 KRYPTO
    -rw-r--r-- 1 ibasec ibasec 41913 Jan 2 13:24 SYSMAN

HSM Log Files:

All the log files from the HSM (there are about 18 different log files!) should be copied to a subdirectory of the $IBA_LOG directory and then be deleted on the HSM:

    drwxrwxr-x 2 ibasec ibasec 512 Sep 10 02:30 HSM31_20060921/
    drwxrwxr-x 2 ibasec ibasec 2048 Sep 22 02:36 HSM31_20060922/
    drwxrwxr-x 2 ibasec ibasec 1024 Sep 23 02:32 HSM31_20060923/

The environment variable (or Windows registry entry) IBA_HSM_MAINTENANCE_TIME has to be set for automatic downloading and deleting of HSM log files.

example of .cshrc

    setenv IBA_HSM_MAINTENANCE_TIME "04:30" # daily download and delete at 04:30

If the environment variable IBA_HSM_MAINTENANCE_TIME is unset, there will be no downloading and deleting of HSM log files!


Besides the daily copies you could trigger an additional set of log files with the function:

Menu HSM > HSM operations > Download Logs ...

"Download Logs" produces a directory /var/ibasec/prod/log/HSM34_20070102 with a full set of log files that could be read and printed with a text editor.

This is an example script to clean up the accumulating log files from the IBASEC server. It could be executed as a cron job or as a Maintenance Script (see sect. 4.5).

    % /opt/ibasec/prod/scripts/remove_hsm_logs -help
    This script is commonly called via the crontab facility.
    To run this script automatically each day at 18:00, type :
    ibasec% setenv EDITOR vi
    ibasec% crontab -e
    <add the following line at the end of file>
    00 18 * * * csh -c '/opt/ibasec/prod/scripts/remove_hsm_logs -maxdays 30' >> /var/ibasec/prod/log/cleanup.log

It is recommended that you regularly archive and clean up the Log directory.
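One way to follow the archive-then-clean-up recommendation, as an added example that is not the `remove_hsm_logs` script shipped with IBASEC: it selects HSM log directories by the date in their name (the `HSM<nn>_<YYYYMMDD>` pattern shown above), writes each to a compressed archive, confirms the archive holds every file, and only then deletes the directory. The function names, the archive location and the HH:MM format check on IBA_HSM_MAINTENANCE_TIME are assumptions.

```python
import os
import re
import shutil
import tarfile
from datetime import date, datetime

# Directory names as shown in the manual: HSM31_20060921, HSM34_20070102, ...
LOG_DIR_RE = re.compile(r"^HSM\d+_(\d{8})$")


def maintenance_time_ok(env):
    """True if IBA_HSM_MAINTENANCE_TIME is set to a valid HH:MM value.

    The manual states that an unset variable disables the daily download;
    the HH:MM check is an assumption based on its "04:30" example.
    """
    m = re.fullmatch(r"(\d{2}):(\d{2})", env.get("IBA_HSM_MAINTENANCE_TIME", ""))
    return bool(m) and int(m.group(1)) < 24 and int(m.group(2)) < 60


def expired_log_dirs(log_root, today, max_days=30):
    """Names of HSM log directories whose name date is more than max_days old."""
    expired = []
    for name in sorted(os.listdir(log_root)):
        path = os.path.join(log_root, name)
        m = LOG_DIR_RE.match(name)
        # Symlinks are skipped so that cleanup never follows a link out of log_root.
        if not m or os.path.islink(path) or not os.path.isdir(path):
            continue
        try:
            stamp = datetime.strptime(m.group(1), "%Y%m%d").date()
        except ValueError:
            continue  # eight digits that are not a calendar date: leave it alone
        if (today - stamp).days > max_days:
            expired.append(name)
    return expired


def _files_under(root, name):
    """Relative paths (with forward slashes) of all files below root/name."""
    found = set()
    for base, _dirs, files in os.walk(os.path.join(root, name)):
        for fname in files:
            rel = os.path.relpath(os.path.join(base, fname), root)
            found.add(rel.replace(os.sep, "/"))
    return found


def archive_then_remove(log_root, archive_root, today, max_days=30):
    """Archive each expired directory, verify the archive, then delete the source."""
    os.makedirs(archive_root, exist_ok=True)
    removed = []
    for name in expired_log_dirs(log_root, today, max_days):
        target = os.path.join(archive_root, name + ".tar.gz")
        with tarfile.open(target, "w:gz") as tar:
            tar.add(os.path.join(log_root, name), arcname=name)
        with tarfile.open(target, "r:gz") as tar:
            archived = {m.name for m in tar.getmembers() if m.isfile()}
        if archived != _files_under(log_root, name):
            raise RuntimeError("archive of %s is incomplete, directory kept" % name)
        shutil.rmtree(os.path.join(log_root, name))
        removed.append(name)
    return removed


if __name__ == "__main__":
    # Dry run: report only, delete nothing.
    root = os.environ.get("IBA_LOG", "/var/ibasec/prod/log")
    if not maintenance_time_ok(os.environ):
        print("warning: IBA_HSM_MAINTENANCE_TIME is unset or malformed")
    if os.path.isdir(root):
        print("would archive:", expired_log_dirs(root, date.today()))
```

Because the HSM logs are deleted on the HSM after download, the copies under $IBA_LOG are the only ones left, which is why the source directory is removed only after the archive has been read back.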


9.10 Case 18: Setup a zeroized HSM (Premium Rollout)

Description: The SafeNet Hardware Security Module (LunaSP HSM) comes from your supplier in an "IBASEC specific state", ready to connect to your server. An unprepared or a zeroized HSM could fail at the specific IBASEC operations. If you would like to create all of the HSM/IBASEC secrets (PED keys, passwords) yourself, you also have to set up the HSM from scratch.

These operations should be done by an IT expert. Please consult your Integrator.

9.11 Case 19: Change PIN code on HSM

The IBASEC operations with the HSM Luna SP are secured with these three PED keys:

Admin PED Key (blue key) with PIN code

Partition PED Key (black key) with PIN code

Domain PED Key (red key) without PIN code

The PIN code that is requested with an Admin PED key is the same for all Admin PED keys with this HSM. So when you change e.g. a PIN code with the Admin PED key, it has changed for all Admin PED keys at this HSM. With another HSM, the same Admin PED key could request another PIN code! But be aware that the PED key must know whether it should ask for a PIN code.

Change PIN code with Admin PED key (blue key) via ssh

connect to the HSM via ssh

enter: hsm changePw

confirm "Reuse Id, Yes/No" with Yes

enter the new PIN code twice

Change PIN code with Partition PED key (black key) via ssh

connect to the HSM via ssh

enter: partition resetPw -par keypar

from the menu select 1. change black PED key data

confirm "Reuse Id, Yes/No" with Yes

enter the new PIN code twice

Make new copies of your PED keys to make sure that you will be asked for the PIN code.

Please note that the PIN code is bound to the HSM Partition and not to the PED keys. But the PED key carries the flag "ask for PIN code: yes/no"!


9.12 Case 32: Generate a local verification key (LOCERT)

Description: The first step to set up an HSM for production mode is to generate a pair of local certificate keys. The keys will be used to secure the transfer of the production public keys from and to the IBASEC server.

Prerequisite:
IBASEC Main menu (GUI) running with security officer privileges
Application password

Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.2.1 [UM]

Create a LOCERT key pair:

Menu Keyman

Menu Keyman > HSM Keymanagement

Menu Keyman > HSM Keymanagement > Create LOCERT Key...


Make sure that your Caps-Lock is not switched on! Select your first HSM, enter Key size, start and end date and the application password.

Verify the "active" status of this key in the Keyman module. If you operate with more than one HSM at your IBASEC server you should back up this LOCERT key pair and restore it to the other HSMs (see Case 37, 38).

Concerning the key management with SIS see the reference [Cert, SIS]


9.13 Case 33: Create a production key pair

Description: All SIC- and euroSIC-participants need a separate key pair per LUD (business partner, logic connection). Such a key pair has to be created.

Prerequisite:
IBASEC Main menu (GUI) running with security officer privileges
Existing LOCERT
Existing application "SIC"
Existing business partner or LUD "XXX0" created in Bpman (section 4.7)
Application Password
PED keys: no

Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.2.2 [UM]
Instructions from SIC key management ([email protected])

To start from IBASEC GUI menu

Menu Krypto

To properly connect a HSM to the IBASEC server see Case 11 and 12


Menu Keyman

Menu Keyman > HSM Keymanagement > Create RSA Key pair

As Business Partner take XXX0.
Select the first HSM (31). It is recommended that you create all your necessary keys on the first HSM, then back it up and restore the same set of keys to the other HSM(s).
Select the Application: SIC, EURO, SECOM. In this case your business partner (or LUD) is SICS (ask SIC key management for further details).
Select the Key size, the usage and the period of validity (see table of [UM] 6.2.2).
Enter Application Password (see [UM] 3.1).

Create RSA Key pair - Create

Create - Yes (yes/no are displayed in the system language)


To monitor the success (or failure) of the keypair creation you could also open the audit window: Menu Audit

Verify the "active" status of this key in the Keyman module.

Follow-up actions:

List the active keys to see the success of the key generation

Export a public key to a provider (e.g. to SIC) (see Case 34)

View details of key(pair)

Print fingerprint letter of public key (see Case 34)

Back up the key partition of this first HSM(31) (see Case 37)

Restore the Backup of the first HSM(31) to the other HSM(s) (see Case 38)


9.14 Case 34: Export your public key to the provider (SIC)

Description: A locally created keypair (see Case 33) has to be sent as file to the provider. An accompanying fingerprint letter has to be created.

Prerequisite:
IBASEC Main menu (GUI) running with security officer privileges
a created key pair
PED keys: no

Reference:
SIC/euroSIC User Manual
User manual IBASEC, section 6.2.2 [UM]
Instructions from SIC key management ([email protected])

To start IBASEC GUI menu

Menu Keyman > Find


Menu Keyman > Find > Free Search ...

Set your criteria (filter) to easily find the public key to export: Menu Keyman > Find > Free Search > Search

Mark the public key for export to your provider. Open the Key pulldown menu and select "Export Key as Self-Signed Certificate..":


Press <OK> and remember where you have placed your certificate file on your system. Together with this file a so-called fingerprint letter has to be printed: In your Search Window (Menu Keyman > Find > Free Search > Search) select <Print Letter> to print the fingerprint letter or <Export Letter to File> if you like to print it on another workstation.

Select a printer. If no printer is installed, you could direct the output to a file.


The fingerprint letter has to be signed by an authorized person and sent by fax to the SIC Operation Center (Fax 058 499 47 41). Moreover, it has to be sent as an e-mail attachment to the SIC Operation Center ([email protected]), together with the self-signed certificate file, which first has to be copied from .crt to .txt and then zipped.

Follow-up actions:
Back up the first HSM(31) (see Case 37)

For the key management with SIS see the separate manual: Certificate and certification management for the SECOM application using IBASEC


9.15 Case 35: Import a public key from SIC

Description: Public keys from a foreign system can be imported with two types of files: the IBASEC 2 file format and self-signed certificates. You always get the public keys from SIC as self-signed certificates.

Prerequisite:
- IBASEC Main menu (GUI) running with administrator privileges
- self-signed certificates from SIC
- Application password (no PED keys)

Reference:
- SIC/euroSIC User Manual
- User manual IBASEC, section 6.7 [UM]
- Instructions from SIC key management ([email protected])

IBASEC GUI main menu

Menu Krypto (select a HSM to activate the Keys menu)

Before you can select a self-signed certificate file, you have to place the file from SIC in the designated import directory ($IBA_IMPORT). The certificates come with the IBASEC CD.

Copy the files from SIC to /var/ibasec/prod/import

(you might find them on the IBASEC CD directory /certs)

Menu Krypto > Keys > Import Self-Signed Certificate

With Unix, the filenames are case-sensitive, e.g. the files have to end with .crt (not with .CRT).

Select the file from the "Filename" combo-box (all files from the /var/ibasec/prod/import directory are shown) and press "Import".

The key was successfully imported from the certificate file.

It could be that the entered application password was wrong and too many consecutive wrong attempts have locked the HSM for further use.

In this case you have to unlock the HSM and that needs the Admin key (blue PED key):

Menu HSM > HSM Initialization > Unlock HSM

Now you have to do the validation procedure again.

For the key management with SIS, see the separate manual: Certificate and certification management for the SECOM application using IBASEC. Certificates are imported with the module Certman.

9.16 Case 36: Verify an imported external public key

Description: An asymmetric cryptographic function requires the exchange of public keys between the two communicating sides. Your providers (SIC and SIS) deliver their public keys to your installation. Their keys come with fingerprints to verify the authenticity. To allow you to exchange these keys among your HSMs, they have to be validated by your local certificate (LOCERT).

Prerequisite:
- IBASEC Main menu (GUI) running with security privileges
- Connected (first) HSM
- A PED (pin entry device) connected to the HSM
- PED keys: blue (Admin), red (Domain), black (Partition)
- Imported public keys (Case 35)

Reference:
- SIC/euroSIC User Manual
- User manual IBASEC, section 6.5

The keys, i.e. the self-signed certificate files, have to be copied to the $IBA_IMPORT directory of your IBASEC server (default: /var/ibasec/prod/import) (Case 35).

To start IBASEC GUI menu

Menu Krypto

Menu Krypto > Keys > Validate Key in HSM

Select the imported key you wish to validate, then enter the application password and the fingerprint of the certificate (from SIC) and press "Validate".

Confirm the validation of the key.

9.17 Case 37: Backup key partition

Description: With a Key Backup the whole partition is copied to a Backup Token. The Backup Token should be inserted before you launch the backup procedure. Keep a check on the display of the LunaPED for the requested PED key application. If the backup token has already been used with other HSMs that do not belong to the same group, the backup will fail. If you insist on overwriting the used token, you have to repeat the procedure 3 times until it accepts the overwriting of the token.

Prerequisite:
- IBASEC Main menu (GUI) running with administration privileges
- Disconnected (first) HSM
- A PED (pin entry device) connected to the HSM
- PED keys: blue (Admin), red (Domain), black (Partition)
- Backup Token for SafeNet Luna SA

Reference:
- SIC/euroSIC User Manual
- User manual IBASEC, section 5.6

To start IBASEC GUI menu: Case 1

Menu HSM

Select (mark) a HSM. The selected HSM should be "Disconnected"; otherwise "Close" it with the <Close> button.

Insert a new or already used backup token (SafeNet Luna SA BACKUP TOKEN) into the slot (01) of the selected HSM.

Select the "Key Backup" function.

Menu HSM > Backup and Restore > Key Backup

Press "Key Backup" and watch your PED (pin entry device)

(slot 03 means your HSM partition) insert the PED Admin key (blue key)

    PED display:
    SLOT 03:
    LOGIN SO/HSM ADMIN...
    Insert a SO / HSM Admin PED Key.
    Press ENTER.

enter the PIN code of your Admin key (empty PIN code is possible)

    PED display:
    SLOT 03:
    LOGIN SO/HSM ADMIN...
    Enter PED PIN:

(slot 01 means your backup token) insert the PED Admin key (blue key)

    PED display:
    SLOT 01:
    LOGIN SO/HSM ADMIN...
    Insert a SO / HSM Admin PED Key.
    Press ENTER.

enter the PIN code of your Admin key (empty PIN code is possible)

    PED display:
    SLOT 01:
    LOGIN SO/HSM ADMIN...
    Enter PED PIN

(slot 01 means your backup token) insert the PED Admin key (blue key)

    PED display:
    SLOT 01:
    INITIALIZE HSM...
    Insert a SO / HSM Admin PED Key.
    Press ENTER.

(slot 01 means your backup token) ATTENTION: press: <YES>. If you select NO, your inserted PED key will get a new ID and it cannot be used anymore for the other HSMs.

    PED display:
    SLOT 01:
    INITIALIZE HSM...
    This PED Key has a valid Identity for SO / HSM Admin.
    Reuse Id? YES/NO

enter the PIN code of your Admin key and confirm it. Recommendation: do not use PIN codes (an empty PIN code is possible and recommended), or give all keys the same PIN code. (Get advice about the usage and purpose of PED PIN codes.)

    PED display:
    SLOT 01:
    INITIALIZE HSM...
    Enter new PED PIN:
    Confirm new PED PIN:

You can copy the PED Keys later: <NO>

    PED display:
    SLOT 01:
    INITIALIZE HSM...
    Copy this PED Key? YES/NO

(slot 01 means your backup token) insert the PED Admin key (blue key)

    PED display:
    SLOT 01:
    LOGIN SO/HSM ADMIN...
    Insert a SO / HSM Admin PED Key.
    Press ENTER.

enter the PIN code of your Admin key (empty PIN code is possible)

    PED display:
    SLOT 01:
    LOGIN SO/HSM ADMIN...
    Enter PED PIN:

insert the PED Domain key (red key)

    PED display:
    SLOT 01:
    SET DOMAIN...
    Insert a SO / Domain PED Key.
    Press ENTER.

press: <YES>

    PED display:
    SLOT 01:
    SET DOMAIN...
    This PED Key has a valid Identity for Domain
    Reuse Id? YES/NO

You can copy the PED Keys later: <NO> press: <NO>

    PED display:
    SLOT 01:
    SET DOMAIN...
    Copy this PED Key? YES/NO

insert the PED Partition key (black key)

    PED display:
    SLOT 01:
    CREATE USER/PARTITION
    Insert a Partition PED Key.
    Press ENTER.

press: <YES>

    PED display:
    SLOT 01:
    CREATE USER/PARTITION
    This PED Key has a valid Identity for SO / HSM Admin.
    Reuse Id? YES/NO

enter the PIN code of your Partition key and confirm (empty PIN code is possible)

    PED display:
    SLOT 01:
    CREATE USER/PARTITION
    Enter new PED PIN:
    Confirm new PED PIN:

You can copy the PED Keys later: <NO>

    PED display:
    SLOT 01:
    CREATE USER/PARTITION
    Copy this PED Key? YES/NO

insert the PED Partition key (black key)

    PED display:
    SLOT 03:
    LOGIN USER/PARTITION.
    Insert a Partition PED Key.
    Press ENTER.

enter the PIN code of your Partition key (empty PIN code is possible)

    PED display:
    SLOT 03:
    LOGIN USER/PARTITION.
    Enter PED PIN:

*** Attention: Your time to insert PED keys and enter the PIN codes is LIMITED! ***
*** If the handling is too slow a TIMEOUT error will occur ***

Watch the Logs by pressing "View Logs".

Let's have a look at the Logs (press "View Logs"). The successful partition backup operation should return:

    Object "..." (handle ...) cloned to handle .. on target
    ...
    Object "..." (handle ...) cloned to handle .. on target
    'partition backup' successful.

    Command Result : 0 (Success)

This looks good. Congrats, you have successfully made a backup of your key partition.

If, on the way, one of the messages is like

    ...
    Problem cloning object "..." (handle ...) from source to target. (RC_DATA_INVALID)
    ...

then the backup is unusable! In this case, the backup should end with something like

    ...
    Error: 'partition backup' failed. (C0000102 : RC_DATA_INVALID)
    Command Result : 65535 (Luna Shell execution)

but we think this might not be reliable. Therefore, we recommend checking not only the last two lines, but also all lines before.

Again, be aware that the time for the PED key handling is limited. If you are too slow, the Log could look like this:

This was too slow, see the line "Error: 'partition backup' failed. (300134: LUNA_RET_SP_TIMEOUT)"

Wait until the progress bar shows 100% executed. If the backup is correct, then remove the backup token and keep it in a safe place.

Follow-up actions: Restore the Backup of the first HSM(31) to the other HSM(s) (Case 38)

9.18 Case 38: Restore key partition

Description: With a Key Backup the whole partition is copied to a Backup Token. If several HSMs are in use, the backup of the first HSM is restored to the other HSMs so that all have the same keys ready for operation.

Prerequisite:
- IBASEC Main menu (GUI) running with administrator privileges
- Disconnected HSM (closed)
- A PED (pin entry device) connected to the HSM
- PED keys: blue (Admin), red (Domain), black (Partition)
- Backup Token for SafeNet Luna SA

Reference:
- SIC/euroSIC User Manual
- User manual IBASEC, section 5.6

To start IBASEC GUI menu: Case 1

Menu HSM

Insert the Backup Token into the card reader of the HSM (both slots are accepted). A double beep confirms acceptance. Press "Key Restore" of the selected HSM.

Press "Key Restore" and watch your PED (pin entry device)

With "View Logs" you could watch the progress of the key partition restore.

insert the PED Admin key (blue key)

    PED display:
    SLOT 03:
    LOGIN SO/HSM ADMIN...
    Insert a SO / HSM Admin PED Key.
    Press ENTER.

enter the PIN code of your Admin key (empty PIN code is possible)

    PED display:
    SLOT 03:
    LOGIN SO/HSM ADMIN...
    Enter PED PIN:

insert the PED Admin key (blue key)

    PED display:
    SLOT 01:
    LOGIN SO/HSM ADMIN...
    Insert a SO / HSM Admin PED Key.
    Press ENTER.

enter the PIN code of your Admin key (empty PIN code is possible)

    PED display:
    SLOT 01:
    LOGIN SO/HSM ADMIN...
    Enter PED PIN:

insert the PED Partition key (black key)

    PED display:
    SLOT 01:
    LOGIN USER/PARTITION
    Insert a Partition PED Key.
    Press ENTER.

enter the PIN code of your Partition key (empty PIN code is possible)

    PED display:
    SLOT 01:
    LOGIN USER/PARTITION.
    Enter PED PIN:

Check the log. The successful partition restore operation should return:

    Object "..." (handle ...) cloned to handle ... on target
    ...
    Object "..." (handle ...) cloned to handle ... on target
    'partition restore' successful.
    Command Result : 0 (Success)

If, on the way, one of the messages is like

    ...
    Problem cloning object "..." (handle ...) from source to target. (RC_DATA_INVALID)
    ...

then the backup is unusable! In this case, the backup should end with something like

    ...
    Error: 'partition restore' failed. (C0000102 : RC_DATA_INVALID)
    Command Result : 65535 (Luna Shell execution)

but we think this might not be reliable. Therefore, we recommend checking not only the last two lines, but also all lines before.

Wait until the progress bar shows 100% executed. If the restore is correct, then remove the backup token and keep it in a safe place again.
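
The check that Cases 37 and 38 recommend (read every log line, not only the last two), as an added example that is not part of the IBASEC manual or its tooling. It assumes the "View Logs" text has been saved as a string; the sample logs are constructed from the message shapes quoted above, and the object names and handle numbers in them are invented.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Message shapes quoted in Case 37 (backup) and Case 38 (restore).
CLONED = re.compile(r'Object "(.*?)" \(handle (\S+)\) cloned to handle (\S+) on target')
PROBLEM = re.compile(
    r'Problem cloning object "(.*?)" \(handle (\S+)\) from source to target\.\s*\((\w+)\)')
FAILED = re.compile(
    r"Error: 'partition (backup|restore)' failed\.\s*\(\s*(\w+)\s*:\s*(\w+)\s*\)")
SUCCESS = re.compile(r"'partition (backup|restore)' successful")
RESULT = re.compile(r"Command Result\s*:\s*(\d+)")


@dataclass
class Verdict:
    operation: str                      # "backup" or "restore"
    cloned: int = 0                     # objects reported as cloned
    findings: List[Tuple[int, str, str]] = field(default_factory=list)
    saw_success: bool = False           # "'partition <op>' successful." was seen
    result_code: Optional[int] = None   # last "Command Result" value

    @property
    def usable(self) -> bool:
        # All conditions must hold. A success trailer alone is not enough,
        # because the manual warns that the trailer "might not be reliable".
        return (not self.findings and self.saw_success
                and self.result_code == 0 and self.cloned > 0)


def check_partition_log(text: str, operation: str) -> Verdict:
    """Scan every line of a partition backup/restore log."""
    if operation not in ("backup", "restore"):
        raise ValueError("operation must be 'backup' or 'restore'")
    v = Verdict(operation)
    for lineno, line in enumerate(text.splitlines(), 1):
        if CLONED.search(line):
            v.cloned += 1
        m = PROBLEM.search(line)
        if m:
            v.findings.append((lineno, m.group(3), 'object "%s" not cloned' % m.group(1)))
        m = FAILED.search(line)
        if m:
            v.findings.append((lineno, m.group(3), "partition %s failed" % m.group(1)))
        m = SUCCESS.search(line)
        if m and m.group(1) == operation:
            v.saw_success = True
        m = RESULT.search(line)
        if m:
            v.result_code = int(m.group(1))
    return v


# Constructed sample logs (key names and handles are made up).
GOOD_BACKUP = """\
Object "KEY-A" (handle 20) cloned to handle 14 on target
Object "KEY-B" (handle 21) cloned to handle 15 on target
'partition backup' successful.
Command Result : 0 (Success)
"""

# The case the manual warns about: one object failed mid-run,
# but the last two lines still look like a success.
HIDDEN_FAILURE = """\
Object "KEY-A" (handle 20) cloned to handle 14 on target
Problem cloning object "KEY-B" (handle 21) from source to target. (RC_DATA_INVALID)
Object "KEY-C" (handle 22) cloned to handle 15 on target
'partition backup' successful.
Command Result : 0 (Success)
"""

# PED key handling was too slow.
PED_TIMEOUT = """\
Error: 'partition backup' failed. (300134: LUNA_RET_SP_TIMEOUT)
Command Result : 65535 (Luna Shell execution)
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_BACKUP), ("hidden failure", HIDDEN_FAILURE),
                      ("timeout", PED_TIMEOUT)):
        v = check_partition_log(log, "backup")
        print(name, "->", "usable" if v.usable else "DO NOT USE", v.findings)
```

A token is treated as usable only when no problem or failure line appears anywhere, the success line for the requested operation is present, the command result is 0, and at least one object was cloned.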

9.19 Case 39: Distribute public keys to further HSMs

Description: With a Key Backup the whole partition is copied to a Backup Token. If several HSMs are in use, the backup of the first HSM is restored to the other HSMs so that all have the same keys ready for operation.

Prerequisite: IBASEC Main menu (GUI) running with security privileges

Reference: SIC/euroSIC User Manual

Main menu

Menu Keyman

Menu Keyman > Keys > Configure

Distribute Keys Automatically. Remember: you could also back up the first HSM and restore all its keys to the further HSMs.

By default, the keys of "High Priority" applications are distributed to "All" HSMs. To be more selective, you could distribute the public keys of "Medium Priority" applications to two further HSMs.

Follow-up actions: Restore the Backup of the first HSM to the other HSM(s) (Case 37, 38)

9.20 Case 40: Delete a key (or all keys)

Description: All keys are stored in the HSM. The public keys are also stored in the IBASEC server database KRYPTO. To delete a key means removing it from a HSM partition. To purge a key means removing it from the IBASEC server database.

Prerequisite:
- IBASEC Main menu (GUI) running with security privileges
- at least one HSM is in "connected ActiveUnattended" mode and has loaded keys

Reference:
- SIC/euroSIC User Manual
- User manual IBASEC, section 6.16, 6.17

Delete a key: Deleting a single key and deleting all keys differ only in the selection of the key(s).

Main menu

Menu Keyman

Menu Keyman > Find > Free Search...

Search a selection of keys with the "Free Search..." routine. In this case we would like to see all keys of HSM39. For more search criteria (filters) see section 6.20 of this manual.

Menu Keyman > Find > Free Search > Search

Mark the key you would like to delete. Select "Details" to make sure to select the right key for deletion. With Ctrl-A you could select all keys in the list.

Menu Keyman > Find > Free Search > Search > Key

Delete Key.. deletes keys in HSM but not in the IBASEC server database
Purge Key in db.. deletes keys in the IBASEC server database KRYPTO

Delete Key...

You could delete the key in one single HSM or in all connected HSMs, provided that all HSMs are "connected and ActiveUnattended" (see Krypto). A deleted public key that has not been deleted in the database (not purged) is automatically reloaded the next time you open the HSM. To completely get rid of a key, you also have to "Purge key in db...".

Follow-up actions: Purge keys in IBASEC server database KRYPTO

9.21 Case 41: Certification of SECOM Private Keys by SIS

Description: These are the steps to get your (Bank's) private keys certified by SIS.

Prerequisite: IBASEC Main menu (GUI) running with superuser privileges. For the message exchange with SIS (application SECOM) we need the following certificates. The SIS certificates are delivered with the IBASEC CD or could be downloaded from the SIS site.
- a LOCERT must be present in HSM
- Imported ROOT.CRT
- Validated ROOT.CRT with fingerprint
- Imported SECOM-SECN-5053B310.CRT (automatically validated by the ROOT.CRT)

Reference: "IBASEC3: 2Kbit certification of private keys (client's side)" to be downloaded from SIS site [CERT2]. See also chapters 6.8...6.14 of this manual.

Step 1: Profile

Ensure that you have a valid 2Kbit profile for the SECOM application like this:

Step 2: Create Key Pair

Create your RSA key pair for the SECOM application: Keyman - HSM Keymanagement - Create RSA Key Pair. IMPORTANT: Always use the same (Master-) HSM to create new private keys. With backup/restore you could then distribute them to your other HSMs. No partial, only complete backup/restore of HSMs is possible!

Step 3: Create your Certification Request and send it to SIS

Now you have to place a certification request at SIS for your newly created key. With the order form "428" you will receive a reference number and an authorization code from SIS. Enter this information in Certman - SIS CA Operations - Export Certification Request to File:

To export your certification request, select your key and press <Export>. After the export, carefully check that the certification request corresponds to the right key hash, and to the right reference number:

Also check the audit event log:

If everything is correct, then send your certification request (xy.crt) file via email to SIS [email protected] to get their certification (see next step).

Step 4: Import the Certificate

Generally, you will receive the certificate as a zip file via email on the same day. Save the unzipped certificate in the directory $IBA_CERT/SIS CA/FromProxy/ and go to Certman - SIS CA Operations - Import Certificate from File. Select your file and press <Import>.

The next window shows your imported certificate.

Notice that your old certificate must not be deleted before its end of validity. After the successful import, it's time again to make a new backup of the HSM Key Partition, and to distribute it to your other HSMs. Additionally, the certificate has to be imported (as in step 4) on each other HSM. Normally, during the overlapping period (time when both the old and the new certificate are valid), the old certificate is used. Therefore, the new certificate will come into operation the day after the validity end date of the old certificate. However, you can put it into operation earlier by deactivating the key of the old certificate (see Case 42).

9.22 Case 42: Deactivation of a Key

Deactivation of a key allows marking on the IBASEC server (not on the HSM) that this key can no longer be used. In contrast to deletion, the key could be reactivated later. Deactivation works only for SECOM, but not for SIC and EURO!

Deactivation can be:
- manual
- automatic

The automatic deactivation is used only by SIS, and is not described here. The manual deactivation can be used by the bank during the overlapping period of its old and new SECOM certificate, to force the use of the new certificate. Here is the procedure:

Define an environment variable IBA_HANDLE_DEACTIVATE_KEYS and set it to the value "1". On Unix, this is done by editing the file .cshrc.local in the home directory of the IBASEC user (default: /opt/ibasec), and adding the line:

    setenv IBA_HANDLE_DEACTIVATE_KEYS 1

On Windows, it is done by editing the registry (Start > Run > regedit) and adding the new key IBA_HANDLE_DEACTIVATE_KEYS with value "1" to:

    HKEY_LOCAL_MACHINE\Software\bbp\ibasec3

Then restart IBASEC. Now deactivate the old SECOM Private Key (Keyman > Find > Free Search > Key > Deactivate Key):

To see the new key status, refresh the window by leaving and re-entering it:

Finally check the audit event log:

9.23 Case 61: How to report a malfunction of IBASEC and/or the HSM

Description: Whenever a malfunction of the IBASEC installation appears, it is in the majority of cases not obvious in which part of the installation the source of the failure lies. Therefore the report to the IBASEC support has to be comprehensive.

Prerequisite: access to the IBASEC server with user "ibasec" (ssh or PuTTY)

Reference: SIC/euroSIC User Manual

Access the IBASEC server (ssh or PuTTY): Login as ibasec user and start the ibasecadmin program. Select diag

    login as: ibasec
    Using keyboard-interactive authentication.
    Password:
    Last login: Fri Dec 29 14:44:20 2006 from 62.2.194.99
    Sun Microsystems Inc. SunOS 5.9 Generic May 2002
    ibasec@numenor 31 % ibasecadmin
    ---------------------------------------------------------
    IBASEC ADMINISTRATION TOOLS
    ---------------------------------------------------------
    addtcp      add a new interface
    deltcp      delete an interface
    diag        generate a report
    gui         start ibasec GUI (require X11)
    kill        kill ibasec
    patch       install ibasec patch
    purgekeys   purge key database
    resetcat    reset user category database
    start       start ibasec in text mode
    Choice : [?,??,q]: diag
    ...
    ...
    ...
    ...file won't be protected.
    Password ([enter] to skip password protection) :
    12345678
    Crypting file using supplied password ...
    Don't forget to provide the password to the helpdesk.
    14180148 -rw-r--r-- 1 ibasec ibasec 13907365 Dec 29 15:33 /tmp/ibasecdiag-numenor-20061229-153036.tar.gz.crypt
    Press 'Enter' to continue.

After a few minutes the procedure has collected enough information to be analysed by the IBASEC support. The information file (/tmp/ibasecdiag-numenor-20061229-153036.tar.gz.crypt) could be encrypted (optional, here with password 12345678), so you could send it by email to your supporter.

An even more revealing procedure could be "ibasecdiag". But this program needs more knowledge of the IBASEC installation and is therefore intended for the IT expert.

Example of ibasecdiag application: live monitoring in 600 sec (10 min) interval, direct output to a text file

    ibasec@numenor 46 % cd /opt/ibasec/prod/scripts
    ibasec@numenor 47 % ibasecdiag
    NAME
        ibasecdiag : IBASEC diagnostic utility
    SYNOPSIS
        ibasecdiag
            [ -help | -version | -history |
              -short [ -dir full_path_dir -id "id" ] |
              -full [ -dir full_path_dir -id "id" ] |
              -live [ interval ] [ count ] ]
        -help     : print full help
        -version  : print the version of this utility
        -history  : print history
        -short    : generate a short report file
        -full     : generate a full report
        -live     : live monitor
        -dir      : change the storage_directory where the report
                    will be stored (/tmp by default)
        -id       : specify a diagnostic id(alter report filename)
        dir       : full path directory
        id        : report file id
        interval  : sampling interval in seconds (default is 1)
        count     : number of times the statistics are repeated
                    (default is infinite)
    ibasec@numenor 48 %

    % ibasecdiag -live 600 | tee /tmp/ibasecdiag-live.txt

Set Flags for more Log information:

To get more information on the communication between the IBASEC server and the HSM you could switch on three different flags that produce three different text files in the var/log directory:

Windows Registry: Start > Run > regedit > HKEY_LOCAL_MACHINE\Software\bbp\ibasec3

    IBA_LOG_XML_ERR    1    to log XML requests with errors      HSM31_err.txt
    IBA_LOG_XML_WARN   1    to log XML requests with warnings    HSM31_warn.txt
    IBA_LOG_XML_DATA   1    to log all XML requests              HSM31_data.txt

The text files will be saved in the directory: c:\Program Files (x86)\Ibasec3\prod\var\Log

Solaris environment variables (temporary setting):

    setenv IBA_LOG_XML_ERR 1
    setenv IBA_LOG_XML_WARN 1
    setenv IBA_LOG_XML_DATA 1

The text files are saved in the directory $IBA_LOG

    setenv IBA_SSHCMD_TRACE 1    (/opt/ibasec/sshcmd-<pid>.txt)

or set the variables in .cshrc for permanent application

10 Audit Events and their Severities

Code | Description of the Error | Severity | Category
00001 | Printer error. Printing will be disabled | Error | System
00002 | Printing now again enabled | Information | System
00003 | Maintenance started | Information | System
00004 | Maintenance complete | Information | System
00005 | Entries purged from event database | Information | System
01000 | An IBASEC interface has opened | Information | System
01001 | An IBASEC interface has closed | Information | System
01002 | An IBASEC interface is in the error state | Warning | System
01003 | A session has been opened on an IBASEC interface | Information | System
01004 | A session has been closed on an IBASEC interface. This can be for one of the following reasons: A close session request was received from the application user. The server has gone offline. All productive sessions are automatically closed if there are no HSMs currently accessible. (The server state is visible from the ‘SYSMAN Overview’ screen). The session was closed by a user of the IBASEC User Interface. | Information | Security
01005 | There was an error opening a session on an IBASEC interface. This can be for one of the following reasons: An internal system error occurred. The Server Id in the request message does not match the Id of this server (see the ‘SYSMAN Overview’ screen). The application requested is unknown (see APPMAN). The User-Id in the request message is unknown (see APPMAN). The requesting User-Id is not allowed to use the application requested (see APPMAN). | Information | Security
01006 | A request has been received on the IBASEC interface to use a function which cannot be used with the application of the session. | Information | Security
01007 | This feature is not supported | Information | Security
01008 | Data sent to a session which does not exist | Information | Security
01009 | Production command sent over a test session | Information | Security
01018 | A verification request failed because the received and recalculated signatures did not match. | Alarm | Security
01019 | An EDIFACT message passed on an IBASEC session could not be parsed (i.e. there was a format error in the EDIFACT message). | Error | Security
01020 | An internal system error occurred in the IBASEC server | Error | System
01021 | A request to open an IBASEC session has been received from an application user who is not currently enabled. | Information | Security
01022 | An algorithm Id in a request message passed on the IBASEC interface is unknown. | Information | Security

01023 | A business partner Id (BP-Id) in a request message passed on the IBASEC interface is unknown (i.e. is not configured in BPMAN) | Information | Security
01024 | Wrong profile error – one or more of the cryptographic parameters in a message received from a Business Partner does not match the default parameters defined for the business partner in his default profile. | Error | Security
01025 | No Public Key could be found for the Business Partner. This is either a request to encrypt a message, or a request to verify a message. | Error | Security
01026 | No private key could be found for the Business Partner. This is either a request to sign a message or a request to decrypt a message. | Error | Security
01027 | No CA Public Key was available to verify a certificate. | Error | Security
01028 | Key not accessible – a key for the requested operation exists but is currently not accessible e.g. because the HSM containing it is not online. | Error | Security
01029 | IBASEC message error – an invalid filter parameter was passed. | Information | Security
01030 | IBASEC message error – an invalid character set parameter was passed. | Information | Security
01031 | IBASEC message error – the amount of application data passed was too short. | Information | Security
01032 | IBASEC message error – the amount of application data passed was too long | Information | Security
01033 | IBASEC message error – an invalid offset parameter was passed. | Information | Security
01034 | IBASEC message error – an invalid length parameter was passed. | Information | Security
01035 | IBASEC message error – the length of a signature passed with the message was incorrect. | Information | Security
01036 | IBASEC message error – the length of a trailer passed with the message was too long. | Information | Security
01037 | IBASEC message error – a date or time field contained a date or time with invalid format or value. | Information | Security
01038 | IBASEC message error – the length of an IV passed with the message was incorrect. | Information | Security
01039 | IBASEC message error – the length of a session key passed with the message was incorrect. | Information | Security

01040 IBASEC TCP/IP Listener Error. The server is unable to listen for connection requests on an IBASEC interface.

Error System

01041 IBASEC TCP/IP or corba communications error. Error System 01042 IBASEC TCP/IP or corba internal error. Error System

01043 IBASEC Message Parsing error. A message received on an IBASEC interface could not be parsed.

Warning System

01044 Invalid cryptographic mode of operation specified Information Security 01045 Invalid cryptographic algorithm specified Information Security

01050 An application user has been added through the APPMAN module.

Information Security

01051 An application user has been modified through the APPMAN module.

Information Security

01052 An application user has been deleted through the APPMAN module.

Information Security


01053 | An application user has been approved through the APPMAN module | Information | Security
01054 | An application user has been disabled through the APPMAN module | Information | Security
01055 | An application user has been enabled through the APPMAN module | Information | Security
01056 | A dummy request has been sent over a production session | Warning | Security
01060 | Invalid Message Length | Information | System
01061 | Unknown Continuation Flag | Information | System
01062 | Invalid Decimal | Information | System
01063 | Invalid Hex | Information | System
01080 | Error during PEM message parsing | Error | Security
01082 | Missing mandatory fields (PEM, EDIFACT, …) | Error | Security
01090 | Ibasec process listen Error | Error | System
01091 | Ibasec process communication Error | Error | System
01092 | Ibasec process internal error | Alarm | System
01093 | Too many sessions opened | Warning | System
01094 | System resource exceeded (memory, IPC, socket, …) | Alarm | System
01095 | New connection accepted | Information | System
01096 | IbasecListenerMaxSessionEvent | Error | System
01097 | Ibasec session not available | Information | System
01098 | Unknown ibasec session | Information | System
01110 | New BP added | Information | Security
01111 | BP modified | Information | Security
01112 | BP deleted | Information | Security
01120 | New profile added | Information | Security
01121 | Profile modified | Information | Security
01122 | Profile deleted | Information | Security
01123 | Profile Encrypt defaults IV modified | Information | Security
01124 | Profile Hash defaults IV modified | Information | Security
01200 | Error during internal message parsing | Warning | System
02000 | A startup of the IBASEC server has been requested. | Information | System
02001 | The System-State is now “ready” | Information | System
02002 | The System-State is now “online” | Information | System
02003 | The System-State is now “offline” | Information | System
02005 | The System-State is now “error” | Alarm | System
02006 | Process not found | Reserved | Reserved
02007 | One of the processes of the server failed to start | Information | System
02008 | One of the processes of the server is missing | Information | System
02009 | A shutdown of the server has been requested | Information | System
02010 | Software Update started | Reserved | Reserved
02011 | Software Update ended | Reserved | Reserved
02012 | Software Update failed | Reserved | Reserved
02013 | Backup started | Reserved | Reserved
02014 | Backup ended | Reserved | Reserved
02015 | Backup failed | Reserved | Reserved
02016 | Reload started | Reserved | Reserved
02017 | Reload ended | Reserved | Reserved
02018 | Reload failed | Reserved | Reserved
03000 | KRYPTO Interface (to HSM) closed. | Information | System
03001 | KRYPTO Interface connecting | Information | System
03002 | KRYPTO Interface online | Information | System


03003 | KRYPTO Interface offline | Information | System
03004 | KRYPTO Interface error | Warning | System
03005 | Fetching Keys from HSM | Information | System
03006 | GC Configuration modified | Information | System
03010 | Two HSMs disagree on a verification result (one fails and the other succeeds). This event belongs to the HSM that failed. | Warning | Security
03011 | Interface is locked (maybe too many wrong password series) | Alarm | Security
03012 | Interface is blocked | Alarm | Security
03013 | Interface in backup mode | Warning | Security
03014 | Interface initialized | Warning | Security
03015 | Interface inactive | Warning | Security
03016 | Interface in manufacturer state | Warning | Security
03017 | Interface cache refreshing | Information | Security
03017 | Interface cache refreshed | Information | Security
03018 | Maintenance started | Information | Security
03019 | Maintenance completed | Information | Security
03020 | Maintenance ended with error | Warning | Security
03021 | Appliance Software installation started | Information | Security
03022 | Appliance Software installation completed | Information | Security
03023 | Appliance Software installation ended with error | Warning | Security
03024 | Appliance Software uninstallation started | Information | Security
03025 | Appliance Software uninstallation completed | Information | Security
03026 | Appliance Software uninstallation ended with error | Warning | Security
03027 | Running an HSM Job | Information | Security
03028 | Fail to run an HSM Job | Error | Security
03029 | Luna PED operation required (probably a PED key) | Information | Security
03101 | Key added to KEYMAN database | Information | Security
03102 | Key purged from KEYMAN database | Information | Security
03103 | A private key has been marked as deleted in the KEYMAN database | Information | Security
03104 | A Public Key has been marked as deleted in the KEYMAN database | Information | Security
03105 | A Public Key has been marked as unloaded in the KEYMAN database | Information | Security
03106 | A Public Key has been marked as active (loaded and available for use), in the KEYMAN database | Information | Security
03107 | Public key added to Keyman Database | Information | Security
03108 | Public key removed from Keyman Database | Information | Security
03109 | Private key removed from Keyman Database | Information | Security
03120 | A Public Key has been loaded into an HSM | Information | Security
03121 | A Public Key has been deleted from an HSM | Information | Security
03122 | A private key has been deleted from an HSM | Information | Security
03123 | Automatic key distribution has been started | Information | Security
03124 | Automatic key distribution has ended | Information | Security
03125 | Configuration of distribution priority weights has been corrected | Warning | System
03126 | Public key successfully imported | Information | System
03127 | Importing public key failed | Warning | System
03128 | Public key successfully exported | Information | System
03129 | Not-used BP added | Information | Security
03130 | Not-used BP could not be added | Error | Security


03131 | A public key has been activated | Information | Security
03132 | A private key has been activated | Information | Security
03133 | A public key has been deactivated | Information | Security
03134 | A private key has been deactivated | Information | Security
03135 | Test/Not Used change has been completed | Information | Security
03136 | Certificate successfully exported | Information | System
03137 | Cannot open event port | Error | System
03137 | Importing public key failed | Warning | System
03138 | Certificate successfully imported | Information | System
03139 | CA Id unknown | Warning | System
03140 | Certificate not found | Warning | System
03141 | File creation error | Warning | System
03142 | File exists | Warning | System
03143 | Invalid Certificate | Warning | System
03144 | Public Key for that certificate is already loaded | Warning | System
03145 | Root Key not loaded. Try 'Init CA' first | Warning | System
03146 | The certificate is not valid | Warning | System
03147 | The certificate is already in the database | Warning | System
03148 | certificate file not found | Warning | System
03149 | Invalid Certificate file | Warning | System
03150 | Certificate successfully deleted | Warning | System
03151 | No certificate found | Warning | System
03152 | Copy to restore directory failed | Warning | System
03153 | Certificate file could deleted | Warning | System
03154 | Invalid certificate application | Warning | System
03155 | Delete key request performed via the GUI | Warning | System
03156 | Load key request performed via the GUI | Warning | System
03157 | Purge key request performed via the GUI | Warning | System
03200 | A Public Key could not be fetched from an HSM because no valid Local Certification key exists in the HSM | Warning | System
03201 | A Public Key could not be loaded into an HSM because no valid Local Certification key exists in the HSM | Warning | System
03202 | A key has been ignored because the HSM is not configured to use this application | Warning | Security
03203 | CA certificate not found for the belonging CA | Warning | Security
03204 | CA certificate not in one HSM | Warning | Security
03205 | Certificate will be ignored because of the serial number in bpman | Warning | Security
03206 | HSM reports error aborted | Warning | Security
03207 | HSM reports invalid certificate | Warning | Security
03208 | HSM reports public memory full | Warning | Security
03209 | HSM reports error exception | Warning | Security
03210 | Certificate imported | Information | Security
03211 | Invalid Certificate | Warning | Security
03212 | Public key already loaded | Warning | Security
03213 | HSM is offline | Warning | Security
03214 | No key for PKI application was found | Warning | Security
03215 | No key for LOCERT application was found | Warning | Security
03216 | Please check if the CA key is loaded in the HSM | Warning | Security
03217 | The key to be certificated was not found | Warning | Security
03218 | The encoding of the certification request info failed | Warning | Security


03219 | The encoding of the certification request failed | Warning | Security
03220 | Generation of certification request was successful | Information | Security
03221 | Private key not found | Warning | Security
03222 | Public key not found | Warning | Security
03223 | Distribution stopped because key is not productive | Information | Security
03224 | Distribution stopped because key is already in all HSMs | Information | Security
03225 | Distribution stopped because key is loaded in enough HSM | Information | Security
03226 | Distribution stopped because of an HSM exception | Information | Security
03227 | Invalid public X509 certificate | Information | Security
03228 | Invalid private X509 certificate | Information | Security
03229 | Missing X509 certificate | Information | Security
03230 | HSM Internal error | Information | Security
04000 | A user has logged into the server | Information | Security
04001 | A user has logged out of the server | Information | Security
04002 | A user login has failed | Information | Security
04003 | A user account has been automatically disabled | Information | Security
04004 | A new user account has been added | Information | Security
04005 | A user account has been modified | Information | Security
04006 | A user account has been deleted | Information | Security
04007 | A user account has been enabled | Information | Security
04008 | A user account has been disabled | Information | Security
04009 | A user account has been approved | Information | Security
04010 | A user’s password has been changed | Information | Security
04011 | A user’s account was auto re-enabled after some seconds | Information | Security
04012 | User login failed: user disabled | Information | Security
04013 | User login failed: max days reached | Alarm | Security
04014 | User login failed: max uses reached | Alarm | Security
09000 | CA Scheduler started | Information | Security
09001 | Key certification successful | Information | Security
09002 | Key certification failed | Information | Security
09003 | No LDAP profile defined | Information | Security
09004 | Too many LDAP profiles defined | Information | Security
09006 | CAAuditSystemHTMLEvent | Information | Security
09007 | No SOAP profile defined | Reserved | Security
09008 | Too many SOAP profiles defined | Reserved | Security
09009 | CA Access File test successful | Information | Security
09010 | CA Access File test failed | Information | Security
09011 | SOAP ping facility successful | Reserved | Security
09012 | LDAP ping facility successful | Reserved | Security
09013 | CA ping facility successful | Information | Security
09014 | CMP ping facility successful | Information | Security
09015 | KRYPTOAuditSystemSetRemoteEvent | Information | Security
09016 | No private key found for CA certification | Information | Security
09017 | No public key found for CA certification | Information | Security
09018 | Change CA scheduler time | Information | Security
09019 | CORBA exception received during CA operations | Error | Security
09020 | Missing certification request | Information | Security
09021 | Cannot connect to web connector | Information | Security
09022 | LDAP ping successful | Information | Security
09023 | LDAP ping failed | Error | Security


09024 | SOAP ping successful | Information | Security
09025 | SOAP ping unsuccessful | Information | Security
09100 | LDAP ping successful | Information | Security
09101 | LDAP ping unsuccessful | Information | Security
09102 | CAAuditSystemSOAPSuccessfulEvent | Reserved | Reserved
09103 | CAAuditSystemSOAPFailedEvent | Reserved | Reserved
09104 | Invalid certification parameters | Information | Security
09105 | New certification request created | Information | Security
09106 | CAAuditSystemExportCertificationEvent | Reserved | Reserved
09107 | Cannot export file: file already exists | Information | Security
09108 | Cannot export file: error during writing | Information | Security
09109 | Unhandled exception during CA operations | Error | Security
09110 | Certification request fetched from SOAP connection | Information | Security
09111 | Cannot send certification request: certificate already exists | Error | Security
09112 | Invalid Certification format detected | Information | Security
09113 | Missing ‘BeginCertificate’ field on certification request | Information | Security
09114 | Fail to read certification request file | Information | Security
09115 | Line too big in certification request | Information | Security
09116 | Certification request file does not exist | Information | Security
09117 | Attempt to load a key from an invalid certificate | Alarm | Security
09118 | Attempt to use a non existing keyrollover rule | Alarm | Security
09119 | Unhandled exception during certification request process | Information | Security
09120 | Key loaded from certificate | Information | Security
09121 | Cannot perform this CA operation via file access | Information | Security
09122 | Cannot perform this CA operation via LDAP access | Information | Security
09123 | Missing proxy BP | Information | Security
09124 | SOAP request failed | Information | Security
09124 | Processing of key certificate completed | Information | Security
09125 | Cannot perform a key certification request: all resources are busy | Alarm | Security
09126 | No such key rollover rules found | Error | Security
09127 | CAInvalidRequestEvent | Reserved | Reserved
09128 | Key successfully loaded | Information | Security
09129 | Unknown BP found during CA operation | Information | Security
09130 | Cannot retrieve certification request | Error | Security
09131 | Too many certification requests | Error | Security
09132 | Communication to webconnector failed | Error | Security
09133 | Timeout received during LDAP operation | Error | Security
09134 | Certification parameter displayed on the screen (GUI) | Information | Security