Thales payShield 10K PS10-F - User Manual

The Thales payShield 10K PS10-F is a Host Security Module (HSM) designed to provide robust security for various applications, particularly in financial services. It offers a secure environment for cryptographic operations, key management, and data protection.

Function Description:

The payShield 10K serves as a dedicated hardware security module that protects cryptographic keys and performs sensitive operations such as encryption, decryption, digital signing, and key generation. It is designed to meet stringent security requirements, including those for payment card industry (PCI) compliance. The device integrates into a rack-mount environment, offering both local and remote management capabilities.

Key functions include:

• Cryptographic Processing: Executes a wide range of cryptographic algorithms to secure data and transactions.
• Key Management: Securely generates, stores, and manages cryptographic keys throughout their lifecycle. This includes support for various key types and hierarchies.
• Transaction Security: Provides real-time protection for financial transactions, ensuring data integrity and confidentiality.
• Authentication: Supports secure authentication mechanisms for users and systems interacting with the HSM.
• Tamper Detection and Response: Incorporates physical security features to detect and respond to tampering attempts, protecting sensitive data.
• Remote and Local Management: Can be managed via a secure GUI (payShield Manager) over an Ethernet connection or through a local console terminal.

Important Technical Specifications:

• Form Factor: 1U rack-mount unit, designed for standard 19-inch racks.
• Dimensions: 1U rack 19" x 29" x 1.75" (482.6mm x 736.6 mm x 44.5mm).
• Power Consumption: Maximum Operating Power Consumption of 80W.
• Operating Temperature: 0°C to 40°C.
• Storage Temperature: -5°C to 45°C.
• Transportation Temperature: -25°C to 70°C.
• Operating Humidity: 5-85% Relative non-condensing at 30°C.
• Storage Humidity: 5-93% Relative non-condensing at 30°C.
• Transportation Humidity: 5-93% Relative non-condensing at 40°C.
• Altitude: -100m to 2000m AMSL (Above Mean Sea Level).
• FICON Interface: Supports speeds up to 32Gbp/s, with options for 8Gbp/s or 16Gbp/s.
  • Short Wavelength Transceiver:
    • Data Rate: 8.5Gb/s (8GFC), 14.025Gb/s (16GFC), 28.05Gb/s (32GFC) (auto-detected).
    • Optics: Short wave (850 nm) laser.
    • Cable Types: Multimode (OM4 - 50/125 µm, OM3 - 50/125 µm, OM2 - 50/125 µm, OM1 - 62.5/125 µm).
    • Connector Type: LC.
    • Minimum Cable Length: 0.5 meters.
    • Max. Cable Length (dependent on fiber material): OM1 (25M), OM2 (50M for 8.5Gb/s, 35M for 14.025Gb/s, 20M for 28.05Gb/s), OM3 (150M for 8.5Gb/s, 100M for 14.025Gb/s, 70M for 28.05Gb/s), OM4 (190M for 8.5Gb/s, 125M for 14.025Gb/s, 100M for 28.05Gb/s).
  • Long Wavelength Transceiver:
    • Data Rate: 8.5Gb/s (8GFC), 14.025Gb/s (16GFC), 28.05Gb/s (32GFC) (auto-detected).
    • Optics: Long wave (1310 nm) laser.
    • Cable Types: Single Mode (OS2 - 9 µm, OS1 - 9 µm).
    • Connector Type: LC.
    • Minimum Cable Length: 0.5 meters.
    • Max. Cable Length: OS1 & OS2 (10 Km for 8.5Gb/s, 14.025Gb/s, 28.05Gb/s).
• Connectivity:
  • FICON Ports: Two FICON ports (Port 1 shown with dust cover, Port 2 not used).
  • Ethernet Ports: Two Host Ethernet ports (1 & 2), Management & Auxiliary Ethernet ports.
  • USB Ports: USB-C console port, Printer ports (Ethernet & USB A).
  • Serial Port: For service and console access.
• Security Features: Tamper light, Left and Right key locks, Health LED, Smart card reader, Erase button access, Security keys.
• Power Supplies: Two hot-swappable power supplies for redundancy.
• Cooling: Two hot-swappable fans.
• LED Indicators: Tamper light, Service light, Health LED, Fan status LED, Power supply status LED, FICON yellow & green LEDs.

Usage Features:

• Rack Mounting: The device is designed for easy installation into a standard 1U rack. It includes a universal rack mount kit that supports various rack depths and hole types (square hole and unthreaded round hole racks). The installation process involves attaching inner rails to the chassis, installing outer rails into the rack, and then sliding the unit into the rack until safety latches engage.
• Physical Security: The unit is physically locked into the rack using two key locks on the front panel, with each lock having its own key typically held by a security officer. This ensures that the unit remains secured within the rack.
• Initial Setup:
  • Unpacking: Requires checking for tamper-evident bags on the unit and keys, verifying serial numbers, and ensuring all components (HSM, rail kit, power cables, security keys, USB-C to USB-A cable, FICON transceivers, loopback device, documentation) are present.
  • SFP Installation: Short form-factor pluggable (SFP) transceivers are inserted into FICON Port 1. Care must be taken to avoid damaging the transceivers and to observe ESD precautions.
  • Cabling: Connecting Fiber optic cables to FICON Port 1, power cables to the power supplies, and Ethernet cables for management and host connectivity.
  • Console Connection: A USB-C to USB-A cable connects the HSM's USB-C port to a laptop for console access. Windows drivers may need to be installed for the USB-to-serial connection. A terminal emulation program is used with specific settings (Baud Rate: 9600 bps, Word Length: 8 bits, Parity: None, Stop Bits: 1 bit) to test the connection.
  • Power On: The unit is powered on using the switch at the back. A period of time is required for the unit to become operational, indicated by the Health LED turning solid white or red, and FICON interface Power On Self-test completion (indicated by yellow and green LEDs).
• Management:
  • payShield Manager: A secure GUI interface for remote and local management, requiring an Ethernet connection from the Management Port. If DHCP is not used, the console may be needed to set up a static IP address for payShield Manager.
  • Console Terminal: Provides a command-line interface for configuration and troubleshooting.
  • Host Port Configuration: Host ports are configured via the console or payShield Manager to suit system requirements, with parameters varying based on the communication type (e.g., Ethernet, FICON).
• Testing Connections:
  • Console: Pressing on the console/laptop keyboard should elicit a response like "Online>", "Offline>", or "Secure>".
  • Ethernet (Host): PING commands from both the payShield 10K to the Host and vice versa.
  • FICON: The FICNTEST console command can be used, requiring the loopback device provided with the transceiver.

Maintenance Features:

• Hot-Swappable Components: Power supplies and fans are hot-swappable, allowing for replacement without powering down the unit, enhancing availability.
• LED Indicators: Comprehensive LED indicators provide visual status updates for various components (tamper, service, health, fans, power supplies, FICON ports), aiding in quick diagnosis of issues.
• Documentation: User manuals, including the payShield 10K Regulatory User Warnings & Cautions, Installation Quick Start Guide, and Console Guide, are available for download from the Thales CPL support website, providing detailed instructions for installation, configuration, and troubleshooting.
• Security Key Management: The device uses security keys for locking and operational states, which are typically managed by security officers, ensuring controlled access.
• Software Updates: Firmware updates and maintenance procedures are typically managed through the payShield Manager or console, as detailed in the user guides.
• Environmental Monitoring: The device's specifications for operating, storage, and transportation temperatures and humidity, along with airflow considerations, guide proper installation to ensure optimal performance and longevity.