payShield 10K Installation and User GuidepayShield 10K Installation and User Guide
© Thales Group Page 188
All Rights Reserved
9.8.2 Using payShield Manager
9.8.2.1 Installing the LMK
The new LMK is loaded using the Install button in the appropriate payShield Manager tab:
• Operational > LMK Operations > Local Master Keys where the new LMK is to be loaded into LMK Live
storage, or
• Operational > LMK Operations > Key Change Storage where the new LMK is to be loaded into LMK Key
Change storage.
The LMK ID will need to be specified.
9.8.2.2 Checking the LMK
The installed LMK can be checked by viewing the LMK list.
Navigate to either of the following:
• Operational > LMK Operations > Local Master Keys
• Operational > LMK Operations > Key Change Storage
9.9 Loading the old LMK
So far, you have created a set of cards containing the components for the new LMK, and used them to load into the
HSM the “new” LMK that keys and data to be re-encrypted to.
To migrate keys from encryption under an old (current) LMK to encryption under the new LMK, we also need to have
the old LMK loaded in the HSM. The old LMK can be left in LMK Lives storage or loaded into LMK Key Change
Storage, depending on the approach being taken.
If the old LMK is to be loaded into Key Change Storage, this can be done using a Console or payShield Manager.
9.9.1 Using the Console
The old LMK is loaded into Key Change Storage using the LO console command.
Follow this link for additional instruction: Appendix , “Console Commands”
The payShield 10K must be in Secure state. In addition, the HSM must be in Authorized state. If multiple authorized
states are enabled, the activity category is admin (with no sub-category), and the console interface should be
selected.
The use of the LO console command is the same as for the LK console command mentioned previously, except that
no existing LMK needs to be erased and so you will not be prompted to confirm an erasure.
To Next Page
Loading...
