Before an Atalla HSM can work with a DPP Appliance, you must create the security association with at least three security administrator smart cards. This procedure requires a Secure Configuration Assistant-3 (SCA-3) that is connected to an Utimaco Atalla Secure Keypad (ASK), and a set of at least three security administrator smart cards. You can connect the SCA-3 directly to an Atalla HSM, or you can connect it to a Windows computer using the Remote Management Utility for a remote connection to the Atalla HSM.
If you are using the Remote Management Utility on a Windows computer that is on a different network than the Atalla HSM, you might need to open the port used for communication to the SCA-3 (as specified by the PORT_MANAGEMENT= parameter of the config.prm file) on your firewall.
See Chapter 2, “Connect the SCA-3 to an HSM or personal computer” in the Atalla Secure Configuration Assistant-3 Users Guide for details.
After creating the security association, you can create the Master File Key (MFK) using at least two of the security administrator cards.
OpenText recommends creating the MFK using AES encryption. If you have upgraded your Atalla AT1000(s) to version 8.30 or later, you MUST create an AES MFK (AMK) before you can upgrade the Appliance to version 6.8 and later. See Migrate the Appliance (to 7.0.0 and later) With Atalla Software version 8.30 or later.
Detailed instructions for creating the security association and MFK are available in chapters 3 and 4 of the Atalla Secure Configuration Assistant-3 Users Guide. The following steps provide an overview of the sections that you must complete. The name of the step corresponds to the title of the section.
- Personalize the smart card.
This sub-section is in Chapter 3, “Initialize the HSM.” Follow the instructions in this sub-section to enter a user name and PIN for at least three security administrator smart cards. This step is successfully completed for each card when the PIN is required each time the card is inserted into the Atalla Secure Keypad.
- Do one of the following:
  - Create the security association and define the SCA use policy:
This sub-section is in Chapter 3, “Initialize the HSM.” Follow the instructions in this sub-section if this is the first Atalla HSM being installed in an environment. This step is successfully completed when the SCA-3 displays the following:
Create New Security Association
Transaction Results:
The security administrator smart card was successfully added to the new security association!
The connected HSM was successfully added to the new security association
  - Add a HSM to a security association:
This sub-section is in Chapter 3, “Initialize the HSM.” Follow the instructions in this sub-section if this is not the first Atalla HSM being installed in the environment. This step is successfully completed when the SCA-3 displays the following:
Add HSM to Security Association
Transaction Results:
The connected HSM was successfully added to the existing security association
The security association cryptographically links the security administrator smart cards to the Atalla HSM. The administrators who hold at least two of the administrator smart cards must be present to insert their cards and enter their PINs.
- HSM time adjustment.
This sub-section is in Chapter 4, “Define the HSM security policy.” Follow the instructions in this sub-section to check the clock time on each Atalla HSM and adjust the time, if needed. This step is successfully completed when the HSM system time displays correctly when you tap the HSM status icon on the SCA-3.
- Define the MFK key components.
This sub-section is in Chapter 3, “Initialize the HSM.” Follow the instructions in this sub-section to define the MFK components and their values on the security administrator smart cards.
The minimum number of key components that can be combined to form an MFK is two. The maximum number is equal to the number of security administrators who created the security association. After you define a component, the Atalla Secure Keypad displays the key component value. Record this value, because this is the only time that the value is displayed in cleartext.
This step is successfully completed for each card when the SCA-3 displays the component check digits for the key component.
- Send a key component to the HSM.
This sub-section is in Chapter 3, “Initialize the HSM.” Follow the instructions in this sub-section to push the MFK components from the security administrator smart cards to an Atalla HSM in the security association. Once the Atalla HSM has received the correct number of key components, it creates the MFK and its check digits, and stores them in non-volatile memory.
This step is successfully completed when the SCA-3 Current Transaction window displays the following:
Send Key to HSM
Transaction Results:
The key was successfully defined in the HSM!
Key Type: MFK
Key Check Digits: <digit_value>
To ensure that encrypted Appliance master secrets generated on one Atalla HSM can be used on another, all Atalla HSMs in the cluster must contain the same MFK.
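The following model, added here as an illustration and not taken from Atalla or OpenText code, shows why the ceremony above works the way it does: each administrator's component reveals nothing on its own, the HSM forms the MFK only once the required number of components has arrived, and check digits let you confirm that two HSMs hold the same MFK without the key ever being displayed. Two details are assumptions: the components are combined by XOR (the usual multi-component key convention), and "check digits" are modelled as the first four hex digits of a SHA-256 over the key, a stand-in for the HSM's own check-digit algorithm, which the text does not specify.

```python
"""Added illustration of the MFK ceremony; not Atalla or OpenText code.
Assumptions (labelled): components combine by XOR, and check digits are the
first four hex digits of SHA-256 over the key, standing in for the HSM's own
check-digit algorithm, which the text does not specify."""
import hashlib
import secrets
from typing import List, Optional, Sequence

KEY_LEN = 32          # assumed AES-256 MFK (AMK) length in bytes
MIN_COMPONENTS = 2    # the text: at least two components form an MFK


def check_digits(key: bytes) -> str:
    """Short, non-reversible fingerprint used to compare keys without revealing them."""
    return hashlib.sha256(key).hexdigest()[:4].upper()


def new_component() -> bytes:
    """One administrator's share; its cleartext is shown to the card holder once."""
    return secrets.token_bytes(KEY_LEN)


def combine_components(components: Sequence[bytes]) -> bytes:
    """XOR all components into one key.  No single component reveals anything
    about the result, which is what gives split knowledge its value."""
    if len(components) < MIN_COMPONENTS:
        raise ValueError(f"need at least {MIN_COMPONENTS} components, got {len(components)}")
    if any(len(c) != KEY_LEN for c in components):
        raise ValueError("every component must be exactly KEY_LEN bytes")
    key = bytes(KEY_LEN)
    for comp in components:
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


class ToyHSM:
    """Receiving side of 'Send a key component to the HSM'.  The HSM keeps the
    assembled MFK internally and only ever reports its check digits."""

    def __init__(self, components_required: int) -> None:
        if components_required < MIN_COMPONENTS:
            raise ValueError("an MFK requires at least two components")
        self.components_required = components_required
        self._received: List[bytes] = []
        self._mfk: Optional[bytes] = None

    def send_key_component(self, component: bytes, expected_digits: str) -> Optional[str]:
        """Accept one component after verifying its check digits (catches a
        mis-recorded component before it corrupts the MFK).  Returns the MFK
        check digits once the required number of components has arrived."""
        if check_digits(component) != expected_digits:
            raise ValueError("component check digits do not match; component rejected")
        self._received.append(component)
        if len(self._received) == self.components_required:
            self._mfk = combine_components(self._received)
            self._received.clear()   # components are not needed once the MFK exists
            return check_digits(self._mfk)
        return None

    def mfk_check_digits(self) -> Optional[str]:
        return None if self._mfk is None else check_digits(self._mfk)


def load_mfk(hsm: ToyHSM, components: Sequence[bytes]) -> str:
    """Replay the ceremony against one HSM: each card holder sends their component
    together with the check digits recorded when the component was defined."""
    result = None
    for comp in components:
        result = hsm.send_key_component(comp, check_digits(comp))
    if result is None:
        raise RuntimeError("HSM did not receive enough components to form the MFK")
    return result


def cluster_mfk_digits(components: Sequence[bytes], hsm_count: int = 2) -> List[str]:
    """Load the same components into several HSMs (alternating the order to show
    that XOR is order-independent) and return each HSM's reported MFK check
    digits.  Matching digits mean the cluster shares one MFK, as the text requires."""
    digits = []
    for i in range(hsm_count):
        order = list(components) if i % 2 == 0 else list(reversed(components))
        digits.append(load_mfk(ToyHSM(len(components)), order))
    return digits


if __name__ == "__main__":
    comps = [new_component() for _ in range(3)]   # three administrators, constructed at random
    for n, c in enumerate(comps, 1):
        print(f"component {n} check digits: {check_digits(c)}")   # what each card holder records
    print("MFK check digits per HSM:", cluster_mfk_digits(comps, hsm_count=2))
```

The per-component check digits mirror what the SCA-3 shows when a component is defined, and the MFK check digits mirror the `Key Check Digits` line of the `Send Key to HSM` result; comparing that line across every HSM in the cluster is the practical way to confirm they share one MFK.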