Smart Card Activation (SCA)

SCA offers an additional security measure to protect the crypto server slots locally and/or externally using PIN Pads and Smart Cards that are operated by authorized Users.
Register local and/or remote PIN Pads for the individual Users via the PIN Pad Management section on the Security page, and assign between one and five Smart Cards to each PIN Pad.

Prerequisite

An update of the HSM firmware version to 6.0.0.0 is required if you want to use Smart Card-activated slots.

The User who has been assigned a PIN Pad with a Smart Card must make sure that:

  • if the device is connected locally, the PIN Pad is correctly connected to the device.

  • if the device is connected remotely, the PIN Pad Daemon and client (Webconf) are correctly configured.

Application example:

E.g.: Slot 1 has SCA enabled with 3 Users

  • SCA User 1 will be authenticated by local PIN Pad,

  • SCA User 2 will be authenticated by remote PIN Pad from location A,

  • SCA User 3 will be authenticated by remote PIN Pad from location B.

Up to 5 Users can be configured.
Each User has the option of generating up to 5 Smart Cards.

All registered PIN Pads are listed on the Security page in the Smart Card Management section.

The SCA configuration can be started:

HSM Guided Setup using SCA

If a slot is configured with SCA Users and the automatic creation of the CryptoWorker is set, the default key must be created manually in order to use the CryptoWorker.

First, the PIN Pad (one or more - at least one) must be configured.

  1. Log in to the Next Generation Hardware Appliance.

  2. Open the Security page.

  3. Go to the PIN Pad Management section.

  4. The Remote PIN Pad Locations can be managed here.

  5. Click Add Remote PIN Pad to open the corresponding form.

    1. Host: Enter the IPv4/v6 address or the hostname of the PIN Pad.

    2. Port: Enter the port of the remote PIN Pad.

    3. Password: Enter the Password for PIN Pad Daemon.

    4. Set as default: check to set this Remote PIN Pad as default.

    5. Test Connection: click to test if the Hardware Appliance can connect to the PIN Pad Daemon host with the provided port.

  6. Click Add to confirm and save the settings.

After all PIN Pads have been configured, open the HSM Initialization.

The Next Generation Hardware Appliance is in Factory Reset State and ready to be configured. A red banner indicates this status and features the action button: Initialize HSM.

  1. Scroll up to the HSM Configuration section.

  2. Click on Initialize HSM.

  3. The HSM Guided Setup dialog is displayed.

Select the following:

Appliance Security Level

Use the drop down menu to specify how many Smart Cards are required and how many should be created, e.g.
2 out of 3 Backup Protection Smart Cards.

Administration Smart Card

Use the drop down menu to specify how many administrator Smart Cards are required for administrator tasks, e.g.
1 Administration Smart Card.

Number of Copies

Use the drop down menu to specify the number of copies of administrator Smart Cards, e.g. 2 Copies.
Up to three copies of the Smart Card can be created.

Use Signed Audit Log

Check Use Signed Audit Log if the application should also be protected with a signature.

Smart Card Activation Users

Use the drop down menu to specify how many SCA Users should be created for the database protection token (Slot 0), e.g. 1 SCA User Required.

Smart Cards

Use the drop down menu to specify the Smart Cards for Database Protection Token (Slot 0):

  • reuse existing Smart Cards

  • generate new Smart Cards with a number of copies.

Choose PIN Pad

Use the drop down menu to select the PIN Pad to be used during the setup.

Important: The definition of the Smart Cards affects all Users.

  1. Click Preview to verify the settings.

  2. The HSM Guided Setup - Summary dialog is displayed with all the information you have entered.

  3. Click Start Setup.
    Actions with the PIN Pad are required to go through this process.

  4. The HSM setup now begins based on your settings. Refer to HSM initialization for a detailed description of the steps and helpful information.

  5. With HSM Guided Setup using SCA, additional steps for the HSM initialization are required at the end.
    These depend on whether the definition of the Smart Cards is:

    Reuse existing Smart Cards:

      • Prepare Slot Setup

      • Read SCA User

      • Store SCA Configuration

    Or generate new Smart Cards:

      • Prepare Slot Setup

      • Create SCA User #1

      • Write SCA User #1 - Original

      • SCA Cleanup

      • Update Slot User …

Configure SCA via Slot Management

  1. Log in to the Next Generation Hardware Appliance.

  2. Open the Security page.

  3. Go to the HSM Configuration section.

  4. Scroll down to the Slot Management table.

  5. Click Configure SCA in the Actions column in the Slot Management table for an initialized slot to open the corresponding form: Configure Smart Card Activation for Slot #x

    1. In the sub section Slot Authorization:
      Slot PIN: Specify the PIN that should be used to log into the slot.
      Authorization PIN Pad: In the drop-down menu, select the PIN Pad that is to be used to authenticate the administrator during the initialization of the slot.
      All available PIN Pads are listed.

    2. In the sub section Smart Card Activation:
      Smart Card Activation Users: In the drop-down menu, select how many Users should be created. Up to five Users can be selected. (e.g. 3 SCA Users Required)
      Smart Cards: In the drop-down menu, select whether you want to reuse an existing Smart Card and how many Smart Cards should be created. (e.g. Generate new with 2 copies).
      SCA User Mapping: In the drop-down menu, select which PIN Pad should be used per User.

  6. Click Update to confirm and save the settings.

  7. The Guided Setup dialog for Configure SCA for Slot #x is displayed.
    Actions with the PIN Pad are required to go through this process.
    In the dialog, a summary of all the information you have entered is displayed at the top of the window.

  8. Click Submit to start the configuration.

  9. After completing the process, click Finalize to end the Guided Setup.

Slot 0

Slot 0 contains the Database Protection Token.
It is only activated if Signed Audit Logs is activated during the HSM initialization with Administration Smart Card.

It is possible to configure SCA in Slot 0.
However, the SCA configuration sidebar for Slot 0 differs slightly from that for other slots.
The Slot PIN is required for all slots except for Slot 0.
