Create a new Security Domain
A Security Domain is made up of any number of HSMs and a set of Remote Access Cards.
- Expand Create New Security Domain.
- Click Start.
  The Security Domain Parameters window displays.
- Enter your parameters.
  When choosing the total number of security domain shares, consider the size of the quorum carefully.
  For example, if the security domain is shared over 8 Smart Cards and the quorum is set to 3, any three of the eight security officers need to be present to rebuild the Customer Trust Authority (CTA).
  If the security domain is shared over just 3 Smart Cards, there is less flexibility: the same three security officers must always be readily available.
  - Total Number of Security Domain Shares: the number of Smart Cards onto which the CTA shares are distributed. Valid values are 3-9.
  - Size of Security Domain Shares Quorum: the number of Smart Cards holding CTA shares that must be present to reassemble the CTA for various operations (including commissioning a payShield). The minimum value is 3.
  - Country, State, Locality, Organization, Common Name, Unit, Email: parameters included in the X.509 certificate corresponding to the CTA. Common Name is the only required parameter and should concisely describe the security domain.
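The trade-off between the share count and the quorum can be seen concretely with a k-of-n threshold scheme. The following is an added illustration, not payShield Manager code; the page does not say which secret-sharing construction the CTA uses, so the Shamir-style polynomial scheme, the field modulus `PRIME`, and the function names (`split_secret`, `reconstruct`, `count_valid_quorums`, `every_quorum_rebuilds`, `below_quorum_rebuilds`) are all assumptions made for the demonstration. It shows that with 8 cards and a quorum of 3 there are 56 different officer subsets that can rebuild the secret, whereas with 3 cards and a quorum of 3 there is exactly one, and that in both cases fewer than the quorum recovers nothing useful.

```python
"""Threshold-sharing model of the 'Total Number of Security Domain Shares' and
'Size of Security Domain Shares Quorum' parameters. Added illustration using a
Shamir-style (k-of-n) scheme over a prime field; the page does not state which
secret-sharing construction payShield Manager actually uses, so this is an
assumption made for the demonstration, not Thales code."""
import math
import secrets
from itertools import combinations

# Field modulus for the demo (assumption): a Mersenne prime large enough to hold
# a 126-bit stand-in for the CTA key material.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, total_shares, quorum):
    """Split `secret` into `total_shares` points; any `quorum` of them rebuild it.

    The range checks mirror the limits stated for the payShield wizard
    (3-9 shares, quorum of at least 3 and at most the share count)."""
    if not 3 <= total_shares <= 9:
        raise ValueError("total shares must be 3-9")
    if not 3 <= quorum <= total_shares:
        raise ValueError("quorum must be >= 3 and <= total shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    # Random polynomial of degree quorum-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    # Card i receives the point (i, f(i)); x=0 is never issued because f(0) is the secret.
    return [(i, _eval_poly(coeffs, i)) for i in range(1, total_shares + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0 over the given (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def count_valid_quorums(total_shares, quorum):
    """Number of distinct officer subsets that can rebuild the CTA."""
    return math.comb(total_shares, quorum)


def every_quorum_rebuilds(shares, quorum, expected):
    """True if every quorum-sized subset of the cards rebuilds `expected`."""
    return all(reconstruct(list(subset)) == expected
               for subset in combinations(shares, quorum))


def below_quorum_rebuilds(shares, quorum, expected):
    """True only if quorum-1 cards happen to rebuild `expected` (they should not)."""
    return reconstruct(shares[:quorum - 1]) == expected


if __name__ == "__main__":
    cta = secrets.randbelow(PRIME)  # constructed stand-in for the CTA secret
    for n, k in ((8, 3), (3, 3)):
        cards = split_secret(cta, n, k)
        print(f"{n} cards, quorum {k}: {count_valid_quorums(n, k)} possible quorums, "
              f"all rebuild={every_quorum_rebuilds(cards, k, cta)}, "
              f"{k - 1} cards rebuild={below_quorum_rebuilds(cards, k, cta)}")
```

Running the script prints the two configurations side by side: the 8-card domain tolerates the loss or absence of up to five cards, while the 3-card domain cannot tolerate the absence of any officer, which is the flexibility difference the parameter description refers to and the reason the backup advice at the end of this procedure matters.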
- Click Next.
- Follow the wizard instructions to commission each Smart Card (i.e., assign key shares to each security officer’s Smart Card).
  Each Smart Card will hold a share of the CTA.
- Click Next.
- Follow the prompt and insert your Smart Card into the card reader.
  The wizard continues:
  If your Smart Card is brand new, continue to Step ‘e’ below.
  If the system detects that you have already commissioned the Smart Card, you are alerted: if you click OK, the information on the card will be lost, but the original PIN remains (clicking OK does not erase the PIN).
- Click OK.
  The system prompts for the original PIN.
- Enter the original PIN.
- Press OK on the card reader.
  The system prompts for a new PIN.
- Enter a new PIN (for example, a 6-digit PIN).
- Press OK on the card reader.
- Enter the new PIN again to confirm.
- Press OK on the card reader.
  The wizard continues and displays the message “Security domain share received (card may be removed)”.
- Click Next.
- Remove the card and repeat the process for each card (i.e., for each security officer).
- After the final security officer has confirmed a PIN, click Finish.
  At this point a set of security domain credentials, i.e., a Customer Trust Authority (CTA), has been created and split across the Smart Cards, with each trusted officer holding one share.
  Once created, this CTA can be loaded into any uncommissioned payShield 10K.
  These cards are critical to the remote management process: they are required each time an HSM or a Smart Card is added to the security domain.
  It is a best practice to back up these cards and store the backups in a secure off-site location.