IBM HSM modes

To support PCI-HSM 2016 compliance mode, an IBM® cryptographic coprocessor (HSM) provides three operational modes. Learn how to move an HSM domain from Normal Mode to Imprint Mode and finally to Compliance Mode.

Figure 1. Operational modes of the IBM HSM

The subsequent sections describe each of these modes in more detail. Refer to the TKE documentation for information about how to use the TKE to change modes.

Normal Mode

All domains of the IBM HSM are in Normal Mode when the IBM HSM is first manufactured, or when it is reinitialized. Normal Mode is the legacy mode in which PCI-HSM requirements are not enforced. Every mode has a sub-mode called Warn Mode, but it is most useful in Normal Mode. Warn Mode exists to make it easier for customers to transition from their current non-compliant systems to systems that comply with PCI-HSM requirements. In Warn Mode, all applications run normally, but the IBM HSM issues a warning whenever a non-compliant key or operation is used. In this way, the customer can see what must change in the way their application uses the IBM HSM in order to achieve PCI-HSM compliance.

Imprint Mode

Imprint Mode is a transitional state between the non-compliant Normal Mode and the PCI-HSM 2016 compliance mode. Imprint Mode initializes a chain of trust that protects all PCI-HSM compliant cryptographic keys. It creates a special administrative environment that enforces controls to ensure that administrators are configured to match the requirements of PCI-HSM compliance. The TKE is used to change from Normal Mode to Imprint Mode using a dual-control process. It is possible to return directly from Imprint Mode to Normal Mode using a single-control command to the IBM HSM.

The administrators used in Normal Mode are IBM HSM-scope administrators. They can perform administrative functions on any of the domains (virtual IBM HSMs) in the IBM HSM. In Imprint Mode, in preparation for PCI-HSM compliant operation, domain-scope administrators must be defined by the security officers from the TKE.

Domain-scope administrators only have the authority to perform administrative operations on a single domain. It is possible to install identical domain-scope administrators for multiple domains, if desired. This can simplify administration of related domains as a group.

A single default domain-scope administrator is defined when Imprint Mode is entered, but it is locked:

  • The default public key associated with the default user profile is not allowed to be loaded for any other users.
  • The capabilities of the role assigned to the default user cannot be changed.
  • The default user cannot be used to load Master Key parts or as part of a dual control operation to enter Compliance Mode.

Non-default domain-scope administrators with the appropriate capabilities can be used to load Master Key parts and to set the Master Key while in Imprint Mode.

While in Imprint Mode, application programs can continue to operate as if the IBM HSM were in Normal Mode. All keys and API functions that worked in Normal Mode will work in Imprint Mode.

The secure audit log is enabled as part of the transition to Imprint Mode, and is forced to the non-wrapping mode of operation. See Section 11 for details on the secure log.

Compliance Mode

Compliance Mode, also called PCI-HSM 2016 compliance mode, provides a fully PCI-HSM compliant environment. The transition from Imprint Mode to Compliance Mode is performed with a TKE using a dual-control process.

The IBM HSM does not permit the use of any default (initial) administrative keys while in Compliance Mode, even if such keys have not been replaced or deleted.

The final state transition shown in Figure 1 is a transition from Compliance Mode to Normal Mode. This is done using a dual-control operation performed with the TKE, and the transition takes the IBM HSM domain out of PCI-HSM compliant operation. Once in Normal Mode, the derived master key that was used to wrap the compliance-tagged CCA keys is unavailable, so none of the compliance-tagged keys for that domain can be used in Normal Mode. The operations that completely reinitialize a domain (Zeroize domain) or the entire IBM HSM (Zeroize crypto module) also return it to Normal Mode after clearing all sensitive data. The Zeroize operations can be performed either with the TKE or using the support element (SE) on the IBM Z® server.

The scope of an instance of PCI-HSM 2016 compliance mode is one domain of the IBM HSM. Domains are logically separate, and one domain can be in PCI-HSM 2016 compliance mode while another domain is not. Domains cannot share any keys or sensitive data, and cannot influence each other in any way.

While in Compliance Mode, PIN operations are restricted to those allowed under ISO 9564, including restrictions on translations between different PIN block formats.
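As an added example for this page (not IBM's code, not the TKE, and not the CCA API), the following Python model captures the state machine of Figure 1 together with the controls described in the sections above: dual-control entry into Imprint Mode and Compliance Mode, the single-control return from Imprint Mode to Normal Mode, the locked default domain-scope administrator, the secure audit log being forced on at Imprint entry, compliance-tagged keys becoming unusable once a domain leaves Compliance Mode, Warn Mode, Zeroize, and the independence of domains. The class and method names, the administrator objects, the exactly-two-approvers rule, and the assumption that only domain-scope administrators act once Imprint Mode is entered are modelling choices, not statements from the page.

```python
"""Model of the per-domain mode state machine on this page (Normal -> Imprint ->
Compliance and the return paths).  Added for this page: not IBM code, not the
TKE and not the CCA API; names and the exactly-two-approvers rule are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    NORMAL = "Normal"
    IMPRINT = "Imprint"
    COMPLIANCE = "Compliance"


class PolicyError(Exception):
    """An operation that the controls of the current mode forbid."""


@dataclass(frozen=True)
class Admin:
    name: str
    domain: Optional[int]     # None = HSM-scope administrator (Normal Mode)
    is_default: bool = False  # the locked default domain-scope administrator


@dataclass
class Domain:
    index: int
    mode: Mode = Mode.NORMAL
    warn: bool = False                    # Warn sub-mode, selectable in any mode
    audit_log_non_wrapping: bool = False  # forced on when Imprint Mode is entered
    master_key_parts: list = field(default_factory=list)
    compliance_tagged_keys: set = field(default_factory=set)
    compliance_keys_usable: bool = False  # derived MK exists only in Compliance Mode

    def _require(self, mode):
        if self.mode is not mode:
            raise PolicyError(f"domain {self.index} is in {self.mode.value} Mode")

    def _may_administer(self, admin):
        # Normal Mode: HSM-scope admins.  Imprint/Compliance: domain-scope admins of
        # this domain only (model assumption).  The default admin is locked out of
        # key loading and of every dual-control operation.
        if admin.is_default:
            raise PolicyError("default administrator may not load keys or approve")
        in_scope = admin.domain is None if self.mode is Mode.NORMAL else admin.domain == self.index
        if not in_scope:
            raise PolicyError(f"{admin.name} has no authority over domain {self.index}")

    def _dual_control(self, approvers):
        if len({a.name for a in approvers}) != 2:
            raise PolicyError("dual control needs two distinct administrators")
        for a in approvers:
            self._may_administer(a)

    # Transitions of Figure 1
    def enter_imprint(self, approvers):
        """Normal -> Imprint: TKE, dual control; secure audit log forced non-wrapping."""
        self._require(Mode.NORMAL)
        self._dual_control(approvers)
        self.mode, self.audit_log_non_wrapping = Mode.IMPRINT, True
        return Admin("default-domain-admin", self.index, is_default=True)

    def imprint_to_normal(self, admin):
        """Imprint -> Normal: a single-control command."""
        self._require(Mode.IMPRINT)
        self._may_administer(admin)
        self.mode = Mode.NORMAL

    def enter_compliance(self, approvers):
        """Imprint -> Compliance: TKE, dual control (default admin excluded)."""
        self._require(Mode.IMPRINT)
        self._dual_control(approvers)
        self.mode, self.compliance_keys_usable = Mode.COMPLIANCE, True

    def compliance_to_normal(self, approvers):
        """Compliance -> Normal: TKE, dual control; the derived MK is lost, so
        compliance-tagged keys stay on the domain but can no longer be used."""
        self._require(Mode.COMPLIANCE)
        self._dual_control(approvers)
        self.mode, self.compliance_keys_usable = Mode.NORMAL, False

    def zeroize(self):
        """Zeroize domain: clear all sensitive data and return to Normal Mode."""
        self.master_key_parts.clear()
        self.compliance_tagged_keys.clear()
        self.mode, self.compliance_keys_usable = Mode.NORMAL, False
        self.audit_log_non_wrapping = self.warn = False

    # Operations whose outcome depends on the mode
    def load_master_key_part(self, admin, part):
        self._may_administer(admin)
        self.master_key_parts.append(part)

    def create_compliance_tagged_key(self, label):
        self._require(Mode.COMPLIANCE)
        self.compliance_tagged_keys.add(label)

    def use_key(self, label):
        """'ok', or 'warn' for a non-compliant (untagged) key while Warn Mode is on."""
        if label in self.compliance_tagged_keys:
            if not self.compliance_keys_usable:
                raise PolicyError(f"{label} is compliance-tagged; unusable in {self.mode.value} Mode")
            return "ok"
        return "warn" if self.warn else "ok"
```

Walking one domain through the figure: two HSM-scope administrators approve `enter_imprint`, which switches on the audit log and hands back the locked default administrator; that administrator is rejected for `load_master_key_part` and as an approver of `enter_compliance`, as is a pair of identical approvers. After `enter_compliance`, a key created with `create_compliance_tagged_key` is usable; after `compliance_to_normal` the same label raises `PolicyError`, while a second `Domain` object is untouched throughout.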