I continue to get a lot of views here regarding my posts related to working with the Thales HSM 8000 (and its 7000 predecessor). I’ve had some good conversations recently with people trying to get past various implementation obstacles. After one recent conversation, I realized I ought to write something covering a good ‘Step One.’ It’s an approach I advocate. Namely, before diving directly into PIN mechanics, you ought to start off with implementing something ‘key-less,’ like the ‘Perform Diagnostics’ command (the NC/ND exchange). By getting that working first, you confirm that:
- You’ve established a proper physical connection to the box.
- You’re in alignment with the device’s established Configuration Settings.
- You're correctly calculating the message length and prepending it properly. *
- Your code can create a simple request and, subsequently, recognize and parse its related reply.

* I’m assuming that you’re connecting the device via TCP/IP. If so, you need to preface the command with a two-byte message length header sent in network byte order (nbo). Expect the same on the response.
By starting with this step, you take the following elements out of play:
- Key mismatch
- Key scheme mismatch
- PIN format mismatch
- Mis-population of poorly-described fields
- Malformed commands (since the extent of the ‘NC’ command is simply ‘NC’ – pretty hard to mess that up)
hsm-base.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <schema>
      <field id="command" type="A" length="2" key="true" />
    </schema>

hsm-resp-base.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <schema>
      <field id="response" type="A" length="2" key="true" />
      <field id="error" type="A" length="2" />
    </schema>

hsm-NC.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <schema id='NC'>
    </schema>

[Kind of a funky one, because there’s actually nothing to append to the message after the command field!]

    <?xml version="1.0" encoding="UTF-8"?>
    <schema id='ND'>
      <field id="lmk-check-value" type="A" length="16" />
      <field id="firmware-number" type="A" length="9" />
    </schema>
Then, in our ThalesAdapter we do this (FSDMsg being an underlying component of the jPOS framework):

    // Send the key-less 'Perform Diagnostics' (NC) command and return the parsed ND reply.
    public FSDMsg diagnostics () {
        return command (createRequest ("NC"));
    }

    // Build a request whose schema files are resolved from the "file:cfg/hsm-" base path.
    private FSDMsg createRequest (String command) {
        FSDMsg req = new FSDMsg ("file:cfg/hsm-");
        if (command != null)
            req.set ("command", command);
        return req;
    }

    // Pack the request, send it, and unpack the reply; returns null on timeout or error.
    public FSDMsg command (FSDMsg request) {
        LogEvent evt = trace ? getLog().createTrace () : null;
        FSDMsg resp = null;
        try {
            if (trace)
                evt.addMessage (request);
            // command (String, LogEvent) is the overload that talks to the HSM; it is not shown in this post.
            String s = command (request.pack(), evt);
            if (s != null) {
                resp = new FSDMsg ("file:cfg/hsm-resp-");
                resp.unpack (s.getBytes());
                if (trace)
                    evt.addMessage (resp);
            } else {
                if (trace)
                    evt.addMessage ("TIMEOUT");
            }
        } catch (Exception e) {
            if (trace)
                evt.addMessage (e);
            else
                getLog().error (e);
        } finally {
            if (trace)
                Logger.log (evt);
        }
        return resp;
    }
Then, in our deploy directory, we’ve got an element called 90_thales_ping.xml that executes a small script like this:

    <script name="ThalesPing" logger="Q2">
      import org.jpos.util.FSDMsg;
      import org.jpos.util.NameRegistrar;
      import org.jpos.security.thales.ThalesAdapter;
      while (qbean.running()) {
          try {
              ThalesAdapter sm = (ThalesAdapter) NameRegistrar.get ("Thales");
              sm.diagnostics();
          } catch (Throwable t) {
              log.error (t);
          }
          Thread.sleep (300000);
      }
    </script>

    <security-module name="Thales" class="org.jpos.security.thales.ThalesAdapter" logger="Q2">
      <property name="trace" value="false" />
      <property name="status:host:port" value="@thales-status_0@:@thales_0@" />
      <property name="status:host:port" value="@thales-status_1@:@thales_0@" />
      <property name="relax" value="30000" />
    </security-module>

    <log realm="org.jpos.security.thales.ThalesAdapter" at="Tue Apr 24 11:31:21 EDT 2007.794">
      <trace>
        <fsdmsg schema='file:cfg/hsm-base'>
          command: 'NC'
        </fsdmsg>
        request: 'NC'
        response: 'ND0011556544016911441053-0822'
        elapsed: 187ms
        <fsdmsg schema='file:cfg/hsm-resp-base'>
          response: 'ND'
          error: '00'
          lmk-check-value: '1155654401691144'
          firmware-number: '1053-0822'
        </fsdmsg>
      </trace>
    </log>
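
The two-byte length header and the NC/ND field layout described above, shown without jPOS as an added example (not code from the original post or from the jPOS project). The class and method names are hypothetical, the reply bytes are constructed by re-framing the response string from the trace, and the handling of a non-00 error code is an assumption.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class ThalesPingFraming {
    // Parsed ND reply; field widths follow the hsm-resp-base and ND schemas above.
    record NdReply(String error, String lmkCheckValue, String firmwareNumber) {}

    // Prepend the two-byte length header in network byte order (big-endian).
    static byte[] frame(String command) {
        byte[] body = command.getBytes(StandardCharsets.US_ASCII);
        if (body.length > 0xFFFF)
            throw new IllegalArgumentException("body exceeds two-byte length header");
        byte[] out = new byte[body.length + 2];
        out[0] = (byte) (body.length >> 8);
        out[1] = (byte) body.length;
        System.arraycopy(body, 0, out, 2, body.length);
        return out;
    }

    // Read one length-prefixed reply; readFully copes with TCP delivering it in pieces.
    static String readFrame(DataInputStream in) throws IOException {
        byte[] body = new byte[in.readUnsignedShort()];
        in.readFully(body);
        return new String(body, StandardCharsets.US_ASCII);
    }

    // Split an ND reply into response code (2), error (2), LMK check value (16), firmware (9).
    static NdReply parseNd(String s) {
        if (s.length() < 4 || !s.startsWith("ND"))
            throw new IllegalArgumentException("not an ND reply: " + s);
        String error = s.substring(2, 4);
        // Assumption: the remaining fields are only present when the error code is 00.
        if (!"00".equals(error))
            return new NdReply(error, null, null);
        if (s.length() < 29)
            throw new IllegalArgumentException("ND reply shorter than the schema's 29 characters");
        return new NdReply(error, s.substring(4, 20), s.substring(20, 29));
    }

    public static void main(String[] args) throws IOException {
        byte[] request = frame("NC");
        System.out.printf("request: %02X %02X %02X %02X%n",
                request[0], request[1], request[2], request[3]);
        // Constructed wire bytes: the response string from the trace above, re-framed.
        byte[] wire = frame("ND0011556544016911441053-0822");
        NdReply reply = parseNd(readFrame(new DataInputStream(new ByteArrayInputStream(wire))));
        System.out.println(reply);
    }
}
```

Against a real device, the `DataInputStream` would wrap the socket's input stream instead of the in-memory buffer used here.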
I am looking for some manual and guide for install software on hsm general knowledge how to configure hsm everything has any document has a relation with hsm 8000 will be really useful to me
Posted by: khalid | Monday, July 28, 2008 at 02:51
Hi Andy,
I have tried to implement the above example and I am getting compilation errors on the following line:
trace ? getLog().createTrace () : - create a local variable trace and create method getLog.
Then again on String s = command (request.pack(), evt); - Create method command( Request, evt). I am using Eclipse as my editor. Are there any files missing in the example above or do you perhaps have any ideas how I can resolve these errors?
Thanks,
Moeketsi
Posted by: moeketsi moeng | Tuesday, March 30, 2010 at 08:34
Hi Moeketsi -
Here's the list of everything we import in that program:
import java.util.Date;
import java.io.IOException;
import java.io.EOFException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.PrintWriter;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.net.Socket;
import java.net.SocketException;
import java.net.ConnectException;
import java.util.StringTokenizer;
import java.sql.SQLException;
import net.sf.hibernate.Transaction;
import net.sf.hibernate.HibernateException;
import org.jpos.security.SMAdapter;
import org.jpos.q2.QBeanSupport;
import org.jpos.iso.ISOUtil;
import org.jdom.Element;
import org.jpos.space.Space;
import org.jpos.space.SpaceUtil;
import org.jpos.space.SpaceFactory;
import org.jpos.util.NameRegistrar;
import org.jpos.util.Logger;
import org.jpos.util.LogEvent;
import org.jpos.core.Configuration;
import org.jpos.core.ConfigurationException;
import org.jpos.ee.DB;
import org.jpos.ee.status.Status;
import org.jpos.ee.status.StatusManager;
import org.jpos.util.FSDMsg;
Posted by: Andy | Tuesday, March 30, 2010 at 12:44
Hi Andy,
I added all the imports and then defined trace as a boolean set to true. But I am still having problems with getLog() and String s = command (request.pack(), evt);.
It seems like I need a method getLog and then also to create a command(string, logEvent) method.
Thanks,
Moeketsi
Posted by: moeketsi moeng | Wednesday, March 31, 2010 at 05:07