Managed SO-PIN
The SO-PIN (aka Initialization Code) is an 8-byte password that protects the SmartCard-HSM from involuntary re-initialization and from unblocking or resetting the User-PIN's retry counter.
Besides setting a secure User-PIN, choosing a proper SO-PIN is crucial for the overall security of the keys on your SmartCard-HSM.
For testing purposes we recommend sticking with the test value 3537363231383830 so as not to accidentally brick the device. The SO-PIN has a retry counter of 15, but once blocked, the device becomes a useless piece of hardware.
In the Key Manager you can either choose your own SO-PIN or have the Key Manager generate a random value. You can then save the SO-PIN in a profile on the local machine.
While manually choosing a secure SO-PIN is suitable for a single device, managing a larger SmartCard-HSM base, like in a corporate environment, requires a better approach.
This is where a Managed SO-PIN comes into play. With a Managed SO-PIN, the individual SO-PIN is derived from a centrally kept AES key. Such a token management key can be generated on a SmartCard-HSM set aside as a dedicated token to initialize or re-initialize SmartCard-HSMs and to unblock or reset User-PINs.
Generating a Token Management Key
A Token Management Key is an AES key with 128, 192 or 256 bit. Ideally the key is created in a key domain, so that a backup of the key can be created.

Make sure the key allows the CMAC algorithm and can be wrapped for backup (WRAP).
Management Token
A SmartCard-HSM can be used as a Management Token, which means that the token is placed in the background of the Smart Card Shell to act as a secure key store. You can then attach additional cards or tokens and perform operations on them with keys on the management token.
You need to login before the device can be put in the background. Select Use as Management Token from the context menu of the SmartCard-HSM node.

The outline is now cleared and you are prompted whether you want to access a newly attached SmartCard-HSM automatically. Choose Yes.

You can now see that the AES key is identified as Token Management Key. If you have more than one suitable AES key on the management token, you are prompted to select one.

You can now attach an additional SmartCard-HSM. The Key Manager will show the normal outline.
If you now want to initialize a new device or re-initialize an existing device, you will see that instead of the default SO-PIN, a generated SO-PIN is shown.

If this is the first initialization of the SmartCard-HSM, then this SO-PIN will be set. The same SO-PIN will be shown on subsequent initialization attempts.
Switch to a Managed SO-PIN
If you already initialized the SmartCard-HSM with the test or a user chosen SO-PIN, then you can switch to the Managed SO-PIN during initialization.
First overwrite the proposed SO-PIN value with the currently used value. If that is the test value, just clear the input field.

You are then prompted to select from four options.

With Keep current SO-PIN nothing changes.
Set a new managed SO-PIN will either switch to a Managed SO-PIN or replace an existing Managed SO-PIN with a new value. The replacement SO-PIN value is created by changing the salt that goes into the SO-PIN derivation.
Set a user selected SO-PIN allows you to enter a user-defined SO-PIN, potentially replacing the Managed SO-PIN.
Set the Default SO-PIN is a shortcut for Set a user selected SO-PIN, setting the test value 3537363231383830.
As we want to change to a Managed SO-PIN, we select the second option. You then provide the normal parameters for SmartCard-HSM initialization, e.g. label, URL, User-PIN and Key Domains.
Finally you are prompted to save the new SO-PIN to a profile. As we are using a Managed SO-PIN now, we don't want that and answer No.

When you remove and reinsert the SmartCard-HSM, you can see the reference to the Token Management Key printed with other device information.

The first value E534.. is the key identifier of the Token Management Key. This allows you to find the matching key.

The second value in parentheses is the salt value.
Switch to a User SO-PIN
If you want to switch from a Managed SO-PIN to a User SO-PIN, use the above procedure and select Set a user selected SO-PIN or Set the Default SO-PIN.
The reference to the Token Management Key in the device information should then disappear.