
Atalla HSM AT1000

Release Notes

Software Version 8.46.0.0


Imprint

Copyright 2020 Utimaco Inc.


900 E Hamilton Ave., Suite 400
Campbell, CA 95008
USA

Phone: +1 844 UTIMACO

Support: AMERICAS +1 844-UTIMACO (+1 844-884-6226), EMEA +49 800-627-3081, APAC +81 800-919-1301

Internet: https://support.hsm.utimaco.com

E-mail: hsm@utimaco.com

Document Version: 1.0

Date: January 28, 2022

Document Status: Final

Part Number: C9B60-9001T

All Rights reserved: No part of this documentation may be reproduced in any form (printing,
photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be
processed, reproduced or distributed using electronic systems.

Utimaco IS GmbH reserves the right to modify or amend the documentation at any time
without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and
damages incurred due to them.

All trademarks and registered trademarks are the property of their respective owners.
Product Description

Atalla Hardware Security Module (HSM) is a payments hardware security module designed to protect
customer sensitive data, perform cardholder authentication, and manage the cryptographic keys used in
ecommerce retail payment transactions.

Atalla HSM provides superior hardware security to deliver maximum privacy, integrity and performance for
host applications. It supports cryptographic operations to perform PIN translation and verification, card
verification, card production and personalization, electronic funds interchange (EFTPOS, ATM), cash-card
reloading, EMV transaction processing, and key generation and injection.

Product models

There is one physical hardware model: Atalla Hardware Security Module AT1000.

Languages

International English

Product Features

This section provides information on the Atalla HSM AT1000 hardware and software features.

Hardware features
The Atalla HSM AT1000 includes the following hardware features.

Hardware Feature: Description

High performance Atalla Cryptographic System (ACS): The ACS provides industry leading cryptographic
command performance. All cryptographic command processing is performed within its security boundary.
For more information about the ACS, see section 2 of the Atalla HSM AT1000 Installation and
Operations Guide.

1U form factor: The Atalla HSM AT1000 is 1.7 inches (4.3 cm) high. It is based on the HPE Proliant
DL360 Gen9, and includes dual hard disk drives, dual power load balancing supplies, dual locking
front bezel, and redundant cooling. See section 2 of the Atalla HSM AT1000 Installation and
Operations Guide.


Four Network Interface Connectors: The Atalla HSM AT1000 supports connections to two separate
networks. The Active-Backup mode of NIC bonding provides redundancy. For configuration information,
see section 4 of the Atalla HSM AT1000 Installation and Operations Guide.

Front panel display with keypad: The Atalla HSM AT1000’s front panel display provides status
information. You can use the display with keypad to assign the NIC1 network settings. The keypad is
protected behind the dual locking bezel. For information on usage, see section 3 of the Atalla HSM
AT1000 Installation and Operations Guide.

USB 3.0 port and USB device: The USB port and USB device provide the ability to install software
updates and configuration files into the Atalla HSM AT1000. The USB port is protected behind the
dual locking bezel. For information on usage, see section 3 of the Atalla HSM AT1000 Installation
and Operations Guide.

Software features
The Atalla HSM AT1000 includes the following software features.

Software Feature: Description

AES and 3DES Master File Keys (MFK): The Atalla HSM AT1000 can be configured to support both an AES
and 3DES MFK. For information on how to initialize the Atalla HSM AT1000, see section 3 of the
Atalla Secure Configuration Assistant-3 User Guide, or section 3 of the Atalla Secure Configuration
Assistant for Windows User Guide.

Categorized Event Reporting: The Atalla HSM AT1000 maintains three separate logs. The System Log
records system events, including startup, status and configuration events. The Activity Log records
connection events, including when a connection opens and closes. The Security Audit Log records all
Security Administrator transactions. For information on the logs and how to configure the logging
level, see sections 1 and 4 of the Atalla HSM AT1000 Installation and Operations Guide.


HSM Health Monitoring: The Atalla HSM AT1000 monitors the CPU busy percentage of the ACS. When the
specified percent value is maintained for one minute, an event record is created in the System Log.
The ACS, hard disk drives, power supplies, and fans are continuously monitored. Any failure
generates a record in the System Log. For information on HSM health monitoring, see section 2 of the
Atalla HSM AT1000 Installation and Operations Guide.

Remote Monitoring: The Atalla HSM AT1000 supports connections to both Remote Syslog and Simple
Network Management Protocol (SNMP) servers. Events recorded in the Atalla HSM AT1000’s system and
activity logs can be sent to these servers. SNMP versions 1, 2 and 3 are supported. For easy
integration with remote monitoring systems, event records are formatted in the Common Event Format
(CEF). An Atalla HSM AT1000 specific Enterprise MIB file is provided. For information on remote
monitoring, see sections 4 and 6 of the Atalla HSM AT1000 Installation and Operations Guide.

Remote Management: Installation of configuration files and software updates can be performed
remotely. In addition, cryptographic key loading, cryptogram generation, and modifying the Atalla
HSM AT1000’s security policy can also be performed remotely. For information on how to perform these
tasks, see sections 3 and 8 of the Atalla Secure Configuration Assistant-3 User Guide, or sections 3
and 9 of the Atalla Secure Configuration Assistant for Windows User Guide.

Network Time Protocol: The Network Time Protocol (NTP) can be used to synchronize the system clock
on the Atalla HSM AT1000. For information on system time synchronization, see section 4 of the
Atalla HSM AT1000 Installation and Operations Guide.

Atalla Key Block (AKB), PCI-HSM, and Variant key management methods: The Atalla HSM AT1000 comes
preloaded with the Atalla Key Block key management method. Switching methods takes approximately 4
minutes, and no additional software must be installed on the Atalla HSM AT1000. For information on
the supported commands, see the Atalla HSM AT1000 Command Reference Manual. For information on
switching key management methods, see section 4 of the Atalla HSM AT1000 Installation and Operations
Guide.


Multiple Domains: A Domain is a separate section in the Atalla HSM AT1000 which can have its own
unique Security Association, Master File Key, and Security Policy. Domains provide the ability to
support separate host applications in the same physical Atalla HSM AT1000. To ensure separation,
each Domain has a unique set of port numbers. The Atalla HSM AT1000 can be configured to support a
maximum of ten domains. By default, the Atalla HSM AT1000 supports two domains. Supporting
additional domains requires licensing. For information on configuring multiple Domains, see section
4 of the Atalla HSM AT1000 Installation and Operations Guide.

NIC Bonding: The Active-Backup mode provides redundancy for network connections. The Atalla HSM
AT1000 binds two network interfaces together to work as a pair. They both have the same network
settings. In the event of a failure, the other network interface in the pair becomes active and
continues to receive host application commands and send back responses. For information on
configuring NIC Bonding, see section 4 of the Atalla HSM AT1000 Installation and Operations Guide.

Supports most Ax160 HSM version 1.60, 1.61, 1.62, and 2.30 commands: The vast majority of commands
which are available in versions 1.60, 1.61, 1.62 and 2.30 of the Atalla Ax160 HSM are supported in
the Atalla HSM AT1000. Most of the printing commands in version 2.30 of the Atalla Ax160 HSM are
supported in the Atalla Key Block version 8.34 and above. For information on the supported commands
refer to the Atalla HSM AT1000 Command Reference Manual. All non-customer specific premium value
commands and options from the Atalla Ax160 HSM v2.30 and v1.60 are included in the Atalla HSM AT1000
v8.00 and newer; they no longer require a separate license.

Payment Emulation Command Set: An emulator which supports payment commands which are not in the
standard Atalla command format. A license is required to enable this feature. Refer to the Atalla
HSM AT1000 Installation and Operations Guide, and also the Atalla HSM AT1000 Payment Emulator
Command Reference Manual.

REST API: An Application Programming Interface which supports the JSON format. A license is required
to enable this feature. Refer to the Atalla HSM AT1000 Installation and Operations Guide, and also
the Atalla HSM AT1000 Communicating with the AT1000 using the REST API.


Software installation instructions

To install software version 8.46, perform these steps:

1. Download the software version 8.46 files from the following website:

https://support.hsm.utimaco.com

Refer to the Atalla HSM AT1000 Read Me First card for download instructions.

2. Copy the AT1000 HSM_8.46.img file to the HSM’s USB device.

3. Follow steps 5 through 13 specified in “Send configuration files from the USB device to the HSM”,
which is located in section 3 of the Atalla HSM AT1000 Installation and Operations Guide.

Compatibility/interoperability
Required products
The Atalla HSM AT1000 requires these Atalla products. For more information on these products, see the
Secure Configuration Assistant-3 User Guide or the Secure Configuration Assistant for Windows User Guide.

Product: Version

Secure Configuration Assistant-3 (SCA-3): 3.0, 3.1, 3.2, 3.3, 3.4
Note: 3.2 or newer is required for PCI-HSM mode of operation

or Secure Configuration Assistant for Windows (SCA-W): 1.0, 1.1, 1.3

Remote Management Utility: 3.0, 3.1 (Only required for use with the SCA-3)

Atalla Security Administrator smart cards: 3.0

Atalla Backup Operator smart cards (optional): 3.0

Compatible products
The Atalla HSM AT1000 is compatible with these Atalla products.

Product: Version

Atalla Secure Resource Manager: T0398AAD

Boxcar (T0409): T0409AAA - AAQ

NSPDIAG: T5860AAF


New and Changed Content

This version supports the AKB, PCI-HSM, and Variant personalities.

New command
• 3AA - Proprietary Key Derivation. This is a customer specific command.

Modification to existing commands

• Commands 119 and 11A now support using legacy Key Exchange Keys in TR-31 key blocks.

• Command 11B now supports a Key Exchange Key compatible with INTERPAY key derivation.

• Commands 136 and 139 - support for AKBv3 has been improved.

• Customer specific commands 13E, 183, 18D, and 38D have been modified.

• Command 185 now supports all security levels for SCP02 and SCP03.

• Command 354 now supports additional KEK types.

• Command 357 no longer checks specific values for the dCVV2 service code.

• Command 359 now supports personalization and cloud based payments.

• Command 38E now supports AES DUKPT in a host-to-host environment.

System software

• Support for 802.1Q has been added. The config.prm file now contains these two new keywords:
VLAN_1, and VLAN_2. Refer to section 4, Software configuration in the Atalla HSM AT1000 Installation
and Operations Guide for more information.

• The manufacturing process for the AT1000 HSM v2 now sets the system clock to Universal
Coordinated Time (UTC).

Unsupported Ax160 HSM features

The Atalla HSM AT1000 does not support the following Atalla Ax160 HSM features.

Atalla Ax160 HSM feature: Atalla HSM AT1000 comment

Websafe personality: Not supported.

Security Administrator V2.0 smart cards: Security Administrator V3.0 smart cards are required.

Shareholder smart cards: Backup Operator V3.0 smart cards are used to back up and restore the HSM.

Atalla Ax160 HSM config.prm file: A new config.prm file is required.


Command 103: Command 1113 has been enhanced; it now supports a much longer test period, and
immediately returns a response for the previous time period. The SCA-3 version 3.0 does not support
the CPU Busy feature.

Option 87: The HSM supports two networks, therefore this option has been removed.

Reading configuration files from the USB device at startup: At startup the HSM does not read
configuration files from the USB device. Configuration files must be transferred to the HSM via the
front panel menu, or sent to the HSM via version 3.0 of the SCA-3 and the Remote Management Unit.

Determining the software version

There are multiple ways to obtain the software version in your Atalla HSM AT1000:

• Send either of these commands to the HSM:

<1101#> or <1100#>

The response from the Atalla HSM AT1000 will be its software version.

• Power on the HSM, wait approximately 3 minutes, and then observe the front panel status screens.

• View the HSM’s system log; it contains a record with the response to the command <1101#>.

• When a SCA-3 or SCA-W is communicating with the HSM, you can tap the HSM status icon located in the
upper left corner of the screen.

Open source files

This product includes code licensed under the GNU General Public License, the GNU Lesser General Public
License, and/or certain other open source licenses. A complete machine readable copy of the source code
corresponding to such code, is available upon request.

This offer is valid to anyone in receipt of this information and shall expire three years following the date of
the final distribution of this product version by Utimaco.

freertos (9.0.0)

License File: FreeRTOS-Licencse.txt

License Link: http://www.freertos.org/license.txt

Distribution File: FreeRTOSv9.0.0.zip


python (2.7)

License File: Python-License.txt

License Link: http://spdx.org/licenses/Python-2.0

Distribution File: Python-2.7.5.tgz

smartmontools (6.2)

License File: GPL-2.0+License.txt

License Link: https://spdx.org/licenses/GPL-2.0+

Distribution File: smartmontools-6.5.tar.gz

ipmitools (1.8.13)

License File: BSD-3-License.txt

License Link: http://spdx.org/licenses/BSD-3-Clause

Distribution File: ipmitool-1.8.18.tar.bz2

openipmi (2.0.19)

License File: GPL-2.0+License.txt

License Link: https://spdx.org/licenses/GPL-2.0+

Distribution File: OpenIPMI-2.0.24.tar.gz

cavium-cnnic-pci-driver (1.0)

License File: BSD-3-License.txt

License Link: http://spdx.org/licenses/BSD-3-Clause

Distribution File: CNNNIC-SDK-SRC-3.1.2-48.i386.rpm

uboot (2013.070.24)

License File: GPL-2.0-License.txt

License Link: https://spdx.org/licenses/GPL-2.0

Distribution File: Cavium-Uboot.tgz


rsyslog (7.4.7)

License File: GPL-3.0+License.txt

License Link: https://spdx.org/licenses/GPL-3.0+

Distribution File: rsyslog-7.4.7.tar.gz

centos-os (7.2)

License File: Included in SrcRPMS for individual modules

License Link:

Distribution File: CentOS-7.2-SrcRPMS.gz

net-snmp (5.7.3)

License File: net-snmp-License.txt

License Link: http://www.net-snmp.org/about/license.html

Distribution File: net-snmp-5.7.3.zip

lcdproc (0.5.7)

License File: GPL-2.0-License.txt

License Link: https://spdx.org/licenses/GPL-2.0

Distribution File: lcdproc-0.5.7.zip

openssl (1.0.1j)

License File: OpenSSL-License.txt

License Link: https://spdx.org/licenses/OpenSSL

Distribution File: openssl-1.0.1j.tar.gz

openssl (1.0.2d)

License File: OpenSSL-License.txt

License Link: https://spdx.org/licenses/OpenSSL

Distribution File: openssl-1.0.2d.tar.gz


Utimaco technical support


For technical questions, please contact Utimaco technical support:

• E-mail: support@utimaco.com

• Toll Free Phone:

  • AMERICAS: +1 844-UTIMACO (+1 844-884-6226)

  • EMEA: +49 800-627-3081

  • APAC: +81 800-919-1301

• Create a ticket via the support portal: https://support.hsm.utimaco.com

Before contacting Utimaco, collect the following information:

• Product model names and numbers

• Utimaco Support Contract Number

• Product serial numbers

• Error messages

• Software version number

• Detailed questions

24-hour support
24-hour emergency support is available to those customers who have valid service contracts. Use this
service for product and system emergencies that occur after normal working hours or on weekends and
U.S. holidays. Questions about product installation and setup are supported during normal working hours.

For 24-hour emergency support call one of the toll-free phone numbers listed above. Select Option 4 for
Atalla Support to open a critical support ticket.

Download portal
You can obtain software/documentation from: https://support.hsm.utimaco.com.
