Affina User's Guide

Affina® Issuance Software
User’s Guide
December 2014
Part No. 539655-001, Rev. L

Notice
This publication and the accompanying software are proprietary to Entrust Datacard
Corporation and are protected under U.S. patent and copyright laws as well as various
international laws and treaties. This publication may not be copied, translated, sold, or
otherwise transferred to a third party, in whole or in part, without the express written
permission of Entrust Datacard Corporation.
Information in this publication is subject to change without notice. Entrust Datacard

assumes no responsibility for any errors that may appear in this publication. Companies,
names, and data used in examples herein are fictitious. No association with any real
company or person is intended and none should be inferred.
This product includes software developed by the Apache Software Foundation

(www.apache.org). Copyright © 2000 The Apache Software Foundation. All rights
reserved.
This product includes software developed by the JDOM Project (www.jdom.org).
This product includes Tagish JAAS Login Modules and is covered under the GNU Lesser
General Public License, which can be found at www.gnu.org/copyleft/lesser.html.
This product includes software developed by IAIK of Graz University of Technology.

Copyright (c) 2002 Graz University of Technology. All rights reserved.
This product includes software developed by the jTDS Project (jtds.sourceforge.net) and
is made available under the terms of the GNU Lesser General Public LIcense which can be
found at www.gnu.org/copyleft/lesser.html.
This product includes software developed by the Eclipse Project (www.eclipse.org).
This product includes software developed by Mozilla as part of the Rhino project. The
Rhino code included with the Program includes no modifications and is provided under
the terms of the Mozilla Public License version 1.1 or later (www.mozilla.org/MPL/MPL‐
1.1.html) and the GNU General Public License version 2.0 or later (www.gnu.org/
licenses/gpl2.html).
Datacard Group
11111 Bren Road West
Minnetonka, MN 55343‐9015
Phone: 952‐933‐1223
Fax: 952‐933‐7971
www.datacard.com
Copyright © 2014 Entrust Datacard Corporation. All rights reserved.
ii
Trademark Acknowledgments
Affina and Maxsys are registered trademarks and Datacard is a registered trademark and
service mark of Entrust Datacard Corporation in the United States and other countries.
MasterCard is a registered trademark of MasterCard International Incorporated.
Visa is a registered trademark of Visa International Service Association.
Adobe and Reader are registered trademarks of Adobe Systems Incorporated.
Crystal Reports is a trademark or registered trademark of Crystal Decisions, Inc. in the

U.S. and/or other countries.
Windows is a registered trademark of Microsoft Corporation.
All other product names are the property of their respective owners.
Proprietary Notice
The design and information contained in these materials are protected by US and
international copyright laws.
All drawings and information herein are the property of Entrust Datacard Corporation. All
unauthorized use and reproduction is prohibited.
iii
Revision Log
Affina Data Preparation, Affina One Step Issuance, and
Affina Profiles and Scripting User’s Guide
Revision Date Description of Changes
A April 2006 First release of this document.
B November Added information for the 1.0.1 release.

2006
C February 2007 Added information for the 1.1 release.
D July 2007 Added information for the 1.2 release.
E December Added information for the 1.3 release.

2007
F June 2009 Added information for the 1.5 release.
G November Added information for the 1.6 release. Incorporated

2010 Help topics.
H June 2012 Added information for the 1.7 release. Documented

delimiter‐separated value parser.
J February 2013 Added information for the 1.7.1 release. Documented

SafeNet firmware installation feature.
K December Added information for 1.8 release.

2013
L December Added information for the 1.8.1 release.

2014
Conventions Used in this Document
Notes remind or inform you of something you should know before proceeding.
Names of menus, dialog box options, and buttons display in bold type. File names also display in
bold type, and the variable part of the file name is in bold italics (for example, profile name.xml
indicates that you supply the profile name while xml remains constant).
User entries are shown in code typeface.
Blue text indicates a jump (link) to the referenced topic for online reading.
iv
Related Manuals
Manual Title Part Number
Datacard Affina Personalization Manager MULTOS Issuance Software 539112‐003

Data Format and Operation
Datacard Syntera Customization Suite Installation and Configuration 539768‐001

Guide
Data Security Standards Implementation Guide 527227‐001

Datacard® Syntera® Customization Suite
Data Security Standards Implementation Guide 527226‐001

Datacard® Affina® Issuance Platform Software
v
Contents
Chapter 1: System Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Affina DP Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Affina OSI Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Chapter 2: Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Minimum PC Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Install Prerequisite Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Install Affina Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Upgrade Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Windows Firewall Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Configure Affina Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
License the Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Affina Software Licensable Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Affina OSI Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Affina Data Processing Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
License Administrator Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
License Server ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Product Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Activation Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Default User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
User Access Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Key Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Affina Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Batch Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3: Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Sample Data Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Magnetic Stripe Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Track 1 Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Track 2 Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
EMV Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Smart Card Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Smart Card Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Smart Card Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
SCPM Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
PIX Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
DSV Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Magnetic Stripe and DSV Data Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
DSV Data Only Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
vi
Parser Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Smart Card Output Data Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Smart Card Input Data Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
System Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
MULTOS Data Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Input Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
InputSC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
InputMag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Input Data Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Data Generation - Magnetic Stripe and Job OID Only . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
InputSC and InputMag — Affina DP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
InputSC — Affina OSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Data Generation — Magnetic Stripe and/or Smart Card Input Data . . . . . . . . . . . . . . . 33
InputMag and InputSC — Affina DP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
InputSC — Affina OSI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Personalization - Smart Card Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
DGI Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
TLV Output Data Key Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
DES Key Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
RSA Key Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 4: Key Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Introduction to the KMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
PKCS #11: Cryptographic Token Interface Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Slots and Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Key Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Key Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Configuring HSMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Using the SafeNet HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Token Initialization Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Administrative Functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Import and Restore Sample Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Key Management System Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Creation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Importing Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Exporting Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Certificate Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Application-Specific KMS Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
vii
Chapter 5: Configuration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Overview of Application and Script Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Profile Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
GP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Application Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Card Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Key Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Loadfile Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Datacard Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Application Data Template (ADT) Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Application Profile Input Mapping (APIM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Application Profile Output Mapping (APOM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
DataSet Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Job Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Product Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
ADT Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Visa Personalization Assistant (VPA) Output File . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
MULTOS ALU Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Profile Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Scripting Language and Profile Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Import the Release and Sample Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuration Manager Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
General Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Profile Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Profile Creation Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Application-Specific Configuration Manager Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Chapter 6: One Step Personalization Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Creating an Affina Profiles and Scripting Application Configuration . . . . . . . . . . . . . . . . . . . 97
Configuring the Personalization Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring Maxsys Compatible Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring 9000 Series Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring the Syntera CS Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring a Datacard Desktop Printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using Affina One Step Software in Production . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Chapter 7: Affina DP (Batch) Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Overview of Batch Processing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Production Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Batch Production. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Batch Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Reserved Words for Input Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Install and Test Sample Affina DP Setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Restore and Test Production Setups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
viii
Affina DP Batch Application Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Setup Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Production Setup Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Monitoring Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Maintenance Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Using Affina DP Software in Production. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Reset the SQL User Password for Batch Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Chapter 8: Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Windows Event Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Application Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Batch Application Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Chapter 9: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Problems Reported by Batch Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Configuration Manager Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
KMS Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Affina Profiles and Scripting Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Affina One Step Issuance Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Affina Configuration Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
HSM Battery-Related Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
SafeNet HSM ProtectServer Gold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
General Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Determining the Condition of the Battery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Appendix A: Abbreviations and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
Appendix B: Configuration Parameters and Initialization Settings . . . . . . . . . . . . . . . B-1

Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
Affina PS JDBC SQL Server Connection String . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
Affina PS Logging Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1
AffinaPKCS11 Slot and Token Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2
Configuration Manager Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3
DSV Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3
Batch Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3
Runtime Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-3
JVM Initialization Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
JVM Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-4
ix
x
Chapter 1: System Overview
Datacard® Affina® issuance software provides data generation capability
for smart card applications. It includes a set of applications that are
combined in different ways to form three configurations:
 Datacard® Affina® data preparation (DP) software
 Datacard® Affina® profiles and scripting (PS) software

 Datacard® Affina® one step issuance (OSI) software
Affina DP is a file‐based batch process system that monitors an input directory for files containing
cardholder records. Affina DP uses the magnetic stripe data in the records and data generation
profiles to generate an output file containing smart card application data.
Affina PS uses GlobalPlatform and Datacard‐defined profiles to provide instructions for using an
input file with smart card application data to personalize applications on smart cards.
Affina OSI combines the data generation functionality of Affina DP and the personalization
functionality of Affina PS. It uses an input file containing cardholder magnetic stripe data to
create personalized smart cards in one step.
Most Affina software components are used in multiple configurations.
Component Description Used In
Configuration Manager The user interface for viewing GlobalPlatform profiles and Affina OSI
creating and editing Datacard profiles. Profiles create Affina PS
configurations for generating data and personalizing cards. Affina DP
Profiles & Scripting The Java‐based Global Platform scripting engine (Affina Affina OSI
Interpreter JVM). Runs data generation procedures defined in profiles. Affina PS
It is invoked from Batch Engine (using DTE.dll Affina DP
software) or from a Datacard® Syntera® Customization
Suite (CS) software application (Affina OSI software). It uses
standard interfaces provided by the PKCS#11 for
cryptographic functions.
Key Management System Provides the user interface through which you manage Affina OSI
(KMS) cryptographic keys. Affina PS
Affina DP
Hardware (or Host) The hardware device that provides secure cryptographic Affina OSI
Security Module (HSM) functions. Affina PS
Affina DP
Affina Issuance Platform User’s Guide 1

Component Description Used In
Crypto Provider Accesses the HSM directly to implement requests from Affina OSI
PKCS#11 components. It also provides information about Affina PS
HSM availability. Affina DP
Batch Applications Gathers necessary information from input data and invokes Affina DP
the Affina PS software interpreter for data generation.
There are four Batch applications:
 Batch Import monitors a directory for new input files
and automatically associates a production setup to
change input data into output data. You can also import
data files manually.
 Batch Engine performs the processing required to
change input data into output data by calling Affina PS
using the DTE.dll.
 Batch Administrator is the user interface through which
you define how input data is changed to output data.
 Batch Tracking lets you monitor the processing of input
files. You can also track individual records and view any
errors that may occur.
MX/Maxsys Production Manages the personalization process. It parses input data Affina OSI
Control into records and sends required data to the various
modules of the personalization system. For smart card
operation, Production Control initiates the operation based
on a setup and sends data necessary for personalization to
Syntera CS.
Syntera Customization Provides the environment for developing and running Affina OSI
Suite (CS) server‐based personalization applications. In Affina OSI,
Syntera CS instantiates the personalization process for each
card and calls the Syntera CS application, Affina Profiles and
Scripting, or Datacard® Affina® MULTOS™ Issuance
Software loader for data generation and personalization.
Affina MULTOS Issuance A Syntera CS application for personalizing applications on Affina OSI
MULTOS cards. In Affina OSI, it invokes Affina PS for Affina
generating an application load unit (ALU) and then loads MULTOS
the ALU onto the MULTOS card. Loader
Profiles Affina release and sample data generation profiles. Affina OSI
Affina DP
In addition, Affina DP includes several Application profiles, each with sample data and setups that
you can adapt to your unique environment.
2 System Overview
Data Flow
Data follows different paths depending on whether you are using Affina DP or Affina OSI.
Affina DP Data Flow

When a production setup is created, the Application profile (previously loaded by Configuration
Manager) and a DLL are specified for parsing input data.
When the Batch Import application is started, it begins to monitor the input directory. As host
files are delivered to the input directory, the Batch Engine begins parsing the data file into records
and fields and calls Affina Profiles and Scripting using the DTE.dll. Affina PS retrieves the keys,
profiles, and scripts and generates the smart card data for each record as specified in the
Application profile.

The output file is ready to become an input file for a high‐speed personalization system such as
the Datacard® Maxsys® card issuance system.
Affina OSI Data Flow

In the Affina OSI solution, smart card data is prepared during personalization. Standard
cardholder data containing magnetic stripe information is fed to the production control software
of a Datacard personalization equipment (such as a Maxsys card issuance system). When a card
reaches the Smart Card module, control and data is passed to Syntera CS. Syntera CS then calls
Affina Profiles and Scripting using the AffinaPS.dll. Affina Profiles and Scripting retrieves the
required keys, profiles, and scripts and generates the smart card data for the current record as
specified in the Application profile. This data is then immediately personalized on the card as
specified by the personalization scripts. After completion, the card is ready to move to the next
module.
4 System Overview
Chapter 2: Installation
This chapter gives information about installing and configuring Affina

issuance software, licensing the software, and setting up user groups.
Minimum PC Requirements
It is strongly recommended that you purchase your PC from Datacard. However, if you choose to
use your own PC, the following minimum requirements must be met:
 2.0‐GHz Pentium® 4 processor
 1 GB RAM
 Minimum screen resolution of 1024 x 768

 A minimum of 20 GB free hard drive space is required for the installation of the program and
initial database files, and running the program. You must assess the need for any additional
hard drive capacity requirements based on how you will use the software.

The following table lists the database products and the operating systems that Affina issuance
software supports.
Windows 7
Windows Windows 8.1 Windows Professional Windows Windows XP
Server 2012 (32 and 64 Server 2008 (32 and 64 Server 2003 Professional
R2 bit) R2 bit) (32 bit) (32 bit)
SQL Server Supported Supported Supported Supported Not Not

2012 Supported Supported
SQL Server Supported Supported Supported Supported Not Not

2012 Express Supported Supported
SQL Server Supported Supported Supported Supported Supported Supported

2008 R2
SQL Server Supported Supported Supported Supported Supported Supported

2008 R2
Express
SQL Server Not Not Supported Supported Supported Supported

2005 Supported Supported
SQL Server Not Not Supported Supported Supported Supported

2005 Express Supported Supported
6 Installation
Install Prerequisite Software
Apply all critical Windows updates before installing and running Affina issuance software.
The following software must be installed before installing Affina software:

 .NET Framework 4.0 or above. The installation disc Third Party Software folder contains .NET
Framework 3.5 SP1 (required for SQL Server Management Studio and SafeNet software),
.NET Framework 4.0, and .NET Framework 4.5 SP2. (Refer to “Install the .NET Framework” on
page 8 for more information.)
 SQL Server. SQL Server 2008 R2 SP2 Express with Tools and SQL Server 2012 SP2 with Tools
are included in the Third Party Software folder of the installation disc. (Refer to “Install SQL
Server 2008 R2 Express” on page 9 or “Install SQL Server” on page 9 for more information.)
SQL Server 2008 requires Windows Installer v4.5 or above.
SQL Server Express, which is included with Affina software, is adequate for environments
where jobs are small to medium in size. Because a SQL Server Express database is limited in
size, high‐volume installations or installations that need to store a large amount of data for
each record may need to purchase SQL Server.
Affina One Step applications use Windows Authentication to communicate with SQL
Server.
Affina Batch applications use SQL Authentication to communicate with SQL Server.
If you are installing Batch applications and your SQL Server is not running in Mixed
Mode, the Affina installation program will enable Mixed Mode on SQL Server, but
you will not be able to run Batch applications until you restart SQL Server or restart
the computer.
The SQL Server user name for Batch applications is ‘adp’ and the default password is
‘Datacard2010’. The SQL Server connection string file for Batch applications is
encrypted. To reset the password, refer to “Reset the SQL User Password for Batch
Applications” on page 124.
 Datacard Software Licensing System 1.1.0.36 or above on one server in your configuration.
Version 1.2 is included on the installation disc. (Refer to “Install the Datacard Software
Licensing System” on page 11 for more information.)
 Datacard Syntera Customization Suite (CS) software is required for Affina one step issuance
(OSI) software. (Refer to the Datacard Syntera Customization Suite Installation and
Configuration Guide for step‐by‐step instructions.)
 Runtime Crystal Reports 11 if you want to view reports in Affina DP software. (Refer to
“Install Runtime Crystal Reports 11” on page 10 for more information.)
Cryptographic software from your HSM manufacturer must be installed to perform certain
functions not available through the Key Management System. Datacard recommends installing
cryptographic software before Affina software.

Install the .NET Framework
.NET Framework 4.x is required to install and run Affina Issuance Software. .NET Framework 3.5
SP1 is required to install SQL Server 2008 R2 Express with Tools, SQL Server 2012 with Tools, and
the SafeNet software.
1. Insert the Affina issuance software installation disc into your drive. The installation program
starts automatically. (If the installation program does not start, use Windows Explorer to
browse to the root directory of the disc and double‐click AffinaIssuance.exe.)
2. Click Install Prerequisite Software.
3. Click Microsoft .NET Frameworks. Depending on your operating system, one or more
versions of the .NET Framework display as available for installation.
4. Click an available version to install it.
If the .NET Framework version 3 is already installed, you will see a message asking
whether you want to repair or uninstall it. Select Repair and then Next or select
Cancel.
Install Windows Installer
Windows Installer 4.5 or above is required to install SQL Server 2008 R2 Express on Windows XP
or Windows 2003.
3. Click Server 2008 R2 Express.
4. Click Windows Installer 4.5.
Install Windows PowerShell
Windows PowerShell 1.0 is required to install SQL Server 2008 R2 Express on Windows XP or
Windows 2003.
3. Click Server 2008 R2 Express.
4. Click Windows PowerShell 1.0.
8 Installation
Install SQL Server 2012
3. Click SQL Server.
4. Click SQL Server 2012 SP2 Express with Tools. The installation begins.
Install SQL Server 2008 R2 Express

3. Click SQL Server.
4. Click SQL Server 2008 R2 Express with Tools. The installation begins.
Install SQL Server

starts automatically. (If the installation program does not start, skip to step 3.)
2. Click Exit.
3. Using a text editor such as Notepad, open the file that is appropriate for your installation
 X:\Third Party Software\SQL Server 2012\SQLServer 2012 Unattended Install.bat
 X:\Third Party Software\SQL Server 2008 R2\SQLServer 2008 R2 Unattended Install.bat
(where X is the drive letter of the disc).
4. Follow the instructions in the echo statements at the beginning of the file.
5. Save the file to a temporary location on your hard drive.
6. Using Windows Explorer, double‐click the file you just saved.
7. Delete the SQLServer BAT file from your hard drive.

Install Runtime Crystal Reports 11
Runtime Crystal Reports is required for running reports with the Batch Administrator application.
3. Click Crystal Reports Run‐time.
4. Follow the prompts on the screen.
SafeNet HSM
Install the software before you install the coprocessor board in your computer. You will
ignore an error message at the end of the software installation.
It is not necessary to install any SafeNet software included with the SafeNet board. The
SafeNet software required for Affina software is included on the Affina installation disc.
If you are connecting remotely to the SafeNet crypto board it is not necessary to install
any SafeNet software from the Affina installation disc on the client (remote) PC.
Follow these steps to install software and hardware on the PC that is hosting the SafeNet
coprocessor board:

3. Do one of the following:
 Choose SafeNet PCI HSM Access Provider to install the software on the PC where the
SafeNet HSM will be installed.
 Choose SafeNet HSM Net Server if the crypto board will be shared across a network or
you are using a 64‐bit operating system.
4. Follow the prompts on the screen. When the installation is complete, the following message
displays:
10 Installation
5. Click OK. (The software was successfully installed.)
6. Turn off the computer and install the coprocessor board, following the installation
instructions provided with the coprocessor board.
7. Start the computer. The Found New Hardware wizard starts.
8. Select No, not this time on the Welcome page.
9. Select Install automatically on the next page. Follow the prompts on the screen to finish the
wizard.
Install the Datacard Software Licensing System
The Datacard Software Licensing System must be installed to use Affina issuance software.
Perform the following procedure to install the licensing system.
It is highly recommended that the License Server be installed on a server on a network

shared by all computers that require licenses.
1. Insert the Affina issuance software installation disc into the drive. The installation program
2. Select Install Prerequisite Software.
3. Select License Server.
4. Follow the prompts, clicking Next and/or OK as necessary.
Install Affina Software

Follow these steps to install Affina software:
2. Click Install Affina Issuance Software.

3. Follow the prompts until you get to the Setup Type page.

4. Select One Step Issuance, Data Preparation (Batch), or Custom (Full).
 If you select One Step Issuance or Data Preparation, follow the prompts to install the
software.
 If you select Custom, you will be prompted to select the components that you want to
install.
Click the icon to the left of any component that you do not want to install and then click
This feature will not be available.
5. Click Install. The program will install.
6. Click Finished. At the end of the installation, one of the following message boxes opens. Click
OK to go to the Affina Configuration application (refer to page 14).
If you installed all components:
12 Installation
If you installed only MULTOS or only the KMS:
7. If prompted, restart the computer.
Upgrade Instructions
Perform the following procedure to upgrade from a previous version of Affina DP and Affina OSI
software.
1. Uninstall Affina DP or Affina OSI and then restart the computer.
2. Install Affina DP or Affina OSI as described in “Install Affina Software” on page 11.
3. Delete any ADTs associated with the current Application profiles, the profiles themselves, and
the associated Product profiles. Then, load the new Application profile(s), reload or recreate
the ADT(s), and then reload or recreate the Product profile(s).
If you do not want to run the Samples provided with Affina DP or update the Release
Application profiles, no further action is necessary.
4. If prompted, restart the computer.

5. Load the new Release and Sample profiles and overwrite any existing profiles. Refer to
“Import the Release and Sample Profiles” on page 84.
Windows Firewall Exceptions

The Affina software installation program creates the following exceptions in Windows firewall if
the firewall is enabled at the time of installation:
Name Description Sample Path
SQL Server SQL Server …\Microsoft SQL Server\MSSQL10_50.AFFINA\

MSSQL\Binn\sqlservr.exe
SQL Browser SQL Browser Service EXE …\Microsoft SQL Server\90\Shared\ sqlbrowser.exe

If you have installed a SafeNet HSM in your system that is shared with other computers on your
network, you will also need to create a firewall for the SafeNet HSM Net Server program:
Name Description Sample Path
etnetserver HSM Message Dispatcher …\SafeNet\Net Server\etnetserver.exe

Server
Configure Affina Software

Affina Configuration is a tool for configuration of Affina issuance software. The configuration tool
is presented at the end of the Affina software installation process. To access Affina Configuration
at other times, select Start > Programs > Datacard > Affina Issuance Software > Affina
Configuration.
If you installed only MULTOS or only the KMS, it is necessary to configure only hardware
security modules. The dialog box you see will contain only the relevant information.
14 Installation
Configure License Server
If your License Server is not installed on the same computer as your Affina software, use the
following steps to specify the License Server’s location.
1. In the License Server area of the Affina Configuration dialog box, select On a remote
computer with this IP address and enter the IP address of the License Server computer.
2. Click Test to verify the connection.
3. Click Save.
Configure Database
To create the Affina database on the computer you are using:
1. In the Database area, click Local. The application will attempt to detect local SQL Server
instances.
2. Select the Server name from the list. The application will attempt to connect to the SQL
Server instance selected and a dialog box will indicate whether or not a database was found.
Click OK.
3. If a connection could not be made, enter the SQL Server instance name and then click
Connect. The application will attempt to connect to the SQL Server instance selected and a
dialog box will indicate whether or not a database was found. Click OK.
If a database was not found, click Create Database and then click Connect after the database
has been created.
4. Click Apply at the bottom of the Affina Configuration dialog box.
5. Click OK at the bottom of the Affina Configuration dialog box to close it.
To connect to a database on another computer on your network:

1. In the Database area, click Remote. The application will attempt to detect remote SQL Server
instances.
2. Select the Server name from the list. The application will attempt to connect to the SQL
Server instance selected and a dialog box will indicate whether or not a database was found.
Click OK.
3. If a connection could not be made, enter your SQL Server instance name and then click
Connect. The application will attempt to connect to the SQL Server instance selected and a
dialog box will indicate whether or not a database was found. Click OK.
4. Click OK in the confirmation message.

Configure Hardware Security Modules

1. In the Hardware Security Modules area, click in the SafeNet Hostname(s) or IP Address(es)
text box and do one or both of the following:
a. To delete the name of the computer you are using (the default value), press BACKSPACE
until the name is erased.
b. To add a computer that contains a SafeNet HSM, press the space bar and then type either
the computer name or the computer’s IP address.
4. Restart Object Communicator or Batch Production for your changes to take effect.
If you are using Windows XP or Windows Server 2003 and the Datacard Syntera CS
Communicator Controller service or Datacard Affina PM Object Communicator
Controller service is running under the Local System account, you will need to restart
the computer.
License the Software

In Affina software, product features are licensed, and the license is tied to a specific License
Server as identified through the server hardware. License Server and License Administrator (the
License Server GUI) are stand‐alone products that are used in conjunction with Affina software.
No license is required for installation of Affina software but the license must be installed and
activated before Affina software will run.
This section explains components of License Administrator that are required to license and
activate Affina software for production use. Additional information relating to the functionality of
License Administrator can be found in the License Administrator Help.
This section also tells how to configure your installation if your License Server is not on the same
computer as Affina DP.
Affina Software Licensable Features

Depending on your needs, you may not require all of the features available in Affina software. For
that reason, the features are licensed by feature and you purchase only those licenses required
by your configuration.
16 Installation
Affina OSI Software
The table below shows the licensable features required for an Affina OSI software configuration.
Feature Required License Configuration Limitations
Card Syntera CS One license (n) for No more than (n) smart cards can
Personalization Connection each programming be personalized at the same time.
(SCPMConn) station connection
—or—
Site License
One Step Process Syntera CS One license (n) for No more than (n) programming
Connection One each programming stations can use the data
Step (ADPScrpt) station connection generation capability at the same
—or— time.
Site License
Key Management Affina DP Site License None

System and Generation
Configuration (ADPGen)
Manager
Profiles and Affina Profiles and One license (n) for No more than (n) smart cards can
Scripting Software Scripting each programming be personalized using Profiles and
Connection (APS) station connection Scripting software at the same
—or— —or— time.
Affina Profiles and Unlimited number of
Scripting Site programming station
License (GP) connections
and/or
MULTOS Issuance MULTOS Issuance One license (n) for No more than (n) smart cards can
Software Connection (AMI) each programming be personalized using MULTOS
—or— station connection Issuance software at the same
MULTOS Issuance —or— time.
Site License Unlimited number of
(MULTOS) programming station
connections

Affina Data Processing Software
The table below shows the licensable features required for an Affina DP software configuration.
Feature Required License Configuration Limitations
Batch Application Affina DP Batch One license Can only run Batch applications from
for Smart Card (ADPBatch) one PC at a time. Additional licenses
Data Preparation are required to allow more instances to
run at the same time.
Key Management Affina DP Site License None

System and Generation
Configuration (ADPGen)
Manager
License Administrator Components

This section gives a brief overview of some of the License Administrator components you will use
to license the features of Affina software needed for your environment. For a more detailed
explanation of License Administrator, please refer to the License Administrator Help.
License Server ID
The License Server ID is a unique ID tag derived from the PC that License Server is installed on.
The License Server ID is generated using License Administrator.
Product Keys
A product key is a unique alphanumeric identifier of a feature license. When feature licenses are
ordered, the product keys are printed on a label affixed to the envelope containing the
installation disc and on a sheet of paper inside the envelope. Each Affina software licensable
feature (refer to the table above) requires one or more product keys. A single product key can be
used on a single license server.
Activation Keys
Activation keys are the final piece required to activate your Affina software feature license(s).
After the License Server ID is sent to Datacard and your license is verified, an activation key will
be sent for each product key. Activation keys authenticate the product key for a particular license
server. Affina software will operate only when each feature license has a product key and
corresponding activation key entered into License Administrator.
You can use the Remote Product Activation utility to activate the licenses. Refer to the
Licence Administrator Help topic “Using Remote Product Activation” for more details.
18 Installation
Default User Groups
The Affina installation program automatically creates three default user groups: ADP_
Administrator, ADP_Supervisor, and ADP_User. Each has different access rights.
You use the user and group management tools of your Windows operating system to add users to
groups. All Affina users should be members of an ADP user group. Members of the ADP_
Administrator group should also belong to the Windows Administrator group.
User Access Rights

In Affina DP software, user access rights to the Batch applications are granted through access to
menus and commands in the various applications. Group access rights for Key Management
System and Configuration Manager are as specified in the following sections and cannot be
changed. The ADP_Administrator group has access to all menus and commands in all
applications.
Key Management System

Those who are not logged into the KMS can only view object details.
The Security Officer role can perform administrative functions, including setting the usage of a
key to Export, while the User role can perform most other functions, including creating Private
keys, as described in the PKCS#11 documentation.
Affina Configuration
Members of the ADP_Operator and ADP_Supervisor groups can view data and perform test
functions.
Members of the ADP_Administrator group have full access to all features.
Configuration Management
Members of the ADP_Operator group can view profiles.
Members of the ADP_Supervisor group can view, import (but not replace), and export profiles.
Members of the ADP_Administrator group have full access to all features.
Batch Applications
In the Batch applications the ADP_Administrator and ADP_Supervisor groups have access to all
commands and the ADP_Operator group can run the Batch Engine and Batch Input applications.
Use the procedure “Review and change access to Affina DP Batch applications” to grant access
rights to your ADP_Operator group.

Review and change access to Affina DP Batch applications
Access to Affina DP Batch applications is controlled via the Batch Administrator module.
1. Log on to the computer with a user name that has ADP_Administrator user privileges and
start the Affina Data Preparation Launcher (Start > Programs > Datacard > Affina Data
Preparation & One Step> Affina Data Preparation Launcher). On the Launcher, click Batch
Administration.
2. From the menu bar select System > Access Control.
3. Select the ADP group whose access you want to review, and then expand the listings for each
module and menu as necessary.
4. Remove access by double‐clicking on a module, menu, or command that has a green check
mark next to it. Grant access by double‐clicking on a module, menu, or command that has a
red “no” symbol next to it.
Removing or granting access affects that level and any subordinate levels.
20 Installation
Chapter 3: Data Format
This chapter describes the input data format required to use the default
data parser supplied with Affina issuance software. It also describes the
output data format created by Affina DP using the default magnetic
stripe and smart card data parser.
The output data from Affina DP is usually used as input to a card issuance system. The output of
Affina OSI and Affina PS is not data but cards.
In Datacard issuance systems, input data contains fields that will be used to personalize cards.
Each field can be identified by a character or group of characters called a Start Code. For example,
the $ character might be used to identify the Primary Account Number (PAN) that will be
embossed on the card by the Emboss module, and the " character might identify the magnetic
stripe data that will be encoded on the card by the Magnetic Stripe module. There is also often a
six digit ASCII search code at the beginning of a record that identifies the record number in the
input file, and a record separator, which may be up to seven bytes long, at the end of a record.
The Data setup on Datacard issuance systems identifies the fields in the input data, and the
Product or Card setup specifies which operations each module will execute on a card.
Sample Data Files

Affina DP includes sample input data files that use the following conventions:
Field Start Code
Search Code nnnnnn
PAN $
Expiration Date )
Cardholder Name #
Magnetic Stripe “
Record Separator #END#

Here is the content of the sample input data file named 1_VSDC.dat:
000001$4247 7758 6985 7153)12/15#VSDC SAMPLE"%B4247775869857153^SAMPLE/
VSDC^1512201123456789012345678901234?;4247775869857153=15122011234567890123?#END#
Smart card applications such as Visa Smart Debit Credit (VSDC) and M/Chip 4 include data
elements that are included in legacy magnetic stripe data fields. Therefore, Affina DP and Affina
OSI use magnetic stripe data fields for data generation (Affina DP) and for data generation and
personalization in one step (Affina OSI).
Magnetic Stripe Data

Magnetic stripe data is organized in Tracks and may contain up to three tracks of data. Affina
software uses only Track 1 and Track 2 for smart card data generation. To use the default data
parser, Track 1 and Track 2 data must be in the format described in the following tables.
Other data formats may be handled by using a Custom DataSet profile, in which case the
information in this chapter does not apply.
22 Data Format
Track 1 Data Format
Length
(Alphanumeric
Field Characters) Value/Description
Start Sentinel 1 %
Format Code 1 B
PAN Up to 19 Primary Account Number
Separator 1 ^
Cardholder Name 26 max
Surname Variable
Surname Separator 1 /
First Name or Initial Variable
Space 1 (When followed by more data)
Middle Name or Initial Variable (If used)
Period 1 (When followed by a Title)
Title Variable (If used)
Separator 1 ^
Expiration Date 4 YYMM
Service Code 3
Discretionary Data Variable Up to 76 characters from the Format Code to the

end of the Discretionary Data
End Sentinel 1 ?

Track 2 Data Format
Length
(Numeric
Field Characters) Value / Description
Start Sentinel 1 ;
PAN* Up to 19 digits Primary Account Number
Separator* 1 =
Expiration Date* 4 (YYMM)
Service Code* 3
Discretionary Data* Variable Up to 37 numeric data characters from the PAN to the
end of the Discretionary Data
End Sentinel 1 ?
* These fields together, in binary format, comprise Track 2 Equivalent data used in EMV tags.
EMV Tags
A consortium of the financial companies Europay, MasterCard, and Visa (together referred to as
EMV) has defined a common set of standards for financial card issuance. EMV defines a format
for smart card data that uses a Basic Encoding Rules Tag, Length, Value (BER‐TLV) format. The
EMV BER‐TLV encoding rules can be found in EMV Integrated Circuit Card Specifications for
Payment Systems Book 3 Application Specification Annex B, Rules for BER‐TLV Data Objects.
The Affina default parser extracts the following fields from the magnetic stripe data and creates
TLV data for each data element using the Tags listed.
Name Tag Name Tag
PAN 5A Expiration Date 5F24
Cardholder Name 5F20 Track 1 Discretionary Data 9F1F
Service Code 5F30 Track 2 Equivalent Data 57
24 Data Format
Smart Card Applications
A distinction should be made between personalization applications for the smart card
management software (such as Affina PS), which are used to load and personalize applications on
a smart card, and smart card applications themselves, which reside on the smart card. Examples
of smart card applications include Visa® Smart Debit/Credit (VSDC) and M/Chip 4 from
MasterCard®.
Smart card applications are written and provided by application providers. Each smart card
application is identified by an Application Identifier (AID). The AID includes a Registered
Application Provider Identifier (RID) to identify the provider and a Proprietary Application
Identifier Extension (PIX) to identify the application. The RID is 5 bytes in length, and the PIX is
variable in length up to 11 bytes.
Each smart card application requires the smart card data field to include specific personalization
data and also requires that data be formatted in a specific way, which is referred to as a data
format.
Smart Card Data

The output data from Affina DP is called smart card data. It may include either TLVs or groups of
TLVs called Data Grouping Identifiers (DGIs). A list of DGIs used for financial issuance can be found
in the EMV Card Personalization Specification Annex A, Common EMV Data Groupings.
Smart card data can be used as input data for data generation by Affina DP or Affina OSI. For
example, some issuer parameters, such as the Personal Identification Number (PIN), may vary
from cardholder to cardholder. In that case, issuer parameters in TLV format may be included in
the input smart card data. Individual TLVs inside a DGI are not parsed when DGI format data is
used as input data; therefore DGI format data cannot be used as input data for data generation.
Smart card data generated by Affina DP can be in PIX format or it can include a format identifier
and the name of the personalization application, which is called SCPM format.

Smart Card Data Format
Length and Sample
Field Name* Encoding† Value Description
MIC Variable ASCII { Smart Card field start code
Embedded Length 7 ASCII characters 0000782 Length of all smart card data as a
decimal number (excluding this
field).
Format Identifier‡ 4 Bytes Optional; smart card module

instructions
FFFFFFFA Reset card; use 2‐byte lengths
FFFFFFFB Reset card; use 4‐byte lengths
FFFFFFEB Do not reset card; use 4‐byte
lengths
Total Length‡ 2 or 4 Bytes ‐ Length of all of the following data.
Application Name 2 Bytes 0008 Optional; size of the application

Length‡ name.
Application Name‡ Variable ASCII AffinaPS Optional; application name.
Application Data Length‡ 2 or 4 Bytes Length of all of the following data.
Application Data
Job OID** Variable ASCII [2B…0501] The OID of the job to be executed.
PIX 4 Bytes Proprietary application identifier;

the second part of the AID
described on page 25. If the PIX is
less than four bytes, it is padded
with 00 bytes.
Data Length 2 Bytes Length of all of the following data.
BIN†† 4 Bytes 424777FF Bank Identification Number. Padded

with ‘F’ if less than 4 bytes.
KEK Extension†† 3 Bytes 000000 Reserved.
TLV Format†† 1 Byte 00 00 for EMV TLV and FF for DGI TLV.
KEK Version†† 4 Bytes 00000001 Version of the KEK to use for

encrypting sensitive data.
26 Data Format
Length and Sample
Field Name* Encoding† Value Description
Data Length 2 Bytes Length of all of the data under this

application’s PIX.
DF 1 Byte Optional; to support legacy

products. If present, the data that
follows is wrapped in the tag DF.
Data Length 2 Bytes Conditional upon existence of DF

tag. If a DF tag is present, this is the
length of all of the following
application data.
Data Variable Smart card data in TLV or DGI

format.
* Color coding in this column relates to samples that follow.

† Data is in hexadecimal encoding unless otherwise noted.
‡ This data is present only when using SCPM format.
**Affina DP requires input data in SCPM format to generate this field.
††These bytes have a different meaning for MULTOS data using ALUs. Refer to the MULTOS Data Format and Operation
manual.
SCPM Format
SCPM format smart data includes the format identifier and application name. This example also
includes the Job OID.
00000000 7B30 3030 3037 3832 FFFF FFFA 0308 0008 {0000782........
00000010 4166 6669 6E61 5053 02FC 5B32 4230 3630 AffinaPS..[2B060
00000020 3130 3430 3138 3139 3030 4438 3830 3630 1040181900D88060
00000030 3530 315D 1010 0000 02DC 4247 77FF 0000 501]......BGw...
00000040 0000 0000 0001 02CE 9F45 02DA C19F 3602 .........E....6.
PIX Format
PIX format smart card data excludes the format identifier, application name, and Job OID. When
using PIX format data on a Datacard issuance system or simulator, the smart card data must be
concatenated to the Job OID using the Data Setup as described in “One Step Personalization
Setup” on page 97.
00000000 7B30 3030 3037 3338 1010 0000 02DC 4247 {0000738......BG
00000010 77FF 0000 0000 0000 0001 02CE 500B 5649 w...........P.VI
00000020 5341 2043 5245 4449 549F 4502 DAC1 9F36 SA CREDIT.E....6

DSV Format
Delimiter‐separated value (DSV) data can be passed into the parser following the magnetic stripe
data or on its own. The format is:
<Delimiter> <Name or Tag> <Delimiter> <Value>
The default delimiter is the # character. For data elements in the Application profile that have a
Name but not a Tag or when multiple data elements reference the same data element, the Name
must be used. Otherwise, either the Name or the Tag may be used. Tags must be prepended with
the characters 0x. In all cases, the Value must contain the hexadecimal representation of the
data.
For example, for the data element named LanguagePreference (Tag 0x5F2D) with a value of en
(hexadecimal 656E), either of the following representations could be used for the DSV data:
 #LanguagePreference#656E
 #0x5F2D#656E
You can override the default delimiter in the com.datacard.properties file. Refer to “DSV
Properties” on page 3.
To use DSV data as input data without magnetic stripe data, the data block must begin with
either the characters #DSV# or a custom string of characters defined by the DSV.marker property
in the com.datacard.properties file. Refer to “DSV Properties” on page 3.
If a DSV.marker is defined, a DSV.delimeter must also be defined.

Magnetic Stripe and DSV Data Example
In the following example, the data elements ReferencePIN and PEK_VER and the Tag 0x9F58 are
appended to the magnetic stripe data as DSV data. Here is the content of the input data (with a
record separator of #END#):
000001$4247 7758 6985 7153)12/15#VSDC SAMPLE"%
B4247775869857153^SAMPLE/VSDC^1512201123456789012345678901234?
;4247775869857153=15122011234567890123?
#ReferencePIN#81D1670EED69181A#PEK_VER#01#0x9F58#04#END#
This is parsed as:

Default DSV & Magstripe Parser
Magstripe_1: %B4247775869857153^SAMPLE/
VSDC^1512201123456789012345678901234?;4247775869857153=151220
11234567890123?
Tag[0x005A]: 0x4247775869857153
Tag[0x5F20]: SAMPLE/VSDC
Tag[0x5F30]: 0x0201
Tag[0x5F24]: 151231
Tag[0x9F1F]: 123456789012345678901234
Tag[0x0057]: 0x4247775869857153D15122011234567890123F
DataElement[ReferencePIN]: 81D1670EED69181A
DataElement[PEK_VER]: 01
Tag[0x9F58]: 04
28 Data Format
DSV Data Only Example
In the following example, all of the data elements for data generation are included in the input
data using a DSV.marker of *START* and a DSV.delimiter of >. Here is the content of the input
data (with a record separator of #END#):
*START*>PAN>4247775869857153>CardholderName>53414D504C452F4453562054455354>ServiceCode>
0201>ApplicationExpirationDate>141231>Track1DiscretionaryData>123456789012345678901234>
Track2EquivalentData>4247775869857153D15122011234567890123F>ReferencePIN>81D1670E6981A0
0#END#
This is parsed as:

Default DSV & Magstripe Parser
DataElement[PAN]: 4247775869857153
DataElement[CardholderName]: 53414D504C452F4453562054455354
DataElement[ServiceCode]: 0201
DataElement[ApplicationExpirationDate]: 141231
DataElement[Track1DiscretionaryData]: 123456789012345678901234
DataElement[Track2EquivalentData]: 4247775869857153D15122011234567890123F
DataElement[ReferencePIN]: 81D1670E69181A00
Parser Configuration Parameters

By default the Affina parser reads magnetic stripe and/or smart card data and writes smart card
data in the format described in the previous sections. You can customize the behavior of the
default parser in Configuration Manager using the following Job or Product level parameters.
Product level parameters take precedence over Job level parameters.
Smart Card Output Data Parameters

The parameters below correspond to Field Names in the “Smart Card Data Format” table that
starts on page 26. They determine the content of the smart card data generated by Affina DP.
Parameter Name* Encoding Description Default Value
MIC ASCII Adds a Start Code and an Embedded Length. ‐
FORMAT_ID† HEX Specifies the smart card module format identifier. FFFFFFFA
(Format Identifier)
APM_DLL† ASCII Specifies the name of a personalization AffinaPS

(Application application.
Name)
JOB_OID‡ ASCII Adds a Job OID (must be entered without square ‐

brackets, as the brackets are added by the parser)
USE_DGI HEX Defines TLV Format; 00 for EMV TLV and any 00
(TLV Format) other value for DGI TLV.

Parameter Name* Encoding Description Default Value
USE_TAG_DF HEX Wraps application data in Tag DF when set to any 00

(DF) value other than 00. For support of legacy
applications only.
KEK_NAME ASCII Sets the name of the Key Encryption Key (KEK) to KEK
use for encrypting sensitive data.
* The name of the corresponding field in the Smart Card Data Format table is given in parentheses if it differs from this
parameter name.
† Must be used together to create SCPM format.
‡ Using this field will cause fields marked with † to be generated using default values if not otherwise specified.
Smart Card Input Data Parameters

The parameters below change how input smart card data is read by the default parser.
Parameter Name Encoding Description
PIX_OFFSET HEX Changes the offset in the AID (the length of the RID) used
to extract the PIX for mapping by the default parser. Must
be 1 byte in length.
PIX_DATA HEX Sets the value of the PIX to use for mapping by the default
parser. Must be 4 bytes in length.
System Configuration Parameter

The following parameter affects the entire system and can be set only at the Job level.
Parameter Name Encoding Description
COMPLIANT_BER HEX Enables the Job to enforce BER‐TLV compliance when set to
any value other than 00.
30 Data Format
MULTOS Data Parameters
The MULTOS data format is described in the MULTOS Issuance Software Data Format and
Operation manual. For Affina DP, the parameters below apply to MULTOS output data, which can
be in either PIX or SCPM format. For Affina OSI, only the MULTOS parameter can be specified.
Parameter Name Encoding Description Value
MIC ASCII Adds a Start Code and an Embedded Length. ‐
MULTOS HEX MUTLOS ALU format. 01 for MULTOS or

02 for step/one
FORMAT_ID* HEX Adds a Smart Card module format identifier. FFFFFFFA
APM_DLL* ASCII Adds the name of a personalization Multos

application.
* Must be used together to create SCPM format.
Input Data Fields

The default Affina parser parses smart card data and/or magnetic stripe data. It supports two
input data fields: a smart card input data field (InputSC) and a magnetic stripe input data field
(InputMag).
InputSC
InputSC is used by:
 Affina DP for smart card data
 Affina OSI for smart card data and magnetic stripe data
 Affina PS for smart card data
 Affina DP or Affina OSI for smart card data and magnetic stripe data in smart card (TLV)
format
InputSC must contain the OID of the Job profile in square brackets at the beginning of the InputSC
field ([2B0601040181900D88060501]). In the case of Affina DP, the Job OID may be the only data
that InputSC contains; for Affina OSI and Affina PS, InputSC will typically contain magnetic stripe
data and/or smart card data in PIX or SCPM format.
Magnetic stripe data in InputSC is detected by the presence of the characters %B immediately
following the Job OID. If these characters are not found, the input data must be in smart card
format or an error will be returned.

Using Affina DP, smart card data is provided to the parser using the Production Setup Input Data
Field inputSmartcard.
InputMag
InputMag is only available in Affina DP for magnetic stripe data. It is provided to the parser using
the Production Setup Input Data Field inputMagstripe.
Input Data Examples

The following sections show the input data received by the default parser when running Affina
DP and Affina OSI using the sample file 1_VSDC.dat in debug mode. (Refer to “Configuration
Parameters and Initialization Settings” on page 1 for information about how to enable debug
mode). The debug log file shows the input data received in hexadecimal and ASCII format.
Data Generation - Magnetic Stripe and Job OID Only

The following examples show how magnetic stripe data and the Job OID only are used for data
generation.
InputSC and InputMag — Affina DP
Affina DP can use both the InputSC and InputMag fields.

$inputSC
0000: 5B 32 42 30 36 30 31 30 34 30 31 38 31 39 30 30 > [2B0601040181900
0010: 44 38 38 30 36 30 35 30 31 5D > D88060501]
$inputMag
0000: 25 42 34 32 34 37 37 37 35 38 36 39 38 35 37 31 > %B42477758698571
0010: 35 33 5E 53 41 4D 50 4C 45 2F 56 53 44 43 5E 31 > 53^SAMPLE/VSDC^1
0020: 35 31 32 32 30 31 31 32 33 34 35 36 37 38 39 30 > 5122011234567890
0030: 31 32 33 34 35 36 37 38 39 30 31 32 33 34 3F 3B > 12345678901234?;
0040: 34 32 34 37 37 37 35 38 36 39 38 35 37 31 35 33 > 4247775869857153
0050: 3D 31 35 31 32 32 30 31 31 32 33 34 35 36 37 38 > =151220112345678
0060: 39 30 31 32 33 3F > 90123?
32 Data Format
InputSC — Affina OSI
Affina OSI only has access to the InputSC field, so the magnetic stripe data must be concatenated
to the smart card data (the Job OID in this case), and the InputMag field is empty. For PIX format
data, this can done in the Data Setup on the Datacard issuance system as described in “One Step
Personalization Setup” on page 97.
$inputSC
0000: 5B 32 42 30 36 30 31 30 34 30 31 38 31 39 30 30 > [2B0601040181900
0010: 44 38 38 30 36 30 35 30 31 5D 25 42 34 32 34 37 > D88060501]%B4247
0020: 37 37 35 38 36 39 38 35 37 31 35 33 5E 53 41 4D > 775869857153^SAM
0030: 50 4C 45 2F 56 53 44 43 5E 31 35 31 32 32 30 31 > PLE/VSDC^1512201
0040: 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 > 1234567890123456
0050: 37 38 39 30 31 32 33 34 3F 3B 34 32 34 37 37 37 > 78901234?;424777
0060: 35 38 36 39 38 35 37 31 35 33 3D 31 35 31 32 32 > 5869857153=15122
0070: 30 31 31 32 33 34 35 36 37 38 39 30 31 32 33 3F > 011234567890123?
$inputMag
Data Generation — Magnetic Stripe and/or Smart Card

Input Data
The following examples show how the magnetic stripe data and smart card data in addition to the
Job OID can be used for data generation. In this case, issuer parameters can be passed in to data
generation in TLV format as part of part of a smart card data block following the Job OID. For
example, the issuer may wish to pass in an encrypted PIN block using the Tag DF01 for the PIN
block.
If the first tag in the smart card application data begins with the tag DF, such as DF01, then the
smart card data must be wrapped in the tag DF. Otherwise, it is not necessary to wrap the data in
the DF tag.
InputMag and InputSC — Affina DP
For Affina DP, the magnetic stripe data can be supplied to InputMag and the smart card data
block can be appended to the Job OID and supplied to InputSC in the Production Setup. In this
example, the Tag DF is used to wrap the Tag DF01.
$inputSC
0000: 5B 32 42 30 36 30 31 30 34 30 31 38 31 39 30 30 > [2B0601040181900
0010: 44 38 38 30 36 30 35 30 31 5D 10 10 00 00 00 1C > D88060501]......
0020: 42 47 77 FF 00 00 00 00 00 00 00 01 00 0E DF 00 > BGw.............
0030: 0B DF 01 08 81 D1 67 0E ED 69 18 1A > ......g..i..
$inputMag
0000: 25 42 34 32 34 37 37 37 35 38 36 39 38 35 37 31 > %B42477758698571
0010: 35 33 5E 53 41 4D 50 4C 45 2F 56 53 44 43 5E 31 > 53^SAMPLE/VSDC^1
0020: 35 31 32 32 30 31 31 32 33 34 35 36 37 38 39 30 > 5122011234567890
0030: 31 32 33 34 35 36 37 38 39 30 31 32 33 34 3F 3B > 12345678901234?;
0040: 34 32 34 37 37 37 35 38 36 39 38 35 37 31 35 33 > 4247775869857153
0050: 3D 31 35 31 32 32 30 31 31 32 33 34 35 36 37 38 > =151220112345678
0060: 39 30 31 32 33 3F > 90123?
$inputUser
. . .

Parse DCC Smartcard data
Application Pix : 0x10 10 00 00

Bin : 0x42 47 77
keyVerEx: 0x00 00 00 00
keyVer : 0x00 00 00 01
Tag[0xDF01]
0000: 81 D1 67 0E ED 69 18 1A > ..g..i..
InputSC — Affina OSI
For Affina OSI, which only has access to InputSC, the magnetic stripe data must be included in the
smart card data in TLV format in order to pass in additional issuer parameters (because the
default parser will not parse smart card data if it detects magnetic stripe data in InputSC). In this
example, DF01 is not the first tag in the smart card block, so the block is not wrapped in the tag
DF.
Here is the content of a file in which a smart card field has been added to the file 1_VSDC.dat. In
this file, the magnetic stripe data identified in Table 4: TLVs Created from Magnetic Stripe Data
has been included in TLV format in the smart card input data and the tag DF01 appears at the end
of the data.
00000000 3030 3030 3031 2434 3234 3720 3737 3538 000001$4247 7758
00000010 2036 3938 3520 3731 3533 2931 322F 3135 6985 7153)12/15
00000020 2356 5344 4320 5341 4D50 4C45 2225 4234 #VSDC SAMPLE"%B4
00000030 3234 3737 3735 3836 3938 3537 3135 335E 247775869857153^
00000040 5341 4D50 4C45 2F56 5344 435E 3135 3132 SAMPLE/VSDC^1512
00000050 3230 3131 3233 3435 3637 3839 3031 3233 2011234567890123
00000060 3435 3637 3839 3031 3233 343F 3B34 3234 45678901234?;424
00000070 3737 3735 3836 3938 3537 3135 333D 3135 7775869857153=15
00000080 3132 3230 3131 3233 3435 3637 3839 3031 1220112345678901
00000090 3233 3F7B 3030 3030 3135 37FF FFFF FA00 23?{0000157.....
000000A0 9700 0841 6666 696E 6150 5300 8B5B 3242 ...AffinaPS..[2B
000000B0 3036 3031 3034 3031 3831 3930 3044 3838 0601040181900D88
000000C0 3036 3035 3031 5D10 1000 0000 6B42 4777 060501].....kBGw
000000D0 FF00 0000 0000 0000 0100 5D5A 0842 4777 ..........]Z.BGw
000000E0 5869 8571 535F 200B 5341 4D50 4C45 2F56 Xi.qS_ .SAMPLE/V
000000F0 5344 435F 3002 0201 5F24 0315 1231 9F1F SDC_0..._$...1..
00000100 1831 3233 3435 3637 3839 3031 3233 3435 .123456789012345
00000110 3637 3839 3031 3233 3457 1342 4777 5869 678901234W.BGwXi
00000120 8571 53D1 5122 0112 3456 7890 123F DF01 .qS.Q"..4Vx..?..
00000130 0881 D167 0E69 181A 2345 4E44 23 ...g.i..#END#
34 Data Format
Here is how the data is parsed.
$inputSC
0000: 5B 32 42 30 36 30 31 30 34 30 31 38 31 39 30 30 | [2B0601040181900
0010: 44 38 38 30 36 30 35 30 31 5D 10 10 00 00 00 6B | D88060501].....k
0020: 42 47 77 FF 00 00 00 00 00 00 00 01 00 5D 5A 08 | BGw..........]Z.
0030: 42 47 77 58 69 85 71 53 5F 20 0B 53 41 4D 50 4C | BGwXi.qS_ .SAMPL
0040: 45 2F 56 53 44 43 5F 30 02 02 01 5F 24 03 15 12 | E/VSDC_0..._$...
0050: 31 9F 1F 18 31 32 33 34 35 36 37 38 39 30 31 32 | 1...123456789012
0060: 33 34 35 36 37 38 39 30 31 32 33 34 57 13 42 47 | 345678901234W.BG
0070: 77 58 69 85 71 53 D1 51 22 01 12 34 56 78 90 12 | wXi.qS.Q"..4Vx..
0080: 3F DF 01 08 81 D1 67 0E 69 18 1A | ?.....g.i..
$inputMag
. . .
No MagStripe data
. . .

Bin : 0x42 47 77
keyVerEx: 0x00 00 00 00
keyVer : 0x00 00 00 01
Tag[0x005A]
0000: 42 47 77 58 69 85 71 53 | BGwXi.qS
Tag[0x5F20]
0000: 53 41 4D 50 4C 45 2F 56 53 44 43 | SAMPLE/VSDC
Tag[0x5F30]
0000: 02 01 | ..
Tag[0x5F24]
0000: 15 12 31 | ..1
Tag[0x9F1F]
0000: 31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 | 1234567890123456
0010: 37 38 39 30 31 32 33 34 | 78901234
Tag[0x0057]
0000: 42 47 77 58 69 85 71 53 D1 51 22 01 12 34 56 78 | BGwXi.qS.Q"..4Vx
0010: 90 12 3F | ..?
Tag[0xDF01]
0000: 81 D1 67 0E 69 18 1A 00 | ..g.i...
Personalization - Smart Card Data

The input data used for personalization by Affina PS is the smart card data generated by Affina DP.
This data may be in SCPM or PIX format, and in either TLV or DGI format.

DGI Format
This example shows how data in DGI format is parsed. This data was generated using Affina DP in
SCPM format with the USE_DGI parameter set to 0x01. Here is the first portion of the file
including the first DGI in the data, 0D01, which contains the tags 9F58, 9F59, 9F53, and 9F54.
00000000 3030 3030 3031 2434 3234 3720 3737 3538 000001$4247 7758
00000010 2036 3938 3520 3731 3533 2931 322F 3135 6985 7153)12/15
00000020 2356 5344 4320 5341 4D50 4C45 2225 4234 #VSDC SAMPLE"%B4
00000030 3234 3737 3735 3836 3938 3537 3135 335E 247775869857153^
00000040 5341 4D50 4C45 2F56 5344 435E 3135 3132 SAMPLE/VSDC^1512
00000050 3230 3131 3233 3435 3637 3839 3031 3233 2011234567890123
00000060 3435 3637 3839 3031 3233 343F 3B34 3234 45678901234?;424
00000070 3737 3735 3836 3938 3537 3135 333D 3135 7775869857153=15
00000080 3132 3230 3131 3233 3435 3637 3839 3031 1220112345678901
00000090 3233 3F7B 3030 3030 3738 39FF FFFF FA03 23?{0000789.....
000000A0 0F00 0841 6666 696E 6150 5303 035B 3242 ...AffinaPS..[2B
000000B0 3036 3031 3034 3031 3831 3930 3044 3838 0601040181900D88
000000C0 3036 3035 3031 5D10 1000 0002 E342 4777 060501]......BGw
000000D0 FF00 0000 FF00 0000 0102 D50D 0115 9F58 ...............X
000000E0 0103 9F59 0107 9F53 0105 9F54 0600 0000 ...Y...S...T....
000000F0 1000 0080 0030 D6C2 891A E395 3C05 FE6A .....0......<..j
Here is a portion of how the data is parsed, with InputSC truncated to show only the first 40
bytes. Notice that the TLV Format byte has a value of 0xFF, indicating DGI format. Only the first
DGI in the input file, 0D01, is included here.
$inputSC
0000: 5B 32 42 30 36 30 31 30 34 30 31 38 31 39 30 30 | [2B0601040181900
0010: 44 38 38 30 36 30 35 30 31 5D 10 10 00 00 02 E3 | D88060501]......
0020: 42 47 77 FF 00 00 00 FF 00 00 00 01 02 D5 0D 01 | BGw.............
0030: 15 9F 58 01 03 9F 59 01 07 9F 53 01 05 9F 54 06 | ..X...Y...S...T.
0040: 00 00 00 10 00 00 80 00 30 D6 C2 89 1A E3 95 3C | ........0......<
. . .
$inputMag
$inputUser
. . .
No MagStripe data

Bin : 0x42 47 77
keyVerEx: 0x00 00 00 FF
keyVer : 0x00 00 00 01
Tag[0x0D01]
0000: 9F 58 01 03 9F 59 01 07 9F 53 01 05 9F 54 06 00 | .X...Y...S...T..
0010: 00 00 10 00 00 | .....
. . .
36 Data Format
TLV Output Data Key Format
When TLV format is used in Affina DP for output data, keys are output as a TLV object in the
format defined in the GlobalPlatform Card Specification Version 2.1.1 (March 2003) as Format 1
(section 9.8.2.3.1):
Field Length Description
1 byte Key Type Description
0x00 ‐ 0x7F Reserved for private use
0x80 DES ‐ mode (EBC/CBC) implicitly known
0x81 ‐ 0x9F RFU (symmetric algorithms)
0xA0 RSA Public Key ‐ public exponent e component (clear text)
0xA1 RSA Public Key ‐ modulus n component (clear text)
0xA2 RSA Private Key ‐ modulus n component
0xA3 RSA Private Key ‐ private exponent d component
0xA4 RSA Private Key ‐ Chinese Remainder Theorem (CRT) P

component
0xA5 RSA Private Key ‐ CRT Q component
0xA6 RSA Private Key ‐ CRT PQ component
0xA7 RSA Private Key ‐ CRT DP1 component
0xA8 RSA Private Key ‐ CRT DQ1 component
0xA9 ‐ 0xFE RFU (asymmetric algorithms)
0xFF Not Available
1 byte Length of key or key component
Variable Key or key component data value

(1 – n bytes)
1 byte Length of key check value
Variable Key check value (if present; that is, if key check value length is not 0x00)
(1 – n bytes)

DES Key Example
When Affina DP is used to generate VSDC data in TLV format, the Unique Derived Key (UDK) is
encrypted with a Key Exchange Key (KEK) and stored in the data element UDK_KEK, tag DF63, as
shown below. The key tag 80 identifies the key as a DES key; the length of the key is 10 bytes,
followed by the length of the key check value, 3 bytes, and the key check value itself.
00000000 DF63 1680 1029 6E7D 10AB 6C9A 9DBB 3EE3 .c...)n}..l...>.
00000010 AA3F F32C 4A03 BA0B 06 .?.,J....
RSA Key Example

When Affina DP is used to generate VSDC data in TLV format for Dynamic Data Authentication
(DDA), the ICC public key is stored in the data element ICC_PK, tag DF67, as shown below. The key
tag A1 identifies the public key modulus, followed by the modulus length, 80 bytes, and value.
The tag A0 identifies the public key exponent, followed by the exponent length, 1 byte, and value
(03).
00000000 DF67 8187 A180 BEBA 8F6C 38E1 B1DD DA89 .g.......l8.....
00000010 3504 29C2 20FD 980B 3174 5A3E 5909 DC80 5.). ...1tZ>Y...
00000020 3271 CB99 A035 51F4 F9F8 4302 396B DCFC 2q...5Q...C.9k..
00000030 CAA9 0963 5FCD 8089 B561 91E3 6B90 78E5 ...c_....a..k.x.
00000040 DF70 D0FD 442B C699 2C18 B1CF 4C1C 5404 .p..D+..,...L.T.
00000050 BDC6 B6D0 B5C0 57FA B1F9 9D8D 083A 941C ......W......:..
00000060 9CF4 F1F1 73AF 1E46 3858 9310 AA19 5AF8 ....s..F8X....Z.
00000070 480F 2A68 BE70 504B FC28 D66F CF67 A0A2 H.*h.pPK.(.o.g..
00000080 A415 6629 5C2D 00A0 0103 ..f)\‐....
38 Data Format
Chapter 4: Key Management
System
This chapter gives an overview of the tasks necessary to set up and

manage cryptographic keys for smart card data generation using the
Affina Key Management System (KMS).
Introduction to the KMS

The KMS is a PC‐based system with a graphical user interface. It uses a Hardware Security Module
(HSM) that is responsible for the creation, storage, distribution, and receipt of sensitive
cryptographic information.
KMS Key Management

GUI System
File
HSM
Dumb Terminal
Sensitive key management tasks must be performed in the presence of a Security Officer who is
logged on to the HSM.
PKCS #11: Cryptographic Token Interface

Standard
PKCS #11 is one of the Public‐Key Cryptography Standards (PKCS) published by RSA Laboratories.
It defines a platform‐independent application programming interface (API) to cryptographic
tokens (such as HSMs) called Cryptoki. Cryptoki is short for cryptographic token interface.
Cryptoki is an abstraction layer for generic cryptographic tokens. The PKCS #11 API defines most
commonly used cryptographic object types (RSA keys, DES/Triple DES keys, etc.), along with

attributes and usages, and all the functions needed to use, create/generate, modify, and delete
those objects.
In addition, Datacard has extended PKCS #11 to define and support specific objects needed for
financial issuance. For SafeNet HSMs, this is implemented in the Datacard Affina PKCS#11
firmware.
Slots and Tokens

Cryptoki provides an interface to cryptographic devices through the use of “slots”. Each slot may
contain a “cryptographic token.” Each token is a separate entity that contains its own
authentication scheme and key storage. SafeNet HSMs support multiple slots per HSM.
Roles
Cryptoki defines two token user types: Security Officer (SO) and User. An SO is repsonsible for
initializing a token and can set some attributes on public objects that a User cannot. A User, on
the other hand, can create Private objects which an SO cannot access, but only after the User has
been authenticated and granted access to the token.
Datacard has extended the Cryptoki user types to allow multiple individuals to share a role and
also to allow setting a minimum number of users in that role to be required for authentication.
For example, it is possible to create three Users for a token and require that two of them log on in
order to access the token.
Here are some differences between a User and an SO.
User
 Can create, modify, and destroy Private objects
 Cannot set the Trusted attribute

 Can perform Administrative functions except “Load Firmware Certificate”
SO
 Can Log In to an uninitialized token
 Cannot access Private objects
 Can set the Export usage
 Can set the Trusted attribute
 Can “Load Firmware Certificate” but not do other Administrative functions
40 Key Management System

Sessions
A session provides a logical connection between an application and a token. A session is required
to gain access to the token’s objects and functions. Token objects are objects that are stored on
the token and are persistent. Objects may also be created during a session, and these session
objects are destroyed when the session is closed.
A session can be a read‐only session or a read/write session. In a read‐only session, token objects
cannot be created, modified, or destroyed. In a read/write session, modifiable objects can be
created, modified, and destroyed. Although Cryptoki defines a read/write public (non‐
authenticated) session, Datacard’s implementation does not allow read/write public sessions.
In Datacard’s implementation, read/write sessions require authentication. Authenticated User

sessions have access to private objects, while authenticated SO sessions do not.
Affina data preparation and personalization software, with the obvious exception of the Affina
KMS, accesses tokens using read‐only sessions.
The following sections describe usages and attributes common to key objects.

Key Usage
Keys can have the following usages. Usages shown in italics are extensions to the PKCS #11
specification and are shown in italics in the KMS user interface.
Usage Description
Encrypt The key may be used for encryption.
Decrypt The key may be used for decryption.
Sign The key may be used for signing.
Verify The key may be used for verifying signatures or MAC values.
Wrap The key may be used to wrap (that is, extract) other keys.
Unwrap The key may be used to unwrap keys.
Export The key may be used to export other keys. Can be set only by members
of the SO role.
Import The key may be used to import other keys.
Derive The key can be used in key derivation functions.

Key Attributes
Keys may have the following attributes. Attributes shown in italics are extensions to the PKCS #11
specification and are shown in italics in the KMS user interface. Attributes shown in boldface can
be changed only once and are shown in boldface in the KMS user interface.
Attribute Description
Sensitive The key's value cannot be revealed in plain text. After a key becomes
sensitive it cannot be modified to be non‐sensitive. Cannot be changed
after it is set to True.
Trusted The key can be trusted for the application for which it was created. Can
be set only by members of the SO role.
Modifiable The object can be modified; that is, the object's attributes can be
changed after creation. This attribute can be set only when an object is
created.
Wrap w/ Trusted The created key can only be wrapped or backed up by a trusted key.
Cannot be changed after it is set to True.
Private The key is visible only after the user is authenticated to the token
where that object is stored. This attribute can be set only when an
object is created. Private object can be created only by members of the
User role.
Unwrap Mask If a key has the usage Unwrap, an Unwrap Mask may also be defined.
When this key unwraps a key, the key that is unwrapped can be used
only to encrypt other keys.
Extractable An extractable key can be wrapped (encrypted with another key) and
then extracted from the HSM. Cannot be changed after it is set to
False.
Derive Mask If a key has the usage Derive, a Derive Mask can be defined. The Derive
Mask can define specific usages for up to five levels of derivation. In
this case, each of the intermediate keys can be used only to derive
another key.
Exportable The key may be backed up (encrypted with another key) but only with
keys marked with the Export usage. Cannot be changed after it is set to
True.
Deletable The key can be deleted. If this is not selected, the adapter must be
tampered to remove the key.

Configuring HSMs
Using the SafeNet HSM
Token Initialization Procedures
There are two token initialization procedures: “Initialize the AdminToken” and “Initialize a key
token”.
Initialize the AdminToken
A key token must also be initialized. Keys must be stored in a key token.
1. Open the KMS (refer to “Open the KMS” on page 52).

2. Right‐click the AdminToken and then select Login.
3. In the Login dialog box, select Security Officer and then enter the PIN 9999.
4. From the Administration menu, select Init Token.

5. In the Token Initialization dialog box, select AdminToken from the Slot list.
6. For Certificate, click Browse and then navigate to the CRT file on the Affina PKCS#11
Firmware disc.
7. For Firmware, click Browse and then navigate to the FM file on the Affina PKCS#11 Firmware
disc.
8. Set the minimum PIN length (default is four). The minimum PIN length is the smallest PIN
length allowed when specifying PINs for the token. The maximum PIN length is 31.
9. For both the Security Officer (SO) and User login modes, select the appropriate mode for the
token that you are initializing.
For PKCS#11:
a. Enter a user name. You can use up to 31 UTF‐8 characters with the exception of the #
character.
b. Enter and then confirm the PIN. You can use up to 31 UTF‐8 characters.
For N of M:
a. Choose the Number in Role (users, a minimum of two and a maximum of ten) and the
number of users required in order to log in (Number for Login).
b. Enter a user name. Use up to 31 UTF‐8 characters with the exception of the # character.

c. Enter and then confirm the PIN. You can use up to 31 UTF‐8 characters.
You cannot change the user name without reinitializing the token.
10. Click OK to save the token. The firmware will update.
The update process can take some time to complete. Do not perform any other
actions until the update process is finished.
Initialize a key token
A key token must be initialized. Keys must be stored in a key token.
2. Right‐click the AdminToken and then select Login.
3. In the Login dialog box, select User and then enter the PIN(s) defined when you initialized the
AdminToken.
4. From the Administration menu, select Init Token.

5. In the Token Initialization dialog box, from the Slot list select the appropriate slot for the
token you are initializing. Enter a descriptive label if needed.
6. Set the minimum PIN length (default is four). The minimum PIN length is the smallest PIN
length allowed when specifying PINs for the token. The maximum PIN length is 31.
7. For both the Security Officer (SO) and User login modes, select the appropriate mode for the
token that you are initializing.
For PKCS#11:
a. Enter a user name. You can use up to 31 UTF‐8 characters with the exception of the #
character.
b. Enter and then confirm the PIN. You can use up to 31 UTF‐8 characters.
For N of M:
a. Choose the Number in Role (users, a minimum of two and a maximum of ten) and the
number of users required in order to log in (Number for Login).
b. Enter a user name. Use up to 31 UTF‐8 characters with the exception of the # character.
c. Enter and then confirm the PIN. You can use up to 31 UTF‐8 characters.
You cannot change the user name without reinitializing the token.

8. Click OK. After the token is initialized, you will be logged out of the AdminToken.
Administrative Functions
Create slots
You must be logged into the AdminToken as a User in order to perform this task.
2. Right‐click the AdminToken, and then select Login.
3. In the Login dialog box, select User and then enter the PIN.
4. From the menu bar, select Administration > SafeNet > Create Slots.
5. In the dialog box, enter the number of slots you want to create and then click OK. The slots
will display in the token navigator.
After a slot has been created, it must be initialized to be used.
Delete slots
3. In the Login dialog box, select User and then enter the PIN(s).
4. In the Token Explorer, select the Slot(s) you want to delete and then click Delete (in the
toolbar).
5. Click OK. The Slots will be removed from the Token Navigator.

Download Affina firmware
Perform the following procedure to download updated Affina firmware to the SafeNet HSM.
1. From the menu bar select Administration > SafeNet > Download.
2. In the Download Affina Firmware dialog box, browse to and then select the FM file on the
Affina PKCS#11 Firmware disc.
3. Click Open. The path displays in the dialog box.
4. Click OK.
The firmware will update automatically. The process can take some time to complete. Do not
perform any other actions until the update process is finished.
Install SafeNet firmware
Perform the following procedure to install updated SafeNet firmware on the SafeNet HSM.
1. From the menu bar select Administration > SafeNet > Install SafeNet Firmware.
2. In the Install SafeNet Firmware dialog box, browse to and then select the SafeNet FW file that
contains the SafeNet Firmware.
4. Click OK.
The firmware will update automatically. The process can take some time to complete. Do not
perform any other actions until the update process is finished.

Configure the adapter
Perform the following procedure to configure the adapter’s clock and transport mode.
1. From the menu bar select Administration > SafeNet > Adapter Configuration.
2. In the Adapter Configuration dialog box:
a. For Clock, the current adapter clock date and time is displayed. To change the date and
time, select one of the following:
 Manual—To use the keyboard to enter the date and time in their respective boxes.
 Computer Clock—To synchronize the adapter clock with the computer’s clock.
Click Set when finished.

b. For Transport Mode, choose how the adapter will behave when it is removed from the
PCI bus on the PC. The board is designed to tamper (all data is erased) in order to prevent
secure information from being moved to another PC.
 Disabled—The adapter cannot be removed without being tampered.
 Single Shot—The adapter can be removed and replaced once without being
tampered.
 Continuous —The adapter can be removed and replaced unlimited times without
being tampered.

c. For Security Mode, select the security options required for your installation. Refer to the
SafeNet ProtectToolkit C Administration Manual for descriptions of these options.
3. Click Close.

Load a firmware certificate
Perform the following procedure to load a firmware certificate on the SafeNet HSM.
You must be logged into the AdminToken as a Security Officer to load a certificate.
1. Open the KMS.

3. In the Login dialog box, select Security Officer and then enter the PIN(s).
4. From the menu bar select Administration > SafeNet > Load Firmware Certificate.
5. In the Download Affina Firmware dialog box, browse to and select the CRT file on the Affina
PKCS#11 Firmware disc.
7. Click OK.
Tamper the adapter
Tampering the adapter wipes out all data and returns the adapter to its factory state. Any
firmware updates will remain.
1. From the menu bar select Administration > SafeNet > Tamper Adapter.
2. Confirm that you want to tamper the adapter in the confirmation dialog box. The adapter will
be tampered.
Set (Modify) PIN
Perform the following procedure to set or modify the PIN.
You must be logged into a token as User(s) to change a User PIN or Security Officer(s) to
change a Security Officer PIN.
1. In the Token Navigator, right‐click the token you are logged into that contains the User or
Security Officer whose PIN you want to change.
2. Select Set Pin.
3. In the PIN Modification dialog box, select the User Name if there is more than one individual
in the Role, enter the current PIN, and then enter and confirm the new PIN.
4. Click OK.

Import and Restore Sample Keys
You must initialize a PKCS token before you can import keys into the KMS. Refer to “Token
Initialization Procedures” on page 44.
1. Start the KMS and Log In as a User.
2. Create an Import Key.
a. From the menu, select Create > Create Secret Key from Clear Components.
b. For Label, type a descriptive Name, Owner, and Version. For example, type ZMK,
Datacard, 01 (refer to the figure below).
c. For Key Type, select CKK_DES2.
d. For Usage, select at least Import.
e. Select the appropriate Attributes for the key.
f. Click Next.
g. For Component 1, enter 10101010101010102020202020202020 and then click OK and

then Next.
h. For Component #2, enter 20202020202020204040404040404040 and then click OK and

then Next.

i. For Component #3, enter 40404040404040408080808080808080 and then click OK and
then Next.
j. Click Finish.
k. In the Import Key dialog box, confirm that the KCV is 3A 36 37 and then click Yes.
3. Import the Backup‐Restore key.
a. From the menu, select Import > Restore Object.
b. Under Import Key:
i. For Key, select the key created in the previous step, for example, ZMK.Datacard.01
ii. For Folder, click Browse, navigate to \Program Files (x86)\Datacard\ ADP\Samples\
KMS, select Backup‐Restore.Datacard.01, and then click Open.
c. Click OK.
4. Restore keys.
a. From the menu, select Import > Restore Object.
b. Under Import Key:
i. For Key, select the key created in the previous step, for example, Backup‐
Restore.Datacard.01.
ii. Select From a zip file.
iii. For Folder, click Browse, navigate to \Program Files (x86)\Datacard\ ADP\Samples\
KMS, select Backup‐Restore.Datacard.01.zip, and then click Open.
iv. Click OK.

Key Management System Tasks
Open the KMS
From the Start button select Programs > Datacard > Affina Issuance Software > Affina KMS.
Creation Tasks
Generate a secret key
This procedure generates a selected number of components to create a key.
1. From the menu bar select Create > Generate Secret Key.
2. Under Label, enter the Name, Owner, and Version in their respective text boxes.
The Owner, Name, and Version fields must all be completed or they must all be left
blank. In addition, the combination of Owner, Name, and Version must be unique
within the database.
3. Select the key Type from the list. The key’s size (in bits) displays in the Size box.
4. Select the key usage from the available options. (Refer to “Key Usage” on page 42.)
5. Select the key attributes from the available options. (Refer to “Key Attributes” on page 43.)
6. Click Finish.
Generate a key pair
This procedure creates a public and private key pair.
1. From the menu bar select Create > Generate Key Pair.
2. For the Public Key, under Label, enter the Name, Owner, and Version in their respective text
boxes. The combination of Name, Owner, and Version must be unique within the database.
3. Under Key Type, select the key Type from the list, and then enter the Key Size (in bits) and the
Public Exponent.
4. Select the key pair usage from the available options. (Refer to “Key Usage” on page 42.)

5. Select the key pair attributes from the available options. (Refer to “Key Attributes” on
page 43.)
If the Derive or Unwrap usages are selected, the Derive Mask and/or Unwrap Mask
attributes will be available. If these attributes are then selected, the Derive Mask
and/or Unwrap Mask options become available. Refer to “Create a derive mask” on
page 56 and “Create an unwrap mask” on page 56.
6. Click Next.
7. For the Private Key, enter the Name, Attribute, and Usage parameters as above. (The name
must be different.)
8. Click Finish to generate the key pair.
Generate a secret key in components
This procedure creates a secret key from a selected number of generated components. Each
component can be recorded individually for transport purposes.
1. From the menu bar select Create > Create Secret Key From Clear Components.
The Owner, Name, and Version fields must all be completed or they must all be left
blank. In addition, the combination of Owner, Name, and Version must be unique
within the database.
3. Under Key Type, select the key Type from the list.
6. Enter the number of components.
7. Select whether the components will be entered using the keyboard or via a terminal. If you
will be using the terminal, enter the timeout value (in seconds). This value indicates how long
the KMS will wait to receive a Key Component from a terminal before aborting the operation.
Click Next.
8. If you selected Keyboard/Screen in the previous step, on the number of components entered
in step 6, you will be given a corresponding number of screens with which to view the
components. Click Next at each screen.

9. On the final screen click Next.
10. Click Finish. The key is loaded in the database and displayed in the Token Explorer.
11. Click Generate and Export. The Key Component dialog box opens, showing the key check
value of the first encrypted key component.
12. Click Save.
13. In the Key dialog box, navigate to the location where you want the key component saved,
enter a file name (a .bin extension will be added), and click Select. The Key Component dialog
box opens as many times as the number of components you selected in step 1. When you
have saved the last component, the key is stored in the database and displays in the Keys
table.
Create a secret key from clear components
This procedure creates a secret key from a selected number of clear components. Each
component can be recorded individually for transport purposes.
1. From the menu bar select Create > Create Secret Key From Clear Components.
2. Under Label, enter the Name, Owner, and Version in their respective text boxes. The
combination of Name, Owner, and Version must be unique within the database.
3. Under Key Type, select the key Type from the list. The key’s size (in bits) displays in the Size
box.
6. Enter the number of components.
7. Select whether the components will be entered using the keyboard or via a terminal. If you
will be using the terminal, enter the timeout value (in seconds). This value indicates how long
the KMS will wait to receive a Key Component from a terminal before aborting the operation.
Click Next.
8. If you selected Keyboard/Screen in the previous step, based on the number of components
entered in step 6, you will be given a corresponding number of screens with which to view
the components. Click Next at each screen after the information is entered.
9. Repeat step 8 until all components have been imported.

10. Click Finish. A complete key is constructed, loaded in the database, and displayed in the
Token Explorer.
Create a backup/restore key
This procedure generates a key that can be used to back up and restore an object.
A backup/restore key must have the Import and Export usages. Only a Security Officer
can set the Export usage on an existing key. There are two methods for creating a
backup/restore key.
 The Security Officer(s) can log on, create the key, and set the Import and Export
usages. A key created by the Security Officer(s) cannot be Private.
 The User(s) can log on, create the key, and then set the Import usage (the key must
also be Modifiable). The Security Officer(s) can then log on and set the Export usage.
1. Follow the steps in “Generate a secret key” on page 52.

 Set the usage to Import and Export.
 Select at least the Sensitive and Exportable attributes. Do not select Private.
Create a backup/restore key from components
This procedure generates a key that can be used to backup and restore a backup key and/or other
objects.
A backup/restore key must have the Import and Export usages. Only a Security Officer
can set the Export usage. There are two methods for creating a backup/restore key from
components.
 The Security Officer(s) can log on, create the key, and set the Import and Export
usages.
 The User(s) can log on, create the key, and set the Import usage (the key must also be
Modifiable). The Security Officer(s) can then log on and set the Export usage.
1. Follow the steps in “Generate a secret key in components” on page 53.
2. Set the usage. (Refer to “Key Usage” on page 42.)
The key should be Sensitive and should not be Exportable.
4. Click Finish.

Create a wrap/unwrap key from components
This procedure generates a key that can be used to wrap and/or unwrap a key.
1. Follow the steps in “Generate a secret key in components” on page 53.
The key should at least be Sensitive, Modifiable, and Exportable.
3. Set the usage to Wrap and Unwrap.
4. Click Finish.
Create a derive mask
You can use a derive mask to precisely control what a key derived by that key (and so on for each
successive level) is allowed to do.
This function is enabled only if the key has a usage of Derive and an attribute of Derive Mask.
1. For Level1, select the key usage from the available options. If Derive is selected, then Level2
is enabled.
2. Click Finish.
Create an unwrap mask
You can use an unwrap mask to precisely control what a key unwrapped by that key is allowed to
do. This function is only enabled if a key has a usage of Unwrap and an attribute of Unwrap Mask.
1. Select Unwrap and then select Unwrap Mask.
2. Under Unwrap Template, select the appropriate usage(s) for keys unwrapped by this key.
If you are unwrapping a key with this key or modifying a key unwrapped by this key
and set a usage not allowed by the Unwrap Mask, you will receive the error:
CKR_ERROR: 0x000000D1 ‐ CKR_TEMPLATE_INCONSISTENT.
3. Click Finish.

Importing Tasks
Restore an object
This procedure restores an object from a file or zip file.
1. From the menu bar select Import > Restore Object. The Restore Object dialog box opens.
2. Select the import key from the Key list.
3. Select whether the object(s) are in individual files or are contained within a zip file.
4. Browse to and select the file(s) you want to import. Click Open.
5. The objects are displayed in the dialog box. Select those you want to restore and then click
OK.
Unwrap a key
This procedure unwraps an encrypted key.

1. From the menu bar, select Import > Unwrap Key.
2. Under Key Encryption Key, select the Mode and the KEK from their respective lists.
3. Under Encrypted Key, select the Key Type from the list and then select whether the encrypted
key will be imported from a file, entered using the keyboard, or entered via a terminal.
If loading from a file, click Browse and then navigate to the file you want to import. Click
Open.
4. Under Label (or Private Key Label if you selected CKM_TR31_RSA_PKCS1 for the encryption
mode), enter the Name, Owner, and Version in their respective text boxes. The combination
of Name, Owner, and Version must be unique within the database.
page 56 and “Create an unwrap mask” on page 56.)
7. If you selected CKM_TR31_RSA_PKCS1 for the encryption mode, click Next and then, under
Public Key Label, enter the Name.
8. Click Finish.

Import a public key
This procedure imports a public key from a file.
1. From the menu bar select Import > Import Public Key. The Import dialog box opens.
2. Under Key, select the CKK_RSA key from the Type list.
3. Under File Name, click Browse and then navigate to the key file that you want to import.
5. Select the key pair attributes from the available options. (Refer to “Key Attributes” on
page 43.)
6. Select the key pair usage from the available options. (Refer to “Key Usage” on page 42.)
7. Click OK.
Import a key pair
Perform the following steps to import a key pair from a file in which the secret key is encrypted in
ASN.1 format and the public key is not encrypted.
1. Unwrap the Secret Key:
a. From the menu bar select Import > Unwrap Key. The Import dialog box opens.
b. Under Key Encryption Key, select CKM_DES3_CBC_RSA_CRT_BITSTRING for Encryption

Mode and the appropriate unwrap key for KEK.
c. Under Encrypted Key, select CKK_RSA for the Key Type from the list.
d. Click Browse and then navigate to the file containing the key pair. Click Open.
e. Under Label, enter the Name, Owner, and Version in their respective text boxes. For RSA
key pairs, the combination of the Owner and Version must be unique within the
database.
f. Select the key usage from the available options. (Refer to “Key Usage” on page 42.)
g. Select the key attributes from the available options. (Refer to “Key Attributes” on
page 43.)
If the Derive or Unwrap usages are selected, the Derive Mask and/or Unwrap
Mask attributes will be enabled. If these attributes are then selected the Derive
Template and/or Unwrap Template options are enabled. Refer to “Create a
derive mask” on page 56 and “Create an unwrap mask” on page 56.)
h. Click Finish.

2. Import the Public Key:
a. From the menu bar select Import > Import Public Key. The Import dialog box opens.
b. Under Key, select CKK_RSA from the key Type list.
c. Under File Name, click Browse and then navigate to the folder containing the key pair.
d. Under Label, enter the Name, Owner, and Version in their respective text boxes. For RSA
key pairs, the Owner and Version entered must match the Owner and Version entered in
step 1E above.
e. Select the key pair attributes from the available options. (Refer to “Key Attributes” on
page 43.)
f. Select the key pair usage from the available options. (Refer to “Key Usage” on page 42.)
g. Click OK.
Link an unwrapped RSA key pair

1. Unwrap the RSA Private Key. (Refer to “Unwrap a key” on page 57.)
2. Import the Public Key:
a. From the menu bar select Import > Import Public Key. The Import dialog box opens.
b. Under Key, select CKK_RSA from the key Type list.
c. Under File Name, click Browse and then navigate to the folder containing the key pair.
d. Under Label, enter the Name, Owner, and Version in their respective text boxes.
e. Select the key pair attributes from the available options. (Refer to “Key Attributes” on
page 43.)
f. Select the key pair usage from the available options. (Refer to “Key Usage” on page 42.)
g. Click OK.
If a matching RSA Private key is found, its label will be listed in the Paired Private Key field.

Import the MULTOS Hash Modulus and TKCK
This procedure imports a MULTOS Hash Modulus or a Transport Key Certifying Key (TKCK).
The imported key must be a public key with the Trusted attribute enabled. This attribute
can only be set by a Security Officer and only a Security Officer can modify a Trusted key.
There are two methods for changing the key attribute to Trusted.
 The Security Officer can log on, import the key, and then set the Trusted attribute.
 A User can log on and then import the key (the key must be modifiable). The Security
Officer must then log on and then set the key attribute to Trusted.
1. Log in to the KMS as a Security Officer.
2. From the menu bar select Import > Import Public Key. The Import dialog box opens.
3. Under Key, select CKK_RSA from the key Type list.
4. Under File Name, click Browse and then navigate to the key file that you want to import.
Both keys must be Trusted.
6. Select the key usage from the available options. (Refer to “Key Usage” on page 42.) The Hash
Modulus must have Encrypt and the TKCK must have Derive usage.
7. Click OK.

Exporting Tasks
Back up an object
This procedure creates a backup of an object, including its value and all of its attributes.
1. In the Token Explorer, select one or more objects to back up.

2. From the menu bar select Export > Backup Object. The dialog box opens.
3. Select the key from the Key list.
4. Select whether the object(s) will be exported as individual files or will be contained within a
zip file.
5. Browse to and select the destination folder for the object(s). Click OK.
6. The objects to back up are displayed in the dialog box. Click OK.
Wrap a key
This procedure wraps the value of an extractable secret key or a private key.
1. From the menu bar select Export > Wrap Key.
2. Select an Encryption Mode from the list. Only keys with a usage of Wrap will display in the
list.
3. Select the key from the Key list.

4. Select whether the key(s) will be exported as individual files or contained in a zip file.
5. Browse to and then select the destination folder for the key(s). Click OK.
6. The key(s) to export are displayed in the dialog box. Click OK.
Extract a public key

1. Select the public key you want to export from the Token Explorer. The key must have the
attribute Extractable.
2. From the menu bar select Export > Extract Public Key.
3. In the Extract Public Key dialog box, browse to the location where you want the key saved and
then click OK.

Export a MULTOS public key
1. Select the public key you want to export from the Token Explorer.
2. From the menu bar select Export > Export MULTOS Public Key.
3. In the Export MULTOS Public Key dialog box, browse to the location where you want the key
saved and then click OK.
Certificate Tasks
Generate an American Express certificate request

1. From the menu bar select Certificates > Create Certificate Request. The Create Certificate
Request dialog box opens.
2. From the toolbar, select the American Express icon.
3. From the Private Key list, select a key.
4. Enter a Tracking Number of up to five digits.
5. Enter a Service ID (the four most significant bytes of the PIX portion of the AID, padded on
the right with \x00 if less than four bytes long). Example: 02020000
6. Select the month and year in which you want the certificate to expire.
7. Browse to and select the folder in which you want the certificate request stored. Click OK.
8. (Optional) Select the Test Certificate check box to create a test certificate as specified by
American Express.
9. Click Finish. The certificate request will be generated with the .dat extension. Test certificate
requests begin with T. Regular requests begin with P. The request and hash file are saved in
the folder you specified.
Generate a Discover certificate request

2. From the toolbar, select the Discover icon.
4. Based on the key selected in step 3, the Public Key Index (hex) and BIN fields will contain
information.

7. Click Finish. The certificate request will be generated with the .bin extension.
Generate an Interac certificate request

2. From the toolbar, Select the Interac icon.

4. Enter a Tracking Number of up to six digits.
5. Enter a Service ID (the four most significant bytes of the PIX portion of the AID, padded on the
right with \x00 if less than four bytes long). Example: 02020000
8. (Optional) Select the Test Certificate check box to create a test certificate as specified by
Interac.
9. Click Finish. The certificate request will be generated with the .BIN extension.
Generate a JCB certificate request

1. From the menu bar, select Certificates > Create Certificate Request. The Create Certificate
2. From the toolbar, select the JCB icon.
information.
6. Enter a request number of up to six digits.
8. Click Finish. The certificate request will be generated without an extension.
Generate a Jetco certificate request

2. From the toolbar, select the Jetco icon.

4. Based on the key selected in step 3, the BIN field will contain information.
9. Click Finish. The certificate request will be generated without the INP extension.
Generate a MasterCard certificate request

2. From the toolbar, select the MasterCard icon.

information.
7. Click Finish. The certificate request will be generated with the SIP extension. The request and
the hash file (with the HIP extension) are saved in the folder you specified.
8. Follow the procedure defined by the MasterCard CA to send the request to MasterCard.
Generate a UnionPay certificate request

2. From the toolbar, select the UnionPay icon.
3. Select a version.


10. Click Finish. The certificate request will be generated with the INP extension. The request and
the hash file are saved in the folder you specified.
Generate a VISA certificate request

2. From the toolbar, select the VISA icon.


6. Enter a Service ID (the four most significant bytes of the PIX portion of the AID, padded on the
right with \x00 if less than four bytes long). Example: 02020000
9. Click Finish. The certificate request will be generated with the INP extension. The file is saved
in the folder you specified.
Import an American Express CA certificate

1. From the menu bar, select Certificates > Import CA Certificate. The Import CA Certificate
dialog box opens.
3. In the Import CA Certificate dialog box, browse to and select the certificate you want to
import.
4. Click Open. The certificate’s information displays in the Registered ID and AMEX PK index
fields.
5. Click Finish.
Import an American Express Issuer certificate
You must import the CA certificate before importing the Issuer certificate.
1. From the menu bar, select Certificates > Import Issuer Certificate. The Import Issuer
Certificate dialog box opens.

3. In the Import Issuer Certificate dialog box, browse to and select the certificate you want to
import.
4. Click Open. The certificate’s information displays in the Registered ID, PK Index, and Service
Identifier fields.
5. Click Finish.
Import a Discover CA certificate

dialog box opens.
import.
4. Click Open. The certificate’s information displays in the Registered ID and Discover PK index
fields.
5. Click Finish.
Import a Discover Issuer certificate
3. Enter a Discover CA RID.
import.
5. Click Open.
6. For BIN, enter the Owner of the Issuer Key that has been certified.
7. For Public Key Index (hex), enter the Version of the Issuer Key that has been certified Public
Key Index.
8. For CA PK Index, enter the version in hexadecimal notation of the CA Public Key used to sign
the issuer key.
9. Click Finish.

Import an Interac CA certificate
dialog box opens.
2. From the toolbar, select the Interac.

import.
4. Click Open. The certificate’s information displays in the Registered ID and Interac PK index
fields.
5. Click Finish.
Import an Interac Issuer certificate
2. From the toolbar, select the Interac icon.
3. Enter an Interac CA RID.

4. For Public Key Index (hex), enter the version of the CA Certificate that signed the certificate
to be imported.
import.
6. Click Open. The certificate’s information displays in the BIN, PK Index, and Serial Number
fields.
7. Click Finish.
Import a JCB CA certificate

dialog box opens.
3. In the Import CA Certificate dialog box, browse to and select the JCB CA Public Key File you
want to import.
4. Click Open. The JCB CA Certificate File field becomes enabled.

5. In the Import CA Certificate dialog box, browse to and select the JCB Certificate File you want
to import.

6. Click Open. The certificate’s information displays in the Registered ID, Certificate Serial No.,
and CA PK index fields.
7. Click Finish.
Import a JCB Issuer certificate
3. Enter a JCB Registered ID.
import.
5. Click Open. The certificate’s information displays in the Certificate Serial No., Public Key
Index, and CA PK Index fields.
6. Click Finish.
Import a Jetco CA certificate

dialog box opens.
import.
4. Click Open. The certificate’s information displays in the Registered ID and Jetco PK index
fields.
5. Click Finish.
Import a Jetco Issuer certificate
import.

Identifier fields.
5. Click Finish.
Import a MasterCard CA certificate

dialog box opens.

3. Enter a MasterCard CA RID.
import.
5. Click Open. The certificate’s information displays in the BIN, Public Key Index, and CA PK
Index fields.
6. Click Finish.
Import a MasterCard Issuer certificate

3. Enter a MasterCard CA RID.
import.
5. Click Open. The certificate’s information displays in the BIN, Public Key Index, and CA PK
Index fields.
6. Click Finish.
Import a UnionPay CA certificate

dialog box opens.
import.

5. Click Open. The certificate’s information displays in the Registered ID and PBOC PK index
fields.
6. Click Finish.
Import a UnionPay Issuer certificate
import.
Identifier fields.
6. Click Finish.
Import a VISA CA certificate

dialog box opens.
import.
4. Click Open. The certificate’s information displays in the Registered ID and Visa PK index fields.
5. Click Finish.
Import a VISA Issuer certificate
3. Enter a VISA CA RID.
import.

Identifier fields.
6. Click Finish.
Application-Specific KMS Tasks

Key Management System tasks for Amex
1. Generate the following Issuer keys (refer to “Generate a key pair” on page 52 for step‐by‐step
instructions). The key Owner must match the BIN derived from the PAN in the magnetic
stripe data and the key Version entered must also be defined in the ADT as the value for the
Data Element IssuerPublicKeyIndex.
Name Owner Version Class Type Attribute Usage
Issuer_ BIN IssuerPublicKeyIndex CKO_PRIVATE_ CKK_RSA Sensitive SIGN

SK KEY and
Exportable
Issuer_ BIN IssuerPublicKeyIndex CKO_PUBLIC_ CKK_RSA Exportable VERIFY

PK KEY
2. Use the Issuer public key (Issuer_PK) to generate the certificate request (refer to “Generate
an American Express certificate request” on page 62 for step‐by‐step instructions).
3. Generate or import the following Issuer application keys (refer to “Generate a secret key” on
page 52 for step‐by‐step instructions). The key Owner must match the BIN derived from the
PAN in the magnetic stripe data. The key Version for the Derivation Master Keys (DMKs) must
match the value defined in the ADT for the Data Element DerivationKeyIndex and the key
Version for the KEK must match the value defined in the ADT for the Data Element KEK_VER.
Name Owner Version Class Type Attribute Usage(s)
DMKac BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
DMKmac BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable

DMK BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
KEK BIN KEK_VER CKO_SECRET_KEY CKK_DES2 Sensitive WRAP

and
Exportable
4. Import the Amex CA and Issuer Certificates (refer to “Import an American Express CA
certificate ” on page 65 and “Import an American Express Issuer certificate” on page 65 for
step‐by‐step instructions).
Always import the CA Certificate before importing the Issuer Certificate.
5. If you are using Affina One Step Issuance software, you must also import the zone master key
(ZMK) and card master key (KMC) into the Key Management System. They come from your
card supplier. Refer to “Create a secret key from clear components” on page 54 for step‐by‐
step instructions.
Key Management System tasks for VSDC, VSDC R2, and VSDC R3
Issuer_ BIN IssuerPublicKeyIndex CKO_PRIVATE_ CKK_RSA Sensitive SIGN

SK KEY and
Exportable
Issuer_ BIN IssuerPublicKeyIndex CKO_PUBLIC_ CKK_RSA Exportable VERIFY

PK KEY
2. Use the Issuer public key (Issuer_PK) to generate the certificate request (refer to “Generate a
VISA certificate request” on page 65 for step‐by‐step instructions).

PAN in the magnetic stripe data. The key Version for the Derivation Master Keys (DMKs) must
match the 2nd byte of the value defined in the ADT for the Data Element
“IssuerApplicationData” (for VSDC, this is the DerivationKeyIndex (DKI)). The key Version for
the KEK must match the value defined in the ADT for the Data Element KEK_VER.
DMKac BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
DMKmac BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
DMKenc BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable

and
Exportable
4. Import the VSDC CA and Issuer Certificates (refer to “Import a VISA CA certificate” on page 70
and “Import a VISA Issuer certificate” on page 70 for step‐by‐step instructions).
step instructions.

Key Management System tasks for M/Chip4, MICA, MCAM, and D-PAS
Issuer_SK BIN IssuerPublicKeyIndex CKO_PRIVATE_ CKK_RSA Sensitive SIGN

KEY and
Exportable
Issuer_PK BIN IssuerPublicKeyIndex CKO_PUBLIC_ CKK_RSA Exportable VERIFY

KEY
2. Use the Issuer public key (Issuer_PK) to generate the certificate request (refer to “Generate a
MasterCard certificate request” on page 64 for step‐by‐step instructions).
PAN in the magnetic stripe data. The key Version for the Issuer Master Keys (IMKs) must
match the value defined in the ADT for the Data Element “KeyDerivationIndex” and the key
Version for the KEK must match the value defined in the ADT for the Data Element “KEK_
VER”.
IMKac BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
IMKsmi BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
IMKsmc BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
IMKidn* BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and
Exportable
IMKdac* BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive ENCRYPT

and
Exportable


and
Exportable
* D‐PAS does not use this key.
4. Import the MasterCard CA and Issuer Certificates (refer to “Import a MasterCard CA

certificate” on page 69 and “Import a MasterCard Issuer certificate” on page 69 for step‐by‐
step instructions).
step instructions.
Key Management System Tasks for MULTOS
The data generation keys described in “Key Management System tasks for VSDC, VSDC R2, and
VSDC R3” on page 72 and “Key Management System tasks for M/Chip4, MICA, MCAM, and D‐
PAS” on page 74 are required along with the following keys.
For MULTOS, the KEK must also have the usage Encrypt.
1. Generate the Application Provider Keyset (refer to “Generate a key pair” on page 52 for step‐
by‐step instructions). The APK version must match the “Application Provider Keyset ID” in the
ALU template that is listed in the ADT in the Data Element APK_VER. The key Owner must
match the BIN derived from the PAN in the magnetic stripe data or the value of the APK_
OWNER in the ADT.
AP_SK BIN APK_VER CKO_PRIVATE_KEY CKK_RSA Sensitive SIGN

and
Exportable
AP_PK BIN APK_VER CKO_PUBLIC_KEY CKK_RSA Exportable VERIFY
2. Import the MULTOS Hash Modulus and, if using Affina One Step Issuance software, the
Transport Key Certifying Key (TKCK). Refer to “Import the MULTOS Hash Modulus and TKCK”
on page 60 for step‐by‐step instructions.

3. If you have defined an encrypted PIN in your ALU template, create or Import a PIN Encryption
Key (PEK). The Version of the PEK must match the value defined in the ADT for the Data
Element PEK_VER. The key Owner must match the BIN derived from the PAN in the magnetic
stripe data and the key version.
PEK BIN PEK_VER CKO_SECRET_KEY CKK_DES2 Sensitive WRAP

and
Exportable
4. If you are using MICA with PayPass, create or import the Issuer Master Key for CVC3
(IMKcvc3). The key Owner must match the BIN derived from the PAN in the magnetic stripe
data. The key Version for the Issuer Master Keys (IMKs) must match the value defined in the
ADT for the Data Element “KeyDerivationIndex”. The IMKcvc3 must have the usage Derive for
Dynamic CVC3 and Sign for Static CVC3.
IMKcvc3 BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and SIGN
Exportable
Key Management System Tasks for step/one
The data generation keys described in “Key Management System tasks for VSDC, VSDC R2, and
VSDC R3” on page 72 and “Key Management System tasks for M/Chip4, MICA, MCAM, and D‐
PAS” on page 74 are required along with the following keys.
For step/one, the KEK must also have the usage Encrypt.
1. Import the step/one IMK_KE and IMK_AS. The Owner for both keys must match the value
defined for the Data Element MCD_IssuerID in the ADT and the Version must match the value
defined for the Data Element StepOneIMK_ID. The key Owner must match the BIN derived
from the PAN in the magnetic stripe data.
IMK_KE MCD_IssuerID StepOneIMK_ID CKO_SECRET_ CKK_DES2 Sensitive ENCRYPT

KEY and
Exportable
IMK_AS MCD_IssuerID StepOneIMK_ID CKO_SECRET_ CKK_DES2 Sensitive SIGN

KEY and
Exportable

2. If you are using MICA with PayPass, create or import the Issuer Master Key for CVC3
(IMKcvc3). The key Owner must match the BIN derived from the PAN in the magnetic stripe
data. The key Version for the Issuer Master Keys (IMKs) must match the value defined in the
ADT for the Data Element “KeyDerivationIndex”. The IMKcvc3 must have the usage Derive for
Dynamic CVC3 and Sign for Static CVC3.
IMKcvc3 BIN DKI CKO_SECRET_KEY CKK_DES2 Sensitive DERIVE

and SIGN
Exportable

Chapter 5: Configuration
Manager
This chapter explains using the Configuration Manager tool to manage

both Datacard and Global Platform (GP) profiles for use in Affina issuance
software.
Overview of Application and Script Setup

The diagram shown below illustrates how Configuration Manager interacts with other
components within Affina issuance software.
GP Profiles Datacard Visa VPA MasterCard XML

Profiles CU Schemas
Configuration
Manager
Database
Batch Applications
Affina Profiles & Scripting

Interpreter
Syntera CS/Affina PM
KMS
Cryptographic Device

Profile Descriptions
Configuration Manager manages both Datacard and GlobalPlatform (GP) profiles. All profiles can
have an alias, an easy‐to‐remember name. You can assign and change aliases for Datacard
profiles but not for GP profiles. Only one profile of each type can have the same alias, but profiles
of different types (for example Product and Job) can have the same alias.
A brief description for each type of profile is outlined below.
GP Profiles
There are four types of GP profiles: Application, Card, Key, and Loadfile. GP profiles are read only.
Application Profile
The Application profile serves as a container of information about the smart card application and
its requirements. It defines the external data and key requirements of the application and its
individual scripts. Application profiles contain one to many script fragments that are used for card
customization. Within the context of the Affina Data Preparation (DP) system, only script
fragments that do not use the GP Card object can be used. Generally this is the DataPrep script
fragment.
Card Profile
The Card profile describes a smart card. This card could be a singularly unique card or a card that
shares common characteristics, as defined in the Card profile, with other cards. Depending on
how it is used, it either acts as a base template for a smart card or represents a single smart card
by itself.
Key Profile
The Key profile that describes a cryptographic key, independent of any particular instance of the
key. It acts as a template for creating the actual key.
Loadfile Profile
The Loadfile profile describes the physical file that contains the on‐card executable application
code.
80 Configuration Manager
Datacard Profiles
There are six types of Datacard profiles: Application Data Template (ADT), Application Profile
Input Mapping (APIM), Application Profile Output Mapping (APOM), DataSet, Job, and Product.
Users create or modify Datacard profiles using Configuration Manager.
Application Data Template (ADT) Profile
The ADT profile defines static values for data elements declared in a GP Application profile. The
most common use of the ADT is to define EMV static risk parameters for either the M/Chip or
VSDC financial applications.
Application Profile Input Mapping (APIM)
The APIM profile allows users to “map” data from the output of a DataSet profile to an external
data element of a script fragment defined in an Application profile. In other words, variables
within a script fragment can be dynamically set at runtime by using the APIM to map the input
data.
Application Profile Output Mapping (APOM)
The APOM profile allows users to define data element values of a script fragment to be stored in
the Output DataSet. In the Affina One Step environment, the APOM can be used to select Data
Elements to be listed in the Audit data.
DataSet Profile
The DataSet profile acts as a parser for either input or output data within the context of an
application script fragment.
The input DataSet profile serves as a parser for incoming cardholder data. It is responsible for
creating a common issuer set of ECMAScript variables or objects that can be used later by the
APIM.
The output DataSet profile serves as a formatting tool for cardholder data. It is responsible for
collecting data generated by the APOM after script fragment execution and for formatting the
cardholder data for the output.
A Default embedded DataSet is provided that does not require an APIM or APOM. However, you
can use an APOM to selectively return data to an output file in the Affina DP environment or to
the Audit trail in the One Step environment.
Job Profile
The Job profile defines the highest level of configuration within the Configuration Manager tool.
It specifies which input and output DataSets will be used at runtime as well as which product to
execute.

Product Profile
At runtime, when Syntera CS or a Batch production setup sends a request to the Affina Profiles
and Scripting Interpreter with cardholder data, one or more script fragments will be executed.
The Product profile allows a user to choose which Application profiles will be used at runtime
and, more specifically, which script fragments defined in those Application profiles will be run.
Because the order of script execution is important, the Product profile lets you specify the
ordering of the process steps (AID/Script Fragment pair). You can also define which static values
to use for each script fragment by assigning an ADT to each Application instance within the
Product profile.
ADT Associations
An ADT may be associated with a MULTOS Template or with a Visa Personalization Assistant (VPA)
Output File. After an ADT is associated with a template or an output file, the associated elements
of the template or output file can be viewed in the ADT Tool Association tab. An associated ADT
can be exported from one system and imported into another system as long as the same
template or output file is also provided.
Visa Personalization Assistant (VPA) Output File
VPA Output Files in XML format may be imported into Configuration Manager and associated
with an ADT. After the ADT is associated with the output file, all Data Element values defined in
the VPA file become Read‐only values in the ADT.
MULTOS ALU Templates
ALU templates (.alt files) may be imported into Configuration Manager and associated with an
ADT. After the ADT is associated with the template, all Data Element values for which
Personalization has been set to Not Allowed in the template become Read‐only values in the
ADT. Data Element values for which Personalization is Allowed are editable in the ADT. Values for
associated Data Elements may not be deleted, and all Data Elements defined in the template are
considered to be Mandatory and to be provided by the ALU Generation System. The values in the
template, including which Data Elements are Read‐Only, can be viewed in the ADT Tool
Association tab.
Profile Associations
The following illustration is a graphical representation of profile interaction within the
Configuration Manager tool. To avoid errors, create profiles in the order specified in “Create a
new job using release profiles” on page 95.
Loadfile
Key Application Card
ADT
Product
APIM APOM
Included with Affina releases
Included with Affina samples DataSet Job
Needed for custom data set
Scripting Language and Profile Specifications

GlobalPlatform specifications can be found at www.globalplatform.org.
The GlobalPlatform Systems Scripting Language Specification, version 1.0, redefined the script
language used to personalize cards to be ECMAScript, which is popularly known as JavaScript.
ECMAScript itself is defined in the ECMAScript Language Specification (Standard ECMA‐262, 3rd
Edition). The GlobalPlatform Scripting Specification, version 1.1, provides standardized JavaScript
functions for communicating with smart cards and describes how to use these functions to
communicate with cards.
The GlobalPlatform Systems Profiles Specification, version 1.1, defines the Card, Application, Load
File, and Key Profiles that contain the script fragments from which the card personalization script
is built. These profiles are written in the language defined by the W3C working group as
Extensible Markup Language (XML) 1.0 in the W3C Recommendation February 10, 1998.

The GlobalPlatform Card Specifications define the requirements that cards must meet in order to
be considered GP 2.0.1 or 2.1 cards. GP cards have a JavaCard™ API and also a GP layer that
interprets GP‐specific card commands. This implementation of the Datacard GP Interpreter
supports the use of cards that comply with the GlobalPlatform card specifications.
As defined in the ECMA specification, all variables with “$” as the first character are
reserved for computer‐generated variables.
Import the Release and Sample Profiles

1. Open Configuration Manager (refer to “Start Configuration Manager” on page 85).
2. Import all of the profiles located in the ...\ADP\Profiles directory.
3. Import all of the profiles located in the ...\ADP\Samples\Profiles directory.

4. If you are running MULTOS or MULTOS step/one:
a. In Configuration Manager, select Import; in the Open dialog box, use the Files of Type list
to select ALU Templates (*.alt), and then navigate to the location where the ALU
template file you will be using is stored, select the file, and then click Open.
Refer to the Customisation_Audit.txt file or Customisation_Utility.txt file in the \

Program Files\Datacard\ADP\Samples\Profiles directory to see the contents of a
sample template.
b. Associate the Template with the appropriate Sample ADT as described in “Create an ADT
association” on page 89.
c. Edit the Sample ADT to specify the PersonalizerID (for M/Chip4) and any other required
values (as described in the application release notes).
Configuration Manager Tasks
The tasks you may need to perform can be grouped into general tasks, profile creation tasks, and
profile management tasks. This section also includes a procedure for adapting the release profiles
included with Affina issuance software to your environment.
General Tasks
Start Configuration Manager
Use this procedure to start Configuration Manager.
1. Log on to the computer with a user name that has ADP_Administrator, ADP_Operator, or
ADP_User user privileges and start the Affina Data Preparation Launcher (Start > Programs >
Datacard > Affina Data Preparation > Affina Data Preparation Launcher).
2. On the Launcher, click Configuration Manager.
Filtering objects
You can control which objects are displayed in the Token Explorer by using the filter tool.
1. From the toolbar, click the Filter icon.
2. In the Browser Filter, enter the name, Owner, and/or Version of the object(s) you want to
display. You can also select the check box based on the class of object you want displayed.
3. Click OK.
Set the base OID
You can select the base object identifier (OID) for objects created in Configuration Manager.
1. From the Configuration Manager menu bar, select Configuration > Configuration Manager
OID. The Configuration Manager Base OID dialog box opens.
2. If you have been issued a base OID, replace the default OID (which was generated for the
computer on which Affina DP is installed) with the OID you have been issued.
3. Select whether you want to input OIDs in Hexadecimal or Decimal notation, and then click
OK.

Set OID viewing preferences
You can choose whether to view OIDs (object identifiers) in decimal notation or hexadecimal
notation. In addition, you can choose whether to see an alias that may be more understandable
to you.
1. To view OIDs in decimal notation, from the Configuration Manager menu bar, select Options
> OID > View As Decimal.
—or—
To view OIDs in hexadecimal notation, from the menu bar, select Options > OID > View As
Hexadecimal.
2. To see an alias next to the OID, from the menu bar, select Options > OID > Show Alias.
Disassociate a MULTOS Template or VPA from an ADT

1. In Configuration Manager, select an ADT from the left pane. Information about the selected
ADT displays in the right pane.
2. In the right pane, select the Tool Association tab.
3. Click Edit.
4. Under Choose ADT/Tool Association, click Disassociate.
5. Click Apply Changes or Apply to New Revision.
Profile Management Tasks
Import a profile
You can import a profile that was created elsewhere for use in your system.
1. From the Configuration Manager menu bar, select Configuration > Profiles and Tool Outputs
> Import.
2. In the import Files dialog box, click Browse.

3. In the Open dialog box, browse to and select the profile file or files that you want to import,
and then click Open. Information about the files you selected fills the dialog box.
4. If any row has a check mark in the Exists column, you must either select Overwrite existing
file(s) or click Cancel and start the process over, taking care not to select files that already
exist.
5. If any row shows an error in the Status column, the Error Details button becomes available.
You can use this information to correct the error before starting this process again.
6. Click Import All.
Export a profile
You can export a profile you created for use in another system.
1. Select the profile you want to export.

2. From the menu bar, select Configuration > Profiles > Export.
3. Browse to the folder where you want the profile saved or create a new folder.
4. Select Export all child profiles and/or Overwrite existing files as appropriate.
5. Click Export. A Results dialog box opens, showing the name of the file created.
Delete a profile
You can delete a profile that is no longer needed in your system.
1. Select the profile you want to delete.
> Delete.
3. Confirm that you want to delete the profile.
Edit a profile
You can edit an existing Datacard profile.
1. In the left pane, select the profile you want to change.
2. In the right pane, click Edit.

3. Make the necessary changes. (Refer to the procedure for creating a profile of the type you
selected for specific information.)
4. Click Apply Changes to save your work or click Apply to New Revision to save your changes in
a new revision of the profile, leaving the profile you selected in step 1 unchanged.

Import a VPA output file
You can import a VPA output file for use in your system.
> Import.
2. From the Import Files dialog box, click Browse.
3. Browse to and select the file or files that you want to import, and then click Open.
Information about the files you selected fills the dialog box.
exist.
7. If necessary, associate the VPA with an ADT. (Refer to “Create an ADT association” on
page 89.)
Import an ALU template
You can import an Application Load Unit template for use in your system.
> Import.
2. In the Import Files dialog box, click Browse.

3. In the Open dialog box, from the Files of type list, select ALU Templates (*.alt).
4. Browse to and select the template file or files that you want to import, and then click Open.
Information about the files you selected fills the dialog box.
exist.
8. If necessary, associate the ALU Template with an ADT. (Refer to “Create an ADT association”
on page 89.)
Create an ADT association
An Application Data Template may be associated with a MULTOS Template or with a Visa
Personalization Assistant (VPA) Output File. After an ADT is associated with a template or an
output file, the contents of the template or output file can be viewed in the ADT Tool Association
tab. An associated ADT can be exported from one system and imported into another system as
long as the same template or output file is also provided.
 VPA Output Files in XML format can be imported into Configuration Manager and associated
with an ADT. After the ADT is associated with the output file, all Data Element values defined
in the VPA file become Read‐only values in the ADT.
 M/Chip4 ALU templates (.alt files) can be imported into Configuration Manager and
associated with an ADT. After the ADT is associated with the template, all Data Element
values for which Personalization has been set to “Not Allowed” in the template become
Read‐only values in the ADT. Data Element values for which Personalization is “Allowed” are
editable in the ADT. Values for associated Data Elements may not be deleted, and all Data
Elements defined in the template are considered to be Mandatory and to be provided by the
ALU Generation System. The values in the template, including which Data Elements are Read‐
only, can be viewed in the ADT tab named Tool Association.
1. In Configuration Manager, select an ADT from the left pane. Information about the selected
ADT displays in the right pane.
2. In the right pane, select the Tool Association tab.
3. Click Edit.
4. Select the appropriate template type in the Tool Association tab.

5. In the Associate Tool Output dialog box, select the ALU Template/VPA from the list and then
click Associate.
6. Click OK at the confirmation dialog box.
To exit without creating an association, click Undo Changes.
7. Click Apply Changes.

Profile Creation Tasks
Create an ADT profile
An Application Data Template can save work and reduce opportunity for errors if certain
parameters for a product change from time to time—or even from card to card.
> Create > ADT.
2. In the Create New ‘ADT’ Profile dialog box enter an Alias (a short name for the profile that will
help you identify it) and a longer Description.
3. (Optional) Change the OID and choose whether you want to enter the OID in decimal or
hexadecimal notation.
4. Select the associated Application profile from the list.
5. Select the parent ADT from the list or select <none>.
6. Click OK. The Data Elements tab opens in the right pane. It lists all the data elements defined
in the associated Application profile. Data elements defined in parent ADTs are in the top
pane and those available for definition are in the bottom pane. You can select the encoding
method and specify the value for any data element in the bottom pane. If a data element is
marked Read Only, the value you enter here will override what you specify in the APIM.
Mandatory data elements for which you do not specify a value here must be defined in the
APIM (refer to “Create an APIM profile” on page 91). Data elements in the list that are
optional may be empty and will not be included in the output.
7. Click Edit to begin making changes. You can click Apply Changes or Undo Changes at any
time. After you click Apply Changes, you cannot undo any changes you applied. The Edit,
Undo Changes, and Apply Changes buttons apply to all editable tabs for the profile.
8. The Key Elements tab lists all the cryptographic keys defined in the associated Application
profile. Select a key in the left column and then make changes necessary in the lower‐right
pane.
9. The Tool Association tab lets you select and use output tools.
a. Select the type of tool you want to use.
b. From the Associate Tool Output dialog box, select the specific tool from the list of those
previously imported into Configuration Manager.
The ADT Profile Summary displays details about the ADT in the Profile Details area and all
information for the ADT profile in XML format in the Profile Xml area. This tab is read‐only.
Create an APIM profile
An Application Profile Input Mapping profile lets you “map” data from the output of a DataSet
profile to a specified script fragment defined in an Application profile.
> Create > APIM.
2. In the Create New ‘APIM’ Profile dialog box enter an Alias (a short name for the profile that
will help you identify it) and a longer Description.
3. (Optional) Change the OID and choose whether you want the OID displayed in decimal or
4. Select the associated Application profile and DataSet from the lists.
in the associated Application profile. You can select any data element and supply a value for it
as a JavaScript expression, such as $dataSet.cardholderName.
time. After you click Apply Changes, you cannot undo any changes you applied.
The APIM Profile Summary displays details about the APIM in the Profile Details area and all
information for the APIM profile in XML format in the Profile Xml area. This tab is read‐only.
Create an APOM profile
An Application Profile Output Mapping profile lets you “map” data from the output of a DataSet
profile to an associated cardholder data field.
> Create > APOM.
2. In the Create New ‘APOM’ Profile dialog box enter an Alias (a short name for the profile that
4. Select the associated Application profile and DataSet from the lists.
If you are using Affina One Step Issuance, you can associate an APOM with the
default DataSet. In that case data elements added to the APOM for the
personalization script fragment are sent to the personalization system’s Audit record.
in the associated Application profile. You can select any data element and add it to the data
output.

a. Click Edit to begin making changes. You can click Apply Changes or Undo Changes at any
time. After you click Apply Changes, you cannot undo any changes you applied and you
must click Edit again to make additional changes. The Edit, Undo Changes, and Apply
Changes buttons apply to all editable tabs for the profile.
b. Select a data element.
c. Click Add to ‘Data Output Elements’.

6. The Key Elements tab lists all the cryptographic keys defined in the associated Application
profile.
a. Select a key from the Available Key(s) list and then click Add to ‘Output Key(s)’.
b. To remove a key from the Output Key(s) list, select it and then click Remove Selected
Key(s).
7. The Element Order tab lets you arrange the Data elements and Output Keys you have
selected. Select an object from the list and then click either Move Up or Move Down.
The APOM Profile Summary displays details about the APOM in the Profile Details area and all
information for the APOM profile in XML format in the Profile Xml area. This tab is read‐only.
Create a DataSet profile
A DataSet profile acts as a parser for either input or output data.

> Create > DataSet.
2. In the Create New ‘DataSet’ Profile dialog box enter an Alias (a short name for the profile that
4. Click OK. The DataSet Definition tab opens in the right pane. It lets you write two scripts: read
and write.
5. Choose which script you want to work on, and then click Edit.
6. To write the script, enter JavaScript commands. You can click Apply Changes or Undo
Changes at any time. After you click Apply Changes, you cannot undo any changes you
applied and you must click Edit again to make additional changes. The Edit, Undo Changes,
and Apply Changes buttons apply to all editable tabs for the profile.
The DataSet Profile Summary displays details about the DataSet in the Profile Details area and all
information for the DataSet profile (read script, write script, and identifying information) in XML
format in the Profile Xml area. This tab is read‐only.
Create a Job profile
The Job profile specifies which input and output DataSets will be used at runtime as well as which
product to execute.
> Create > Job.
2. In the Create New ‘Job’ Profile dialog box enter an Alias (a short name for the profile that will
help you identify it) and a longer Description.
4. Click OK. The Job Settings tab opens in the right pane.
6. Select the Input DataSet, Output DataSet, and Product to Execute from the lists. If you do not
select a DataSet, the default DataSet will be used.
7. (Optional) Click Edit Product Selections Script. A Script Editor dialog box opens, in which you
can enter JavaScript commands. For example, you might specify circumstances when a
product other than the one you selected for Product to Execute would be used.
8. The Job Parameters tab lets you add or delete your own user‐defined parameters.
a. To add a parameter, click Add New Parameter, enter a name, choose an encoding type,
and enter a default value.
b. To delete a parameter that was previously added, select it and then click Delete Selected
Parameter.
The Job Profile Summary displays details about the Job in the Profile Details area and all
information for the Job profile (input and output DataSets, the Product, and any Job Parameters
you specified) in XML format in the Profile Xml area. This tab is read‐only.

Create a Product profile
The Product profile lets you choose which script fragments in which Application profiles will be
executed. It also lets you specify the ordering of the process steps and control the input data for
each script fragment.
> Create > Product.
2. In the Create New ‘Product’ Profile dialog box enter an Alias (a short name for the profile that
4. Click OK. The Product Applications tab opens in the right pane.
6. To add an Application Instance, click Add Application Instance.

a. In the Create New Application Instance dialog box select an Application Profile from the
list.
b. Enter the AID (Application Instance ID) published for the application.
c. (Optional) Enter the Security Domain.
d. Click OK.
7. Select from the list the ADT you want to use for this application instance.
8. To delete an Application Instance, select the instance you want to delete and click Remove
Selected Application Instance.
9. The Product Process Steps tab lets you select which script fragments should be executed and
the order in which they are executed.
a. Select an application instance from the Step 1 pane. The script fragments in that
application instance display in the Step 2 pane.
b. Select a script fragment from the Step 2 pane and then click Add to ‘Current Process
Steps’.
c. When all the required steps are listed in the bottom pane, place them in the order to be
executed. To change the order, select a step and click Move Up or Move Down.
d. To view a script, select the process step and then click View Scripts. In the Script Editor
dialog box, choose the script you want to view. Click OK or Cancel to close the Script
Editor dialog box.
e. To change a script, select the process step and then click Edit Scripts. In the Script Editor
dialog box, choose the script you want to edit and then change or enter JavaScript
commands. Click OK to save your changes or Cancel to close the Script Editor dialog box.
10. The Product Parameters tab lets you add your own parameters to the product.
a. To add a parameter, click Add New Parameter, enter a name, choose an encoding type,
and enter a default value.
b. To delete a parameter that was previously added, select it and then click Delete Selected
Parameter.
11. The Card Profiles tab lets you specify input and output card profiles by selecting from lists.
The Product Profile Summary displays details about the Product in the Profile Details area and all
information for the Product profile in XML format in the Profile Xml area. This tab is read‐only.
Application-Specific Configuration Manager

Tasks
Create a new job using release profiles
Use the following generalized procedure to adapt the release profiles included with Affina
issuance software to your environment.
1. Start Configuration Manager (refer to “Start Configuration Manager” on page 85).
2. If necessary, import the appropriate application profile from the Program Files\Datacard\
ADP\ Profiles\Release folder. (Refer to “Import a profile” on page 86 for step‐by‐step
instructions.)
3. If necessary, Import all of the key profiles from the same directory.
4. VSDC and M/Chip4 only: Import the Security Domain Application profile for your card (most
likely this will be the Card Manager application). Datacard does not supply a Security Domain
application profile.
5. Create an ADT profile (refer to “Create an APIM profile” on page 91 for step‐by‐step
instructions). Under Select Associated Application Profile, select the appropriate application
profile and then click OK.
6. MULTOS and step/one only: Define the appropriate Issuer risk parameters and application
parameters in the ADT.
7. MULTOS and step/one only: Import the template file that you will be using.
8. Associate the template file with the ADT.
9. Create a Product profile (refer to “Create a Product profile” on page 94 for step‐by‐step
instructions).

If you are using Affina DP software:
a. In the Product Applications tab of the Product profile, click Edit and then select Add
Application Instance.
b. In the Create New Application Instance dialog box, for Application Profile select the
appropriate application and for AID enter the AID of the application instance (refer to the
appropriate MasterCard or Visa specification for the value to use). Click OK.
c. In the Product Applications tab, for Select ADT for Application Instance, select the ADT
you created in step 5.
d. In the Product Process Steps tab, under Select Available Process Step, select the
appropriate DataPrep script fragment and then click Add to ‘Current Process Steps’.
e. Click Apply Changes to save the Product profile.
VSDC and M/Chip4 only: If you are using Affina OSI software:
a. In the Product Applications tab of the Product profile, click Edit and then select Add
Application Instance.
b. In the Create New Application Instance dialog box, for Application Profile select the
appropriate application and for AID enter the AID of the Security Domain (refer to
documentation from your card supplier for the value to use). Click OK.
c. In the Product Applications tab, select Add Application Instance again.
d. In the Create New Application Instance dialog box, for Application Profile select the
Security Domain application profile and for AID and Security Domain enter the AID of the
Security Domain instance. Click OK.
e. In the Product Applications tab, for Select ADT for Application Instance, select the ADT
you created in step step 5.
f. In the Product Process Steps tab, under Select Available Process Step, select the
appropriate DataPrep script fragment and then click Add to ‘Current Process Steps’.
g. Click Apply Changes to save the Product profile.
10. If necessary, add any Product‐level configuration parameters.
11. Create a Job profile (refer to “Create a Job profile” on page 93 for step‐by‐step instructions).
a. In the Job Settings tab, for Product to Execute, select the Product you created in step 9.
b. Select Apply Changes to save the Job profile.
12. If necessary, add any Job‐level configuration parameters.
13. Exit Configuration Manager.
Chapter 6: One Step
Personalization Setup
This chapter describes creating the setups required to print cards with
Affina OSI software.
Creating an Affina Profiles and Scripting

Application Configuration
Use Syntera CS Application Manager to register your Affina PS application.
Step‐by‐step instructions for this topic can be found in Help for Syntera CS Application
Manager.
Configuring the Personalization Equipment

Because only the Data Setup is unique to Affina OSI, only the Data Setup is included in this
document.
Configuring Maxsys Compatible Systems

Use the following procedure to create a Data Setup for Affina PS.
1. From the Applications menu, select System Configuration > Data Setup.
2. Click the New icon in the Maxsys toolbar.
3. On the General tab, enter a Description for the data setup.
4. In the Product and Encoding area:
a. Select a Product Type:
 Card Only if data contains only card data.
 Card and Form if data contains both card and forms data.
b. Select an Encoding Type from the list. (Contact the person responsible for generating the
data file and ask what encoding type was used to generate it.)
5. Under Form Information, select the appropriate form Type, Data Field, and Data Field
Location.

6. If the input file includes a File Identification Record (FIR), select the File Identification Record
check box.
a. For the Identifier, enter the hexadecimal values of the identifier characters or click the ^
button to the right of the field, select each character by highlighting it, and then click OK
until you have six Identifier characters.
b. For the Number of Stops, select the appropriate value.
7. Under Record Separation, select the method used to separate records in the file.
 If the file uses a fixed length, select Fixed Length and then enter the length of a record.
 If it uses a character sequence, select Character Sequence and then enter the sequence.
You must preface hexadecimal characters (such as 0D) with \x. For example, if it is
#END#, enter #END#; if it is 0D 0A 0D 0A, enter \x0D\x0A\x0D\x0A.
8. Click on the Data Fields tab at the upper left area of the window to display the Data Fields
tab.
9. Click New.
a. For Name, enter a descriptive name such as Magstripe.
b. For the Field Type, select Binary.

c. For the Start of Field, verify that String is selected.
d. For the String, enter the character used to identify the magnetic stripe data. For example,
enter “ (quotation mark).
e. For the End of Field, select the appropriate value from the list.
10. Click Composite Fields, and then click New.
11. For the Name, enter a descriptive name such as SC.
12. Under Composite Field Properties, for Source, select Concatenate.
For Affina PS under Concatenate Properties:

a. In the first Source field, right‐click in the Source box and select Value, and then enter the
Job OID, for example: [2B0601040181900D88060501].
b. In the second Source field, select Magstripe from the list.
c. Click OK.
For MULTOS:
a. In the first Source field, right‐click in the Source box, select Value, and then enter the
MULTOS data and the Job OID, for example:
<ONESTEP><JOBOID>2B0601040181900D88100503</ JOBOID><MAG>.
b. In the second Source field, select Magstripe from the list and then click the + button.
98 One Step Personalization Setup

c. In the third Source field, if the application PIX is not 10100000, you must include the PIX.
For example, if the PIX is 30100000, right‐click in the Source box, select Value, and then
enter </MAG><PIX>30100000</PIX></ONESTEP>; otherwise, enter </MAG></ONESTEP>
and then click OK.
13. Click the Save icon in the Maxsys toolbar. The Save Document As dialog box opens.
a. For File Name, enter a name for the specification.
b. Click Save. Your setup displays in the left‐hand pane and the name you specified displays
at the top of the right‐hand pane of the window.
c. Click Close to close the Data Setup Configuration window.
Configuring 9000 Series Systems

Use the following procedure to create a Data Setup for Affina PS named APSsample. Replace
APSsample with the name of your application setup.
1. Select the CIS Setup menu and then select Data Setup. The Data Setup ‐ [Untitled] window
opens.
2. Select File, Save As, type APSsample in the Save As Filename field, and then select Save As.
3. In the Data Setup ‐ APSsample window, select Actions > Append Field. The Append New Data
Setup Field window opens.
4. Select Data, and then select OK. The Data Setup‐Data Field window opens.
a. (Optional) For Setup Field Name type SEARCH, and then select Next.
b. For Setup Field Name type Magstripe.
c. Select Start Code and enter “ (quotation mark).
d. For End of Field, select the appropriate value.
e. Select Exit. The Data Setup ‐ APSsample window is displayed.
5. Select Actions > Append Field. The Append New Data Setup Field window opens.

6. Select Constant, and then select OK. The Data Setup‐Constant Field window opens.
a. Select one of the following options:
For Affina PS
 For Setup Field Name, type SCRIPT.
 In the Value field, type the Format ID, application Name (including the delimiters <
>), and the Job OID (including the delimiters [ ] ):
\xFF\xFF\xFF\xFC<AffinaPS>[JobOID]
For example, if the Job OID is 2B0601040181900D876A0501, enter:

\xFF\xFF\xFF\xFC<AffinaPS>[2B0601040181900D876A0501]
The OID must be in hexadecimal format.
For MULTOS
 For Setup Field Name, type SCRIPT.
 In the Value field, type the Format ID and application Name (including the delimiters
< >).
\xFF\xFF\xFF\xFC<Multos>
 Click Next.
 For Setup Field Name, type JobOID.
 In the Value field, type the Job OID (without delimiters). For example, type
2B0601040181900D88100503.
b. Select Exit. The Data Setup ‐ APSsample window is displayed.

a. Select Composite, and then select OK. The Data Setup‐Composite Field window opens.
b. For Setup Field Name, type SMARTCRD.

c. Select one of the following options:
For Affina PS
 In Defined Fields, double‐click the SCRIPT field and then the P3DATA data field. In the
Field Contents field you will see the following:
{SCRIPT}{Magstripe}

For MULTOS
i. Under Defined Fields, double‐click the Script field and then:
– In the String field, enter <ONESTEP> and then click Insert.
– In the String field, enter <JOBOID> and then click Insert.
– Under Defined Fields, double‐click JobOID.

– In the String field, enter </JOBOID> and then click Insert.
– In the String field, enter <MAG> and then click Insert.
ii. Under Defined Fields, double‐click Magstripe.

– In the String field, enter </MAG> and then click Insert.
– If the application PIX is not 10100000, you must include the PIX. For example, if
the PIX is 30100000, enter <PIX>30100000</PIX></ONESTEP> and then click
Insert. In the Field Contents field you will see the following:
{Script}"<ONESTEP>""<JOBOID>"{JobOID}"
</JOBOID>""<MAG>"{MAGSTRIPE}"<MAG>""<PIX>30100000</PIX></ONESTEP>"
d. Select Exit. The Data Setup window displays.

9. Select Module Feedback, and then select OK. The Data Setup‐Module Feedback Field
window displays.
a. Enter the Feedback fields listed below (select Next after entering each feedback field):
ACCEPTCODE
DLLERROR
TIME
AUDIT_1
AUDIT_2
AUDIT_3
AUDIT_4
AUDIT_5
AUDIT_6
AUDIT_7
AUDIT_8
b. For the final field, type AUDIT_9 and then select Exit. The Data Setup ‐ APSsample
window displays.
10. Select File, Save, and then select File, Exit to close the Data Setup ‐ APSsample window.

Configuring the Syntera CS Simulator
Use the following procedure to create a Data Setup to use Affina PS on the Syntera CS Simulator.
1. From the Start menu, select Programs > Datacard > Syntera Customization Suite > HostedSC
SDK v1.0 > Simulator.
2. From the Setup menu, select Data Setup. The Data Setup dialog box opens.
3. Click Add. The Add Data Setup dialog box opens.
4. For Setup Name, type APS and then click OK. The NK Simulator Data Setup ‐ APS dialog box
opens.
5. Click Append Field. The Select Data Setup Field dialog box opens.
a. (Optional) For Data Type, verify Input Data is selected and then click OK. The Data Setup ‐
Data Field dialog box opens.
i. For Field Name, type Search.
ii. For Field Type, select Other.
iii. For Start of Field, select None.

iv. For End of Field, select None.
v. Click OK.
b. For Data Type, verify Input Data is selected and then click OK. The Data Setup ‐ Data Field
dialog box opens.
i. For Field Name, type Magstripe.

iii. For Start of Field, select Start Code and enter “ (quotation mark).
iv. For End of Field, select the appropriate value.
v. Click OK.
c. For Data Type, select Constant and then click OK. The Data Setup ‐ Constant Field dialog
box opens.
i. For Field Name, type Script.

iii. Perform one of the following:
For Affina PS
In the Value field, type the Format ID, application Name (including the delimiters <
>), and Job OID (including the delimiters [ ]). For example:

\xFF\xFF\xFF\xFC<AffinaPS>[2B0601040181900D876A0501]
For MULTOS
In the Value field, type the Format ID and application Name (including the delimiters
< >).
\xFF\xFF\xFF\xFC<Multos>
iv. Click OK.
 For Affina PS, perform step d, and then skip to step 6.

 For MULTOS, perform step e and step f, and then proceed to step 6.
d. (Affina PS only) For Data Type, select Composite and then click OK. The Data Setup ‐
Composite Field dialog box opens.
i. For Field Name, type Smartcard.
ii. For Field Type, select Smartcard.
iii. Under Defined fields, double‐click the Script field
iv. Under Defined Fields, double‐click Magstripe.
v. When complete, the Smartcard field value will be [Script][Magstripe].
vi. Click OK.

e. (MULTOS only) For Data Type, select Composite and then click OK. The Data Setup ‐
i. For Field Name, type 1Step.
iii. For Value:

– In the String field, enter <JOBOID> and the JobOID and then click Insert.
– In the String field, enter </JOBOID> and then click Insert.
– In the String field, enter <MAG> and then click Insert.

iv. Under Defined Fields, double‐click Magstripe.
– If the application PIX is not 10100000, you must include the PIX. For example, if
the PIX is 30100000, in the String field, enter <PIX>30100000</PIX> and then
click Insert. When complete, the following string will be created:
"<JOBOID> 2B0601040181900D88100503""</ JOBOID>"
"<MAG>"{Mag}"</MAG><PIX>30100000</PIX>"
– Otherwise, in the String field, enter </MAG> and click Insert. When complete,
the following string will be created:
"<JOBOID> 2B0601040181900D88100503""</ JOBOID>"
"<MAG>"{Mag}"</MAG>"
f. (MULTOS only) For Data Type, select Composite and then click OK. The Data Setup ‐
i. For Field Name, type Smartcard.

ii. For Field Type, select Smartcard.
iii. Under Defined fields, double‐click the Script field
iv. In the String field, enter <ONESTEP> and then click Insert.
v. Under Defined Fields, double‐click 1Step.
vi. In the String field, enter </ONESTEP> and then click Insert.
vii. When complete, the following string will be created:

{Script}"<ONESTEP>"{1Step}"</ONESTEP>"
viii. Click OK.
6. Click OK to close the NK Simulator Data Setup ‐ APS dialog box.

7. Click Exit to close the Data Setup dialog box.

Configuring a Datacard Desktop Printer
To configure the Datacard Data Parser to use Affina PS, use the following procedure.
1. From the Start menu, select Programs > Datacard > Affina Personalization Manager >
Desktop Utility > Datacard Data Parser.
2. In the Datacard Data Parser dialog box, click Configure. The Configure Data File dialog box
opens.
3. For Record Separator, select Character Sequence and enter the appropriate string. For
example, enter #END#.
4. In the Configure Data File dialog box, under field settings: For Field Name, type APS.
a. For Field Type, select AFFINA_PS_FIELD.
b. For Script Data, enter the Job OID in square brackets. For example, enter
[2B0601040181900D876A0501].
c. For Start of Field, select Start Code and enter “ (quotation mark).
d. For End of Field, select the appropriate value.
e. Click Append Field.
5. Click Save. The Save As dialog box opens.
6. Navigate to the appropriate directory, type a name for the configuration, and then click Save.
Using Affina One Step Software in Production

After you have completed the appropriate procedures in“One Step Personalization Setup” on
page 97, producing cards with Affina One Step software follows the same process as making non‐
smart card cards on your personalization equipment.

Chapter 7: Affina DP (Batch)
Setup
This chapter gives an overview of the tasks necessary to set up your

Affina Data Preparation (DP) software to process batches of data.
Overview of Batch Processing

Affina DP software monitors one or more input directories for a data file coming from a
mainframe computer. When a file arrives, the Batch Engine reads the file, processes all records as
defined by the production setup (for example, creates EMV smart card data from magnetic stripe
data), and delivers the file to an output directory.
The setup tasks you need to perform are:
 Create a production setup for each product you produce.
 Back up your production setups.

 Set up the Batch Engine.
 Set up Batch Import.
Production Setup
You will use the Batch Administrator application to create a production setup for each distinct
smart card product you produce. The production setup specifies the directory in which input files
will be placed, the DLL to use in parsing the information in the input file, the fields contained in
each input record, additional fields to be generated during data preparation, the order in which
processes are to be performed, and how the output file is to be stored.

Batch Administrator also has facilities for maintenance tasks, such as purging log files and
printing reports.
Batch Production
During card production, Batch Engine and Batch Import must be running on your Affina DP
computer. If you have created any production setups, Batch Engine and Batch Import will start
automatically when you start your computer. You can minimize the windows.
Batch Tracking
While you are setting up and testing your Affina DP environment, it may be useful to run the
Batch Tracking application. Batch Tracking shows the progress and results of each job you run. If
any errors occur, you can view them by clicking the input file in Batch Tracking.
108 Affina DP (Batch) Setup

To view general information about a job, such as when the input file was received and when the
job was completed, click the input file. To see additional job information, such as the number of
records in the job, click the output file name. When the output file is selected, click the Job Data
tab to view the data for each record, including each field in the output that is Loaded and not
Hidden.
Reserved Words for Input Fields

The following SQL reserved words cannot be used for production setup field names.
ACCESS ADD ALL ALTER
ANALYZE ANY AS ASC
AUDIT AUTOINCREMENT BETWEEN BINARY
BINARYVARCHAR BIT BITBYBYTE BLOB
BOOLEAN BYTE BYTEINTEGER2 CHAR
CHARACTER COLUMN COMMENT COMMIT
CONSTRAINT COUNT COUNTER CREATE
CURRENCY DATABASE DATE DATETIME
DELETE DESC DISALLOW DISTINCT
DISTINCTROW DOUBLE DOUBLEIEEE DROP
EQV EXISTS EXPLAIN FLOAT
FLOAT4 FLOAT8 FOREIGN FROM
GENERAL GRANT GROUP GUID
HAVING IEEEDOUBLE IEEESINGLE IN
INDEX INNER INSERT INT
INTEGER INTEGER4 JOIN KEY
LEFT LOCK LOGICAL LOGICAL1
LONG LONGBINARY LONGINTEGER1 LONGTEXT
MAX MEMO MIN MOD
MONEY NAMES NOAUDIT NOT

NULL NUMBER NUMERIC OLEOBJECT
OPTION ORDER OWNER PARAMETERS
PERCENT PIVOT PRIMARY PROCEDURE
RAW REAL REFERENCES RENAME
REVOKE RIGHT ROLE ROLLBACK
SAVEPOINT SELECT SET SHORT
SHORTINT SINGLE SMALLINT SOME
STRING TABLE TEXT TEXTALTER
TIME TIMESTAMP TRANSACTION TRANSFORM
TRUNCATE UNION UNIQUE UPDATE
VALUE VALUES VAR VARBINARY
WHERE WITH YESNO
Install and Test Sample Affina DP Setups

Affina DP software includes release profiles, sample profiles, and sample Production Setups.* The
following optional section describes how to install and test these samples. A successful test of the
sample indicates that your system is correctly installed. Also, performing these steps provides a
good way to learn the steps you will need to do when setting up your own solution.
Refer to MChip4_ReleaseNote.rtf, MICA_MChip4_PayPass_ReleaseNote.rtf, or VSDC_

ReleaseNote.rtf in the ...\Profiles\Release directory for important information about
configuring the Application Profile you are using.
Restore and Test Production Setups

It is unlikely that your input files will match the expected input format exactly. The following
procedure describes in general terms the actions you must take to use the solutions provided in
your environment as well as changes you might need to make. Use the following table to
determine the file name and input directory to use for the sample that best fits your needs.
* Sample data and scripts included in this product are intended only as a supplement to the documentation. THIS MATERIAL
AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

Single Record Input
Production Setup Name File Names Input Directory
D‐PAS MULTOS Sample 1_DPAS_MULTOS.dat …\Batch\Input\DPAS\MULTOS
D‐PAS step1 Sample 1_DPAS_step1.dat …\Batch\Input\DPAS\step1
MCAM MULTOS Sample 1_MCAM_MULTOS.date ...\Batch\Input\MCAM\MULTOS
MCAM step1 Sample 1_MCAM_step1.dat …\Batch\Input\MCAM\step1
MChip4 MULTOS Sample 1_MChip4_MULTOS.dat …\Batch\Input\MChip4\MULTOS
MChip4 Sample 1_MChip4.dat …\Batch\Input\MChip4
MChip4 step1 Sample 1_MChip4_step1.dat …\Batch\Input\MChip4\step1
MICA MULTOS Sample 1_MICA_MULTOS.dat …\Batch\Input\MICA\MULTOS
MICA step1 Sample 1_MCA_step1.dat …\Batch\Input\MICA\step1
VSDC MULTOS Sample 1_VSDC_MULTOS.dat …\Batch\Input\VSDC\MULTOS
VSDC Sample 1_VSDC.dat ...\Batch\Input\VSDC
VSDC step1 Sample 1_VSDC_step1.dat …\Batch\Input\VSDC\step1
VSDC R2 MULTOS Sample 1_VSDCR2_MULTOS.dat …\Batch\Input\VSDC_R2\MULTOS
VSDC R2 step1 Sample 1_VSDCR2_step1.dat …\Batch\Input\VSDC_R2\step1
VSDC R3 MULTOS Sample 1_VSDCR3_MULTOS.dat …\Batch\Input\VSDC_R3\MULTOS
VSDC R3 step1 Sample 1_VSDCR3_step1.dat …\Batch\Input\VSDC_R3\step1
1. Start the Batch Administrator (on the Launcher, click Batch Administrator).
2. From the menu bar select Setup > Production Setup. The Select Production dialog box opens.
3. Click Restore. The Restore Production Setup dialog box opens.
4. Navigate to \Program Files\Datacard\ADP\Samples\Batch, select the BATCH file for the

production setup you want to use (for example, VSDC Sample.BATCH), and then click Open.

5. Under Identifier, change the Production Label to an appropriate name (for example, “VSDC
Sample”), click Save, and then click Exit two times. Exit Batch Administrator.
6. Start Batch Engine and Batch Import (on the Launcher, click Batch Production).
7. Using Windows Explorer, go to \Program Files\Datacard\ADP\Batch, copy the single‐record

input file for the production setup you are using (1_VSDC.dat in the example), and paste it
into Program Files\Datacard\ ADP\Batch\Input\VSDC.
8. Start Batch Tracking (on the Launcher, click Batch Tracking).

9. Expand the Sample folder for the production setup you are using (VSDC Sample in the
illustration). The single‐record input file (1_VSDC.dat) should be green. If it is still blue, click
Refresh. If it is any other color, there is a problem with your installation.
10. To view the data produced, click the lowest branch of the job name and then click the Job
Data tab.
Affina DP Batch Application Tasks

Setup Tasks
Set up Batch Import (Optional Task)
You can specify the label that will display in dialog boxes referring to Batch Import.
1. In the Batch Administrator menu bar, select Modules > Batch Import > Batch Import.
—or—
In the Batch Import menu bar, select Setup > Setup Batch Import.
2. To change the label for Batch Import, in the Application Information area, type the label you
want displayed to users.
3. Click Save twice and then click Exit.
Set up the Batch Engine (Optional Task)
You can specify the label of the Batch Engine that will display in dialog boxes referring to the
Engine, view information about the server where the Engine is installed, and specify directories
to be used during processing.
1. In the Batch Administrator menu bar, select Modules > Batch Engine > Batch Engine.
—or—
In the Batch Engine menu bar, select Setup > Setup Batch Engine.
2. To change the label of the Batch Engine, in the Application Information area, type the label
you want displayed to users.
3. To view the name of the server, click Refresh next to the Host Name text box.
4. To change the Listen Port Service, type the new port number in the text box.
5. To change the maximum number of processes that can be run simultaneously, type the new
number in the text box.

6. To change directories used during processing, click Browse next to the directory you want to
change, navigate to the directory you want to use, and click OK.
The Input Shared, Input Temp, and Output Temp directories are purged automatically after
processing the input file. Input files with errors will be stored in the Error Directory.
7. Click Save and then click Exit.
Set up Job Mnemonics (Optional Task)
The Job Mnemonics dialog box displays all the constants in the File Identification Records (FIRs)
recognized by the system when processing input files. The standard CSM mnemonics are loaded
during installation. If a mnemonic is not defined in the list, it will be added automatically by the
Batch Engine when processing a file containing the new mnemonic.
To add a mnemonic manually
1. In the Batch Administrator menu bar, select System > Job Mnemonic Setup.
2. Click the Add button. A new row becomes available.

3. Type the mnemonic, press the TAB key, and type a description.
To delete a mnemonic
1. Click anywhere in the row and click Delete.

To back up the list of mnemonics
1. Click Backup.
2. In the Backup File dialog box, browse to the location where you want the backup stored.
3. Change the suggested file name if necessary.
4. Click Open.
To restore the list of mnemonics
1. Click Restore.
2. In the Restore File dialog box, browse to the location where the backup is stored and select it.
3. Click Open.

Set up job status colors (Optional Task)
You can define the display colors for the various states of each file processing step visible in the
Batch Tracking application.
To access the Status Color Setup dialog box
In the Batch Administrator menu bar, select System > Status Color Setup.
Status Definitions
Status Description
Not made Not performed.
Started Started.
Hold Temporarily suspended by the user.
Done Completed.
ReStarted Restarted following a temporary suspension.
Rejected Rejected because an error occurred.
ReAffected Re‐made (for a job or a card that is reproduced following an error).
Aborted Canceled due to a production obstacle.
To select a new color to illustrate a step

1. Double‐click the colored area. The Color dialog box opens.
2. Click the color you want displayed and then click OK.
Select a language
You can choose the language of the Batch application user interfaces.
1. From the Batch Administrator menu bar select Utilities > Setup Language.
2. Select the language for the user interface and then click Save.

Production Setup Tasks
Create a production setup
You will create a production setup for each distinct smart card product you produce.
1. From the Batch Administrator menu bar select Setup > Production Setup.
2. Click Add. The Production Setup dialog box opens.
3. In the General tab:
a. (Recommended) Change the text in the Production Label edit box to something
meaningful.
b. (Optional) Type additional information in the Comments area.
c. If you want whole records displayed in tracking reports, select Display Full Input Record.
If you do not select this check box, only the fields defined in Input Data Fields which are
loaded and not Hidden will be displayed in Batch Tracking.
d. To document the creation date, click Add in the History area. Your user name and the
date are added; you can supply a Step Label and Description.
4. In the Input Files tab:
a. Click Add in the Import Directories area and browse to the directory where input files will
be located (by default a subdirectory of C:\Program Files\Datacard\ADP\Batch\Input).
Select the directory and click OK.
b. You can enter selection criteria for files to be imported from the directory. The default
value, *.*, processes all files in the directory. An entry of *.txt would process only files
with a TXT extension in the file name. You can specify several filters separated by |
characters (pipes). Example: *.txt|*.dat
c. Under Interval you can specify the number of seconds between scans of this Import
Directory.
d. Choose the Priority for this input file source: Low, Normal, or High.
e. Save the production setup before adding a second import directory.

f. In the Input Process area, select the input DLL to use to process input files. By default,
there are five input DLLs available: In_Ref.dll, In_Ref_DTE.dll, In_Ref_MC4.dll, In_Ref_
VSDC.dll, and In_Ref_Xml.dll (for use if the imported file is in XML format).
An input DLL can be used for multiple product setups that use the same record
separator. In_Ref_DTE.dll, In_Ref_MC4.dll, and In_Ref_VSDC.dll are copies of In_
Ref.dll with different record separator specifications. (Refer to “Change the input
DLL record separator” on page 122.)

g. In the Max Consecutive Errors field, select the maximum number of consecutive input
data errors that can occur before the job is rejected.
h. To have the system check for and reject duplicate input files, select Check Duplicated
Files. The method for checking for duplicates is based on the file contents, not just on the
file name. Thus, any file whose size or checksum is identical to an existing file in the
database will be rejected if Check Duplicated Files is selected.
i. To save rejected files in an error folder, select Archive Error File. Each time a file fails, a
sequentially‐numbered folder will be created in the Program Files\Datacard\ADP\File
Handler\Files\Error directory. Within that folder, the input file will be stored with the
name
input file name_yyyymmdd_hhmmss.ext
where input file name is the original input file name; yyyymmdd is the year, month, and
day the file processing job was started; hhmmss is the hour, minute, second when the file
processing job was started; and ext is the extension of the input file.
j. In the Input Processing area, select the name of the Batch Engine processing module
from the list. (If only one module is installed, there will be no list.)
k. To allow the engine to activate the import process, select Enabled. (If only one module is
installed, the check box will be selected.)
l. In the Time Out column, enter the number of seconds after which the processing will be
considered as failed for taking too much time. If a process times out, it will be interrupted
and the data saved in the ADP database will be erased. A 0 (zero) in the Time Out column
means processing can continue indefinitely.
m. In the Max Error column, enter the maximum number of consecutively rejected files after
which processing will be stopped. If this number is reached, you must restart the engine
to continue processing. A 0 (zero) in the Max Error column means processing can
continue indefinitely.
n. In the Max Proc column, enter the maximum number of files that can be processed
simultaneously. Simultaneous processing optimizes file processing time by running tasks
in parallel. The number of tasks run in parallel depends on the available CPU time on the
machine hosting the program.

o. To archive processed input files, select Enabled in the Archive Input File area. Browse to
the directory where you want the files archived and then click OK.
Archived input files will be stored in the Program Files\Datacard\ADP\Batch

directory. Within that folder, the input file will be stored with the name
input file name_yyyymmdd_hhmmss.ext
where input file name is the original input file name; yyyymmdd is the year,
month, and day the file processing job was started; hhmmss is the hour, minute,
second when the file processing job was started; and ext is the extension of the
input file.
5. In the Input Data Fields tab:
a. Click Add. The New Field dialog box opens.
b. Select the kind of field you want to add:
Data Field resulting from the input file.
Formula Field calculated in the Batch Engine using JavaScript expressions.
Generated Field generated by the Data Transformation Engine DLL.
Generated Data Field generated directly by the Input DLL (for example, a security
field).
c. Click OK. A field named Field_1 is added to the FieldName list.
d. Change the name of the new field to something meaningful (do not use any of the words
listed in “Reserved Words for Input Fields” on page 109) and then press the ENTER key.
The name you entered displays in the Data Field Name text box.
e. Select the appropriate check boxes:
O (Optional) Select if the field is not always present in the file (not available for
Formula fields).
H (Hidden) Select to make the field invisible in the Batch Tracking module.
L (Loaded) Select for fields that should be loaded into the database. Loading
data may be useful for troubleshooting. Conversely, not loading
data will prevent the database from filling up as quickly. Your
system will operate correctly without loading fields in the
database.
f. (Optional) Enter a longer description of the field.

g. For Data fields, select the Start and End Definitions:
Position Enter the start/end position of the field, where the first position of
the record is set to 1.
Code Enter the code (delimiter) to identify the start or end of the field.
Do not use the \ character; it is used to specify binary values.
Example: % and &
Length Enter the total length of the field (as a number).
Embedded Select if a length is embedded in the field. Enter the number of

characters that indicate the data length.
Example: [SCM]0000013ZONESMARTCARD
Start Code: [SCM]
Embedded Value Length: 7
Field Length: 13 characters
Field Value: ZONESMARTCARD
End of Record Select if the field continues to the end of the record.
You can use a file containing a sample record to determine start and end positions for
fields. Click Sample Record and browse to a file that contains a single record with the
structure of the records in your data file. The sample file should not have a header (FIR),
so you can find the positions of the various fields directly from the start of the file. When
you select the field in the window, the field’s Start Position, Length, and End Position are
displayed in the Sample Data area to the right. Right‐click and select a command (Add or
Modify) and a Start and End Definition method. A new record is added to the list of fields
or, if you chose Modify, the record that was highlighted is changed to reflect your
selections.
For Formula fields, click Expression. The Formula Field dialog box opens.
h. (Data Fields only) For Output, if the start definition is a code, you have the option of
copying the start code and/or end code field definitions to the output field. Select Use
field definitions in output to copy the start code to the output field. In addition, you can
select Copy field end code in output to copy the end code to the output field.
i. Select the appropriate field format, which determines how the field will be stored in the
database and what kind of type checking will be done against the data. (If the data read
does not match its declared type, an error occurs and the file is rejected.)
Binary Data No checks.
Char Data Any printable ASCII character is allowed.

Digit 0 to 9 allowed.
Hexadecimal 0 to 9 and A to F allowed.
6. On the Chained Process tab, you can specify how processes are linked together: sequentially
or in parallel.
a. To add a process to the list, click Add. The Select Process dialog box opens.
b. Choose one of the process types, DLL or Formula, and then select from the list of
available processes. After you click OK, the process displays in the Process list. (For DLLs,
the Input DLL you specified on the Input Files tab is the process that displays in the list.)
c. To move a DLL or formula up or down the production chain, select it and then click the up
or down arrow buttons.
d. To have two processes run in parallel, place them one after the other in the Processes list
and then select Parallel for each one.
7. On the Dispatching tab:
a. To change the Job File Name that will be created:
i. Click Expression. The Formula Field dialog box opens.

ii. Select from the list of fields, unique indexes (for the production job, IDX_JOB, and
the input file, IDX_IN_FILE), and functions defined in the system or enter a valid
string at the keyboard.
The file name must not contain the following characters: \ / : * ? " < > >
iii. To confirm the formula and close the Field Formula dialog box, click Save Script. The
formula is updated in the Job File Name field.
b. To add a header record to the production file, select Add FIR and then, in the FIR
Definition area, enter the file header ID string and the field separator that will be used for
header information.
c. Specify the record delimiter. You can mix ASCII and binary characters. For example,
[END]\x0D\x0A means [END] followed by a carriage return‐line feed.
d. Specify the directory where all production files will be created by entering the full path or
browsing to the directory. If your input data has multiple FIRs, you can merge the output
data into a single file by selecting Merge Job.
e. In the Error Output Directory area, select whether you want the program to save the
error records and, if so, enter the full path or browse to the directory where you want the
error records saved.

f. In the Error Handling area:
i. Select Skip Record to prevent the inclusion of bad records in the output file.
ii. Select Copy Input Record to Output File to copy the original input record (without
any smart card data) to the output file.
iii. Select Add Template to Output File to use a bad record template to format the
output file. Create a bad record template (the format will depend on the
requirements of your system), and then click From File to browse to the location of
the template file. Click Clear to remove the template information.
g. In the Production Record area, select those fields from the left column (the ones you
defined in the Input Data Fields tab) that should be in the record used for card
production. You must select one field at a time and then click Add. After fields are copied
to the right column, you can re‐order them by selecting a field and clicking the up or
down arrow button.
h. In the Record Order area you define how the output file records will be sorted:
i. Click Add. A “Char” field displays.
ii. Click Add again and select a different “Char” field from the list. Repeat this step until
all relevant fields have been selected.
iii. Select the field that will have the highest precedence and, if necessary, click the up
arrow until it is at the top of the list. Repeat until the fields are in the correct order.
iv. For each field, select ASC if it should be sorted in ascending order or select DESC if it
should be sorted in descending order.
8. Click Save to save your setup or click Cancel to delete it.
Back up a production setup
Datacard recommends that you back up your production setups to removable media.
2. In the Select Production dialog box select a setup from the Production List and then click
Backup.
3. Browse to the location where you want the backup stored and then click Open.

Delete a production setup
You can delete a production setup that is no longer used.
1. Purge input files associated with the production setup. (Refer to “Purge input files” on
page 124.)
3. In the Select Production Setup dialog box, select the production setup you want to delete
and then click Delete.
Change the input DLL record separator
You can change the record separator specified by the input DLL if your environment requires it.
1. Use Windows Explorer to copy In_Ref.dll under a different name and In_Ref.ini under a
corresponding name. The In_Ref.dll and In_Ref.ini files are stored in the \Program Files\
Datacard\ADP\File Handler\DLL\Input directory.
2. From the Batch Administrator menu, select DLL > Input DLL.
3. In the Setup DLL dialog box, select the DLL you want to change and then click Setting.
4. In the Display Ini dialog box, expand RECORD and then click Rec_Mark.
5. In the Rec_Mark area, change the record separator as required and then click Save.
6. Click Exit in the Display Ini dialog box and again in the Setup DLL dialog box.
Monitoring Tasks
View event logs
You can view Batch Application event logs if your user name belongs to a group with that
privilege.
1. From the Batch Administrator menu bar select Utilities > View Log.
2. Select the log you want to view. Log entries display with the most recent at the top of the list.
View user actions
You can view a list of all user actions on the Affina DP server if your user name belongs to a group
with that privilege.
1. From the Batch Administrator menu bar select Utilities > View User Action.
2. Select the module for which you want to review user actions. Actions display with the most
recent at the top of the list.

Create a File Error report
Run‐time Crystal Reports must be installed to perform this task.
You can create a report explaining the file errors encountered when preparing data.
1. From the Batch Administrator menu bar select Report > File Error or A4 File Error. The
BATCH_Report (File Error) dialog box opens.
2. Enter or select the start and end dates for the report, and then click Preview.
3. To print the report, click the Print Report button in the left‐most position of the toolbar.
Create a File Summary report
You can create a report summarizing the files processed with a specified Production Setup.
1. From the Batch Administrator menu bar select Report > File Summary or A4 File Summary.
The BATCH_Report (File Summary) dialog box opens.
2. Select a Production Setup from the list, and then click Preview.
3. To print the report, click the Print Report button in the left‐most position of the toolbar.
Create a User Access report
You can create a report that lists all user access events in a specified period.
1. From the Batch Administrator menu bar select Report > User Access or A4 User Access. The
BATCH_Report (User Access) dialog box opens.
2. Enter or select the start and end dates for the report, and then click Preview.
3. To print the report, click Print Report in the left‐most position of the toolbar.
Maintenance Tasks
Purge user actions
You can remove user actions from the database, reducing disk space required, if your user name
belongs to a group with that privilege.
1. From the Batch Administrator menu bar select Utilities > Purge User Action.
2. Select or type the date of the oldest user action you want to retain.
3. Click Clean.

Purge input files
You can remove input files from the database, reducing disk space required, if your user name
belongs to a group with that privilege.
1. From the Batch Administrator menu bar select Utilities > Purge Input File.
2. Select the production setup for which you want to remove input files.
3. Select or type the date of the oldest input file you want to retain.
4. Click Clean.
Using Affina DP Software in Production

To use Affina DP software to generate data for card production, log on to the system with a user
name that belongs to the ADP_Operator, ADP_Administrator, or ADP_Supervisor group. If you
have any production setups loaded, the Batch Engine and Batch Import applications will start
automatically. You can minimize the Batch Engine and Batch Import windows. As data files arrive
in the Input directory, they are automatically processed and the results are added to the Output
directory. You must move them from the Output directory to your high‐speed personalization
system (the Datacard Maxsys card issuance system, for example).
Reset the SQL User Password for Batch

Applications
For the SQL user for Batch applications, the Enforce Password Complexity setting is enabled by
default.
When password complexity policy is enforced, new passwords must meet the following
guidelines:
 Must not contain all or part of the account name of the user. Part of an account name is
defined as three or more consecutive alphanumeric characters delimited on both ends by
white space (space, tab, or return) or any of the following characters: comma (,), period (.),
hyphen (‐), underscore (_), or number sign (#).
 Must be at least eight characters long.
 Must contain characters from three of the following four groups:

 Latin uppercase letters (A through Z)
 Latin lowercase letters (a through z)
 Base 10 digits (0 through 9)

 Non‐alphanumeric characters such as: exclamation point (!), dollar sign ($), number
sign (#), or percent (%).

Reset the SQL user for Batch applications password
1. Close any Batch applications that are running.
2. Use SQL Server Management Studio to change the adp user password:
a. From the Start menu, select All Programs > Microsoft SQL Server 20xx > SQL Server
Management Studio.
b. If necessary, select the Server name and Authentication method, and then click Connect.
c. In the Object Explorer pane, double‐click Security and then double‐click Logins.
d. Under Logins, double‐click adp.
e. In the Login Properties –adp dialog box, enter the new password in the Password and
Confirm Password fields and then click OK.
3. Open the file …\Datacard\ADP\File Handler\Batch_Admin.ini and delete the following line
from the file:
BATCH=DB_LINK
4. Save the file.

5. Double‐click the program …\Datacard\ADP\File Handler\ Batch_Admin.exe.
a. In the Connection String dialog box click Build.
b. In the Data Link Properties dialog box, for Provider select Microsoft OLE DB Provider for
SQL Server and then click Next.
c. Click Connection.
d. Click the arrow under server name and select your SQL Server instance name.
e. For User name, enter adp.
f. For Password, enter your password. The default password is Datacard2010. Be sure to
use a complex password.
g. Click Allow saving password.
h. For database, select ADP.
i. Click Test Connection. If the Test Connection Succeeded dialog box opens, click OK.
Otherwise, correct your settings and try again.
j. Click OK.
k. Click OK. The connection string shown in the dialog box will be saved in the …\Datacard\
ADP\File Handler\DB_LINK file and will be immediately encrypted by the Batch_
Admin.exe application.

l. If the Batch Admin application reports a login failure for user adp, repeat the steps above
until you are able to log in successfully.

Chapter 8: Maintenance
This chapter offers suggestions for on‐going maintenance and trouble‐

shooting.
Depending on how your products are set up and your production volume, you may accumulate
large amounts of historical data in your Affina system. Periodic purging of unnecessary data can
reduce the amount of disk space required.
Datacard recommends that you establish a regular schedule for backing up your Databases and
for backing up, archiving, or purging your Event Logs. The frequency of your backups will vary
depending on your production volume. High volume users may need to back up as often as once
a month.
Databases
The Affina installation program installs the ADP database. Use your SQL Server product to back up
and maintain your database.
Event Logs
Affina DP uses two types of event logs: Windows Event Logging and Application Logs.
Windows Event Logging

Affina Configuration Management and Affina Profiles and Scripting events are logged using the
Windows event logging facility to a custom log named Datacard Affina.
You view the Datacard Affina event log with the Windows Event Viewer. To start the Event Viewer,
right‐click the My Computer icon on your desktop, select Manage, expand System Tools, expand
Event Viewer, and then select Datacard Affina. The event log is not removed when you uninstall
Affina software. When it has grown to the maximum size, new events replace the oldest ones.
The default maximum size is 16 MB. Both the maximum size and the action taken when the log
reaches maximum size can be changed through the log’s Properties dialog box.

Application Logs
The Affina DP Batch Applications and Affina Key Management System keep logs of activity and
errors. If you call Datacard Smart Card Support for help in resolving a problem, you may be asked
to send copies of your logs to assist in troubleshooting.
Batch Application Logs
Each of the Batch Applications keeps an event log in the Program Files\Datacard\ADP\File
Handler\Log directory. You can view these logs through the Batch Administration application.
Refer to “View event logs” on page 122 for step‐by‐step instructions.
When a Batch Application log file reaches 385 KB, it is copied to a file called logname.bak and
purged. You can move backup files to removable storage or delete them if your security policies
allow. Or you can move or delete the log files on a regular basis (before they reach the maximum
size). A new log file will be created automatically when needed.
128 Maintenance
Chapter 9: Troubleshooting
This chapter lists problems you may encounter when setting up your
Affina Data Preparation or Affina One Step Issuance environment, along
with possible solutions.
This chapter is not meant to be read from beginning to end. Instead, use the Find
function in Adobe Reader to search for your error.
Problems Reported by Batch Applications

This section lists problems reported by the Batch Administrator, Batch Engine, Batch Input, and
Batch Tracking applications.
Database connection error
Investigation: Possible errors are:
 Cannot open database “Database_EP3R” requested by the login. The login failed. (DB_LINK
not found)
 SQL Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF] (server/

instance specified in DB_LINK was not found)
 Multiple‐step OLE DB operation generated errors. Check each OLE DB status value, if
available. No work was done. (Incorrect connection string in DB_LINK. )
Possible Solution: Recreate the data link for all Batch applications as described in “Reset the SQL
User Password for Batch Applications” on page 124.
Running reports from Batch Administrator gives an error message: Class not registered.
Probable Cause: Crystal Report Run‐time is not installed.
Solution: Install the Crystal Reports Run‐time from the installation disc. Refer to “Install Runtime
Crystal Reports 11” on page 10.

GPError: DataElement [ ... ] is ReadOnly
Investigation: Check the Windows Event Viewer under Datacard Affina for an error message
similar to the following:
ERROR [Thread‐5] (PSRuntime.java:606) ‐ GPError: MagStripe mapping:

org.mozilla.javascript.EcmaError: GPError: DataElement [CardholderName] is readOnly (_
2B0601040181900D88060401#15)
Probable Cause: A Data Element in the APIM or ADT has been set as ReadOnly and data had been
passed in the input data file or parsed from the magnetic stripe data by the default parser which
does not match the value defined in the ADT or APIM.
Possible Solution: Uncheck Read‐Only in the ADT or APIM. To change a value typically parsed from
the magnetic stripe data, change the value in the input file.
Tracking returns an error “Script Failed” and “Error returned by the function Compute
File”
Investigation: Check the Windows Event Viewer under Datacard Affina for errors.
Possible Solutions: If the message in Event Viewer is: Failed to Load Object <nnnnnnnn>, then
Object <nnnnnnnn> is missing from Configuration Manager or specified incorrectly in the Batch
Administrator Production Setup.
1. Verify that field definitions in the Production Setup match objects loaded in Configuration
Manager.
a. Start the Configuration Manager.
b. Start the Batch Administrator application, edit the Production Setup, and click the Input
Data Fields tab.
c. Check that all field definitions in the Fields Definition area match the corresponding
objects in Configuration Manager. For example, the Job OID in the Production Setup
Input Data fields tab must match the Job OID in Configuration Manager, as in the
following illustration. If it does not, change the Production Setup to match Configuration
Manager.
130 Troubleshooting
2. Verify that Rec_Mark specified in your input DLL matches the end of record identifier in your
input file.
a. Start the Batch Administrator application, edit the Production Setup, and click the Input
Files tab. Note the Input DLL specified in the Input Process area.
b. Click the Input Data Fields tab, click Sample Record, navigate to a data file that contains a
single record, and click Open. Note the end of record identifier. Common values are
#END# and [END]\x0D\x0A.
c. Close the Production Setup and, from the menu bar, select DLL > Input DLL.
d. In the Setup DLL dialog box select the Input DLL you noted in step A, and then click
Setting.
e. In the Display Ini dialog box, expand RECORD.
f. If the value does not match what you noted in step B above, do one of the following:
 If no other Production Setups use the DLL, use the Display Ini dialog box to change
the Rec_Mark value.
 Select a DLL that has the correct Rec_Mark value. Change the Input DLL specification
in the Production Setup.
 If other Production Setups use the DLL, use Windows Explorer to save copies of the
DLL and its associated INI file under a different file name. Use the Display Ini dialog
box to change the Rec_Mark value in the copied INI file. Change the Input DLL
specification in the Production Setup.
 Change the end of record identifier in your input file.

3. Verify that all necessary keys exist in the Key Management System.
Tracking returns an error: Error Loading DLL
Investigation: Verify that the Input DLL and/or its associated INI file specified in the Production
Setup Input Files tab exists in the Program Files\Datacard\ ADP\File Handler\DLL\Input
directory.
Possible Solution: If the Input DLL and/or its associated INI file does not exist, use Windows
Explorer to save copies of In_Ref.dll and In_Ref.ini under the file name specified in the Production
Setup Input Files tab. If necessary, use the Display Ini dialog box (from the menu bar, select DLL >
Input DLL) to change the Rec_Mark value in the copied INI file.
132 Troubleshooting
Tracking reports an error: Error in opening Table Card request
Investigation: Drilling down on the item displays a message: SELECT permission denied on object
‘TB_CARD_RQT_2’ database ‘ADP’.
Probable Cause: This may happen if the user is not logged in as an Administrator.
Possible Solution: Log in as an Administrator, go to the Program Files\Datacard\ ADP\Database

folder and run RunPatchForRQT2AccessDenied.cmd to update the access permission for this
dynamically created table.
Tracking reports an error: Field <field name> not found
Probable Cause: The Production Setup for the job has a field defined on the Input Data Fields tab
that was not found in the input data.
Possible Solution: Change your Production Setup to match your input data.
Batch Import reports an error: No productions are defined
Probable Cause: No production setups have been created or restored.
Possible Solution: Use the Batch Administrator program to create or restore a Production Setup. If
Batch Engine is running, close it, and then start Batch Production.
Batch Administrator reports an error: Login failed for user ‘adp’
Probable Cause: Affina issuance software has just been installed and SQL Server was not in Mixed
Mode.
Possible Solution: Restart SQL Server or the computer so that SQL Server will be running in Mixed
Mode.

Configuration Manager Problems
This section lists problems that may occur when using the Affina Configuration Manager.
When attempting to import a script, the error “Error occurred during insert/update of
profile” displays and/or when attempting to create a profile, Blank or Database error
Investigation: If the error occurs when importing a script, the Windows Event Viewer under
Datacard Affina shows: Unexpected error occurred: System.Exception: Error occurred during
insert/update of profile: Profile:
profile oid: Oid: 0x2B0601040181900D88100501
profile type: Key
Probable Cause: TCP/IP is not enabled in Protocols for SQL Server 2005 Network Configuration
and Client Protocols.
Possible Solution: Enable TCP/IP:
1. Select Start > Programs > Microsoft SQL Server 2005 > Configuration Tools > SQL Server
Configuration Manager.
2. Expand SQL Server 2005 Network Configuration and Protocols for <your SQL instance>.
3. Right‐click TCP/IP and select Enabled.
4. Expand SQL Native Client Configuration, enable TCP/IP, and make it first in Order.
5. Restart the SQL Server 2005 services. Make sure SQL Server and the SQL Server Browser
service is running.
134 Troubleshooting
When attempting to start Configuration Manager, the error message “Unauthorized
Access – You are not authorized to run ‘Configuration Manager’” displays.
Probable Cause: You must be a member of the ADP_Administrator, ADP_Supervisor, or ADP_

Operator group, or running “as Administrator” to run Configuration Manager.
Possible Solution: Add the user to one of the groups listed above.
When attempting to import files, the following error message is returned:

“java.SQLException: Unable to get information from SQL Server: ComputerName”
Possible Cause: You are using a named instance of SQL Server and the SQL Server Browser service
is not running. For example, your SQL Server instance name is ComputerName\SQLEXPRESS.
Possible Solution: Enable and start the SQL Server Browser service as described in the Affina
Issuance Release Notes under the Limitations section.
KMS Problems
After starting the KMS, the Token Navigator is empty or displays an error
Probable Cause: The Crypto Server name is not correct.
Possible Solution: Run Affina Issuance Setup (Start > Programs > Datacard > Affina Issuance
Software > Affina Issuance Setup), verify that the Name of the Server containing the Crypto
board is entered correctly, and then click Close. Restart the KMS.
0x000000B6 - CKR_SESSION_EXISTS
Possible Cause: An exclusive session is required for this action and other sessions exist.
Possible Solution: Shut down the KMS and then reset the HSM. From the Command Prompt
running As Administrator, enter hsmreset and then enter y to reset the HSM.

0x00000101 - CKR_USER_NOT_LOGGED_IN
Possible Cause: The User(s) must be logged in to perform the requested action.
Possible Solution: Log in to the token as User(s).
0x80000106 - CKR_SO_NOT_LOGGED_IN
Possible Cause: The Security Officer(s) must be logged in to perform the requested action.
Possible Solution: Log in to the token as Security Officer(s).
0x00000110 - CKR_WRAPPED_KEY_INVALID
Possible Cause: The import or unwrap key being used for the requested action is the wrong one
or the wrong type.
Possible Solution: Select the appropriate key and try the function again.
0x000000D1 - CKR_TEMPLATE_INCONSISTENT
Possible Cause: A usage has been defined that is not allowed by a Template such as one defined
by an Unwrap mask.
Possible Solution: Unwrap the key using an unwrap key with a mask that will allow the required
action to be performed.
Saving Problems – Unable to store workbench state.
Probable Cause: You must be a member of the Administrators, ADP_Administrator, ADP_

Supervisor, or ADP_Operator group, or running ‘As Administrator’ to run Affina KMS.
Affina Profiles and Scripting Problems

Fail to locate Key[Issuer_PK, 424777, 01]
Possible Cause: The key Name, Owner, or Version was entered incorrectly in the KMS.
Possible Solution: Verify that the key Name, Owner, and Version match the expected values. If
not, edit them so that they match.
Possible Cause: The key does not exist in the requested token.
Possible Solution: Create the key.
136 Troubleshooting
com.datacard.pkcs.pkcs11.wrapper.PKCS11Exception: 0x00000068 - CKR_KEY_
FUNCTION_NOT_PERMITTED
Possible Cause: The key usage in the KMS may not allow the requested action to be performed.
Possible Solution: If the key is modifiable, edit the key usage in the KMS. If not, recreate the key
with the required usage.
com.datacard.pkcs.pkcs11.wrapper.PKCS11Exception: 0x00000013 - CKR_ATTRIBUTE_

VALUE_INVALID
Possible Cause: The GP key profile for a key may not allow the requested action to be performed.
Possible Solution: Modify the key profile to allow the required usage and reload the key profile
using Configuration Manager.
Communicator returned D1 Personalization Application DLL failed load properly.
Possible Cause: Affina Issuance Software has just been installed or re‐installed.
Possible Solution: Restart the computer.
Affina One Step Issuance Problems

Card fails
Investigation: If using the Syntera CS Simulator, an error message displays. If using a high‐capacity
personalization system, an error dialog box will display if your system is so configured. Check the
Windows Event Viewer under Datacard Affina for errors.
Probable Cause: If the message in Event Viewer is: Failed to Load Object <nnnnnnnn>, then
Object <nnnnnnnn> is missing from Configuration Manager or specified incorrectly in the Data
Setup Script constant.
Possible Solution: Correct the Data Setup Script constant.
Job fails to run
Investigation: Check the Windows Event Viewer under Datacard Affina for errors.
Probable Cause: If the message in Event Viewer is: Failed to locate Key (Key name), then the (Key
name) listed is not in the KMS.
Possible Solution: Add the missing key to the KMS. Refer to procedures for importing and
generating keys in “Key Management System Tasks” on page 52 for step‐by‐step instructions.

Affina Configuration Problems
Error saving HSM settings. Some or all of the settings may not have been saved.
Requested registry access is not allowed. (mscorlib)

Only the Test button is enabled.

After changing HSM settings, the new settings do not seem to take effect or the
personalization system returns an error similar to: 0x000000E0 - CKR_TOKEN_NOT_
PRESENT.
Possible Cause: The Datacard SCS Communicator Controller service or Datacard Affina PM Object
Communicator Controller service is running under the Local System account.
Possible Solution: Restart the computer.
HSM Battery-Related Issues

SafeNet HSM ProtectServer Gold
General Information
The adapter is fitted with a 3.6 volt Lithium battery which is used to maintain keys and on‐board
Real Time Clock (RTC) on the adapter when there is no PCI power (that is, when the host
computer is shut down).
For reasons of safety and reliability do not attempt to replace the battery in the field.
Follow formal board replacement procedures if you determine that the Lithium battery
needs to be replaced.
The expected life of the battery is ten years, therefore it should not require replacement in the
normal lifetime of the adapter.
The PC specifications determine whether power is applied to the PCI slot/adapter when the PC is
powered down but still connected to an active electrical source. Do not assume all PCs have
powered PCI slots.
138 Troubleshooting
If the battery loses power and then afterwards the PC is powered down and no power is available
to the PCI slot, the on‐board RTC and any keys will be lost.
If the battery loses power while the adapter is in a powered computer, the RTC keeps its setting
and keys survive (keys are not protected against intentional power‐off, power outage, or removal
of the adapter from its slot).
If the PC and PCI slot lose all power, a fully charged Lithium battery in good condition will be able
to sustain keys and RTC for up to 6 months. (Apply power for 24 hours to completely recharge the
battery.)
If the Lithium battery is dead, the tamper resistant setting (Never, Move once, Move many) is
irrelevant; the keys and RTC are lost immediately when the board is not powered.
Even if the Lithium battery is dead and PCI power is completely removed, the PC can be powered
up and all keys on the adapter can be re‐installed from backup or manually generated.
Determining the Condition of the Battery
The adapter has a built in battery voltage sensor that will give a Yes/No indication of the battery
state. You can use the utilities provided with the adapter to query the state of the battery. For
example, if Protect Toolkit C is being used then the ctconf utility will display the sate of the
battery.
If you have a voltage meter (that is, a digital multi‐meter) you can measure the voltage from the
battery. You can do this with the adapter installed in the PCI slot or removed from the slot. It does
not matter if the PCI bus power is applied or not. Most operators power down the host computer
before removing its covers to access the PCI bus bay where the adapter is installed. The battery is
nominally 3.6 volts but a level of 3.68 is normal. If the battery reads 3.52 volts or lower then it is
considered to have a low charge and should be replaced.

140 Troubleshooting
Appendix A: Abbreviations
and Definitions
This appendix lists and defines abbreviations and key terms used in this
document.
ADT. Application Data Template
AID . Application Identifier; composed of the RID and the PIX
ALU. Application Load Unit
APIM. Application Profile Input Mapping
APOM. Application Profile Output Mapping
BER‐TLV. Basic Encoding Rules‐Tag Length Value
BIN. Bank Identification Number
CM. Configuration Manager
CU. Customization Utility (MasterCard)
DDA. Dynamic Data Authentication
DES. Data Encryption Standard
DGI. Data Grouping Identifier
DP. Datacard Affina Data Preparation software
DTE. Data Transformation Engine
ECMAScript. A standard scripting language defined by the European Computer Manufacturers

Association
EMV. Europay MasterCard Visa smart card standard
GP. GlobalPlatform
HSM. Host (or Hardware) Security Module
KCV. Key Check Value, a way of distinguishing cryptographic keys from each other without
revealing plain text values
Affina Issuance Platform User’s Guide A-1

KMS. Key Management System, part of ADP
M/Chip. The MasterCard implementation of the EMV specifications
M/Chip 4 for MULTOS. The MasterCard implementation of the EMV specifications for use on
smart cards that use the MULTOS operating system
MC/CU. MasterCard Customization Utility
MAC. Message Authentication Code
MICA. MasterCard Integrated Card Application
OID. Universal Object Identifier
PAN. Primary Account Number
PIX. Proprietary Identifier; freely assigned by the RID owner
PKCS. Public Key Cryptography Standards
RID. Registered Identifier (of the application provider)
RSA. Encryption algorithm developed by Rivest, Shamir, and Adelman
SDA. Static Data Authentication
VPA. VSDC Personalization Assistant
VSDC. Visa Smart Debit Credit, the Visa implementation of the EMV2000 specification
XML. Extensible Markup Language, defined by W3C
A-2
Appendix B: Configuration
Parameters and Initialization
Settings
Affina DP and Affina OSI software behavior can be controlled by the
following Configuration Parameters and Java Virtual Machine (JVM)
initialization settings.
Configuration Parameters
Configuration parameters are stored in the com.datacard.properties file which is installed in the
...\Program Files\Datacard\ADP\Java directory. Parameters preceded by a # character are
ignored. In One Step mode, Object Communicator must be restarted after changes are made to
configuration parameters.
Affina PS JDBC SQL Server Connection String

The Affina PS SQL Server driver must be installed in the ...\Program Files\Datacard\ADP\Java
directory. The default driver is the JTDS driver. The connection string syntax can be found in the
JTDS documentation at http://jtds.sourceforge.net/faq.html.
Example:
sql.driver=net.sourceforge.jtds.jdbc.Driver
sql.connectionString=jdbc:jtds:sqlserver://ADP‐XP/ADP;instance=AFFINA
Affina PS Logging Parameters

Affina PS uses the Apache lob4j logging utility. The Affina PS logging parameters control the
current log type and target output for the logged data. The root category may be either error only
or debug which includes informational messages. Logged data may be sent to:
stdout Data may be viewed in a DOS window. Refer to “JVM Initialization Settings” on
page 4.
eventViewer Data is written to the AffinaPS log in the Windows Event Viewer.
timed Starts a new log using a pre‐defined time interval.
ps Data is written to a file.
A detailed description of how to set the format of the data returned in debug mode can be found
at: http://logging.apache.org/log4j/1.2/apidocs/org/appache/log4j/PatternLayout.html
Affina Issuance Platform User’s Guide B-1

Example:
[log]
#log4j.rootCategory=debug, stdout, ps
#log4j.rootCategory=debug, stdout, timed
log4j.rootCategory=error, stdout, eventViewer
log4j.appender.ps=org.apache.log4j.RollingFileAppender
log4j.appender.ps.File=C:/Program Files/Datacard/ADP/Affina.data/adp_ps.log
log4j.appender.ps.layout=org.apache.log4j.PatternLayout
#Conversion pattern controls log content ‐ %d is date and {ISO8601} is date format
log4j.appender.ps.layout.ConversionPattern=%d{ISO8601} %5p [%t] (%F:%L) ‐ %m%n
#File size at which a new log will be created ‐ default size is 10 MB
#log4j.appender.ps.MaxFileSize=5MB
#Number of logs to keep ‐ default number is 1
#log4j.appender.ps.MaxBackupIndex=99
#Time‐based rolling can be monthly, daily, hourly etc.

log4j.appender.timed=org.apache.log4j.rolling.RollingFileAppender
log4j.appender.timed.rollingPolicy=org.apache.log4j.rolling.TimeBasedRollingPolicy
#FileNamePattern controls when to start a new log ‐ .%d{yyyy‐MM‐dd_HH} is hourly
log4j.appender.timed.rollingPolicy.FileNamePattern=C:/Program Files (x86)/Datacard/ADP/
Affina.data/apd_ps.%d{yyyy‐MM‐dd_HH}.log
log4j.appender.timed.layout=org.apache.log4j.PatternLayout
log4j.appender.timed.layout.ConversionPattern=%d{ISO8601} %5p [%t] (%F:%L) ‐ %m%n
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%m%n
log4j.appender.eventViewer=com.datacard.ps.EventLogAppender
log4j.appender.eventViewer.layout=org.apache.log4j.PatternLayout
log4j.appender.eventViewer.layout.ConversionPattern=%5p [%t] (%F:%L) ‐ %m%n
AffinaPKCS11 Slot and Token Parameters

The following AffinaPKCS11 parameters identify the slotId of the key token by number or the
token by name. The token parameter takes precedence over the slotID parameter.
Example:
AffinaPKCS11.slotId=0 AffinaPKCS11.token=AffinaToken
B-2
Configuration Manager Parameters
Configuration Manager parameters include the SQL Server provider type and connection string as
well as OID parameters which may be set in the Configuration Manager user interface by
selecting the appropriate submenus from the Configuration and Options menus.
Example:
configMgr.connectionString=Data Source=ADP‐XP\AFFINA;Initial
Catalog=ADP;Integrated Security=True
configMgr.dbProviderType=SqlClient
configMgr.baseOid=
configMgr.viewOidAsHex=1
configMgr.showAlias=1
configMgr.testMode=0
configMgr.lastImportDir=C:\Program Files\Datacard\ADP\Profiles
configMgr.lastExportDir=C:\Program Files\Datacard\ADP\Samples
DSV Properties
Delimiter‐separated value (DSV) data parameters include the data block marker and the delimiter
character. If you define a DSV marker, you must also define a DSV delimiter.
Example:
DSV.marker=*START*
DSV.delimiter=>
Batch Properties
If you will be running Affina DP in an unattended mode, you may wish to disable the batch system
tray job status icon.
Example:
batch.disableTray=true
Runtime Properties
When the COMPLIANT_BER parameter is set to True, the system will enforce BER‐TLV compliance
for all Jobs running on the system. As a result, any TLV that is not BER‐TLV compliant will generate
a TLV exception.
Example:
COMPLIANT_BER=true
Affina Issuance Platform User’s Guide B-3

JVM Initialization Settings
JVM initialization settings are stored in the jvm.ini file in the ...\Datacard\ADP\Java directory.
Initialization settings preceded by a semicolon (;) are ignored.
Debug
When the debug value is set to 1 (debug=1), stdout debug data will be written to a DOS window.
Example:
debug=1
JVM Location
The location of the jvm.dll that Affina uses.
Example:
location=C:\Program Files (x86)\Datacard\ADP\jre7\bin\client\jvm.dll
B-4

Affina User's Guide

Uploaded by

Copyright:

Available Formats

Affina User's Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Affina User's Guide

Uploaded by

Copyright:

Available Formats

Affina® Issuance Software

Part No. 539655-001, Rev. L

Information in this publication is subject to change without notice. Entrust Datacard

This product includes software developed by the Apache Software Foundation

This product includes software developed by the JDOM Project (www.jdom.org).

This product includes software developed by IAIK of Graz University of Technology.

This product includes software developed by the Eclipse Project (www.eclipse.org).

Copyright © 2014 Entrust Datacard Corporation. All rights reserved.

MasterCard is a registered trademark of MasterCard International Incorporated.

Visa is a registered trademark of Visa International Service Association.

Adobe and Reader are registered trademarks of Adobe Systems Incorporated.

Crystal Reports is a trademark or registered trademark of Crystal Decisions, Inc. in the

Windows is a registered trademark of Microsoft Corporation.

Revision Date Description of Changes

A April 2006 First release of this document.

B November Added information for the 1.0.1 release.

C February 2007 Added information for the 1.1 release.

D July 2007 Added information for the 1.2 release.

E December Added information for the 1.3 release.

F June 2009 Added information for the 1.5 release.

G November Added information for the 1.6 release. Incorporated

H June 2012 Added information for the 1.7 release. Documented

J February 2013 Added information for the 1.7.1 release. Documented

K December Added information for 1.8 release.

L December Added information for the 1.8.1 release.

Conventions Used in this Document

User entries are shown in code typeface.

Manual Title Part Number

Datacard Affina Personalization Manager MULTOS Issuance Software 539112‐003

Datacard Syntera Customization Suite Installation and Configuration 539768‐001

Data Security Standards Implementation Guide 527227‐001

Data Security Standards Implementation Guide 527226‐001

Chapter 3: Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 4: Key Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 6: One Step Personalization Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Chapter 7: Affina DP (Batch) Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Chapter 8: Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Chapter 9: Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Appendix A: Abbreviations and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

Appendix B: Configuration Parameters and Initialization Settings . . . . . . . . . . . . . . . B-1

 Datacard® Affina® data preparation (DP) software

 Datacard® Affina® profiles and scripting (PS) software

Most Affina software components are used in multiple configurations.

Component Description Used In

Affina Issuance Platform User’s Guide 1

Affina DP Data Flow

Affina Issuance Platform User’s Guide 3

Affina OSI Data Flow

This chapter gives information about installing and configuring Affina

 Minimum screen resolution of 1024 x 768

Affina Issuance Platform User’s Guide 5

SQL Server Supported Supported Supported Supported Not Not

SQL Server Supported Supported Supported Supported Not Not

SQL Server Supported Supported Supported Supported Supported Supported

SQL Server Supported Supported Supported Supported Supported Supported

SQL Server Not Not Supported Supported Supported Supported

SQL Server Not Not Supported Supported Supported Supported

The following software must be installed before installing Affina software:

Affina Issuance Platform User’s Guide 7

2. Click Install Prerequisite Software.