
Payshield 9000 Software & License Update

This document provides instructions for updating the software and license files of the payShield 9000 Hardware Security Module using FTP or alternatively using a USB flash drive. The standard procedure is to use FTP with an anonymous login and transfer the files to the HSM's management IP address. If FTP fails, a firmware file with a .psp extension can be loaded from a USB flash drive after resetting the HSM.

Uploaded by

Alexey Khotulev

payShield 9000

Software & License Update Procedure


(Issue 8)

www.thales-esecurity.com
payShield 9000 – Software & License Update Procedure

>> Introduction

This document describes the process of updating the software and license files of
the payShield 9000 Hardware Security Module. Please ensure that you always use:
- the instructions in the PPIF0542-XXX payShield 9000 Software & License
  Update Procedure document that accompanies the relevant software and
  license files (software v1.x); or
- the instructions at Appendix C of the 1270A543-XXX payShield 9000
  Installation Manual (software v2.0a onwards)
to ensure that you have the latest version.
Note for HSM Manager users: both the Local and Remote HSM Manager
products include a feature to load firmware and licenses onto the payShield 9000.
It is recommended that HSM Manager users use that capability: instructions are
provided in the Local or Remote HSM Manager manual. Local HSM Manager is
provided as part of the standard payShield 9000 product, and the manual is
included in the payShield 9000 manual set.

Thales e-Security

>> Update Procedure


The payShield 9000 software and/or license can be updated using an FTP
connection over TCP/IP on the HSM's Management Ethernet port. The
Management port's configuration can be viewed and changed via the Console's
CM (Configure Management) command, or the HSM Manager's
Edit/Management Port screen.
In order to update the HSM's software or license, you must use an FTP client,
which is typically either:
- A command line utility (often included with a PC's Operating System)
- A graphical utility (generally available)
Although they employ different user interfaces, they both require the same
information:

Parameter                            Value
HSM's Management port's IP address   xxx.xxx.xxx.xxx
FTP account name                     anonymous
FTP account password                 <blank>
Software file                        xxxxx.tkp or xxxxx.tki
License file                         xxxxx.licence

Additionally, the HSM must be in the Secure state before the FTP process starts.
Once the transfer is complete, the HSM processes the uploaded file (and flashes
the front panel Management LED various colours to indicate progress). Valid license
files are applied immediately. Valid software files result in the HSM automatically
restarting in order to complete the update process.
Note that software updates can take several minutes to complete: please wait for
the HSM to restart before using.


>> Example - Command Line FTP Client


1. Start the FTP client in the folder containing the files to be uploaded, and
   specify the HSM's management port's IP address as a parameter.
   E.g. "ftp <address>"
2. Use "anonymous" as the username, and leave the password blank.
3. Type "bin" to switch to binary transfer mode.
4. Type "put" followed by the name of the file to be transferred. You should use
   the delivered file with an extension of ".tkp" or ".tki" if loading software, or
   with an extension of ".licence" if loading a license.
5. Type "quit" to exit the utility when the transfer is complete.

    C:\>ftp 192.168.100.200 <Return>
    Connected to 192.168.100.200.
    220 192.168.100.200 FTP server (QNXNTO-ftpd 20081216) ready.
    User (192.168.100.200:(none)): anonymous <Return>
    331 Guest login ok, type your name as password.
    Password: <Return>
    230 Guest login ok, access restrictions apply.
    ftp> bin <Return>
    200 Type set to I.
    ftp> put B4665271226O-3.licence <Return>
    200 PORT command successful.
    150 Opening BINARY mode data connection for 'B4665271226O-3.licence'.
    226 Transfer complete.
    ftp: 1124 bytes sent in 0.05Seconds 23.91Kbytes/sec.
    ftp> quit <Return>
    221-
    Data traffic for this session was 1124 bytes in 1 file.
    Total traffic for this session was 1591 bytes in 1 transfer.
    221 Thank you for using the FTP service on 192.168.100.200.
    C:\>

The example above shows a licence file (B4665271226O-3.licence) being uploaded
into an HSM at address 192.168.100.200.

>> Example - Graphical FTP Client

1. Start the graphical FTP client, and (depending on specific client) enter
details to identify the host (i.e. the HSM's Management port's IP address).
2. Use "anonymous" as the username,
leave the password blank.
3. Select the folder containing the file(s) to
be uploaded.
4. Select the file(s) to be uploaded, and
start the upload process.
5. Exit the application when the transfer is
complete.
The example above shows a licence file
(B4665271226O-3.licence) being uploaded
into an HSM at address 192.168.100.200.

Note: The HSM immediately moves any uploaded file(s), so they will not appear on
the HSM after the transfer is complete.
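
The FTP procedure above as a scripted upload with a pre-flight check on the file type. This is an added example, not part of the Thales document: `update_kind`, `upload_update` and the `ftp_factory` parameter are hypothetical names, and recording a SHA-256 of the uploaded file and forcing active mode are assumptions made here.

```python
import hashlib
from ftplib import FTP
from pathlib import Path

# Extensions the procedure names for the FTP route; ".psp" is the USB-only image.
FTP_KINDS = {".tkp": "software", ".tki": "software", ".licence": "license"}


def update_kind(filename):
    """Return 'software' or 'license', or raise if the file must not go over FTP."""
    ext = Path(filename).suffix.lower()
    if ext == ".psp":
        raise ValueError(f"{filename}: .psp images are loaded from USB, not FTP")
    if ext not in FTP_KINDS:
        raise ValueError(f"{filename}: expected .tkp, .tki or .licence")
    return FTP_KINDS[ext]


def upload_update(host, path, ftp_factory=FTP, timeout=30):
    """Upload one update file following the manual's command-line FTP session.

    ftp_factory is a hypothetical injection point so the function can be
    exercised without an HSM; by default it is ftplib.FTP.
    """
    path = Path(path)
    kind = update_kind(path.name)
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()  # kept for the change record

    ftp = ftp_factory(host, timeout=timeout)
    try:
        # ftplib sends "anonymous@" when the anonymous password is left empty.
        ftp.login("anonymous", "")
        ftp.set_pasv(False)  # assumption: mirror the PORT (active) transfer shown
        with path.open("rb") as fh:
            reply = ftp.storbinary(f"STOR {path.name}", fh)  # sets TYPE I ("bin")
        ftp.quit()
    finally:
        ftp.close()
    if not reply.startswith("226"):
        raise RuntimeError(f"unexpected FTP reply: {reply}")
    return {"file": path.name, "kind": kind, "bytes": len(data),
            "sha256": digest, "reply": reply}
```

The HSM must already be in the Secure state before this runs, as the procedure requires; the script does not check that.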


>> Alternative Update Procedure


If the standard (FTP) update procedure fails, or the payShield 9000 becomes
unresponsive (even after power cycling), customers may use the following
alternative method of loading new firmware into the unit.
Caution: This method will cause all sensitive data to be erased, including (if
present) LMK(s) and remote management data.
This alternative method uses a regular USB flash drive to transfer the new firmware
file into the payShield 9000. However, please note the following:
- Firmware files loaded via USB are different to firmware files loaded via FTP. The
  USB method uses a firmware file with extension ".psp".
- This alternative method cannot be used to load licenses into the payShield 9000
  unit. All licence files must be loaded into the unit via the FTP procedure,
  described in the previous section.
- Standard single-purpose USB memory sticks should be used rather than
  multifunctional devices with USB memory capability.
1. Locate the appropriate firmware file from the distribution media (either CD or
ZIP file). This should be a single file, with extension ".psp". Copy this file onto
the root of the USB flash drive.
2. Establish a terminal connection to the payShield 9000 (using the supplied
console cable). Irrespective of the settings for the console port on the
HSM, set the communications parameters on your console or terminal emulator
to 115200 baud, 8 data bits, 1 stop bit, no parity.
3. Push the (recessed) "Erase" button on the back panel of the payShield 9000.
This will automatically cause the HSM to reboot: do not turn the electrical power
off/on to cause a reboot.
4. When the prompt "Hit any key to interrupt the load process and enter
the boot manager:" appears, quickly press, while the extending row of #
symbols is being displayed, the " " (or Enter or Return) key, and you should
observe a ">" prompt.
5. Insert the flash drive into one of the payShield 9000's USB sockets. The console
prompt should change to "A:\>".
6. Type "update <filename.ext>" specifying the name of the firmware file on the
flash drive.
7. The console will display the following output while the firmware is being updated:
a. Reading (XXXX bytes) from USB drive
b. Verifying signature
c. Erasing FLASH
d. Programming FLASH

Example console session:

    Local Bus Controller v. 1.4
    Bootstrap v. 1.10.2
    Boot Manager v. 1.16.8

    Hit any key to interrupt the load process and enter the
    boot manager:
    0__10___20___30___40___50___60___70___80___90__100%
    ##################
    >

    A:\> update 11100202.psp
    Reading (11903292 bytes) from USB drive ... DONE (2 sec)
    Verifying signature ... DONE (8 sec)
    Erasing FLASH ... DONE (32 sec)
    Programming FLASH ... DONE (25 sec)
    A:\>
    >


8. Once the console prompt returns, remove the flash drive and power-cycle the
unit. The new firmware is now installed.
Note: If you changed your console or terminal emulator settings at step 2, you will need to
return them to those appropriate for the HSM console connection (default: 9600 baud, 8 data
bits, 1 stop bit, no parity).
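
A check that a saved console capture of the USB update shows all four stages from step 7 completing in order, with signature verification reported before the flash is erased. This is an added example, not part of the Thales document: `check_update_log` is a hypothetical name, and the "FAILED" status in the second sample is an assumption, since the manual only shows successful output.

```python
import re

# Stages in the order the manual lists them for "update <file>.psp".
STAGES = ["Reading", "Verifying signature", "Erasing FLASH", "Programming FLASH"]
# Leading \W* tolerates stray marker glyphs left in front of a captured line.
STAGE_RE = re.compile(
    r"^\W*(Reading|Verifying signature|Erasing FLASH|Programming FLASH)\b"
    r".*?\.\.\.\s*(\S+)")


def check_update_log(text):
    """Return (ok, problems) for a captured boot-manager console session."""
    seen = []  # (stage, status) pairs in order of appearance
    for line in text.splitlines():
        m = STAGE_RE.match(line.strip())
        if m:
            seen.append((m.group(1), m.group(2)))
    names = [stage for stage, _ in seen]
    problems = [f"missing stage: {s}" for s in STAGES if s not in names]
    for stage, status in seen:
        if status != "DONE":
            problems.append(f"{stage}: status {status!r}, expected 'DONE'")
    if not problems and names != STAGES:
        problems.append(f"stages out of order or repeated: {names}")
    return (not problems, problems)


# Console capture as printed in the manual's example session.
MANUAL_SAMPLE = """\
A:\\> update 11100202.psp
Reading (11903292 bytes) from USB drive ... DONE (2 sec)
Verifying signature ... DONE (8 sec)
Erasing FLASH ... DONE (32 sec)
Programming FLASH ... DONE (25 sec)
A:\\>
"""

# Constructed failure case: the capture stops at signature verification.
CONSTRUCTED_BAD = """\
A:\\> update example.psp
Reading (1024 bytes) from USB drive ... DONE (1 sec)
Verifying signature ... FAILED
"""

if __name__ == "__main__":
    for label, log in (("manual", MANUAL_SAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, check_update_log(log))
```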

Thales e-Security
Americas
THALES e-SECURITY, INC.
900 South Pine Island Road
Suite 710
Plantation
Florida
33324. USA
T: +1 888 744 4976 or +1 954 888 6200
F: +1 954 888 6211
E: [email protected]

Asia Pacific
THALES TRANSPORT & SECURITY (HONG KONG) LTD.
Unit 4101, 41/F
248 Queen's Road East
Wanchai
Hong Kong, PRC
T: +852 2815 8633
F: +852 2815 8141
E: [email protected]

Europe, Middle East, Africa
THALES e-SECURITY LTD.
Meadow View House
Long Crendon
Aylesbury
Buckinghamshire
HP18 9EQ. UK
T: +44 (0)1844 201800
F: +44 (0)1844 208550
E: [email protected]

© Copyright 1987 - 2012 THALES e-SECURITY LTD

This document is issued by Thales e-Security Limited (hereinafter referred to as Thales) in confidence and is not to be reproduced in
whole or in part without the prior written approval of Thales. The information contained herein is the property of Thales and is to be
used only for the purpose for which it is submitted and is not to be released in whole or in part without the prior written permission
of Thales.
