Different behaviour of actual hsm

Oct 8, 2010 at 9:41 AM

Hi guys! First of all congratulations on your work. It has been very helpful. I have been using your simulator to develop my application. Now I run my application using an actual HOST SECURITY MODULE 8000. I have the following problem. When I submit the following command to the simulator it works fine:

Command code:     CM
BDK (encrypted under LMK 28-29):  U87802D092ABFCB93F4BE7539BDE448E0
PVK (encrypted under LMK 14-15): U0878CB006D7402F820E0526271E2FE9A
KSN Descriptor:    A55
KSN:     FFFF1701000000200000
Source encrypted:   34282BF885C8F977
Account Number:    000000010002
PVKI:     0
PVV:     9948

Entire command:    CMU87802D092ABFCB93F4BE7539BDE448E0U0878CB006D7402F820E0526271E2FE9AA55FFFF170100000020000034282BF885C8F97700000001000209948

The above command works fine on your simulator. When I submit it to the actual HSM I get error code 15 Invalid input data (invalid format, invalid characters, or not enough data provided). I would expect to receive any other error, but not this. What am I doing wrong?

Oct 8, 2010 at 11:29 AM

I suspected for a long time that we were more lenient than a real HSM as far as errors are concerned. In this particular case...I've no idea what the discrepancy could be (although it's the first time I've seen a PVKI equal to 0 but that might not mean something). Let us have a look and we'll post back.

Oct 8, 2010 at 6:55 PM

I don't see any obvious reason for getting 15 back from the HSM. I think it's safe to say that it's not the BDK or PVK keys, you'd get an error code of 10 or 11 if something was wrong with those. Lengths and attributes of parameters also appear correct. I can't see how the KSN would produce an error. The only other thing that might give out an error in a real world scenario is the key derivation but I don't really believe that you'd get an error code of 15 back from that.

I know it's probably something you already checked but can you confirm that the HSM doesn't expect a message trailer as well as a message header?

Oct 26, 2010 at 2:31 PM

Hi guys. Everything was fine with the simulator actaully. The problem is that with the actual HSM I was not using the KSN descriptor used by the actual PIN PAD when generating encrypted pin block. That's why pin verification would fail. Sorry for the inconvinience and thank you again.

Oct 26, 2010 at 2:36 PM

No problem, thanks for posting back to clear it up.

Jan 24, 2011 at 12:53 PM


Dear All,

first of all let me introduce myself, my name is Fernando and I'm currently working as system technician on a spanisch Bank.

Doubt that I currently have, is that I am reconfiguratin our HSM8000, due that I would like to share it with two or three HOST (Mainframe Fujitsu MSP), with diferent LMKs.

Having a look at the Host Security Manual to select between diferrent LMKs, I must add a parameter to the command or inference from TCP port used. Regardin asigining TCP port to an LMK,doubt is that I haven't seen on the manual, where must we set the TCP/Port  when we create a new LMK set with the "GK" command, and after that at the load procedure "LK".

Any thoughts/opinions will be greatly appreciated,

With Best Regards,


Jan 24, 2011 at 2:52 PM

The simulator doesn't currently support using a different LMK set.

Jan 25, 2011 at 10:16 AM

Many thanks for your answer. Regards, Fernando