About the ActivID Key Management System

The ActivID Key Management System (KMS) is a stand-alone application, included in the ActivID CMS distribution, which manages the smart card keying material in the Hardware Security Module (HSM). KMS provides a menu-based, command-line interface you can use for initializing, cloning, and updating HSMs.

KMS is used to generate and import master keys into the HSM. These master keys are used to derive the individual card keys for each smart card. KMS generates and uses triple-length 3DES keys as well as AES 128/256-bit keys for HSMs. You must initialize three HSMs before you can begin using ActivID CMS:

Important: HID Global cautions against deploying ActivID CMS without an HSM for either pilot or production systems, as this represents a clear security risk. Deploy it without an HSM ONLY for evaluation purposes, or when using it with PKCS#11-based smart cards. For more information, refer to .

Using ActivID KMS you can:

  • Initialize a test HSM to check for successful installation of ActivID KMS.

  • Initialize a Principal HSM for production.

  • Update a Principal HSM.

  • Import or generate new transport keys.

  • Generate master keys according to a predefined HSM configuration.

  • Manually inject new master keys.

  • List the content of an HSM.

  • Set up and change the Security Officer and Operator PINs (only available for FIPS (Federal Information Processing Standard) 140-2 L2-compliant HSMs).

Important: You must restart the ActivID CMS server after each use of ActivID KMS.

For details about installing KMS, refer to Installing and Using ActivID KMS.