Administrator

Provision Secure Element Keys for DIRECT Mode

Each new secure element that is issued by the SAP Mobile Platform operator can be identified by a unique ID, and requires a specific keyset. The secure element unique ID is stored in a structure called Card Production Life Cycle (CPLC) data, which uniquely identifies each secure element and is stored into each secure element prior to configuration.

The association between the secure element and the unique keyset is usually provided by the secure element manufacturer, and is generally required by the secure element issuer, to maximize security. The card issuer would be taking a large risk if all secure element accesses were based on a single keyset.

To deploy the MER on secure element in DIRECT mode, on device charging needs the CPLC/keyset pair for each secure element. Each pair is stored in the on device charging table ODC_DIRECT_SE_INFO.

The secure element manufacturer generally includes an additional CSV file that contains all secure element information (CPLC/keyset pair) with each secure element batch. On device charging registers the CSV files using:
### CPLC_data;  keyVersionNumber;  keyIdentifier;  key1_type;  key1_value ; key2_type;  key2_value; key3_type; key3_value ###
CPLC_data: a string containing hexadecimal numbers.
keyVersionNumber: integer, a technical number provided by the party who performs the keys installation at personalization phase.
keyIdentifier: integer, a technical number provided by the party who performs the keys installation at personalization phase.
keyX_type: one of the following strings (“senc”, “smac”, “dek”).
keyX_value: a string containing hexadecimal numbers.

Example of line:
2A4790502116716320431790159B5EE10C6646479262421673625716746272000000000000000000000000,42,0,senc,25C69649A518622044BF1915BF65F7AB7737CF11B26EA506F5DE6163B08CB876E1ED5DE0D3BF457F6418D321BAD62AEDEA6220423A7FC87C08C0F71748CFF2CA20EDC29AEEC6879C951D26861305F37FE218288DA46A11D28B28603A8B0A6263686DDD19E4B894F31E2758E8EA53EBC0EE7703A8565F87A5C90DE6B8201471AB3287B5A0477A9326A66CA390182BF794D6877D49283C168CC9EB2D44D63A8D5328D418F9BAADA7F5AA88E04665990927411AAFE13A84290783DC2C21BDED9751BB512592014C42C4E0CFFDD552D41E1493E013D1F7C7DA03BA70E799D80A8CF9A4AA13DF1A31173330B4F20FC8BCBB5D311FD5A9B7C9F418B0E81A591DD37229,smac,62ED9BAC8A66493F89B6BB6C5079A2ED1F69646B98FCC49AEECFF76119C323AAD200C1BFAD210E7E0EBFD4D0BCC5E86BB26F5092942AD3E2004AA87632776D27DF3AC71E5C944E423982C5B8541E0B1E62EDC94D391E8FE1D31F226A450F9556F806DDDDC6FEE4E2B9EE6DD9F96A822348F537417451C9B235D3B8E369D81B01C8DEDBCB96380603B5E976468878B6EFF1C33D67E5323578B592ABEACBFC30E956E1233ABCA608B6A0EF09861D2BB6943DA615ECCEFC95CCE2F423706C9F5FBAFA206377C589D57F2D01C66CBE6D1065365A14170BC25B56E4C45D930D623D82AFFB57F20B7A7CEDA0E47318829382C492949FFB1454A12060F2AB467B0F349D,dek,55E2A101A100F498ECB7C72563FE712CDD00682F174CA0C0BD4214FBAE9AA949A1FDF807AD78CBF6F887C61320729FC7FF3CBBEC696E32BBAE28B43830B9883E108D04DFFE359D8152151D38E94CECA041C14C1C91D5C77850CD18EC753BF49C326ACAAF024D34D5F9979CF8BC37D1EE3BDBD4EAE66C9BF8022A8CD78C5E73B2BF2C04764C86203B989E90BCB7C1C8CD2F78F8B6580C3C669B4D544D4367C6D465AC0D456F106654942E75BF216746284ACC3A14C6F60ABB721814AA6DBA9B4F2BCC772379EB02EEB83DADC899182EC825CC8F0FA1932E235AAA3979D54C0721DF9A3837B7AB0DFAB6AA1A4C864F1FF566758F22CEA42F2B6FF94016F21AF2B3

To guarantee the security, all the key values will have to be ciphered by the secure element manufacturer with the public key stored in the mobiliser_odc.crt file.

The ciphering algorithm that must be used by the secure element manufacturer is RSA/ECB/PKCS1Padding.

To install this file into the ODC_DIRECT_SE_INFO table:
  1. Uncompress the <SMP_HOME>\Server\tools\mobiliser\com.sap.odc.tool.security.odckeytool-1.0.0.RC7-dist.zip file.
  2. Change directory to com.sap.odc.tool.security.odckeytool-1.0.0.RC7\com.sap.odc.tool.security.odckeytool-1.0.0.RC7.jar.
  3. Execute:
    java -jar com.sap.odc.tool.security.odckeytool-1.0.0.RELEASE.jar populate_se_info -url < smp_server_url> -login <mobiliser_user_login> -passwd <passwd> –csv <csvFilePath>] 
where <mobiliser_user_login> and <passwd> authenticates the user against Mobiliser after having successfully passed the SAP Mobile Platform HTTP gateway.