HSM renewal – Experience 2

Every institution running SWIFT connectivity, utilising HSM boxes, is required to perform a mandatory action by September 2015. Either;

  • renew existing HSM boxes or
  • migrate to Alliance Remote Gateway

I have performed the HSM box renewal process and would like to share my experience.


In order to succeed without any major interruptions, it is important to understand what is required and ensure your environment is stable.
The following criter
ia are recommended for a successful renewal:

  • experience troubleshooting HSM box issues, specifically HSM renewal (the new renewal follows similar processes to precious HSM replacements)
  • failover of live traffic to contingency site during HSM boxes renewal on Production site
  • ensure the current HSM boxes are at the latest Firmware and patch levels
  • all HSM users passwords and PINs are known and valid
  • use ITIL Change Management processes (testing in UAT, approval, backup plans, rollback plans)

The following are the available Documentation sources on the Swift website:

  • FAQ (KB tip) (UPDATE – list with links was updated)
  • presentation – overall picture
  • high level guide
  • HSM Box Hardware Refresh Guide – it’s actually step by step Howto
  • HSM Box Operations Guide (IS6) – new guide

And as usual it’s not easy to find it 🙂 here is the link for Refresh Campaign page,

Link to FAQ (KB tip)

Most useful Refresh Guide is missing there! Link is here


In my case it took 6 weeks to receive the new HSM boxes after submitting the e-order. The order arrived in 4 large big boxes of which I recommend storing at least one for future needs such as sending defected box to SafeNet. Also with each box you will receive a Remote PED and empty tokens, which is great. Previously you had to order Remote PED for 1500 USD.

What’s new (available features) with comments:

Information copied from the HSM refresh materials:

  • New hardware with enterprise class server-grade componentspeddetail
  • Redundancy for critical components
  • Contains two hot-swappable power supply – Do you have second independent power source in your rack?
  • Field replaceable cooling fans – no fans would be better
  • New PED can be used locally or remotely – finally
  • New decommission button on back of box, mainly used in the unlikely event of returning boxes to factory (unlikely event, huh?)
  • USB to serial adapter packaged along with the box
  • Visual indicator (led) on back of HSM box and an audio alarm helps monitor power supplies ( I’m wearing hearing protectors in server rooms anyway and in such noise it would be barely hearable)

New box is backward compatible. It can be interoperate with old boxes so software upgrade or certificate migration is not needed. – Cool

According SWIFT the lifetime is around 6-7 years for HSM boxes Version 6 and SWIFT will provide end of support notice 24 months in advance.

The old PED is not compatible with new HSM boxes. The new PED is backwards compatible, so use the new PED on existing HSMs to verify their functionality (even spare PEDs).


Carry out all tasks which do not require online connectivity in advance, these tasks can be carried out remotely.

  • check that BOX is not broken
  • test both power supplies
  • set up LAN interface (bonding must be set up later)
  • set up HSM admin password
  • write down serial numbers
  • if possible update SNL to latest version and upgrade HSM Software and Firmware

Also, I strongly recommend assigning the Orange RemotePED key to the new HSM boxes before registering the boxes with the SNL. It means that in server room you are only required to:

  • unmount the old boxes
  • mount the new boxes
  • assign the RemotePED key to each HSM box

The remainder of the tasks can be done remotely from the office except the network bonding as to test its functionality you will need someone who at the box to pull the cable (commands for bonding setup can be executed remotely).

High level steps for 2 box cluster:

If the exact same configuration is required then I recommend veering from SWIFT detailed plan and promoting the replica box to primary. Following SWIFTs plan will swap the physical locations of HSM boxes (in 2 box setup).

My plan for renewal (2 box cluster):
Lets use the following names as an example for HSM boxes


  • Replace HSM_OLD_REPLICA in the cluster with HSM_NEW_REPLICA
  • Promote HSM_NEW_REPLICA as Primary
  • Promote HSM_NEW_PRIMARY as primary

Additional comments

  • Renewal of each HSM box took about 20 minutes. 10 of PED key exchanges were required.
  • The renewal was successful first time.
  • In the instructions, it is required to shutdown SAG/SNL during HSM box renewal. Why? This is exactly the point where you can stress the environment a little to ensure the boxes are stable and exchange boxes with defects. Instead of stopping the SNL and doing the change outside business hours, I recommend failing traffic over to the contingency site and doing change in normal office hours.
  • I would recommend restarting the SNL after the renewal although it is not mandatory.
  • It’s not documented in refresh guide but if you have more SNLs registered to HSM cluster (usually TEST SNL instance) you have to deregister and re-register HSM cluster again.
  • In the refresh guide there is the possibility to set up cluster compatibility to required version by omitting existing values. However I do recommend to do the standard HSM box firmware and software upgrade before renewal. This might require an update to the SNL version.

Post installation tasks

  • use the HSM selftest utility to verify the new cluster.
  • you may need to create additional admin accounts and setup HSM internal backup routine.
  • you may create additional PED keys duplicates (this doesn’t require HSM connectivity, it can be done via RemotePED only, verify keys, if possible)
  • you should factory reset the old HSM boxes. Follow your organisation procedures for HW decomission.


As you might already see, Swift didn’t include all the steps which might be required. Mostly operational prerequisites and post installation tasks are missing.
So what will the renewal costs? For what I believe will be the most typical setup; 4 HSM Low throughput boxes, SWIFT will give you a 50% discount! However, you will still have to pay approximately 10 000 EUR. Also there is an increase to the annual fees.

Our offer to you

We are offering the HSM Box renewal onsite intervention for a very affordable price compared to Swift Consulting services. If you want to do it in house but would like someone to double check your approach, we can help to create step-by-step instructions which tailored to your environment for 500 EUR. Please contact us at info@swiftexperts.com

UPDATE: We can also assist with recent HSM boxes HOT FIX security patching either as onsite intervention or prepare step-by-step guide for your specific configuration.

If you found this post useful, please comment or put a like. Thank you.

Leave a comment

Your email address will not be published.

2 thoughts on “HSM renewal – Experience