HSM Commander


The EFTtools set consist of applications supporting payment transaction service development, testing and benchmarking. It currently consists of following components: Cryptographic Calculator and HSM Commander.

In recent versions there were also EMV Tool, now part of Cryptographic Calculator, and P3 Card Edit Tool, which development was stopped and its latest release is part of the 20.04 release.

This tutorial focuses on HSM Commander’s functionality for Thales, Gemalto (SafeNet) and MicroFocus (HPE Atalla) devices.

HSM Commander (BP-HCmd)

BP-HCMD and provides tools to any development related Thales, Gemalto (SafeNet) and MicroFocus (HPE Atalla) HSM devices and contains following features: Command console and Load tester.

Command console

Command console is a tool for testing HSM responsiveness by sending various HSM commands and parsing the response. In current version it supports three main HSM providers on the market (Thales, Gemalto (SafeNet) and MicroFocus (HPE Atalla)).

  • Thales HSM supports range of commands of the RG8XXX with compatibility overlap to RG9XXX.
  • Gemalto (SafeNet) supports range of commands of the SafeNet Luna Mk. II.
  • MicroFocus (HPE Atalla)

Output for Thales RG8XXX ‘A0’ – Generate a key command:

[2014-09-08 11:20:34 AM] Command ‘A0’ sent to HSM.

[2014-09-08 11:20:34 AM] Response received from HSM.
[None an 008 M] : ‘Message Header’ = [00000000]
[None an 002 M] : ‘Response Code’ = [A1]
[None an 002 M] : ‘Error Code’ = [00]
[16H/1A+32H/1A+48H M] : ‘Key under LMK’ = [UE4709A3EC6EAA50CD383C5DC10E50A85]
[16H/1A+32H/1A+48H M] : ‘Key under ZMK’ = [U1BC846294725464467F3710419312DE6]
[VAR:..0x19 Hex 016 M] : ‘Key Check Value’ = [014C20]

As the list of supported commands still grows see the actual state in our knowledge base page Thales HSM command support

Load tester

Through the EFTlab’s track of experience we discovered a need to measure HSM’s performance for a local and remote service. Use case for its development what to benchmark the secondary HSM dedicated to the DR processing and located in a geographically separated DR server room, in case of primary HSM not being available. This case focused on the network bandwidth and resulting HSM latency.

HSM Load Tester measures Cryptographic performance by stream of following commands:

  • “GW” (Generate/Verify a MAC using a Triple-DES DUKPT MAC Key) for Thales RG8XXX simulation,
  • “00” for the SafeNet Luna Mk. II simulation;

to the HSM in several parallel threads. Result from this test gives a good overview on HSM performance from all aspects.

Output from benchmarking operation should read like this:

[2014-09-08 10:35:38 AM] Test finished.
Response timed out:          1
Test duration [s]:           10
Average processing [trx/s]:  59.400002
DES ciphers done:            19569
DES ciphers average [DES/s]: 1841.599976
Data streams:                1
Successful:                  593
Failed:                      1
Total:                       594


In this article, we went through the functionality of HSM Commander.

HSM Commander and other tools covered in EFTtools suite were designed to help and assist payment industry people in their day to day tasks and make their work the most effective. Our team would be grateful if you would suggest any improvements to our applications or report completely new functionality needed. Feedback from our users like this is exactly what drives the development of its and helps us to share our experience to wide public.