Merge pull request #216282 from msmbaldwin/phsm-ga

Payment HSM GA: 10/31

Author: v-regandowner

articles/payment-hsm/access-payshield-manager.md

@@ -0,0 +1,202 @@
+---
+title: Access the payShield manager for your Azure Payment HSM
+description: Access the payShield manager for your Azure Payment HSM
+services: payment-hsm
+ms.service: payment-hsm
+author: msmbaldwin
+ms.author: mbaldwin
+ms.topic: quickstart
+ms.devlang: azurecli
+ms.date: 09/12/2022
+---
+
+# Tutorial: Access the payShield manager for your payment HSM
+
+After you have [Created an Azure Payment HSM](create-payment-hsm.md), you can create a virtual machine on the same virtual network and use it to access the Thales payShield manager.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> * Create a subnet for your virtual machine
+> * Create a virtual machine
+> * Test Connectivity to your VM, and from the VM to your payment HSM
+> * Log into the VM to access the payShield manager
+
+To complete this tutorial, you will need:
+
+- The name of your payment HSM's virtual network. This tutorial assumes the name used in the previous tutorial: "myVNet".
+- The address space of your virtual network. This tutorial assumes the address space used in the previous tutorial: "10.0.0.0/16".
+
+## Create a VM subnet
+
+# [Azure CLI](#tab/azure-cli)
+
+Create a subnet for your virtual machine, on the same virtual network as your payment HSM, using the Azure CLI [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) command. You must provide a value to the--address-prefixes argument that falls within the VNet's address space, but differs from the payment HSM subnet addresses.
+
+```azurecli-interactive
+az network vnet subnet create -g "myResourceGroup" --vnet-name "myVNet" -n "myVMSubnet" --address-prefixes "10.0.1.0/24"
+```
+
+The Azure CLI [az network vnet show](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) command will list two subnets associated with your VNet: the subnet with your payment HSM ("mySubnet"), and the newly created "myVMSubnet" subnet.
+
+```azurecli-interactive
+az network vnet show -n "myVNet" -g "myResourceGroup"
+```
+
+# [Azure PowerShell](#tab/azure-powershell)
+
+First, save the details of your VNet to a variable using the Azure PowerShell [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork) cmdlet:
+
+```azurepowershell-interactive
+$vnet = Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup"
+```
+
+Next, configure a subnet for your virtual machine, on the same virtual network as your payment HSM, using the Azure PowerShell [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig) command. You must provide a value to the `--address-prefixes` argument that falls within the VNet's address space, but differs from the payment HSM subnet addresses.
+
+```azurepowershell-interactive
+$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name "myVMSubnet" -AddressPrefix "10.0.1.0/24"  
+```
+
+Lastly, add the subnet configuration to your VNet variable, and then pass the variable to the Azure PowerShell [Set-AzVirtualNetwork](/powershell/module/az.network/set-azvirtualnetwork) cmdlet:
+
+```azurepowershell-interactive
+$vnet.Subnets.Add($vmSubnet)
+                   
+Set-AzVirtualNetwork -VirtualNetwork $vnet
+```
+
+The Azure PowerShell [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork) cmdlet will now list two subnets associated with your VNet: the subnet with your payment HSM ("mySubnet"), and the newly created "myVMSubnet" subnet.
+
+```azurepowershell-interactive
+Get-AzVirtualNetwork -Name "myVNet" -ResourceGroupName "myResourceGroup"
+```
+
+# [Portal](#tab/azure-portal)
+
+---
+
+## Create a VM
+
+# [Azure CLI](#tab/azure-cli)
+
+Create a VM on your new subnet, using the Azure CLI [az vm create](/cli/azure/vm#az-vm-create) command. (In this example we will create a Linux VM, but you could also create a Windows VM by augmenting the instructions found at [Create a Windows virtual machine with the Azure CLI](../virtual-machines/windows/quick-create-cli.md) with the details below.)  
+
+```azurecli-interactive
+az vm create \
+  --resource-group "myResourceGroup" \
+  --name "myVM" \
+  --image "UbuntuLTS" \
+  --vnet-name "myVNet" \
+  --subnet "myVMSubnet" \
+  --admin-username "azureuser" \
+  --generate-ssh-keys
+```
+
+Make a note of where the public SSH key is saved, and the value for "publicIpAddress".
+
+# [Azure PowerShell](#tab/azure-powershell)
+
+To create a VM on your new subnet, first set your credentials with the [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential) cmdlet. Provide a username of "azureuser" and a password of your choice, saving the object as $cred.
+
+```azurepowershell-interactive
+$cred = Get-Credential
+```
+
+Now create your VM using the Azure PowerShell [New-AzVm](/powershell/module/az.compute/new-azvm) command. (In this example we will create a Linux VM, but you could also create a Windows VM by augmenting the instructions found at [Create a Windows virtual machine with the Azure PowerShell](../virtual-machines/windows/quick-create-powershell.md) with the details below.)  
+
+```azurepowershell-interactive
+New-AzVm `
+    -ResourceGroupName "myResourceGroup" `
+    -Name "myVM" `
+    -Location "eastus" `
+    -Image "UbuntuLTS" `
+    -PublicIpAddressName "myPubIP" `
+    -VirtualNetworkName "myVNet" `
+    -SubnetName "myVMSubnet" `
+    -OpenPorts 22 `
+    -Credential $cred `
+    -GenerateSshKey `
+    -SshKeyName "myVM_key"
+```
+
+Make a note of where the private SSH key is saved, and the value for "FullyQualifiedDomainName".
+
+# [Portal](#tab/azure-portal)
+
+To create a VM on your new subnet:
+
+1. select "Virtual machines" from the "Create a Resource" screen of the Azure portal:
+  :::image type="content" source="./media/portal-create-vm-1.png" alt-text="Screenshot of the portal resource picker.":::
+1. On the "Basics" tab of the creation screen, select the resource group that contains your payment HSM ("myResourceGroup"):
+  :::image type="content" source="./media/portal-create-vm-2.png" alt-text="Screenshot of the portal main VM creation screen.":::
+1. On the "Networking" tab of the creation screen, select the VNet that contains your payment HSM ("myVNet"), and the subnet you created above ("myVMSubnet"):
+  :::image type="content" source="./media/portal-create-vm-3.png" alt-text="Screenshot of the portal networking VM creation screen.":::
+1. At the bottom of the networking tab, select "Review and create".
+1. Review the details of your VM, and select "Create".
+1. Select "Download private key and create resource", and save your VM's private key to a location where you can access it later.
+
+---
+
+## Test connectivity
+
+To access connectivity to your virtual machine, and from your VM to the management NIC IP (10.0.0.4) and host NIC IP, SSH into your VM.  Connect to either the public IP address (for example, [email protected]) or the fully qualified domain name (for example, [email protected])
+
+> [!NOTE]
+> If created your VM using Azure PowerShell, the Azure portal, or if you did not ask Azure CLI to auto-generate ssh keys when you created the VM, you will need to supply the private key to the ssh command using the "-i" flag (for example, `ssh -i "path/to/sshkey" azureuser@<publicIpAddress-or-FullyQualifiedDomainName>`). Note that the private key **must** be protected ("chmod 400 myVM_key.pem").
+
+```bash
+ssh azureuser@<publicIpAddress-or-FullyQualifiedDomainName>
+```
+
+If ssh hangs or refuses the connection, review your NSG rules to ensure that you are able to connect to your VM.
+
+If the connection is successful, you should be able to ping both the management NIC IP (10.0.0.4) and the host NIC IP (10.0.0.5) from your VM:
+
+```bash
+azureuser@myVM:~$ ping 10.0.0.4
+PING 10.0.0.4 (10.0.0.4) 56(84) bytes of data.
+64 bytes from 10.0.0.4: icmp_seq=1 ttl=63 time=1.34 ms
+64 bytes from 10.0.0.4: icmp_seq=2 ttl=63 time=1.53 ms
+64 bytes from 10.0.0.4: icmp_seq=3 ttl=63 time=1.40 ms
+64 bytes from 10.0.0.4: icmp_seq=4 ttl=63 time=1.26 ms
+^C
+--- 10.0.0.4 ping statistics ---
+4 packets transmitted, 4 received, 0% packet loss, time 3005ms
+rtt min/avg/max/mdev = 1.263/1.382/1.531/0.098 ms
+
+azureuser@myVM:~$ ping 10.0.0.5
+PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
+64 bytes from 10.0.0.5: icmp_seq=1 ttl=63 time=1.33 ms
+64 bytes from 10.0.0.5: icmp_seq=2 ttl=63 time=1.25 ms
+64 bytes from 10.0.0.5: icmp_seq=3 ttl=63 time=1.15 ms
+64 bytes from 10.0.0.5: icmp_seq=4 ttl=63 time=1.37 ms
+```
+
+## Access the payShield manager
+
+To access the payShield manager associated with your payment HSM, SSH into your VM using the -L (local) option. If you needed to use the -i option in the [test connectivity](#test-connectivity), you will need it again here.
+
+The -L option will bind your localhost to the HSM resource. Pass to the -L flag the string "44300:`<MGMT-IP-of-payment-HSM>`:443", where `<MGMT-IP-of-HSM-resource>` represents the Management IP of your payment HSM.
+
+```bash
+ssh -L 44300:<MGMT-IP-of-payment-HSM>:443 azureuser@<publicIpAddress-or-FullyQualifiedDomainName>
+```
+
+For example, if you used "10.0.0.0" as the address prefix for your Payment HSM subnet, the Management IP will be "10.0.0.5" and your command would be:
+
+```bash
+ssh -L 44300:10.0.0.5:443 azureuser@<publicIpAddress-or-FullyQualifiedDomainName>
+```
+
+Now go to a browser on your local machine and open <https://localhost:44300> to access the payShield manager. Here you can commission the device, install or generate LMKs, test the API, and so on. Follow payShield documentation, and contact Thales support if any issues related to payShield commission, setup, and API testing.
+
+## Next steps
+
+Advance to the next article to learn how to remove a commissioned payment HSM through the payShield manager.
+> [!div class="nextstepaction"]
+> [Remove a commissioned payment HSM](remove-payment-hsm.md)
+
+More resources:
+- Read an [Overview of Payment HSM](overview.md)
+- Find out how to [get started with Azure Payment HSM](getting-started.md)
+- [Create a payment HSM](create-payment-hsm.md)

articles/payment-hsm/certification-compliance.md

@@ -14,12 +14,11 @@ ms.author: mbaldwin
 
 # Certification and compliance
 
-The Azure Payment HSM service is PCI DSS and PCI 3DS compliant.
+The Azure Payment HSM service is PCI PIN, PCI DSS, and PCI 3DS compliant.
 
-- [Azure - PCI DSS - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=b9cc20e0-38db-4953-aa58-9fb5cce26cc2&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS) – Contains the official PCI DSS certification reports and shared responsibility matrices. The PCI DSS AOC includes the full list of PCI DSS certified Azure offerings and regions. Customers can leverage Azure’s PCI DSS AOC during their PCI DSS assessment.
-- [Azure - PCI 3DS - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=45ade37c-753c-4392-8321-adc49ecad12c&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS) – Contains the official PCI 3DS certification report, shared responsibility matrix, and whitepaper. The PCI 3DS AOC includes the full list of PCI 3DS certified Azure offerings and regions. Customers can leverage Azure’s PCI 3DS AOC during their PCI 3DS assessment.
-
-Azure Payment HSMs can be deployed as part of a validated PCI P2PE and PCI PIN component or solution. Microsoft can provide evidence of proof for customer to meet their P2PE and PIN certification requirements.
+- [Azure - PCI PIN - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=52eb9daa-f254-4914-aec6-46d40287a106) – Microsoft Azure PCI PIN Attestation of Compliance (AOC) report for Azure Payment HSM.
+- [Azure - PCI DSS - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=b9cc20e0-38db-4953-aa58-9fb5cce26cc2&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS) – Contains the official PCI DSS certification reports and shared responsibility matrices. The PCI DSS AOC includes the full list of PCI DSS certified Azure offerings and regions. Customers can use Azure's PCI DSS AOC during their PCI DSS assessment.
+- [Azure - PCI 3DS - 2022 Package](https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3?command=Download&downloadType=Document&downloadId=45ade37c-753c-4392-8321-adc49ecad12c&tab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb&docTab=7027ead0-3d6b-11e9-b9e1-290b1eb4cdeb_PCI_DSS) – Contains the official PCI 3DS certification report, shared responsibility matrix, and whitepaper. The PCI 3DS AOC includes the full list of PCI 3DS certified Azure offerings and regions. Customers can use Azure’s PCI 3DS AOC during their PCI 3DS assessment.
 
 Thales payShield 10K HSMs are certified to FIPS 140-2 Level 3 and PCI HSM v3.
 

articles/payment-hsm/change-performance-level.md

@@ -0,0 +1,58 @@
+---
+title: How to change the performance level of an Azure Payment HSM
+description: How to change the performance level of an Azure Payment HSM
+services: payment-hsm
+author: msmbaldwin
+ms.service: payment-hsm
+ms.topic: overview
+ms.date: 09/12/2022
+ms.author: mbaldwin
+
+---
+# How to change the performance level of a payment HSM
+
+Azure Payment HSM supports several SKUs; for a list, see [Azure Payment HSM overview: supported SKUs](overview.md#supported-skus). The performance license level of your payment HSM is initially determined by the SKU you specify during the creation process.
+
+You can change performance level of an existing payment HSM by changing its SKU. There will be no interruption in your production payment HSMs while performance level is being updated.
+
+The SKU of a payment HSM can be updated through ARMClient and PowerShell.
+
+## Updating the SKU via ARMClient
+
+You can update the SKU of your payment HSM using the [Azure Resource Manager client tool](https://github.com/projectkudu/ARMClient), which is a simple command line tool that calls the Azure Resource Manager API.  Installation instructions are at <https://github.com/projectkudu/ARMClient>.
+
+Once installed, you can use the following command:
+
+```bash
+armclient PATCH <resource-id>?api-version=2021-11-30 "{ 'sku': { 'name': '<sku>' } }" 
+```
+
+For example:
+
+```bash
+armclient PATCH /subscriptions/6cc6a46d-fc29-46c4-bd82-6afaf0e61b92/resourceGroups/myResourceGroup/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/myPaymentHSM?api-version=2021-11-30 "{ 'sku': { 'name': 'payShield10K_LMK1_CPS60' } }"
+```
+
+## Updating the SKU directly via PowerShell
+
+You can update the SKU of your payment HSM using the Azure PowerShell [Invoke-RestMethod](/powershell/module/microsoft.powershell.utility/invoke-restmethod) cmdlet:
+
+```azurepowershell-interactive
+$sku="<sku>" 
+$resourceId="<resource-id>" 
+Invoke-RestMethod -Headers @{Authorization = "Bearer $((Get-AzAccessToken).Token)"} -Method PATCH -Uri "https://management.azure.com$($resourceId)?api-version=2021-11-30" -ContentType application/json -Body "{ 'sku': { 'name': '$sku' } }" 
+```
+
+For example:
+
+```azurepowershell-interactive
+$sku="payShield10K_LMK1_CPS60" 
+$resourceId="/subscriptions/6cc6a46d-fc29-46c4-bd82-6afaf0e61b92/resourceGroups/myResourceGroup/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/myPaymentHSM" 
+Invoke-RestMethod -Headers @{Authorization = "Bearer $((Get-AzAccessToken).Token)"} -Method PATCH -Uri "https://management.azure.com$($resourceId)?api-version=2021-11-30" -ContentType application/json -Body "{ 'sku': { 'name': '$sku' } }" 
+```
+
+## Next steps
+
+- Read an [Overview of Payment HSM](overview.md)
+- Find out how to [get started with Azure Payment HSM](getting-started.md)
+- See the [Azure Payment HSM frequently asked questions](faq.yml)