Merge pull request #2238 from MicrosoftDocs/main

12/12 11:00 AM PST Publish

Author: Saisang

articles/payment-hsm/known-issues.md

@@ -12,39 +12,57 @@ ms.author: mbaldwin
 
 # Azure Payment HSM known issues
 
-This article describes some known issues with Azure Payment HSM.
+This article describes some known issues with Azure Payment HSM. Before deploying Azure Payment HSM, review the [deployment scenarios](deployment-scenarios.md) and [solution design](solution-design.md) to ensure proper configuration.
 
 ## The PayShield fan is running too fast
 
-Sporadic problems have been observed with the PS10K HSM, where the error log indicates that one of the fans is running too fast. Once this error occurs, it's replicated once every 24 hours to the unit's error log. The error is benign and doesn't affect the HSMs operational functionalities. Clearing the specific error entry from the HSM involves a hard-reboot to the unit. The fan error problem will be fixed with Thales payShield firmware release version v1.8a and 1.6a.  
+Sporadic problems occur with the PS10K HSM, where the error log indicates that one of the fans is running too fast. Once this error occurs, the unit's error log replicates it once every 24 hours. The error is benign and doesn't affect the HSM's operational functionalities. Clearing the specific error entry from the HSM involves a hard-reboot to the unit. The fan error problem is fixed with Thales payShield firmware release versions v1.8a and 1.6a.  
 
-If Azure Payment HSM customers observe the fan too fast error and want to do a hard-reboot to the unit, contact Microsoft support.
+If Azure Payment HSM customers observe the fan too fast error and want to do a hard-reboot to the unit, contact [Microsoft support](support-guide.md#microsoft-support). For more information on rebooting HSMs, see [Lifecycle management: Managing unresponsive HSM devices](lifecycle-management.md#managing-unresponsive-hsm-devices).
 
 See details in [Thales support portal KB0026952](https://supportportal.thalesgroup.com/csm?sys_kb_id=6fe423cec319259063ec26359901310c&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=18143570dba96d544f917828f496190c&sysparm_article=KB0026952). 
 
 ## Shared memory error logged in Hosted HSM after reboot
 
-After a reboot, either manual or as a result of a firmware upgrade, some Hosted HSMs have experienced the following shared memory permission errors:
+After a reboot, either manual or as a result of a firmware upgrade, some Hosted HSMs experience the following shared memory permission errors:
 
 ```bash
 ,bullsharkprod,ntfn:,mem.c:81,Failed to open/create shared memory because Permission denied
 ,bullsharkprod,ntfn:,misc.c:356,Unable to create shared pConsoleDisabledByGUI because No such file or directory
 ,bullsharkprod,ntfn:,mem.c:81,Failed to open/create shared memory because Permission denied
 ```
 
-These errors are logged under several circumstances: when accessing the payShield manager landing page, during sign-in or sign-out of payShield manager, and when using the JK host command. In the case of the JK host command, the error will repeat after each attempt until a workaround is applied.
+These errors occur under several circumstances: when accessing the payShield manager landing page, during sign-in or sign-out of payShield manager, and when using the JK host command. In the case of the JK host command, the error repeats after each attempt until a workaround is applied.
 
-It's important to note that this issue is limited in scope. The problem only affects HSMs in a HOSTED HSM environment, and specifically those using SNMP or the JK host command. Hosted HSMs with SNMP disabled or those not utilizing the JK command will not experience these errors or related issues.
+This issue is limited in scope. The problem only affects HSMs in a HOSTED HSM environment, and specifically those HSMs that use SNMP or the JK host command. Hosted HSMs with SNMP disabled or those not utilizing the JK command don't experience these errors or related problems.
 
-The impact of this problem is minimal. While it does cause entries to appear in the payShield error log, it does not affect the operation of the payShield 10k in any way. Essentially, the issue is confined to log entries and does not compromise the functionality or performance of the system.
+The impact of this problem is minimal. While it does cause entries to appear in the payShield error log, it doesn't affect the operation of the payShield 10k in any way. Essentially, the issue is confined to log entries and doesn't compromise the functionality or performance of the system.
 
 A fix is currently being worked on and will be released in a future payShield firmware.
 
 For more information and a workaround, see [Thales support portal KB0028943](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=ae8f0d9283b41a10fc177e126daad306&sysparm_article=KB0028943) (sign-in required). If you have questions regarding the issue or workaround, open a support ticket with Thales.
 
+## TLS certificates aren't removed during HSM release
+
+In payShield HSM firmware versions earlier than 2.1a (1.15.0), executing the RELEASE function from payShield Manager to fully zeroize the payShield Cloud HSM to factory state removes all HSM settings except loaded TLS certificates. For more information, see [Thales support portal KB0030122](https://supportportal.thalesgroup.com/csm?sys_kb_id=cce73e702b39ba14cdc1f87df291bfcc&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=2d58b23c3bf1ba10381ecfaf55e45abe&sysparm_article=KB0030122) (sign-in required).
+
+> [!NOTE]
+> The residual TLS certificates after the RELEASE/RECLAIM operation are public certificates and pose no security risk.
+
+**Resolution**: Thales fixed this issue in payShield HSM firmware version 2.1a (1.15.0) and later. For devices where certificates aren't manually removed before release, an automated mitigation cleans residual certificates as part of the payment HSM resource deletion process.
+
+**Recommended actions**:
+- For firmware versions earlier than 2.1a (1.15.0), run the `SV` command on the virtual console to view certificates, and then use the `SD` command to delete any remaining certificate data.
+- Remove all certificate data before releasing or returning the HSM. For detailed steps, see [Tutorial: Remove a commissioned payment HSM](remove-payment-hsm.md).
+- Plan a firmware upgrade to version 2.1a (1.15.0) or later.
+
+For more information, see the Thales Support Portal KB Article (sign-in required). If you need assistance, contact Thales Support.
+
 ## Next steps
 
-- Learn more about [Azure Payment HSM](overview.md)
-- See some common [deployment scenarios](deployment-scenarios.md)
-- Learn about [Certification and compliance](certification-compliance.md)
-- Read the [frequently asked questions](faq.yml)
+- Learn more about [Azure Payment HSM](overview.md).
+- See some common [deployment scenarios](deployment-scenarios.md).
+- Review [Azure Payment HSM lifecycle management](lifecycle-management.md).
+- Learn about [Certification and compliance](certification-compliance.md).
+- Understand [Azure Payment HSM support](support-guide.md).
+- Read the [frequently asked questions](faq.yml).

articles/payment-hsm/remove-payment-hsm.md

@@ -11,63 +11,76 @@ ms.author: mbaldwin
 ---
 # Tutorial: Remove a commissioned payment HSM
 
-Before deleting a commissioned payment HSM, it must first be decommissioned.
+Before deleting a commissioned payment HSM, decommission it first. For information on lifecycle management and deallocation scenarios, see [Azure Payment HSM lifecycle management](lifecycle-management.md).
 
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
 > * Remove a commissioned payment HSM
-> * Verify that the payment HSM has been deleted
+> * Verify that the payment HSM is deleted
+
+For information about creating payment HSMs, see [Tutorial: Create a payment HSM](create-payment-hsm.md).
 
 ## Remove a payment HSM from the payShield manager
 
-Navigate to the payShield manager, following the steps in [Access the payShield manager](access-payshield-manager.md). From there, select "Remove device".
+Navigate to the payShield manager by following the steps in [Access the payShield manager](access-payshield-manager.md). From there, select **Remove device**.
 
 :::image type="content" source="./media/payshield-manager-remove-device.png" alt-text="Screenshot of the payShield manager for Azure Payment HSM, remove device screen.":::
 
-> [!IMPORTANT]
-> The payment HSM must be in a Secure state before RELEASE button is enabled. To do this, login with both Left and Right Keys and change state to Secure.
+### Prepare the HSM for release
+
+Before releasing the HSM, complete the following steps:
+
+1. **Remove certificate data**: For HSMs running firmware versions earlier than 2.1a (1.15.0), use the `SV` command on the virtual console to view loaded certificates. Then, use the `SD` command to delete all certificate data. While residual certificates pose no security risk, remove them as a best practice. For more details, see [Known issues: TLS certificates aren't removed during HSM release](known-issues.md#tls-certificates-arent-removed-during-hsm-release).
+
+1. **Set HSM to Secure state**: The payment HSM must be in a Secure state before the RELEASE button is enabled. To set this state, sign in by using both Left and Right Keys and change the state to Secure.
+
+If you need assistance with these steps, contact [Thales Support](support-guide.md). For information on firmware versions, see [Support guide: Firmware and license support](support-guide.md#firmware-and-license-support).
 
 ## Delete the payment HSM
 
-Once the payment HSM is released, you can delete it using Azure CLI or Azure PowerShell.
+After you release the payment HSM, delete it by using Azure CLI or Azure PowerShell.
 
 # [Azure CLI](#tab/azure-cli)
 
-To remove your payment HSM, use the [az dedicated-hsm delete](/cli/azure/dedicated-hsm#az-dedicated-hsm-delete) command. The following example deletes the `myPaymentHSM` payment HSM from the `myResourceGroup` resource group:
+Use the [az dedicated-hsm delete](/cli/azure/dedicated-hsm#az-dedicated-hsm-delete) command to remove your payment HSM. The following example deletes the `myPaymentHSM` payment HSM from the `myResourceGroup` resource group:
 
 ```azurecli-interactive
 az dedicated-hsm delete --name "myPaymentHSM" -g "myResourceGroup"
 ```
 
-Afterward, you can verify that the payment HSM was deleted with the Azure CLI [az dedicated-hsm show](/cli/azure/dedicated-hsm#az-dedicated-hsm-show) command.
+You can verify that the payment HSM was deleted by using the Azure CLI [az dedicated-hsm show](/cli/azure/dedicated-hsm#az-dedicated-hsm-show) command.
 
 ```azurecli-interactive
 az dedicated-hsm show --resource-group "myResourceGroup" --name "myPaymentHSM"
 ```
 
-This returns a "resource not found" error.
+This command returns a "resource not found" error.
 
 # [Azure PowerShell](#tab/azure-powershell)
 
-To remove your payment HSM, use the Azure PowerShell [Remove-AzDedicatedHsm](/powershell/module/az.dedicatedhsm/remove-azdedicatedhsm) cmdlet. The following example deletes the `myPaymentHSM` payment HSM from the `myResourceGroup` resource group:
+Use the Azure PowerShell [Remove-AzDedicatedHsm](/powershell/module/az.dedicatedhsm/remove-azdedicatedhsm) cmdlet to remove your payment HSM. The following example deletes the `myPaymentHSM` payment HSM from the `myResourceGroup` resource group:
 
 ```azurepowershell-interactive
 Remove-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroupName "myResourceGroup"
 ```
 
-Afterward, you can verify that the payment HSM was deleted with the Azure PowerShell [Get-AzDedicatedHsm](/powershell/module/az.dedicatedhsm/get-azdedicatedhsm) cmdlet.
+You can verify that the payment HSM was deleted by using the Azure PowerShell [Get-AzDedicatedHsm](/powershell/module/az.dedicatedhsm/get-azdedicatedhsm) cmdlet.
 
 ```azurepowershell-interactive
 Get-AzDedicatedHsm -Name "myPaymentHSM" -ResourceGroup "myResourceGroup"
 ```
 
-This returns a "resource not found" error.
+This command returns a "resource not found" error.
 
 ---
 
 ## Next steps
 
-- Read an [Overview of Payment HSM](overview.md)
-- Find out how to [get started with Azure Payment HSM](getting-started.md)
-- [Access the payShield manager for your payment HSM](access-payshield-manager.md)
+- Read an [Overview of Payment HSM](overview.md).
+- Find out how to [get started with Azure Payment HSM](getting-started.md).
+- Learn how to [Create a payment HSM](create-payment-hsm.md).
+- Review [Azure Payment HSM lifecycle management](lifecycle-management.md).
+- [Access the payShield manager for your payment HSM](access-payshield-manager.md).
+- Understand [Azure Payment HSM support](support-guide.md).
+- Review [Known issues](known-issues.md).

articles/payment-hsm/support-guide.md

@@ -16,28 +16,28 @@ ms.custom: references_regions metadata
 This article outlines the Azure Payment HSM prerequisites, support channels, and division of support responsibility between Microsoft, Thales, and the customer.
 
 > [!NOTE]
-> If a customer's production environment does not has a High Availability setup as shown in [Deployment scenarios: high availability deployment](deployment-scenarios.md#high-availability-deployment), customer will not receive S2 level support.
+> If a customer's production environment doesn't have a high availability setup as shown in [Deployment scenarios: high availability deployment](deployment-scenarios.md#high-availability-deployment), the customer doesn't receive S2 level support.
 
 ## Prerequisites
 
 Microsoft works with Thales to ensure that customers meet the prerequisites before starting the onboarding process.
 
 - Customers must have access to the [Thales CPL Customer Support Portal](https://supportportal.thalesgroup.com/csm) (Customer ID).
-- Customers must have Thales smart cards and card readers for payShield Manager. If a customer need to purchase smart cards or card readers they should contact their Thales representatives, or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us):
+- Customers must have Thales smart cards and card readers for payShield Manager. If a customer needs to purchase smart cards or card readers, they should contact their Thales representatives or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us):
     - **Item**:  971-000135-001-000
     - **Description**: PS10-RMGT-KIT2 - payShield Manager Starter Kit - for software V1.4A (1.8.3) and higher
     - **Items Included**: 2 Thales Card Readers, 30 PayShield Manager Smartcards
 
     The only smart cards compatible with the ciphers used to enable over-network use smart cards have a blue band and are labeled "payShield Manager Card".
-- If a customer need to purchase a payShield Trusted Management Device (TMD), they should contact their Thales representatives or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us).
+- If a customer needs to purchase a payShield Trusted Management Device (TMD), they should contact their Thales representatives or find their contacts through the [Thales contact page](https://cpl.thalesgroup.com/contact-us).
 - Customers must download and review the "Hosted HSM End User Guide," which is available through the Thales CPL Customer Support Portal. The Hosted HSM End User Guide provides more details on the changes to payShield to this service.
-- Customers must review the "Azure Payment HSM - Get Ready for payShield 10K" guide that they received from Microsoft. (Customers who do not have the guide may request it from [Microsoft Support](#microsoft-support).)
+- Customers must review the "Azure Payment HSM - Get Ready for payShield 10K" guide that they received from Microsoft. (Customers who don't have the guide may request it from [Microsoft Support](#microsoft-support).)
 - If a customer is new to payShield or the remote management option, they should take the formal training courses available from Thales and its approved partners.
 - If a customer is using payShield on premises today with custom firmware, they must conduct a porting exercise to update the firmware to a version compatible with the Azure deployment. To request a quote, contact a Thales account manager.
 
 ## Firmware and license support
 
-The HSM base firmware installed is Thales payShield10K base software version 1.9a. Customer can upgrade or downgrade the firmware based on their needs. Versions less than 1.4a is not supported. Customers must ensure that they only upgrade or downgrade to a firmware version that meets their compliance requirements.
+The HSM base firmware installed is Thales payShield10K base software version 2.2b. Customer can upgrade or downgrade the firmware based on their needs. Versions less than 1.4a is not supported. Customers must ensure that they only upgrade or downgrade to a firmware version that meets their compliance requirements.
 
 The licenses included in Azure payment HSM: