Initializing the Remote PED Vector (RPV) and Creating an Orange Remote PED Key (RPK)

The Remote PED (via PEDserver) authenticates itself to the SafeNet Luna Network HSM with a randomly-generated encrypted value stored on an orange PED key. That secret originates in an HSM, and can be carried to other HSMs via the orange key. An HSM being newly configured either

>generates its own RPV secret to imprint on an orange PED Key,

or

>accepts a pre-existing RPV from a previously imprinted orange key, at your discretion.

The orange key proves to the HSM that the Remote PED is authorized to provide authentication for HSM roles. A SafeNet Luna Network HSM administrator can create this key using one of the following two methods:

>Local RPV Initialization: The RPV is initialized using a Luna PED connected to the USB port on the HSM card. This is the standard method of initializing the RPV.

See Local RPV Initialization.

>Remote RPV Initialization: The RPV is initialized using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV. This optional method is useful if the HSM SO has only remote SSH access to the appliance. It is available only if the HSM is in a zeroized state (uninitialized) and your firewall settings allow an HSM-initiated Remote PED connection. If you choose this method, you will set up Remote PED before initializing the RPV (Remote RPV Initialization).

Continue to Installing PEDserver and Setting Up the Remote Luna PED.

NOTE   Generally, the HSM SO creates an orange PED key (and backups), makes a copy for each valid Remote PED server, and distributes them to the Remote PED administrators.

Local RPV Initialization

If the HSM is already initialized, the HSM SO must log in to complete this procedure. You require:

>SafeNet Luna PED with firmware 2.7.1 or newer

>USB mini-B to USB-A connector cable

>Luna PED DC power supply (if included with your Luna PED)

>Blank or reusable orange PED key (or multiple keys, if you plan to make extra copies or use an M of N security scheme). See Creating PED Keys for more information.

To initialize the RPV and create the orange PED key locally

1.If you have not already done so, set up a Local PED connection (see Local PED Setup).

2.Using a serial or SSH connection, log in to the SafeNet Luna Network HSM appliance as admin.

3.If the HSM is already initialized, log in as HSM SO (hsm login). If it is not initialized, skip to the next step.

lunash:>hsm login

4.Ensure that you have the orange PED key(s) ready. Initialize the RPV (hsm ped vector init).

lunash:>hsm ped vector init

If you are sure that you wish to initialize remote PED vector (RPV), then enter 'proceed', otherwise type 'quit'.

> proceed
Proceeding...

Luna PED operation required to initialize remote PED key vector - use orange PED key(s).

5.Attend to the Luna PED and respond to the on-screen prompts. See Creating PED Keys for a full description of the key-creation process.

If you have an orange PED key with an existing RPV that you wish to use for this HSM, press Yes.

If you are creating a new RPV, press No.

Continue following the prompts for PED PIN, M of N, and duplication options.

To continue setting up a Remote PED server, see Installing PEDserver and Setting Up the Remote Luna PED.

Remote RPV Initialization

When you initialize an RPV with the PED connected locally, you have direct physical control of the operation and its security.

When you initialize an RPV remotely, you must secure the link and the operation with a one-time password. Until the RPV exists, that password is the only thing that authenticates the Remote PED to the HSM, so treat it as a secret: choose it at random rather than from habit, and pass it to the PED operator over a trusted channel. The HSM must be uninitialized for this operation.

NOTE   This feature has software and/or firmware dependencies. See Version Dependencies by Feature for more information.

If you open an HSM-initiated Remote PED connection with hsm ped connect, and you have not already initialized the RPV or the HSM, then the Remote PED connection command prepares to secure the connection and LunaSH returns the following message:

Luna PED operation required to connect to Remote PED - use orange PED key(s).

Enter PED Password:

Use the following procedure to initialize the RPV. You require:

> A blank or reusable orange PED key (or multiple keys, if you plan to make extra copies or use an M of N security scheme). See Creating PED Keys for more information.

To initialize the RPV and create the orange key remotely

1.In LunaSH, when prompted to "Enter PED Password", set any 8-digit numeric password that the HSM will use to identify the Remote PED server this one time. The following message is displayed in LunaSH, and the Luna PED prompts you for the password:

Luna PED operation required to connect to remote PED - Enter PED password.

2.Enter the numeric password on the PIN pad, exactly as you entered it in LunaSH, and press Enter.

3.Ensure that you have the orange PED key(s) ready. Initialize the RPV (hsm ped vector init).

lunash:>hsm ped vector init

If you are sure that you wish to initialize remote PED vector (RPV), then enter 'proceed', otherwise type 'quit'.

> proceed
Proceeding...

Luna PED operation required to initialize remote PED key vector - use orange PED key(s).

4.Attend to the Luna PED and respond to the on-screen prompts. See Creating PED Keys for a full description of the key-creation process.

When you have created the orange key, the HSM launches PEDclient and establishes a Remote PED connection using the newly-created RPV:

Ped Client Version 2.0.1 (20001)
Ped Client launched in "Release ID" mode.
Callback Server is running..
ReleaseID command passed.
"Release ID" command passed.
Ped Client Version 2.0.1 (20001)
Ped Client launched in "Delete ID" mode.
Callback Server is running..
DeleteID command passed.
"Delete ID" command passed.

Command Result : 0 (Success)

You may now initialize the HSM. Return to HSM-Initiated Remote PED to complete the procedure.
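The one-time PED password in step 1 is the only credential protecting the bootstrap of the Remote PED connection before an RPV exists, so it should come from a CSPRNG rather than an operator's habit. The helpers below are an added example for the workstation that runs PEDserver, not code from the Luna documentation or from Thales: the page fixes only the format (exactly 8 numeric digits); the /dev/urandom source, the rejection sampling that keeps each digit uniform, and the rejection of constant or sequential patterns such as 12345678 are this example's own policy, named here as assumptions.

```sh
#!/bin/sh
# Added example: generate and check the 8-digit numeric one-time PED password
# used during Remote RPV Initialization. The 8-digit numeric format comes from
# the procedure; the weak-pattern policy and the random source are assumptions
# of this example, not requirements stated by the HSM.
set -eu

# Exactly eight ASCII digits, which is the format the PED PIN pad accepts.
valid_ped_password() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Example policy: reject values an operator is likely to type from habit,
# namely a single repeated digit (00000000) or a strictly ascending or
# descending run (12345678, 87654321). Returns 0 when the value is weak.
weak_ped_password() {
  p=$1
  asc=1; desc=1; same=1
  prev=$(printf '%s' "$p" | cut -c1)
  i=2
  while [ "$i" -le 8 ]; do
    cur=$(printf '%s' "$p" | cut -c"$i")
    [ "$cur" -eq $((prev + 1)) ] || asc=0
    [ "$cur" -eq $((prev - 1)) ] || desc=0
    [ "$cur" -eq "$prev" ]       || same=0
    prev=$cur
    i=$((i + 1))
  done
  [ $((asc + desc + same)) -gt 0 ]
}

# Draw each digit from one byte of /dev/urandom, accepting only bytes below
# 250 so that "byte mod 10" is uniform (no modulo bias), and retry the whole
# value until it passes the weak-pattern check above.
generate_ped_password() {
  while :; do
    pw=""
    while [ "${#pw}" -lt 8 ]; do
      byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
      [ "$byte" -lt 250 ] || continue
      pw="$pw$((byte % 10))"
    done
    if ! weak_ped_password "$pw"; then
      printf '%s\n' "$pw"
      return 0
    fi
  done
}

# Usage: generate the value here, type it at LunaSH's "Enter PED Password:"
# prompt, and read it to the PED operator over a trusted channel so it can be
# entered on the PIN pad exactly as typed.
generate_ped_password
```

The value is single-use by design: once the orange key has been created and the HSM has established the Remote PED connection with the new RPV, the password has no further role and need not be retained.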