
About Remote PED

The Remote PED concept (Luna PED with Remote Capability) was introduced to satisfy a need to administer HSMs that are housed away from their owners/administrators, at physically remote sites or inside heavily-secured premises, where obtaining local physical access to the HSM is difficult or time-consuming.

Remote PED provides administrative convenience similar to remotely accessing a Password-authenticated HSM, but with the added security and role separation of PED authentication. The remote system is asked to perform an HSM function (this is the Administration aspect); it demands the relevant PED Key (the Authentication). With local Luna PED this would mean that someone standing beside the remote appliance would need to connect a Luna PED, insert the requested PED Key and press [ENTER].

Remote PED provides a means to perform sensitive operations on HSMs that have access secured by Trusted Path (PED) Authentication, without being physically present to insert PED Keys and press PED buttons on a Luna PED connected directly to the HSM.

The feature requires:

- a Remote PED Server on a workstation that connects over a secure network link to

- a Remote PED Client in the computer or appliance that contains the HSM, and

- a SafeNet Luna SA PED 2.5.0-2 or greater with the Remote PED feature installed (such a PED can operate in Local PED or Remote PED mode, as needed); not every PED 2.5.0 includes the Remote PED feature - that PED capability must be ordered specifically and factory installed, and

- an orange RemotePED PED Key, which provides the authentication for the Remote PED connection between the workstation computer (with Luna SA PED 2 connected and PEDServer running) and the remotely located Luna SA appliance with the RemotePED client running.

Term          Meaning
Remote PED    A Luna PED, with Remote capability, connected, powered on, and set to Remote mode.
RPV           Remote PED Vector - a randomly generated, encrypted value used to authenticate between a Remote PED (via PedServer) and a distant Luna HSM (PED Client).
RPK           Remote PED Key - an orange PED Key, the repository of an RPV value, for use in the Remote PED process.
PedServer     The PED server program that resides on a workstation and mediates between a locally-connected Remote PED and a distant PEDClient (running at a distant Luna HSM).
PEDClient     The PED Client program - embedded in the case of a Luna appliance, or installed on a computer with a contained Luna K-card HSM or with a USB-connected Luna G5 (or Backup) HSM - anchors the HSM end of the Remote PED service and initiates the contact with a PedServer instance, on behalf of its HSM.

 

Why do I want it?

You want to locate your operational appliances at remote locations or multiple locations around the city, country, world, and be able to administer them fully, from one location, without need for site visits and without carrying of PED Keys through unsecured areas.

How does it work?

The HSM must initially be configured with a local PED, in order to set its authentication and create a relationship between the HSM and an orange PED Key (RPV, or Remote PED Vector). That RPV, carried via the orange PED Key, is the means by which a PED at a remote (PedServer) location can be recognized and trusted over a distance, by an HSM that shares the same RPV.



During the imprinting process, the HSM can take on the RPV of an existing orange PED Key (RPK, or Remote PED Key), or the HSM can generate a new RPV and imprint it on an orange PED Key.

The diagram shows the preliminary imprinting step, where the HSM and (at least one) orange PED Key are made to share an RPV. Again, this must take place via a locally connected PED. The administrator could be co-located with the HSM, or could be elsewhere issuing the commands, but either the administrator or an assistant must be present at the HSM to present the orange PED Key for the RPV imprinting. Once that is completed, further PED operations can be untethered from direct local PED connection and moved anywhere along with that RPV-bearing orange PED Key.

Illustration of equipment and relationships in preparing for Remote PED operation

The HSM is then shipped and installed at its remote location.

At your administrative location, a workstation is configured with special (PedServer) software, and a Luna PED 2 Remote (remote-capable PED) is connected via USB to that workstation.

Using SSH, you open an administrative session (connect and log in as "admin") on the remote HSM. You tell the HSM to expect a remote PED, rather than local PED. You issue commands as needed.

When an HSM command requires authentication to the HSM, the HSM looks for a remote PED server with the same Remote PED Vector. If it can authenticate properly with that remote PED server, the HSM accepts authentication data via that connection.

 

One-to-One Remote PED Connections

A SafeNet Luna SA can establish a Remote PED connection with any workstation that
- is running PEDserver.exe,
- has a suitable Remote PED connected, and
- has the correct PED Keys (including the orange key) for that HSM.

However, the Luna SA appliance can make only a single connection for Remote PED operation at one time. The current session must time out or be deliberately stopped before another workstation can be called into a Remote PED connection with that Luna SA appliance.

Similarly, a given workstation can enter into a Remote PED connection with any Luna HSM with PEDClient, or any Luna SA appliance, that initiates such a connection (provided the proper PED, PED Keys, software, etc. are all in place), but it can make only one such connection at a time. This contrasts with SSH connections, where that same workstation could have multiple SSH windows open to multiple admin sessions on a single or multiple Luna SA appliances.

There is no requirement for the workstation providing the Remote PED connection to be the same one providing the SSH session to the appliance admin shell (lush), nor is there any requirement that they be different workstations.

Priority and Lockout

A Remote PED connection is always initiated from the Luna HSM - a workstation cannot invoke a Remote PED session as a Remote PED function. That is, you could be sitting at Workstation "A", with a command-line window open, in which you can run the PedServer.exe, and there is no provision to use that program to connect to the Remote PED client on a Luna HSM-attached computer, or a Luna SA appliance. Nevertheless, you could open an SSH window on that same workstation "A" (or on any other computer), connect to the Luna SA appliance, log in, and tell the appliance to initiate a Remote PED connection (hsm ped connect) with workstation "A". The appliance doesn't care which computer runs the SSH (or local serial) connection to its admin interface - the two functions (a communication connection for Luna shell [lush] and a communication connection for Remote PED operation) are completely separate.

When a Remote PED connection is in force, the local PED interface to the HSM is disabled. If a local PED operation is in progress, it is not possible to start a Remote PED connection until the current local-PED-mediated HSM operation completes. But it must be an active operation sequence - merely having a local PED connected to the HSM does not lock out the initiation of a Remote PED connection. For example, if you had either an SSH or serial terminal session logged in to the Luna shell (lush) in which you started an HSM command that began using a connected local PED and PED Key for authentication, AND you started a second SSH session in which you issued the "hsm ped connect" command, one of two things would happen:

- the "hsm ped connect" command would begin executing, would pause while the local-PED operation (started in the other lush session) was in progress, then would resume when the local-PED operation terminated, or

- the "hsm ped connect" command would begin executing, would pause while the local-PED operation was in progress, and would eventually time-out if the local-PED operation did not terminate sufficiently quickly.

If a Remote PED connection is currently in force, then the local PED is ignored, and all PED requests are routed to the Remote PED.

If a Remote PED connection is currently in force, then subsequent attempts to start a different connection are refused until the current connection times out or is deliberately stopped.

Remote PED Timeout

In local PED mode, one Luna SA PED is connected directly to the HSM. Timeouts are governed by the configuration of the appliance and HSM and are not generally modifiable.

In Remote PED mode, the PED Server on each remote Workstation has a timeout setting (which can be modified), and the HSM has a Remote PED timeout setting that can be shown (lush command "hsm ped timeout show") and modified (lush command "hsm ped timeout set"). If nothing has been set, then the default value for the Remote PED connection timeout (1800 seconds) is in effect.

The Remote PED server instances on workstations and the Remote PED client inside the Luna SA appliance are not aware of each other's timeout values. For a given Remote PED connection, the shorter timeout value rules. Thus, if a Remote PED server on one of your workstation computers were to time out during a Remote PED sequence, it would log the event and send a message to the appliance that the connection had been open too long. The Remote PED Client on the Luna SA appliance, receiving that message, would gracefully close the link, and the appliance-side timeout would not be reached.
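
The following Python model is an added example, not SafeNet code, that encodes the connection rules stated in the "Priority and Lockout" and "Remote PED Timeout" sections: the HSM side initiates with "hsm ped connect", only one Remote PED connection can be in force at a time, an in-progress local-PED operation makes the connect pause (or time out), a connection in force routes all PED requests to the Remote PED, and the effective timeout is the shorter of the PedServer and HSM values (HSM default 1800 seconds). The CONNECT_WAIT_LIMIT value and the stop() method are assumptions made for the model; the page does not give the wait limit or the command used to stop a session.

```python
from dataclasses import dataclass, field
from typing import List, Optional

HSM_DEFAULT_TIMEOUT = 1800   # seconds; the page's default for "hsm ped timeout"
CONNECT_WAIT_LIMIT = 120     # ASSUMED: how long "hsm ped connect" waits for a local-PED op


@dataclass
class RemotePedClient:
    """Model of the PED Client inside one Luna SA appliance (constructed example)."""
    hsm_timeout: int = HSM_DEFAULT_TIMEOUT
    partner: Optional[str] = None            # PedServer workstation, when a link is in force
    server_timeout: int = 0                  # that PedServer's own timeout (unknown to the HSM)
    connected_at: float = 0.0
    local_op_until: Optional[float] = None   # end time of an in-progress local-PED operation
    events: List[str] = field(default_factory=list)

    def start_local_ped_operation(self, now: float, duration: float) -> str:
        """A lush command begins an operation that needs a PED and PED Key."""
        if self.partner is not None:
            # Remote PED connection in force: the local PED is ignored
            return f"routed to Remote PED on {self.partner}"
        self.local_op_until = now + duration
        return "using local PED"

    def connect(self, workstation: str, server_timeout: int, now: float) -> str:
        """'hsm ped connect' issued from lush; the HSM side always initiates."""
        if self.partner is not None:
            return f"refused: Remote PED connection already in force with {self.partner}"
        if self.local_op_until is not None and self.local_op_until > now:
            wait = self.local_op_until - now
            if wait > CONNECT_WAIT_LIMIT:
                return "timed out: local PED operation did not finish quickly enough"
            # Pause until the local-PED operation completes, then establish the link
            self._establish(workstation, server_timeout, self.local_op_until)
            return f"connected to {workstation} after waiting {wait:.0f}s for local PED"
        self._establish(workstation, server_timeout, now)
        return f"connected to {workstation}"

    def _establish(self, workstation: str, server_timeout: int, at: float) -> None:
        self.partner, self.server_timeout, self.connected_at = workstation, server_timeout, at
        self.local_op_until = None
        self.events.append(f"{at:.0f}s: connected to {workstation}")

    def effective_timeout(self) -> int:
        """Neither side knows the other's value; the shorter timeout rules."""
        return min(self.server_timeout, self.hsm_timeout)

    def tick(self, now: float) -> Optional[str]:
        """Advance the clock; close the link once the shorter timeout has elapsed."""
        if self.partner is None:
            return None
        if now - self.connected_at < self.effective_timeout():
            return None
        # The side with the shorter value logs the event; the link closes gracefully
        closer = "PedServer" if self.server_timeout < self.hsm_timeout else "HSM"
        msg = f"{closer} timeout ({self.effective_timeout()}s) reached; link to {self.partner} closed gracefully"
        self.events.append(f"{now:.0f}s: {msg}")
        self.partner = None
        return msg

    def stop(self) -> None:
        """The connection is deliberately stopped (ASSUMED method; command not modelled)."""
        self.partner = None


if __name__ == "__main__":
    hsm = RemotePedClient()                                    # HSM-side default 1800 s
    print(hsm.connect("WS-A", server_timeout=3600, now=0))     # connected
    print(hsm.connect("WS-B", server_timeout=3600, now=10))    # refused: one-to-one
    print(hsm.start_local_ped_operation(now=20, duration=30))  # routed to Remote PED
    print(hsm.effective_timeout())                             # 1800: the HSM value is shorter
    print(hsm.tick(1800))                                      # HSM timeout closes the link
```

Running the module walks through the one-to-one refusal, the routing of a local PED request to the Remote PED while a connection is in force, and the close triggered by whichever side has the shorter timeout.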

Ports

We suggest port 1503 for the Remote PED connection, but you can use any port that does not conflict with another operation.

 

Windows 7

PedServer.exe (on the computer to which your Remote PED is attached) is run from the command line.
To use PedServer on a Windows 7 computer, right-click the Command Prompt icon, and from the resulting menu select "Run as Administrator".

 

If you lack system permissions to operate as Administrator on the computer that is to host the PED Server, contact your IT department to address the situation.

If you open a command-prompt window as an ordinary user in Windows 7, and run PedServer.exe, the program detects that it lacks access and permissions, and returns an error like the following:

C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.5 (10005)

Failed to load configuration file.  Using default settings.

Ped Server launched in startup mode.
Starting background process
InternalRead: 10 seconds timeout
Failed to recv query response command: RC_OPERATION_TIMED_OUT c0000303
Background process startup timed out after 10 seconds.
Startup failed. : 0xc0000303 RC_OPERATION_TIMED_OUT

C:\Program Files\SafeNet\LunaClient>

 

If you encounter the error above, use Windows Task Manager to select the PedServer process, right-click, and select "End process", before cleanly retrying PedServer.exe via an Administrator Command Prompt.

Other Windows versions have not exhibited this requirement.
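
As an added example (not SafeNet code and not part of the PedServer package), the following Python pre-flight check covers the two conditions the "Ports" and "Windows 7" sections describe before "pedserver mode start" is run: the prompt must be elevated, and the chosen port (1503 suggested) must not already have a listener, since PedServer listens for the connection that the HSM initiates. The elevation check uses IsUserAnAdmin() on Windows and the effective uid elsewhere; hold_port() is a constructed helper that simulates a conflicting listener for demonstration.

```python
import os
import platform
import socket
from typing import List, Optional, Tuple

SUGGESTED_PORT = 1503   # the page's suggested Remote PED port; any non-conflicting port works


def running_elevated() -> bool:
    """True if this process has the rights PedServer needs to start its background process.
    Windows: IsUserAnAdmin() (an Administrator Command Prompt); elsewhere: root."""
    if platform.system() == "Windows":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """PedServer must listen for the HSM-initiated connection, so the port must be unbound."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
            return True
        except OSError:
            return False


def hold_port(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind an OS-chosen port to simulate a conflicting listener (constructed test aid)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def preflight(port: int = SUGGESTED_PORT, host: str = "0.0.0.0",
              elevated: Optional[bool] = None) -> Tuple[bool, List[str]]:
    """Report the conditions the page describes before 'pedserver mode start' is run."""
    problems: List[str] = []
    if elevated is None:
        elevated = running_elevated()
    if not elevated:
        problems.append("not elevated: PedServer's background process will fail to start "
                        "(RC_OPERATION_TIMED_OUT); reopen the prompt with 'Run as Administrator'")
    if not port_is_free(port, host):
        problems.append(f"port {port} already has a listener; pick another non-conflicting port "
                        "or end the stale PedServer process first")
    return (not problems), problems


if __name__ == "__main__":
    ok, problems = preflight()
    print("ready to run 'pedserver mode start'" if ok else "\n".join(problems))
```

A stale PedServer left behind by a failed non-elevated start is one way the port check fails, which matches the advice above to end that process before retrying from an Administrator Command Prompt.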

Limitations

The connection is one-on-one. While a Remote PED connection is active between one HSM and one remote PED workstation (running PedServer.exe), neither entity is able to make a similar connection with a different partner. The connection must time out, or be deliberately stopped before the HSM can connect with another PedServer workstation and enter a new remote PED authentication arrangement.

When an RPV is created, it is a randomly-generated value that exists nowhere else. You control which (and how many) HSMs will contain that RPV, and which (and how many) orange RPK PED Keys will contain copies of it. A Remote PED with an inserted RPK (orange Remote PED Key) can be used only with distant Luna HSMs that share that exact RPV. If you launch a Remote PedServer with a connected Remote PED and provide any other orange PED Key, it is not accepted by any distant Luna HSM that does not have the matching RPV. In this manner, you can segregate the ability of personnel to remotely control specific HSMs, by controlling which orange PED Keys they are issued. Two people in the same office could have access and control of entirely different sets of remotely located HSMs, with no overlap, as long as you trusted them not to exchange orange PED Keys. You can further control who has what access by invoking MofN when you first create an RPV.

Next, "Using the Remote PED Feature", and "Remote PED Architecture".

 

Compatibility

Remote PED for Luna HSM 5.2 is not compatible with earlier HSM versions.

See Also

 

Using the Remote PED Feature

Remote PED Architecture

Troubleshooting Remote PED