Luna PCI-E Administration

Remote PED and pedclient and pedserver

When it is not convenient to be physically near the host computer that contains a Luna PCI-E HSM, in order to connect a Luna PED and present PED Keys, you can operate remotely and securely, as follows:

On the host computer (which can run Windows, Linux, Solaris, HP-UX - see the current OS support table in the Customer Release Notes) containing the Luna PCI-E HSMs, allow remote desktop access or ssh, and have the pedclient.exe program available.
In the case of Luna SA, the pedclient is always available.
On the remote administrative workstation (which for this purpose must run the Windows operating system) use remote-desktop client or use ssh, have a Luna PED2 (with Remote capability) connected, and have the SafeNet Luna pedserver tool installed and running.
Make the Remote PED connection between the host and the remote administrative workstation. Start the pedserver listening on the workstation. Start pedclient on the host (containing the HSM)
Make the remote desktop or ssh connection between the workstation and the host computer, and run pedclient.exe on the host computer, indicating the slot number of the HSM for which Remote PED services are to be provided. The combination of pedserver on one computer and pedclient on the other provides the trusted path for secure transfer of authentication data.
Run commands on the HSM (on the host computer) via the remote desktop or ssh

Use static IP addressing for PED Client / PED Server. PED Client can fail to find a server if a dynamic address is indicated.

An example error might look like this:

lunash:>hsm ped connect -ip 192.20.11.67 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED Key(s).

Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
readIPFromConfigFile() : config file did not contain an IP address.
Startup failed. : 0xc0000404 RC_FILE_ERROR
Command Result : 65535 (Luna Shell execution)
lunash:>

Security of Remote PED

The authentication conversation is between the HSM and the PED. Authentication data retrieved from the PED Keys never exists unencrypted outside of the PED or the HSM.

PEDClient and PEDServer merely provide the communication pathway between the PED and the HSM. Along that path, the authentication data remains encrypted.

Multiple HSMs and Remote PED

A host computer with multiple PCIe slots (the slots must be x4 or larger and not dedicated for video card operation) can accept and operate multiple Luna PCI-E 5 HSMs.

Remote PED (via pedclient.exe) can communicate - can provide PED services - to one Luna PCI-E HSM in your host computer at any one time (pedclient sees each HSM as a numbered slot).

To provide PED interaction (remotely) to another Luna PCI-E HSM in that same host computer, you must close pedclient.exe (on your remote workstation) for that first slot/HSM and then open pedclient.exe for the next slot/HSM.

Once a Luna PCI-E HSM (a slot) has been set up with its authentication data cached (autoActivation), and pedclient has closed (perhaps because you need to open pedclient for another HSM in your host computer), you must not issue any command to that original slot that would require PED interaction.

If you issue a command that invokes a PED operation, when no PED is connected to the HSM (such as when pedclient and the Remote PED are busy with another HSM in your host computer, or when pedclient.exe is simply not running), the affected HSM pauses until the requested operation times out. This means that any client application that was using that HSM stops for the duration of the timeout.

Show the Table of Contents