The pedclient Command

This is the syntax of the pedClient command, which covers starting and stopping the service, managing PED ID mappings, and an assortment of configuration options. Type pedClient at the command line, followed by one of the modes (given as -m or -mode) and any options applicable to that mode. Running pedClient with no mode prints the usage text shown below.

[root@lunaclient101360 bin]# ./pedClient
Ped Client Version 2.0.0 (20000)

        Error: You must specify a mode.

Usage: pedClient [mode] [options...]

   Explanation of the modes:

     To query if a Ped Client is currently running, and to get details about
     the Ped Client, use this command:
        pedClient -m show [ options... ]

     To shut down an existing Ped Client, use this command:
        pedClient -m stop [ options... ]

     To start the Ped Client, use this command:
        pedClient -m start [ options... ]

     To start the Ped Client for Windows service, use this command:
        pedClient -m start -winservice [ options... ]

     To create a PED ID mapping, use this command:
        pedClient -m setid [ options... ]

     To test a PED ID mapping, use this command:
        pedClient -m testid [ options... ]

     To delete a PED ID mapping, use this command:
        pedClient -m deleteid [ options... ]

     To assign a PED ID mapping to an HSM, use this command:
        pedClient -m assignid [ options... ]

     To release a PED ID mapping from an HSM, use this command:
        pedClient -m releaseid [ options... ]

     To show the existing configuration file settings, use this command:
        pedClient -m config -show

     To restore the internal default configuration file settings, use this command:
        pedClient -m config -create

     To modify the existing configuration file settings, use this command:
        pedClient -m config -set [ options... ]

     To view a more detailed description of the Ped Client, use this command:
        pedClient -m desc


   Explanation of the options:

   Any options that are not specified on the command line will be read from
   the config file.  If the config file cannot be found, internal default settings
   will be used.  Invalid options do not generate an error and are ignored.

     -mode <mode>               -> Specifies the mode that the Ped Client will be
                                   executed in ("-m" is accepted as the short form,
                                   as in the examples above).  The supported modes
                                   are "start", "stop", "show", "setid", "testid",
                                   "deleteid", "assignid", "releaseid" and
                                   "config".
     -id                        -> Specifies the PED ID (larger than 0, less than 65535).
                                   Applicable to the "setid", "testid", "deleteid",
                                   "assignid" and "releaseid" modes.
     -id_ip                     -> Specifies the IP or hostname for the PED Server to
                                   be linked to the specified PED ID.
                                   Applicable to the "setid"  mode.
     -id_port                   -> Specifies the port for the PED Server to
                                   be linked to the specified PED ID.
                                   Applicable to the "setid"  mode.
     -id_serialnumber           -> Specifies the serial number of the HSM to be linked
                                   to the specified PED ID.
                                   Applicable to the "assignid" mode.
     -eadmin <0 or 1>           -> Specifies if the administration port is on
                                   "localhost" or listening on the external host
                                   name.
                                   Applicable to "start", "stop", "show" and
                                   "config set" modes.
     -admin <admin port number> -> Specifies the administration port number.
                                   Applicable to "show" and "config set" modes.
     -set                       -> When used with "-config", specifies that the
                                   configuration file should be updated with values
                                   of the other supplied options.
                                   Applicable to "config" mode.
     -show                      -> When used with "-config", specifies that the
                                   contents of the configuration file should be displayed.
                                   Applicable to "config" mode.
     -idletimeout <int>         -> Specifies the idle connection timeout in seconds.
                                   Applicable to "start", "assignid" and "config set"
                                   modes.
     -ignoreidletimeout         -> Specifies that the idle connection timeout should not
                                   apply to the connection established for the specified
                                   PED ID to HSM assignment.
                                   Applicable to "assignid" and "config set" modes.
     -socketreadtimeout <int>   -> Specifies the socket read timeout in seconds.
                                   Applicable to "start", "stop", "show" and
                                   "config set" modes.
     -socketwritetimeout <int>  -> Specifies the socket write timeout in seconds.
                                   Applicable to "start", "stop", "show" and
                                   "config set" modes.
     -shutdowntimeout <int>     -> Specifies the shutdown timeout in seconds for
                                   internal services.
                                   Applicable to "start", "stop" and
                                   "config set" modes.
     -pstartuptimeout <int>     -> Specifies the startup timeout for the detached
                                   process.
                                   Applicable to "start", "stop" and
                                   "config set" modes.
     -pshutdowntimeout <int>    -> Specifies the shutdown timeout for the detached
                                   process.
                                   Applicable to "start", "stop" and
                                   "config set" modes.
     -loginfo <0 or 1>          -> Specifies if the logger should log "info" messages.
                                   Applicable to all modes.
     -logwarning <0 or 1>       -> Specifies if the logger should log "warning" messages.
                                   Applicable to all modes.
     -logerror <0 or 1>         -> Specifies if the logger should log "error" messages.
                                   Applicable to all modes.
     -logtrace <0 or 1>         -> Specifies if the logger should log "trace" messages.
                                   Applicable to all modes.
     -logfilename <filename>    -> Specifies the log file name.
                                   Applicable to all modes.
     -maxlogfilesize <size>     -> Specifies the maximum log file size in KB.
                                   Applicable to all modes.
     -locallogger               -> Specifies that the Remote Ped logger should be used,
                                   not the IS logging system.
                                   Applicable to all modes.

[admin@myluna bin]#
 
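The PED ID mapping workflow from the usage text above (setid, then testid, then assignid), as an added shell example; it is not part of the Luna documentation or of the pedClient tool itself. It assumes pedClient is in the current directory (as in the capture above) unless PEDCLIENT is set, and only prints the command lines unless DRY_RUN is set to 0. The PED ID, address, port and HSM serial number in the final call are constructed values. The checks around each call matter because, as the usage text says, invalid options are silently ignored rather than rejected, so a mistyped option would otherwise go unnoticed; the closing "-m show" is there so the operator sees what actually took effect.

```shell
#!/bin/sh
# Added example, not part of the Luna documentation or the pedClient tool.
# Wraps the PED ID mapping workflow from the usage text above: setid, testid,
# assignid, then a final "show" to confirm the result, because pedClient
# silently ignores invalid options instead of rejecting them.
#
# Assumptions (not from the page): pedClient is ./pedClient unless PEDCLIENT
# is set; DRY_RUN=1 (the default) only prints the command lines.

PEDCLIENT="${PEDCLIENT:-./pedClient}"
DRY_RUN="${DRY_RUN:-1}"

# valid_ped_id ID: succeed only for an integer in the range the usage text
# states for -id (larger than 0, less than 65535).
valid_ped_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ "$1" -lt 65535 ]
}

# run CMD ARGS...: print the command line in dry-run mode, else execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mapping_cmd MODE ID [IP PORT | SERIAL]: print the pedClient command line for
# one PED ID mode, using only the options the usage text lists for that mode.
mapping_cmd() {
    mode="$1"; id="$2"; shift 2
    valid_ped_id "$id" || { echo "invalid PED ID: $id" >&2; return 1; }
    case "$mode" in
        setid)    printf '%s -m setid -id %s -id_ip %s -id_port %s' \
                      "$PEDCLIENT" "$id" "$1" "$2" ;;
        assignid) printf '%s -m assignid -id %s -id_serialnumber %s' \
                      "$PEDCLIENT" "$id" "$1" ;;
        testid|deleteid|releaseid)
                  printf '%s -m %s -id %s' "$PEDCLIENT" "$mode" "$id" ;;
        *)        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# map_and_assign ID IP PORT SERIAL: create the mapping, test it, then assign it
# to the HSM; stop at the first failure so an untested mapping is never assigned.
map_and_assign() {
    cmd=$(mapping_cmd setid "$1" "$2" "$3") || return 1
    run $cmd || return 1
    cmd=$(mapping_cmd testid "$1") || return 1
    run $cmd || return 1
    cmd=$(mapping_cmd assignid "$1" "$4") || return 1
    run $cmd || return 1
    # mistyped options are dropped silently, so display what is actually in effect
    run "$PEDCLIENT" -m show
}

# Constructed values for illustration: PED ID 1, a Remote PED server at
# 192.0.2.10:1503, HSM serial 123456 (none of these come from the page).
map_and_assign 1 192.0.2.10 1503 123456
```

Run it once with the default DRY_RUN=1 to review the exact command lines, then with DRY_RUN=0 on the host that has the HSM. The same mapping_cmd helper builds the deleteid and releaseid commands, so the teardown path gets the same PED ID range check as the setup path.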

pedClient must run on any host with an HSM that is to be served by a Remote PED.

pedClient must run on any host of a Remote Backup HSM that will be serving remote primary HSMs*.

* A distant HSM that appears as a crypto slot at the host of the Backup HSM is not considered "remote" in this sense, and so the Backup HSM's host does not need RBS. This would be the case for, say, a Luna SA partition where the Remote Backup workstation is a registered client of the partition and therefore has an NTLS link with the Luna SA appliance. In that case, a lunacm session on the Backup workstation sees the Luna SA's partition as just another "local" slot. A slot-to-slot backup operation launched by lunacm at the Backup workstation is a local operation, as is a restore operation. That client relationship implies that the Backup workstation's administrator is entrusted with the partition authentication (black PED Key, challenge secret, red PED Key) for the partition on that distant Luna SA. In many cases, that is a perfectly legitimate assumption. The partition is registered with two "clients": one is the working, or production, client that uses the partition for cryptographic operations; the other is the Backup workstation, which connects to the partition only when it is time to perform backup or restore activity.

If, instead, the administrator of the Remote Backup HSM is not entrusted with the authentication secrets of the distant HSM partition, the administrator can still perform a backup, but it proceeds differently. The backup administrator connects by SSH or RDP session to a legitimate client computer and uses lunacm at that client to launch the backup. The client, already authenticated to the activated Luna SA partition, sees the partition as a local slot, but sees the Backup workstation and its attached Luna Remote Backup HSM only through the intermediary Remote Backup Service (RBS) running on that Backup workstation, which converses with the distant client computer by means of pedClient instances at each end. This is one version of the method used when the organization (or its customer) requires a strict separation of roles: the partition secrets stay with the client's owner, and the backup administrator never holds them.

A variant of the RBS method works from the other direction, with the owner of the client computer doing the work and the owner of the administrative/backup workstation simply allowing the client to take over the admin/backup workstation for the duration of the backup or restore operation. In either case, RBS must reside on the computer with the Luna Remote Backup HSM attached, and pedClient must run on both computers.

The various methods have their place, depending on your organization's structure and security protocols.

See "Remote Application-Partition Backup and Restore Using the Backup HSM" in the Administration Guide for more information.