The Remote PED (Luna PED with Remote Capability) allows you to administer HSMs that are housed away from their owners/administrators, at physically remote sites or inside heavily-secured premises, where obtaining local physical access to the HSM is difficult or time-consuming. Remote PED provides administrative convenience similar to remotely accessing a Password-authenticated HSM, but with the added security and role separation of PED authentication.
The feature requires:
• a Remote PED Server on a workstation that connects over a secure network link to a Remote PED Client in the computer or appliance that contains the HSM
• a SafeNet Luna PED 2.4.0-3 or greater with the Remote PED feature installed (such a PED can operate in Local PED or Remote PED mode, as needed).
Note: Not every PED 2.4.0 includes the Remote PED feature. That PED capability must be ordered specifically and factory installed.
• an orange RemotePED PED Key, which provides the authentication for the Remote PED connection between the workstation computer (with Luna PED 2 connected and PEDServer running) and the remotely located Luna HSM with the PEDclient running on the HSM's host.
Term | Meaning |
---|---|
Remote PED | A Luna PED, with Remote capability, connected, powered on, and set to Remote mode. |
RPV | Remote PED Vector - a randomly generated, encrypted value used to authenticate between a Remote PED (via PedServer) and a distant Luna HSM (PEDclient). |
RPK | Remote PED Key - an orange PED Key, the repository of an RPV value, for use in the Remote PED process. |
PedServer | The PED server program that resides on a workstation and mediates between a locally-connected Remote PED and a distant PEDclient (running at a distant Luna HSM). |
PEDClient | The PED Client program. For a Luna SA appliance, PEDclient is embedded. For Luna PCI-E, Luna G5, or Luna Backup HSM, PEDclient must be installed on the HSM's host computer. The PED client anchors the HSM end of the Remote PED service and initiates the contact with a PedServer instance, on behalf of its HSM. |
You want to locate your operational HSM hosts at remote locations or multiple locations around the city, country, world, and be able to administer them fully, from one location, without need for site visits and without carrying of PED Keys through unsecured areas.
The HSM must initially be configured with a local PED, in order to set its authentication and create a relationship between the HSM and an orange PED Key (RPV, or Remote PED Vector). That RPV, carried via the orange PED Key, is the means by which a PED at a remote (PedServer) location can be recognized and trusted over a distance, by an HSM that shares the same RPV. During the imprinting process, the HSM can take on the RPV of an existing orange PED Key (RPK, or Remote PED Key), or the HSM can generate a new RPV and imprint it on an orange PED Key.
The following diagram shows the preliminary imprinting step, where the HSM and (at least one) orange PED Key are made to share an RPV. Again, this must take place via a locally connected PED. The administrator could be co-located with the HSM, or could be elsewhere issuing the commands, but either the administrator or an assistant must be present at the HSM to present the orange PED Key for the RPV imprinting. Once that is completed, further PED operations can be untethered from direct local PED connection and moved anywhere along with that RPV-bearing orange PED Key.
The HSM is then shipped and installed at its remote location.
At your administrative location, a workstation is configured with special (PedServer) software, and a Luna PED 2 Remote (remote-capable PED) is connected via USB to that workstation.
Using SSH, you open an administrative session (connect and log in as "admin") on the remote HSM. You tell the HSM to expect a remote PED, rather than local PED. You issue commands as needed.
When an HSM command requires authentication to the HSM, the HSM looks for a remote PED server with the same Remote PED Vector. If it can authenticate properly with that remote PED server, the HSM accepts authentication data via that connection.
A SafeNet Luna HSM running the PED client can establish a Remote PED connection with any workstation that meets the following criteria:
• is running PEDserver.exe
• has a suitable Remote PED connected
• has the correct PED Keys (including the orange key) for that HSM.
The Luna HSM can make only a single connection for Remote PED operation at one time. The current session must time out or be deliberately stopped before another workstation can be called into a Remote PED connection with that Luna HSM.
Similarly, a given workstation can enter into a Remote PED connection with any Luna HSM with PEDClient, or any Luna HSM, that initiates such a connection (provided the proper PED, PED Keys, software, etc. are all in place), but it can make only one such connection at a time. This contrasts with SSH connections, where that same workstation could have multiple SSH windows open to multiple admin sessions on a single or multiple Luna HSMs.
There is no requirement for the workstation providing the Remote PED connection to be the same one that provides SSH administrative access to the HSM, nor is there any requirement that they be different workstations.
A Remote PED connection is always initiated from the Luna HSM - a workstation cannot invoke a Remote PED session as a Remote PED function. That is, you could be sitting at Workstation "A", with a command-line window open, in which you can run PedServer.exe, and there is no provision to use that program to connect to the Remote PED client on a Luna HSM-attached host computer, or a Luna SA appliance. Nevertheless, you could open an SSH window on that same workstation "A" (or on any other computer), connect to the Luna SA appliance or the Luna HSM host computer, log in, and tell the host to initiate a Remote PED connection with workstation "A". The appliance or HSM host computer does not care which computer runs the SSH (or local serial) connection to its admin interface. The function of a communication connection for Luna shell [lush] on Luna SA, or for a computer hosting a Luna PCI-E or Luna G5 HSM, is completely separate from the function of a communication connection for Remote PED operation.
When a Remote PED connection is in force, the local PED interface to the HSM is disabled. If a local PED operation is in progress, it is not possible to start a Remote PED connection until the current local-PED-mediated HSM operation completes. But it must be an active operation sequence - merely having a local PED connected to the HSM does not lock out the initiation of a Remote PED connection. For example, if you had started an HSM command that began using a connected local PED and PED Key for authentication, and you started an SSH session in which you issued the ped connect (LunaCM) command or hsm ped connect (LunaSH) command, one of the following two things would happen:
• the remote PED connect command would begin executing, but would pause while the local-PED operation (started in the other command session) was in progress, and resume when the local-PED operation terminated
• the remote PED connect command would begin executing, but would pause while the local-PED operation was in progress, and eventually time out if the local-PED operation did not terminate sufficiently quickly.
If a Remote PED connection is currently in force, then the local PED is ignored, and all PED requests are routed to the Remote PED.
If a Remote PED connection is currently in force, then subsequent attempts to start a different connection are refused until the current connection times out or is deliberately stopped.
In local PED mode, one Luna PED is connected directly to the HSM. Timeouts are governed by the configuration of the appliance or host computer and the HSM and are not generally modifiable.
In Remote PED mode, the PED Server on each remote Workstation has a timeout setting (which can be modified), and the HSM has a Remote PED timeout setting that can be seen and modified in the configuration file. If nothing has been set, then the default value for the Remote PED connection timeout (1800 seconds) is in effect.
The Remote PED server instances on workstations, and the Remote PED client inside the Luna SA appliance or on an HSM host computer, are not aware of each other's timeout values. For a given Remote PED connection, the shorter timeout value rules. Thus, if a Remote PED server on one of your workstation computers were to timeout during a Remote PED sequence, it would log the event and send a message to the appliance or HSM host that the connection had been open too long. The Remote PED Client on the Luna SA appliance or HSM host computer, receiving that message, would gracefully close the link and the host-side timeout would not be reached.
Generally, the state that causes the HSM to look for PED authentication via the Remote path, rather than from a locally-connected PED, persists unless you change it. The session between the Remote PED and the PedServer on that host also remains intact. It is the link between PedClient (at the HSM end) and PedServer (at the Remote PED end) that goes down for lack of use, and that link can be restarted with a single command when needed.
If it has been some time (more than half an hour) since you performed any authentication operations via Remote PED, the link has probably lapsed. Find out with lunacm:>ped show. If it says "not assigned", then the connection has been lost. Simply issue the ped connect command again, when needed.
We suggest port 1503 for the Remote PED connection, but you can use any port that does not conflict with another operation.
PedServer.exe (on the computer to which your Remote PED is attached) is run from the command line.
To use PedServer on a Windows 7 computer, right-click the Command Prompt icon, and from the resulting menu select "Run as Administrator".
If you lack system permissions to operate as Administrator on the computer that is to host the PED Server, contact your IT department to address the situation.
If you open a command-prompt window as an ordinary user in Windows 7, and run PedServer.exe, the program detects that it lacks access and permissions, and returns an error like the following:
C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.5 (10005)
Failed to load configuration file. Using default settings.
Ped Server launched in startup mode.
Starting background process
InternalRead: 10 seconds timeout
Failed to recv query response command: RC_OPERATION_TIMED_OUT c0000303
Background process startup timed out after 10 seconds.
Startup failed. : 0xc0000303 RC_OPERATION_TIMED_OUT

C:\Program Files\SafeNet\LunaClient>
If you encounter the error above, use Windows Task Manager to select the PedServer process, right-click, and select "End process", before cleanly retrying PedServer.exe via an Administrator Command Prompt.
Other Windows versions have not exhibited this requirement.
The connection is one-on-one. While a Remote PED connection is active between one HSM and one remote PED workstation (running PedServer.exe), neither entity is able to make a similar connection with a different partner. The connection must time out, or be deliberately stopped before the HSM can connect with another PedServer workstation and enter a new remote PED authentication arrangement.
When an RPV is created, it is a randomly-generated value that exists nowhere else. You control which (and how many) HSMs will contain that RPV, and which (and how many) orange RPK PED Keys will contain copies of it. A Remote PED with an inserted RPK (orange Remote PED Key) can be used only with distant Luna HSMs that share that exact RPV. If you launch a Remote PedServer with a connected Remote PED and provide any other orange PED Key, it is not accepted by any distant Luna HSM that does not have the matching RPV. In this manner, you can segregate the ability of personnel to remotely control specific HSMs, by controlling which orange PED Keys they are issued. Two people in the same office could have access and control of entirely different sets of remotely located HSMs, with no overlap, as long as you trusted them not to exchange orange PED Keys. You can further control who has what access by invoking MofN when you first create an RPV.
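The rules above (the RPV imprinted via a local PED, the one-connection-at-a-time limit on both the HSM and the workstation, the local-PED-in-progress wait, the "shorter timeout rules" behaviour, and the segregation of personnel by which orange key they hold) can be exercised in a small model. The following Python is an added example written for this page, not SafeNet code and not the real PEDclient or PedServer protocol; the class names, the status strings and the `demo()` scenario are assumptions made for illustration, and the 32-byte random RPV only stands in for the product's own value format.

```python
import hmac
import secrets

HSM_REMOTE_PED_TIMEOUT = 1800  # default HSM-side Remote PED timeout stated on the page, in seconds


class OrangeKey:
    """Model of an RPK (orange Remote PED Key): a label and the RPV it carries, if any."""

    def __init__(self, label):
        self.label = label
        self.rpv = None  # blank until an HSM imprints it via a locally connected PED


class PedServer:
    """Model of a PedServer workstation: a Remote PED with one inserted orange key."""

    def __init__(self, name, key, timeout):
        self.name = name
        self.key = key
        self.timeout = timeout  # workstation-side timeout (modifiable on the real product)
        self.serving = None  # the HSM whose Remote PED session this workstation is in


class HSM:
    """Model of the PEDclient side: shared RPV, single remote session, timeout bookkeeping."""

    def __init__(self, name, timeout=HSM_REMOTE_PED_TIMEOUT):
        self.name = name
        self.timeout = timeout
        self.rpv = None
        self.session = None  # (PedServer, time of last PED activity) or None
        self.local_ped_busy = False  # a local-PED-mediated operation is in progress

    def imprint(self, key):
        """The local-PED step: adopt the key's RPV, or generate a fresh one and write it to the key."""
        if key.rpv is None:
            key.rpv = secrets.token_bytes(32)  # modelled random value that exists nowhere else yet
        self.rpv = key.rpv

    def _lapsed(self, now):
        server, last = self.session
        # Neither side knows the other's setting; the shorter timeout ends the link.
        return now - last > min(self.timeout, server.timeout)

    def _drop_lapsed(self, now):
        if self.session is not None and self._lapsed(now):
            self.session[0].serving = None
            self.session = None

    def ped_connect(self, server, now):
        """Model of `ped connect` as seen from the HSM; returns a short status string."""
        self._drop_lapsed(now)
        if self.local_ped_busy:
            return "waiting: local PED operation in progress"
        if self.session is not None:
            return "refused: a Remote PED connection is already in force"
        if server.serving is not None:
            server.serving._drop_lapsed(now)  # the other HSM's link may have lapsed meanwhile
        if server.serving is not None:
            return "refused: that workstation is serving another HSM"
        if self.rpv is None or server.key.rpv is None:
            return "refused: no RPV shared"
        if not hmac.compare_digest(self.rpv, server.key.rpv):
            return "refused: orange key does not carry this HSM's RPV"
        self.session = (server, now)
        server.serving = self
        return "connected"

    def ped_show(self, now):
        """Model of `ped show`: the PED the HSM currently routes authentication to."""
        self._drop_lapsed(now)
        return "not assigned" if self.session is None else self.session[0].name

    def authenticate(self, now):
        """Route a PED authentication request; the remote path wins while a session is in force."""
        self._drop_lapsed(now)
        if self.session is None:
            return "local"
        server, _ = self.session
        self.session = (server, now)  # activity keeps the link alive
        return "remote:" + server.name


def demo():
    """Constructed scenario: two admins holding different orange keys, three HSMs."""
    key_a, key_b = OrangeKey("orange-A"), OrangeKey("orange-B")
    hsm1, hsm2, hsm3 = HSM("hsm1"), HSM("hsm2"), HSM("hsm3")
    hsm1.imprint(key_a)  # generates the RPV and writes it onto key A
    hsm2.imprint(key_a)  # adopts key A's RPV: same administrative group as hsm1
    hsm3.imprint(key_b)  # separate RPV: a disjoint set of HSMs
    alice = PedServer("ws-alice", key_a, timeout=600)
    carol = PedServer("ws-carol", key_a, timeout=900)
    bob = PedServer("ws-bob", key_b, timeout=600)
    r = {}
    r["bob_hsm1"] = hsm1.ped_connect(bob, now=0)            # wrong RPV
    r["alice_hsm1"] = hsm1.ped_connect(alice, now=0)        # connected
    r["carol_hsm1"] = hsm1.ped_connect(carol, now=50)       # HSM already has a session
    r["alice_hsm2_busy"] = hsm2.ped_connect(alice, now=1)   # workstation already in use
    r["auth"] = hsm1.authenticate(now=100)                  # routed to the Remote PED
    r["show_alive"] = hsm1.ped_show(now=700)                # 600 s of idle: still assigned
    r["show_lapsed"] = hsm1.ped_show(now=701)               # shorter (600 s) timeout has passed
    r["alice_hsm2_after"] = hsm2.ped_connect(alice, now=702)
    hsm3.local_ped_busy = True
    r["bob_hsm3_waiting"] = hsm3.ped_connect(bob, now=702)  # local PED operation in progress
    hsm3.local_ped_busy = False
    r["bob_hsm3"] = hsm3.ped_connect(bob, now=703)
    return r
```

The model uses the workstation's 600-second setting against the HSM's 1800-second default, so the link lapses at 600 seconds of inactivity, as the page says the shorter value governs; `hmac.compare_digest` is used for the RPV check so that the comparison does not leak the value through timing, a habit worth keeping in any code that compares secrets.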
Remote PED for Luna HSM 5.2 is not compatible with earlier HSM versions.
All communication between the Remote PED and the HSM in its host is transmitted within an AES-256 encrypted channel using session keys based on secrets (the Remote PED Vector (RPV) on the orange Remote PED Key (RPK)) that are shared out-of-band via the Remote PED role. This is considered a very secure query/response mechanism.