Luna PED is a Luna accessory device that allows compatible Luna HSMs to securely store their authentication data on PED Keys (specially configured USB tokens), to retrieve that data when needed, and to modify the content of PED Keys for security and operational purposes. All of the Luna PED and PED Key actions can be accomplished with the Luna PED directly connected to the Luna HSM, and powered by that HSM. Sometimes that direct connection is inconvenient, due to location of the HSM and of the personnel who are charged with controlling and managing the HSM. In such circumstances, it can be useful to employ a Luna PED with Remote capability.
Remote PED is supported (and requires installation/configuration) in two parts:
• PEDClient, which runs on the HSM host and allows the HSM to seek PED Key data from a remotely located Luna PED. PEDClient is part of the LunaClient software installation for every type of Luna HSM except Luna SA (because PEDClient is already present within the Luna SA appliance).
• PEDServer, which runs on the Remote PED host. PEDServer is installed if the "Remote PED" option is selected during LunaClient software installation, and includes the PedServer.exe executable, along with the SafeNet Luna PED device drivers. If the target computer is intended to be a PEDServer, but is not going to be a Client to your Luna HSM, then you do not need any of the other LunaClient software; you can use the LunaClient installer to install only the Remote PED option.
The following are required:
• An HSM host, configured as described elsewhere in this document, with PEDClient available, and with its own working network connection.
• A remote PED host computer with a supported operating system (see the Customer Release Notes for supported platforms) to run PEDServer.
• Sufficient privileges on the remote PED host, depending on platform and location (local network, WAN, VPN...)
• Current LunaClient installer (LunaClient.msi)
• Luna PED (Remote capable) V.2.4.0-3 or newer (see the bottom of the PED's Select Mode menu for the version)
• The power block and cord that accompanied your Remote PED, and the USB-A to USB-Mini-b cable
• PED Keys.
• A network connection.
This configuration takes place in two locations:
• on the HSM host.
• on the Remote PED host.
On the HSM host:
1. Install/configure your HSM host as described previously.
2. Change to the directory where LunaClient is installed and launch lunacm.
Type: c:\Program Files\SafeNet\LunaClient> lunacm
3. With a Luna PED connected locally, initialize a Remote PED Vector (RPV) for the HSM and for an orange PED Key.
Type: lunacm:> ped vector init and respond to the Luna PED prompts.
By means of your responses to the PED prompts, you can choose to have the HSM generate a new RPV to be held by both the HSM and a new orange PED Key, or you can choose to re-use an RPV already on an existing orange PED Key, and imprint that on the HSM.
As always, we suggest that you make at least one extra copy of the Remote PED Key.
4. Bring an orange PED Key, containing the RPV for this HSM, from the HSM to the location of the Remote PED server.
On the Remote PED host:
1. Luna PED should not yet be connected to the PEDServer computer.
2. Install the LunaClient software, selecting the "Remote PED" option. Any additional LunaClient installation choices are optional for this host system.
3. Click Install when prompted to install the driver.
4. Reboot the computer to ensure that the LunaPED driver is accepted by the operating system. This is not required for Windows Server Series.
5. Connect the Remote-capable Luna PED to AC power, using the supplied power block, and to the PEDServer computer, using the supplied USB-A to USB-mini-b cable.
Windows acknowledges the new device.
Luna PED performs its start-up sequence, and settles into Local Mode, by default.
6. Press the [ < ] key on the PED to access the "Select Mode" menu.
7. Press [ 7 ] to select "Remote PED" mode.
8. Ensure that your firewall does not block communication between PEDClient and PEDServer. If switching off the firewall for Home and Public Network is not an option, see the Troubleshooting section below.
9. Open a Command Prompt window.
If PedServer.exe attempts to access the pedServer.ini file in C:\Program Files\.... that is treated as an action in a restricted area in some versions of Windows. In that case, you should open the Command Prompt as Administrator, rather than as your normal user. To do so, right-click the Command Prompt icon and, from the pop-up menu, select Run as administrator.
Note: Windows Server 2008 launches Command Prompt as Administrator, by default, so no special steps are necessary.
Note: By default, PedServer.exe attempts to access pedServer.ini if such a file exists in the expected location. If it does not exist, then default values are used by PedServer.exe until you perform a "-mode config -set" operation to create a pedServer.ini.
10. Go to the installed LunaClient directory.
Type cd "\Program Files\SafeNet\LunaClient"
11. Launch the PEDServer.
Type pedserver -mode start
12. Verify that the service has started.
Type pedserver -mode show
and look for mention of the default port "1503" (or other, if you specified a different listening port). In addition, "Ped2 Connection Status:" should say "Connected". This indicates that the Luna PED that you connected (above) was found by PEDServer.
Note: If a port other than the default 1503 was specified in pedserver -mode start (for example, pedserver -mode start -port 1523), then the pedserver -mode show command should pass in the same port (for example, pedserver -mode show -port 1523). If a non-default value for the listening port was configured (meaning that it was present in pedServer.ini), then pedserver -mode show finds the port from that file.
13.Note the IP address of the PEDServer host. We generally recommend using static IP, but if you are operating over a VPN, you will likely need to ascertain the current address each time you [re-]connect to the VPN server and are assigned an address.
C:\windows\system32>ipconfig

Windows IP Configuration

Ethernet adapter Bluetooth Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :

Wireless LAN adapter Wireless Network Connection 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :

Wireless LAN adapter Wireless Network Connection 3:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::cd74:173c:692a:22b0%26
   IPv4 Address. . . . . . . . . . . : 192.168.0.16
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::5456:b034:a1ff:96fe%14
   IPv4 Address. . . . . . . . . . . : 182.16.153.114   <<--- this one, in our example
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.{9EE24CB0-63D2-4D40-902B-3DC3193701FA}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :

Tunnel adapter Local Area Connection* 17:

   Connection-specific DNS Suffix . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:3cca:2f17:3f57:ffef
   Link-local IPv6 Address . . . . . : fe80::3cca:2f17:3f57:ffef%11
   Default Gateway . . . . . . . . . : ::

Tunnel adapter isatap.{9D552290-62C3-479B-A312-FAEA518B1655}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :

Tunnel adapter isatap.{184652AE-5DF0-470C-84BE-B4D09760D3C9}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :

C:\windows\system32>
Note: Your organization's VPN might be configured with a relatively short lease time, so that you might need to re-establish the Luna Remote PED connection at intervals of hours or days, providing the newly assigned IP address of your PEDServer computer each time.
Note: We generally advise not specifying the IP address when starting the PED server, unless you have a specific reason to set an address there. Just say "pedserver -mode start".
In a volatile network or VPN situation, this means that, when the host IP changes on the PED server, only pedclient needs restarting with the new pedserver IP address. There is no need to also stop-and-restart pedserver.exe with a new IP.
Once started, pedserver.exe remains on, and listening until you explicitly tell it to stop, or until the host computer stops.
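Step 13 leaves you to pick the PEDServer host's address out of the ipconfig output by eye, and the VPN notes above mean you may have to repeat that every time an address is reassigned. The helper below is added here and is not part of the Luna documentation or the LunaClient software: it parses ipconfig text and lists the adapters whose IPv4 address PEDClient could plausibly be given, skipping disconnected adapters, tunnel adapters and link-local addresses. It assumes the English-locale ipconfig layout shown above; the embedded sample is a constructed excerpt of that output.

```python
import re

# Constructed `ipconfig` excerpt modelled on the step 13 output above
# (addresses are the page's own; blank lines dropped to keep it short).
IPCONFIG_SAMPLE = """\
Wireless LAN adapter Wireless Network Connection 4:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
Wireless LAN adapter Wireless Network Connection 3:
   Link-local IPv6 Address . . . . . : fe80::cd74:173c:692a:22b0%26
   IPv4 Address. . . . . . . . . . . : 192.168.0.16
   Default Gateway . . . . . . . . . : 192.168.0.1
Ethernet adapter Local Area Connection 3:
   Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Local Area Connection 2:
   Link-local IPv6 Address . . . . . : fe80::5456:b034:a1ff:96fe%14
   IPv4 Address. . . . . . . . . . . : 182.16.153.114
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
Tunnel adapter isatap.{9EE24CB0-63D2-4D40-902B-3DC3193701FA}:
   Media State . . . . . . . . . . . : Media disconnected
"""

# Adapter headers are the only lines that start in column 0 and end with ':'.
ADAPTER_RE = re.compile(r"^(\S.*?) adapter (.+):$")
IPV4_RE = re.compile(r"^\s+IPv4 Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")

def pedserver_candidates(ipconfig_text):
    """Return {adapter name: IPv4} for addresses PEDClient could be given.

    Disconnected adapters, tunnel (ISATAP/Teredo) pseudo-adapters and
    link-local/loopback addresses are skipped; none is reachable from an
    HSM host on another network.
    """
    candidates, name, usable = {}, None, False
    for line in ipconfig_text.splitlines():
        hdr = ADAPTER_RE.match(line)
        if hdr:
            name, usable = hdr.group(2), hdr.group(1) != "Tunnel"
        elif "Media disconnected" in line:
            usable = False           # adapter exists but carries no traffic
        else:
            m = IPV4_RE.match(line)
            if m and usable and not m.group(1).startswith(("169.254.", "127.")):
                candidates[name] = m.group(1)
    return candidates

if __name__ == "__main__":
    for adapter, ip in pedserver_candidates(IPCONFIG_SAMPLE).items():
        print(f"{adapter}: {ip}")
```

Where more than one adapter remains, as in the page's example, choose the one on the network shared with the HSM host; that is a judgment the script cannot make for you.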
Note: For the purposes of the PEDClient (the HSM that seeks a Remote PED connection), you can specify the PEDServer's IP address and listening port each time you connect. Or you can use the lunacm:> ped set command to configure either or both of those parameters, which are then picked up by the lunacm:> ped connect command when you wish to establish the connection.
If the listening port of the PEDServer is not specified, then the default value "1503" is assumed. The IP address must be specified somewhere; there is no original default. If an IP address or a port is specified in the lunacm:> ped connect command, it overrides any value that was set by lunacm:> ped set, but only for the current connection.
Finally, establish the Remote PED connection from the HSM host:
1. Launch the PEDClient on your HSM server, identifying the PEDServer instance (configured above) to which the HSM is to connect for its authentication requirements.
Type lunacm:> ped connect -ip <pedserver ip> -port <pedserver listening port>
(substituting your actual PEDServer IP and port)
for example: lunacm:> ped connect -ip 182.16.153.114 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED Key(s).
At this point, the remote Luna PED should come to life, briefly saying "Token found..." followed by this prompt:
2. Insert the orange PED Key that you brought from the HSM to the remote PED, and press [ Enter ] on the PED keypad.
When the orange PED Key is accepted, control returns to the HSM command line with a success message: "Command Result : 0 (Success)"
Once you have reached this point, you can continue to issue HSM or Partition commands, and whenever authentication is needed, the Remote PED will prompt for the required PED Key and associated key-presses.
The PEDServer utility continues to run until explicitly stopped.
On the HSM end, PEDClient (launched by the "connect" command) continues to run until you explicitly stop it with the "disconnect" command, or until the link is broken. At any time, you can run the command in "show" mode to see what state it is in.
If you physically disconnect the Remote PED from its host, the link between PEDClient and PEDServer is dropped.
If the network connection is disrupted, or if your VPN closes, the link between PEDClient and PEDServer is dropped.
If you attempt to change menus on the Remote PED, the PED warns you:
If you persist, the link between PEDClient and PEDServer is dropped.
If the "IdleConnectionTimeoutSeconds" is reached, the link between PEDClient and PEDServer is dropped. The default is 1800 seconds, or 30 minutes. You can modify the default value with the "-idletimeout" option.
Any time the link is dropped, as long as the network connection is intact (or is resumed), you can restart PEDClient and PEDServer to reestablish the Remote PED link. In a stable network situation, the link should remain available until timeout.
Here are some suggestions for addressing some possible issues when configuring Luna Remote PED.
If you experience problems while attempting to configure a Luna Remote PED session over VPN, you might need to adjust Windows Firewall settings.
1. From the Windows Start Menu, select "Control Panel".
2. From the "Control Panel", select "Windows Firewall".
3. From the "Windows Firewall" dialog, select "Change notification settings".
4. In the dialog "Customize settings for each type of network", go to the appropriate section and activate "Notify me when Windows Firewall blocks a new program".
Without this setting, it might not matter that you have Administrator-level privileges on the PEDServer host computer, because Windows would silently block the connection from PEDClient to PEDServer, and not give you an opportunity to exercise your power to approve the connection.
With notification turned on, a dialog box pops up whenever Windows Firewall blocks a program, allowing you to override the block, which permits the Luna Remote PED connection to successfully listen for PEDClient connections.
Another possible issue is that some networks might be configured to block access to certain ports. If such a policy on your network includes port 1503 (the default PEDServer listening port) and port 1502 (the administrative port), then you might need to choose a port other than the default when starting PEDServer, and likewise when you launch the connection from the HSM end and provide the IP and port where it should look for the PEDServer. Otherwise, perhaps your network administrator can assist.