When it is not convenient to be physically near the host computer that contains a Luna HSM in order to connect a Luna PED and present the required PED Keys, you can operate remotely and securely.
The PED-Authenticated Luna HSM and one or more orange PED Keys are imprinted with a Remote PED Vector (RPV). This can occur at any time before the HSM is deployed, and requires a locally connected PED. All future PED and PED Key interaction can then be accomplished with a Luna PED and PED Keys that are physically distant from the HSM, as follows:
• One computer, running a supported OS, hosts the HSM - this could be:
– a server or tower containing a Luna PCI-E HSM, or
– a server or other computer with a USB-connected Luna G5 HSM, or
– a Luna SA HSM appliance
• The HSM host computer must be network attached. HSM administration commands can be input locally or via a remote connection, but the network connection is essential for Remote PED operation.
• A second computer (laptop, workstation, or server running a supported Windows version) has a Luna PED (Remote Capable) attached via USB, and powered via its included power block.
• The Remote PED host computer must be network attached. The administration of the distant HSM host does not have to come from this Remote PED host computer, but it is usually done that way, since the person handling the PED must coordinate with the person giving commands to the HSM.
• The Remote PED host computer and PED must have the orange Remote PED Key (RPK) available, along with:
– either blue, black, and red (optionally, white and purple, as well) PED Keys that were imprinted with the HSM previously,
– or blank blue, black, and red (optionally, white and purple) PED Keys that are about to be imprinted along with the HSM.
• The HSM is told to look to a remote PED for its authentication requests.
• The PED host computer has the LunaPED driver installed, and runs the pedserver utility.
• The HSM host computer runs the pedclient utility, and the HSM is told to connect to the Remote PED.
• The Remote PED (via the pedserver) receives the request and prompts for the orange PED Key.
• The Remote PED and the HSM (via the pedclient/pedserver connection) agree that the provided orange PED Key contains the same Remote PED Vector as is imprinted on the HSM, and the secure Remote PED link is established.
• The HSM SO runs commands on the HSM (on the host computer) via a remote desktop or ssh connection.
All future authentication for the HSM can be performed at the Remote PED, with no need for personnel to visit the HSM host, which could be locked away in a lights-off facility on the other side of the world.