Server-initiated (Peer-to-Peer) Remote PED Connection

By default, when Remote PED is needed, a SafeNet HSM uses a local instance of PEDClient to initiate a connection with a distant instance of PEDServer. In cases where a SafeNet Network HSM resides behind a firewall with rules prohibiting the HSM host from initiating external connections, it is possible to have the PEDServer perform the initial call toward the HSM host in peer-connection mode.

The default mode (initiated by PEDClient) and the peer-connection mode (initiated by PEDServer) are mutually exclusive.

Peer-connection mode is configured by two commands:

PedServer.exe -appliance register

PedServer.exe -appliance delete

For use with SafeNet Network HSM, the paths to the pedServer.ini file and to the PEDserverCAFile.pem file must be set in the Remote PED server host's crystoki.ini file, and the HSM appliance's server certificate must be added to the Remote PED server host's PEDserverCAFile.pem file. The server.pem is secure-copied from the SafeNet Network HSM appliance, and PedServer.exe -appliance register adds it to the PEDserverCAFile.pem file in the cert folder.
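As an added check that is not part of this guide or of the PedServer tooling, the following Python confirms that the certificate in a copied server.pem is actually present in the PEDserverCAFile.pem bundle after registration, matching by SHA-256 fingerprint of the DER encoding rather than by text comparison. The certificate bodies used here are constructed placeholder bytes, not real certificates; with real files, pass the contents of server.pem and PEDserverCAFile.pem instead.

```python
import base64
import hashlib
import re

# Matches every CERTIFICATE block in a PEM file (a CA bundle may hold several).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certs_to_der(pem_text):
    """Return the DER bytes of each CERTIFICATE block found in pem_text."""
    return [base64.b64decode("".join(m.split())) for m in PEM_CERT_RE.findall(pem_text)]


def sha256_fingerprint(der):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def appliance_cert_registered(server_pem, ca_bundle_pem):
    """Return (registered, fingerprint): is the single cert in server.pem in the bundle?

    Comparing fingerprints of the decoded DER means line-wrapping or whitespace
    differences between server.pem and PEDserverCAFile.pem do not matter.
    """
    ders = pem_certs_to_der(server_pem)
    if len(ders) != 1:
        raise ValueError(f"server.pem should hold exactly one certificate, found {len(ders)}")
    fp = sha256_fingerprint(ders[0])
    bundle_fps = {sha256_fingerprint(d) for d in pem_certs_to_der(ca_bundle_pem)}
    return fp in bundle_fps, fp


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64, as OpenSSL does)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder byte strings standing in for real DER certificates.
APPLIANCE_DER = b"constructed-appliance-server-cert"
OTHER_DER = b"constructed-other-appliance-cert"
SERVER_PEM = to_pem(APPLIANCE_DER)
BUNDLE_BEFORE = to_pem(OTHER_DER)                     # bundle before 'pedServer -appliance register'
BUNDLE_AFTER = BUNDLE_BEFORE + to_pem(APPLIANCE_DER)  # bundle after registration appended the cert

if __name__ == "__main__":
    for label, bundle in (("before", BUNDLE_BEFORE), ("after", BUNDLE_AFTER)):
        ok, fp = appliance_cert_registered(SERVER_PEM, bundle)
        print(f"{label} registration: present={ok} sha256={fp}")
```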

Peer-connection mode is supported by two commands:

PedServer.exe -mode connect

PedServer.exe -mode disconnect

The PedServer.exe -mode disconnect command is used to terminate any existing peer connection with the intended HSM host before a new connection can be launched.

The PEDClient on the SafeNet Network HSM appliance runs in the background and listens on port 9697 for incoming Remote PED peer connection requests. You can specify a different port if needed, at both the pedclient and PedServer ends.

Two Lunash commands support peer-connection mode:

hsm ped select -host <hostname> -serial <serial number>

hsm ped deselect -host <hostname>


Constraints

The following constraints apply:

A maximum of twenty connections is supported on the PedClient.

If the connection is terminated abnormally (for example, a router or switch died), there is no automatic reconnection.

When running in peer-connection mode, the PedServer shuts down its listening service (the default mode), both for security reasons and to simplify usability. That is, if you have set the PedServer for server-initiated connection, the PedServer stops listening for a PedClient to attempt a connection.

Once the PedServer connection to the PedClient is established, the connection remains up until:

disconnect command is executed from the PedServer  

PedClient terminates the connection  

Configuration Prerequisite

The PedClient (the SafeNet Network HSM in this case) and the PedServer must be network accessible to each other. There must be no blocking firewall rules or other impediments to performing a certificate exchange and establishing a secure connection. PedServer has commands to create a host certificate if necessary and to register a server certificate retrieved from the HSM appliance. Upload/download of the certificates is done with scp/pscp.

Step by Step Connection Setup

Below is a step by step connection setup between PedServer and PedClient:

1. If the PedServer host does not have a certificate, create one with the command:

pedServer -regenCert

Note: Use that command only if you have not installed LunaClient and have installed just the Remote PED option, OR if you have not already created a certificate for NTLS client connections; this command replaces that earlier certificate, breaking any existing NTLS links.

2. Secure copy (SCP or PSCP) the host certificate to the admin account on the SafeNet Network HSM appliance.

3. Secure copy (SCP or PSCP) the server.pem from the SafeNet Network HSM appliance to the PedServer host.

4. Register the server.pem by using the pedServer command:

pedServer -appliance register -name <unique name> -certificate <Network HSM certificate file> -ip <Network HSM address> [-port <port number>]

5. Connect the PED to the PedServer host. See Installing and Configuring a SafeNet Remote PED.

6. Connect to the PedClient with the command:

pedServer -mode connect -name <SafeNet HSM server name>

a. PedClient receives the SSL connection from the PedServer by listening on port 9697 (unless a different port was specified).

b. PedClient validates the PedServer client certificate.

c. PedClient sends its client identity information to the PedServer.

d. PedServer receives the client identity information and sends its own identity to the PedClient.

e. PedClient receives the server identity information and adds it to the connection table.

f. PedClient sends a message back to the PedServer that the SSL connection is initialized and ready.

At this point, the secure network connection is in place between the PedServer and PedClient, which might be one of several PedServers available and connected to that PedClient, but the current PedServer is not selected to perform PED actions for the HSM associated with that PedClient. The PedClient might have another of its connected/available PedServers selected, or it might have none selected.

As a user of the HSM (or of an application partition on that HSM) wanting to perform an HSM operation that requires a PED operation, do the following:

7. From Lunash, run the command:

hsm ped select -host <hostname>

The hostname is the PedServer hostname.

a. PedClient sends a message to the PedServer with the HSM serial number, to notify it that the PedServer is now selected for PED operations.

b. PedServer receives the message and changes its processing status from waiting to processing commands (reading from and writing to the PED).

8. A user of the HSM (or of an application partition on the HSM) executes an operation that requires authentication via PED.

a. The behavior is the same as in non-peer mode, where the connection was initiated from the HSM side.

If you need to deselect the PedServer, do the following:

9. PedClient sends a message to the PedServer that it is no longer selected.

10. PedServer acknowledges the message and resets the PED to clear the current session ID and the generated Diffie-Hellman key.

11. PedServer sets the PED to stand-by. Any further read or write command from PedClient is ignored and is logged for security and debugging purposes.

If the user executes the disconnect command in PedServer, the PedClient receives the message and removes that PedServer from the connection table (on SafeNet Network HSM, the table appears in the output of the command hsm ped show). The PedServer service in Windows is then terminated. If the connection is terminated abnormally, the PedClient simply removes the connection from the connection table, and the PedServer service in Windows is likewise terminated.