This is the syntax of the pedClient command, which includes starting and stopping of the service, and an assortment of configuration options. Specify "pedClient" at the command line, plus one of the modes, plus any option applicable to that mode.
[root@lunaclient101360 bin]# ./pedClient
Ped Client Version 2.0.0 (20000)
Error: You must specify a mode.

Usage: pedClient [mode] [options...]

Explanation of the modes:

To query if a Ped Client is currently running, and to get details about the Ped Client, use this command:
    pedClient -m show [ options... ]
To shut down an existing Ped Client, use this command:
    pedClient -m stop [ options... ]
To start the Ped Client, use this command:
    pedClient -m start [ options... ]
To start the Ped Client for Windows service, use this command:
    pedClient -m start -winservice [ options... ]
To create a PED ID mapping, use this command:
    pedClient -m setid [ options... ]
To test a PED ID mapping, use this command:
    pedClient -m testid [ options... ]
To delete a PED ID mapping, use this command:
    pedClient -m deleteid [ options... ]
To assign a PED ID mapping to an HSM, use this command:
    pedClient -m assignid [ options... ]
To release a PED ID mapping from an HSM, use this command:
    pedClient -m releaseid [ options... ]
To show the existing configuration file settings, use this command:
    pedClient -m config -show
To restore the internal default configuration file settings, use this command:
    pedClient -m config -create
To modify the existing configuration file settings, use this command:
    pedClient -m config -set [ options... ]
To view a more detailed description of the Ped Client, use this command:
    pedClient -m desc

Explanation of the options:

Any options that are not specified on the command line will be read from the config file. If the config file cannot be found, internal default settings will be used. Invalid options do not generate an error and are ignored.

-mode <mode> -> Specifies the mode that the Ped Server will be executed in. The supported modes are "start", "stop", "show", "setid", "testid", "deleteid", "assignid", "releaseid" and "config".
-id -> Specifies the PED ID (larger then 0, less then 65535). Applicable to the "setid", "testid", "deleteid", "assignid" and "releaseid" modes.
-id_ip -> Specifies the IP or hostname for the PED Server to be linked to the specified PED ID. Applicable to the "setid" mode.
-id_port -> Specifies the port for the PED Server to be linked to the specified PED ID. Applicable to the "setid" mode.
-id_serialnumber -> Specifies the serial number of the HSM to be linked to the specified PED ID. Applicable to the "assignid" mode.
-eadmin <0 or 1> -> Specifies if the administration port is on "localhost" or listening on the external host name. Applicable to "start", "stop", "show" and "config set" modes.
-admin <admin port number> -> Specifies the administration port number. Applicable to "show" and "config set" modes.
-set -> When used with "-config", specifies that the configuration file should be updated with values of the other supplied options. Applicable to "config" mode.
-show -> When used with "-config", specifies that the contents of the configuration file should be displayed. Applicable to "config" mode.
-idletimeout <int> -> Specifies the idle connection timeout in seconds. Applicable to "start", "assignid" and "config set" modes.
-ignoreidletimeout -> Specifies that the idle connection timeout should not apply to the connection established for the specified PED ID to HSM assignement. Applicable to "assignid" and "config set" modes.
-socketreadtimeout <int> -> Specifies the socket read timeout in seconds. Applicable to "start", "stop", "show" and "config set" modes.
-socketwritetimeout <int> -> Specifies the socket write timeout in seconds. Applicable to "start", "stop", "show" and "config set" modes.
-shutdowntimeout <int> -> Specifies the shutdown timeout in seconds for internal services. Applicable to "start", "stop" and "config set" modes.
-pstartuptimeout <int> -> Specifies the startup timeout for the detached process. Applicable to "start", "stop" and "config set" modes.
-pshutdowntimeout <int> -> Specifies the shutdown timeout for the detached process. Applicable to "start", "stop" and "config set" modes.
-loginfo <0 or 1> -> Specifies if the logger should log "info" messages. Applicable to all modes.
-logwarning <0 or 1> -> Specifies if the logger should log "warning" messages. Applicable to all modes.
-logerror <0 or 1> -> Specifies if the logger should log "error" messages. Applicable to all modes.
-logtrace <0 or 1> -> Specifies if the logger should log "trace" messages. Applicable to all modes.
-logfilename <filename> -> Specifies the log file name. Applicable to all modes.
-maxlogfilesize <size> -> Specifies the maximum log file size in KB Applicable to all modes.
-locallogger -> Specifies that the Remote Ped logger should be used, not the IS logging system. Applicable to all modes.
[admin@myluna bin]#
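The PED ID mapping workflow from the usage text above (setid, then testid to verify the mapping, then assignid to bind it to an HSM), driven from a POSIX shell script that enforces the PED ID range the tool documents. This is an added example, not from the SafeNet documentation; the PEDCLIENT variable, the host pedserver.example, port 1503 and the serial number are assumptions.

```shell
#!/bin/sh
# Added example (not SafeNet's code): drive pedClient's PED-ID mapping steps
# with input validation, so a typo never reaches the HSM assignment step.
# PEDCLIENT is an assumed override for the binary path; defaults to ./pedClient
# as in the prompt shown in the usage output.
PEDCLIENT="${PEDCLIENT:-./pedClient}"

# The usage text states the PED ID must be larger than 0 and less than 65535.
valid_ped_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ] && [ "$1" -lt 65535 ]
}

# TCP port sanity check for -id_port (assumed range 1..65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# setid -> testid -> assignid -> show, stopping at the first step that fails.
# Usage: ped_map_and_assign <ped-id> <pedserver-host> <pedserver-port> <hsm-serial>
ped_map_and_assign() {
    id=$1; host=$2; port=$3; serial=$4
    valid_ped_id "$id" || { echo "rejected PED ID: $id" >&2; return 2; }
    valid_port "$port" || { echo "rejected port: $port" >&2; return 2; }
    "$PEDCLIENT" -m setid -id "$id" -id_ip "$host" -id_port "$port" || return $?
    "$PEDCLIENT" -m testid -id "$id" || return $?
    "$PEDCLIENT" -m assignid -id "$id" -id_serialnumber "$serial" || return $?
    "$PEDCLIENT" -m show
}

# Constructed sample values; run with PEDCLIENT=echo to see the commands only.
if [ "${PEDCLIENT_DEMO:-0}" = 1 ]; then
    ped_map_and_assign 1 pedserver.example 1503 123456
fi
```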
pedClient must run on any host of an HSM that needs to be served by a Remote PED.
pedClient must run on any host of a Remote Backup HSM that will be serving remote primary HSMs*.
* A distant HSM that appears as a crypto slot at the host of the Backup HSM is not considered "remote" in this sense, and so the Backup HSM's host does not need RBS. This would be the case for (say) a SafeNet Network HSM partition where the Remote Backup workstation is a registered client of the partition, and therefore has a Network Trust Link (NTL) with the SafeNet Network HSM appliance. In that case, a lunacm session on the Backup workstation sees the SafeNet Network HSM's partition as just another "local" slot. A slot-to-slot backup operation launched by lunacm at the Backup workstation is a local operation, as is a restore operation. That client relationship implies that the Backup workstation's administrator is entrusted with the partition authentication (black PED Key, challenge secret, red PED Key) for the partition on that distant SafeNet Network HSM. In many cases, that is a perfectly legitimate assumption. The partition is registered with two "clients" - one is the working, or production client that uses the partition for cryptographic operations; the other is the Backup workstation that connects with the partition only when it is time to perform backup or restore activity.
If, instead, the administrator of the Remote Backup HSM was not entrusted with the authentication secrets of the distant HSM partition, then the administrator could still perform a backup, but it would proceed differently. The backup administrator could connect by SSH or RDP session to a legitimate client computer and use lunacm at that client to launch the backup. The client, already authenticated to the activated SafeNet Network HSM partition, would see the partition as a local slot, but would see the Backup workstation and its attached SafeNet Remote Backup HSM only through the intermediary Remote Backup Service (RBS) running on that Backup workstation and conversing with the distant client computer by means of pedClient instances at each end. This is one version of the method used when the organization (or its customer) prefers a strict separation of roles.
A variant of the RBS method might work from the other direction, with the owner of the client computer doing the work, and the owner of the administrative/backup workstation simply allowing the client to take over the admin/backup workstation for the duration of the backup-or-restore operation. In either case, RBS must reside on the computer with the SafeNet Remote Backup HSM attached, and pedClient must run on both.
The various methods have their place, depending on your organization's structure and security protocols.
See Remote Application-Partition Backup and Restore Using the Backup HSM in the Administration Guide for more information.