Home > |
---|
To use Remote PED for the first time, you will need:
- a SafeNet PED 2.4.0-3 (or later) with Remote PED feature installed (new Remote PED units are shipped with this sticker on the front)
- a power adapter for the Remote PED (when the PED is not connected to a SafeNet Network HSM, via the PED port, it requires the separate power adapter to supply its power - the USB connection is insufficient for that purpose)
- a complete set of PED Keys, including an orange Remote PED key (either new/empty or already containing a Remote PED vector)
- local access to the SafeNet HSM (for the first session only)
- HSM that supports the Remote PED feature (includes the Remote PED Client)
- a workstation/PC with the PEDserver.exe (Remote PED Server application) running, and with the appropriate PED driver already installed
You will need physical access to your SafeNet Network HSM when first setting up Remote PED, because the Remote PED vector must be created by the HSM and imprinted on a blank PED Key, or it must be acquired from a previously imprinted orange PED Key and stored in the HSM. Thereafter, the orange PED Key is used with the Remote PED from a remote location, and the connection is secured by having the matching Remote PED vector at both the HSM and the Remote PED server (your remote workstation with Remote PED attached).
Note: If you encounter timeout problems (possible if you are using MofN with many keys, or if you are reading instructions as you go, or are otherwise not speedy while following prompts), you can adjust timeout values to allow for a more relaxed pace. For PedServer.exe, you can do:
pedserver -mode config set -socketreadrsptimeout <seconds>
but you would also need to increase the timeout in the crystoki.ini client software configuration file. Moreover, the PEDServer -socketreadrsptimeout must always be larger than the timeout in the configuration file.
Note: In general, do not change settings (especially in the crystoki.ini file) unless you have good reason to do so, or are instructed to do so, by SafeNet Customer Support.
Use static IP addressing for PED Client / PED Server. PED Client can fail to find a server if a dynamic address is indicated. An example error might look like this:
lunash:>hsm ped connect -ip 192.20.11.67 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED Key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
readIPFromConfigFile() : config file did not contain an IP address.
Startup failed. : 0xc0000404 RC_FILE_ERROR
Command Result : 65535 (Luna Shell execution)
lunash:>
Note: If the HSM host (a SafeNet Network HSM appliance or a host computer with SafeNet PCI-E HSM or SafeNet USB HSM) has more than one SafeNet HSM connected, then you might need to specify the "-serial" option, to identify the desired HSM by its serial number.
If "-serial" is not specified in commands
hsm ped vector init
hsm ped vector erase
hsm ped connect
hsm ped disconnect
then the action defaults to the first HSM that is found.
The steps to set up Remote PED are:
1. Initialize the HSM [if you have not already done so]- the creation of the orange Remote PED key requires HSM login; HSM login requires an initialized HSM, all of which must be done with a local PED connection the first time.
2.Have the SafeNet PED connected to the PED port of the HSM, and set to Local PED mode.
3.Login as SO:
[myluna] lunash:>hsm login
Luna PED operation required to login as HSM Administrator - use blue PED key(s).
'hsm login' successful.
Command Result : 0 (Success)
[myluna] lunash:>
4.Have a blank PED Key, with orange label, ready. Create and imprint the RPV (Remote PED Vector):
[myluna] lunash:>hsm ped vector init
WARNING !! This command will initialize remote PED vector (RPV).
If you are sure that you wish to proceed, then enter 'proceed', otherwise this command will abort.
> proceed
Proceeding... SafeNet
(At this time, go to the SafeNet PED and respond to the prompts by providing either a "fresh" orange PED key (which prompts creation and imprinting of a new/unique RPV) or an already-imprinted orange PED Key (which prompts the PED to ask you to reuse the existing PED Key data), along with additional blanks if you intend to make duplicates.)
Ped Client is not currently running.
Shutdown passed.
Command Result : 0 (Success)
[myluna] lunash:>
(If you see references to "shutdown mode", that's the shell [lunash] exchanging messages with the Remote PED Client application (also found on your SafeNet appliance), which is called, runs in the background, and shuts down, possibly multiple times, depending upon the task that you have initiated via [lunash:>] commands.)
5.At this point, you have an HSM with an RPV (Remote PED Vector) set, and one or more orange PED Keys carrying that same RPV. Bring a SafeNet PED 2 with Remote PED capability, the PED Keys (blue and black and red), and at least one imprinted orange PED Key to the location of your workstation computer (anywhere in the world with a suitable network connection). You should already have the most recent PED driver software and the PedServer.exe software installed on that computer
[ The software and driver are provided on the SafeNet Network HSM Client CD, but are optional during the installation process. If you intend to use Remote PED (and therefore need the PED driver and the PedServer executable program, ensure that Remote PED is among the options selected during installation. Alternatively, you can launch the installer at a later time and modify the existingSafeNet HSM Client installation to include Remote PED at that time.
When you connect your SafeNet PED2 Remote to electrical mains power (AC power outlet) and to your computer's USB port, the operating system detects the new hardware and should locate the appropriate driver. If that does not happen, then the system presents a dialog for you to help if find the location where the LunaPED driver has been placed. ].
6.Connect the Remote PED to its power source via the power adapter.
7.Connect the Remote PED to the workstation computer via the USB cable.
8.When the PED powers on and completes its self-test, it is in Local PED mode by default.
Press the [<] key to reach the "Select Mode" menu.
Press [7] to enter Remote PED mode.
9.Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt), locate and run PedServer.exe (we suggest that you try it out beforehand, to become familiar with the modes and options - if you experience any problem with PED operation timeout being too short, use "PedServer -mode config -set <value in seconds>" to increment the "sreadrsptimeout" value).
Set PedServer.exe to its "listening" mode.
c: > PedServer -m start
Ped Server Version 1.0.5 (10005)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
c:\PED\ >
NOTE: if you encounter a message "Failed to load configuration file...", this is not an error. It just means that you have not changed the default configuration, so no file has been created. The server default values are used.
10.Open an ssh session to the SafeNet Network HSM appliance and login as admin.
11.Start the PED Client (the Remote PED enabling process on the appliance):
lush:> hsm ped connect -i 183.21.12.161 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
Ped Client Version 1.0.0 (10000)
Ped Client launched in startup mode.
Starting background process
Background process started
Ped Client Process created, exiting this process.
Command Result : 0 (Success)
[luna27] lush:>
NOTE: the serial number option on command hsm ped connect is needed if you are using Remote PED with an HSM other than the onboard SafeNet Network HSM (such as a connected SafeNet USB HSM for PKI). If a serial number is not specified, the internal HSM is assumed by default.
12.To verify that the Remote PED connection is functional, try some HSM commands that require PED action and PED Key authentication - the simplest is hsm login. First logout, because you were already logged in to the HSM...
[luna27] lush:>hsm logout
'hsm logout' successful.
Command Result : 0 (Success)
[luna27] lush:>hsm login
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
'hsm login' successful.
Command Result : 0 (Success)
[luna27] lush:>
13.At this point, you have successfully set up a Remote PED link between a workstation computer (with PED attached to its USB port) and a distant SafeNet Network HSM/appliance. You have demonstrated that success by performing an HSM operation that demanded SO/HSM Admin PED Key authentication, without being physically near to the SafeNet Network HSM/appliance, and without having a SafeNet Network HSM PED directly attached to the SafeNet Network HSM/appliance.
You can now perform any HSM administration chores (including Cluster creation/administration) as though you were physically adjacent to the HSM, with equal confidence in the security of the system [HSM products that include Remote PED are now routinely submitted to approving agencies (like NIST/FIPS) for validation].
14.To disconnect:
[luna27] lush:>hsm ped disconnect
WARNING !! This command will disconnect remote PED.
If you are sure that you wish to proceed, then enter 'proceed', otherwise this command will abort.
> proceed
Proceeding...
Ped Client Version 1.0.0 (10000)
Ped Client launched in shutdown mode.
Shutdown passed.
Command Result : 0 (Success)
[luna27] lush:>
Note: If a Remote PED session is in effect and you press the [<] key on the PED (to go to the PED's "Select mode" menu), that action amounts to exiting the Remote PED mode. Therefore, the PED displays a message:
** WARNING **
Exiting now will
invalidate the RPK.
Confirm ? YES/NO
If you press [YES], the RPK-validated Remote PED session is dropped and must be re-established from the HSM (with "hsm ped connect <network-target>" before you can resume activity with the Remote PED.
In other words, if you want to use that PED for any other purpose than the current connection with one remote HSM, you have to drop the current session to make such other use of the PED, and then have the appropriate RPK available when you are ready to re-establish the prior Remote PED connection. )
Note: The above note talks about a "session" that exists only between the Remote PED and the computer (actually the PedServer software running on that computer) to which the Remote PED is connected. That is separate from the session that was established between the distant appliance/HSM and the PedServer on your computer. The session between computer and HSM is time-sensitive - it is in existence while needed and is either dropped intentionally or times out after brief inactivity. The session between the Remote PED and its attached computer persists until you disconnect the PED or change modes, or until you stop the PedServer.exe process on the computer.
***** The default timeout for a Remote PED link between PedClient at the HSM and PedServer at the Remote PED, is 1800 seconds, or 30 minutes. If no Remote PED activity is requested for the entire timeout duration, the link ends, and must be re-established. While that link is down, and the HSM remains set to expect Remote PED operation, any requested PED operations simply fail. We recommend performing a disconnect before performing a connect, to ensure that the old link is cleanly severed and that a new link is cleanly established. *****
Note: PED KEY MIGRATION from older classic-PED Datakeys (the PED Keys that look like toy plastic keys) is NOT SUPPORTED over Remote PED, because the old classic PED 1.x has no way to connect to the PED Server. Migration of PED Keys from DataKeys to iKeys must be done locally. )
If you encounter problems with Remote PED, Troubleshooting Remote PED.