The Remote PED (SafeNet PED with Remote Capability) allows you to administer HSMs that are housed away from their owners/administrators, at physically remote sites or inside heavily-secured premises, where obtaining local physical access to the HSM is difficult or time-consuming. Remote PED provides administrative convenience similar to remotely accessing a Password-authenticated HSM, but with the added security and role separation of PED authentication.
The feature requires:
• a Remote PED Server instance, running on a workstation, that connects over a network link to a Remote PED Client in the computer or appliance that hosts the HSM
• a SafeNet PED 2.4.0-3 or greater, with the Remote PED feature installed, (which has the capability to operate in Local PED or Remote PED mode, as needed).
Note: Not every PED 2.4.0 (or greater) includes the Remote PED feature. That PED capability must be ordered specifically and factory installed.
• an orange, Remote PED, PED Key that provides the authentication for the Remote PED connection between
–the workstation computer (with PED connected and PEDServer running) and
–the remotely located SafeNet HSM with the PEDclient running on the HSM's host.
Term | Meaning |
---|---|
Remote PED | A SafeNet PED, with Remote capability, connected, powered on, and set to Remote mode. |
RPV | Remote PED Vector - a randomly generated, encrypted value used to authenticate between a Remote PED (via PedServer) and a distant SafeNet HSM (PEDclient). |
RPK | Remote PED Key - an orange PED Key, the portable repository of an RPV value, for use in the Remote PED process. |
PedServer | The PED server program that resides on a workstation and mediates between a locally-connected Remote PED and a distant PEDclient (running at a distant SafeNet HSM). |
PEDClient | The PED Client program. For a SafeNet Network HSM appliance, PEDclient is embedded. For SafeNet PCIe HSM, SafeNet USB HSM, or SafeNet Backup HSM, PEDclient must be installed on the HSM's host computer. The PED client anchors the HSM end of the Remote PED service and initiates the contact with a PedServer instance, on behalf of its HSM. |
You want to locate your operational HSM hosts at remote locations or multiple locations around the city, country, world, and be able to administer them fully, from a different location, without need for site visits and without needing to carry PED Keys through unsecured areas.
The HSM must initially be configured with a local PED, in order to set its authentication and create a relationship between the HSM and an orange PED Key (RPV, or Remote PED Vector). That RPV, carried via the orange PED Key, is the means by which a PED at a remote (PedServer) location can be recognized and trusted over a distance, by an HSM that shares the same RPV. During the imprinting process, the HSM can take on the RPV of an existing orange PED Key (RPK, or Remote PED Key), or the HSM can generate a new RPV and imprint it on an orange PED Key. This allows you to choose whether
•the current HSM is one of possibly several HSMs that can be remotely administered with the PED data path secured by a single orange PED Key, or
•the current HSM will be the only one secured with that particular Remote PED authentication (it could remain alone, or could be the start of a new authentication group for Remote PED activity - your choice)
The following diagram shows the preliminary imprinting step, where the HSM and (at least one) orange PED Key are made to share an RPV. Again, this must take place via a locally connected PED. The administrator could be co-located with the HSM, or could be elsewhere issuing the commands, but either the administrator or an assistant must be present at the HSM to present the orange PED Key for the RPV imprinting. Once that is completed, further PED operations can be untethered from direct local PED connection and moved anywhere along with that RPV-bearing orange PED Key.
The HSM is then shipped and installed at its remote location.
At your administrative location, a workstation is configured with special (PedServer) software, and a SafeNet PED 2 Remote (remote-capable PED) is connected via USB to that workstation.
Using SSH, you open an administrative session (connect and log in as "admin") on the remote HSM. You tell the HSM to expect a remote PED, rather than local PED. You issue commands as needed.
When an HSM command requires authentication to the HSM, the HSM looks for a remote PED server with the same Remote PED Vector. If it can authenticate properly with that remote PED server, the HSM accepts authentication data via that connection.
A SafeNet HSM running the PEDclient can establish a Remote PED connection with any workstation that meets the following criteria:
• is running PEDserver.exe
• has a suitable Remote PED connected
• has the correct PED Keys (including the orange key) for that HSM.
The SafeNet HSM can make only a single connection for Remote PED operation at one time. The current session must timeout or be deliberately stopped before another workstation can be called into a Remote PED connection with that SafeNet HSM.
Similarly, a given workstation can enter into a Remote PED connection with any SafeNet HSM whose PEDClient initiates such a connection (provided the proper PED, PED Keys, software, etc. are all in place), but it can make only one such connection at a time. This contrasts with SSH connections, where that same workstation could have multiple SSH windows open to multiple admin sessions on a single or multiple SafeNet HSMs.
There is no requirement for the workstation providing the Remote PED connection to be the same one that provides SSH administrative access to the HSM, nor is there any requirement that they be different workstations. You can overlap those functions or keep them separate, for your convenience.
The above descriptions apply to Remote PED operations in general. The PEDClient runs on the computer that hosts the SafeNet HSM, while the PEDServer runs on the computer that hosts the SafeNet PED. Historically, this meant that PEDClient was launched and tried to open a connection to a specified instance of PEDServer. However, in some cases the network and firewall rules that surround the HSM host forbid that host initiating the connection from inside the firewall. For those situations, PEDServer now supports the ability to initiate the Remote PED connection from the PEDServer side, over a link secured by means of the HSM host's (usually SafeNet Network Appliance) server certificate. In aid of that peer-to-peer connection, Remote PED also makes use of a configuration file separate from the LunaClient crystoki.ini file.
Peer-to-peer connection is supported by PedServer.exe -mode connect and -mode disconnect commands. The rules governing the connections are as follows:
•The default mode when PEDServer starts is legacy mode (where PEDServer waits for a connection to be initiated from an instance of PEDClient).
•When you type the -mode connect command for PEDServer (requesting the start of peer-to-peer mode), that command requires the registered HSM appliance name, which is stored in the PedServer configuration file, where each appliance name is associated with an IP address. That information, along with the appliance certificate is used to create the connection to an instance of PEDClient on the HSM host computer (usually SafeNet Network HSM).
•The -mode connect command detects if legacy mode is running.
–If legacy mode is not running, the -mode connect command initiates a connection to the indicated HSM host (normally SafeNet Network HSM appliance).
–If legacy mode is running, then PEDServer -mode connect checks if a legacy-mode connection currently exists. If such a connection currently exists, then the -mode connect presents an error message informing you to terminate that connection before retrying the requested peer-to-peer connection. That is, a -mode connect request for peer connection does not override an existing legacy connection; it just tells you about it and lets you make the decision.
–If legacy mode is running and PEDServer -mode connect does NOT discover an existing legacy connection in effect, then the legacy mode is shut down and the peer-to-peer connection is initiated.
•The -mode disconnect command terminates an existing peer connection and returns the PEDServer to legacy mode. If the PEDServer is already in legacy mode, the -mode disconnect command is ignored.
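The rules above are easier to check as a small state machine. The following is an added example, not the PedServer program or any SafeNet code: it models the legacy/peer mode transitions, the one-connection-at-a-time constraint, and the refusal cases described in the list. The class and method names are this example's own, and the registry dictionary stands in for the appliance entries of pedServer.ini.

```python
"""State-machine model of the PedServer '-mode connect' / '-mode disconnect' rules.

Added example, not the PedServer program itself: it encodes the connection
rules from the page so the transitions can be exercised offline. Class,
method and appliance names are this example's own; the registry stands in
for the appliance entries of pedServer.ini.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Mode(Enum):
    LEGACY = "legacy"   # listener up, waiting for a PedClient (HSM side) to call in
    PEER = "peer"       # PedServer initiated a TLS connection to a registered appliance


class ModeError(Exception):
    """A refused mode change; the message names the rule that refused it."""


@dataclass
class PedServerModel:
    registry: Dict[str, str]                 # appliance name -> IP, as registered in pedServer.ini
    mode: Mode = Mode.LEGACY
    listening: bool = True                   # peer mode does not run the listener
    legacy_client: Optional[str] = None      # PedClient address served in legacy mode
    peer_appliance: Optional[str] = None     # appliance connected in peer mode
    log: List[str] = field(default_factory=list)

    def client_connected(self, addr: str) -> None:
        """A PedClient calls in on the legacy listener (client-to-server direction)."""
        if self.mode is not Mode.LEGACY or not self.listening:
            raise ModeError("no listener: PedServer is in peer mode")
        if self.legacy_client is not None:
            # one-to-one: a workstation serves a single Remote PED connection at a time
            raise ModeError(f"already serving {self.legacy_client}")
        self.legacy_client = addr
        self.log.append(f"legacy connection from {addr}")

    def client_disconnected(self) -> None:
        """The legacy connection timed out or was stopped from the HSM end."""
        self.legacy_client = None

    def mode_connect(self, appliance: str) -> str:
        """'-mode connect <appliance>': start a server-initiated connection; returns the target IP."""
        if appliance not in self.registry:
            raise ModeError(f"{appliance} is not registered")
        if self.mode is Mode.PEER:
            raise ModeError(f"peer connection to {self.peer_appliance} already active; -mode disconnect first")
        if self.legacy_client is not None:
            # rule: never override a live legacy connection; report it and let the operator decide
            raise ModeError(f"legacy connection to {self.legacy_client} is active; terminate it, then retry")
        # legacy mode running but idle: shut the listener down and go peer-to-peer
        self.listening = False
        self.mode = Mode.PEER
        self.peer_appliance = appliance
        ip = self.registry[appliance]
        self.log.append(f"peer connection to {appliance} ({ip}) over TLS")
        return ip

    def mode_disconnect(self) -> bool:
        """'-mode disconnect': drop the peer connection and return to legacy mode.
        Returns False when ignored because PedServer is already in legacy mode."""
        if self.mode is Mode.LEGACY:
            return False
        self.log.append(f"disconnected from {self.peer_appliance}; back to legacy mode")
        self.peer_appliance = None
        self.mode = Mode.LEGACY
        self.listening = True
        return True


def walkthrough() -> List[str]:
    """Exercise each rule once and return the outcomes, for inspection or assertion."""
    srv = PedServerModel(registry={"mySafeNetAppliance": "192.20.11.86"})
    out: List[str] = []

    def attempt(label, fn, *args):
        try:
            out.append(f"{label}: {fn(*args)}")
        except ModeError as e:
            out.append(f"{label}: refused ({e})")

    attempt("disconnect-in-legacy", srv.mode_disconnect)                    # ignored, returns False
    srv.client_connected("10.0.0.5")                                        # HSM host calls in
    attempt("connect-while-busy", srv.mode_connect, "mySafeNetAppliance")   # refused: live legacy link
    srv.client_disconnected()
    attempt("connect-when-idle", srv.mode_connect, "mySafeNetAppliance")    # listener shut, peer link up
    attempt("client-during-peer", srv.client_connected, "10.0.0.6")         # refused: no listener
    attempt("disconnect-in-peer", srv.mode_disconnect)                      # back to legacy, returns True
    return out


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The walkthrough shows the one decision the rules leave to the operator: a -mode connect issued while a legacy connection is live is refused with a message rather than tearing that connection down.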
Direction | Connection and Security |
---|---|
Client-to-Server (original) connection | TCP/IP only; encryption by orange PED Key secret (RPV) |
Server-initiated (a.k.a. Peer-to-peer) | TLS with certificate exchange to create the secure tunnel and then also encrypted by the orange PED Key (RPV) |
Note:
Client-to-server - the server is on the Remote PED host, and the connection is initiated by the Network HSM (or other HSM host).
Server-initiated - the server is still on the Remote PED host, but it now initiates the connection to a Network HSM (or other HSM host), where that HSM host might be behind a firewall that forbids outbound connection requests.
The following constraints apply to Remote PED connections:
•A maximum of twenty connections is supported on the PedClient.
•A maximum of 80 Network HSM appliances can be registered in PedServer.
•If the connection is terminated abnormally (for example, a router or switch died), there is no automatic reconnection. The PedServer automatically restarts and runs in legacy mode.
•When running in server-initiated connection mode, the PedServer does not engage the listening service, for security reasons and to simplify usability.
•Once the PedServer connection to the PedClient is established, the connection remains up until
–the -mode disconnect command is executed from the PedServer, or
–PedClient terminates the connection.
The exchange of certificates for server-initiated Remote PED is similar to the exchange and registration of certificates for NTLS, and enables a TLS 1.2 link. It is implemented separately because a Remote PED host computer might also be a client for SafeNet Network HSM appliances, or it might not, and the secure peer-to-peer Remote PED connection must be able to work in either circumstance.
On a SafeNet Network HSM appliance at version 6.2.1 or newer, to support peer-mode (server-initiated) Remote PED, port number 9697 is opened for public TCP access. This is not considered a security hazard, since only incoming TLS connections that present a certificate are accepted. Even so, restricting reachability of port 9697 at the network perimeter to the workstations that host PedServer reduces the exposed surface further.
In either mode, the major security for your HSM contents is the physical security that you maintain around the PED Keys.
•The Remote PED link can occur only if the person operating the PED can present an orange PED Key that contains an RPV that exactly matches the RPV on the HSM.
•The other PED Keys that are served over the Remote PED link must be the correct keys for each role/function on that HSM (SO, Crypto Officer or Crypto User, Cloning Domain, Auditor, SRK, respectively).
From release 6.2.1 onward, the configuration file pedServer.ini supports certificate management and other aspects of peer-to-peer Remote PED. The pedServer.ini configuration file is used to change the timeout values and to store a list of appliance certificates, to support TLS v1.2 connections between the PedServer and a SafeNet Network HSM appliance.
The following entries are available :
[RemotePed]
PongTimeout = 5
PingInterval = 1
LogFileTrace = 0
LogFileError = 1
LogFileWarning = 1
LogFileInfo = 1
; MaxLogFileSize = 4194304
LogFileName = .\remotePedServerLog.log
BGProcessShutdownTimeoutSeconds = 25
BGProcessStartupTimeoutSeconds = 10
InternalShutdownTimeoutSeconds = 10
SocketWriteTimeoutSeconds = 50
SocketReadRspTimeoutSeconds = 180
SocketReadTimeoutSeconds = 100
ExternalServerIF = 1
ServerPortValue = 1503
ExternalAdminIF = 0
AdminPort = 1502
IdleConnectionTimeoutSeconds = 1800
RpkSerialNumberQueryTimeout = 15

[Appliances]
SSLConfigFile = \usr\safenet\lunaclient\bin\openssl.cnf
ServerCAFile = \root\CAFile.pem
ServerIP00 = 192.20.11.86
ServerPort00 = 9696
ServerName00 = mySafeNetAppliance
CommonCertName00 = test1
ServerName01 = myotherSafeNetAppliance
ServerIP01 = 192.20.9.46
ServerPort01 = 9697
CommonCertName01 = test2
An entry is added in the chrystoki configuration file to point to the location of the PedServer configuration file:
[Ped Server]
PedConfigFile = \usr\safenet\lunaclient\data\ped\config
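The [Appliances] section registers each appliance as a group of indexed keys (ServerNameNN, ServerIPNN, ServerPortNN, CommonCertNameNN), and the sample above deliberately lists the keys for index 00 and 01 in different orders. The following is an added example, not SafeNet tooling, of reading such a file into one record per appliance, validating each record, and enforcing the 80-appliance limit stated in the constraints. The sample file is constructed from the listing above, and the function names (parse_appliances, lookup, config_error) are this example's own.

```python
"""Read the [Appliances] registrations out of a pedServer.ini file.

Added example, not SafeNet's own tooling: it groups the indexed
ServerNameNN / ServerIPNN / ServerPortNN / CommonCertNameNN keys into one
record per appliance, validates each record, and enforces the 80-appliance
limit the page states. SAMPLE_INI is constructed from the page's listing;
the function names are this example's own.
"""
import configparser
import ipaddress
import re
from typing import Dict, List, Optional

MAX_APPLIANCES = 80   # maximum registered appliances per PedServer (constraints list above)

# Constructed from the page's listing; the key order for 00 and 01 differs on purpose,
# as in the original, to show that grouping is by index, not by position in the file.
SAMPLE_INI = r"""
[RemotePed]
PongTimeout = 5
; MaxLogFileSize = 4194304
ServerPortValue = 1503
IdleConnectionTimeoutSeconds = 1800

[Appliances]
SSLConfigFile = \usr\safenet\lunaclient\bin\openssl.cnf
ServerCAFile = \root\CAFile.pem
ServerIP00 = 192.20.11.86
ServerPort00 = 9696
ServerName00 = mySafeNetAppliance
CommonCertName00 = test1
ServerName01 = myotherSafeNetAppliance
ServerIP01 = 192.20.9.46
ServerPort01 = 9697
CommonCertName01 = test2
"""

# configparser lowercases option names, so the patterns are lowercase too
_INDEXED = re.compile(r"^(servername|serverip|serverport|commoncertname)(\d{2})$")
_FIELD = {"servername": "name", "serverip": "ip", "serverport": "port", "commoncertname": "cert_cn"}


class ConfigError(ValueError):
    """The file does not describe a usable set of appliances."""


def parse_appliances(text: str) -> List[Dict]:
    """Return one record per registered appliance, sorted by index; raise ConfigError if unusable."""
    cp = configparser.ConfigParser()          # strict by default: a duplicated key raises
    cp.read_string(text)                      # full-line ';' and '#' comments are skipped
    if not cp.has_section("Appliances"):
        raise ConfigError("no [Appliances] section")

    groups: Dict[str, Dict] = {}
    for key, value in cp.items("Appliances"):
        m = _INDEXED.match(key)
        if m is None:
            continue                          # SSLConfigFile, ServerCAFile, any non-indexed key
        field, idx = m.groups()
        groups.setdefault(idx, {})[_FIELD[field]] = value.strip()

    if len(groups) > MAX_APPLIANCES:
        raise ConfigError(f"{len(groups)} appliances registered; limit is {MAX_APPLIANCES}")

    records = []
    for idx in sorted(groups):
        rec = groups[idx]
        missing = sorted(set(_FIELD.values()) - set(rec))
        if missing:
            raise ConfigError(f"appliance {idx} is missing {', '.join(missing)}")
        try:
            rec["ip"] = str(ipaddress.ip_address(rec["ip"]))   # rejects malformed addresses
            rec["port"] = int(rec["port"])
        except ValueError as e:
            raise ConfigError(f"appliance {idx}: {e}") from e
        if not 1 <= rec["port"] <= 65535:
            raise ConfigError(f"appliance {idx}: port {rec['port']} out of range")
        rec["index"] = idx
        records.append(rec)
    return records


def lookup(records: List[Dict], name: str) -> Dict:
    """What '-mode connect <name>' needs: the IP, port and certificate CN for a registered name."""
    for rec in records:
        if rec["name"] == name:
            return rec
    raise ConfigError(f"{name} is not a registered appliance")


def config_error(text: str) -> Optional[str]:
    """None if the file parses cleanly, otherwise the first problem found."""
    try:
        parse_appliances(text)
    except (ConfigError, configparser.Error) as e:
        return str(e)
    return None


if __name__ == "__main__":
    for rec in parse_appliances(SAMPLE_INI):
        print(rec)
```

Run as a script it prints the two appliance records; a record missing one of its four keys, a malformed address, or more than 80 indices is reported as a ConfigError before anything tries to connect.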
When a Remote PED connection is in force, the local PED interface to the HSM is disabled. If a local PED operation is in progress, it is not possible to start a Remote PED connection until the current local-PED-mediated HSM operation completes. But it must be an active operation sequence - merely having a local PED physically connected to the HSM does not lock out the initiation of a Remote PED connection.
For example, if you had started an HSM command that began using a connected local PED and PED Key for authentication, and you started an SSH session in which you issued the ped connect (LunaCM) command or hsm ped connect (LunaSH) command, one of the following two things would happen:
•the remote "PED connect" command would begin executing, but would pause while the local-PED operation (started in the other command session) was in progress, and resume when the local-PED operation terminated
OR
•the remote "PED connect" command would begin executing, but would pause while the local-PED operation was in progress, and eventually time-out if the local-PED operation did not terminate sufficiently quickly.
If a Remote PED connection is currently in force, then the local PED is ignored, and all PED requests are routed to the Remote PED.
If a Remote PED connection is currently in force, then subsequent attempts to start a different connection are refused until the current connection times out or is deliberately stopped.
In local PED mode, one SafeNet PED is connected directly to the HSM. Timeouts are governed by the configuration of the appliance or host computer and the HSM and are not generally modifiable.
In Remote PED mode, the PED Server on each remote Workstation has a timeout setting (which can be modified), and the HSM has a Remote PED timeout setting that can be seen and modified in the configuration file. If nothing has been set, then the default value for the Remote PED connection timeout (1800 seconds) is in effect.
The Remote PED server instances on workstations, and the Remote PED client inside the SafeNet Network HSM appliance or on an HSM host computer, are not aware of each other's timeout values. For a given Remote PED connection, the shorter timeout value rules.
Thus, if a Remote PED server on one of your workstation computers were to timeout during a Remote PED sequence, it would log the event and send a message to the appliance or the HSM host that the connection had been open too long. The Remote PED Client on the SafeNet Network HSM appliance or on an HSM host computer, receiving that message, would gracefully close the link and the host-side timeout would not be reached.
Generally, the state that causes the HSM to look for PED authentication via the Remote path, rather than from a locally-connected PED, persists unless you change it. The session between the Remote PED and the PedServer on that host also remains intact. It is the link between PedClient (at the HSM end) and PedServer (at the Remote PED end) that goes down for lack of use, and that link can be restarted with a single command when needed.
If it has been some time (more than half an hour) since you performed any authentication operations via Remote PED, the link has probably lapsed. Find out with lunacm:>ped show. If it says "not assigned", then the connection has been lost. Simply issue the ped connect command again, when needed.
We suggest port 1503 for the legacy Remote PED connection, but you can use any port that does not conflict with another operation.
PedServer.exe (on the computer to which your Remote PED is attached) is run from the command line. If you accepted default locations when installing LunaClient (or Remote PED option from within LunaClient installer), then the software is installed on your C: drive under "Program Files". This has implications regarding the permissions you have on the system.
To use PedServer from within a protected location on a Windows 7 computer, right-click the Command Prompt icon, and from the resulting menu select "Run as Administrator".
Note: If you lack system permissions to operate as Administrator on the computer that is to host the PED Server, contact your IT department to address the situation.
Alternatively, install LunaClient (or a subset of it, such as Remote PED) in a non-default location in your computer that is not subject to permission restrictions. If you do so, you avoid this permission problem, but you must translate all file-location references in this documentation to reflect the chosen install location.
If you open a command-prompt window as an ordinary user in Windows 7, and run PedServer.exe, the program detects if it lacks access and permissions, and returns an error like the following:
C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.5 (10005)
Failed to load configuration file. Using default settings.
Ped Server launched in startup mode.
Starting background process
InternalRead: 10 seconds timeout
Failed to recv query response command: RC_OPERATION_TIMED_OUT c0000303
Background process startup timed out after 10 seconds.
Startup failed. : 0xc0000303 RC_OPERATION_TIMED_OUT
C:\Program Files\SafeNet\LunaClient>
If you encounter the error above, use Windows Task Manager to select the PedServer process, right-click, and select "End process", before cleanly retrying PedServer.exe via an Administrator Command Prompt.
Other Windows versions have not exhibited this requirement.
Regardless of whether you use Client-initiated mode or server-initiated, the connection is one-on-one. While a Remote PED connection is active between one HSM and one remote PED workstation (running PedServer.exe), neither entity is able to make a similar connection with a different partner. The connection must time out, or be deliberately stopped before the HSM can connect with another PedServer workstation and enter a new remote PED authentication arrangement.
When an RPV is created, it is a randomly-generated value that exists nowhere else. You control which (and how many) HSMs will contain that RPV, and which (and how many) orange RPK PED Keys will contain copies of it.
A Remote PED with an inserted RPK (orange Remote PED Key) can be used only with distant SafeNet HSMs that share that exact RPV. If you launch a Remote PedServer with a connected Remote PED and provide any other orange PED Key, it is not accepted by any distant SafeNet HSM that does not have the matching RPV. In this manner, you can segregate the ability of personnel to remotely control specific HSMs, by controlling which orange PED Keys they are issued. Two people in the same office could have access and control of entirely different sets of remotely located HSMs, with no overlap, as long as you trusted them not to exchange orange PED Keys. You can further control who has what access by invoking MofN when you first create an RPV.
Remote PED for SafeNet HSM 5.2 and newer is not compatible with earlier HSM versions.
All communication between the Remote PED and the HSM in its host is transmitted within an AES-256 encrypted channel using session keys based on a secret (the Remote PED Vector (RPV) on the orange Remote PED Key (RPK)) that is shared out-of-band by means of that orange PED Key. This is considered a very secure query/response mechanism.