Home > |
---|
At this point, you have a Remote PED Vector (RPV) shared between at least one orange PED Key and at least one HSM. The RPV is the means by which a Remote PED server authenticates to an HSM, allowing the HSM to accept other PED Key values (blue, red, black, gray, white, purple) from a SafeNet PED that is not directly, physically connected.
The following section details how to launch that connection from the HSM host (which is considered the client in the Remote PED world). If you have firewall or other constraints that prevent the initiation of a connection from your HSM host out to the PedServer in the external network, then see Using Server-initiated (Peer-to-Peer) Remote PED Connection, instead. The general process for client-initiated Remote PED is the same for Remote PED service toward
•a host computer containing an internally installed SafeNet PCIe HSM
•a host computer containing an externally connected SafeNet USB HSM
•a SafeNet Network HSM appliance.
1.Bring a SafeNet PED 2 with Remote PED capability, the PED Keys (blue and black and red), and at least one imprinted orange PED Key to the location of your compatible Windows workstation computer (anywhere in the world with a suitable network connection). You should already have the most recent PED driver software and the PedServer.exe software installed on that computer.
Note: The software and driver are provided on the SafeNet Client installer, but are optional during the installation process. If you intend to use Remote PED (and therefore need the PED driver and the PedServer executable program), ensure that Remote PED is among the options selected during installation. Alternatively, you can launch the installer at a later time and modify the existing SafeNet HSM Client installation to include Remote PED at that time.
When you connect your SafeNet PED2 Remote to electrical mains power (AC power outlet) and to your computer's USB port, the operating system detects the new hardware and should locate the appropriate driver. If that does not happen, then the system presents a dialog for you to help it find the location where the LunaPED driver has been placed.
2.Connect the Remote PED to its power source via the power adapter.
3.Connect the Remote PED to the workstation computer via the USB cable.
4.When the PED powers on and completes its self-test, it is in Local PED mode by default.
Press the [<] key to reach the "Select Mode" menu.
Press [7] to enter Remote PED mode.
5.Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt), locate and run PedServer.exe (we suggest that you try it out beforehand, to become familiar with the modes and options - if you experience any problem with PED operation timeout being too short, use "PedServer -mode config -set <value in seconds>" to increment the "sreadrsptimeout" value).
Set PedServer.exe to its "listening" mode.
c: > PedServer -m start
Ped Server Version 1.0.5 (10005)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
c:\PED\ >
Note: When running pedserver -mode start on an IPv6 network, you must include the -ip <IPv6_address> option.
Note: If you encounter a message "Failed to load configuration file...", this is not an error. It just means that you have not changed the default configuration, so no file has been created. The server default values are used.
6.Open an ssh session to the SafeNet Network HSM appliance and login as admin.
7.Start the PED Client (the Remote PED enabling process on the appliance):
lush:> hsm ped connect -i 183.21.12.161 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
Ped Client Version 1.0.0 (10000)
Ped Client launched in startup mode.
Starting background process
Background process started
Ped Client Process created, exiting this process.
Command Result : 0 (Success)
[luna27] lush:>
Note: The serial number option on command hsm ped connect is needed if you are using Remote PED with an HSM other than the on-board SafeNet Network HSM (such as a connected SafeNet USB HSM for PKI). If a serial number is not specified, the internal HSM is assumed by default.
8.To verify that the Remote PED connection is functional, try some HSM commands that require PED action and PED Key authentication - the simplest is hsm login. First logout, because you were already logged in to the HSM...
[luna27] lush:>hsm logout
'hsm logout' successful.
Command Result : 0 (Success)
[luna27] lush:>hsm login
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
'hsm login' successful.
Command Result : 0 (Success)
[luna27] lush:>
9.At this point, you have successfully set up a Remote PED link between a workstation computer (with PED attached to its USB port) and a distant SafeNet Network HSM/appliance. You have demonstrated that success by performing an HSM operation that demanded SO/HSM Admin PED Key authentication, without being physically near to the SafeNet Network HSM/appliance, and without having a SafeNet Network HSM PED directly attached to the SafeNet Network HSM/appliance.
You can now perform any HSM administration chores (including Cluster creation/administration) as though you were physically adjacent to the HSM, with equal confidence in the security of the system [HSM products that include Remote PED are now routinely submitted to approving agencies (like NIST/FIPS) for validation].
10.To disconnect:
[luna27] lush:>hsm ped disconnect
WARNING !! This command will disconnect remote PED. If you are sure that you wish to proceed, then enter 'proceed', otherwise this command will abort.
> proceed Proceeding...
Ped Client Version 1.0.0 (10000)
Ped Client launched in shutdown mode.
Shutdown passed.
Command Result : 0 (Success)
[luna27] lush:>
Note: If a Remote PED session is in effect and you press the [<] key on the PED (to go to the PED's "Select mode" menu), that action amounts to exiting the Remote PED mode. Therefore, the PED displays a message:
** WARNING **
Exiting now will
invalidate the RPK.
Confirm ? YES/NO
If you press [YES], the RPK-validated Remote PED session is dropped and must be re-established from the HSM (with "hsm ped connect <network-target>" before you can resume activity with the Remote PED.
In other words, if you want to use that PED for any other purpose than the current connection with one remote HSM, you have to drop the current session to make such other use of the PED, and then have the appropriate RPK available when you are ready to re-establish the prior Remote PED connection. )
Note: The above note talks about a "session" that exists only between the Remote PED and the computer (actually the PedServer software running on that computer) to which the Remote PED is connected. That is separate from the session that was established between the distant appliance/HSM and the PedServer on your computer. The session between computer and HSM is time-sensitive - it is in existence while needed and is either dropped intentionally or times out after brief inactivity. The session between the Remote PED and its attached computer persists until you disconnect the PED or change modes, or until you stop the PedServer.exe process on the computer.
***** The default timeout for a Remote PED link between PedClient at the HSM and PedServer at the Remote PED, is 1800 seconds, or 30 minutes. If no Remote PED activity is requested for the entire timeout duration, the link ends, and must be re-established. While that link is down, and the HSM remains set to expect Remote PED operation, any requested PED operations simply fail. We recommend performing a disconnect before performing a connect, to ensure that the old link is cleanly severed and that a new link is cleanly established. *****
Note: PED KEY MIGRATION from older classic-PED Datakeys (the PED Keys that look like toy plastic keys) is NOT SUPPORTED over Remote PED, because the old classic PED 1.x has no way to connect to the PED Server. Migration of PED Keys from DataKeys to iKeys must be done locally. )
As a user of the HSM (or an application partition on that HSM) wanting to perform an HSM operation that requires a PED operation, do the following:
1.From LunaSH, run command hsm ped select –h <hostname>.The <hostname> is the PED Server hostname.
Note: The two LunaSH commands hsm ped deselect –host <hostname> and hsm ped select –host <hostname> -serial <serial number> both support peer-connection mode.
–PED Client sends a message to the PED Server with the HSM serial number to notify that the PED Server is now selected for PED operations.
–PED Server receives the message and updates the processing status from waiting to process commands (read and write commands from and to the PED).
2.A user of the HSM (or an application partition of the HSM) executes an operation that requires authentication via PED. The behavior is the same as for non-peer mode if the connection was initiated from the HSM side.
Note: There is no timeout for the connection between PED Server and PED Client when using the server-initiated (peer-to-peer) mode of connection.
If you need to deselect the PED Server, run hsm ped deselect –host <hostname>.
1.PED Client sends a message to the PED Server that it is no longer selected.
2.PED Server acknowledges the message and resets the PED to clear the current session ID and the generated Diffie-Hellman key.
3.PED Server sets the PED to stand-by. Any additional read and write command from PED Client is ignored and is logged for security and debugging purposes.
If the user executes the disconnect command in PED Server, or if the connection is terminated abnormally, the PED Client receives the message and removes that PED Server from the connection table.
If you encounter problems with Remote PED, Troubleshooting Remote PED.