When it is not convenient to be physically near the host computer that contains a SafeNet HSM, you can remotely and securely connect a SafeNet PED and present PED Keys, as follows:
1. On the computer used to host the HSM or SO Partition, allow remote desktop access or ssh, and have the pedclient.exe program available.
2. On the remote administrative workstation used to host the remote PED (which for this purpose must run the Windows operating system), use a remote-desktop client or ssh, have a SafeNet PED2 (with Remote capability) connected, and have the pedserver tool installed and running.
3. Using remote desktop or ssh, make the Remote PED connection between the HSM host and the remote administrative workstation:
a. Start the pedserver listening on the remote PED host.
b. Start pedclient on the HSM host, indicating the slot number of the HSM for which Remote PED services are to be provided.
The combination of pedserver on one computer and pedclient on the other provides the trusted path for secure transfer of authentication data.
4. Run commands on the HSM via the remote desktop or ssh.
Use static IP addressing for PED Client and PED Server. PED Client can fail to find the server if a dynamically assigned address is given. The resulting error looks like this:
lunash:>hsm ped connect -ip 192.20.11.67 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED Key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
readIPFromConfigFile() : config file did not contain an IP address.
Startup failed. : 0xc0000404 RC_FILE_ERROR
Command Result : 65535 (Luna Shell execution)
lunash:>
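An operator who scripts Remote PED setup will want to fail fast on exactly the error above rather than leave a slot waiting. The following is an added example, not Thales/SafeNet code and not part of the original page: it parses a lunash "hsm ped connect" transcript in the format shown above, pulls out the return code and symbolic name, and rejects a hostname in place of a literal (static) IP before the connection is even attempted. The transcript embedded in the block is constructed from the page's own sample output; the function names and the diagnosis strings are this example's own conventions.

```python
import ipaddress
import re

# Sample lunash transcript, constructed from the failure shown above.
SAMPLE_FAILURE = """\
lunash:>hsm ped connect -ip 192.20.11.67 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED Key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
readIPFromConfigFile() : config file did not contain an IP address.
Startup failed. : 0xc0000404 RC_FILE_ERROR
Command Result : 65535 (Luna Shell execution)
lunash:>
"""

# Patterns for the three lines that matter: the command as typed, the
# startup failure line (hex code plus symbolic name), and the lunash result.
_CMD_RE = re.compile(r"^lunash:>hsm ped connect\s+-ip\s+(\S+)\s+-port\s+(\d+)", re.M)
_FAIL_RE = re.compile(r"^Startup failed\.\s*:\s*(0x[0-9a-fA-F]+)\s+(\S+)", re.M)
_RESULT_RE = re.compile(r"^Command Result\s*:\s*(\d+)", re.M)


def parse_ped_connect(transcript: str) -> dict:
    """Extract target address, port, failure code and command result
    from a lunash 'hsm ped connect' transcript."""
    cmd = _CMD_RE.search(transcript)
    fail = _FAIL_RE.search(transcript)
    result = _RESULT_RE.search(transcript)
    return {
        "ip": cmd.group(1) if cmd else None,
        "port": int(cmd.group(2)) if cmd else None,
        "startup_failed": fail is not None,
        "rc_hex": fail.group(1).lower() if fail else None,
        "rc_name": fail.group(2) if fail else None,
        "command_result": int(result.group(1)) if result else None,
        # The page's example shows this message when the PED Server IP is
        # missing from the client configuration.
        "missing_ip_in_config": "config file did not contain an IP address" in transcript,
    }


def is_static_literal_address(addr: str) -> bool:
    """True only for a literal IPv4/IPv6 address. Hostnames are rejected
    because PED Client may not find a server behind a dynamic address."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return True


def diagnose(transcript: str) -> str:
    """Map a transcript to a short, script-friendly diagnosis string."""
    info = parse_ped_connect(transcript)
    if info["ip"] is not None and not is_static_literal_address(info["ip"]):
        return "use-static-ip"
    if info["missing_ip_in_config"]:
        return "ped-server-ip-not-configured"
    if info["startup_failed"]:
        return f"startup-failed:{info['rc_name']}"
    if info["command_result"] not in (None, 0):
        return f"command-result:{info['command_result']}"
    return "ok"


if __name__ == "__main__":
    print(parse_ped_connect(SAMPLE_FAILURE))
    print(diagnose(SAMPLE_FAILURE))
```

In a wrapper script, run the diagnosis before issuing any command that would invoke a PED operation on the slot; a non-"ok" result means the Remote PED path is not up and the slot should not be touched until it is.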
The authentication conversation is between the HSM and the PED. Authentication data retrieved from the PED Keys never exists unencrypted outside of the PED or the HSM.
PEDClient and PEDServer merely provide the communication pathway between the PED and the HSM. Along that path, the authentication data remains encrypted.
Remote PED (via pedclient.exe) can provide PED services to only one HSM slot at a time. To provide PED interaction (remotely) to another slot, you must close pedclient.exe for that first slot/HSM and then open pedclient.exe for the next slot/HSM.
Once a slot has been set up with its authentication data cached (autoActivation), and pedclient has closed (perhaps because you need to open pedclient for another slot), you must not issue any command to that original slot that would require PED interaction. If you issue a command that invokes a PED operation when no PED is connected to the HSM (such as when pedclient and the Remote PED are busy with another slot, or when pedclient.exe is simply not running), the affected HSM pauses until the requested operation times out. This means that any client application that was using that HSM stops for the duration of the timeout.