Using the Remote PED Feature

To use Remote PED for the first time, you will need:

- a SafeNet PED 2.4.0-3 (or later) with the Remote PED feature installed (new Remote PED units are shipped with a Remote PED sticker on the front)

- a power adapter for the Remote PED (when the PED is not connected to a SafeNet Network HSM via the PED port, it requires the separate power adapter to supply its power; the USB connection is insufficient for that purpose)

- a complete set of PED Keys, including an orange Remote PED key (either new/empty or already containing a Remote PED vector)

- local access to the SafeNet HSM (for the first session only)

- an HSM that supports the Remote PED feature (includes the Remote PED Client)

- a workstation/PC with the PEDserver.exe (Remote PED Server application) running, and with the appropriate PED driver already installed

You will need physical access to your SafeNet Network HSM when first setting up Remote PED, because the Remote PED vector must be created by the HSM and imprinted on a blank PED Key, or it must be acquired from a previously imprinted orange PED Key and stored in the HSM. Thereafter, the orange PED Key is used with the Remote PED from a remote location, and the connection is secured by having the matching Remote PED vector at both the HSM and the Remote PED server (your remote workstation with Remote PED attached).

Note:  If you encounter timeout problems (possible if you are using MofN with many keys, if you are reading instructions as you go, or if you are otherwise not speedy while following prompts), you can adjust timeout values to allow for a more relaxed pace. For PedServer.exe, you can run:
pedserver -mode config set -socketreadrsptimeout <seconds>
but you would also need to increase the timeout in the crystoki.ini client software configuration file. Moreover, the PEDServer -socketreadrsptimeout value must always be larger than the timeout in the configuration file.

Note:  In general, do not change settings (especially in the crystoki.ini file) unless you have good reason to do so, or are instructed to do so, by Gemalto Customer Support.

Use static IP addressing for PED Client / PED Server. PED Client can fail to find a server if a dynamic address is used. An example error might look like this:

lunash:>hsm ped connect -ip 192.20.11.67 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED Key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
readIPFromConfigFile() : config file did not contain an IP address.
Startup failed. : 0xc0000404 RC_FILE_ERROR
Command Result : 65535 (Luna Shell execution)
lunash:>

Note:  If the HSM host (a SafeNet Network HSM appliance or a host computer with SafeNet PCIe HSM or SafeNet USB HSM) has more than one SafeNet HSM connected, then you might need to specify the "-serial" option, to identify the desired HSM by its serial number.

If "-serial" is not specified in the commands
  hsm ped vector init
  hsm ped vector erase
  hsm ped connect
  hsm ped disconnect
then the action defaults to the first HSM that is found.

Prepare a Remote PED Vector

This section creates or copies a Remote PED Vector (RPV) so that the same RPV exists on the HSM and on an orange PED Key that can accompany the Remote PED, permitting a connection between that Remote PED and that HSM.

Setup Instructions

The steps to set up Remote PED are:

1. Initialize the HSM (if you have not already done so). Creating the orange Remote PED key requires HSM login; HSM login requires an initialized HSM; and all of this must be done with a local PED connection the first time.

2. Have the SafeNet PED connected to the PED port of the HSM, and set to Local PED mode.

3. Log in as SO:
[myluna] lunash:>hsm login
Luna PED operation required to login as HSM Administrator - use blue PED key(s).
'hsm login' successful.
Command Result : 0 (Success)
[myluna] lunash:>

4. Have a blank PED Key, with orange label, ready. Create and imprint the RPV (Remote PED Vector):
[myluna] lunash:>hsm ped vector init
WARNING !! This command will initialize remote PED vector (RPV).
If you are sure that you wish to proceed, then enter 'proceed', otherwise this command will abort. > proceed
Proceeding... SafeNet PED operation required to initialize remote PED key vector - use orange PED key(s).
(At this time, go to the SafeNet PED and respond to the prompts by providing either a "fresh" orange PED Key (which prompts creation and imprinting of a new/unique RPV) or an already-imprinted orange PED Key (which prompts the PED to ask whether you want to reuse the existing PED Key data), along with additional blanks if you intend to make duplicates.)
The PED says:
[PED display image not reproduced here]

If this is the first RPV that you are creating, then answer [NO].
If you have an existing RPV on an orange PED Key, then answer [YES] if you want to preserve it and add it to this current HSM, or [NO] if you have made a mistake and wish to find a different blank (or outdated) key to imprint.
For this example, we will assume no existing RPV.
The PED says:
[PED display image not reproduced here]

If you wish to split the RPV secret over several RPKs, for MofN split-knowledge, multi-person access control of the Remote PED function, then input a value for M that is greater than "1". This is the number of persons, each holding an orange key containing a split of the RPV secret, who must come together and present their portions whenever the RPK is required. If you prefer not to invoke MofN, then press [ 1 ], followed by [Enter].

If you have invoked MofN with an M value greater than "1", then you must enter a value for N that is equal to, or greater than, M. N is the total pool of orange keys over which your RPV will be split, from which sub-groups of quantity M will be required for authentication. The simplest scheme is to declare a value for M that gives you the desired security oversight of the Remote PED function, and then specify N slightly larger so that you always have at least quantity M key-holders available, even when some are absent for vacation, travel, illness or other reasons. Example: M=3, N=5, where any 3 of the total 5 splits can combine to reconstitute the secret.

Do as prompted, inserting an unused PED Key into the PED's key slot (top-right of the PED), and press [ENTER].
For a fresh, new, never-before imprinted PED Key, the PED says:
[PED display image not reproduced here]

Answer [YES] so that the HSM can create an RPV and transfer it to the PED, where it is imprinted onto the blank PED Key that you have inserted. If you invoked MofN, then the PED will prompt you to continue inserting orange PED Keys for imprinting with portions of the secret until you have imprinted quantity N of them.

If you need two-part security to protect the Remote PED function, and wish to add a "something you know" component to the "something you have" (the physical PED Key), type a series of digits on the keypad, then type them again to confirm. Now, whenever you are prompted to present the orange RPK, you must also input the code, called a PED PIN, that you have just added. The secret that unlocks the HSM to perform Remote PED operation is now a combination of a data secret contained in the physical key and a typed-in numeric code that you must remember.

Press [Enter] with no digits if you do not want an additional "something you know" secret attached to this PED Key. In future, SafeNet PED will nevertheless prompt you for a PED PIN whenever you present the RPK, but you will always just press [Enter] (with no digits) at that prompt; no PED PIN is required.

This completes the imprinting of the key (or keys if you opted for MofN).

While the imprinted orange PED Key is still in the PED's slot, SafeNet PED then wants to know if you intend to make some copies of the currently-inserted PED Key (which now carries the RPV for the HSM) or group of PED Keys:

[PED display image not reproduced here]

Answer [YES] if you wish to make copies, and follow the instructions to insert keys and press [ENTER]. Respond to the prompts about overwriting, PED PIN, etc.
When you have made all the copies that you wish, respond [NO] to the final prompt.
Control is returned to the lunash command line:

Ped Client Version 1.0.0 (10000)

Ped Client launched in shutdown mode.
Ped Client is not currently running.
Shutdown passed.
Command Result : 0 (Success)
[myluna] lunash:>

(If you see references to "shutdown mode", that is the shell [lunash] exchanging messages with the Remote PED Client application (also found on your SafeNet appliance), which is called, runs in the background, and shuts down, possibly multiple times, depending upon the task that you have initiated via [lunash:>] commands.)

5. Go to either Client-(HSM)-initiated Remote PED (Using Client-initiated Remote PED Connection) or Server-initiated Remote PED (Using Server-initiated (Peer-to-Peer) Remote PED Connection).