Home > |
---|
The PED is an accessory device that allows compatible SafeNet HSMs to securely store their authentication data on PED Keys (specially configured USB tokens), to retrieve that data when needed, and to modify the content of PED Keys for security and operational purposes. All of the SafeNet PED and PED Key actions can be accomplished with the SafeNet PED directly connected to the SafeNet HSM, and powered by that HSM. Sometimes that direct connection is inconvenient, due to location of the HSM and of the personnel who are charged with controlling and managing the HSM. In such circumstances, it can be useful to employ a SafeNet PED with Remote capability.
Remote PED is supported (and requires installation/configuration) in two parts:
•PEDClient, which runs on the HSM host and allows the HSM to seek PED Key data from a remotely located SafeNet PED. PEDClient is part of the SafeNet HSM Client software installation for every type of SafeNet HSM except SafeNet Network HSM (because PEDClient is already present, by default, within the SafeNet Network HSM appliance).
•PEDServer, which runs on Remote PED host. PEDServer is installed if the "Remote PED" option is selected during SafeNet Client software installation, and includes the PedServer.exe executable, along with the SafeNet PED device drivers. If the target computer is intended to be a PEDServer, but is not going to be a Client to your SafeNet HSM, then you can use SafeNet HSM Client installer to install only the Remote PED option and exclude any unneeded client-side options.
•An HSM host, configured as described elsewhere in this document, with PEDClient available, and with its own working network connection.
•A remote PED host computer with a supported operating system (see the Customer Release Notes for supported platforms) to run PEDServer.
•Sufficient privileges on the remote PED host, depending on platform and location (local network, WAN, VPN...)
•Current SafeNet HSM Client installer (LunaClient.msi)
•SafeNet PED (Remote capable) V.2.4.0-3 or newer (see the bottom of the PED's Select Mode menu for the version)
•The power block and cord that accompanied your Remote PED, and the USB-A to USB-Mini-b cable
•PED Keys.
•A network connection.
This configuration takes place in two locations:
•on the HSM host.
•on the Remote PED host.
1.Install/configure your HSM host as described previously.
2.Change to the directory where SafeNet HSM Client is installed and launch lunacm.
Type: c:\Program Files\SafeNet\LunaClient> lunacm
3.With a SafeNet PED connected locally, initialize a Remote PED Vector for the HSM and for an orange PED Key.
Type: lunacm:> ped vector init and respond to the SafeNet PED prompts.
By means of your responses to the PED prompts, you can choose to have the HSM generate a new RPV to be held by both the HSM and a new orange PED Key, or you can choose to re-use an RPV already on an existing orange PED Key, and imprint that on the HSM.
As always, we suggest that you make at least one extra copy of the Remote PED Key.
4.Bring an orange PED Key, containing the RPV for this HSM, from the HSM to the location of the Remote PED server.
1.SafeNet PED should not yet be connected to the PEDServer computer.
2.Install the SafeNet HSM Client software, selecting "Remote PED" option - for the purposes of Remote PED. Any additional SafeNet HSM Client installation choices are optional for this host system.
3.Click Install when prompted to install the driver.
4.Reboot the computer to ensure that the LunaPED driver is accepted by the operating system. This is not required for Windows Server Series.
5.Connect the Remote Capable SafeNet PED to AC power, using the supplied power block, and to the PEDServer computer, using the supplied USB-A to USB-mini-b cable.
Windows acknowledges the new device.
SafeNet PED performs its start-up sequence, and settles into Local Mode, by default.
6.Press the [ < ] key on the PED to access the "Select Mode" menu.
7.Press [ 7 ] to select "Remote PED" mode.
8.Ensure that your firewall does not block communication between PEDClient and PEDServer. If switching off the firewall for Home and Public Network is not an option, see the Troubleshooting section below.
9.Open a Command Prompt window.
If PedServer.exe attempts to access the pedServer.ini file in C:\Program Files\.... that is treated as an action in a restricted area in some versions of Windows. In that case, you should open the Command Prompt as Administrator, rather than as your normal user. To do so, right-click the Command Prompt icon and, from the pop-up menu, select Run as administrator.
Note: Windows Server 2008 launches Command Prompt as Administrator, by default, so no special steps are necessary.
Note: By default, PedServer.exe attempts to access pedServer.ini if such a file exists in the expected location. If it does not exist, then default values are used by PedServer.exe until you perform a "-mode config -set" operation to create a pedServer.ini.
10.Go to the installed SafeNet HSM Client directory.
Type cd "\Program Files\SafeNet\LunaClient"
11.Launch the PEDServer.
Type pedserver -mode start
12.Verify that the service has started.
Type pedserver -mode show
and look for mention of the default port "1503" (or other, if you specified a different listening port). In addition, "Ped2 Connection Status:" should say "Connected". This indicates that the SafeNet PED that you connected (above) was found by PEDServer.
Note: If a port other than the default 1503 was specified in pedserver -mode start
, for example pedserver -mode start -port 1523
, then pedserver -mode show
command should pass in the same port, for example pedserver -mode show -port 1523
.
If a non-default value for the listening port was configured (meaning that it was present in pedServer.ini), then pedserver -mode show
finds the port from that file.
13.Note the IP address of the PEDServer host. We generally recommend using static IP, but if you are operating over a VPN, you will likely need to ascertain the current address each time you [re-]connect to the VPN server and are assigned an address.
C:\windows\system32>ipconfig Windows IP Configuration Ethernet adapter Bluetooth Network Connection 2: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Wireless LAN adapter Wireless Network Connection 4: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Wireless LAN adapter Wireless Network Connection 3: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::cd74:173c:692a:22b0%26 IPv4 Address. . . . . . . . . . . : 192.168.0.16 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.0.1 Ethernet adapter Local Area Connection 3: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Ethernet adapter Local Area Connection 2: Connection-specific DNS Suffix . : Link-local IPv6 Address . . . . . : fe80::5456:b034:a1ff:96fe%14 IPv4 Address. . . . . . . . . . . : 182.16.153.114 <<--- this one, in our example Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : Tunnel adapter isatap.{9EE24CB0-63D2-4D40-902B-3DC3193701FA}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter Local Area Connection* 17: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:3cca:2f17:3f57:ffef Link-local IPv6 Address . . . . . : fe80::3cca:2f17:3f57:ffef%11 Default Gateway . . . . . . . . . : :: Tunnel adapter isatap.{9D552290-62C3-479B-A312-FAEA518B1655}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Tunnel adapter isatap.{184652AE-5DF0-470C-84BE-B4D09760D3C9}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : C:\windows\system32>
Note: Your organization's VPN might be configured with a relatively short lease time, so that you might need to re-establish the SafeNet Remote PED connection at intervals of hours or days, providing the newly assigned IP address of your PEDServer computer each time.
Note: We generally advise not specifying the IP address when starting the PED server, unless you have a specific reason to set an address there. Just say "pedserver -mode start".
In a volatile network or VPN situation, this means that, when the host IP changes on the PED server, only pedclient needs restarting with the new pedserver IP address. There is no need to also stop-and-restart pedserver.exe with a new IP.
Once started, pedserver.exe remains on, and listening until you explicitly tell it to stop, or until the host computer stops.
Note: For the purposes of the PEDClient (the HSM that seeks a Remote PED connection) you can specify the PEDServer's IP address and listening port each time you connect. Or you can use the lunacm:> ped set
command to configure either, or both of those parameters, which are then picked up by the lunacm:> ped connect
command when you wish to establish the connection.
If the listening port of the PEDServer is not specified, then the default value "1503" is assumed. The IP address must be specified somewhere; there is no original default. If an IP address or a port is specified in the lunacm:> ped connect
command, it overrides any value that was set by lunacm:> ped set
, but only for the current connection.
1.Launch the PEDClient on your HSM server, identifying the PEDServer instance (configured above) to which the HSM is to connect for its authentication requirements.
Type lunacm:> ped connect -ip <pedserver ip> -port <pedserver listening port>
(substituting your actual PEDServer IP and port)
for example: lunacm:> ped connect -ip 182.16.153.114 -port 1503
SafeNet PED operation required to to connect to Remote PED - use orange PED Key(s).
At this point, the remote SafeNet PED should come to life, briefly saying "Token found..." followed by this prompt:
2.Insert the orange PED Key that you brought from the HSM to the remote PED, and press [ Enter ] on the PED keypad.
When the orange PED Key is accepted, control returns to the HSM command-line with a success message: "Command Result : 0 (Success)"
Once you have reached this point, you can continue to issue HSM or Partition commands, and whenever authentication is needed, the Remote PED will prompt for the required PED Key and associated key-presses.
The PEDServer utility continues to run until explicitly stopped.
On the HSM end, PEDClient (launched by the "connect" command) continues to run until you explicitly stop with the "disconnect" command, or the link is broken. At any time, you can run the command in "show" mode to see what state it is in.
If you physically disconnect the Remote PED from its host, the link between PEDClient and PEDServer is dropped.
If the network connection is disrupted, or if your VPN closes, the link between PEDClient and PEDServer is dropped.
If you attempt to change menus on the Remote PED, the PED warns you:
If you persist, the link between PEDClient and PEDServer is dropped.
If the "IdleConnectionTimeoutSeconds" is reached, the link between PEDClient and PEDServer is dropped. The default is 1800 seconds, or 30 minutes. You can modify the default value with the "-idletimeout" option.
Any time the link is dropped, as long as the network connection is intact (or is resumed), you can restart PEDClient and PEDServer to reestablish the Remote PED link. In a stable network situation, the link should remain available until timeout.
Here are some suggestions for addressing some possible issues when configuring SafeNet Remote PED.
If you experience problems while attempting to configure a SafeNet Remote PED session over VPN, you might need to adjust Windows Firewall settings.
1.From the Windows Start Menu, select "Control Panel".
2.From the "Control Panel", select "Windows Firewall".
3.From the "Windows Firewall" dialog, select "Change notification settings".
4.In the dialog "Customize settings for each type of network", go to the appropriate section and activate "Notify me when Windows Firewall blocks a new program".
Without this setting, it might not matter that you have Administrator-level privileges on the PEDServer host computer, because Windows would silently block the connection from PEDClient to PEDServer, and not give you an opportunity to exercise your power to approve the connection.
With notification turned on, a dialog box pops up whenever Windows Firewall blocks a program, allowing you to override the block, which permits the SafeNet Remote PED connection to successfully listen for PEDClient connections.
Another possible issue is that some networks might be configured to block access to certain ports. If such policy on your network includes ports 1503 (the default PEDServer listening port) and 1502 the administrative port, then you might need to choose a port other than the default, when starting PEDServer, and similarly, when you launch the connection from the HSM end and provide the IP and port where it should look for the PEDServer. Otherwise, perhaps your network administrator can assist.
An option that some customers use is a port-forwarding "jump" server, co-located with the SafeNet HSM appliances, on the datacenter side of the firewall. The datacenter is usually a very stable/static network environment. By contrast, a client host on a desktop in a corporate office is more likely to be separated from the internet by an assortment of switches, firewalls, routers, etc., subject to change for any number of reasons. Implementing a jump server can be a low-cost and useful addition:
•to get around port-blocking problems, or to be able to react quickly to shifts in the corporate port and routing environment,
•as a way to implement a PKI authentication layer for Remote PED, and optionally for other SSH access, by (for example) setting up smart-card access control to the jump server.
For our own test of the solution, we used a standard Ubuntu Server distribution, with OpenSSH installed. No other changes were made to the system from the standard installation.
1.Connect a SafeNet PED, set to Remote Mode, to a Windows host with SafeNet HSM Client installed, and PEDServer running (see above for details).
2.From the Windows host, in an Administrator Command Prompt, run this command:
plink -ssh -N -T -R 1600:localhost:1503 <user>@<IP of Linux Server>
3.From the SafeNet Network HSM, run the command:
hsm ped connect -ip <IP of Linux Server> -port 1600
The connection is made to the Windows host running PEDServer, via the Linux Server, through the SSH session that was initiated out-bound from the Windows host.
A variant of this arrangement has port 22 also routed through the jump server, which allows you to bring administrative access to the SafeNet appliance under the PKI access-control scheme.