By default, when Remote PED is needed, a SafeNet HSM uses a local instance of PEDClient to initiate a connection with a distant instance of PEDServer. In cases where a SafeNet Network HSM resides behind a firewall with rules prohibiting the HSM host from initiating external connections, it is possible to have the PEDServer perform the initial call toward the HSM host in peer-connection mode.
The default mode (initiated by PEDClient) and the peer-connection mode (initiated by PEDServer) are mutually exclusive.
Note: The server-initiated (or peer-to-peer) Remote PED connection is carried over a TLS channel and secured by exchanged certificates from the participants.
Server-initiated connection mode is configured by two commands on the PedServer end:
•PedServer.exe -appliance register
•PedServer.exe -appliance delete
For use with SafeNet Network HSM, the paths to the pedServer.ini file and to the PEDserverCAFile.pem file must be in the Remote PED server host's crystoki.ini file, and the HSM appliance's server certificate must be added to the Remote PED server host's PEDserverCAFile.pem file. The server.pem is secure-copied from the SafeNet Network HSM appliance, and the PedServer.exe -appliance register command adds it to the PEDserverCAFile.pem file in the cert folder.
Server-initiated connection mode is started and stopped by two commands:
•PedServer.exe -mode connect
•PedServer.exe -mode disconnect
The PedServer.exe -mode disconnect command terminates any existing peer connection with the intended HSM host; it must be run before a new connection can be launched.
The PedClient on the SafeNet Network HSM appliance runs in background and listens on port 9697 for incoming Remote PED peer connection requests. You can specify different ports if needed, at both the PedClient and PedServer ends.
Three Lunash commands support peer-connection mode:
•hsm ped server register -certificate <filename>
•hsm ped select -host <hostname> -serial <serial number>
•hsm ped deselect -host <hostname>
The following constraints apply:
•This feature is not currently supported for use with IPv6 networks.
•A maximum of twenty connections is supported on the PedClient.
•If the connection is terminated abnormally (for example, a router or switch fails), it is not re-established automatically.
•When running in peer connection mode, the PedServer shuts down its listening service (the default mode), both for security and for simplicity. That is, once you have set the PedServer for server-initiated connection, it stops listening for a PedClient to attempt a connection.
•Once the PedServer connection to the PedClient is established, the connection remains up until
–disconnect command is executed from the PedServer
–PedClient terminates the connection
The following prerequisites are necessary to establish a functioning server-initiated Remote PED link.
•The PedClient (SafeNet Network HSM in this case) and the PedServer must be network accessible to each other.
•There must be no firewall rules or other impediments that block the certificate exchange and the establishment of a secure connection. Contact your network administrator if this is an issue.
PedServer has the commands to create a host certificate if necessary and to register a retrieved server certificate obtained from the HSM appliance. Upload/download of the certs is done with scp/pscp (provided).
Refer to the Installation Guide for detailed hardware and software instructions, with diagrams.
1.Bring a SafeNet PED 2 with Remote PED capability, the PED Keys (blue and black and red), and at least one imprinted orange PED Key to the location of your compatible Windows workstation computer (anywhere in the world with a suitable network connection). You should already have the most recent PED driver software and the PedServer.exe software installed on that computer.
Note: The software and driver are provided on the SafeNet Client installer, but are optional during the installation process. If you intend to use Remote PED (and therefore need the PED driver and the PedServer executable program), ensure that Remote PED is among the options selected during installation. Alternatively, you can launch the installer at a later time and modify the existing SafeNet HSM Client installation to include Remote PED at that time.
When you connect your SafeNet PED2 Remote to electrical mains power (AC power outlet) and to your computer's USB port, the operating system detects the new hardware and should locate the appropriate driver. If that does not happen, then the system presents a dialog for you to help it find the location where the LunaPED driver has been placed.
2.Connect the Remote PED to its power source via the power adapter.
3.Connect the Remote PED to the workstation computer via the USB cable.
4.When the PED powers on and completes its self-test, it is in Local PED mode by default.
Press the [<] key to reach the "Select Mode" menu.
Press [7] to enter Remote PED mode.
5.Open a Command Prompt window on the computer (for Windows 7, this must be an Administrator Command Prompt), then locate and run PedServer.exe. We suggest that you try it out beforehand to become familiar with the modes and options. If you find that the PED operation timeout is too short, use "PedServer -mode config -set <value in seconds>" to increase the "sreadrsptimeout" value.
Set PedServer.exe to its "listening" mode.
c: > PedServer -m start
Ped Server Version 1.0.5 (10005)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
c:\PED\ >
NOTE: if you encounter a message "Failed to load configuration file...", this is not an error. It just means that you have not changed the default configuration, so no file has been created. The server default values are used.
Below is a step by step connection setup between PedServer and PedClient:
1.If the PedServer host does not have a certificate, create one with the command:
pedServer -regen -commonname <common name>
(Create a new cert only if you do not already have a host certificate; otherwise keep and reuse the existing certificate, particularly if it is already in use for other purposes.)
2.Secure copy (SCP or PSCP) the host certificate to the admin account on the SafeNet Network HSM appliance.
pscp <pedserver-host-certificate>.pem admin@<hsm-appliance-hostname-or-ip>:
3.Secure copy (SCP or PSCP) the server.pem from SafeNet Network HSM appliance to the PedServer host.
pscp admin@<hsm-appliance-hostname-or-ip>:server.pem .
(The dot at the end ensures that the incoming file lands in the current folder.)
4.Register the server.pem with the pedServer -appliance register command.
pedServer -appliance register -name <unique name> -certificate <Network HSM certificate file> -ip <Network HSM address> [-port <port number>]
5.In an SSH session to the admin account on the SafeNet Network HSM appliance, register the PedServer host certificate with the appliance, using the hsm ped server register command.
lunash:>hsm ped server register -certificate <pedserver-cert-name>.pem
6.Connect to the PedClient with command:
pedServer -mode connect -name <SafeNet HSM server name>
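The PedServer-side half of steps 1 to 6, as an added PowerShell example written for this page (it is not SafeNet/Gemalto code). It runs the same commands the steps list, but checks reachability of the PedClient port first, tears down any stale peer connection before launching a new one, refuses to register a server.pem that is not a PEM certificate, and prints the appliance certificate's subject and SHA-256 fingerprint so the operator can confirm it out of band before it becomes a trust anchor in PEDserverCAFile.pem. Assumptions not stated on the page: Windows 8 / Server 2012 or later (for Test-NetConnection), an elevated PowerShell prompt, PedServer.exe and pscp.exe on PATH, the appliance admin password typed at the pscp prompts, and that -HostCert names the PEM file produced by "PedServer -regen" (the page does not give its default file name). Step 5 (hsm ped server register) is a Lunash command and is left to the operator.

```powershell
<#
  Added example, not SafeNet/Gemalto code: drives the PedServer-side half of the peer
  connection setup (steps 1 to 6) from the Windows workstation.
  Assumed (not from the page): Windows 8 / Server 2012 or later, elevated PowerShell,
  PedServer.exe and pscp.exe on PATH, and -HostCert is the PEM file that
  "PedServer -regen" writes (its default name is not given on the page).
#>
param(
    [Parameter(Mandatory)] [string] $ApplianceIp,   # SafeNet Network HSM address (the -ip value)
    [Parameter(Mandatory)] [string] $Name,          # unique name for this appliance entry
    [Parameter(Mandatory)] [string] $HostCert,      # PedServer host certificate, e.g. pedserver01.pem
    [string] $CommonName = $env:COMPUTERNAME,       # CN used if a new host certificate is generated
    [int]    $Port       = 9697                     # PedClient listening port (page default)
)
$ErrorActionPreference = 'Stop'

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code; PedServer and pscp
    # report failure through their exit status, not through PowerShell exceptions.
    param([string] $Exe, [string[]] $CmdArgs)
    & $Exe @CmdArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($CmdArgs -join ' ') exited with code $LASTEXITCODE" }
}

# Pre-flight: the two hosts must reach each other and no firewall may block the TLS exchange.
# A TCP probe of the PedClient port from this side catches the usual misconfiguration early.
$probe = Test-NetConnection -ComputerName $ApplianceIp -Port $Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP ${ApplianceIp}:${Port} is not reachable from this host; fix routing/firewall first"
}

# Peer mode and listening mode are mutually exclusive, and an existing peer connection must be
# torn down before a new one can be launched, so start from a known state.
# Errors are ignored here on purpose: there may be nothing to disconnect.
try { & PedServer.exe -mode disconnect } catch { }

# Step 1: create a host certificate only if this workstation does not already have one.
if (-not (Test-Path $HostCert)) {
    Invoke-Checked 'PedServer.exe' @('-regen', '-commonname', $CommonName)
    if (-not (Test-Path $HostCert)) { throw "PedServer -regen did not produce $HostCert" }
}

# Step 2: push the host certificate to the appliance admin account (pscp prompts for the password).
Invoke-Checked 'pscp.exe' @($HostCert, "admin@${ApplianceIp}:")

# Step 3: pull the appliance's server.pem into the current folder.
Invoke-Checked 'pscp.exe' @("admin@${ApplianceIp}:server.pem", '.')

# Sanity-check what came back and show its identity. This certificate becomes a trust anchor in
# PEDserverCAFile.pem, so a substituted file would let an impostor appliance drive PED prompts;
# the operator should confirm the fingerprint with the HSM administrator before registering it.
if (-not (Select-String -Path 'server.pem' -Pattern 'BEGIN CERTIFICATE' -Quiet)) {
    throw 'server.pem is not a PEM certificate'
}
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList ((Resolve-Path 'server.pem').Path)
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString('x2') }) -join ':'
Write-Host "Appliance certificate subject : $($cert.Subject)"
Write-Host "Appliance certificate SHA-256 : $sha256  (confirm out of band before continuing)"
Read-Host  'Press Enter to register this certificate, or Ctrl+C to abort'

# Step 4: register server.pem; PedServer appends it to PEDserverCAFile.pem in the cert folder.
Invoke-Checked 'PedServer.exe' @('-appliance', 'register', '-name', $Name,
                                 '-certificate', 'server.pem', '-ip', $ApplianceIp, '-port', $Port)

# Step 5 is a Lunash command on the appliance and is not automated here.
Write-Host 'Now, in an SSH session to the appliance admin account, run:'
Write-Host "  lunash:> hsm ped server register -certificate $(Split-Path -Leaf $HostCert)"
Read-Host  'Press Enter once that command has succeeded'

# Step 6: open the peer connection. PedServer stops listening for PedClients while in this mode.
Invoke-Checked 'PedServer.exe' @('-mode', 'connect', '-name', $Name)
```

Run it as, for example, `.\Setup-PeerPed.ps1 -ApplianceIp 192.0.2.10 -Name hsm01 -HostCert pedserver01.pem` (script name and values are placeholders). The fingerprint pause is the one step the written procedure does not call out: pscp authenticates the appliance's SSH host key, not the certificate inside server.pem, so the file's contents deserve a second check before PedServer starts trusting connections from whatever presents that certificate.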
What happens
a.PedClient receives the TLS connection from the PedServer by listening at port 9697 (unless a different port was specified).
b.PedClient validates the PedServer client certificate.
c.PedClient sends the client information identity to the PedServer.
d.PedServer receives the client information identity and sends its own identity to the PedClient.
e.PedClient receives the server information identity and adds to the connection table.
f.PedClient sends a message back to the PedServer that the SSL connection is initialized and ready to go.
At this point, the secure network connection is in place between the PedServer and PedClient, which might be one of several PedServers available and connected to that PedClient, but the current PedServer is not selected to perform PED actions for the HSM associated with that PedClient. The PedClient might have another of its connected/available PedServers selected, or it might have none selected.
As a user of the HSM (or an application partition on that HSM) wanting to perform an HSM operation that requires a PED operation do the following:
1.From Lunash, run command:
hsm ped select -h <hostname>
The hostname is the PedServer hostname (or IP address if that was used in the certificate).
What is happening
a.PedClient sends a message to the PedServer with the HSM serial number to notify that the PedServer is now selected for PED operations.
b.PedServer receives the message and changes its processing status from waiting to processing commands (reads from and writes to the PED).
2.A user of the HSM (or an application partition of the HSM) executes an operation that requires authentication via PED.
What is happening
a.The behavior is the same as for non-peer mode if the connection was initiated from the HSM side.
If you need to deselect the PedServer, do the following:
1.From Lunash, run the hsm ped deselect command:
hsm ped deselect [-host <hostname>]
What is happening
a.PedClient sends a message to the PedServer that it is no longer selected.
b.PedServer acknowledges the message and resets the PED to clear the current session ID and the generated Diffie-Hellman key.
c.PedServer sets the PED to stand-by. Any additional read and write command from PedClient is ignored and is logged for security and debugging purposes.
If you need to terminate the peer connection, do the following:
1.Use the PedServer -mode disconnect command:
pedServer -mode disconnect
The connection is terminated.