HSM Administration Guide > PED Authentication > Using Remote PED

Using Remote PED

This section contains the following:

Prepare a Remote PED Vector

Client-initiated Remote PED Connections

Server-initiated (Peer-to-Peer) Remote PED Connections

Stopping Remote PED is described in Relinquishing Remote PED.

You will need physical access to your SafeNet Luna Network HSM when first setting up Remote PED because the Remote PED vector must be created by the HSM and imprinted, or it must be acquired from a previously imprinted key and stored in the HSM. Thereafter, the orange PED key is used with the Remote PED from a remote location, and the connection is secured by having the matching Remote PED Vector at both the HSM and the Remote PED server (your remote workstation with Remote PED attached).

Note:  If you encounter timeouts, you can lengthen the timeout values to allow a more relaxed pace. For PedServer.exe, run pedserver -mode config set -socketreadrsptimeout <seconds>, replacing <seconds> with the value you want. You also need to increase the corresponding PED timeout in the crystoki.ini client configuration file. The pedserver -socketreadrsptimeout value must always be larger than the timeout in the client configuration file; otherwise the client gives up on a PED operation before the PED Server does, and the operation fails.

Prepare a Remote PED Vector

You require a remote PED (orange) key imprinted with the remote PED vector for the HSM you want to connect to. Use the following procedure to create the orange key.

1. Initialize the HSM. Creating the orange Remote PED key requires HSM login, and HSM login requires an initialized HSM; all of this must be done over a Local PED connection the first time.

2. Connect the Luna PED to the PED port of the HSM. The PED must be in Local mode, as follows:

Set to Local PED-USB mode for USB connections (release 7).

Set to Local PED-SCP mode for SCP connections (legacy).

If you need to switch between modes, press < to navigate to the main menu. Press 0 to enter Local PED-USB mode, or 1 to enter Local PED-SCP mode.

3. Log in as SO with the command hsm login.

4. Have an orange PED key ready. Create and imprint the RPV (Remote PED Vector):

hsm ped vector init

lunash:>hsm ped vector init
 
If you are sure that you wish to initialize remote PED vector (RPV), then enter 'proceed', otherwise type 'quit'.
 
> proceed
Proceeding...
 
Luna PED operation required to initialize remote PED key vector - use orange PED key(s).
 
 
Command Result : 0 (Success)
 

At this time, go to the Luna PED and respond to the prompts, providing an orange PED key plus additional blank orange keys if you intend to make duplicates.

When the PED asks whether to reuse an existing keyset: if this is the first RPV you are creating, answer No.

If you already have an RPV on an orange PED key, answer Yes to preserve it and add it to this HSM (one orange key can then serve several HSMs), or No if you inserted the wrong key and want to find a different blank (or outdated) key to imprint. Answering No overwrites whatever is on the inserted key.

Continue following the prompts for MofN, duplication, and PED PIN options (described in detail in Using the PED).

To initiate a client-initiated (legacy) Remote PED connection, proceed to Client-initiated Remote PED Connections.

To initiate a server-initiated (peer-to-peer) Remote PED connection, proceed to Server-initiated (Peer-to-Peer) Remote PED Connections.

Client-initiated Remote PED Connections

At this point, you have a Remote PED Vector (RPV) shared between at least one orange PED key and at least one HSM.

If you have firewall or other constraints that prevent the HSM host from initiating a connection out to the PED Server in the external network, see Server-initiated (Peer-to-Peer) Remote PED Connections instead.

1. Bring a Luna PED with Remote PED capability, PED keys (blue, black and red), and at least one imprinted orange PED key to the location of your workstation computer. You should already have the most recent PED driver software and the PedServer.exe software installed on that computer.

The software and driver are provided on the SafeNet Luna Client CD, but are optional during the installation process. If you intend to use Remote PED, ensure that Remote PED is among the options selected during installation. Alternatively, you can launch the installer at a later time and modify the existing SafeNet Luna HSM Client installation to include Remote PED at that time.

2. Connect the Remote PED to its power source via the power adapter.

3. Connect the Remote PED to the workstation computer via the USB cable.

4. When the PED powers on and completes its self-test, it automatically detects the interface it is plugged into and switches to the appropriate mode after the first command is sent to it. The Luna PED then waits in Remote PED-USB mode until a command is received from the HSM.

If you wish to manually change to Remote PED-USB mode instead of waiting for the PED to do so, press the < key to navigate to the main menu. Then, press 7 to enter Remote PED mode.

5. Open a Command Prompt window on the computer (on Windows 7 this must be an Administrator Command Prompt). Locate and run PedServer.exe, setting it to its "listening" mode:

c: > PedServer -m start
Ped Server Version 1.0.6 (10006) 
Ped Server launched in startup mode. 
Starting background process 
Background process started 
Ped Server Process created, exiting this process.
c:\PED\ >  

Note:  If you encounter a message "Failed to load configuration file..." this is not an error. It just means that you have not changed the default configuration, so no file has been created. The server default values are used.

6. Open an SSH session to the SafeNet Luna Network HSM appliance and log in as admin.

7. Start the PED Client (the Remote PED enabling process on the appliance):

lunash:> hsm ped connect -i 183.21.12.161 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
Ped Client Version 1.0.0 (10000) 
Ped Client launched in startup mode. 
Starting background process 
Background process started
Ped Client Process created, exiting this process. 
Command Result : 0 (Success) 
[luna27] lunash:>  

Note:  The serial number option on command hsm ped connect is needed if you are using Remote PED with an HSM other than the on-board SafeNet Luna Network HSM (such as a connected SafeNet Luna USB HSM for PKI). If a serial number is not specified, the internal HSM is assumed by default.

Optionally, configure a default IP address and/or port for the hsm ped connect command with hsm ped set -ip <ip_address> -port <port>.

8. To verify that the Remote PED connection is functional, try an HSM command that requires PED action and PED key authentication; the simplest is hsm login.

Note:  If you want to use the PED for anything other than the current connection with one remote HSM, you must drop the current session first, and you must have the appropriate orange key (RPK) available when you are ready to re-establish the prior Remote PED connection. To drop the current session, disconnect the PED with the command hsm ped disconnect.

Server-initiated (Peer-to-Peer) Remote PED Connections

If you have firewall or other constraints that prevent the HSM host from initiating a connection out to the PED Server in the external network, follow these steps. Otherwise, see Client-initiated Remote PED Connections.

By default, when Remote PED is needed, a SafeNet Luna HSM uses a local instance of PED Client to initiate a connection with a distant instance of PED Server. In cases where a SafeNet Luna Network HSM resides behind a firewall with rules prohibiting the HSM host from initiating external connections, or if your IT policy forbids an IP port being open on the PED Server computer, it is possible to have the PED Server perform the initial call toward the HSM host in peer-connection mode.

Peer-connection mode is configured by two commands:

pedserver -appliance register

pedserver -appliance delete

Secure Network Connection

Before you begin, retrieve the SafeNet Luna Network HSM server certificate, server.pem (the same certificate used for STC and NTLS configuration). It is required to create the SSL connection from the PED Server to the PED Client. The PED Server host also needs its own certificate, which the appliance uses to validate the incoming connection; if the host does not have one, create it with the command pedserver -regen -commonname <unique_name>.

1. Secure copy (SCP or PSCP) the host certificate to the admin account on the SafeNet Luna Network HSM appliance.

2. Secure copy (SCP or PSCP) the server.pem from the SafeNet Luna Network HSM appliance to the PED Server host.

3. Register the server.pem by using the PED Server command:

pedserver -appliance register -name <unique_name> -certificate <server.pem_file> -ip <Network_HSM_IP> [-port <port_number>]

4. Log in to LunaSH as admin on the appliance, and register the PED Server host certificate:

hsm ped server register -certificate <certificate_filename>

5. Connect the PED to the PED Server host. See Remote PED Setup and Configuration.

6. Connect to the PED Client with the command pedserver -mode connect -name <HSM_unique_name>

Note:  The pedserver -mode disconnect command is used to terminate any existing peer connection with the intended HSM host, before a new connection can be launched. Once the peer connection is dropped, the PED Server returns to legacy mode and you can disconnect your PED via hsm ped disconnect. The hsm ped disconnect command is only applicable in legacy mode.


The PED Client receives the SSL connection from the PED Server by listening on port 9697. PED Client validates the PED Server's client certificate (the host certificate registered with hsm ped server register) and sends its client identity to the PED Server. PED Server receives the client identity and sends its own identity to the PED Client. PED Client receives the server identity, adds it to its connection table, and sends a message back to the PED Server saying that the SSL connection is initialized and ready.

At this point, the secure network connection is in place between the PED Server and PED Client, but the current PED Server is not selected to perform PED actions for the HSM associated with that PED Client.

Note:  If your Remote PED connections are server-initiated (peer-to-peer), you must restart the Call-Back Service (CBS) anytime you regenerate the SafeNet Luna Network HSM server certificate, or new peer-to-peer PedServer connections to the appliance will fail. In LunaSH, use the command service restart cbs.

HSM Selection

As a user of the HSM (or an application partition on that HSM) wanting to perform an HSM operation that requires a PED operation, do the following:

1. From LunaSH, run the command hsm ped select -host <hostname>, where <hostname> is the PED Server hostname.

Note:  The two LunaSH commands hsm ped deselect -host <hostname> and hsm ped select -host <hostname> -serial <serial number> both support peer-connection mode.

PED Client sends a message to the PED Server with the HSM serial number to notify that the PED Server is now selected for PED operations.

PED Server receives the message and changes its processing status from waiting to processing commands (read and write commands from and to the PED).

2. A user of the HSM (or an application partition of the HSM) executes an operation that requires authentication via PED. The behavior is the same as for non-peer mode, where the connection was initiated from the HSM side.

Note:  There is no timeout for the connection between PED Server and PED Client when using the server-initiated (peer-to-peer) mode of connection.

If you need to deselect the PED Server, run hsm ped deselect -host <hostname>.

1. PED Client sends a message to the PED Server that it is no longer selected.

2. PED Server acknowledges the message and resets the PED to clear the current session ID and the generated Diffie-Hellman key.

3. PED Server sets the PED to stand-by. Any additional read or write command from PED Client is ignored and is logged for security and debugging purposes.

If the user executes the disconnect command in PED Server, or if the connection is terminated abnormally, the PED Client receives the message and removes that PED Server from the connection table.

Constraints

The following constraints apply:

A maximum of twenty connections is supported on the PED Client.

If the connection is terminated abnormally (for example, router switch died), there will be no auto-connection.

When running in peer-connection (server-initiated) mode, the PED Server stops listening for connection attempts from a PED Client.

Once the PED Server connection to the PED Client is established, the connection remains up until

A disconnect command is executed from the PED Server.  

PED Client terminates the connection.  

PedServer Configuration File

Peer-to-peer Remote PED introduces a pedServer.conf or pedServer.ini file.

RemotePed = {
PongTimeout = 5;
PingInterval = 1;
LogFileTrace = 0;
LogFileError = 1;
LogFileWarning = 1;
LogFileInfo = 1;
MaxLogFileSize = 4194304;
LogFileName = ./remotePedServerLog.log;
BGProcessShutdownTimeoutSeconds = 25;
BGProcessStartupTimeoutSeconds = 10;
InternalShutdownTimeoutSeconds = 10;
SocketWriteTimeoutSeconds = 50;
SocketReadRspTimeoutSeconds = 180;
SocketReadTimeoutSeconds = 100;
ExternalServerIF = 1;
ServerPortValue = 1503;
ExternalAdminIF = 0;
AdminPort = 1502;
IdleConnectionTimeoutSeconds = 1800;
RpkSerialNumberQueryTimeout = 15;
}
Appliances = {
SSLConfigFile = /usr/safenet/lunaclient/bin/openssl.cnf;
ServerCAFile = /root/CAFile.pem;
ServerIP00 = 192.20.11.86;
ServerPort00 = 9696;
ServerName00 = eddiebox;
CommonCertName00 = test1;
ServerName01 = devbox;
ServerIP01 = 192.20.9.46;
ServerPort01 = 9697;
CommonCertName01 = test2;
}
 

The Appliances section manages registered appliances.

A new entry in the main Crystoki.ini/chrystoki.conf file points to the location of the pedServer.ini or pedServer.conf file.

[Ped Server]
PedConfigFile = /usr/safenet/lunaclient/data/ped/config 
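The file layout above and the timeout note at the top of this page (the PedServer read-response timeout must exceed the client-side PED timeout) are easy to get wrong by hand, so the following is an added example, not code from the SafeNet Luna HSM Client, that parses the `Section = { Key = Value; }` layout shown above and reports the settings a practitioner should check before relying on a peer-to-peer link. The sample text is constructed from the configuration on this page; the client-side PED timeout is passed in by the caller because the chrystoki.conf parameter name is not given here; and the reading of ExternalAdminIF as "bind the admin port beyond localhost" is an assumption from the setting's name.

```python
"""Parse and sanity-check a pedServer.conf / pedServer.ini file.

Added example; this is not Gemalto's own parser and the checks encode only what
the page states (SocketReadRspTimeoutSeconds > client PED timeout, PED Client
listens on 9697 in peer mode, every registered appliance needs name, IP, port
and certificate common name). ExternalAdminIF semantics are an assumption.
"""
import re
from typing import Dict, List

# Constructed from the sample configuration on this page.
SAMPLE_CONF = """\
RemotePed = {
PongTimeout = 5;
PingInterval = 1;
SocketReadRspTimeoutSeconds = 180;
SocketReadTimeoutSeconds = 100;
ExternalServerIF = 1;
ServerPortValue = 1503;
ExternalAdminIF = 0;
AdminPort = 1502;
LogFileName = ./remotePedServerLog.log;
}
Appliances = {
SSLConfigFile = /usr/safenet/lunaclient/bin/openssl.cnf;
ServerCAFile = /root/CAFile.pem;
ServerIP00 = 192.20.11.86;
ServerPort00 = 9696;
ServerName00 = eddiebox;
CommonCertName00 = test1;
ServerName01 = devbox;
ServerIP01 = 192.20.9.46;
ServerPort01 = 9697;
CommonCertName01 = test2;
}
"""

PED_CLIENT_PEER_PORT = 9697  # port PED Client listens on for server-initiated connections
APPLIANCE_FIELDS = ("ServerName", "ServerIP", "ServerPort", "CommonCertName")

_SECTION_RE = re.compile(r"^(\w+)\s*=\s*\{$")
_KV_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*;$")
_APPLIANCE_RE = re.compile(r"(ServerName|ServerIP|ServerPort|CommonCertName)(\d{2})")


def parse_pedserver_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; raise ValueError on anything unparseable."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = _SECTION_RE.match(line)
        kv = _KV_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = {}
        elif line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: '}}' outside any section")
            current = None
        elif current is not None and kv:
            sections[current][kv.group(1)] = kv.group(2)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if current is not None:
        raise ValueError(f"section {current!r} is never closed")
    return sections


def appliances(conf: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Group the numbered ServerNameNN/ServerIPNN/ServerPortNN/CommonCertNameNN keys by index."""
    table: Dict[str, Dict[str, str]] = {}
    for key, value in conf.get("Appliances", {}).items():
        m = _APPLIANCE_RE.fullmatch(key)
        if m:
            table.setdefault(m.group(2), {})[m.group(1)] = value
    return table


def check_pedserver_conf(conf: Dict[str, Dict[str, str]], client_ped_timeout_s: int) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    rp = conf.get("RemotePed", {})

    # The page's note: the PedServer read-response timeout must be larger than the
    # client's PED timeout, or the client abandons the PED operation before the server does.
    srt = int(rp.get("SocketReadRspTimeoutSeconds", "0"))
    if srt <= client_ped_timeout_s:
        findings.append(f"SocketReadRspTimeoutSeconds={srt} is not larger than the client PED timeout {client_ped_timeout_s}s")

    # Assumption from the setting's name: ExternalAdminIF=1 binds AdminPort to external interfaces.
    if rp.get("ExternalAdminIF", "0") != "0":
        findings.append(f"ExternalAdminIF={rp['ExternalAdminIF']}: admin port {rp.get('AdminPort', '?')} reachable from the network")

    for idx, entry in sorted(appliances(conf).items()):
        missing = [f for f in APPLIANCE_FIELDS if f not in entry]
        if missing:
            findings.append(f"appliance {idx}: missing {', '.join(missing)}")
            continue
        if int(entry["ServerPort"]) != PED_CLIENT_PEER_PORT:
            findings.append(f"appliance {idx} ({entry['ServerName']}): ServerPort={entry['ServerPort']}, but PED Client listens on {PED_CLIENT_PEER_PORT}")
    return findings


if __name__ == "__main__":
    parsed = parse_pedserver_conf(SAMPLE_CONF)
    for finding in check_pedserver_conf(parsed, client_ped_timeout_s=100):
        print("WARN:", finding)
```

Run against the sample, the only finding with a 100 s client timeout is that appliance 00 (eddiebox) is registered on port 9696 while the PED Client listens on 9697; raising the client timeout to 180 s adds the timeout-ordering finding. The parser is strict on purpose: since the vendor says not to hand-edit this file, any line it cannot account for is reported rather than skipped.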
 

CAUTION:  Do not edit the pedServer.conf or pedServer.ini file. If you have any issues, contact Gemalto Technical Support.