Troubleshooting

Device error (CKR_DEVICE_ERROR) when trying to authenticate

If you receive a CKR_DEVICE_ERROR when trying to authenticate, you may be using the wrong mode. Your PED must be in USB mode when connected to a Release 7.x SafeNet Luna Network HSM. Otherwise you will get a CKR_DEVICE_ERROR when attempting to authenticate. See Changing Modes for instructions on how to switch modes.

Lost PED key or forgotten password

Passwords

Go to the secure lockup (a safe, an off-site secure deposit box, other) where you keep such important information, and read and memorize the password. Return to the HSM and resume using it.

PED Keys

Retrieve one of its copies from your on-site secure storage, or from your off-site disaster-recovery secure storage. Make any necessary replacement copies, using Luna PED, and resume using your HSM(s).

If you have lost a blue PED key, someone else might have found it. Consider lunacm:>changePw or lunash:>hsm changePw, as appropriate, to invalidate the current blue key secret, which might be compromised, and to safeguard your HSM with a new SO secret going forward. HSM and partition contents are preserved.

Lost PED key or forgotten password and No Backup

Blue PED Key or SO Password

If you truly have not kept a securely stored written backup of your HSM SO Password, or for PED-authenticated HSM, your blue SO PED key, then you are out of luck. If you have access to your partition(s), then immediately make backups of all partitions that have important content. When you have done what you can to safeguard partition contents, then perform hsm factoryReset, followed by hsm init - this is a "hard initialization" that wipes your HSM (destroying all partitions on it) and creates a new HSM SO password or blue PED key. You can then create new partitions and restore contents from backup. Any object that was in HSM SO space (rather than within a partition) is irretrievably lost.

Red PED Key or HSM/Partition Domain Secret

If you have the red PED key or the HSM-or-Partition domain secret for another HSM or Partition that is capable of cloning (or backup/restore) with the current HSM or Partition, then you have the domain that you need - just make a copy. Cloning or backup/restore can take place only between entities that have identical domains, so that other domain must be the same as the one you "lost".

If you truly have not kept a secured written backup of your HSM or partition cloning domain, or for PED-authenticated HSM, your domain PED key(s), then you are out of luck. Any keys or objects that exist under that domain can still be used, but cannot be cloned or backed-up or restored. Begin immediately to phase in new/replacement keys/objects on another HSM, for which you have the relevant domain secret(s) or red PED key(s). Ensure that you have copies of the red PED keys, or that you have a written record of any text domain string, in secure on-site and off-site backup locations. Phase out the use of the old keys/objects, as you have no way to protect them against a damaged or lost HSM.

Orange Remote PED Key

You will need to generate a new Remote PED Vector on one affected HSM with lunacm:>ped vector init or lunash:>hsm ped vector init to have that HSM and an orange key (plus backups) imprinted with the new RPV. Then you must physically go to all other HSMs that had the previous (lost) RPV and do the same, except you must say Yes to the PED's "Do you wish to reuse an existing keyset?" question, in order to bring the new RPV to all HSMs. If you forget and say No to the PED's "...reuse..." question, then you must start over.   

White Audit PED Key

You will need to initialize the audit role on any affected HSM. This creates a new Audit identity for that HSM, which orphans all records and files previously created under the old, lost audit role. The audit files that were previously created can still be viewed, but they can no longer be cryptographically verified. Remember, when performing Audit init on the first HSM, you can say Yes or No to Luna PED's "Do you wish to reuse an existing keyset?" question, as appropriate, but for any additional HSMs that share that audit role, you must answer Yes.

Lost MofN Split

If you have lost one of the keys that are part of your MofN split-secret scheme and have enough remaining splits to log in, retrieve its copy from your on-site secure storage, or from your off-site disaster-recovery secure storage. Make any necessary replacement copies, using Luna PED, and resume using your HSM(s).

Lost MofN Split and No Backup

If you have lost one of the keys that are part of your MofN split-secret scheme and have enough remaining splits to log in, but you do not have a copy of that split, you must create a new set of keys. Log in using the required number of MofN keys, and execute the HSM (or Partition) changePw command. When prompted to reuse an existing key set, answer No. Set your M and N values, and optional PED PINs. This overwrites the secret splits currently on the PED keys. Old splits can no longer be used with new splits.

Lost MofN split and Not Enough Remaining Splits

If you have lost one of the keys that are part of your MofN split-secret scheme and do not have enough remaining splits to log in, then you are out of luck. See Lost PED key or forgotten password and No Backup for options in each situation.

Forgotten PED PIN

Forgetting a PED PIN is the same as not having the correct PED key. See Lost PED key or forgotten password and No Backup for options in each situation.

Once a PED PIN is imposed, it is a required component of role authentication unless you arrange otherwise. You can remove the requirement for a PED PIN on a given HSM role only if you are currently able to authenticate (login) to that role. For black PED keys, you can have the SO reset your authentication. For other roles you cannot.

For blue PED keys, forgetting a PED PIN is fatal.

For red PED keys, forgetting the PED PIN is eventually fatal, but you can work in the meantime while you phase out your orphaned keys and objects.

Forgetting PED PINs for other roles, like losing their PED keys, is more or less inconvenient, but not fatal.

For secrets split into several keys using the MofN scheme, you need all N splits to set a new PED PIN. Login using the required number of MofN keys, and duplicate all three keys. Set new PED PINs and overwrite your set of keys. If you do not have all N splits, you cannot use the key whose PIN you have forgotten.

Forgotten which PED Key Goes With Which HSM/Partition

See your options, above. The most serious one is the blue PED key or the PED PIN for the SO role. You have only three tries to get it right. On the third wrong attempt, the HSM contents are lost. Wrong attempts are counted if you present the wrong blue PED key, or if you type the wrong PED PIN with the right PED key.

For black User PED keys, and their PED PINs (if applicable), you have ten tries to get the right key or the right combination, unless the SO has changed from the default number of retries. If you are getting close to that maximum number of bad attempts, stop, and ask the SO to reset your partition PW.

For other PED keys, there is no restriction on re-tries.

Does it Matter Which PED Key is Imprinted First in Initialization?

For your first HSM, you must initialize a blue PED key for the HSM Admin.

If this HSM is not the first, then you can initialize a new blue PED key for it, or you can reuse the authentication data on another blue PED key. The HSM requires an imprinted blue PED key when you access it, but you decide whether that blue PED key should be unique to this particular HSM, or shared among two or more.

After the blue PED key, the other mandatory keys (red and black) can be added in any order. Additional optional keys are also added in any order.

Note: The person or persons charged with ownership of the HSM are responsible for safeguarding the authentication secrets, ensuring that no unrecorded duplicates are made. Similarly, for application partitions with their own SO, the SO of each partition is responsible for securing the authentication secrets and copies.

How Many Wrong Attempts Do I Have Before Lockout?

Presenting a PED key from a wrong set, when MofN is not involved, can result in a lockout of a role or zeroization of content, depending upon which secret is attempted. For SO PED keys, you have three tries; for other roles the default is ten tries, but HSM or partition policies can adjust that number.

Presenting a PED key from a wrong MofN set, or presenting the same split twice because members of primary and backup sets were accidentally mingled, does not allow the splits to successfully combine. That error does not increment the bad-login-attempt counter for that secret. Instead, it results in looping prompts on the PED until it gets enough of the correct splits or until the operation times out.

Are PED PINs or MofN Mandatory With Each PED Key or Keyset?

No, PED PIN and MofN are optional additional security level items when you first initialize an HSM or create a partition, etc. Your organization's security requirements determine the level of security your HSM(s) operate in.

How Should Luna PED Keys be Stored?

Physically, they are electronic devices, and should be stored in environments that are not subjected to extremes of temperature, humidity, dust, or vibration.

With that said, PED keys that have their caps on when not immediately in use have survived years of daily use being carried around in office-workers' pockets here at SafeNet's labs.

Procedurally, they should be labeled and stored (filed) so that they are readily identifiable according to the HSM(s), the partitions, and the roles with which they have been associated.

Windows Fails to Detect Remote PED

If you find that Windows fails to detect Luna PED, especially if you have disconnected and reconnected the PED's USB cable to your computer, the PED may not be receiving adequate power. Luna PED is powered by PED port connection only when it is connected to a SafeNet Luna HSM. When Luna PED is used for Remote PED, it is connected to a computer USB port, which does not have the same electrical characteristics as the PED port on a SafeNet Luna HSM. The PED switches on, but might not receive sufficient power to operate.

If you are connecting locally, always connect the PED to the SafeNet Luna HSM.

If you are connecting to a computer for use as a Remote PED server, always connect the PED power supply in addition to the USB connection.

Remote PED Firewall Blocking

If you experience problems while attempting to configure a SafeNet Remote PED session over VPN, you might need to adjust Windows Firewall settings.

1. From the Windows Start Menu, select Control Panel.

2. From the Control Panel, select Windows Firewall.

3. From the Windows Firewall dialog, select Change notification settings.

4. In the dialog Customize settings for each type of network, go to the appropriate section and activate Notify me when Windows Firewall blocks a new program.

With notification turned on, a dialog box pops up whenever Windows Firewall blocks a program, allowing you to override the block as Administrator, which permits the SafeNet Remote PED connection to successfully listen for PED Client connections.

Remote PED Blocked Port Access

Some networks might be configured to block access to certain ports. If such policy on your network includes ports 1503 (the default PED Server listening port) and 1502 (the administrative port), then you might need to choose a port other than the default when starting PED Server, and similarly when you launch the connection from the HSM end and provide the IP and port where it should look for the PED Server. Otherwise, perhaps your network administrator can assist.

"Jump" Server Option

An option that some customers use is a port-forwarding "jump" server, co-located with the SafeNet Luna HSM appliances, on the datacenter side of the firewall. The datacenter is usually a very stable network environment. A client host on a desktop in a corporate office is more likely to be separated from the internet by switches, firewalls, routers, etc. that are subject to change. Implementing a jump server can be a low-cost and useful addition:

To get around port-blocking problems, or to be able to react quickly to shifts in the corporate port and routing environment.

As a way to implement a PKI authentication layer for Remote PED, and optionally for other SSH access, by (for example) setting up smart-card access control to the jump server.

For our own test of the solution, we used a standard Ubuntu Server distribution, with OpenSSH installed. No other changes were made to the system from the standard installation.

1. Connect a Luna PED to a Windows host with SafeNet Luna HSM Client installed and PED Server running.

The Luna PED automatically detects the active interface that it is plugged into, and defaults to the appropriate mode after the first command is sent to it. The Luna PED should wait in Remote PED-USB mode until a command is received from the HSM it is connected to.

If you wish to manually change to Remote PED-USB mode instead of waiting for the PED to do so, press the < key to navigate to the main menu. Then, press 7 to enter Remote PED mode.

2. From the Windows host in an Administrator Command Prompt, run plink -ssh -N -T -R 1600:localhost:1503 <user>@<IP of Linux Server>.

3. From the SafeNet Luna Network HSM, run hsm ped connect -ip <IP of Linux Server> -port 1600.

The connection is made to the Windows host running PED Server, via the Linux Server, through the SSH session that was initiated out-bound from the Windows host.

A variant of this arrangement has port 22 also routed through the jump server, which allows you to bring administrative access to the SafeNet appliance under the PKI access-control scheme.

PED Connect Fails if IP is Not Accessible

On a system with two network connections, if PED Server attempts to use an IP address that is not accessible externally, then command lunacm:>ped connect can fail.

To resolve this problem:

1. Ensure that PED Server is listening on the IP address that is accessible from outside.

2. If that condition (step 1) is not the case, then disable the network connection on which PED Server is listening.

3. Restart PED Server and confirm that PED Server is listening on the IP address that is accessible from outside.

PED Server on VPN fails

If PED Server is running on a laptop that changes location, the active network address changes even though the laptop is not shut down. If you unplugged from working at home, over the corporate VPN, commuted to the office, and reconnected the laptop there, PED Server is still configured with the address you had while using the VPN. Running pedserver -mode stop does not completely clear all settings, so running pedserver -mode start again fails with a message like "Startup failed. : 0x0000303 RC_OPERATION_TIMED_OUT".

To resolve this problem:

1. Close the current Command Prompt window.

2. Open a new Command Prompt.

3. Verify the current IP address with command ipconfig.

4. Run pedserver -mode start -ip <new-ip-address> -port <port-number> and it should now succeed.
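
The following PowerShell check is an added example, not part of the vendor documentation. It applies to this problem and to "PED Connect Fails if IP is Not Accessible" above: it lists the host's current IPv4 addresses and reports which local address, if any, is listening on the PED Server port, so that you can compare it with the address the HSM connects to. The -Port parameter is an assumption of the example and defaults to 1503.

```powershell
# Added example, not vendor code. Assumes Windows 8 / Server 2012 or later
# (NetTCPIP cmdlets) and the default PED Server port 1503 unless -Port is given.
param([int]$Port = 1503)

# IPv4 addresses currently assigned to this host (loopback and APIPA excluded).
$current = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' })

Write-Host 'Addresses currently assigned to this host:'
foreach ($a in $current) {
    Write-Host ('  {0,-15} {1}' -f $a.IPAddress, $a.InterfaceAlias)
}

# Sockets in the Listen state on the PED Server port, if any.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) {
    Write-Host "Nothing is listening on TCP $Port; PED Server is not running on this port."
    return
}

foreach ($l in $listeners) {
    # Name the owning process so a listener that is not PED Server is obvious.
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    $verdict = if ($l.LocalAddress -in '0.0.0.0', '::') {
        'all interfaces'
    } elseif ($l.LocalAddress -in '127.0.0.1', '::1') {
        'loopback only, not reachable from the HSM'
    } elseif ($l.LocalAddress -in $current.IPAddress) {
        'an address currently assigned to this host'
    } else {
        'NOT a current address of this host; restart PED Server with -ip'
    }
    Write-Host ('{0}:{1} ({2}, PID {3}) -> {4}' -f $l.LocalAddress, $Port, $name, $l.OwningProcess, $verdict)
}
```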

Remote PED Link Timeout

The default timeout for a Remote PED link between PED Client at the HSM and PED Server at the Remote PED is 1800 seconds, or 30 minutes. If no Remote PED activity is requested for the entire timeout duration, the link ends and must be reestablished. While that link is down, and the HSM remains set to expect Remote PED operation, any requested PED operations simply fail. We recommend performing a disconnect before performing a connect to ensure that the old link is cleanly severed and that a new link is cleanly established.

PED Server Fails to Start With "LOGGER_init failed"

The PedServer.exe process must be run using Administrator privileges. If you launch PedServer.exe in a non-privileged-user command-prompt window, the PED Server fails to work, but the process is launched and continues in the background. If you then attempt to launch PedServer.exe from an Administrator command prompt, it fails with message "LOGGER_init failed". The logger has failed to initialize for the new attempt because the earlier, non-functional instance of PED Server has locked the logger.

To resolve this problem:

1. Check that the PED Server process is not already running.

2. If it is, stop the process (to free the logger service).

3. Start the PED Server process again, as Administrator.
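
The three steps above as one PowerShell script. This is an added example, not part of the vendor documentation; it assumes that the process name is PedServer (from PedServer.exe), that pedserver is on the PATH, and that PowerShell 4.0 or later is available.

```powershell
# Added example, not vendor code. Assumes the process name is "PedServer"
# (from PedServer.exe), that pedserver is on PATH, and PowerShell 4.0 or later
# (for Get-Process -IncludeUserName).

# The restart must be elevated, so refuse to continue from a normal prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Not elevated. Run this from an Administrator PowerShell prompt.'
    return
}

# Step 1: look for an earlier instance, including one started without privileges.
$running = @(Get-Process -Name PedServer -IncludeUserName -ErrorAction SilentlyContinue)

# Step 2: stop each instance so that the logger is released.
foreach ($p in $running) {
    Write-Host ('Stopping PedServer PID {0} (user {1}, started {2})' -f $p.Id, $p.UserName, $p.StartTime)
    Stop-Process -Id $p.Id -Force
    Wait-Process -Id $p.Id -Timeout 10 -ErrorAction SilentlyContinue
}

# Do not launch a second instance if one survived the stop attempt.
if (Get-Process -Name PedServer -ErrorAction SilentlyContinue) {
    Write-Error 'A PedServer process is still running; not starting a second one.'
    return
}

# Step 3: start PED Server again from this elevated session.
& pedserver -mode start
```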