Remote PED Troubleshooting

If you encounter problems at any stage of the Remote PED connection process, refer to this section.

PEDserver Requires Administrator Privileges

If PEDserver is installed in the default Windows directory, it requires Administrator privileges to make changes. If you run PEDserver as an ordinary user, you may receive an error like the following:

c:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Failed to recv query response command: RC_SOCKET_ERROR c0000500
Background process failed to start : 0xc0000500 RC_SOCKET_ERROR
Startup failed. : 0xc0000500 RC_SOCKET_ERROR

To avoid this error, when opening a command line for PEDserver operations, right-click the Command Prompt icon and select Run as Administrator. Windows Server 20xx opens the Command Prompt as Administrator by default.

NOTE   If you do not have Administrator permissions on the Remote PED host, contact your IT department or install Luna HSM Client in a non-default directory (outside the Program Files directory) that is not subject to permission restrictions.

Reconnect HSM-initiated Remote PED Before Issuing Commands

As described in the connection procedures, HSM-initiated Remote PED connections time out after a default period of 1800 seconds (30 minutes). If you attempt PED authentication after timeout or after the connection has been broken for another reason, the Luna PED will not respond and you will receive an error like this:

lunash:>hsm login
 
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED key.
 
Error:  'hsm login' failed. (300142 : LUNA_RET_PED_UNPLUGGED)
 
Command Result : 65535 (Luna Shell execution)
 

To avoid this error, re-initiate the connection before issuing any commands requiring PED authentication:

lunash:>hsm ped connect -ip <PEDserver_IP> -port <PEDserver_port>

lunacm:>ped connect -ip <PEDserver_IP> -port <PEDserver_port>

Remote PED Firewall Blocking

If you experience problems while attempting to configure a SafeNet Remote PED session over VPN, you might need to adjust Windows Firewall settings. If your security policy prohibits changes to Windows Firewall, you can use a PED-initiated connection for HSM SO-level operations. See PED-Initiated Remote PED.

1. From the Windows Start Menu, select Control Panel.

2. Select Windows Firewall.

3. Select Change notification settings.

4. In the dialog Customize settings for each type of network, go to the appropriate section and activate Notify me when Windows Firewall blocks a new program.

With notifications turned on, a dialog box appears whenever Windows Firewall blocks a program, allowing you to override the block as Administrator. This allows PEDserver to successfully listen for PEDclient connections.

Remote PED Blocked Port Access

The network might be configured to block access to certain ports. If ports 1503 (the default PEDserver listening port) and 1502 (the administrative port) are blocked on your network, choose a different port when starting PEDserver, and when using ped connect (LunaCM) or hsm ped connect (LunaSH) to initiate the Remote PED connection. Contact your network administrator for help.

You might choose to use a port-forwarding jump server, co-located with the SafeNet Luna Network HSM(s) on the datacenter side of the firewall. This can be a low-cost solution for port-blocking issues. It can also be used to implement a PKI authentication layer for Remote PED or other SSH access, by setting up smart-card access control to the jump server.

For example, you can use a standard Ubuntu Server distribution with OpenSSH installed and no other changes made to the standard installation with the following procedure:

1. Connect the Luna PED to a Windows host with SafeNet Luna HSM Client installed and PEDserver running.

2. Open an Administrator command prompt on the Remote PED host and start the port-forwarding service.

>plink -ssh -N -T -R 1600:localhost:1503 <user>@<Ubuntu_server_IP>

3. Log in to the appliance as admin and open the HSM-initiated connection.

lunash:>hsm ped connect -ip <Ubuntu_server_IP> -port 1600

The Remote PED host initiates the SSH session to the Ubuntu jump server; the appliance's connection to port 1600 on the jump server is carried back through that session to port 1503 on the Remote PED host, where PEDserver is listening.

A variant of this arrangement also routes port 22 through the jump server, which allows administrative access to the SafeNet Luna Network HSM under the PKI access-control scheme.

ped connect Fails if IP is Not Accessible

On a system with two network connections, if PEDserver attempts to use an IP address that is not externally accessible, lunacm:>ped connect can fail. To resolve this:

1. Ensure that PEDserver is listening on the IP address that is accessible from outside.

2. If not, disable the network connection on which PEDserver is listening.

3. Restart PEDserver and confirm that it is listening on the IP address that is accessible from outside.

PEDserver on VPN Fails

If PEDserver is running on a laptop that changes location, the active network address changes even though the laptop is not shut down. If you unplugged from working at home over the corporate VPN, commuted to the office, and reconnected the laptop there, PEDserver is still configured with the address you had while using the VPN. Running pedserver -mode stop does not completely clear all settings, so running pedserver -mode start again fails with a message like "Startup failed. : 0x0000303 RC_OPERATION_TIMED_OUT". To resolve this problem:

1. Close the current command prompt window.

2. Open a new Administrator command prompt.

3. Verify the current IP address.

>ipconfig

4. Start PEDserver, specifying the new IP and port number.

>pedserver -mode start -ip <new_IP> -port <port>