Opening a Remote PED Connection
There are two methods of establishing a Remote PED connection to the HSM:
>HSM-initiated: When the HSM requires authentication, it sends (via PEDclient) a request for PED services to the Remote PED host (which receives the request via PEDserver). This requires that the SafeNet Luna Network HSM be allowed to initiate external connections, and that the PEDserver IP port remains open. If the SafeNet Luna Network HSM resides behind a firewall with rules prohibiting these connections, or if your IT policy prohibits opening a port on the Remote PED host, use a PED-initiated connection.
>PED-initiated: The HSM and Remote PED host exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the SafeNet Luna Network HSM. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method.
If you encounter issues, see Remote PED Troubleshooting.
HSM-Initiated Remote PED
The HSM/client administrator can use this procedure to establish an HSM-initiated Remote PED connection.
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Administrative access to the SafeNet Luna Network HSM via SSH
>Administrative access to a Luna HSM Client workstation with an assigned user partition (if using Remote PED for partition-level authentication)
>One of the following:
•Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector (RPV) and Creating the Orange PED Key)
•Blank orange PED key (or multiple keys, if you plan to use an M of N scheme)
To launch PEDserver
1.Open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.
2.Navigate to the SafeNet Luna HSM Client install directory.
>cd C:\Program Files\SafeNet\LunaClient\
3.Launch PEDserver (see pedserver for all available options). If you are launching PEDserver on an IPv6 network, you must include the -ip option.
>pedserver mode start [-ip <PEDserver_IP>]
C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
4.Verify that the service has launched successfully (pedserver mode show).
>pedserver mode show
Note the Ped2 Connection Status. If it says Connected, PEDserver is able to communicate with the Luna PED.
Note also the server port number (default: 1503). You must specify this port along with the PEDserver host IP when you open a connection.
c:\Program Files\SafeNet\LunaClient>pedserver mode show
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
Hostname: DWG9999
IP: 0.0.0.0
Firmware Version: 2.7.1-5
PedII Protocol Version: 1.0.1-0
Software Version: 1.0.6 (10006)
Ped2 Connection Status: Connected
Ped2 RPK Count 0
Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
Server Port: 1503
External Server Interface: Yes
Admin Port: 1502
External Admin Interface: No
Server Up Time: 190 (secs)
Server Idle Time: 0 (secs) (0%)
Idle Timeout Value: 1800 (secs)
Current Connection Time: 0 (secs)
Current Connection Idle Time: 0 (secs)
Current Connection Total Idle Time: 0 (secs) (100%)
Total Connection Time: 0 (secs)
Total Connection Idle Time: 0 (secs) (100%)
Show command passed.
5.Use ipconfig to determine the PEDserver host IP. A static IP is recommended, but if you are connecting over a VPN, you may need to determine the current IP each time you connect to the VPN server.
>ipconfig
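The status fields you are told to note in step 4 (Ped2 Connection Status, Server Port, Idle Timeout Value) are easy to misread under pressure, and a Remote PED host is usually something you want monitored rather than eyeballed. The following is an added example, not part of the Luna HSM Client tooling or of this page: a small Python parser for the `pedserver mode show` output shown above, plus a readiness check a practitioner can run on the Remote PED host before issuing hsm ped connect or ped connect. The sample status text is the page's own output embedded as a constant; the field-name-based integer conversion and the reading of Idle Timeout Value as the HSM-initiated connection's idle limit are assumptions based on the output format above.

```python
"""Parse `pedserver mode show` output and decide whether the Remote PED host
is ready for an HSM-initiated connection.

Added example for this page; not part of the Luna HSM Client. It assumes the
"Key: value" layout of the status output shown above.
"""
import re
import subprocess

# Constructed sample: the `pedserver mode show` output reproduced from the page.
SAMPLE_STATUS = """\
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
Hostname: DWG9999
IP: 0.0.0.0
Firmware Version: 2.7.1-5
PedII Protocol Version: 1.0.1-0
Software Version: 1.0.6 (10006)
Ped2 Connection Status: Connected
Ped2 RPK Count 0
Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
Server Port: 1503
External Server Interface: Yes
Admin Port: 1502
External Admin Interface: No
Server Up Time: 190 (secs)
Server Idle Time: 0 (secs) (0%)
Idle Timeout Value: 1800 (secs)
Current Connection Time: 0 (secs)
Current Connection Idle Time: 0 (secs)
Current Connection Total Idle Time: 0 (secs) (100%)
Total Connection Time: 0 (secs)
Total Connection Idle Time: 0 (secs) (100%)
Show command passed.
"""

_KV = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?):\s*(?P<val>.*)$")
_RPK_COUNT = re.compile(r"^Ped2 RPK Count\s+(\d+)")


def parse_pedserver_status(text):
    """Return a dict of the 'Key: value' fields in the status output.

    Port and time fields ('Server Port: 1503', 'Idle Timeout Value: 1800 (secs)')
    are converted to int by taking the leading number; everything else stays a
    string. Lines without a colon (banner, RPK serial numbers) are ignored,
    except 'Ped2 RPK Count N', which has its own format.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        m = _RPK_COUNT.match(line)
        if m:
            fields["Ped2 RPK Count"] = int(m.group(1))
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val").strip()
        num = re.match(r"^(\d+)", val)
        if num and key.endswith(("Port", "Time", "Value")):
            fields[key] = int(num.group(1))
        else:
            fields[key] = val
    return fields


def remote_ped_ready(fields, expected_port=1503):
    """Check the conditions the page tells you to verify before connecting.

    Returns (ok, reasons); reasons lists every failed check so an operator
    sees all problems at once rather than one per retry.
    """
    reasons = []
    if fields.get("Ped2 Connection Status") != "Connected":
        reasons.append("Luna PED is not connected to PEDserver (Ped2 Connection Status)")
    if fields.get("External Server Interface") != "Yes":
        reasons.append("PEDserver is not listening on an external interface")
    port = fields.get("Server Port")
    if port != expected_port:
        reasons.append(f"Server Port is {port}, not {expected_port}; pass -port {port} to hsm ped connect")
    return (not reasons, reasons)


def seconds_until_timeout(fields):
    """Seconds of idleness left before the HSM-initiated connection is dropped.

    Assumption: the connection is dropped when Current Connection Idle Time
    reaches Idle Timeout Value (default 1800 s on the page). None if unknown.
    """
    timeout = fields.get("Idle Timeout Value")
    idle = fields.get("Current Connection Idle Time")
    if timeout is None or idle is None:
        return None
    return max(timeout - idle, 0)


def run_pedserver_show():
    """Run the real tool on a Remote PED host; not invoked by the sample run below."""
    out = subprocess.run(["pedserver", "mode", "show"], capture_output=True, text=True, check=False)
    return out.stdout


if __name__ == "__main__":
    status = parse_pedserver_status(SAMPLE_STATUS)
    ok, why = remote_ped_ready(status)
    print("ready" if ok else "not ready: " + "; ".join(why))
```

On a real Remote PED host, replace SAMPLE_STATUS with run_pedserver_show() (PEDserver must already be started in an Administrator prompt, as in step 1). A "not ready" result for the PED connection usually means the Luna PED is not plugged in or not in Remote mode; a wrong port means you must pass that port explicitly to hsm ped connect or ped connect.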
If you are setting up Remote PED with a SafeNet Luna Network HSM appliance, see To open a Remote PED connection from the SafeNet Luna Network HSM appliance (LunaSH).
If you are setting up Remote PED with a client, see To open a Remote PED connection from a client workstation (LunaCM).
To open a Remote PED connection from the SafeNet Luna Network HSM appliance (LunaSH)
1.Open an SSH session to the SafeNet Luna Network HSM and log in to LunaSH as admin.
2.Initiate the Remote PED connection from the SafeNet Luna Network HSM (hsm ped connect).
lunash:> hsm ped connect -ip <PEDserver_IP> -port <PEDserver_port> [-serial <serial#>]
NOTE The -serial option is required only if you are using Remote PED to authenticate a SafeNet Luna Backup HSM connected to one of the SafeNet Luna Network HSM's USB ports. If a serial number is not specified, the appliance's internal HSM is used.
lunash:>hsm ped connect -ip 192.124.106.100 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
•If you have not yet initialized the RPV, and the HSM is not in initialized state, LunaSH prompts you to enter a password.
Enter PED Password:
See Remote RPV Initialization for this procedure.
•If you already initialized the RPV, the Luna PED prompts for the orange PED key.
Present the orange PED key with the correct RPV. The HSM authenticates the RPV, and control is returned to the LunaSH prompt.
Command Result : 0 (Success)
The HSM-initiated Remote PED connection is now open.
3.Verify the Remote PED connection by entering a command that requires PED authentication (hsm login, hsm init).
•If the HSM is already initialized and you have the blue HSM SO key, you can use hsm login.
•If the HSM is uninitialized, you can initialize it now with hsm init -label <label>. Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for M of N or to make multiple copies). See Creating PED Keys for more information.
NOTE The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaSH to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
4.[OPTIONAL] Set a default IP address and/or port for the SafeNet Luna Network HSM to look for a configured Remote PED (hsm ped set).
lunash:>hsm ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunash:>hsm ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM administrator can use hsm ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange PED key will be required each time.
NOTE If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.
To open a Remote PED connection from a client workstation (LunaCM)
1.Launch LunaCM on the client.
2.Initiate the Remote PED connection (ped connect).
lunacm:>ped connect -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped connect -ip 192.124.106.100 -port 1503
Command Result : No Error
3.Issue the first command that requires authentication.
•If the partition is already initialized and you have the blue Partition SO key, log in (role login).
lunacm:>role login -name po
•If the partition is uninitialized, you can initialize it now (partition init). Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for MofN or for multiple copies). See Creating PED Keys for more information on creating PED keys.
lunacm:>partition init -label <label>
4.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK.
5.The Luna PED prompts for the key associated with the command you issued. Follow the on-screen directions to complete the authentication process.
NOTE The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaCM to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
6.[OPTIONAL] Set a default IP address and/or port for LunaCM to use when it looks for a configured Remote PED (ped set).
lunacm:>ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM/client administrator can use ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange PED key may be required if the RPK has been invalidated on the PED since you last used it.
NOTE If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.
PED-Initiated Remote PED
A PED-initiated connection requires the HSM and Remote PED host to exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the SafeNet Luna Network HSM. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method. The HSM administrator can use this procedure to set up the connection. You require:
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector (RPV) and Creating the Orange PED Key)
>Administrative access to the SafeNet Luna Network HSM via SSH
NOTE The PED-initiated Remote PED connection procedure requires admin access to the appliance via LunaSH, and therefore this method cannot provide authentication services for client partitions.
To open a PED-initiated Remote PED connection
1.On the Remote PED host, open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.
2.Navigate to the SafeNet Luna HSM Client install directory (C:\Program Files\SafeNet\LunaClient\).
3.You will need the Remote PED host's NTLS certificate. If you have already set up an NTLS client connection to the appliance using LunaCM, you can find the certificate in C:\Program Files\SafeNet\LunaClient\cert\client\. If the certificate is not available, you can generate it with the PEDserver utility (pedserver -regen).
CAUTION! If the Remote PED host has registered NTLS partitions on any HSM, regenerating the certificate will cause you to lose contact with your registered NTLS partitions. Use the existing certificate instead.
>pedserver -regen -commonname <name>
c:\Program Files\SafeNet\LunaClient>pedserver -regen -commonname RemotePED1
Ped Server Version 1.0.6 (10006)
Are you sure you wish to regenerate the client certificate?
All registered partitions may disappear.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1Key.pem
Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1.pem
Successfully regenerated the client certificate.
4.Use pscp to securely retrieve the SafeNet Luna Network HSM's NTLS certificate (SCP and PSCP). Enter the appliance's admin account password when prompted. Note the period at the end of the command.
>pscp admin@<appliance_IP>:server.pem .
c:\Program Files\SafeNet\LunaClient>pscp admin@192.20.11.78:server.pem .
admin@192.20.11.78's password:
server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
5.Use pscp to securely transfer the Remote PED host's NTLS certificate to the SafeNet Luna Network HSM's admin account.
>pscp .\cert\client\<certname> admin@<appliance_IP>:
c:\Program Files\SafeNet\LunaClient>pscp .\cert\client\RemotePED1.pem admin@192.20.11.78:
admin@192.20.11.78's password:
RemotePED1.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
6.Register the SafeNet Luna Network HSM certificate with PEDserver (pedserver appliance register). Use the mandatory -name argument to set a unique name for the appliance. The appliance listens for the SSL connection from PEDserver at the default port 9697.
>pedserver -appliance register -name <appliance_name> -certificate <cert_filename> -ip <appliance_IP> -port <port>
c:\Program Files\SafeNet\LunaClient>pedserver -appliance register -name myLunaHSM -certificate server.pem -ip 192.20.11.78 -port 9697
Ped Server Version 1.0.6 (10006)
Successfully registered host myLunaHSM.
7.Open an SSH session to the SafeNet Luna Network HSM and log in to LunaSH as admin.
8.Register the PEDserver host certificate (hsm ped server register).
lunash:>hsm ped server register -certificate <certname>
lunash:>hsm ped server register -certificate RemotePED1.pem
'hsm ped server register' successful.
Command Result : 0 (Success)
9.Initiate the connection between PEDserver and the SafeNet Luna Network HSM (pedserver mode connect).
>pedserver mode connect -name <appliance_name>
c:\Program Files\SafeNet\LunaClient>pedserver mode connect -name myLunaHSM
Ped Server Version 1.0.6 (10006)
Connecting to myLunaHSM. Please wait..
Successfully connected to myLunaHSM.
10.Using LunaSH, list the registered Remote PED servers to find the server name (the common name, CN, of the certificate you registered). Select the server you want to use to authenticate credentials for the appliance (hsm ped server list, hsm ped select).
lunash:>hsm ped server list
lunash:>hsm ped select -host <server_name>
lunash:>hsm ped server list
Number of Registered PED Server : 1
PED Server 1 : CN = RemotePED1
Command Result : 0 (Success)
lunash:>hsm ped select -host RemotePED1
Luna PED operation required to connect to Remote PED - use orange PED key(s).
11.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK for the HSM.
The secure network connection is now in place between PEDserver and the appliance. You may now perform any actions that require Remote PED authentication. The PED-initiated Remote PED connection does not time out as long as PEDserver is running. If you wish to end the connection in order to connect to a different instance of PEDserver, see Ending or Switching the Remote PED Connection.