Opening a Remote PED Connection
There are two methods of establishing a Remote PED connection to the HSM:
>HSM-initiated: When the HSM requires authentication, it sends (via PEDclient) a request for PED services to the Remote PED host (which receives the request via PEDserver). This requires that the SafeNet Luna Network HSM be allowed to initiate external connections, and that the PEDserver IP port remains open. If the SafeNet Luna Network HSM resides behind a firewall with rules prohibiting these connections, or if your IT policy prohibits opening a port on the Remote PED host, use a PED-initiated connection instead.
>PED-initiated: The HSM and Remote PED host exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the SafeNet Luna Network HSM. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method.
CAVEAT: For the SafeNet Luna Network HSM, only Luna Shell commands can be used with a PED-initiated Remote PED connection. Client-side lunacm commands such as partition init cannot be executed. This means that only administrative personnel, logging in via Luna Shell (lunash:>) can authenticate to the HSM
If you encounter issues, see Remote PED Troubleshooting.
HSM-Initiated Remote PED
The HSM/client administrator can use this procedure to establish an HSM-initiated Remote PED connection.
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Administrative access to the SafeNet Luna Network HSM via SSH
>Administrative access to a Luna HSM Client workstation with an assigned user partition (if using Remote PED for partition-level authentication)
>One of the following:
•Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector (RPV) and Creating the Orange PED Key)
•Blank orange PED key (or multiple keys, if you plan to use an M of N scheme)
To launch PEDserver
1.Open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.
2.Navigate to the SafeNet Luna HSM Client install directory.
>cd C:\Program Files\SafeNet\LunaClient\
3.Launch PEDserver (see pedserver for all available options). If you are launching PEDserver on an IPv6 network, you must include the -ip option.
>pedserver mode start [-ip <PEDserver_IP>]
C:\Program Files\SafeNet\LunaClient>pedserver mode start Ped Server Version 1.0.6 (10006) Ped Server launched in startup mode. Starting background process Background process started Ped Server Process created, exiting this process.
4.Verify that the service has launched successfully (pedserver mode).
>pedserver mode show
Note the Ped2 Connection Status. If it says Connected, PEDserver is able to communicate with the Luna PED.
Note also the server port number (default: 1503). You must specify this port along with the PEDserver host IP when you open a connection.
c:\Program Files\SafeNet\LunaClient>pedserver mode show Ped Server Version 1.0.6 (10006) Ped Server launched in status mode. Server Information: Hostname: DWG9999 IP: 0.0.0.0 Firmware Version: 2.7.1-5 PedII Protocol Version: 1.0.1-0 Software Version: 1.0.6 (10006) Ped2 Connection Status: Connected Ped2 RPK Count 0 Ped2 RPK Serial Numbers (none) Client Information: Not Available Operating Information: Server Port: 1503 External Server Interface: Yes Admin Port: 1502 External Admin Interface: No Server Up Time: 190 (secs) Server Idle Time: 0 (secs) (0%) Idle Timeout Value: 1800 (secs) Current Connection Time: 0 (secs) Current Connection Idle Time: 0 (secs) Current Connection Total Idle Time: 0 (secs) (100%) Total Connection Time: 0 (secs) Total Connection Idle Time: 0 (secs) (100%) Show command passed.
5.Use ipconfig to determine the PEDserver host IP. A static IP is recommended, but if you are connecting over a VPN, you may need to determine the current IP each time you connect to the VPN server.
>ipconfig
If you are setting up Remote PED with a SafeNet Luna Network HSM appliance, see To open a Remote PED connection from the SafeNet Luna Network HSM appliance (LunaSH).
If you are setting up Remote PED with a client, see To open a Remote PED connection from a client workstation (LunaCM).
To open a Remote PED connection from the SafeNet Luna Network HSM appliance (LunaSH)
1.Open an SSH session to the SafeNet Luna Network HSM and log in to LunaSH as admin.
2.Initiate the Remote PED connection from the SafeNet Luna Network HSM (hsm ped connect).
lunash:> hsm ped connect -ip <PEDserver_IP> -port <PEDserver_port> [-serial <serial#>]
NOTE The -serial option is required only if you are using Remote PED to authenticate a SafeNet Luna Backup HSM connected to one of the SafeNet Luna Network HSM's USB ports. If a serial number is not specified, the appliance's internal HSM is used.
lunash:>hsm ped connect -ip 192.124.106.100 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
•If you have not yet initialized the RPV, and the HSM is not in initialized state, LunaSH prompts you to enter a password.
Enter PED Password:
See Remote RPV Initialization for this procedure.
•If you already initialized the RPV, the Luna PED prompts for the orange PED key.
Present the orange PED key with the correct RPV. The HSM authenticates the RPV, and control is returned to the LunaSH prompt.
Command Result : 0 (Success)
The HSM-initiated Remote PED connection is now open.
3.Verify the Remote PED connection by entering a command that requires PED authentication (hsm login, hsm init).
•If the HSM is already initialized and you have the blue HSM SO key, you can use hsm login.
•If the HSM is uninitialized, you can initialize it now with hsm init -label <label>. Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for M of N or to make multiple copies). See Creating PED Keys for more information.
NOTE The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaSH to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
4.[OPTIONAL] Set a default IP address and/or port for the SafeNet Luna Network HSM to look for a configured Remote PED (hsm ped set).
lunash:>hsm ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunash:>hsm ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM administrator can use hsm ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange PED key will be required each time.
NOTE If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.
To open a Remote PED connection from a client workstation (LunaCM)
1.Launch LunaCM on the client.
2.Initiate the Remote PED connection (ped connect).
lunacm:>ped connect -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped connect -ip 192.124.106.100 -port 1503
Command Result : No Error
3.Issue the first command that requires authentication.
•If the partition is already initialized and you have the blue Partition SO key, log in (role login).
lunacm:>role login -name po
•If the partition is uninitialized, you can initialize it now (partition init). Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for MofN or for multiple copies). See Creating PED Keys for more information on creating PED keys.
lunacm:>partition init -label <label>
4.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK.
5.The Luna PED prompts for the key associated with the command you issued. Follow the on-screen directions to complete the authentication process.
NOTE The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaCM to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection
6.[OPTIONAL] Set a default IP address and/or port for the SafeNet Luna Network HSM to look for a configured Remote PED (ped set).
lunacm:>ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM administrator can use ped connect (without specifying the IP/port) to initiate the Remote PED connection (ped connect). The orange PED key may be required if the RPK has been invalidated on the PED since you last used it.
NOTE If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.
PED-Initiated Remote PED
A PED-initiated connection requires the HSM and Remote PED host to exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the SafeNet Luna Network HSM. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method. The HSM administrator can use this procedure to set up the connection. You require:
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector (RPV) and Creating the Orange PED Key)
>Administrative access to the SafeNet Luna Network HSM via SSH
NOTE The PED-initiated Remote PED connection procedure requires admin access to the appliance via LunaSH, and therefore this method cannot directly provide authentication services for client partitions.
To open a PED-initiated Remote PED connection
1.On the Remote PED host, open an Administrator command prompt. (If you are running Windows Server 20xx, the Administrator prompt is launched by default. For any other supported Windows version, right-click the Command Prompt icon and select Run as administrator.)
2.Navigate to the SafeNet Luna HSM Client install directory (C:\Program Files\SafeNet\LunaClient\)
3.You will need the Remote PED host's NTLS certificate. If you have already set up an NTLS client connection to the appliance using LunaCM, you can find the certificate in C:\Program Files\SafeNet\LunaClient\cert\client\ If the certificate is not available, you can generate it with the PEDserver utility (pedserver regen).
CAUTION! If the Remote PED host has registered NTLS partitions on any HSM, regenerating the certificate will cause you to lose contact with your registered NTLS partitions. Use the existing certificate instead.
>pedserver -regen -commonname <name>
c:\Program Files\SafeNet\LunaClient>pedserver -regen -commonname RemotePED1 Ped Server Version 1.0.6 (10006) Are you sure you wish to regenerate the client certificate? All registered partitions may disappear. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now -> proceed Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1Key.pem Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1.pem Successfully regenerated the client certificate.
4.Use pscp to securely retrieve the SafeNet Luna Network HSM's NTLS certificate (SCP and PSCP). Enter the appliance's admin account password when prompted. Note the period at the end of the command.
>pscp admin@<appliance_IP>:server.pem .
c:\Program Files\SafeNet\LunaClient>pscp admin@192.20.11.78:server.pem .
admin@192.20.11.78's password: server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
5.Use pscp to securely transfer the Remote PED host's NTLS certificate to the SafeNet Luna Network HSM's admin account.
>pscp .\cert\client\<certname> admin@<appliance_IP>:
c:\Program Files\SafeNet\LunaClient>pscp .\cert\client\RemotePED1.pem admin@192.20.11.78: admin@192.20.11.78's password: RemotePED1.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
6.Register the SafeNet Luna Network HSM certificate with PEDserver (pedserver appliance register). Use the mandatory -name argument to set a unique name for the appliance. The appliance listens for the SSL connection from PEDserver at the default port 9697.
>pedserver -appliance register -name <appliance_name> -certificate <cert_filename> -ip <appliance_IP> -port <port>
c:\Program Files\SafeNet\LunaClient>pedserver -appliance register -name myLunaHSM -certificate server.pem -ip 192.20.11.78 -port 9697 Ped Server Version 1.0.6 (10006) Successfully registered host myLunaHSM.
7.Open an SSH session to the SafeNet Luna Network HSM and log in to LunaSH as admin.
8.Register the PEDserver host certificate (hsm ped server register).
lunash:>hsm ped server register -certificate <certname>
lunash:>hsm ped server register -certificate RemotePED1.pem 'hsm ped server register' successful. Command Result : 0 (Success)
9.Initiate the connection between PEDserver and the SafeNet Luna Network HSM (pedserver mode connect).
>pedserver mode connect -name <appliance_name>
c:\Program Files\SafeNet\LunaClient>pedserver mode connect -name myLunaHSM Ped Server Version 1.0.6 (10006) Connecting to myLunaHSM. Please wait.. Successfully connected to myLunaHSM.
10.Using LunaSH, list the available registered Remote PED servers to find the server name (taken from the certificate filename during registration). Select the server you want to use to authenticate credentials for the appliance (hsm ped server list, hsm ped select).
lunash:>hsm ped server list
lunash:>hsm ped select -host <server_name>
lunash:>hsm ped server list Number of Registered PED Server : 1 PED Server 1 : CN = RemotePED1 Command Result : 0 (Success) lunash:>hsm ped select -host RemotePED1 Luna PED operation required to connect to Remote PED - use orange PED key(s).
11.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK for the HSM.
The secure network connection is now in place between PEDserver and the appliance. You may now perform any actions that require Remote PED authentication. The PED-initiated Remote PED connection does not time out as long as PEDserver is running. If you wish to end the connection in order to connect to a different instance of PEDserver, see Ending or Switching the Remote PED Connection.
Workaround when you need PED-initiated Remote PED for Client
LunaCM, which is a client-side tool, is not able to launch a PED-initiated Remote PED connection if the firewall blocks the initial attempt. LunaCM does not have administrative access to the HSM appliance and is not aware of PED-client settings on the HSM side (such as the port at which the HSM will look for the PED.
If you control two roles, if you are both the HSM owner/SO and the owner/user/PSO of the application partition that is assigned for crypto operations, then you can coordinate actions in Luna Shell (lunash command line) and in LunaCM at the client end, to establish a Remote PED connection.
Or, you can do the same, if you are the partition owner and are also able to coordinate closely with a person who has administrative access (lunash) to the HSM.
>On the HSM appliance, use the hsm ped commands, as described earlier, to prepare the HSM for Remote PED.
•Register a PedServer's certificate with hsm ped server register.
•Make a connection with the desired PedServer with hsm ped connect, specifying the IP of the Remote PED Server and a port number that you know is accessible through the firewall.
>On the Remote PED host, use the lunacm ped commands to set the identity of the PedServer to match what you have told the HSM to expect
•Use ped set to provide the IP address and the port number that you determined (or that your colleague determined) in the lunash session.
>On the HSM appliance, use the hsm ped select command to select the Remote PED server that you just configured, as the PED that will be requested by any upcoming HSM operations that need PED authentication.
>On the Client (which could also be the Remote PED host, or could be a separate computer/application server), run a command that invokes PED operation, like the role login command.
>The HSM receives the command and looks to the PED (in this case the Remote PED) that has been previously specified in lunash.
Example:
Person with access to 'admin' account on the Network HSM verfies that the HSM is expecting a Remote PED connection on a specific port, from a specific IP address -
lunash:>hsm ped show Default Remote PED Server Port: 1503 <snip> Callback Server is running.. Callback Server Information: Hostname: sa7-78 IP: 192.168.0.78 Software Version: 2.0.1 (20001) Operating Information: Admin Port: 1501 : <snip> : Show command passed. Command Result : 0 (Success) lunash:>
If not, see earlier on this page to set up Remote PED.
Person at the PEDserver (which could be the same computer as the partition client, or could be a separate computer, dedicated to being PED server) uses lunacm to ensure that the PEDserver is using the correct port and IP that the HSM (above) is expecting.
Lunacm>ped set -ip pedserver_ip -port pedserver_port
Lunacm>ped connect
Person who is the PSO of the current slot (which is the desired application partition on the distant Network HSM) runs the lunacm commands that will require the HSM to look for PED interaction.
Lunacm>partition init -label 550097_par1 -f
Lunacm>ped connect
Lunacm>role login -n po
Lunacm>ped connect
Lunacm>role init -n co
NOTE The use of "ped connect" before every partition administrative command is not always necessary, but is a best-practice in unstable network conditions or in situations where network/firewall rules might drop the pedclient-pedserver connection frequently or unexpectedly.
If the [re-] connection fails, have the person with "admin" access on the Network HSM re-establish the HSM side of the connection to the PEDserver (expected port and IP) before you issue any more client-side commands that need PED authentication.