Opening a Remote PED Connection
If you encounter issues, see Remote PED Troubleshooting.
The HSM/client administrator can use this procedure to establish an HSM-initiated Remote PED connection. You require:
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Administrative access to the SafeNet Luna PCIe HSM
>Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector (RPV) and Creating the Orange PED Key)
To open a Remote PED connection
1. Open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.
2. Navigate to the SafeNet Luna HSM Client install directory.
>cd C:\Program Files\SafeNet\LunaClient\
3. Launch PEDserver (see pedserver for all available options). If you are launching PEDserver on an IPv6 network, you must include the -ip option.
>pedserver mode start [-ip <PEDserver_IP>]
C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
4. Verify that the service has launched successfully (pedserver mode).
>pedserver mode show
Note the Ped2 Connection Status. If it says Connected, PEDserver is able to communicate with the Luna PED.
Note also the server port number (default: 1503). You must specify this port along with the PEDserver host IP when you open a connection.
c:\Program Files\SafeNet\LunaClient>pedserver mode show
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
   Hostname: DWG9999
   IP: 0.0.0.0
   Firmware Version: 2.7.1-5
   PedII Protocol Version: 1.0.1-0
   Software Version: 1.0.6 (10006)
   Ped2 Connection Status: Connected
   Ped2 RPK Count 0
   Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
   Server Port: 1503
   External Server Interface: Yes
   Admin Port: 1502
   External Admin Interface: No
   Server Up Time: 190 (secs)
   Server Idle Time: 0 (secs) (0%)
   Idle Timeout Value: 1800 (secs)
   Current Connection Time: 0 (secs)
   Current Connection Idle Time: 0 (secs)
   Current Connection Total Idle Time: 0 (secs) (100%)
   Total Connection Time: 0 (secs)
   Total Connection Idle Time: 0 (secs) (100%)
Show command passed.
5. Use ipconfig to determine the PEDserver host IP. A static IP is recommended, but if you are connecting over a VPN, you may need to determine the current IP each time you connect to the VPN server.
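A check that can be scripted between steps 4 and 7, as an added example that is not part of the Thales documentation: parse the pedserver mode show output above, confirm that Ped2 Connection Status is Connected and that the command passed, and extract the server port and idle timeout that the later steps refer to. The sample output is constructed from the page's own example.

```python
# Added example, not from the Thales documentation: parse `pedserver mode show`
# output and confirm PEDserver is ready before `ped connect` is issued.
# SAMPLE_SHOW_OUTPUT is constructed from the page's own example output.
SAMPLE_SHOW_OUTPUT = """\
Ped Server launched in status mode.
Server Information:
   Ped2 Connection Status: Connected
   Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
   Server Port: 1503
   Idle Timeout Value: 1800 (secs)
Show command passed.
"""

def parse_show(text):
    """Return {section: {key: value}}; bare status lines go under 'messages'."""
    info, section = {"messages": []}, None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if raw[0].isspace() and section:          # indented key/value line
            if ":" in line:
                key, val = (s.strip() for s in line.split(":", 1))
            else:                                  # "Ped2 RPK Serial Numbers (none)" has no colon
                key, _, val = line.rpartition(" ")
            info[section][key] = val
        elif line.endswith(":"):                   # "Server Information:"
            section = line[:-1]
            info[section] = {}
        elif ":" in line:                          # "Client Information: Not Available"
            section, val = (s.strip() for s in line.split(":", 1))
            info[section] = {"value": val}
        else:
            info["messages"].append(line)
    return info

def pedserver_ready(text):
    """Return (ready, port, idle_timeout_secs, problems) from show output."""
    info, problems = parse_show(text), []
    status = info.get("Server Information", {}).get("Ped2 Connection Status")
    if status != "Connected":                      # Luna PED not seen by PEDserver
        problems.append(f"Luna PED not connected (status: {status})")
    if "Show command passed." not in info["messages"]:
        problems.append("pedserver did not report success")
    ops = info.get("Operating Information", {})
    port = int(ops["Server Port"]) if "Server Port" in ops else None
    timeout = int(ops["Idle Timeout Value"].split()[0]) if "Idle Timeout Value" in ops else None
    if port is None:
        problems.append("no Server Port reported")
    return (not problems, port, timeout, problems)
```

Feed it the captured output of pedserver mode show; a Not Connected status or a missing port is reported in the problems list instead of proceeding to ped connect.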
>ipconfig
6. Via SSH, launch LunaCM on the SafeNet Luna PCIe HSM host.
7. Initiate the Remote PED connection (ped connect).
lunacm:>ped connect -ip <PEDserver_IP> -port <PEDserver_port> -slot <slot>
NOTE The -slot option may be required if you have multiple SafeNet Luna PCIe HSMs installed in one server. If you do not include this option, the currently active slot is used.
lunacm:>ped connect -ip 192.124.106.100 -port 1503
Command Result : No Error
8. Issue the first command that requires authentication.
•If the HSM is already initialized and you have the blue HSM SO key, log in (role login).
lunacm:>role login -name so
•If the HSM is uninitialized, you can initialize it now (hsm init). Have blank or reusable blue and red PED keys ready (or multiple blue and red keys in case of M of N or if making multiple copies). See Creating PED Keys for more information.
lunacm:>hsm init -label <label>
9. The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK.
10. The Luna PED prompts for the key associated with the command you issued. Follow the on-screen directions to complete the authentication process.
NOTE The Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaCM to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
11. [OPTIONAL] Set a default IP address and/or port for the SafeNet Luna PCIe HSM to look for a Remote PED host with PEDserver running (ped set).
lunacm:>ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM administrator can use ped connect to initiate the Remote PED connection. The orange PED key may be required if the RPK has been invalidated since you last used it.
If not, see earlier on this page to set up Remote PED.
The person at the PEDserver (which could be the same computer as the partition client, or a separate computer dedicated to being the PED server) uses LunaCM to ensure that the PEDserver is using the port and IP that the HSM (above) is expecting.
lunacm:>ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped connect
The person who is the PSO of the current slot (the desired application partition on the distant Network HSM) runs the LunaCM commands that require the HSM to look for PED interaction.
lunacm:>partition init -label 550097_par1 -f
lunacm:>ped connect
lunacm:>role login -n po
lunacm:>ped connect
lunacm:>role init -n co
NOTE The use of "ped connect" before every partition administrative command is not always necessary, but is a best-practice in unstable network conditions or in situations where network/firewall rules might drop the pedclient-pedserver connection frequently or unexpectedly.
If the [re-] connection fails, have the person with "admin" access on the Network HSM re-establish the HSM side of the connection to the PEDserver (expected port and IP) before you issue any more client-side commands that need PED authentication.