Opening a Remote PED Connection

There are two methods of establishing a Remote PED connection to the HSM:

>HSM-initiated: When the HSM requires authentication, it sends (via PEDclient) a request for PED services to the Remote PED host (which receives the request via PEDserver). This requires that the Luna Network HSM be allowed to initiate external connections, and that the PEDserver IP port remains open. If the Luna Network HSM resides behind a firewall with rules prohibiting these connections, or if your IT policy prohibits opening a port on the Remote PED host, use a PED-initiated connection instead.

See HSM-Initiated Remote PED.

>PED-initiated: The HSM and Remote PED host exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the Luna Network HSM. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method.

See PED-Initiated Remote PED.

NOTE   For the Luna Network HSM, only Luna Shell commands can be used with a PED-initiated Remote PED connection. Client-side LunaCM commands such as partition init cannot be executed. This means that only administrative personnel, logging in via Luna Shell (lunash:>) can authenticate to the HSM using a PED-initiated Remote PED connection.

To perform actions requiring authentication on Network HSM partitions (that is, from the client side) any Remote PED connection must be launched by the HSM, and the data-center firewall rules must permit such outward initiation of contact.

If you encounter issues, see Remote PED Troubleshooting.

HSM-Initiated Remote PED

The HSM/client administrator can use this procedure to establish an HSM-initiated Remote PED connection. The procedure is different depending on whether you are setting up Remote PED for the HSM appliance or a client. You require:

>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)

>Administrative access to the Luna Network HSM via SSH (if using Remote PED for HSM-level authentication)

>Administrative access to a Luna HSM Client workstation with an assigned user partition (if using Remote PED for partition-level authentication)

>One of the following:

Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector and Creating an Orange Remote PED Key)

Blank orange PED key (or multiple keys, if you plan to use an M of N scheme)

To launch PEDserver

1.On Windows, open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.

2.Navigate to the Luna HSM Client install directory.

Windows default: cd C:\Program Files\SafeNet\LunaClient\

Linux/UNIX default: cd /usr/safenet/lunaclient

3.Launch PEDserver. If you are launching PEDserver on an IPv6 network, you must include the -ip option.

> pedserver mode start [-ip <PEDserver_IP>]

C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.

4.Verify that the service has launched successfully.

> pedserver mode show

Note the Ped2 Connection Status. If it says Connected, PEDserver is able to communicate with the Luna PED.

Note also the server port number (default: 1503). You must specify this port along with the PEDserver host IP when you open a connection.

c:\Program Files\SafeNet\LunaClient>pedserver mode show
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.


   Server Information:
      Hostname:                           DWG9999
      IP:                                 0.0.0.0
      Firmware Version:                   2.7.1-5
      PedII Protocol Version:             1.0.1-0
      Software Version:                   1.0.6 (10006)

      Ped2 Connection Status:             Connected
      Ped2 RPK Count                      0
      Ped2 RPK Serial Numbers             (none)

   Client Information:                    Not Available

   Operating Information:
      Server Port:                        1503
      External Server Interface:          Yes
      Admin Port:                         1502
      External Admin Interface:           No

      Server Up Time:                     190 (secs)
      Server Idle Time:                   0 (secs) (0%)
      Idle Timeout Value:                 1800 (secs)

      Current Connection Time:            0 (secs)
      Current Connection Idle Time:       0 (secs)
      Current Connection Total Idle Time: 0 (secs) (100%)
      Total Connection Time:              0 (secs)
      Total Connection Idle Time:         0 (secs) (100%)

Show command passed.

5.Use ipconfig (Windows) or ifconfig (Linux) to determine the PEDserver host IP. A static IP is recommended, but if you are connecting over a VPN, you may need to determine the current IP each time you connect to the VPN server.
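A pre-flight check on the pedserver mode show listing, added here as an example (it is not part of the Luna documentation or the PEDserver utility): it parses the two-column status output, pulls out the fields step 4 tells you to note, and confirms that the PED is connected and that the port you are about to pass to hsm ped connect or ped connect is the one PEDserver is actually listening on. The sample listing is constructed in the format shown above; feed it the real output in practice.

```python
import re

# Constructed sample in the layout `pedserver mode show` prints (see the listing
# above), trimmed to the fields this check reads.
SAMPLE_MODE_SHOW = """\
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.

   Server Information:
      Hostname:                           DWG9999
      Ped2 Connection Status:             Connected
      Ped2 RPK Count                      0

   Operating Information:
      Server Port:                        1503
      Idle Timeout Value:                 1800 (secs)

Show command passed.
"""

# A label (with or without a trailing colon) separated from its value by two or
# more spaces; section headings carry no value and therefore do not match.
_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ]+?)\s*:?\s{2,}(?P<value>\S.*?)\s*$")


def parse_mode_show(text: str) -> dict:
    """Map each label in the status listing to its printed value."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


def pedserver_status(text: str) -> dict:
    """Pick out the values the procedure tells you to note in step 4."""
    f = parse_mode_show(text)
    return {
        "ped_connected": f.get("Ped2 Connection Status") == "Connected",
        "server_port": int(f["Server Port"]),          # the -port to give the HSM
        "idle_timeout_secs": int(f["Idle Timeout Value"].split()[0]),
        "rpk_count": int(f.get("Ped2 RPK Count", "0")),
    }


def preflight(text: str, port_for_hsm: int) -> list:
    """Problems that would make the HSM's connect attempt fail or reach the
    wrong listener; an empty list means the HSM side can be started."""
    s = pedserver_status(text)
    problems = []
    if not s["ped_connected"]:
        problems.append("Luna PED is not connected to PEDserver (Ped2 Connection Status)")
    if s["server_port"] != port_for_hsm:
        problems.append(f"PEDserver listens on {s['server_port']} but the HSM would be "
                        f"given -port {port_for_hsm}")
    return problems
```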

If you are setting up Remote PED with a Luna Network HSM appliance, see To open a Remote PED connection from the Luna Network HSM appliance (LunaSH).

If you are setting up Remote PED with a client, see To open a Remote PED connection from a client workstation (LunaCM).

To open a Remote PED connection from the Luna Network HSM appliance (LunaSH)

1.Open an SSH session to the Luna Network HSM and log in to LunaSH as admin.

2.Initiate the Remote PED connection from the Luna Network HSM.

lunash:> hsm ped connect -ip <PEDserver_IP> -port <PEDserver_port> [-serial <serial#>]

NOTE   The -serial option is required only if you are using Remote PED to authenticate a Luna Backup HSM connected to one of the Luna Network HSM's USB ports. If a serial number is not specified, the appliance's internal HSM is used.

lunash:>hsm ped connect -ip 192.124.106.100 -port 1503

Luna PED operation required to connect to Remote PED - use orange PED key(s).

If you have not yet initialized the RPV, and the HSM is not in initialized state, LunaSH prompts you to enter a password.

Enter PED Password:

See Remote RPV Initialization for this procedure.

If you already initialized the RPV, the Luna PED prompts for the orange PED key.

Present the orange PED key with the correct RPV. The HSM authenticates the RPV, and control is returned to the LunaSH prompt.

Command Result : 0 (Success)

The HSM-initiated Remote PED connection is now open.

3.Verify the Remote PED connection by entering a command that requires PED authentication.

If the HSM is already initialized and you have the blue HSM SO key, you can use lunash:> hsm login.

If the HSM is uninitialized, you can initialize it now with lunash:> hsm init -label <label>. Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for M of N or to make multiple copies). See Creating PED Keys for more information.

NOTE   The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaSH to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.

4.[OPTIONAL] Set a default IP address and/or port for the Luna Network HSM to look for a configured Remote PED.

lunash:> hsm ped set -ip <PEDserver_IP> -port <PEDserver_port>

lunash:>hsm ped set -ip 192.124.106.100 -port 1503

Command Result : 0 (Success)

With this default address set, the HSM administrator can use lunash:> hsm ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange PED key will be required each time.

NOTE   If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.

To open a Remote PED connection from a client workstation (LunaCM)

1.Launch LunaCM on the client.

2.Initiate the Remote PED connection.

lunacm:> ped connect -ip <PEDserver_IP> -port <PEDserver_port>

lunacm:>ped connect -ip 192.124.106.100 -port 1503

Command Result : No Error

3.Issue the first command that requires authentication.

If the partition is already initialized and you have the blue Partition SO key, log in.

lunacm:> role login -name po

If the partition is uninitialized, you can initialize it now. Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for M of N or for multiple copies). See Creating PED Keys for more information.

lunacm:> partition init -label <label>

4.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK.

5.The Luna PED prompts for the key associated with the command you issued. Follow the on-screen directions to complete the authentication process.

NOTE   The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaCM to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.

6.[OPTIONAL] Set a default IP address and/or port for the Luna Network HSM to look for a configured Remote PED.

lunacm:> ped set -ip <PEDserver_IP> -port <PEDserver_port>

lunacm:>ped set -ip 192.124.106.100 -port 1503

Command Result : 0 (Success)

With this default address set, the HSM administrator can use lunacm:> ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange PED key may be required if the RPK has been invalidated on the PED since you last used it.

NOTE   If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.

PED-Initiated Remote PED

A PED-initiated connection requires the HSM and Remote PED host to exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the Luna Network HSM. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method. The HSM administrator can use this procedure to set up the connection. You require:

>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)

>Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector and Creating an Orange Remote PED Key)

>Administrative access to the Luna Network HSM via SSH

NOTE   The PED-initiated Remote PED connection procedure requires admin access to the appliance via LunaSH, and therefore this method cannot directly provide authentication services for client partitions.

To open a PED-initiated Remote PED connection

1.On Windows, open an Administrator command prompt on the Remote PED host. (If you are running Windows Server 20xx, the Administrator prompt is launched by default. For any other supported Windows version, right-click the Command Prompt icon and select Run as administrator.)

2.Navigate to the Luna HSM Client install directory (C:\Program Files\SafeNet\LunaClient\ or /usr/safenet/lunaclient)

3.You will need the Remote PED host's NTLS certificate. If you have already set up an NTLS client connection to the appliance using LunaCM, you can find the certificate in C:\Program Files\SafeNet\LunaClient\cert\client\ or /usr/safenet/lunaclient/cert/client. If the certificate is not available, you can generate it with the PEDserver utility.

CAUTION!   If the Remote PED host has registered NTLS partitions on any HSM, regenerating the certificate will cause you to lose contact with your registered NTLS partitions. Use the existing certificate instead.

> pedserver regen -commonname <name>

c:\Program Files\SafeNet\LunaClient>pedserver -regen -commonname RemotePED1
Ped Server Version 1.0.6 (10006)

Are you sure you wish to regenerate the client certificate?
All registered partitions may disappear.

Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now -> proceed

Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1Key.pem
Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1.pem

Successfully regenerated the client certificate.

4.Use pscp or scp to securely retrieve the Luna Network HSM's NTLS certificate. Enter the appliance's admin account password when prompted. Note the period at the end of the command.

>pscp admin@<appliance_IP>:server.pem .

c:\Program Files\SafeNet\LunaClient>pscp admin@192.20.11.78:server.pem .
admin@192.20.11.78's password:

server.pem                | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

5.Use pscp or scp to securely transfer the Remote PED host's NTLS certificate to the Luna Network HSM's admin account.

>pscp .\cert\client\<certname> admin@<appliance_IP>:

c:\Program Files\SafeNet\LunaClient>pscp .\cert\client\RemotePED1.pem admin@192.20.11.78:
admin@192.20.11.78's password:

RemotePED1.pem              | 1 kB |   1.1 kB/s | ETA: 00:00:00 | 100%

6.Register the Luna Network HSM certificate with PEDserver. Use the mandatory -name argument to set a unique name for the appliance. The appliance listens for the SSL connection from PEDserver at the default port 9697.

>pedserver appliance register -name <appliance_name> -certificate <cert_filename> -ip <appliance_IP> -port <port>

7.Open an SSH session to the Luna Network HSM and log in to LunaSH as admin.

8.Register the PEDserver host certificate.

lunash:> hsm ped server register -certificate <certname>

lunash:>hsm ped server register -certificate RemotePED1.pem

'hsm ped server register' successful.

Command Result : 0 (Success)

9.Initiate the connection between PEDserver and the Luna Network HSM.

>pedserver mode connect -name <appliance_name>

c:\Program Files\SafeNet\LunaClient>pedserver mode connect -name myLunaHSM
Ped Server Version 1.0.6 (10006)

Connecting to myLunaHSM. Please wait..

Successfully connected to myLunaHSM.

10.Using LunaSH, list the available registered Remote PED servers to find the server name (taken from the certificate filename during registration). Select the server you want to use to authenticate credentials for the appliance.

lunash:> hsm ped server list

lunash:> hsm ped select -host <server_name>

lunash:>hsm ped server list

   Number of Registered PED Server :  1

      PED Server  1 : CN = RemotePED1

Command Result : 0 (Success)


lunash:>hsm ped select -host RemotePED1



Luna PED operation required to connect to Remote PED - use orange PED key(s).

11.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK for the HSM.

The secure network connection is now in place between PEDserver and the appliance. You may now perform any actions that require Remote PED authentication. The PED-initiated Remote PED connection does not time out as long as PEDserver is running. If you wish to end the connection in order to connect to a different instance of PEDserver, see Ending or Switching the Remote PED Connection.
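The trust created in steps 6 and 8 rests on the two certificate files that were copied with pscp or scp, so a practitioner will want to confirm that the file that arrived is the one that left the other host before registering it. The following is an added example, not Thales code: it decodes a PEM certificate, computes its SHA-256 fingerprint in the colon-separated form that openssl x509 -noout -fingerprint -sha256 prints, and compares it with a fingerprint read out over a second channel. The PEM blocks are constructed placeholders (arbitrary bytes in PEM layout, not real certificates) so the example runs offline; point it at server.pem and cert\client\RemotePED1.pem in practice.

```python
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it; raise if absent."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group("body").split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as AA:BB:... (the form openssl prints)."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_reported_fingerprint(pem: str, reported: str) -> bool:
    """Compare a received file against the fingerprint read out on the other host.
    Accepts the reported value with or without colons/spaces, in either case."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return hmac.compare_digest(norm(sha256_fingerprint(pem)), norm(reported))


# Constructed placeholders: arbitrary bytes in PEM layout, not real certificates.
# In practice read server.pem (step 4) and cert/client/RemotePED1.pem (step 5).
APPLIANCE_DER = b"constructed placeholder for the appliance NTLS certificate"
PEDSERVER_DER = b"constructed placeholder for the Remote PED host certificate"
APPLIANCE_PEM = der_to_pem(APPLIANCE_DER)
PEDSERVER_PEM = der_to_pem(PEDSERVER_DER)
# A copy with one byte altered in transit must fail the comparison.
TAMPERED_PEM = der_to_pem(APPLIANCE_DER[:-1] + b"!")
```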

Workaround when you need PED-initiated Remote PED for Client

LunaCM, which is a client-side tool, is not able to launch a PED-initiated Remote PED connection if the firewall blocks the initial attempt. LunaCM does not have administrative access to the HSM appliance and is not aware of PED-client settings on the HSM side (such as the port at which the HSM will look for the PED).

If you control both roles, that is, if you are both the HSM owner/SO and the owner/user/PSO of the application partition assigned for crypto operations, you can coordinate actions in Luna Shell (the lunash command line) and in LunaCM at the client end to establish a Remote PED connection.

Or, you can do the same if you are the partition owner and can coordinate closely with a person who has administrative access to LunaSH on the HSM appliance.

>On the HSM appliance, use the hsm ped commands, as described earlier, to prepare the HSM for Remote PED.

Register a PedServer's certificate with hsm ped server register.

Make a connection with the desired PedServer with hsm ped connect, specifying the IP of the Remote PED Server and a port number that you know is accessible through the firewall.

>On the Remote PED host, use the lunacm ped commands to set the identity of the PedServer to match what you have told the HSM to expect.

Use ped set to provide the IP address and the port number that you determined (or that your colleague determined) in the lunash session.

>On the HSM appliance, use the hsm ped select command to select the Remote PED server that you just configured, as the PED that will be requested by any upcoming HSM operations that need PED authentication.

>On the Client (which could also be the Remote PED host, or could be a separate computer/application server), run a command that invokes PED operation, like the role login command.

>The HSM receives the command and looks to the PED (in this case the Remote PED) that has been previously specified in lunash.

Example:

Person with access to the admin account on the Network HSM verifies that the HSM is expecting a Remote PED connection on a specific port, from a specific IP address:

lunash:>hsm ped show

Default Remote PED Server Port: 1503
<snip>
Callback Server is running..

   Callback Server Information:
         Hostname:                        sa7-78
         IP:                              192.168.0.78
         Software Version:                2.0.1 (20001)

   Operating Information:
      Admin Port:                         1501
:
<snip>
:

Show command passed.

Command Result : 0 (Success)
lunash:>

If not, see earlier on this page to set up Remote PED.

Person at the PEDserver (which could be the same computer as the partition client, or could be a separate computer, dedicated to being PED server) uses LunaCM to ensure that the PEDserver is using the correct port and IP that the HSM (above) is expecting.

lunacm:> ped set -ip pedserver_ip -port pedserver_port
lunacm:> ped connect

Person who is the PSO of the current slot (which is the desired application partition on the distant Network HSM) runs the LunaCM commands that will require the HSM to look for PED interaction.

lunacm:> partition init -label 550097_par1 -f
lunacm:> ped connect
lunacm:> role login -n po
lunacm:> ped connect
lunacm:> role init -n co

NOTE   The use of lunacm:> ped connect before every partition administrative command is not always necessary, but is a best-practice in unstable network conditions or in situations where network/firewall rules might drop the pedclient-pedserver connection frequently or unexpectedly.

If the [re-] connection fails, have the person with "admin" access on the Network HSM re-establish the HSM side of the connection to the PEDserver (expected port and IP) before you issue any more client-side commands that need PED authentication.