Luna PED Hardware Functions
The Luna PED reads authentication secrets from PED keys on behalf of an HSM or partition. This section contains the following information about the Luna PED device:
>PED with Newer CPU (AC Power Block Now Optional)
Physical Features
The Luna PED is illustrated below, with important features labeled.
Item | Feature |
---|---|
1 | Liquid Crystal Display (LCD), 8 lines. |
2 | Keypad for command and data entry. See Keypad Functions. |
3 | DC power connector. Not used for PED version 2.8 and above. * |
4 | USB mini-B connector. Used for connecting to the HSM and for file transfer to or from the PED. PED version 2.8 and above is powered by this USB connection. |
5 | Micro-D subminiature (MDSM) connector. Not used for Luna release 7.x. |
6 | USB A-type connector for PED keys. |
7 | PED key. Keys are inserted in the PED key connector (item 6). |
* PEDs with firmware version 2.8 and above are powered by any USB 2.x or 3.x connection, and do not have an external DC power supply. The PED driver must be installed on the connected computer. If the PED is connected to a hub or to a computer without the driver, then the PED display backlight illuminates, but no PED menu is presented.
Keypad Functions
The Luna PED keypad functions are as follows:
Key | Function |
---|---|
Clear | Clear the current entry, such as when entering a PED PIN. Hold the key down for five seconds to reset the PED during an operation; this applies only if the PED is engaged in an operation or is prompting for action. There is no effect when no command has been issued or when a menu is open. |
< | Backspace: clear the most recent digit you typed on the PED. Exit: return to the previous PED menu. |
> | Log: displays the most recent PED actions (since entering Local or Remote Mode). |
Numeric keys | Select numbered menu items. Input PED PINs. |
Yes and No | Respond to Yes or No questions from the PED. |
Enter | Confirm an action or entry. |
Modes of Operation
The Luna PED can operate in four different modes, depending on the type of HSM connection you want to use:
>Local PED-SCP: This mode is reserved for legacy Luna 6.x HSMs that use an MDSM connector between the PED and the HSM. It does not apply to Luna 7.x. Initial HSM configuration must be done in Local PED mode. See Local PED Setup for instructions.
>Admin: This mode is for upgrading the PED device firmware, diagnostic tests, and PED key duplication. See Admin Mode Functions for the functions available in this mode.
>Remote PED: In this mode, the PED is connected to a remote workstation and authenticated to the HSM with an orange PED key containing a Remote PED Vector (RPV) secret. This mode allows the Luna PCIe HSM to be located in a data center or other location restricting physical access. See About Remote PED for more information.
>Local PED-USB: In this mode, the PED is connected directly to the HSM card with a USB mini-B to USB-A connector cable. Initial HSM configuration must be done in Local PED mode.
If the Luna PED is connected to an interface when it is powered up, it automatically detects the type of connection being used and switches to the appropriate mode upon receiving the first command from the HSM.
Changing Modes
If you change your PED configuration without disconnecting the PED from power, you must select the correct mode from the main menu.
To change the Luna PED's active mode
1. Press the < key to navigate to the main menu.
   The main menu displays all the available modes, as well as the PED’s current firmware version.
2. Press the corresponding number on the keypad for the desired mode.
NOTE The Luna PED must be in Local PED-USB mode when connected to a Release 7.x Luna PCIe HSM card, or LunaCM will return an error (CKR_DEVICE_ERROR) when you attempt authentication.
Admin Mode Functions
In this mode, you can upgrade the PED device software, run diagnostic tests, and duplicate PED keys without having the Luna PED connected to an HSM. Press the corresponding number key to select the desired function.
>PED Key: allows you to identify the secret on an inserted PED key, or duplicate the key, without having the Luna PED connected to an HSM.
>Backup Devices: Not applicable to Luna 7.x.
>Software Update: requires a PED software file and instructions sent from Thales.
>Self Test: test the PED’s functionality. Follow the on-screen instructions to test button functions, display, cable connections, and the ability to read PED keys. The PED returns a PASS/FAIL report once it concludes the test.
PED with Newer CPU (AC Power Block Now Optional)
A refresh of PED hardware (December 2017) was made necessary by suppliers discontinuing some original components. One of the replaced parts was the CPU, which necessitated a new line of PED firmware, incompatible with the previous versions.
The older PED was shipped with an AC adapter.
The newer PED has the same socket, for connection to an AC adapter, but an adapter/power-block is not shipped with the PED. You can purchase one locally if desired, but the new-CPU PED is reliably powered via USB.
The following points apply to the new-CPU PED, versions 2.8, 2.8.1, and 2.9.0 (that is, any released new-CPU PED firmware version):
>When connected over USB to a PCIe HSM or to a Network HSM, if the server housing the HSM card is booted from power off, the PED display might come up blank. The PED must be reset (power cycled).
>When connected via USB to a server (but not directly to the HSM card), if the server is booted from power off, the PED display may come up blank, or the PED may be unresponsive to PED server; the PED must be reset.
>When powered by the HSM over USB, if an AC power block is then connected, the PED resets.
>When powered by an AC power block and also plugged into the HSM's USB port, if the AC power block is then disconnected, the PED will power off.
>The new-CPU PED will be unresponsive after HSM firmware update or rollback, and the display might come up blank; the PED must be reset.
>If the new-CPU PED is powered via the USB connection on the HSM, and the HSM is reset, the PED becomes unresponsive; the PED must be reset.
>If the new-CPU PED is connected to AC and to the HSM's USB connector, and the server housing the HSM is power cycled (not the PED), the PED will not be unresponsive when the server and the HSM are back online; nevertheless, the PED must be reset.
"The PED must be reset" means that the PED must be power cycled by unplugging/replugging the USB cable, or by removing/reinserting the cord from the AC power block (if it is in use).