Local PED Setup

A Local PED connection is the simplest way to set up the Luna PED. In this configuration, the PED is connected directly to the HSM card. It is best suited for situations where all parties who need to authenticate credentials have convenient physical access to the HSM. When the HSM is stored in a secure data center and accessed remotely, you must use a Remote PED setup.

Setting Up a Local PED Connection

The Luna PCIe HSM administrator can use these directions to set up a Local PED connection. You require:

>Luna PED with firmware 2.7.1 or newer

>USB mini-B to USB-A connector cable

>Luna PED DC power supply (if included with your Luna PED)

To set up a Local PED connection

1. Connect the Luna PED to the HSM using the supplied USB mini-B to USB-A connector cable.

NOTE   To operate in Local PED-USB mode, the Luna PED must be connected directly to the HSM card's USB port, and not one of the other USB connection ports on the host system.

2. PED version 2.8 and above is powered via the USB connection. If you are using PED version 2.7.1, connect it to power using the Luna PED DC power supply.

As soon as the PED receives power, it performs start-up and self-test routines. It verifies the connection type and automatically switches to the appropriate operation mode when it receives the first command from the HSM.

3. If you prefer to set the operation mode to Local PED-USB manually, see Changing Modes.

The Luna PED is now ready to perform authentication for the HSM. You may proceed with setting up or deploying your Luna PCIe HSM. All commands requiring authentication (HSM/partition initialization, login, etc.) will now prompt the user for action on the locally-connected Luna PED.

PED Actions

There are several things that you can do with the Luna PED at this point:

>Wait for a PED authentication prompt in response to a LunaCM command (see Performing PED Authentication)

>Create copies of your PED keys (see Duplicating Existing PED Keys)

>Change to the Admin Mode to run tests or update PED software (see Changing Modes)

>Prepare to set up a Remote PED server (see About Remote PED)

Local PED Troubleshooting

If you encounter problems with Local PED, refer to this section.

CKR_PED_UNPLUGGED error after hsm restart

After running hsm restart, LunaCM returns a CKR_PED_UNPLUGGED error when authentication is attempted.

lunacm:>role login -n so
 
        Please attend to the PED.
 
Caution: You have only 3 so login attempts left. If you fail 3
         more consecutive login attempts (i.e. with no successful
         logins in between) the HSM will be ZEROIZED!!!
 
Error in execution: CKR_PED_UNPLUGGED.
 
Command Result : 0x8000002e (CKR_PED_UNPLUGGED)
 

If you receive this error, disconnect the Luna PED from the HSM's USB port and reconnect it before issuing the login command again.
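
The following Python parser is an added example, not part of the original documentation or any vendor code. It reads the LunaCM transcript shown above so that a wrapper script or runbook can recognize CKR_PED_UNPLUGGED and check the remaining-attempts counter before anyone retries the login. The function names, the action labels and the `floor` threshold are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Transcript copied from the troubleshooting section above.
SAMPLE = """\
lunacm:>role login -n so

        Please attend to the PED.

Caution: You have only 3 so login attempts left. If you fail 3
         more consecutive login attempts (i.e. with no successful
         logins in between) the HSM will be ZEROIZED!!!

Error in execution: CKR_PED_UNPLUGGED.

Command Result : 0x8000002e (CKR_PED_UNPLUGGED)
"""

RESULT_RE = re.compile(r"Command Result\s*:\s*(0x[0-9a-fA-F]+)\s*\((CKR_\w+)\)")
ATTEMPTS_RE = re.compile(r"You have only (\d+) (\w+) login attempts? left")

class LoginOutcome(NamedTuple):
    code: Optional[int]           # numeric result, e.g. 0x8000002e
    name: Optional[str]           # symbolic result, e.g. CKR_PED_UNPLUGGED
    role: Optional[str]           # role named in the caution, e.g. "so"
    attempts_left: Optional[int]  # None when no caution was printed

def parse_login(transcript: str) -> LoginOutcome:
    """Extract the result code and the remaining-attempts counter."""
    res = RESULT_RE.search(transcript)
    att = ATTEMPTS_RE.search(transcript)
    return LoginOutcome(
        code=int(res.group(1), 16) if res else None,
        name=res.group(2) if res else None,
        role=att.group(2) if att else None,
        attempts_left=int(att.group(1)) if att else None,
    )

def next_step(outcome: LoginOutcome, floor: int = 1) -> str:
    """Hypothetical runbook policy; 'floor' is an assumed site threshold."""
    if outcome.attempts_left is not None and outcome.attempts_left <= floor:
        return "halt"        # never spend the last attempts from a script
    if outcome.name == "CKR_PED_UNPLUGGED":
        return "reseat-ped"  # page's fix: reconnect the PED, then log in again
    if outcome.name is None:
        return "review"      # no recognizable result line; a person should look
    return "report"          # any other result: surface it, do not retry blindly
```

Because the fix for this error is a physical reconnect, the `reseat-ped` action is meant to stop automation and hand the login back to an operator at the PED.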

Secure Local PED

PED firmware can be updated to version 2.7.4 on a PED with the older CPU, and to version 2.9.0 on a PED with the new CPU.

>The firmware update is optional for older PED-auth HSMs and for 7.x HSMs with firmware versions earlier than 7.7.0; an updated PED continues to work with them. The update is required to work with HSMs at firmware 7.7.0 and newer.

>The PED firmware update is mandatory before updating or using any HSM with firmware 7.7.0 or newer. This combination complies with an eIDAS-related requirement for an updated secure channel.

>The updated secure channel for Remote PED operation is now also replicated in the local channel, but because it is local it does not need to be mediated via an orange PED Key. The PED, however, sees both local and remote connections as equivalent.

NOTE   Pressing the "<" key on the PED, to change menus, now warns that the RPV will be invalidated, even though the local connection does not use an orange PED Key. Simply ignore the message.