Opening a Remote PED Connection
NOTE For the Luna Network HSM, only Luna Shell commands can be used with a PED-initiated Remote PED connection. Client-side LunaCM commands such as partition init cannot be executed. This means that only administrative personnel, logging in via Luna Shell (lunash:>) can authenticate to the HSM using a PED-initiated Remote PED connection.
To perform actions requiring authentication on Network HSM partitions (that is, from the client side) any Remote PED connection must be launched by the HSM, and the data-center firewall rules must permit such outward initiation of contact.
If you encounter issues, see Remote PED Troubleshooting.
The HSM/client administrator can use this procedure to establish an HSM-initiated Remote PED connection. You require:
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Administrative access to the Luna PCIe HSM
>Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector and Creating an Orange Remote PED Key)
To open a Remote PED connection
1.On Windows, open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.
2.Navigate to the Luna HSM Client install directory.
Windows default: cd C:\Program Files\SafeNet\LunaClient\
Linux/UNIX default: cd /usr/safenet/lunaclient
3.Launch PEDserver. If you are launching PEDserver on an IPv6 network, you must include the -ip option.
> pedserver -mode start [-ip <PEDserver_IP>]
C:\Program Files\SafeNet\LunaClient>pedserver mode start Ped Server Version 1.0.6 (10006) Ped Server launched in startup mode. Starting background process Background process started Ped Server Process created, exiting this process.
4.Verify that the service has launched successfully.
Note the Ped2 Connection Status. If it says Connected, PEDserver is able to communicate with the Luna PED.
Note also the server port number (default: 1503). You must specify this port along with the PEDserver host IP when you open a connection.
c:\Program Files\SafeNet\LunaClient>pedserver mode show Ped Server Version 1.0.6 (10006) Ped Server launched in status mode. Server Information: Hostname: DWG9999 IP: 0.0.0.0 Firmware Version: 2.7.1-5 PedII Protocol Version: 1.0.1-0 Software Version: 1.0.6 (10006) Ped2 Connection Status: Connected Ped2 RPK Count 0 Ped2 RPK Serial Numbers (none) Client Information: Not Available Operating Information: Server Port: 1503 External Server Interface: Yes Admin Port: 1502 External Admin Interface: No Server Up Time: 190 (secs) Server Idle Time: 0 (secs) (0%) Idle Timeout Value: 1800 (secs) Current Connection Time: 0 (secs) Current Connection Idle Time: 0 (secs) Current Connection Total Idle Time: 0 (secs) (100%) Total Connection Time: 0 (secs) Total Connection Idle Time: 0 (secs) (100%) Show command passed.
5.Use ipconfig (Windows) or ifconfig (Linux) to determine the PEDserver host IP. A static IP is recommended, but if you are connecting over a VPN, you may need to determine the current IP each time you connect to the VPN server.
6.Via SSH, launch LunaCM on the Luna PCIe HSM host.
7.Initiate the Remote PED connection.
lunacm:> ped connect -ip <PEDserver_IP> -port <PEDserver_port> -slot <slot>
NOTE The -slot option may be required if you have multiple Luna PCIe HSMs installed in one server. If you do not include this option, the currently-active slot is used.
lunacm:>ped connect -ip 192.124.106.100 -port 1503 Command Result : No Error
8.Issue the first command that requires authentication.
•If the HSM is already initialized and you have the blue HSM SO key, log in.
lunacm:> role login -name so
•If the HSM is uninitialized, you can initialize it now (see Initializing the HSM). Have blank or reusable blue and red PED keys ready (or multiple blue and red keys in case of M of N or if making multiple copies). See Creating PED Keys for more information.
lunacm:> hsm init -label <label>
9.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK.
10.The Luna PED prompts for the key associated with the command you issued. Follow the on-screen directions to complete the authentication process.
NOTE The Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaCM to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
11.[OPTIONAL] Set a default IP address and/or port for the Luna PCIe HSM to look for a Remote PED host with PEDserver running.
lunacm:> ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped set -ip 192.124.106.100 -port 1503 Command Result : 0 (Success)
With this default address set, the HSM administrator can use lunacm:> ped connect to initiate the Remote PED connection. The orange PED key may be required if the RPK has been invalidated since you last used it.