Initializing the Remote PED Vector and Creating an Orange Remote PED key
The Remote PED (via PEDserver) authenticates itself to the Luna Network HSM 7 with a randomly-generated encrypted value stored on an orange PED key. That secret originates in an HSM, and can be carried to other HSMs via the orange key. A newly-configured HSM either:
>generates its own RPV secret to imprint on an orange PED key,
>accepts a pre-existing RPV from a previously imprinted orange PED key, at your discretion.
The orange key proves to the HSM that the Remote PED is authorized to provide authentication for HSM roles. A Luna Network HSM 7 administrator can create this key using one of the following two methods:
>Local RPV Initialization: The RPV is initialized using a Luna PED connected to the USB port on the HSM card. This is the standard method of initializing the RPV.
>Remote RPV Initialization: The RPV is initialized using a Luna PED connected to a remote workstation running PEDserver. A one-time numeric password is used to authenticate the Remote PED to the HSM before initializing the RPV.
NOTE Generally, the HSM SO creates an orange PED key (and backups), makes a copy for each valid Remote PED server, and distributes them to the Remote PED administrators.
See also Rotating or Re-Initializing the Orange Remote PED key.
Local RPV Initialization
If the HSM is already initialized, the HSM SO must log in to complete this procedure. You require:
>Luna PED with Luna PED Firmware 2.7.1 or newer
>USB mini-B to USB-A connector cable
>Luna PED DC power supply (if included with your Luna PED)
>Blank or reusable orange PED key (or multiple keys, if you plan to make extra copies or use an M of N security scheme). See Creating PED keys for more information.
NOTE Orange PED keys (RPK) for use with Luna HSM Firmware 7.7.0 or newer, with enhanced security to address modern threat environments and to comply with updated standards, have increased infrastructure onboard the key. If such an initialized RPK is overwritten to become a different role PED key (for example, an SO key), this process that formerly would take about six seconds now takes about 36 seconds.
To initialize the RPV and create the orange PED key locally
1. If you have not already done so, set up a Local PED connection (see Local PED Setup).
2. Using a serial or SSH connection, log in to the Luna Network HSM 7 appliance as admin.
3. If the HSM is initialized, log in as HSM SO (see Logging In as HSM Security Officer). If not, skip to the next step.
lunash:> hsm login
4. Ensure that you have the orange PED key(s) ready. Initialize the RPV.
lunash:> hsm ped vector init
5. Attend to the Luna PED and respond to the on-screen prompts. See Creating PED keys for a full description of the key-creation process.
• If you have an orange PED key with an existing RPV that you wish to use for this HSM, press Yes.
• If you are creating a new RPV, press No.
Continue following the prompts for PIN, M of N, and duplication options.
To continue setting up a Remote PED server, see Installing PEDserver and Setting Up the Remote Luna PED.
Remote RPV Initialization
When you initialize an RPV with the PED connected locally, you have direct physical control of the operation and its security.
When you initialize an RPV remotely, you must secure the link and the operation with a one-time password. The HSM must be uninitialized for this operation.
NOTE This feature requires minimum Luna Appliance Software 7.2.0 and Luna HSM Client 7.2.0.
Use the following procedure to initialize the RPV. You require:
>A blank or reusable orange PED key (or multiple keys, if you plan to make extra copies or use an M of N security scheme). See Creating PED keys for more information.
>The HSM must be in a zeroized state and the RPV uninitialized.
To initialize the RPV and create the orange key remotely
1. Open an HSM-initiated Remote PED connection. Using Luna HSM Firmware 7.7.0 or newer, the -password option is mandatory; you can include an 8-digit numeric PIN, or specify -password alone to have one randomly generated.
lunash:> hsm ped connect -ip <PEDserver_IP> -password <optional_PIN>
The Remote PED connection command prepares to secure the connection and LunaSH does one of the following:
• If you are using Luna HSM Firmware 7.7.0 or newer and Luna HSM Client 10.3.0 or newer, and did not specify a PIN in the command line, LunaSH presents a randomly-generated 8-digit numeric one-time password that the HSM will use to identify the Remote PED server.
Please attend to the PED and enter following password: 18246843
Command Result : No Error
The remote Luna PED prompts you for the one-time password:
• If you are using Luna HSM Firmware 7.4.2 or older and Luna HSM Client 10.2.0 or older, LunaSH returns the following message:
Luna PED operation required to connect to Remote PED - use orange PED key(s). Enter PED Password:
In LunaSH, when prompted to "Enter PED Password", set any 8-digit numeric one-time password that the HSM will use to identify the Remote PED server. The following message is displayed in LunaSH, and the Luna PED prompts you for the password:
Luna PED operation required to connect to remote PED - Enter PED password.
2. Enter the numeric password on the PIN pad, exactly as
3. Ensure that you have the orange PED key(s) ready. Initialize the RPV.
lunash:> hsm ped vector init
4. Attend to the Luna PED and respond to the on-screen prompts. See Creating PED keys for a full description of the key-creation process.
When the initialization is complete, the HSM
Ped Client Version 2.0.1 (20001)
Ped Client launched in "Release ID" mode.
Callback Server is running..
ReleaseID command passed.
"Release ID" command passed.
Ped Client Version 2.0.1 (20001)
Ped Client launched in "Delete ID" mode.
Callback Server is running..
DeleteID command passed.
"Delete ID" command passed.
Command Result : 0 (Success)
You may now initialize the HSM. See Initializing the HSM for more information.
NOTE After creating the orange (Remote PED Vector) key for an HSM using the single-session, one-time password-authenticated PED connection that is used to create the key, the Luna PED prompts for the one-time password when you end the session using ped disconnect.
This prompt can be safely ignored. The PED session is disconnected properly by pressing the Enter key on the Luna PED, without entering the password.
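Administrators who drive LunaSH over SSH often wrap the remote procedure above in a script, and the two things such a wrapper must get right are the 8-digit one-time password (either supplied to -password or read back from the HSM's output so it can be relayed to the Remote PED operator out-of-band) and the "Command Result" line that decides whether to proceed to hsm ped vector init. The following helpers are an added example written for this page, not Thales code: the LunaSH output they parse is constructed from the messages quoted in this procedure, the function names are hypothetical, and the SSH transport itself is left to the caller.

```python
"""Helpers for scripting remote RPV initialization against LunaSH.

Added example (not Thales code). Assumes the LunaSH output formats quoted on
this page: the one-time password prompt
    "Please attend to the PED and enter following password: 18246843"
and the trailer
    "Command Result : No Error"  or  "Command Result : 0 (Success)".
"""
import re
import secrets
from typing import Optional

# Constructed sample outputs, assembled from the messages quoted in the procedure.
CONNECT_OUTPUT = (
    "Please attend to the PED and enter following password: 18246843\n"
    "Command Result : No Error\n"
)
VECTOR_INIT_OUTPUT = (
    "Ped Client Version 2.0.1 (20001)\n"
    'Ped Client launched in "Release ID" mode.\n'
    "Callback Server is running..\n"
    "ReleaseID command passed.\n"
    "Command Result : 0 (Success)\n"
)

_OTP_RE = re.compile(r"enter following password:\s*(\d{8})\b")
_RESULT_RE = re.compile(r"^Command Result\s*:\s*(.+?)\s*$", re.MULTILINE)


def validate_pin(pin: str) -> bool:
    """The -password option accepts an 8-digit numeric PIN, nothing else."""
    return len(pin) == 8 and pin.isdigit()


def generate_pin() -> str:
    """Generate a PIN locally when you prefer to choose it rather than let the HSM pick.

    Uses the secrets module so the value is unpredictable; zero-padded to 8 digits."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def build_connect_command(pedserver_ip: str, pin: Optional[str] = None) -> str:
    """Assemble 'hsm ped connect -ip <ip> -password [<pin>]' exactly as the page shows.

    With pin=None the HSM generates the one-time password itself (firmware 7.7.0+)."""
    if pin is not None and not validate_pin(pin):
        raise ValueError("PIN must be exactly 8 decimal digits")
    cmd = f"hsm ped connect -ip {pedserver_ip} -password"
    return f"{cmd} {pin}" if pin else cmd


def extract_otp(lunash_output: str) -> Optional[str]:
    """Pull the HSM-generated one-time password out of the connect output, if present."""
    match = _OTP_RE.search(lunash_output)
    return match.group(1) if match else None


def command_succeeded(lunash_output: str) -> bool:
    """True only when the trailing 'Command Result' line reports success.

    LunaSH prints success as 'No Error' or as '0 (Success)'; anything else,
    including a missing trailer (timed-out session), is treated as failure."""
    match = _RESULT_RE.search(lunash_output)
    if not match:
        return False
    result = match.group(1)
    return result == "No Error" or result.startswith("0 ")


if __name__ == "__main__":
    # Walk the constructed outputs the way a wrapper would handle real ones.
    print(build_connect_command("192.0.2.10"))          # HSM picks the OTP
    print("OTP to relay to the Remote PED operator:", extract_otp(CONNECT_OUTPUT))
    print("connect ok:", command_succeeded(CONNECT_OUTPUT))
    print("vector init ok:", command_succeeded(VECTOR_INIT_OUTPUT))
```

A wrapper built on these helpers should stop as soon as command_succeeded() returns False, because a failed or timed-out hsm ped connect leaves the RPV uninitialized and the following hsm ped vector init would have no authenticated Remote PED to talk to. The extracted OTP should reach the PED operator by a channel other than the SSH session itself, which is the point of the one-time password in the first place.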
Rotating or Re-Initializing the Orange Remote PED key
You can rotate the RPV at any time, using either a local or remote Luna PED. This might be necessary if an orange PED key is lost, or as part of scheduled security measures. If the original orange PED key is lost, or you do not have enough M of N splits to reach a quorum, you must use a local PED. You require:
>[Remote PED only] The original orange PED key or enough M of N splits for a quorum.
>A blank or reusable orange PED key (or multiple keys, if you plan to make extra copies or use an M of N security scheme). See Creating PED keys for more information.
To rotate or re-initialize the orange remote PED key
1. If you have not already done so, set up a Local or Remote PED connection (see Local PED Setup or Opening a Remote PED Connection).
2. Using a serial or SSH connection, log in to the Luna Network HSM 7 appliance as admin.
3. [Remote PED only] Open a Remote PED connection using the original orange PED key(s).
lunash:> hsm ped connect -ip <PEDserver_IP>
4. Log in as HSM SO (see Logging In as HSM Security Officer).
lunash:> hsm login
5. Ensure that you have the blank orange PED key(s) ready. Initialize the RPV.
CAUTION! Do not overwrite your original orange PED key(s) unless you have a backup copy. The RPV is not rotated until the entire operation is complete. If you encounter network connectivity or PED timeout issues, particularly when presenting multiple M of N splits, you might not have enough splits of the original RPV left for quorum. In this case, you must re-initialize the orange RPK using a Local PED connection.
lunash:> hsm ped vector init
6. Attend to the Luna PED and respond to the on-screen prompts. See Creating PED keys for a full description of the key-creation process.