Opening a Remote PED Connection
There are two methods of establishing a Remote PED connection to the HSM:
>HSM-initiated: When the HSM requires authentication, it sends (via PEDclient) a request for PED services to the Remote PED host (which receives the request via PEDserver). This requires that the Luna Network HSM 7 be allowed to initiate external connections, and that the PEDserver IP port remains open. If the Luna Network HSM 7 resides behind a firewall with rules prohibiting these connections, or if your IT policy prohibits opening a port on the Remote PED host, use a PED-initiated connection instead.
>PED-initiated: The HSM and Remote PED host exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the Luna Network HSM 7. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method.
NOTE For the Luna Network HSM 7, only Luna Shell commands can be used with a PED-initiated Remote PED connection. Client-side LunaCM commands such as partition init cannot be executed. This means that only administrative personnel, logging in via Luna Shell (lunash:>), can authenticate to the HSM using a PED-initiated Remote PED connection.
To perform actions requiring authentication on Luna Network HSM 7 partitions (that is, from the client side) any Remote PED connection must be launched by the HSM, and the data-center firewall rules must permit such outward initiation of contact.
HSM-Initiated Remote PED
The HSM/client administrator can use this procedure to establish an HSM-initiated Remote PED connection. You require:
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Administrative access to the Luna Network HSM 7 via SSH
>Administrative access to a Luna HSM Client workstation with an assigned user partition (if using Remote PED for partition-level authentication)
>One of the following:
•Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector and Creating an Orange Remote PED key)
•Blank orange PED key (or multiple keys, if you plan to use an M of N scheme)
If you encounter issues, see Remote PED Troubleshooting.
To launch PEDserver
1.On Windows, open an Administrator command prompt by right-clicking the Command Prompt icon and selecting Run as administrator. This step is not necessary if you are running Windows Server 20xx, as the Administrator prompt is launched by default.
2.Navigate to the Luna HSM Client install directory.
Windows default: cd C:\Program Files\SafeNet\LunaClient\
Linux/UNIX default: cd /usr/safenet/lunaclient
3.Launch PEDserver. If you are launching PEDserver on an IPv6 network, you must include the -ip option.
> pedserver -mode start [-ip <PEDserver_IP>]
C:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Background process started
Ped Server Process created, exiting this process.
4.Verify that the service has launched successfully.
Note the Ped2 Connection Status. If it says Connected, PEDserver is able to communicate with the Luna PED.
Note also the server port number (default: 1503). You must specify this port along with the PEDserver host IP when you open a connection.
c:\Program Files\SafeNet\LunaClient>pedserver mode show
Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
   Hostname: DWG9999
   IP: 0.0.0.0
   Firmware Version: 2.7.1-5
   PedII Protocol Version: 1.0.1-0
   Software Version: 1.0.6 (10006)
   Ped2 Connection Status: Connected
   Ped2 RPK Count 0
   Ped2 RPK Serial Numbers (none)
Client Information: Not Available
Operating Information:
   Server Port: 1503
   External Server Interface: Yes
   Admin Port: 1502
   External Admin Interface: No
   Server Up Time: 190 (secs)
   Server Idle Time: 0 (secs) (0%)
   Idle Timeout Value: 1800 (secs)
   Current Connection Time: 0 (secs)
   Current Connection Idle Time: 0 (secs)
   Current Connection Total Idle Time: 0 (secs) (100%)
   Total Connection Time: 0 (secs)
   Total Connection Idle Time: 0 (secs) (100%)
Show command passed.
5.Use ipconfig (Windows) or ifconfig (Linux) to determine the PEDserver host IP. A static IP is recommended, but if you are connecting over a VPN, you may need to determine the current IP each time you connect to the VPN server.
If you are setting up Remote PED with a Luna Network HSM 7 appliance, see To open a Remote PED connection from the Luna Network HSM 7 appliance.
If you are setting up Remote PED with a client, see To open a Remote PED connection from a client workstation.
To open a Remote PED connection from the Luna Network HSM 7 appliance
1.Open an SSH session to the Luna Network HSM 7 and log in to LunaSH as admin.
2.Initiate the Remote PED connection from the Luna Network HSM 7.
lunash:> hsm ped connect -ip <PEDserver_IP> -port <PEDserver_port> [-serial <serial#>]
NOTE The -serial option is required only if you are using Remote PED to authenticate a Luna Backup HSM connected to one of the Luna Network HSM 7's USB ports. If a serial number is not specified, the appliance's internal HSM is used.
lunash:>hsm ped connect -ip 192.124.106.100 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
•If you have not yet initialized the RPV, and the HSM is not in an initialized state, LunaSH prompts you to enter a password.
Enter PED Password:
See Remote RPV Initialization for this procedure.
•If you already initialized the RPV, the Luna PED prompts for the orange PED key.
Present the orange PED key with the correct RPV. The HSM authenticates the RPV, and control is returned to the LunaSH prompt.
Command Result : 0 (Success)
The HSM-initiated Remote PED connection is now open.
3.Verify the Remote PED connection by entering a command that requires multifactor quorum authentication.
•If the HSM is already initialized and you have the blue HSM SO PED key, you can use lunash:> hsm login.
•If the HSM is uninitialized, you can initialize it now with lunash:> hsm init -label <label>. Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for M of N or to make multiple copies). See Creating PED keys for more information.
NOTE The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaSH to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
4.[OPTIONAL] Set a default IP address and/or port for the Luna Network HSM 7 to look for a configured Remote PED.
lunash:> hsm ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunash:>hsm ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM administrator can use lunash:> hsm ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange Luna PED will be required each time.
NOTE If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.
To open a Remote PED connection from a client workstation
1.Launch LunaCM on the client.
2.Initiate the Remote PED connection.
lunacm:> ped connect -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped connect -ip 192.124.106.100 -port 1503
Command Result : No Error
3.Issue the first command that requires authentication.
•If the partition is already initialized and you have the blue Partition SO key, log in.
lunacm:> role login -name po
•If the partition is uninitialized, you can initialize it now. Have blank or reusable blue and red PED keys ready (or multiple blue and red keys for M of N or for multiple copies). See Creating PED keys for more information.
lunacm:> partition init -label <label>
4.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK.
5.The Luna PED prompts for the key associated with the command you issued. Follow the on-screen directions to complete the authentication process.
NOTE The HSM-initiated Remote PED connection eventually times out (default: 1800 seconds), and must be re-initiated each time authentication is required. To simplify this process, you can set a default IP address and/or port for LunaCM to use each time you connect. To drop the Remote PED connection manually, see Ending or Switching the Remote PED Connection.
6.[OPTIONAL] Set a default IP address and/or port for the Luna Network HSM 7 to look for a configured Remote PED.
lunacm:> ped set -ip <PEDserver_IP> -port <PEDserver_port>
lunacm:>ped set -ip 192.124.106.100 -port 1503
Command Result : 0 (Success)
With this default address set, the HSM administrator can use lunacm:> ped connect (without specifying the IP/port) to initiate the Remote PED connection. The orange PED key may be required if the RPK has been invalidated on the PED since you last used it.
NOTE If you want to use the Remote PED to authenticate a different HSM, you must first drop the current connection. See Ending or Switching the Remote PED Connection.
PED-Initiated Remote PED
A PED-initiated connection requires the HSM and Remote PED host to exchange and register certificates, creating a trusted connection. This allows the Remote PED host (via PEDserver) to initiate the connection to the Luna Network HSM 7. If you have firewall or other constraints that prevent your HSM from initiating a connection to a Remote PED in the external network, use this connection method. The HSM administrator can use this procedure to set up the connection. You require:
>Administrative access to a network-connected workstation with PEDserver installed and Luna PED connected (see Installing PEDserver and Setting Up the Remote Luna PED)
>Orange PED key with the HSM's RPV (see Initializing the Remote PED Vector and Creating an Orange Remote PED key)
>Administrative access to the Luna Network HSM 7 via SSH
NOTE The PED-initiated Remote PED connection procedure requires admin access to the appliance via LunaSH, and therefore this method cannot directly provide authentication services for client partitions.
>Only self-signed certificates are supported for this procedure.
To open a PED-initiated Remote PED connection
1.On Windows, open an Administrator command prompt on the Remote PED host. (If you are running Windows Server 20xx, the Administrator prompt is launched by default. For any other supported Windows version, right-click the Command Prompt icon and select Run as administrator.)
2.Navigate to the Luna HSM Client install directory (C:\Program Files\SafeNet\LunaClient\ or /usr/safenet/lunaclient).
3.You will need the Remote PED host's NTLS certificate. If you have already set up an NTLS client connection to the appliance using LunaCM, you can find the certificate in C:\Program Files\SafeNet\LunaClient\cert\client\ or /usr/safenet/lunaclient/cert/client. If the certificate is not available, you can generate it with the PEDserver utility.
CAUTION! If the Remote PED host has registered NTLS partitions on any HSM, regenerating the certificate will cause you to lose contact with your registered NTLS partitions. Use the existing certificate instead.
> pedserver -regen -commonname <name>
c:\Program Files\SafeNet\LunaClient>pedserver -regen -commonname RemotePED1
Ped Server Version 1.0.6 (10006)
Are you sure you wish to regenerate the client certificate?
All registered partitions may disappear.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Private Key created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1Key.pem
Certificate created and written to: C:\Program Files\SafeNet\LunaClient\cert\client\RemotePED1.pem
Successfully regenerated the client certificate.
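The CAUTION above is the step most easily tripped over when this procedure is scripted. The following is an added example, not code from the Thales documentation or from the Luna HSM Client, that looks for an existing client certificate before it would ever run pedserver -regen. It assumes a POSIX shell on the Remote PED host, the Linux/UNIX default install directory from step 2 (overridable through LUNACLIENT_DIR), and that a usable certificate is a <name>.pem with a sibling <name>Key.pem, the file pair the sample output above shows pedserver -regen writing; DRY_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Thales documentation): refuse to regenerate the
# Remote PED host's NTLS client certificate when one already exists, because
# `pedserver -regen` invalidates any NTLS partitions registered with it.
#
# Assumptions (this example's, not the page's): /usr/safenet/lunaclient is the
# Linux/UNIX install directory given in step 2; a usable certificate is
# <name>.pem with <name>Key.pem beside it, the pair shown in the -regen output.

LUNACLIENT_DIR="${LUNACLIENT_DIR:-/usr/safenet/lunaclient}"

# existing_client_cert DIR: print the path of the first certificate in
# DIR/cert/client that has its private key beside it; return 1 if none.
existing_client_cert() {
    dir="$1/cert/client"
    [ -d "$dir" ] || return 1
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        case "$cert" in *Key.pem) continue ;; esac   # skip the key files themselves
        base="${cert%.pem}"
        if [ -f "${base}Key.pem" ]; then
            printf '%s\n' "$cert"
            return 0
        fi
    done
    return 1
}

# client_cert_or_regen DIR COMMONNAME: report the certificate to reuse, or,
# only when none exists, fall back to generating one. With DRY_RUN set the
# regen command is printed instead of executed.
client_cert_or_regen() {
    dir="$1"; commonname="$2"
    if cert=$(existing_client_cert "$dir"); then
        printf 'using existing certificate: %s\n' "$cert"
        return 0
    fi
    printf 'no client certificate found; would run: pedserver -regen -commonname %s\n' "$commonname"
    if [ -z "${DRY_RUN:-}" ]; then
        ( cd "$dir" && pedserver -regen -commonname "$commonname" )
    fi
}

# Invoke as: sh guard.sh --run RemotePED1   (add DRY_RUN=1 to only report)
if [ "${1:-}" = "--run" ]; then
    client_cert_or_regen "$LUNACLIENT_DIR" "${2:-RemotePED1}"
fi
```

The path it prints is the file to hand to pscp in step 5; the regen branch is only reached when no certificate-and-key pair is found, which is the one situation in which the CAUTION does not apply.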
4.Use pscp or scp to securely retrieve the Luna Network HSM 7's NTLS certificate. Enter the appliance's admin account password when prompted. Note the period at the end of the command.
>pscp admin@<appliance_IP>:server.pem .
c:\Program Files\SafeNet\LunaClient>pscp admin@192.20.11.78:server.pem .
admin@192.20.11.78's password:
server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
5.Use pscp or scp to securely transfer the Remote PED host's NTLS certificate to the Luna Network HSM 7's admin account.
>pscp .\cert\client\<certname> admin@<appliance_IP>:
c:\Program Files\SafeNet\LunaClient>pscp .\cert\client\RemotePED1.pem admin@192.20.11.78:
admin@192.20.11.78's password:
RemotePED1.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
6.Register the Luna Network HSM 7 certificate with PEDserver. Use the mandatory -name argument to set a unique name for the appliance. The appliance listens for the SSL connection from PEDserver at the default port 9697.
>pedserver -appliance register -name <appliance_name> -certificate <cert_filename> -ip <appliance_IP> -port <port>
7.Open an SSH session to the Luna Network HSM 7 and log in to LunaSH as admin.
8.Register the PEDserver host certificate.
lunash:> hsm ped server register -certificate <certname>
lunash:>hsm ped server register -certificate RemotePED1.pem
'hsm ped server register' successful.
Command Result : 0 (Success)
9.Initiate the connection between PEDserver and the Luna Network HSM 7.
>pedserver -mode connect -name <appliance_name>
c:\Program Files\SafeNet\LunaClient>pedserver mode connect -name myLunaHSM
Ped Server Version 1.0.6 (10006)
Connecting to myLunaHSM. Please wait..
Successfully connected to myLunaHSM.
10.Using LunaSH, list the available registered Remote PED servers to find the server name (taken from the certificate filename during registration). Select the server you want to use to authenticate credentials for the appliance.
lunash:> hsm ped server list
lunash:> hsm ped select -host <server_name>
lunash:>hsm ped server list
Number of Registered PED Server : 1
PED Server 1 : CN = RemotePED1
Command Result : 0 (Success)

lunash:>hsm ped select -host RemotePED1
Luna PED operation required to connect to Remote PED - use orange PED key(s).
11.The Luna PED prompts for an orange PED key. Present the orange PED key with the correct RPK for the HSM.
The secure network connection is now in place between PEDserver and the appliance. You may now perform any actions that require Remote PED authentication from LunaSH. The PED-initiated Remote PED connection does not time out as long as PEDserver is running. If you wish to end the connection in order to connect to a different instance of PEDserver, see Ending or Switching the Remote PED Connection.
PED-initiated Remote PED for Client (lunacm)
LunaCM, which is a client-side tool, is not able to launch a PED-initiated Remote PED connection if the firewall blocks the initial attempt. LunaCM does not have administrative access to the HSM appliance and is not aware of PED-client settings on the HSM side (such as the port at which the HSM will look for the PED).
If you hold both roles, that is, if you are both the HSM SO and the owner/user/PSO of the application partition assigned for crypto operations, you can coordinate actions in Luna Shell (the LunaSH command line) and in LunaCM at the client end to establish a Remote PED connection.
You can do the same if you are the partition owner and are able to coordinate closely with a person who has administrative access to LunaSH on the HSM appliance.
>Set up a PED-initiated Remote PED connection (refer to the steps in To open a PED-initiated Remote PED connection, above).
>On the Remote PED host, use the lunacm ped commands to set the identity of the PEDserver to match what you have told the HSM to expect.
•Use ped set to provide the IP address and the port number that you determined (or that your colleague determined) in the LunaSH session.
NOTE IP address and port number are found in the "Connected PED Server Table:" section of lunash hsm ped show command output.
The port number will need to be opened for inbound traffic on the host with that IP address.
>On the Client (which could also be the Remote PED host, or could be a separate computer/application server), run a command that invokes PED operation, like the role login command.
>The HSM receives the command and looks to the PED (in this case the Remote PED) that has been previously specified in LunaSH.
Example:
Person with access to the admin account on the Luna Network HSM 7 verifies that the HSM is expecting a Remote PED connection on a specific port, from a specific IP address:
lunash:>hsm ped show
<snip>
Connected PED Server Table:
   PED ID: 4
   Server Hostname: 192.168.0.178
   Server Port: 49982
   Status: Selected
   Server Information:
      IP: 192.168.0.178
      Firmware Version: 2.9.0-2
      PedII Protocol Version: 1.0.1-0
      Software Version: 1.0.6 (10006)
      Ped2 Connection Status: Connected
      Ped2 Connection Type: Inbound Connection
      Ped2 RPK Count 0
      Ped2 RPK Serial Numbers (none)
Show command passed.
Command Result : 0 (Success)
lunash:>
If not, see earlier on this page to set up Remote PED.
Person at the PEDserver (which could be the same computer as the partition client, or could be a separate computer, dedicated to being PED server) uses LunaCM to ensure that the PEDserver is using the correct port and IP that the HSM (above) is expecting.
NOTE pedserver_ip and pedserver_port below are respectively "IP:" and "Server Port:" fields from the "Connected PED Server Table" section.
lunacm:> ped set -ip pedserver_ip -port pedserver_port
lunacm:> ped connect
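Reading the IP and port off the hsm ped show table and retyping them into ped set is where this hand-off between two people most often goes wrong. The following is an added example, not code from the Thales documentation or from the Luna tools: a POSIX shell script that parses the two status dumps shown on this page, pedserver mode show (step 4 of launching PEDserver) and the Connected PED Server Table from hsm ped show (above), and derives the readiness check and the ped set line from them instead of from a transcription. The sample dumps are the page's own output with one field per line; the function names field, pedserver_ready and ped_set_command are this example's, and it assumes a single selected table entry, as in the example output.

```shell
#!/bin/sh
# Added example (not from the Thales documentation): extract the fields a
# practitioner has to read off two Luna status dumps, so that the PEDserver
# side is pointed at exactly the IP and port the appliance reports.

# Sample dumps: the page's `pedserver mode show` and `hsm ped show` output,
# one field per line (constructed from the page, not captured here).
PEDSERVER_SHOW='Ped Server Version 1.0.6 (10006)
Ped Server launched in status mode.
Server Information:
   Hostname: DWG9999
   IP: 0.0.0.0
   Firmware Version: 2.7.1-5
   Ped2 Connection Status: Connected
   Ped2 RPK Count 0
Client Information: Not Available
Operating Information:
   Server Port: 1503
   External Server Interface: Yes
   Admin Port: 1502
   External Admin Interface: No
Show command passed.'

HSM_PED_SHOW='Connected PED Server Table:
   PED ID: 4
   Server Hostname: 192.168.0.178
   Server Port: 49982
   Status: Selected
   Server Information:
      IP: 192.168.0.178
      Firmware Version: 2.9.0-2
      Software Version: 1.0.6 (10006)
      Ped2 Connection Status: Connected
      Ped2 Connection Type: Inbound Connection
Show command passed.
Command Result : 0 (Success)'

# field LABEL: read a dump on stdin and print the value of the first line
# that starts (after indentation) with LABEL; prints nothing if absent.
# Matching on the line start keeps "Status:" from matching
# "Ped2 Connection Status:".
field() {
    awk -v l="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, l) == 1 {
            v = substr(line, length(l) + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# pedserver_ready DUMP: succeed only if PEDserver reports the Luna PED as
# Connected (the check in step 4), and print the port PEDserver listens on.
pedserver_ready() {
    status=$(printf '%s\n' "$1" | field "Ped2 Connection Status:")
    [ "$status" = "Connected" ] || return 1
    printf '%s\n' "$1" | field "Server Port:"
}

# ped_set_command DUMP: build the lunacm `ped set` line from the "IP:" and
# "Server Port:" fields of the Connected PED Server Table, as the NOTE above
# describes. Assumes one table entry; fails unless it is Selected and complete.
ped_set_command() {
    sel=$(printf '%s\n' "$1" | field "Status:")
    [ "$sel" = "Selected" ] || return 1
    ip=$(printf '%s\n' "$1" | field "IP:")
    port=$(printf '%s\n' "$1" | field "Server Port:")
    [ -n "$ip" ] && [ -n "$port" ] || return 1
    printf 'ped set -ip %s -port %s\n' "$ip" "$port"
}

pedserver_ready "$PEDSERVER_SHOW"
ped_set_command "$HSM_PED_SHOW"
```

In practice the two dumps come from different machines: the first from `pedserver mode show` on the Remote PED host, the second pasted from the colleague's LunaSH session. The port that ped_set_command emits is the one that must be open for inbound traffic on the PEDserver host, as noted above.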
Person who is the PSO of the current slot (which is the desired application partition on the distant Luna Network HSM 7) runs the LunaCM commands that will require the HSM to look for PED interaction.
lunacm:> partition init -label 550097_par1 -f
lunacm:> ped connect
lunacm:> role login -n po
lunacm:> ped connect
lunacm:> role init -n co
NOTE The use of lunacm:> ped connect before every partition administrative command is not always necessary, but is a best-practice in unstable network conditions or in situations where network/firewall rules might drop the PEDclient-PEDserver connection frequently or unexpectedly.
If the (re-)connection fails, have the person with "admin" access on the Luna Network HSM 7 re-establish the HSM side of the connection to the PEDserver (expected port and IP) before you issue any more client-side commands that need multifactor quorum authentication.