Remote PED Troubleshooting
If you encounter problems at any stage of the Remote PED connection process, the following troubleshooting tips may help resolve the problem:
>Cryptographic Operations Blocked During Remote PED Operations When Audit Logging Is Enabled
>No Menu Appears on Luna PED Display: Ensure Driver is Properly Installed
>RC_SOCKET_ERROR: PEDserver Requires Administrator Privileges
>CKR_PED_UNPLUGGED: Reconnect Remote PED Before Issuing Commands
>Remote PED Blocked Port Access
>ped connect Fails if IP is Not Accessible
Cryptographic Operations Blocked During Remote PED Operations When Audit Logging Is Enabled
With audit logging enabled on the HSM, crypto operations are blocked on all application partitions during Remote PED operations. During this time, requests sent to HA member partitions on this HSM will not fail over to other members. When the Remote PED operation is complete, all crypto operations resume normally. If your application has its own timeout programmed, it may incorrectly conclude that the entire HA group has failed.
Using Luna HSM Client 10.7.2 or newer, you can configure the ProbeTimeout setting in the Chrystoki.conf/crystoki.ini file to trigger an HA failover after a specified time. This allows operations to continue normally during Remote PED operations.
Intermittent CKR_CALLBACK_ERROR: PED Cannot Service its USB Data Channel Fast Enough to Communicate with PEDserver
NOTE This issue might occur during Remote PED connections between
>A Luna PCIe HSM 7 with Luna HSM Firmware 7.7.0 or newer and a remote workstation with Luna HSM Client 10.3.0 or newer.
>A Luna Backup HSM 7 with firmware 7.7.1 or newer and a remote workstation with Luna HSM Client 10.3.0 or newer.
The PED might not be able to service its USB data channel fast enough to communicate with PEDserver, and you will intermittently receive CKR_CALLBACK_ERROR.
The following error appears in the PEDserver log file:
** ERROR ** 32725 : pedsock_rmtped_write_1_waitack_write_n_waitack failed: 0xffffffff (-1)
If driver log messages are available on your system, the following message may appear where driver logs are reported:
kernel: lunaped: read: usb_bulk_msg: rc = -110
To avoid this error, throttle communication between the PED and PEDserver by running the following command from a command prompt:
pedserver -mode config -set -pedwritedelay <int>
NOTE To resolve this error in most cases, Thales recommends setting the value of -pedwritedelay to 50. If you still experience this issue, set -pedwritedelay to a value higher than 50. For more information about this option, refer to pedserver -mode config.
No Menu Appears on Luna PED Display: Ensure Driver is Properly Installed
If the PED driver is not properly installed before connecting the PED to the workstation's USB port, the PED screen does not display the menu. If you encounter this problem, ensure that you have followed the entire procedure at Installing PEDserver and Setting Up the Remote Luna PED.
RC_SOCKET_ERROR: PEDserver Requires Administrator Privileges
If PEDserver is installed in the default Windows directory, it requires Administrator privileges to make changes. If you run PEDserver as an ordinary user, you may receive an error like the following:
c:\Program Files\SafeNet\LunaClient>pedserver mode start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Starting background process
Failed to recv query response command: RC_SOCKET_ERROR c0000500
Background process failed to start : 0xc0000500 RC_SOCKET_ERROR
Startup failed. : 0xc0000500 RC_SOCKET_ERROR
To avoid this error, when opening a command line for PEDserver operations, right-click the Command Prompt icon and select Run as Administrator. Windows Server 20xx opens the Command Prompt as Administrator by default.
NOTE If you do not have Administrator permissions on the Remote PED host, contact your IT department or install Luna HSM Client in a non-default directory (outside the Program Files directory) that is not subject to permission restrictions.
CKR_PED_UNPLUGGED: Reconnect Remote PED Before Issuing Commands
As described in the connection procedures, Remote PED connections time out after a default period of 1800 seconds (30 minutes). If you attempt authentication via PED after timeout or after the connection has been broken for another reason, the Luna PED will not respond and you will receive an error like this:
lunacm:> role login -n so
Please attend to the PED.
Error in execution: CKR_PED_UNPLUGGED.
Command Result : 0x8000002e (CKR_PED_UNPLUGGED)
To avoid this error, re-initiate the connection before issuing any commands requiring authentication via PED:
lunacm:> ped connect -ip <PEDserver_IP> -port <PEDserver_port>
Remote PED Firewall Blocking
If you experience problems while attempting to configure a Luna Remote PED session over VPN, you might need to adjust Windows Firewall settings.
1. From the Windows Start Menu, select Control Panel.
2. Select Windows Firewall.
3. Select Change notification settings.
4. In the dialog Customize settings for each type of network, go to the appropriate section and activate Notify me when Windows Firewall blocks a new program.
With notifications turned on, a dialog box appears whenever Windows Firewall blocks a program, allowing you to override the block as Administrator. This allows PEDserver to successfully listen for PEDclient connections.
Remote PED Blocked Port Access
The network might be configured to block access to certain ports. If ports 1503 (the default PEDserver listening port) and 1502 (the administrative port) are blocked on your network, choose a different port when starting PEDserver, and when using lunacm:> ped connect to initiate the Remote PED connection. Contact your network administrator for help.
You might choose to use a port-forwarding jump server, co-located with the Luna PCIe HSM 7(s) on the datacenter side of the firewall. This can be a low-cost solution for port-blocking issues. It can also be used to implement a PKI authentication layer for Remote PED or other SSH access, by setting up smart-card access control to the jump server.
For example, you can use a standard Ubuntu Server distribution with OpenSSH installed and no other changes made to the standard installation with the following procedure:
1. Connect the Luna PED to a Windows host with Luna HSM Client installed and PEDserver running.
2. Open an Administrator command prompt on the Remote PED host and start the port-forwarding service.
>plink -ssh -N -T -R 1600:localhost:1503 <user>@<Ubuntu_server_IP>
3. Launch LunaCM on the Luna PCIe HSM 7 host, and open the HSM-initiated connection.
lunacm:> ped connect -ip <Ubuntu_server_IP> -port 1600
The Remote PED host initiates the SSH session to the Ubuntu jump server. The HSM host's connection to port 1600 on the jump server is carried back through that session to PEDserver, listening on port 1503 on the Remote PED host.
A variant of this arrangement also routes port 22 through the jump server, which allows administrative access to the Luna PCIe HSM 7 under the PKI access-control scheme.
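As an added check for the jump-server procedure above (example code, not from the Thales documentation): OpenSSH binds a remote forward such as `-R 1600:localhost:1503` to the jump server's loopback address unless sshd_config sets `GatewayPorts yes`, so a `ped connect` from the HSM host to port 1600 would be refused. The script below, run on the Ubuntu jump server, reads `ss -ltn` output and sshd_config text to tell the two cases apart; the sample inputs are constructed and port 1600 is assumed from the example.

```shell
#!/bin/sh
# Added diagnostic for the plink reverse tunnel (not Thales code).
# Without "GatewayPorts yes", sshd binds the -R listener to 127.0.0.1 only,
# so "ped connect -ip <Ubuntu_server_IP> -port 1600" cannot reach it.

FWD_PORT=1600   # assumption: the port used in the ped connect example

# Print "all", "loopback" or "none" for how port $1 is bound,
# given "ss -ltn" style output on stdin.
tunnel_bind_scope() {
    awk -v p=":$1" '
        $1 == "LISTEN" {
            addr = $4
            if (substr(addr, length(addr) - length(p) + 1) == p) {
                host = substr(addr, 1, length(addr) - length(p))
                if (host == "127.0.0.1" || host == "[::1]") lb = 1; else all = 1
            }
        }
        END { if (all) print "all"; else if (lb) print "loopback"; else print "none" }'
}

# Print the effective GatewayPorts value from sshd_config text on stdin.
# The OpenSSH default is "no" when the directive is absent or commented out.
gateway_ports_setting() {
    awk 'tolower($1) == "gatewayports" { v = tolower($2) } END { print (v == "" ? "no" : v) }'
}

# Constructed sample: the default situation, forward reachable only locally.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128        127.0.0.1:1600       0.0.0.0:*'

SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
#GatewayPorts no'

main() {
    scope=$(printf '%s\n' "$SAMPLE_SS" | tunnel_bind_scope "$FWD_PORT")
    gw=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gateway_ports_setting)
    echo "port $FWD_PORT bound: $scope; GatewayPorts: $gw"
    if [ "$scope" != "all" ]; then
        echo "HSM host cannot reach the tunnel; set GatewayPorts yes and restart sshd"
    fi
}
main
```

On a live jump server, replace the constructed samples with `ss -ltn` and `sshd -T` output.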
ped connect Fails if IP is Not Accessible
On a system with two network connections, if PEDserver attempts to use an IP address that is not externally accessible, lunacm:>ped connect can fail. To resolve this:
1. Ensure that PEDserver is listening on the IP address that is accessible from outside.
2. If not, disable the network connection on which PEDserver is listening.
3. Restart PEDserver and confirm that it is listening on the IP address that is accessible from outside.
PEDserver on VPN fails
If PEDserver is running on a laptop that changes location, the active network address changes even though the laptop is not shut down. If you unplugged from working at home, over the corporate VPN, commuted to the office, and reconnected the laptop there, PEDserver is still configured with the address you had while using the VPN. Running pedserver -mode stop does not completely clear all settings, so running pedserver -mode start again fails with a message like "Startup failed. : 0x0000303 RC_OPERATION_TIMED_OUT". To resolve this problem:
1. Close the current command prompt window.
2. Open a new Administrator command prompt.
3. Verify the current IP address.
>ipconfig
4. Start PEDserver, specifying the new IP and port number.
> pedserver -mode start -ip <new_IP> -port <port>