Configuring PED Timeout Settings

You can configure the PED timeout settings for your Remote PED connection. This is useful in the following situations:

>You would like to improve workflows for your HSM roles or enhance the security of your multifactor quorum-authenticated Luna Network HSM 7 deployment by increasing or decreasing the duration of PED inactivity that can elapse until the PED connection breaks.

>You are using a quorum (M of N split-secret) authentication scheme for your HSM roles and need to increase the time that is available for each required user to present their PED key. For more information about this authentication scheme, refer to Quorum Split Secrets (M of N).

>You are updating to Luna HSM Firmware 7.7.0 or newer and need to increase the time that is available to migrate all your pre-existing orange PED keys. For more information about this migration procedure, refer to Migrating Existing Orange Remote PED keys.

Configuring PED Inactivity Timeout

You can increase or decrease the number of seconds of PED inactivity that can elapse before the PED connection breaks. PEDserver and PEDclient both have configurable timeout settings; whichever utility is set to the shorter value determines the actual timeout duration.

PED inactivity timeout does not apply to PED-initiated Remote PED connections.

To configure PED inactivity timeout, run lunash:> hsm ped timeout set -type rped -seconds <seconds>.

After configuration, you can verify that the PED inactivity timeout duration has changed by running lunash:> hsm ped timeout show.

Configuring PED key Interaction Timeout

You can set the amount of time that can elapse without completing PED key requests, before the PED key request ends and must be repeated.

Estimate your actual settings based on the number of keys you are migrating.

To configure PED key interaction timeout, run lunash:> hsm ped timeout set -type pedk -seconds <seconds>.

NOTE: If you decrease the value of pedk, the newly set timeout duration only takes effect after running lunash:> hsm restart.

After configuration, you can verify that the PED key interaction timeout duration has changed by running lunash:> hsm ped timeout show.

Configuring Luna PED Operation Timeout

You can set the amount of time that can elapse without completing a Luna PED operation request, before the PED operation ends and must be repeated.

To configure Luna PED operation timeout, run lunash:> hsm ped timeout set -type pedo -seconds <seconds>.

After configuration, you can verify that the Luna PED operation timeout duration has changed by running lunash:> hsm ped timeout show.