Installing PEDserver and Setting Up the Remote Luna PED

The PEDserver software, installed on the Remote PED host workstation, allows the USB-connected Luna PED to communicate with remotely-located HSMs. The Remote PED administrator can install PEDserver using the Luna HSM Client installer. You require:

>Network-connected workstation with compatible operating system (refer to the release notes)

>Luna HSM Client installer

>Luna PED with Luna PED Firmware 2.7.1 or newer

>USB mini-B to USB-A connector cable

>Luna PED DC power supply if required by your Luna PED hardware

NOTE   To set up a Remote PED Server on Linux, you require Luna HSM Client 10.1.0 or newer.

To install PEDserver and the PED driver, and set up the Luna PED

1. Run the Luna HSM Client installer and follow the on-screen instructions, as detailed in Luna HSM Client Software Installation, and select the Luna Remote PED option. Any additional installation choices are optional for the purpose of this procedure.

2. On Windows, if you are prompted to install the driver, accept the installation.

3. On Windows, reboot the computer to ensure that the Luna PED driver is accepted by Windows. This step is not required for Linux or Windows Server operating systems.

4. Connect the Luna PED to a USB port on the host system using the supplied USB mini-B to USB-A connector cable.

Luna PED with Luna PED Firmware 2.8.0 and above is powered via the USB connection. If you are using a Luna PED with Luna PED Firmware 2.7.1, connect it to power using the Luna PED DC power supply.

As soon as the PED receives power, it performs start-up and self-test routines (for PED v2.8 and later, the PED driver must be installed on the connected computer, or the display remains blank). It verifies the connection type and automatically switches to the appropriate operation mode when it receives the first command from the HSM.

To manually set the operation mode to Remote PED, see Changing Modes.

5. On Windows, open the Windows Device Manager to confirm that the Luna PED is recognized as PED2. If it appears as an unrecognized USB device:

a. Disconnect the Luna PED from the host USB port.

b. Reboot the computer to ensure that the Luna PED driver is accepted by Windows.

c. Reconnect the Luna PED.

To continue setting up a Remote PED connection, see Opening a Remote PED Connection.

PED Utilities Run by Non-root Users

By default, the PED utilities write their log to the current working directory from which the command was run (for example ./remotePedServerLog.log). Non-root users, including members of the hsmusers group, have no write permission to the bin directory or to any other directory under /usr/safenet, so PedServer or PedClient started from there by a non-root user fails to start.

PED Server

Without root access (or the workaround described below), the utility fails to launch and displays the following error:

[bin]$ ./PedServer -m start
Ped Server Version 1.0.6 (10006)
Ped Server launched in startup mode.
Connecting to PED. Please wait..........InternalRead: 10 seconds timeout
Failed to recv query response command: RC_OPERATION_TIMED_OUT c0000303
Failed to connect to PED. Please see logs for further details.
Ped Server Process created, exiting this process.
-----------------------------------------------------------------------------------------

PedServer logs every action it takes, including the attempt to connect to the PED. When it cannot create the log file (no write permission), it abandons the connection attempt, which is why the symptom is a PED connection timeout rather than an explicit permissions error.

The workaround is to set the PedServer LogFileName to a location where the current user has read and write access, such as the user's home directory. Either store the setting persistently in the PedServer configuration:

$ ./PedServer -mode config -set LogFileName $HOME/remotePedServerLog.log

OR

$ ./PedServer -mode config -set LogFileName /tmp/remotePedServerLog.log

and then start the server normally:

$ ./PedServer -mode start

OR pass the log file on the command line each time you start the server, using the -logfilename option (use /dev/null only if you are prepared to lose the log, since it is what you need to diagnose a failed PED connection):

$ ./PedServer -m start -logfilename /dev/null
$ ./PedServer -m start -logfilename $HOME/remotePedServerLog.log
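The following wrapper script is an added example and is not part of the Luna documentation or the Luna HSM Client. It automates the workaround above for a non-root user: it keeps PedServer's default log location when the current directory is writable, otherwise falls back to the user's home directory, and only as a last resort to /dev/null, then starts PedServer with an explicit -logfilename so the utility never tries to create a log under /usr/safenet. The installation path /usr/safenet/lunaclient/bin/PedServer and the PEDSERVER_BIN / PEDSERVER_AUTOSTART variable names are assumptions for this example, not something the page states.

```shell
#!/bin/sh
# Added example, not from the Luna documentation or the Luna HSM Client:
# start PedServer as a non-root user with a log file the user can write.
#
# Assumptions (not stated on the page): PedServer is installed at
# /usr/safenet/lunaclient/bin/PedServer (override with PEDSERVER_BIN), and the
# "-m start -logfilename <path>" invocation shown on the page is used as-is.

PEDSERVER_BIN="${PEDSERVER_BIN:-/usr/safenet/lunaclient/bin/PedServer}"
LOG_NAME="remotePedServerLog.log"

# choose_pedserver_log DIR
# Prints the log path to use. PedServer's default is DIR/remotePedServerLog.log,
# where DIR is the directory the command is run from; keep that when DIR is
# writable, otherwise fall back to the user's home directory, and only as a
# last resort to /dev/null (which discards the log entirely).
choose_pedserver_log() {
    dir="$1"
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        printf '%s/%s\n' "$dir" "$LOG_NAME"
    elif [ -n "$HOME" ] && [ -d "$HOME" ] && [ -w "$HOME" ]; then
        printf '%s/%s\n' "$HOME" "$LOG_NAME"
    else
        printf '/dev/null\n'
    fi
}

# start_pedserver
# Resolves the log path from the current directory and launches PedServer in
# startup mode with an explicit -logfilename. Returns 1 without starting
# anything if the binary is missing, so the script is harmless on a host
# without the Luna HSM Client installed.
start_pedserver() {
    log=$(choose_pedserver_log "$PWD")
    if [ ! -x "$PEDSERVER_BIN" ]; then
        echo "PedServer not found or not executable: $PEDSERVER_BIN" >&2
        return 1
    fi
    if [ "$log" = /dev/null ]; then
        echo "warning: no writable log location found, logging to /dev/null" >&2
    fi
    echo "starting PedServer, logging to $log" >&2
    "$PEDSERVER_BIN" -m start -logfilename "$log"
}

# Run with PEDSERVER_AUTOSTART=1 to start immediately; otherwise source this
# file and call start_pedserver yourself.
[ "${PEDSERVER_AUTOSTART:-0}" = 1 ] && start_pedserver
```

The script deliberately does not fall back to /tmp: a log with a fixed, predictable name in a world-writable directory can be pre-created or symlinked by another local user, so a per-user location such as $HOME is the safer choice. If you prefer the persistent `-mode config -set LogFileName` form shown above, run it once with the same path and the `-logfilename` argument becomes unnecessary.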

PED Client

PedClient has similar requirements.

Add the user to an appropriate user group, and they can then launch it with systemctl.