Remote access
Configuring remote access to HSM management
The HSM can be configured for remote management.
In principle, actions such as starting the service, rebooting and synchronizing replication (among others) can only be carried out with physical access to the HSM. With remote management enabled, the administrator can perform these operations from their own workstation using a USB smart card reader and the corresponding smart cards.
The smart card reader certified by DINAMO is the Gemalto/Thales IDBridge CT30 universal reader.
Requirements
- Physical access to the HSMs with the smart cards and PIN for each one.
- Keyboard and monitor.
- A Windows workstation with SSL connectivity via TCP port 3344 to the HSM.
- HSM client software installed in Full mode or customized with the Remote access option (see Downloads page).
- Smart card reader.
- HSM service started.
Info
Firmware versions prior to 5x do not have the remote access option.
Enabling remote access in HSM
- To enable remote access, you must physically go to the HSM and authenticate with the cards.
- Once authenticated, choose Remote Management and press Enter.
Dinamo - Local Management Console
┌──────────┤ Main ├──────────┐
│ About                      │
│ Start Service              │
│ Monitor ▸                  │
│ Remote Management          │
│ Configuration ▸            │
│ Partition ▸                │
│ Self Test                  │
│ Lock Console               │
│ Power Off ▸                │
└────────────────────────────┘
Service stopped    Replication Domain: <none>
Remote management option on the local console
- Remote management is now active and you can manage the HSM remotely from Windows.
Dinamo - Local Management Console
┌─────────┤ RM (press ESC to exit) ├──────────┐
│                                             │
│                                             │
│                                             │
│      ready to process remote commands       │
│                                             │
│                                             │
│                                             │
└─────────────────────────────────────────────┘
Service running...    Replication Domain: <none>
Remote management enabled
For more details on remote management in HSM, see the topic Remote Management.
Accessing HSM management
- To access the HSM, open DINAMOcon and use the Remote Management option.
- Then choose Remote HSM Management.
- Click on the Start remote authentication button and insert the card into the reader.
- Enter the card PIN and click OK.
- A success message will appear.
- Then you (or the other custodians of the cards) repeat the same procedure for the next cards. Right after the last card, DINAMOcon will display the following message.
Attention
Only the final custodian will have remote operation of the HSM.
- It is now possible to manage the HSM remotely.
For more details on remote access to the HSM, see the topic Remote Management.
Troubleshooting
- Cannot connect to HSM (error -12) or DINAMOcon crashes trying to connect when you click on Device management.
  Possible causes:
  - Port 3344 is not allowed on the network.
  - SSL connection not closed due to network blocking.
  - Remote access is not enabled in the HSM (see Starting Remote Management).
- Button to start authentication does not appear.
  Solutions:
  - Reinstall the client with the Full or Custom option by selecting Remote Console.
  - If you have already reinstalled, check whether the file libusb-1.0.dll is in C:/Windows/System32.
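The causes listed above can be told apart from the workstation before opening DINAMOcon. The following PowerShell check is an added example, not part of the DINAMO documentation or client software; the host name is a placeholder, and it assumes the service on port 3344 completes a standard TLS handshake.

```powershell
# Added example: pre-flight check for the Troubleshooting cases on this page.
param(
    [string]$HsmHost   = 'hsm.example.internal',  # placeholder, replace with your HSM address
    [int]   $Port      = 3344,                    # management port named on this page
    [int]   $TimeoutMs = 5000
)

function Test-HsmRemotePort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $r = [ordered]@{ TcpOpen = $false; TlsOk = $false; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $r.Detail = "No answer on TCP $Port (port filtered on the network?)"
            return [pscustomobject]$r
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        $r.TcpOpen = $true
        # Diagnostic only: the certificate is not validated, because the point is
        # whether a handshake completes at all. Nothing is sent after the handshake.
        $anyCert = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $anyCert)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsOk  = $true
        $r.Detail = "TLS handshake completed ($($ssl.SslProtocol))"
        $ssl.Dispose()
    } catch {
        $stage = if ($r.TcpOpen) { 'TCP open, but TLS handshake failed' } else { 'TCP connect failed' }
        $r.Detail = "${stage}: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

$net = Test-HsmRemotePort -HostName $HsmHost -Port $Port -TimeoutMs $TimeoutMs
# Path taken from the page; a 32-bit PowerShell on 64-bit Windows sees SysWOW64 here instead.
$dll = Join-Path $env:SystemRoot 'System32\libusb-1.0.dll'

[pscustomobject]@{
    Target        = "${HsmHost}:$Port"
    TcpOpen       = $net.TcpOpen
    TlsHandshake  = $net.TlsOk
    Detail        = $net.Detail
    LibusbPresent = Test-Path -LiteralPath $dll
}
```

If TcpOpen and TlsHandshake are both True and the connection from DINAMOcon still fails, the remaining cause from the list is that remote access is not enabled on the HSM console.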