Learn more about HSM

Connecting to HSM

To connect to the Hardware Security Module (HSM), use the VPN to your customer account, or connect from a server on your account that has connectivity to the private VLAN on which the HSM was provisioned. See figure 1 below on connectivity.

  1. Connect with ssh to the HSM through the VPN or from a server located on the same private VLAN.
    # ssh customer_admin@10.1.1.101
  2. Change the HSM "customer_admin" password.
    # user password
  3. Enable public key (PKI-based) authentication.
    1. Generate an RSA key pair on the connecting host.
      # ssh-keygen -b 2048 -t rsa
      Generating public/private rsa key pair.
      Enter file in which to save the key (/root/.ssh/id_rsa):
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /root/.ssh/id_rsa.
      Your public key has been saved in /root/.ssh/id_rsa.pub.
      The key fingerprint is: 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 root@host
    2. Two files are created: a private key file, which stays on the connecting host, and a public key file, which is sent to the HSM appliance.
    3. Use SCP to send the public key to the appliance (the trailing colon makes scp copy to the remote host instead of to a local file of that name).
      # scp /root/.ssh/id_rsa.pub customer_admin@10.1.1.101:
      customer_admin@appliance password:
      id_rsa.pub 100% |*****************************| 220 00:00
    4. Verify, on the appliance, the default settings of the Public Key Authentication service.
      [myLuna] lunash:>sysconf -ssh show
      SSH is unrestricted.
      Password authentication is enabled
      Public key authentication is enabled
      Command Result : 0 (Success)
    5. Verify that there are no public key entries by default.
      [myLuna] lunash:>sysconf -ssh publickey list
      SSH Public Keys for user 'admin':
      Name Type Bits Fingerprint
      ------------------------------------------------------------------------------
      Command Result : 0 (Success)
    6. Add the public key that was sent to the appliance.
      [myLuna] lunash:>sysconf -ssh publickey add root@host -f id_rsa.pub
      Public key added
      Command Result : 0 (Success)
    7. Verify the list of public keys.
      [myLuna] lunash:>sysconf -ssh publickey list
      SSH Public Keys for user 'admin':
      Name Type Bits Fingerprint
      ------------------------------------------------------------------------------
      root@host ssh-rsa 1024 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6
      Command Result : 0 (Success)
    8. Check that the fingerprint reported by the appliance matches the fingerprint ssh-keygen printed on the connecting host; a mismatch means the key registered on the appliance is not the one you generated.
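
Step 8 is the check that matters: the fingerprint in the appliance's `publickey list` output must equal the one ssh-keygen printed locally, otherwise the key you authorised is not the key you hold. The following is an added example (not from the original page or the appliance vendor) that computes the legacy MD5 colon-hex fingerprint of a local OpenSSH public key line and compares it with the name/type/bits/fingerprint rows of the appliance listing; the key blob and the listing text are constructed sample data.

```python
import base64
import hashlib
import re

# Row format of "sysconf -ssh publickey list": <name> <type> <bits> <md5 colon-hex fingerprint>
_ROW_RE = re.compile(r"^(\S+)\s+(ssh-\S+)\s+(\d+)\s+((?:[0-9a-f]{2}:){15}[0-9a-f]{2})$")


def md5_fingerprint(pubkey_line: str) -> str:
    """Legacy OpenSSH fingerprint: MD5 over the decoded key blob, as colon-separated hex."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected an OpenSSH public key line: '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_publickey_list(listing: str) -> dict:
    """Parse the appliance listing into {name: (type, bits, fingerprint)}.
    Header, separator and 'Command Result' lines do not match the row pattern and are skipped."""
    entries = {}
    for line in listing.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            entries[m.group(1)] = (m.group(2), int(m.group(3)), m.group(4))
    return entries


def key_is_registered(pubkey_line: str, listing: str, name: str) -> bool:
    """True only if the appliance lists `name` with exactly the local key's fingerprint."""
    entry = parse_publickey_list(listing).get(name)
    return entry is not None and entry[2] == md5_fingerprint(pubkey_line)


# Constructed sample data (not a real key): the blob is the bytes b"abc", whose MD5 is the
# RFC 1321 test vector 900150983cd24fb0d6963f7d28e17f72, so the expected fingerprint is known.
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(b"abc").decode() + " root@host"
SAMPLE_LISTING = """\
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
root@host ssh-rsa 2048 90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72
Command Result : 0 (Success)
"""

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_PUBKEY))
    print("match" if key_is_registered(SAMPLE_PUBKEY, SAMPLE_LISTING, "root@host") else "MISMATCH")
```

Current OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -E md5 -lf /root/.ssh/id_rsa.pub` prints the colon-hex MD5 form that the appliance listing uses.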

Initialize the HSM

  1. Initialize the HSM.
    [myLuna] lunash:>hsm init -label Customer1Prod
    Please enter a password for the HSM Administrator:
    > **************
    Please re-enter password to confirm:
    >**************
    Please enter the cloning domain to use for initializing this HSM (press Enter to use the default domain):
    >MyDomain
    CAUTION: Are you sure you wish to re-initialize this HSM?
    All partitions and data will be erased.
    Type 'proceed' to initialize the HSM, or 'quit' to quit now.
    >proceed
    'hsm init' successful.
    Command Result : 0 (Success)

Creating Partitions

Within the HSM, separate cryptographic workspaces must be initialized and designated for clients. A workspace, or Partition, and all of its contents are protected by encryption derived (in part) from its authentication; only a client that presents the proper authentication can see the partition and work with its contents. Partition labels must be unique within an HSM: you cannot create two partitions with the same label on one HSM. The label is what PKCS#11 applications see.

  1. Log in as the HSM Administrator (use the password set when initializing the HSM).
    [myLuna] lunash:>hsm login
    Please enter the HSM Administrators' password:
    > **************
    'hsm login' successful.
    Command Result : 0 (Success)
  2. Create the partition.
    [myLuna] lunash:>partition create -partition customerPartionProd
    Please ensure that you have purchased licenses for at least this number of partitions: 1
    If you are sure to continue then type 'proceed', otherwise type 'quit'
    > proceed
    Proceeding...
    Please enter a password for the partition:
    > **************
    Please re-enter password to confirm:
    > **************
    Please enter the cloning domain to use when creating this partition (press Enter to use the default domain):
    > MyDomain
    'partition create' successful.
    Command Result : 0 (Success)

Additional Information on HSM