
Step 7: Initialize the cluster

Last Updated: Jun 09, 2021

This topic describes how to initialize an HSM cluster.

To initialize an HSM cluster, you need a CA that issues the HSM cluster certificate and enables end-to-end (E2E) encryption between your client and the HSM. The following example uses OpenSSL to create a self-signed CA certificate, issue the HSM cluster certificate with that CA, and initialize the cluster.

Add the HSM to cluster

  1. Log on to the Data Encryption Service console.

  2. Find the cluster you want to use and click Details.

  3. Click Add HSM.

  4. Select the HSM instance to add to the cluster as its first member, then click OK.

Get the cluster CSR

On the Cluster details page, move the pointer over ClusterCsr and copy the CSR. Save it to a file, for example hsm.csr in the /opt/hsm/etc directory; it is signed by your CA in a later step.

Create a private key

Go to the /opt/hsm/etc directory and run the following command to create a passphrase-protected RSA private key for the CA. Choose a strong passphrase: anyone who holds this key can issue certificates that the cluster trusts.

$ openssl genrsa -aes256 -out exampleCA.key 2048
Generating RSA private key, 2048 bit long modulus
........ +++
e is 65537 (0x10001)
Enter pass phrase for exampleCA.key:
Verifying - Enter pass phrase for exampleCA.key:

Create a self-signed certificate

The following command uses OpenSSL and the private key created in the previous step to create a self-signed CA certificate. The certificate is valid for 10 years (3652 days). The exact prompts and default values depend on your OpenSSL configuration.

$ openssl req -new -x509 -days 3652 -key exampleCA.key -out exampleCA.crt
Enter pass phrase for exampleCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

This command creates a certificate file named exampleCA.crt. Update the value of owner_cert_path in the configuration file /opt/hsm/etc/hsm_mgmt_tool.cfg and the value of e2e_owner_crt_path in the configuration file /opt/hsm/etc/hsm_proxy.cfg to the path of exampleCA.crt.

Sign cluster CSR

Run the following command to issue the HSM cluster certificate from the saved CSR (hsm.csr), signed with the CA key and certificate created above. The certificate is valid for 10 years and is written to hsm.crt:

openssl x509 -req -in hsm.csr -days 3652 -CA exampleCA.crt -CAkey exampleCA.key -set_serial 01 -out hsm.crt
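The following script is an added example, not part of the original page or of the Data Encryption Service tooling. It runs the three OpenSSL steps above non-interactively and then checks the result before it is uploaded: that hsm.crt verifies against exampleCA.crt and that its public key is the one from the CSR. Because the real ClusterCsr can only be copied from the console, the script generates a local stand-in CSR (constructed for the example); the working directory, the CA_PASS environment variable and the subject names are assumptions, and the page's own setup keeps the files in /opt/hsm/etc instead.

```shell
#!/bin/sh
# Added example: build a self-signed CA, sign an HSM cluster CSR, verify the
# result. The CSR here is a constructed stand-in for the console's ClusterCsr.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # assumption: page uses /opt/hsm/etc
PASS="${CA_PASS:-change-this-passphrase}" # assumption: passphrase via env var
CA_KEY="$WORKDIR/exampleCA.key"
CA_CRT="$WORKDIR/exampleCA.crt"
HSM_CSR="$WORKDIR/hsm.csr"
HSM_CRT="$WORKDIR/hsm.crt"

# Same key and self-signed certificate as the page, with the passphrase and
# subject supplied on the command line instead of at the prompts.
make_ca() {
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$CA_KEY" 2048 2>/dev/null
    openssl req -new -x509 -days 3652 -key "$CA_KEY" -passin "pass:$PASS" \
        -subj "/C=CN/O=Example Org/CN=Example HSM CA" -out "$CA_CRT" 2>/dev/null
}

# Constructed stand-in for the cluster CSR copied from the console.
make_stand_in_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/hsm-standin.key" \
        -subj "/C=CN/O=Example Org/CN=hsm-cluster-stand-in" \
        -out "$HSM_CSR" 2>/dev/null
}

# The page's signing command, with the CA key passphrase passed in.
sign_csr() {
    openssl x509 -req -in "$HSM_CSR" -days 3652 -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -passin "pass:$PASS" -set_serial 01 -out "$HSM_CRT" 2>/dev/null
}

# Check 1: the issued certificate chains to the CA certificate you will upload.
verify_chain() {
    openssl verify -CAfile "$CA_CRT" "$HSM_CRT" >/dev/null 2>&1
}

# Check 2: the certificate carries the public key from the CSR, i.e. you did
# not sign a stale or wrong CSR file.
csr_key_matches_cert() {
    csr_pub=$(openssl req -in "$HSM_CSR" -pubkey -noout)
    crt_pub=$(openssl x509 -in "$HSM_CRT" -pubkey -noout)
    [ "$csr_pub" = "$crt_pub" ]
}

run_all() {
    make_ca
    make_stand_in_csr
    sign_csr
    verify_chain && csr_key_matches_cert
}

run_all && echo "CA and cluster certificate ready in $WORKDIR"
```

When you use this against the real cluster, replace make_stand_in_csr with the hsm.csr you saved from the console and keep exampleCA.key off the host once hsm.crt is issued; only exampleCA.crt needs to be referenced from hsm_mgmt_tool.cfg and hsm_proxy.cfg. The two checks are worth running before the Initialize Cluster step, because a certificate that does not chain to the uploaded issuer certificate is rejected only after the upload.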

Initialize cluster

  1. On the Cluster details page, click Initialize Cluster.

  2. Enter the issuer certificate (exampleCA.crt) and the signed cluster certificate (hsm.crt), then click OK.