This topic introduces how to initialize an HSM cluster. In order to establish trusted e2e connections with the HSM instances in a cluster, you need to initialize the cluster with trusted certificates.
Complete the following operations to initialize an HSM cluster:
1. Add an HSM instance to the cluster.
2. Get the cluster CSR.
3. Create a trusted private key.
4. Generate a self-signed certificate (Issuer Certificate) with the trusted private key.
5. Sign the cluster CSR with the trusted private key and the self-signed certificate (Issuer Certificate). Signing produces a new certificate (Cluster Certificate).
6. Upload both certificates to finish initializing the cluster.
Add an HSM to the cluster
Log on to the Data Encryption Service console.
In the Clusters page, find the cluster you want to use, and click Manage.
In the Cluster details page, click Add HSM instance.
Select the HSM to add to the cluster as the first (master) HSM instance. Then, click Save to add the HSM instance.
Get the cluster CSR
Refresh the Cluster details page. When the cluster signing request is ready, a link appears on the HSM cluster information tab. Choose ClusterCsr, then copy and save the CSR.
Create a trusted private key
Go to the /opt/hsm/etc directory. Run the following command to create a private key. The key is encrypted with AES-256 and protected by the pass phrase you enter.
$ openssl genrsa -aes256 -out exampleCA.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
............+++
e is 65537 (0x10001)
Enter pass phrase for exampleCA.key:
Verifying - Enter pass phrase for exampleCA.key:
Create a self-signed certificate
The following command uses OpenSSL and the private key that you created in the previous step to create a signed certificate. The certificate is valid for 10 years (3652 days).
$ openssl req -new -x509 -days 3652 -key exampleCA.key -out exampleCA.crt
Enter pass phrase for exampleCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
This command creates a certificate file named exampleCA.crt. The values of owner_cert_path and e2e_owner_crt_path in the configuration file /opt/hsm/etc/hsm_proxy.cfg need to be updated to the path of exampleCA.crt.
Sign the cluster CSR
Run the following command to issue the HSM cluster certificate:
$ openssl x509 -req -in hsm.csr -days 3652 -CA exampleCA.crt -CAkey exampleCA.key -set_serial 01 -out hsm.crt
The Issued Cluster Certificate is stored in the hsm.crt file.
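The following script is an added example, not part of this page or the service's own tooling: it runs steps 3 to 5 above non-interactively (the pass phrase comes from the CA_KEY_PASS environment variable instead of a prompt) and then performs the two checks worth doing before uploading, that hsm.crt verifies against exampleCA.crt and that it carries exactly the public key from the CSR. It assumes openssl is on PATH; make_demo_csr is a constructed stand-in for the ClusterCsr you would download from the console.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes openssl is on PATH and
# that CA_KEY_PASS holds the pass phrase chosen for exampleCA.key.
set -eu

# Sign a cluster CSR ($1) with a newly created trusted key and Issuer
# Certificate, writing exampleCA.key, exampleCA.crt and hsm.crt into $2.
sign_cluster_csr() {
    csr="$1"; dir="$2"
    : "${CA_KEY_PASS:?set CA_KEY_PASS to the pass phrase for exampleCA.key}"
    # Step 3: trusted private key, AES-256 encrypted as on the page.
    openssl genrsa -aes256 -passout env:CA_KEY_PASS \
        -out "$dir/exampleCA.key" 2048 2>/dev/null
    # Step 4: self-signed Issuer Certificate valid for 10 years (3652 days).
    openssl req -new -x509 -days 3652 -key "$dir/exampleCA.key" \
        -passin env:CA_KEY_PASS -subj "/CN=Example HSM Cluster CA" \
        -out "$dir/exampleCA.crt"
    # Step 5: issue the Cluster Certificate from the CSR.
    openssl x509 -req -in "$csr" -days 3652 -CA "$dir/exampleCA.crt" \
        -CAkey "$dir/exampleCA.key" -passin env:CA_KEY_PASS \
        -set_serial 01 -out "$dir/hsm.crt" 2>/dev/null
}

# Pre-upload checks: the issued certificate chains to the issuer, and its
# public key is the one that was in the CSR (a wrong -in file would pass
# step 5 silently but fail here).
check_cluster_cert() {
    dir="$1"; csr="$2"
    openssl verify -CAfile "$dir/exampleCA.crt" "$dir/hsm.crt" >/dev/null || return 1
    csr_pub=$(openssl req -in "$csr" -pubkey -noout)
    crt_pub=$(openssl x509 -in "$dir/hsm.crt" -pubkey -noout)
    [ "$csr_pub" = "$crt_pub" ]
}

# Constructed stand-in for the CSR downloaded from the console (ClusterCsr);
# a real cluster never exposes its private key like this.
make_demo_csr() {
    dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/demo_hsm.key" \
        -subj "/CN=demo-hsm-cluster" -out "$dir/hsm.csr" 2>/dev/null
    echo "$dir/hsm.csr"
}
```

Run it as `CA_KEY_PASS=... sh script.sh` after adding a call such as `sign_cluster_csr /path/to/hsm.csr /opt/hsm/etc && check_cluster_cert /opt/hsm/etc /path/to/hsm.csr`; a non-zero exit from the check means the pair should not be uploaded.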
Upload certificates & Finish cluster initialization
In the Clusters page, choose Activate for the cluster you want to initialize.
In the Initialize & Activate Cluster page, check if the cluster master HSM instance (first HSM in the cluster) is correct.
Download the cluster CSR and sign it with a self-signed certificate. Detailed steps are shown in the previous sections: Get the cluster CSR, Create a trusted private key, Create a self-signed certificate, and Sign the cluster CSR.
Fill in both the Issuer Certificate and the Issued Cluster Certificate boxes with the corresponding certificates encoded in the PEM format. Then click Next: Activate Cluster to finish cluster initialization.
Note: The Issuer Certificate is the signing certificate used to sign the cluster CSR. The Issued Cluster Certificate is the certificate produced by signing the cluster CSR.
When cluster initialization succeeds, you are directed to the Activate Cluster page.