This topic describes how to initialize an HSM cluster.
To initialize an HSM cluster, you need a CA that issues the HSM certificate and enables end-to-end (E2E) encryption. The following example uses OpenSSL to create a self-signed CA certificate, issue the HSM certificate, and initialize the cluster.
Add the HSM to cluster
Log on to the Data Encryption Service console.
Find the cluster you want to use, and click Details.
Click Add HSM.
Select the HSM to be added to the cluster as its first instance. Then click OK to add the HSM instance.
Get the cluster CSR
On the Cluster details page, move the mouse over ClusterCsr. You can then copy the CSR.
Create a private key
Go to the /opt/hsm/etc directory and run the following command to create a private key:
$ openssl genrsa -aes256 -out exampleCA.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
............+++
e is 65537 (0x10001)
Enter pass phrase for exampleCA.key:
Verifying - Enter pass phrase for exampleCA.key:
Create a self-signed certificate
The following command uses OpenSSL and the private key that you created in the previous step to create a self-signed certificate. The certificate is valid for 10 years (3652 days).
$ openssl req -new -x509 -days 3652 -key exampleCA.key -out exampleCA.crt
Enter pass phrase for exampleCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
This command creates a certificate file named exampleCA.crt. The values of the following two items in the configuration file /opt/hsm/etc/hsm_proxy.cfg need to be updated to the path of exampleCA.crt:
owner_cert_path
e2e_owner_crt_path
Sign cluster CSR
Save the CSR that you copied from the Cluster details page as hsm.csr. Then run the following command to issue the HSM cluster certificate:
$ openssl x509 -req -in hsm.csr -days 3652 -CA exampleCA.crt -CAkey exampleCA.key -set_serial 01 -out hsm.crt
On the Cluster details page, click Initialize Cluster.
Enter the issuer certificate (exampleCA.crt) and the signed cluster certificate (hsm.crt), then click OK.
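The OpenSSL steps above collected into one script, with the verification a practitioner runs before uploading the two certificates to the console. This is an added example, not code from the original page or the Data Encryption Service product; it assumes openssl is on PATH and that the CSR copied from the console is saved as hsm.csr, and it uses a constructed passphrase and a constructed sample CSR so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): the CA creation, CSR signing and a
# verification step, as shell functions. Assumptions: openssl is on PATH; the
# ClusterCsr copied from the console is saved as hsm.csr; CA_PASS holds the CA
# key passphrase (a constructed default is used here for a non-interactive run).
set -eu
CA_PASS="${CA_PASS:-example-ca-passphrase}"   # constructed; replace in real use
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"      # scratch dir instead of /opt/hsm/etc

# CA key (AES-256 encrypted, as on the page) plus the self-signed CA certificate,
# valid for 3652 days. umask 077 makes the key file readable only by its owner.
create_ca() {
  umask 077
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out exampleCA.key 2048 2>/dev/null
  openssl req -new -x509 -days 3652 -key exampleCA.key -passin "pass:$CA_PASS" \
    -subj "/CN=Example HSM CA" -out exampleCA.crt 2>/dev/null
}

# Sign the cluster CSR ($1) with the CA. Serial 01 matches the page; a CA that
# issues more than one certificate must give every certificate a distinct serial.
sign_cluster_csr() {
  openssl x509 -req -in "$1" -days 3652 -CA exampleCA.crt -CAkey exampleCA.key \
    -passin "pass:$CA_PASS" -set_serial 01 -out hsm.crt 2>/dev/null
}

# Check that hsm.crt chains to exampleCA.crt and carries the public key from the
# CSR ($1), i.e. the issuer/signed-certificate pair entered in the console match.
verify_cluster_cert() {
  openssl verify -CAfile exampleCA.crt hsm.crt >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  crt_pub=$(openssl x509 -in hsm.crt -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ]
}

# Constructed stand-in for the CSR copied from the console, so the script runs
# offline. In real use skip this and save the ClusterCsr content as hsm.csr.
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout sample.key \
    -subj "/CN=sample-hsm-cluster" -out hsm.csr 2>/dev/null
}

main() {
  create_ca
  make_sample_csr
  sign_cluster_csr hsm.csr
  verify_cluster_cert hsm.csr && echo "hsm.crt verified against exampleCA.crt"
}
main "$@"
```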