All Products
Search
Document Center

Step 7: Initialize the cluster

Last Updated: Sep 02, 2021

This topic introduces how to initialize an HSM cluster. In order to establish trusted e2e connections with the HSM instances in a cluster, you need to initialize the cluster with trusted certificates.

Overview

Complete the following operations to initialize an HSM cluster: 1. Add an HSM instance to the cluster.

2. Get the cluster CSR.

3. Create a trusted private key.

4. Generate a self-signed certificate(Issuer Certificate) with the trusted private key.

5. Sign the cluster CSR with the trusted private key and the self-signed certificate (Issuer Certificate), the signing process will generate a new certificate (Cluster Certificate).

6. Upload both certificates to finish initializing the cluster.

Add an HSM to the cluster

  1. Log on to the Data Encryption Service console.

  2. In the Clusters page, find the cluster you want to use, and click Manage.clusters_manage

  3. In the Cluster details page, click Add HSM instance.cluster-detail_addhsminstance

  4. Select the HSM which would be added to the cluster as the first one (master HSM instance). Then, click Save to add the HSM instance.cluster-details_addhsmins_select

Get the cluster CSR

Refresh the Cluster details page, when the cluster signing request is ready, you will see a link in the HSM cluster information tab. Choose ClusterCsr, then you can copy and save the CSR.clusters-details_clustercsr

Create a trusted private key

Go to the /opt/hsm/etc directory. Run the following command to create a private key.

$ openssl genrsa -aes256 -out exampleCA.key 2048
Generating RSA private key, 2048 bit long modulus
........ +++
............+++
e is 65537 (0x10001)
Enter pass phrase for exampleCA.key:
Verifying - Enter pass phrase for exampleCA.key:

Create a self-signed certificate

The following command uses OpenSSL and the private key that you created in the previous step to create a signed certificate. The certificate is valid for 10 years (3652 days).

$ openssl req -new -x509 -days 3652 -key exampleCA.key -out exampleCA.crt
Enter pass phrase for exampleCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

This command creates a certificate file named exampleCA.crt. The value of owner_cert_path in configuration file /opt/hsm/etc/hsm_mgmt_tool.cfg and e2e_owner_crt_path in configuration file /opt/hsm/etc/hsm_proxy.cfg need to be updated to the path of exampleCA.crt.

Sign the cluster CSR

Run the following command to issue the HSM cluster certificate:

openssl x509 -req -in hsm.csr -days 3652 -CA exampleCA.crt -CAkey exampleCA.key -set_serial 01 -out hsm.crt

The Issued Cluster Certificate is stored in the hsm.crt file.

Upload certificates & Finish cluster initialization

  1. In the Clusters page, choose Activate for the cluster you want to initialize.clusters_activate

  2. In the Initialize & Activate Cluster page, check if the cluster master HSM instance (first HSM in the cluster) is correct. initialize&activatecluster_masterhsm

  3. Download cluster CSR and sign the CSR with a self-signed certificate. Detailed steps are shown in previous sections: Get the cluster CSR, Create a private key, Create a self-signed certificate, and Sign the cluster CSR. initialize&activatecluster_csr

  4. Fill in both the Issuer Certificate and the Issued Cluster Certificate boxes with the corresponding certificates encoded in the PEM format. Then click Next:Activate Cluster to finish cluster initialization. Note: The Issuer Certificate is the signing certificate used to sign the cluster CSR. The Issued Cluster Certificate is the signed cluster certificate from the cluster CSR.initialize&activatecluster_upload

Step Result

Upon Initialize Cluster success, you will be directed to the Activate Cluster page.initialize&activatecluster_activatetitle