Cloud Hardware Security Module (HSM) provides the hardware security module (HSM) cluster feature. You can use the feature to associate and manage HSMs that reside in different zones in the same region and are used by the same service in a centralized manner. The feature provides high availability, load balancing, and scale-out capabilities on cryptographic operations for applications. This topic describes how to use an HSM cluster.
If you want to create a hardware security module (HSM) cluster for Key Management Service (KMS) instances of the hardware key management type, see Configure an HSM cluster for a KMS instance of the hardware key management type.
Scenarios
Applications can access any HSM in an HSM cluster to use the same key.
Applications are used in production environments and require Cloud Hardware Security Module (HSM) to provide continuous services.
Prerequisites
An HSM is purchased and enabled. For more information, see Step 1: Create an HSM and Step 2: Enable and configure the HSM.
Create and activate the HSM cluster
An HSM cluster includes one master HSM and multiple non-master HSMs. HSMs in a zone within a cluster use the same VPC subnet.
On the Instances page, find an HSM that you want to use as the master HSM and click Create Cluster in the Actions column.
In the Create and Activate Cluster panel, complete the Create Cluster step and click Next.
Parameter | Description |
Cluster Name | The name of the cluster. The name must be unique and cannot exceed 24 characters in length. |
Configure Whitelist | The range of IP addresses that are allowed to access the cluster. If you do not configure a whitelist, all IP addresses are allowed to access the cluster. If you configure a whitelist, only the IP addresses in the whitelist are allowed to access the cluster. IP addresses and CIDR blocks are supported. You can specify one IP address or one CIDR block in each row. You can specify up to 10 rows in total. Important: The whitelist of a cluster has a higher priority than the whitelist of an HSM in the cluster. For example, if you add 10.10.10.10 to the whitelist of an HSM and add 172.16.0.1 to the whitelist of the cluster that includes the HSM, you can access the HSM only from 172.16.0.1. |
Specify a vSwitch for the zone of another purchased HSM | The vSwitch for the zone of another purchased HSM. You can select the vSwitch based on your business requirements. You must configure two vSwitches for a cluster to create and activate the cluster. |
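To make the whitelist precedence rule concrete (the cluster whitelist overrides the HSM whitelist, and the HSM whitelist is cleared once the HSM joins a cluster, as described under Scale out the HSM cluster), here is an added Python example that is not part of this documentation or of the product; the function names and the in_cluster flag are assumptions for illustration, and the addresses are the page's own sample values:

```python
import ipaddress

MAX_WHITELIST_ROWS = 10  # the console accepts at most 10 rows per whitelist

def parse_whitelist(rows):
    """Parse whitelist rows (one IP address or CIDR block per row).

    Returns a list of networks, or None when the whitelist is empty, which
    the console treats as "every address is allowed". Rejects more than 10
    rows and malformed CIDR blocks (ip_network is strict by default)."""
    if len(rows) > MAX_WHITELIST_ROWS:
        raise ValueError(f"at most {MAX_WHITELIST_ROWS} rows allowed, got {len(rows)}")
    networks = [ipaddress.ip_network(r.strip()) for r in rows if r.strip()]
    return networks or None

def effective_whitelist(hsm_rows, cluster_rows, in_cluster):
    """Pick the whitelist that actually applies to one HSM.

    Assumption drawn from the page: once an HSM belongs to a cluster, the
    cluster whitelist prevails and the HSM's own whitelist is cleared, so
    only the cluster rows matter; a standalone HSM keeps its own rows."""
    return parse_whitelist(cluster_rows if in_cluster else hsm_rows)

def is_allowed(source_ip, whitelist):
    """True if source_ip may reach the HSM under the given parsed whitelist."""
    if whitelist is None:
        return True  # no whitelist configured: every address is accepted
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in whitelist)

def check_access(source_ip, hsm_rows, cluster_rows, in_cluster=True):
    """Evaluate whether one source address can reach the HSM."""
    return is_allowed(source_ip, effective_whitelist(hsm_rows, cluster_rows, in_cluster))
```

Run this against your planned whitelists before activating the cluster to confirm that the addresses your applications use are still reachable after the HSM whitelist is superseded.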
In the Create and Activate Cluster panel, complete the Activate Cluster step.
Import a cluster certificate.
In the Upload Cluster Certificate section, click Cluster CSR Certificate to download a certificate signing request (CSR) file. Then, upload the CSR file to the ECS instance. In this example, the CSR file is saved in the cluster.csr file.
Create a private key and configure a password for the private key as prompted. In this example, the private key and the password are saved in the issuerCA.key file.
openssl genrsa -aes256 -out issuerCA.key 2048
Create a self-signed certificate. In this example, the self-signed certificate is saved in the issuerCA.crt file.
openssl req -new -x509 -days 3652 -key issuerCA.key -out issuerCA.crt
Sign the CSR and save the issued certificate in the cluster.crt file.
Note: In this step, the cluster.csr, issuerCA.key, and issuerCA.crt files are used.
openssl x509 -req -in cluster.csr -days 3652 -CA issuerCA.crt -CAkey issuerCA.key -set_serial 01 -out cluster.crt
Go to the Activate Cluster step in the Cloud Hardware Security Module (HSM) console, import the cluster certificate, and then click Submit.
In the Enter the issuer certificate in the PEM format section, enter the content of the issuerCA.crt file.
In the Enter the issued cluster certificate in the PEM format section, enter the content of the cluster.crt file.
Initialize the master HSM by performing the following steps.
Step 1: Download the HSM management tool.
Important: You can install the HSM management tool only on Linux operating systems.
Download the HSM management tool by using one of the following methods:
Run the following command to download the HSM management tool. You can use this method only if your ECS instance is connected to the Internet.
wget -O hsm-client-v2.03.15.10-1.x86_64.rpm 'https://yundun-hsm4.oss-ap-southeast-1.aliyuncs.com/hsm-client-v2.03.15.10-1.x86_64.rpm'
On the Instances page, find the master HSM, click the information about the master HSM in the Specifications column, and then click Download HSM Management Tool.
In the Activate Cluster step in the Create and Activate Cluster panel, click Download HSM Management Tool.
Step 2: Install the HSM management tool.
Run the following command to install the program and client configuration file in the /opt/hsm directory:
sudo yum install -y hsm-client-v2.03.15.10-1.x86_64.rpm
Step 3: Modify the client configuration file.
Modify the configuration items of servers in the /opt/hsm/etc/hsm_mgmt_tool.cfg file.
name and hostname: Replace the values with the private IP address of the master HSM.
owner_cert_path: Replace the value with the path to the issuerCA.crt file.
Step 4: Log on to the master HSM and query a list of users.
Run the following command to log on to the master HSM:
/opt/hsm/bin/hsm_mgmt_tool /opt/hsm/etc/hsm_mgmt_tool.cfg
Run the listUsers command to query users.
cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:2
User Id  User Type  User Name  MofnPubKey  LoginFailureCnt  2FA
1        PRECO      admin      NO          0                NO
2        AU         app_user   NO          0                NO
Step 5: Change a precrypto officer (PRECO) to a crypto officer (CO).
Run the loginHSM command to log on to the HSM as a precrypto officer (PRECO).
server0>loginHSM PRECO admin password
loginHSM success
Run the changePswd command to change the password of the PRECO. After you change the password, the PRECO changes to a CO.
cloudmgmt>changePswd PRECO admin <NewPassword>
*************************CAUTION********************************
This is a CRITICAL operation, should be done on all nodes in the cluster. Cav server does NOT synchronize these changes with the nodes on which this operation is not executed or failed, please ensure this operation is executed on all nodes in the cluster.
****************************************************************
Do you want to continue(y/n)?y
Changing password for admin(PRECO) on 1 nodes
Run the listUsers command to query users and check whether the PRECO has changed to a CO.
cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:2
User Id  User Type  User Name  MofnPubKey  LoginFailureCnt  2FA
1        CO         admin      NO          0                NO
2        AU         app_user   NO          0                NO
Step 6: Create a crypto user (CU).
Warning: Before you add non-master HSMs to a cluster, you must create a CU. Otherwise, the CU information cannot be synchronized to the non-master HSMs.
Run the createUser command to create a CU. The username and the password of a CU can contain ASCII characters. The username can be up to 20 characters in length, and the password can be 8 to 32 characters in length.
In this example, the CU username is crypto_user. You can specify the username based on your business requirements. If you configure an HSM cluster for a KMS instance of the hardware key management type, the CU username is kmsuser.
createUser CU crypto_user <enter password>
Run the listUsers command to check whether the CU is created. Expected output:
cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:3
User Id  User Type  User Name    MofnPubKey  LoginFailureCnt  2FA
1        CO         admin        NO          0                NO
2        AU         app_user     NO          0                NO
3        CU         crypto_user  NO          0                NO
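Because the CU must exist and the PRECO must already have become a CO before any non-master HSM joins, it is worth checking the listUsers output mechanically rather than by eye. The following added Python example is not part of this documentation or of the HSM management tool; it parses the output layout shown above (the sample text is constructed, and 172.16.XX.XX is the page's own placeholder) and reports what still has to be done on the master HSM:

```python
import re

# Constructed sample of hsm_mgmt_tool listUsers output in the layout the page shows.
SAMPLE_OUTPUT = """\
cloudmgmt>listUsers
Users on server 0(172.16.XX.XX):
Number of users found:3
User Id  User Type  User Name    MofnPubKey  LoginFailureCnt  2FA
1        CO         admin        NO          0                NO
2        AU         app_user     NO          0                NO
3        CU         crypto_user  NO          0                NO
"""

def parse_list_users(text):
    """Parse listUsers output into a list of user dicts.

    User rows start with a numeric user id and carry exactly six columns;
    every other line (prompt, header, server banner) is skipped. The row
    count is cross-checked against the 'Number of users found' line."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():
            users.append({
                "id": int(parts[0]), "type": parts[1], "name": parts[2],
                "mofn_pubkey": parts[3], "login_failures": int(parts[4]),
                "two_factor": parts[5],
            })
    declared = re.search(r"Number of users found:\s*(\d+)", text)
    if declared and int(declared.group(1)) != len(users):
        raise ValueError("parsed row count does not match 'Number of users found'")
    return users

def master_ready_for_members(users, expected_cu="crypto_user"):
    """Check the master HSM's user state before non-master HSMs are added.

    Mirrors Steps 5 and 6 of the page: the PRECO must have been converted to
    a CO with changePswd, and the CU must already exist, because a CU created
    after members join is not synchronized to them. Returns a list of
    problems; an empty list means the master HSM is ready."""
    problems = []
    if any(u["type"] == "PRECO" for u in users):
        problems.append("a PRECO still exists: run changePswd to convert it to a CO")
    if not any(u["type"] == "CO" for u in users):
        problems.append("no CO found on the master HSM")
    if not any(u["type"] == "CU" and u["name"] == expected_cu for u in users):
        problems.append(f"CU {expected_cu!r} not found: run createUser CU first")
    return problems
```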
Step 7: Check the status of the master HSM.
In the Activate Cluster step, click the icon to refresh the status of the master HSM. Then, click Next.
In the Add HSM step, add non-master HSMs to the cluster as prompted and click Complete.
You can purchase more HSMs and add them to the cluster based on your business requirements.
Scale out the HSM cluster
You can add HSMs in different zones to the same cluster and manage the HSMs in a centralized manner. This helps ensure the high availability of Cloud Hardware Security Module. HSMs can be added to a cluster only when the following requirements are met:
HSMs are not initialized.
HSMs are in the Enabled or New state.
HSMs are of the same type as the master HSM of the cluster.
No vSwitches are configured for HSMs, or the HSMs use the same vSwitch as the master HSM.
If a whitelist is configured for an HSM, the whitelist of the cluster prevails after the HSM is added to the cluster. The whitelist of the HSM is cleared.
On the Instances page, find the required master HSM and click Expand Cluster in the Actions column.
Add HSMs to the cluster based on your business requirements.
If no HSMs are available, click Purchase an HSM instance in the Add HSM dialog box to purchase HSMs.
The purchased HSMs are automatically added to the cluster. Cloud Hardware Security Module automatically assigns IP addresses to the HSMs and synchronizes data in the cluster.
If HSMs are available, perform the following operations: In the Add HSM dialog box, select the HSMs that you want to add, click the icon, and then click OK.
Use the HSM cluster
To use an HSM cluster, you can use OpenSSL Dynamic Engine, the JCE provider, or the PKCS#11 library. For more information, see OpenSSL Dynamic Engine, JCE provider, or Install the PKCS #11 library.
What to do next
Operation | Procedure |
Promote a non-master HSM to the master HSM | You can promote a non-master HSM to the master HSM. |
Remove an HSM from a cluster | You can remove only a non-master HSM from a cluster. You cannot remove the master HSM from a cluster. |
Modify the name and whitelist of a cluster | |