Key Management Service: Manage HSMs

Last Updated: May 16, 2025

This topic describes how to enable, modify, disable, resume, and reset hardware security modules (HSMs).

Enable an HSM

  • To create an HSM cluster, you must enable an HSM as the master HSM. You do not need to enable the non-master HSMs in the cluster.

  • To create an HSM by using images, you do not need to enable the HSM. For more information, see Data backup and restoration.

  1. Visit the VSMs page of the Cloud Hardware Security Module console and select the destination region in the top navigation bar.

  2. On the VSMs page, find the created HSM and click Enable in the Actions column.

  3. In the Configure HSM Instance dialog box, configure parameters and click OK.

    Parameter: Description

    VPC ID: The VPC that you want to bind to the HSM.

    VPC Subnet: The subnet that you want to assign to the HSM in the VPC.

    Private IP Address: The private IP address that you want to assign to the HSM.

      Important
      • The private IP address must belong to the subnet that is assigned to the HSM. Otherwise, the configuration fails.

      • The system reserves IP addresses whose last octet is 253, 254, or 255. Do not use the reserved IP addresses.

    Configure HSM Whitelist: The range of the IP addresses that are allowed to access the HSM. If you do not configure the whitelist, all IP addresses are allowed to access the HSM. If you configure a whitelist, only the IP addresses in the whitelist are allowed to access the HSM.

      IP addresses and CIDR blocks are supported. You can specify one IP address or one CIDR block in each row. You can specify up to 10 rows in total.

      Important
      • If you create a cluster, add an HSM to the cluster, and configure a whitelist for the cluster, the whitelist of the cluster takes precedence over the whitelist of the HSM. For example, if you add 10.10.10.10 to the whitelist of an HSM and add 172.16.0.1 to the whitelist of the cluster that includes the HSM, you can access the HSM only from 172.16.0.1.

      • The whitelist configuration of 0.0.0.0/0 is not supported. If you enter 0.0.0.0/0, requests from all IP addresses are allowed.

        For security reasons, we recommend that you do not allow requests from all IP addresses. If you need to allow requests from all IP addresses, do not configure the whitelist.

    If the configuration is successful, the value of Status for the HSM changes to Enabled.
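A pre-flight check for the values entered in the Configure HSM Instance dialog box, as an added example that is not part of the original documentation or of any Alibaba Cloud tooling. The function names, the sample addresses in the demo, and the masking of host bits in CIDR rows are assumptions; the rules checked are the ones stated in the parameter table above.

```python
import ipaddress

RESERVED_LAST_OCTETS = {253, 254, 255}  # reserved by the system, per the table
MAX_WHITELIST_ROWS = 10                 # one IP address or CIDR block per row

def check_hsm_config(subnet, private_ip, hsm_whitelist=(), cluster_whitelist=None):
    """Return (errors, warnings, effective_whitelist) for a planned configuration."""
    errors, warnings = [], []
    net = ipaddress.ip_network(subnet, strict=True)
    ip = ipaddress.ip_address(private_ip)
    if ip not in net:
        errors.append(f"{ip} is outside the assigned subnet {net}")
    if ip.packed[-1] in RESERVED_LAST_OCTETS:
        errors.append(f"{ip} ends in a reserved octet (253, 254 or 255)")
    # A configured cluster whitelist takes precedence over the HSM's own whitelist.
    rows = list(cluster_whitelist) if cluster_whitelist else list(hsm_whitelist)
    if len(rows) > MAX_WHITELIST_ROWS:
        errors.append(f"{len(rows)} whitelist rows exceed the limit of {MAX_WHITELIST_ROWS}")
    effective = []
    for row in rows:
        try:
            # Assumption: host bits in a CIDR row are masked rather than rejected.
            entry = ipaddress.ip_network(row.strip(), strict=False)
        except ValueError:
            errors.append(f"'{row}' is neither an IP address nor a CIDR block")
            continue
        if entry.prefixlen == 0:
            warnings.append(f"'{row}' allows requests from all IP addresses")
        effective.append(entry)
    if not rows:
        warnings.append("no whitelist: all IP addresses can access the HSM")
    return errors, warnings, effective

def is_allowed(source_ip, effective):
    """Empty whitelist allows every source; call only when errors is empty."""
    src = ipaddress.ip_address(source_ip)
    return not effective or any(src in entry for entry in effective)

if __name__ == "__main__":
    # Constructed values; the two whitelist addresses mirror the precedence example.
    errs, warns, eff = check_hsm_config(
        "192.168.1.0/24", "192.168.1.10", ["10.10.10.10"], ["172.16.0.1"])
    print(errs, warns, is_allowed("10.10.10.10", eff), is_allowed("172.16.0.1", eff))
```
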

Modify HSM configuration

If the HSM is not added to a cluster, you can modify the VPC, VPC subnet, private IP address, and whitelist of the HSM. If the HSM is added to a cluster, you can only modify the private IP address of the HSM.

  1. On the VSMs page, locate the desired HSM, click the icon in the Actions column, and then click Config.

  2. In the Configure HSM Instance dialog box, modify the HSM configuration and click OK.

Disable HSMs

Before you reset an HSM or remove it from a cluster, you must first disable the business features of the HSM.

Warning
  • Disabling an HSM disconnects it from the network. Proceed with caution.

  • You cannot disable the master HSM in a cluster.

  1. On the VSMs page, locate the desired HSM and click Disable in the Actions column.

  2. In the pop-up dialog box, click Disable again.

    After the HSM is disabled, the Status column shows Disabled.

Resume HSMs

By resuming an HSM, you can re-enable the business features of a disabled HSM.

  1. On the VSMs page, locate the desired HSM and click Enable in the Actions column.

  2. In the pop-up dialog box, click Enable again. After the HSM is resumed, the Status column shows Enabled.

Reset HSMs

After disabling an HSM, you can reset it to restore it to the factory defaults, which is the uninitialized state.

Warning

Resetting will clear the data in the HSM and restore it to the factory defaults. Proceed with caution.

  1. On the VSMs page, locate the desired HSM and click Reset in the Actions column.

  2. In the pop-up dialog box, click Reset again.