{"id":62,"date":"2014-06-29T18:23:57","date_gmt":"2014-06-29T18:23:57","guid":{"rendered":"http:\/\/credelius.com\/credelius\/?p=62"},"modified":"2014-06-29T18:39:38","modified_gmt":"2014-06-29T18:39:38","slug":"cloud-hsm-automation-part-2","status":"publish","type":"post","link":"https:\/\/credelius.com\/credelius\/?p=62","title":{"rendered":"Cloud HSM Automation – Part 2"},"content":{"rendered":"

Why would you need HA<\/b><\/p>\n

While the previous Cloud HSM article<\/a> was mostly covering “Why Cloud HSM is Important” topics, this one describes technical details about how<\/b> Luna HA (High Availability ) cluster<\/a> can be built in a cloud and provides links to scripts that could help automating and codifying a rather complicated Luna’s setup process.<\/p>\n

It’s obvious that when you build an HA system with subsystems that rely heavily on cryptographic services built around Luna, you need to put latter to the same HA category. That’s why a single Luna appliance is not usually sufficient and you need an array (or cluster) of HSM’s that look and behave as a single one from a client’s point of view.<\/p>\n

The first few chapters of this document cover manual Luna and Luna array configuration topics, while “Setup Automation” section describes a command line tool that allows automating the whole process by creating a JSON configuration file and running a Python script. You do need to go through manual setup topics if you didn’t have a prior experience with configuring Luna, otherwise it could be very difficult to understand how to create the JSON file and troubleshoot possible issues.<\/p>\n

Provisioning<\/b><\/p>\n

Unfortunately, there is no way to deploy a Luna device to a cloud in the same automated manner (e.g. through CloudFormation<\/a>) as other pieces of AWS infrastructure. There is a well documented\u00a0 manual process for that, which is not very difficult to follow,\u00a0 but it’s still manual. The process is described here<\/a>.<\/p>\n

The two important things that are worth mentioning are the facts that you’ll need a VPC<\/a> to deploy a Luna appliance and that you’ll need at least two devices to create an HA array.<\/p>\n

After the appliances are provisioned to a VPC, you’ll be given managers passwords that could be used to connect to the devices remotely and perform all necessary configuration jobs.<\/p>\n

Configuring Luna Servers<\/b><\/p>\n

You’ll need to login to a Luna device using SSH from a client machine to perform a configuration job. I would strongly recommend to enable key based authentication on a Luna device, because most likely you’ll need to SSH to the device many times before you’re done with configuration and verification:<\/p>\n

scp <public-cert-file-name> manager@<luna-ip>:.<\/p>\n

ssh manager@<luna-ip><\/p>\n

sysc ssh pu esysc ssh pu a -f <public-cert-file-name>\u00a0 \u00a0<\/b><\/p>\n

where <public-cert-file-name> is a public certificate generated by a ‘ssh-keygen’ command on a client machine.<\/p>\n

The following high level manual steps are required to configure a Luna server:<\/p>\n

    \n
  1. ‘hsm init’ command to initialize the device<\/li>\n
  2. ‘sysconf re’ command to regenerate server side certificates<\/li>\n
  3. ‘ntls bind’ command to restart Luna’s network interfaces<\/li>\n
  4. ‘hsm login’ to as admin to Luna<\/li>\n
  5. ‘par cr …’ to create a partition<\/li>\n
  6. ‘c reg …’ to register client<\/li>\n
  7. ‘c a …’ to assign a partition to a client<\/li>\n<\/ol>\n

    The Luna configuration process is described in details here<\/a>.<\/p>\n

    Configuring Luna Clients<\/b><\/p>\n

    This one is interesting and requires some re-thinking because of differences introduced by AWS’ auto scaling groups (ASG<\/a>). In a traditional ‘static’ environment each client would require a unique client certificate and an IP (or client’s host name) to be registered on a Luna server. Since EC2 instances can randomly go up and down in ASG that approach would be difficult to implement. Fortunately, there is a way around that allows sharing a single client’s certificate for the whole ASG.<\/p>\n

    The first step in configuring clients is to download and install Luna’s client tools and libraries\u00a0 that are available for free:<\/p>\n