After successfully deploying a USB HSM manager appliance and blockchain with USB_HSM as the secure store type, you can clone the USB HSM device.

Prerequisites

  • Verify that you have deployed a USB HSM manager appliance and blockchain with USB_HSM as the secure store type. See Deploy a USB HSM Manager Appliance on vSphere.

  • Identify a separate ESXi host which has not been used for a blockchain deployment to deploy the USB HSM Manager appliance for cloning.

Procedure

  1. Locate the VMware Blockchain OVA file on the VMware download portal.
  2. Navigate to the usb-hsm-manager-appliance.ova file.
  3. In the vSphere Client, select the host or host cluster on which to install VMware Blockchain.
  4. Right-click and select Deploy OVA Template to start the installation wizard.
  5. Enter the download OVA URL or navigate to the OVA file and click Next.
  6. Enter a name and a location for the USB HSM VM, and click Next.

    The VM name you enter appears in the vSphere and vCenter Server inventory.

    Note:

    Note the USB HSM VM name. This VM name is required to configure the USB HSM manager on the vCenter Server.

  7. Assign the USB HSM VM compute resource within the data center.
  8. Review and verify the OVA template details and click Next.
  9. Allocate the Datastore Default storage from the drop-down menu and click Next.
  10. Accept the default VM Network configuration settings for the source and destination network and click Next.
  11. Set a unique password for the root user account.
  12. Set a unique password for the initial VMware Blockchain user account.

    Your passwords must comply with the password strength restrictions.

    • At least 12 characters

    • At least one lower-case letter

    • At least one upper-case letter

    • At least one digit

    • At least one special character

    • At least five different characters

  13. Configure the network properties and click Next.

    • Host Name: Enter the USB HSM VM host name. The default host name localhost is assigned if you do not specify a host name.

      Note: Make sure that the appliance host name does not contain any underscores.

    • Network IP Address: Enter the IPV4 interface address, which is the appliance static IP address. A DHCP IP address is assigned when you leave this option blank.

      Note: After entering the network IP address, you must populate the network prefix, default IPV4 gateway, and domain name server information.

    • Network Prefix: Enter the network prefix for the interface. The prefix range is between 0 and 24.

    • Default IPV4 Gateway: Enter the default IPV4 gateway for the interface.

    • Domain Name Server: Enter the IPV4 addresses for the domain name server. Each IP address must be separated by one space.

    • Clone USB HSM: Select the option to create a clone USB HSM VM.

      Note: Deploy the USB HSM manager appliance for cloning on a different ESXi host.

  14. Validate that your custom OVA specification is accurate, and click Finish to initiate the deployment.
  15. After successful deployment, you can power on the USB HSM VM.
  16. Note the VM IP address of the newly deployed appliance.
  17. Power on the USB HSM manager appliance.
  18. Share the USB HSM manager appliance credentials with the HSM manager.
    curl --location --request POST '10.115.43.75:9798/api/hsm-manager/vcenter/credential/' \
    --data-raw '{
        "url": "10.115.43.10",
        "username": "<username>",
        "password": "<password>",
        "usbHsmVmName": "usb-hsm-manager-new"
    }'
    • url is the URL or IP address of the vCenter Server that contains the USB HSM manager appliance.

    • username and password are the vCenter Server login credentials.

    • usbHsmVmName is the USB HSM manager appliance name you configured during installation.

    Note:

    You must rerun the API command if any of the listed parameter values are updated.

    When the API is successfully configured, the message Successfully received vCenter Credential appears.

  19. Verify that the Replica and Client nodes are running properly.

    See Validate a Replica Node in VMware Blockchain Orchestrator on vSphere and Validate a Client Node and Backup in VMware Blockchain Orchestrator for vSphere.

    Note:

    You must check the node status before configuring the infrastructure and deployment descriptor files.

  20. Power on the USB HSM VM.
  21. (Optional) Troubleshoot USB HSM VM, manager, or device error messages.
    • The USB HSM VM operation details are available in the Wavefront analytics platform.

    • The USB HSM manager Docker container logs are available within the USB HSM manager appliance.

    • If the YubiHSM USB HSM device shows error messages, refer to the vendor site for the error message description.

  22. Unplug the USB HSM device from the ESXi host with the blockchain deployment and plug it into the ESXi host where the USB HSM manager appliance for cloning is deployed and running.

    The cloned USB HSM manager appliance has a Docker container capable of communicating with the USB HSM.

  23. Follow the vendor's USB HSM device backup and restore procedure to create clone copies of the USB HSM device.

    See https://developers.yubico.com/YubiHSM2/Backup_and_Restore/
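
The password rules in steps 11 and 12 and the network property rules in step 13 can be checked before you click Finish in step 14. The following Python check is an added example, not VMware code; the dictionary key names and the reading of "special character" as ASCII punctuation are assumptions.

```python
import ipaddress
import string

def check_password(pw):
    """Return the password rules from steps 11-12 that pw violates."""
    rules = [
        (len(pw) >= 12, "at least 12 characters"),
        (any(c.islower() for c in pw), "at least one lower-case letter"),
        (any(c.isupper() for c in pw), "at least one upper-case letter"),
        (any(c.isdigit() for c in pw), "at least one digit"),
        # Assumption: "special character" means ASCII punctuation.
        (any(c in string.punctuation for c in pw), "at least one special character"),
        (len(set(pw)) >= 5, "at least five different characters"),
    ]
    return [msg for ok, msg in rules if not ok]

def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def check_network(props):
    """Return violations of the step 13 rules; key names are hypothetical."""
    errors = []
    if "_" in props.get("host_name", ""):
        errors.append("host name must not contain underscores")
    ip = props.get("ip_address", "")
    if not ip:
        return errors  # blank address means DHCP, so the static fields are not needed
    if not _is_ipv4(ip):
        errors.append("network IP address is not a valid IPv4 address")
    prefix = props.get("prefix", "")
    if not (prefix.isdecimal() and 0 <= int(prefix) <= 24):
        errors.append("network prefix must be between 0 and 24")
    if not _is_ipv4(props.get("gateway", "")):
        errors.append("default IPv4 gateway is missing or invalid")
    dns = props.get("dns", "")
    # split(" ") keeps empty entries, so a double space or a comma is rejected
    if not dns or not all(_is_ipv4(s) for s in dns.split(" ")):
        errors.append("DNS servers must be IPv4 addresses separated by one space")
    return errors

if __name__ == "__main__":
    # Constructed sample values (192.0.2.0/24 is a documentation range).
    sample = {"host_name": "usb_hsm_clone", "ip_address": "192.0.2.10",
              "prefix": "28", "gateway": "192.0.2.1", "dns": "192.0.2.53,192.0.2.54"}
    print(check_password("Aa1!Aa1!Aa1!"))
    print(check_network(sample))
```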

What to do next

Configure the infrastructure and deployment descriptor files to deploy the VMware Blockchain nodes. See Configuring the Infrastructure Descriptor Parameters on vSphere, Configuring the Deployment Descriptor Parameters on vSphere, and Deploy VMware Blockchain Nodes Using VMware Blockchain Orchestrator on vSphere.