After using the above steps to install the Thales Luna software bundle onto the NSX Advanced Load Balancer Controller, the Controller may be configured to secure virtual services with HSM certificates. Follow the detailed steps below:

Step 1: Create the HSM Group and Add the HSM Devices to It

To begin, use the following commands on the Controller bash shell to fetch the server certificates of the HSM appliances. The example below fetches the certificates from two servers, 1.1.1.11 and 1.1.1.13.

username@avi:~$ sudo scp admin@1.1.1.11:server.pem hsmserver11.pem
username@avi:~$ sudo scp admin@1.1.1.13:server.pem hsmserver13.pem

The contents of these certificates are used when creating the HSM Group. NSX Advanced Load Balancer supports trusted authentication for all nodes in the system: the IP addresses of the Controller(s) and Service Engine(s) that will interact with the HSM are supplied in the HSM Group editor, using the options described below. The Thales Luna server certificates can also be provided by the security team managing the Thales Luna appliances. In either case, having access to these certificates is a prerequisite for creating any HSM configuration in NSX Advanced Load Balancer.

By default, SEs use the management network to interact with the HSM. On CSP, NSX Advanced Load Balancer also supports the use of a dedicated network for HSM interaction. Also, on the CSP platform, you can use a dedicated interface on the Controllers for HSM communication.

To create the HSM group from the GUI, follow the steps below:

  • Switch to the desired tenant and navigate to Templates > Security > HSM Groups.

  • Click Create and provide a suitable name.

  • Set Type to SafeNet Luna.

  • Specify the IP addresses of the desired Thales Luna appliances and the respective server certificates obtained previously. Multiple HSMs may be included in the group via the green Add Additional HSM button.

The Password and partition Serial Number fields (as shown in the screenshot of the NSX Advanced Load Balancer UI below) can be populated if the respective HSM partition passwords are available at this stage. Otherwise, this has to be done after the client registration step below.

Note:
  • If any dedicated SE or Controller interfaces have been configured for HSM communication, check the Dedicated Interface box and verify that the IPs listed are those of the desired dedicated interfaces on the Service Engines and/or Controllers. The UI allows changing the IP addresses if this is not the case.

  • All NSX Advanced Load Balancer Controllers and all Service Engines associated with the SE group must have at least one IP address in the list to ensure access to the HSMs. This step is extremely important because Thales Luna appliances will not allow communications from unregistered client IP addresses. Click Save once all client IP addresses have been verified.

Step 2: Register the Client with HSM Devices for Mutual Authentication

The clients in this case are the NSX Advanced Load Balancer Controllers and Service Engines, and the generated client certificates need to be registered with the Thales Luna appliances for mutual authentication. This can be done directly, per steps 3 and 4 below, or by sending the client certificates to the security team managing the HSM appliances.

Follow the steps below:

  1. The icon next to the Edit icon leads to a page from which the generated client certificates can be downloaded.

  2. After download, save the certificate as a .pem file named after the client IP address. In this example, the certificate must be saved as 10.160.100.220.pem before copying it to the HSM with scp.

    scp 10.160.100.220.pem admin@1.1.1.11:

  3. Register the client on the HSM.

    username@avi:~$ ssh admin@1.1.1.11
    admin@1.1.1.11's password:
    Last login: Thu May 12 19:52:00 2016 from 12.97.16.194
    Luna SA 7.3.3-7 Command Line Shell - Copyright (c) 2001-2014 SafeNet, Inc. All rights reserved.
    [1.1.1.11] lunash: client register -c 10.160.100.220 -i 10.160.100.220
    'client register' successful.
    Command Result : 0 (Success)
    [1.1.1.11] lunash: client assignPartition -c 10.160.100.220 -p par43
    'client assignPartition' successful.
    Command Result : 0 (Success)
    [1.1.1.11] lunash: exit

  4. Repeat the registration above (copying the client certificate and registering the client) for all HSM devices. Perform the next steps, which verify the registration, only after all client certificates are registered on all HSM appliances configured above. First ensure the (partition) password is populated in the HSM group by editing it.

  5. On the NSX Advanced Load Balancer Controller bash shell, the application ID must be opened before the Controller and its Service Engines can communicate with the HSM. This is done using the following command, which is automatically replicated to each NSX Advanced Load Balancer Controller in the cluster. If HSM groups were created in different tenants, the safenet.py script takes an optional -t [TENANT_NAME] argument; alternatively, the default admin tenant can be provided as the argument value. Verify that the application ID opens successfully, as in the output below.

    username@avi:~$ /opt/avi/scripts/safenet.py -p [HSM-GROUP] -i [CLIENT IP OF CONTROLLER REGISTERED WITH HSM] -t [TENANT_NAME] -c "/etc/luna/bin/sautil -v -s 1 -i 1792:1793 -o -p my_partition_password"
    Copyright (C) 2009 SafeNet, Inc. All rights reserved.
    sautil is the property of SafeNet, Inc. and is provided to our customers for
    the purpose of diagnostic and development only.  Any re-distribution of this
    program in whole or in part is a violation of the license agreement.
    Config file: /etc/Chrystoki.conf.
    Will use application ID [1792:1793].
    Application ID [1792:1793] opened.
    Open ok.
    Session opened. Handle 1
    HSM Slot Number is 1.
    HSM Label is "ha1                             ".
    WARNING: Application Id 1792:1793 has been opened for access. Thus access will
    remain open until all sessions associated with this Application Id are
    closed or until the access is explicitly closed.
Note:

In the step above, if an error message appears stating that the application ID is already open, close it using the following command (sautil -c instead of -o) and then reopen it.

username@avi:~$ /opt/avi/scripts/safenet.py -p [HSM-GROUP] -i [CLIENT IP OF CONTROLLER REGISTERED WITH HSM] -t [TENANT_NAME] -c "/etc/luna/bin/sautil -v -s 1 -i 1792:1793 -c -p my_partition_password"
Copyright (C) 2009 SafeNet, Inc. All rights reserved.
sautil is the property of SafeNet, Inc. and is provided to our customers for
the purpose of diagnostic and development only.  Any re-distribution of this
program in whole or in part is a violation of the license agreement.
Config file: /etc/Chrystoki.conf.
Close ok.

Step 3: Setting Up HA Across HSM Devices (optional)

NSX Advanced Load Balancer automates the configuration of HA across HSM devices. Before configuring HA, ensure that the clients are registered with the HSM using the listSlots command. This command provides details about the HSM devices to be set up; the partition serial numbers in its output are needed to set up HA across these devices.

Verify that the partition serial numbers listed below match the ones set up on the Thales Luna appliances or the ones provided by the security team. They should also match the configuration in the HSM group object. Internally, the serial number is used to configure HA if the client is registered on more than one partition on the HSM.

username@avi:~$ /opt/avi/scripts/safenet.py -p [HSM-GROUP] -i [CLIENT IP OF CONTROLLER REGISTERED WITH HSM] -t [TENANT_NAME] -c "/usr/safenet/lunaclient/bin/vtl listSlots"

Number of slots: 5

The following slots were found:

Slot #         Description                    Label             Serial #     Status
========= ==================== =============================== ========== ============
slot #1   LunaNet Slot         par43                           156908040  Present
slot #2   LunaNet Slot         par40                           156936072  Present
slot #3   -                    -                               -          Not present
slot #4   -                    -                               -          Not present
slot #5   -                    -                               -          Not present

HA can be enabled from the CLI as follows, after switching to the appropriate tenant if required.

[username:avi]: > switchto tenant [TENANT_NAME]
[username:avi]: > configure hardwaresecuritymodulegroup safenet-network-hsm-1
[username:avi]: hardwaresecuritymodulegroup> hsm type hsm_type_safenet_luna
[username:avi]: hardwaresecuritymodulegroup:hsm> sluna
[username:avi]: hardwaresecuritymodulegroup:hsm:sluna> is_ha
[username:avi]: hardwaresecuritymodulegroup:hsm:sluna> save
[username:avi]: hardwaresecuritymodulegroup:hsm> save
[username:avi]: hardwaresecuritymodulegroup> save

Alternatively, this can be done in the web interface by editing the HSM group and selecting the ‘Enable HA’ check box. This option is available only when editing an HSM group with more than one server.

Once HA is set up, verify the output of the listSlots command to ensure the “avi_group” virtual card slot is configured.

username@avi:~$ /opt/avi/scripts/safenet.py -p [HSM-GROUP] -i [CLIENT IP OF CONTROLLER REGISTERED WITH HSM] -t [TENANT_NAME] -c "/usr/safenet/lunaclient/bin/vtl listSlots"

Number of slots: 1

The following slots were found:

Slot #          Description                 Label               Serial #     Status
========= ==================== =============================== ========== ============
slot #1   HA Virtual Card Slot avi_group                       1529532014 Present
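The serial-number check in Step 3 and the HA verification above, as an added example that is not part of the original page or of the safenet.py tooling: a small parser for the vtl listSlots table that compares the Present partitions against the label/serial pairs entered in the HSM group object and confirms that the avi_group HA virtual card slot is present. The two sample outputs are constructed from the tables shown above.

```python
import re

# Constructed samples modelled on the vtl listSlots output shown in Step 3 (the
# serials are the ones printed on this page): per-partition slots before HA is
# enabled, then the single HA virtual card slot seen after HA is enabled.
LISTSLOTS_BEFORE_HA = """\
Slot #         Description                    Label             Serial #     Status
========= ==================== =============================== ========== ============
slot #1   LunaNet Slot         par43                           156908040  Present
slot #2   LunaNet Slot         par40                           156936072  Present
slot #3   -                    -                               -          Not present
"""
LISTSLOTS_AFTER_HA = """\
Slot #          Description                 Label               Serial #     Status
========= ==================== =============================== ========== ============
slot #1   HA Virtual Card Slot avi_group                       1529532014 Present
"""

# One table row. The description may contain spaces ("HA Virtual Card Slot"),
# so label, serial and status are anchored from the right-hand end of the line.
SLOT_RE = re.compile(
    r"^slot #(?P<num>\d+)\s+(?P<desc>.+?)\s+(?P<label>\S+)\s+(?P<serial>\S+)"
    r"\s+(?P<status>Present|Not present)\s*$"
)

def parse_list_slots(output):
    """Return one dict (num, desc, label, serial, status) per slot row."""
    rows = [SLOT_RE.match(line.rstrip()) for line in output.splitlines()]
    return [m.groupdict() for m in rows if m]

def present_partitions(output):
    """Map partition label -> serial for every slot whose status is Present."""
    return {r["label"]: r["serial"] for r in parse_list_slots(output)
            if r["status"] == "Present"}

def check_hsm_group_serials(output, expected):
    """expected maps partition label -> serial as entered in the HSM group object.
    Returns (missing_labels, mismatched_labels); both empty means the client is
    registered on every expected partition with the expected serial number."""
    found = present_partitions(output)
    missing = sorted(label for label in expected if label not in found)
    mismatched = sorted(label for label, serial in expected.items()
                        if label in found and found[label] != serial)
    return missing, mismatched

def ha_slot_ready(output, group_label="avi_group"):
    """True once listSlots shows the HA virtual card slot for the group as Present."""
    return any(r["label"] == group_label and r["desc"] == "HA Virtual Card Slot"
               and r["status"] == "Present" for r in parse_list_slots(output))
```

Feed it the real output of the safenet.py listSlots command and the label/serial pairs from your HSM group; a non-empty missing or mismatched list means a client registration or HSM group entry needs to be corrected before enabling HA.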

Step 4: Associate the HSM Group with an SE Group

The HSM group must be added to the SE group that will be used by the virtual service.

  • Switch to the appropriate tenant and navigate to Infrastructure > Cloud > Default-Cloud > Service Engine Group.

  • Bring up the Service Engine group editor for the desired Service Engine group.

  • Click the Advanced tab.

  • Select the desired HSM group from the pulldown.

  • Click Save.

This can also be configured from the CLI shell; the HSM group name is given as the placeholder [HSM-GROUP] here:

[username:avi]: > switchto tenant [TENANT_NAME]
[username:avi]: > configure serviceenginegroup [SE-GROUP]
[username:avi]: serviceenginegroup> hardwaresecuritymodulegroup_ref [HSM-GROUP]
[username:avi]: serviceenginegroup> save

Step 5: Add the Application Certificates and Keys

Create Application Certificate and Keys

The Controller is set up as a client of the HSM and can be used to create keys and certificates on the HSM. Both RSA and EC key/certificate creation are supported.

Use a browser to navigate to the Avi Controller’s management IP address. If NSX Advanced Load Balancer is deployed as a 3-node Controller cluster, navigate to the management IP address of the cluster. Use this procedure to create keys and certificates. The creation process is the same as for any other key/certificate; for a key/certificate bound to the HSM, select the HSM group while creating the object. The picture below illustrates the creation of a self-signed certificate bound to an HSM group.

  • Navigate to Templates > Security > SSL/TLS Certificates.

  • Click Create > Application Certificate.

Note:

The HSM group t2-avihsm2 is selected; this is the HSM group that was created earlier. Clicking the Save button creates the self-signed EC certificate on the HSM provided in t2-avihsm2.

Import Application Certificate and Keys

Use a browser to navigate to the NSX Advanced Load Balancer Controller’s management IP address. If NSX Advanced Load Balancer is deployed as a 3-node Controller cluster, navigate to the management IP address of the cluster. Use this procedure to import the private keys created using the Thales Luna cmu/sautil utilities, and the associated certificates.

  • Navigate to Templates > Security > SSL/TLS Certificates.

  • Click Create > Application Certificate.

  • Specify the name for the certificate definition.

  • Click Import.

  • Prepare to import the private key for the server certificate.

    • Above the Key field, in the Certificate Information section, select Paste text (to copy-and-paste the key text directly in the web interface) or Upload File.

    • If the key file is secured by a passphrase, enter it in the Key Passphrase field.

    • Paste the key file (if copy-and-pasting) or navigate to the location of the file (if uploading).

  • Prepare to import the server certificate:

    • Above the Certificate field, select Paste text or Upload File.

    • Paste the certificate (if copy-and-pasting) or navigate to the location of the certificate file (if uploading).

  • Click Validate. NSX Advanced Load Balancer checks the key and certificate files to ensure they are valid.

Step 6: Enable HSM Support on a Virtual Service

  • In the Controller web management interface, navigate to Applications > Virtual Services.

  • Click New or Edit.

  • If configuring a new virtual service, specify the name of the VIP.

  • Select the HSM certificate from the SSL Certificate drop-down list.

  • Specify the virtual service name and VIP address.

  • In the Service Port section, enable SSL.

  • Click Advanced. On the Advanced page, select the SE group to which the HSM group was added.

  • Click Save.

The virtual service is now ready to handle SSL/TLS traffic using the encryption/decryption services of the Thales Luna Network HSM device.