This article describes how to configure NSX Advanced Load Balancer to use the key generation and encryption/decryption services provided by Thales Luna Network HSM. This enables use of Thales Luna Network HSM to store keys associated with SSL/TLS resources configured on a virtual service.

Integration Support

NSX Advanced Load Balancer can be configured to support a cluster of HSM devices in high availability (HA) mode. NSX Advanced Load Balancer support of HSM devices requires installation of the user’s Thales Luna Client Software bundle, which can be downloaded from the Thales website.

By default, NSX Advanced Load Balancer Controller and Service Engines use their respective management interfaces for HSM communication. On CSP, NSX Advanced Load Balancer supports the use of a dedicated Service Engine data interface for HSM interaction. Also, on the CSP platform, you can use dedicated Controller interface for HSM communication.

The user may choose to create the HSM group in the admin tenant with all the Service Engines spread across multiple tenants. This way, HSM can be enabled on a per-SE-group basis by attaching the HSM group to the corresponding SE group. In this mode, the configuration to choose between a dedicated interface and a management interface for HSM communication is done in the admin tenant; all other tenants are forced to use that configuration.

Alternatively, you can create HSM groups in their respective tenants. The configuration choice of a dedicated or management interface for HSM communication is determined at the tenant level. In this mode, Controller IPs can overlap in every HSM group. Internally, the certificate for these overlapping clients is created once and reused for any subsequent HSM group creation.

Prerequisites

Before using NSX Advanced Load Balancer with Thales Luna Network HSM, the following are required:

  • Thales Luna devices are installed on your network.

  • Thales Luna devices are reachable from the NSX Advanced Load Balancer Controller and Service Engines.

  • Thales Luna devices must have a virtual HSM partition defined before installing the client software. Clients are associated with a unique partition on the HSM. These partitions should be pre-created on all the HSMs that will be configured in HA/non-HA mode. Also note that the password to access these partitions should be the same across the partitions on all HSM devices.

  • Server certificates for Thales Luna devices are available for creating the HSM Group in NSX Advanced Load Balancer Controller for mutual authentication.

  • Each NSX Advanced Load Balancer Controller and Service Engine must:

    • Have the client license from Thales Luna to access the HSM.

    • Be able to reach the HSM at ports 22 and 1792 through Controller management or Controller dedicated and Service Engine management or Service Engine dedicated management interface.

Download

You need to download the following:

  • Thales Luna Network HSM client software

  • Thales Luna Network HSM customer documentation

HSM Group Updates

After creation, update or deletion of an HSM group requires reloading of a new Thales Luna configuration, which can only be achieved by restarting the Service Engines. Restart of Service Engines temporarily disrupts traffic.