AWS CloudHSM helps you meet corporate, contractual and regulatory compliance requirements for data
security by using dedicated HSM appliances within the AWS cloud. AWS and AWS Marketplace partners
offer a variety of solutions for protecting sensitive data within the AWS platform, but additional protection
is necessary for some applications and data that are subject to strict contractual or regulatory requirements
for managing cryptographic keys.
Until now, your only options were to maintain the sensitive data or the encryption keys protecting the
sensitive data in your on-premises data centers. However, those options either prevented you from
migrating these applications to the cloud or significantly slowed application performance. AWS CloudHSM
allows you to protect your encryption keys within HSMs that are designed and validated to government
standards for secure key management. You can securely generate, store, and manage the cryptographic
keys used for data encryption in a way that ensures that only you have access to the keys. AWS CloudHSM
helps you comply with strict key management requirements within the AWS cloud without sacrificing
application performance.
AWS CloudHSM works with Amazon Virtual Private Cloud (Amazon VPC). HSM appliances are provisioned
inside your VPC with an IP address that you specify, providing simple and private network connectivity
to your EC2 instances. Placing HSM appliances near your EC2 instances decreases network latency,
which can improve application performance. Your HSM appliances are dedicated exclusively to you and
are isolated from other AWS customers. Available in multiple regions and Availability Zones, AWS
CloudHSM can be used to build highly available and durable applications.
For more information on Amazon VPC, see What Is VPC? in the Amazon Virtual Private Cloud User
Guide.
Important
AWS strongly recommends that you use two or more HSM appliances in a high availability (HA)
configuration. The failure of a single HSM appliance in a non-HA configuration can result in the
permanent loss of keys and data. For information about how to set up a high availability
configuration, go to Configuring High Availability and Load Balancing (p. 21).
1. If you have an AWS account already, skip to the next step. If you don't have an AWS account, use
the following procedure to create one.
Part of the sign-up process involves receiving a phone call and entering a PIN using the phone
keypad. AWS notifies you by email when your account is active and available for you to use.
2. Sign up for AWS CloudHSM by clicking Contact Us on the AWS CloudHSM page, completing the
form, and selecting Start service or Try the service. The AWS CloudHSM team will contact you
with further instructions.
3. In the meantime, complete the steps below to create a VPC and security group rules, and collect the
information that is required by AWS to provision your AWS CloudHSM service. You can do this
automatically, using AWS CloudFormation (p. 3), or you can do it manually (p. 6).
3. Subnets are created as follows: one subnet that is publicly accessible, and one private subnet per
Availability Zone. For example:
For regions that have three Availability Zones, four VPC subnets are created: one publicly accessible
subnet (3a) and three private subnets (3b, 3c, and 3d).
For regions that have two Availability Zones, three subnets are created: one publicly accessible
subnet (3a) and two private subnets (3c and 3d).
Note
The AWS CloudHSM team provisions an HSM appliance into the private subnet, to isolate it
from the rest of the Internet.
4. Security groups that allow both SSH into the public subnet from the Internet, and SSH and NTLS into
the private subnet from the public subnet.
5. An Elastic IP address for the EC2 instance.
Also included are the IAM role needed for the AWS CloudHSM provisioning process, as well as IAM
credentials used to send an SNS notification of your stack's configuration to the AWS CloudHSM team.
1. If you have not already done so, sign up for AWS CloudFormation. For more information, see Getting
Started with AWS CloudFormation in the AWS CloudFormation User Guide.
2. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
3. Select CloudFormation.
4. Click Create Stack. Give the stack a meaningful name, such as AWS CloudHSM environment.
5. Select Provide a Template URL, and type
http://cloudhsm.s3.amazonaws.com/cloudhsm-quickstart.json, then click Continue.
6. In KeyName, provide the name of an existing Amazon EC2 key pair and check I acknowledge that
this template may create IAM resources.
7. Add any tags you want to apply to the stack, then click Continue.
8. When the EC2 instance boots, it creates data about your stack's configuration settings, such as the
private subnet ID and the IAM role ARN created for AWS CloudHSM.
9. Click your stack in the AWS CloudFormation console. This shows you the stack detail pane.
In the detail pane, click the Outputs tab to view the outputs associated with your stack. For more
information about stacks, see Viewing the Outputs of an AWS CloudFormation Stack in the AWS
CloudFormation User Guide.
10. Make note of the stack outputs, as you must provide these to the AWS CloudHSM team. After your
HSM appliance has been provisioned, you can configure the EC2 instance to connect to AWS
CloudHSM by following the instructions in Configuring Your HSM Client (p. 14).
11. You can now proceed to Getting Set Up with AWS CloudHSM (p. 10).
Note
These steps are not necessary if you have completed the steps in Automatically Setting Up Your
AWS CloudHSM Environment Using AWS CloudFormation (p. 3).
1. In the Amazon VPC console, create a VPC, set up the VPC and Internet gateway, and set up a
security group. You must choose one of the following regions that currently support AWS CloudHSM:
us-east-1
eu-west-1
us-west-2
ap-southeast-2
For more information, see Getting Started with Amazon VPC in the Amazon Virtual Private Cloud
Getting Started Guide.
2. After setting up a security group but before you launch an instance, complete the following additional
steps.
3. In the NETWORK & SECURITY section of the navigation pane, select Security Groups, then select
the security group that you created for your VPC.
4. Create an RDP rule for inbound traffic. If you connect to your VPC via Windows Remote Desktop
Protocol (RDP):
   a. On the Inbound tab, in the Create a new rule: list, select RDP. Type the source IP address
   range of the sites from which you will connect to your VPC, so that connections are only allowed
   from your site. This opens port 3389, which is required if you are connecting to your instance
   via Windows using RDP.
   b. Click Add Rule, then click Apply Rule Changes.
5. Create an SSH rule for inbound traffic. If you connect to your VPC via SSH:
   a. On the Inbound tab, in the Create a new rule: list, select SSH, then enter the source IP address
   range of the sites from which you will connect to your VPC, so that connections are only allowed
   from your site. This opens port 22, so you can open a terminal connection to your VPC.
   b. Click Add Rule, then click Apply Rule Changes.
6. Create the rules that let your instance reach the HSM appliance over NTLS (port 1792) and SSH:
   a. On the Inbound tab, in the Create a new rule: list, select Custom TCP rule. In the Port range:
   box, type 1792. In the Destination: box, type the IP address of your VPC subnet (for example,
   10.0.0.0/16). This opens port 1792, which allows access via your VPC subnet.
   b. On the Outbound tab, in the Create a new rule: list, select SSH. In the Destination: box, type
   the IP address of your VPC subnet. This opens port 22, so you can open an SSH terminal
   connection to the HSM appliance.
   Click Add Rule, then click Apply Rule Changes.
   c. On the Outbound tab, in the Create a new rule: list, select Custom TCP rule. In the Port
   range: box, type 1792. In the Destination: box, type the IP address of your VPC subnet. This
   opens port 1792, which allows access via your VPC subnet.
Note
The security group rules provided here are the minimum set of rules that you need to get started
with the AWS CloudHSM service. For production deployments, you should define appropriate
rules to constrain network traffic according to your security policies and best practices.
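As an added example (not part of this guide), the following Python checks a constructed security group rule set against the minimum rules described above: SSH and RDP inbound only from your site's address range, and SSH and NTLS (TCP 1792) outbound only to the VPC subnet. The rule dictionaries, the CIDR values and the check_rules function are assumptions of this example, not the EC2 API's own representation.

```python
# Added example: check a security group's rules against the minimum set this
# guide describes. The rule dicts, CIDR values and function names are constructed
# for the example and are not the EC2 API's representation.

NTLS_PORT = 1792                 # Luna SA NTLS port used by the HSM client
ADMIN_CIDR = "203.0.113.0/24"    # constructed: address range of "your site"
VPC_CIDR = "10.0.0.0/16"         # VPC subnet, as in the guide's example

# Constructed rule set for an instance security group. It contains the two
# mistakes the guide warns against: SSH open to the Internet and NTLS not
# limited to the VPC subnet.
SAMPLE_RULES = [
    {"direction": "inbound",  "proto": "tcp", "port": 22,        "cidr": "0.0.0.0/0"},
    {"direction": "inbound",  "proto": "tcp", "port": 3389,      "cidr": ADMIN_CIDR},
    {"direction": "outbound", "proto": "tcp", "port": 22,        "cidr": VPC_CIDR},
    {"direction": "outbound", "proto": "tcp", "port": NTLS_PORT, "cidr": "0.0.0.0/0"},
]

# The same rule set with both findings corrected.
CORRECTED_RULES = [
    {"direction": "inbound",  "proto": "tcp", "port": 22,        "cidr": ADMIN_CIDR},
    {"direction": "inbound",  "proto": "tcp", "port": 3389,      "cidr": ADMIN_CIDR},
    {"direction": "outbound", "proto": "tcp", "port": 22,        "cidr": VPC_CIDR},
    {"direction": "outbound", "proto": "tcp", "port": NTLS_PORT, "cidr": VPC_CIDR},
]

# Administrative access into the instance (restricted to your site) and
# access from the instance to the HSM appliance (restricted to the VPC subnet).
ADMIN_PORTS = {("inbound", 22), ("inbound", 3389)}
HSM_PORTS = {("outbound", 22), ("outbound", NTLS_PORT)}


def check_rules(rules, admin_cidrs, vpc_cidr, windows=False):
    """Return a list of findings; an empty list means the guide's minimum is met
    and every rule is scoped the way the guide describes."""
    required = {("inbound", 22), ("outbound", 22), ("outbound", NTLS_PORT)}
    if windows:                       # RDP is only needed for Windows instances
        required.add(("inbound", 3389))
    tcp_rules = [r for r in rules if r["proto"] == "tcp"]
    present = {(r["direction"], r["port"]) for r in tcp_rules}
    findings = [f"missing {d} tcp/{p} rule" for d, p in sorted(required - present)]
    for r in tcp_rules:
        key = (r["direction"], r["port"])
        if key in ADMIN_PORTS and r["cidr"] not in admin_cidrs:
            findings.append(f"{key[0]} tcp/{key[1]} allowed from {r['cidr']}; "
                            "restrict it to your site's address range")
        elif key in HSM_PORTS and r["cidr"] != vpc_cidr:
            findings.append(f"{key[0]} tcp/{key[1]} allowed to {r['cidr']}; "
                            f"limit it to the VPC subnet {vpc_cidr}")
    return findings


if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("corrected", CORRECTED_RULES)):
        print(name, check_rules(rules, {ADMIN_CIDR}, VPC_CIDR, windows=True) or "ok")
```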
5. Under Select Role Type, select AWS Service Roles, and then click Select next to AWS CloudHSM.
6. Review the policy statement to confirm that you are granting permission to the AWS CloudHSM
service to perform the actions listed. These actions are required in order for the AWS CloudHSM
service to attach an ENI in your VPC. After reviewing and accepting the policy and permissions, click
Continue.
8. In the IAM console, select the role you just created, then select the Summary tab. Verify that the
information is correct, then note the role ARN to provide to AWS later.
9. To find your External ID, from the AWS Management Console dashboard, select IAM, then Roles.
Select the role, then the Trust Relationships tab. The External ID is in the Key:Value column.
10. Contact the AWS CloudHSM team with the information you collected in the previous step. The AWS
CloudHSM team creates an elastic network interface (ENI) on the subnet that you specified, assigns
to your HSM appliance the IP address that you specified, and sends you login credentials that allow
you to connect to your HSM appliance.
11. Proceed to Getting Set Up with AWS CloudHSM (p. 10).
This list summarizes the procedures needed to get up and running with AWS CloudHSM. Step-by-step
instructions are detailed in the sections below.
1. If you have not already done so, follow the steps in the previous section to create a VPC and security
group rules (p. 6). This allows you to connect from your instance to your HSM appliance.
2. If you are manually (p. 6) setting up your AWS CloudHSM environment, launch an EC2-VPC
instance (p. 11). Your application and the HSM client that communicates with the HSM appliance run
on this instance.
Note
These steps are not necessary if you have completed the steps in Automatically Setting Up
Your AWS CloudHSM Environment Using AWS CloudFormation (p. 3).
3. Initialize and configure HSM appliances (p. 11).
4. (Optional) Initialize, connect and configure your on-premise HSM appliances (p. 14).
5. Configure your HSM client (p. 14).
6. Configure HA (p. 21).
7. Select from the following two options:
Integrate AWS CloudHSM with third-party software applications. For more information, see Integrating
Third-Party Applications with AWS CloudHSM (p. 40).
Build a test application, as described in Building a Test Application (p. 41), to prepare for Building Your Own Applications (p. 43).
Important
This guide provides an abbreviated set of instructions that allow you to get started quickly with
your AWS CloudHSM service. To secure production deployments, be sure to read the detailed
descriptions and background information provided in the SafeNet Luna SA documentation in
order to get a deeper understanding of the operation of the HSM. This guide does not attempt
to provide those important details, which are essential for secure operation of the HSM.
Note
These steps are not necessary if you have completed the steps in Automatically Setting Up Your
AWS CloudHSM Environment Using AWS CloudFormation (p. 3).
Note
We recommend using the Classic Wizard to create your instance, so that you can select
your VPC.
When you are finished, store the completed worksheet in a secure location for future reference. It is also
recommended that you store at least one copy of the worksheet in secure offsite storage.
1. After AWS connects your HSM to your VPC, confirm that the elastic network interface (ENI) exists
and confirm its IP address. To find the new ENI of the HSM, from the AWS Management Console
dashboard, select EC2, then Network Interfaces. On the Viewing menu, select All VPC Network
Interfaces. The table contains an ENI, which has the private IP address of your HSM.
2. Apply the security group that you created earlier to the ENI that AWS created for you, which is the
ENI of your HSM.
   a. Right-click the row containing that IP address, select Change Security Groups, then select the
   security group you created for your VPC.
   Note
   If you completed the steps in Automatically Setting Up Your AWS CloudHSM
   Environment Using AWS CloudFormation (p. 3), Security Groups were created
   automatically.
   b. (Optional) To aid in troubleshooting network connectivity to your HSM appliance, add incoming
   and outgoing rules to your security group for ICMP Echo Request and Echo Reply. These allow
   you to ping the HSM appliance, and allow the HSM appliance to respond.
3. From within an instance running in the VPC, use your login credentials to connect to your HSM client
over SSH. If your instance is a Windows instance, use PuTTY or a similar SSH client for Windows
to connect to the HSM and perform the steps below.
4. Change the manager password that was provided to you, by executing the following:
lunash:> user password
You are prompted to enter the new password twice. For more information, go to password in the
User Commands Menu section of the SafeNet Luna SA documentation. Note the new password on
your worksheet.
5. (Optional) Set the time zone, system date and time. For more information, go to Set System Date
and Time in the SafeNet Luna SA documentation.
Note
AWS configures the time of each HSM to use the UTC time zone. This is also the default
setting for Amazon Linux AMIs. Only change the time zone if your HSM client uses a different
time zone than UTC.
If you change the time zone, you must set it before setting the system date and time;
otherwise, the time zone change adjusts the time you just set.
6. To monitor the HSM via syslog, note that you cannot add the IP address of your syslog collector directly
in the HSM configuration. Contact AWS Support and provide the IP addresses of your syslog monitoring
servers. AWS will then perform the required configuration to set up syslog monitoring, and let you
know when the setup is complete. Remember to add a rule to your security group to allow
syslog traffic on port 514.
7. Initialize the HSM appliance. The label (-label MyLuna) should be given a unique name without spaces
or special characters.
Note
If you plan to use HA and load balancing among multiple HSM appliances as recommended
by AWS, see Configuring High Availability and Load Balancing (p. 21) for additional
instructions.
For more information, go to Use hsm-init to Initialize an HSM in the SafeNet Luna SA documentation.
Initializing an HSM permanently deletes the keys and entire cryptographic domain on the HSM. After
initializing the HSM, any previously existing keys are destroyed.
Initializing an HSM also creates the HSM Administrator account and requires that a password be
created and assigned to that account. Make a note of the password on your worksheet and do not
lose it. It is also recommended that you store at least one copy of the worksheet in secure offsite
storage. AWS does not have the ability to recover your key material from an HSM for which you do
not have the proper HSM administrator credentials.
8. Create a key pair for the HSM server. This generates a certificate from the public key.
For more information, go to Generate a New HSM Server Certificate in the SafeNet Luna SA
documentation.
9. Make an association between the HSM appliance and an NTLS interface by executing the following:
For more information, go to the ntls bind Command in the SafeNet Luna SA documentation.
10. Execute the following commands to log in to the HSM appliance using the appropriate password,
and then create a partition:
The partition (-partition MyPartition1) should be given a unique name without spaces or
special characters.
11. When prompted, type proceed.
12. Supply the appropriate new HSM partition password when prompted. Write down this password, as
it will be used in the following situations:
To authenticate the administrator performing partition management tasks via lunash.
To authenticate client applications that want to use the HSM appliance.
For more information, go to Create an HSM partition in the SafeNet Luna SA documentation.
(Optional) Connect your on-premise SafeNet Luna SA HSM appliances in your data center to your
AWS instances using VPN or AWS Direct Connect. For more information, see the AWS Direct
Connect detail page.
4. From the client instance command prompt, extract and install the HSM client software and answer
yes to all prompts:
[ec2-user@client-ip bin]$ tar -xvf Luna_5.1_Client_Software.tar
[ec2-user@client-ip bin]$ cd 610-011477-003/linux/x86/64/
[ec2-user@client-ip bin]$ sudo sh install.sh
Note
In the second command above, [610-011477-003] changes with each version of the client
software.
5. Extract and install the client software patch in the same way:
[ec2-user@client-ip bin]$ cd ~
[ec2-user@client-ip bin]$ tar -xvf Luna_5.1.1_Client_Patch.tar
[ec2-user@client-ip bin]$ cd 630-010275-001/linux/x86/64/
[ec2-user@client-ip bin]$ sudo sh install.sh
1. Copy the server (HSM) certificate from the HSM appliance to the client instance. For more information,
go to Importing the server certificate onto the client in the SafeNet Luna SA documentation.
[ec2-user@client-ip bin]$ cd /usr/lunasa/bin
[ec2-user@client-ip bin]$ sudo scp manager@[hsm ip address]:server.pem .
Note
The dot (.) at the end of the command provides an instruction to "place the resulting file in
the current directory".
3. Create a client certificate:
Note
If you prefer, you can create a certificate that uses a name instead of an IP address. You
can also create certificates to be shared among multiple instances. For more information,
see Creating an AMI with the HSM Client Configuration (p. 38).
[ec2-user@client-ip bin]$ sudo ./vtl createCert -n [client IP address]
Private Key created and written to:
/usr/lunasa/cert/client/<client ip address>Key.pem
4. Copy the client certificate to the HSM. For more information, go to Export a Client Certificate to an
HSM Appliance (UNIX) in the SafeNet Luna SA documentation.
[ec2-user@client-ip bin]$ scp /usr/lunasa/cert/client/[client ip address].pem manager@[hsm ip address]:
Note
The colon (:) after the destination is required. Without it, scp does not recognize the supplied
destination as a remote server.
5. Using your login credentials to connect to your HSM client over SSH, register the client and assign
the client to a partition on the HSM appliance. For more information, go to Register the Client
Certificate to an HSM Server in the SafeNet Luna SA documentation.
[ec2-user@client-ip bin]$ ssh manager@[hsm appliance ip address]
lunash:> client register -client [clientname] -ip [hsm client ip address]
'client register' successful.
Note
You can create certificates to be shared among multiple instances. For more information,
see Creating an AMI with the HSM Client Configuration (p. 38).
6. Assign the client to a partition on the HSM appliance. For more information, go to Assign a client to a
Luna HSM partition in the SafeNet Luna SA documentation.
7. Verify that the partition is assigned to the HSM client. For more information on creating a partition,
go to step 10 in Configuring Your HSM Appliance (p. 11).
8. Log in to the HSM client, and verify that it has been properly configured by executing the following:
Slot    Serial #    Label
====    ========    =====
1       2279315     Partition1
If you get an error message, some part of the configuration may not have been properly completed.
Retrace the procedure.
2. Install the Luna SA client tools. For more information, go to Installing the Luna Software in the SafeNet
Luna SA documentation.
3. Use the following links to download the HSM client software to your home directory and client patch
to your EC2 instance:
Client software
Client patch
4. Browse to the appropriate subdirectory and install the HSM client software.
5. Accept the license agreement and click Next.
8. Choose the default installation directory, choose a Complete setup, and then click Next.
9. Click Install to proceed with the installation, then click Finish to exit the installer.
10. Extract the latest client software patch to a local directory using an unzip utility.
11. Browse to the appropriate subdirectory and repeat the steps above to install the Luna SA client
software.
1. Copy the server (HSM) certificate from the HSM server to the client instance by typing the following
at a command prompt on the client:
2. Securely transfer the server .pem file from the HSM server, using the supplied pscp utility:
server.pem                   100% |*******************************************************|   928       00:00
Note
The dot (.) at the end of the command provides an instruction to "place the resulting file in
the current directory".
Important
You must execute this command as an administrator. To do this, right-click the cmd.exe
window and select Run as Administrator.
This allows the client to create a secure connection with the HSM server.
6. Create a client certificate. The vtl executable is located at c:\Program Files\LunaSA, unless you
changed the default installation directory.
Important
You must execute this command as an administrator. To do this, right-click the cmd.exe
window and select Run as Administrator.
vtl createCert -n [clientIPaddress]
7. Copy the client certificate to the HSM. For more information, see Export a Client Certificate to an
HSM Appliance (Windows) in the SafeNet Luna SA documentation.
ip address]:
Note
The colon (:) after the destination is required. Without it, scp does not recognize the supplied
destination as a remote server.
The file arriving at the HSM is automatically placed in the appropriate directory. Do not specify a
directory for the destination.
8. Register the client and assign the client to a partition on the HSM appliance. Use your login credentials
to connect to your HSM client over SSH.
For more information, go to Register the Client Certificate to an HSM Server in the SafeNet Luna
SA documentation.
9. Assign a client to a partition on an HSM appliance.
For more information, go to Assign a client to a Luna HSM partition in the SafeNet Luna SA
documentation.
10. Verify that the client has been properly configured by executing the following command.
Important
You must execute this command as an administrator. To do this, right-click the cmd.exe
window and select Run as Administrator.
vtl verify
Slot    Serial #    Label
====    ========    =====
1       2279315     Partition1
If you get an error message, some part of the configuration may not have been properly completed.
Retrace the procedure.
Important
The failure of a single HSM appliance in a non-HA configuration can result in the permanent
loss of keys and data.
HA allows multiple HSM appliances to be grouped together to form one virtual device or logical unit as
seen from the client, similar to clustering or RAID technologies. In an HA configuration, service is maintained
even if one or several HSM appliances are unavailable. For example, if three HSM appliances are combined
into an HA group, service is maintained even if two HSM appliances are offline.
When configured for HA, each HSM appliance joins an HA group, managed through the HSM client. To
HSM clients, the HA group appears as a single HSM appliance. However, from an operational perspective,
the members in the HA group share the transaction load, synchronize data with each other, and gracefully
redistribute the processing capacity in the event of failure in a member machine, to maintain uninterrupted
service to clients. HA provides load balancing across all HSM members in the HA group to increase
performance and response time, while providing the assurance of high-availability service. All HSM
members in the HA group are active (rather than one active and the rest passive). Calls are passed from
each client application through the HSM client-side software (library) to one of the HSM members in the
HA group on a least-busy basis. However, operation requests directed at the virtual slot are served by
the primary appliance (the first member in the client's list) until that member reaches its capacity; at that
point, operations are directed to other members in the HA group.
For more information, go to HA with Luna SA in the SafeNet Luna SA documentation.
1. Set up the network on your HSM appliances that will be used in the HA group. For more information,
go to Preparing to configure appliance network settings in the SafeNet Luna SA documentation.
2. Create the policy settings needed for HA by verifying that Enable cloning and Enable network
replication are set to Allowed in hsm showPolicies, as shown in the excerpt below. If they are
not set to Allowed, change them with hsm changePolicy -policy [policyCode] -value
[policyValue].
                                   Value
                                   =====
Enable cloning                     Allowed
.
.
.
Enable network replication         Allowed
Note
Cloning to a hardware token is the backup method for which your HSM appliances are
configured. All HSM appliances in an HA group must use the same backup method.
3. Initialize the HSM appliances into a common cloning domain. For password-authenticated appliances,
they must share the same domain string.
Warning
Initializing an HSM permanently deletes the keys and entire cryptographic domain on the
HSM. After initializing the HSM, any previously existing keys are destroyed. For more
information, go to Use hsm-init to Initialize an HSM in the SafeNet Luna SA documentation.
Note
If you have already configured your HSM appliance in Configuring Your HSM Client (p. 14),
the following steps help you reconfigure your HSM appliance for HA.
Three of the values are required, but the only one that you should type at the command
line is a label for the HSM (-label). Typing the password and the cloning domain at the
command line makes them visible to anyone who can see the computer screen, or to
anyone who later scrolls back in your console or ssh session buffer. If you omit the
password and the cloning domain, lunash prompts you for them, and hides your input
with ******** characters. This is preferable from a security standpoint. Additionally, you
are prompted to re-enter each string, thus helping to ensure that the string you type is
the one you meant to type.
> proceed
hsm - init successful.
4. Create a partition. The partition (-partition MyPartition1) should be given a unique name without
spaces or special characters. For more information, go to Create an HSM partition in the SafeNet Luna SA
documentation.
5. When prompted, type proceed.
6. Change the partitions' passwords so that they match. The partitions do not need to have the same
labels, but they must have the same password.
8. Record partition serial numbers and passwords, and store this information in a secure place.
9. Proceed with a normal client setup as described in Configuring Your HSM Client (p. 14).
10. Register your client computer with each partition that will be part of the HA group. On each HSM
appliance, assign the partition to its respective HSM client; repeat for each HSM appliance in the HA
group.
lunash:> client assignPartition -client [clientname] -partition [Partition1]
lunash:> client assignPartition -client [clientname] -partition [Partition2]
11. Create a new HA group on the client, which consists of the following:
A unique label for the group.
The serial number of the primary partition (Partition1).
The password for the primary partition.
When you create this new HA group, the vtl utility also generates and assigns a serial number to
it.
Important
You must execute the next command as an administrator. To do this, right-click the cmd.exe
window and select Run as Administrator.
bash-2.05# ./vtl haAdmin -newGroup -serialNum 65003001 -label myHAgroup -password userpin
New group with label "myHAgroup" created at group number 742276409.
Group configuration is:
HA Group Number: 742276409
HA Group Label: myHAgroup
Group Members: 65003001
Needs sync: no
12. Your chrystoki.conf (Linux/UNIX) or crystoki.ini (Windows) file should now have a new section:
VirtualToken = {
VirtualToken00Members = 65003001;
VirtualToken00SN = 742276409;
VirtualToken00Label = myHAgroup;
}
Important
Do not insert tab characters into the chrystoki.conf or crystoki.ini file.
13. Add another member to the HA group (Partition2 on the second appliance).
Important
You must execute the next command as an administrator. To do this, right-click the cmd.exe
window and select Run as Administrator.
For more information, as well as additional optional checking and verification steps, go to Create
Client HA Group in the SafeNet Luna SA documentation.
14. Verify your setup, then point your client application at the HSM, referring to that HSM by the HA
group label that you assigned.
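As an added example (not code from this guide or from SafeNet), the following Python reads the VirtualToken section of a chrystoki.conf excerpt, rejects tab characters as the Important note above requires, parses a vtl verify slot listing in the layout shown earlier, and checks that the HA group has at least two members that are all visible to the client. The comma-separated two-member Members value, the sample serial numbers and the function names are assumptions of this example.

```python
import re

# Constructed chrystoki.conf excerpt in the VirtualToken form this guide shows.
# Recording a second member as a comma-separated Members value is an assumption
# of this example; the serial numbers and the Misc section are sample values.
SAMPLE_CONF = """\
Misc = {
   ToolsDir = /usr/lunasa/bin;
}
VirtualToken = {
   VirtualToken00Members = 65003001,65003002;
   VirtualToken00SN = 742276409;
   VirtualToken00Label = myHAgroup;
}
"""

# Constructed 'vtl verify' output in the Slot / Serial # / Label layout shown
# in this guide, listing both partitions the HA group is built from.
SAMPLE_VERIFY = """\
The following Luna SA Slots/Partitions were found:

Slot    Serial #        Label
====    ========        =====
1       65003001        Partition1
2       65003002        Partition2
"""

BLOCK_RE = re.compile(r"VirtualToken\s*=\s*\{(.*?)\}", re.S)
ENTRY_RE = re.compile(r"VirtualToken(\d\d)(Members|SN|Label)\s*=\s*([^;]*);")
SLOT_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$", re.M)


def parse_virtual_tokens(conf_text):
    """Return {group_index: {"members": [...], "sn": str, "label": str}} for the
    VirtualToken section. Tabs are rejected because the guide says the client
    configuration file must not contain them."""
    if "\t" in conf_text:
        raise ValueError("tab character in client configuration file")
    block = BLOCK_RE.search(conf_text)
    groups = {}
    if not block:
        return groups
    for idx, key, value in ENTRY_RE.findall(block.group(1)):
        group = groups.setdefault(int(idx), {"members": [], "sn": None, "label": None})
        value = value.strip()
        if key == "Members":
            group["members"] = [s.strip() for s in value.split(",") if s.strip()]
        elif key == "SN":
            group["sn"] = value
        else:
            group["label"] = value
    return groups


def parse_vtl_verify(output):
    """Map partition serial number -> label from a 'vtl verify' slot listing."""
    return {serial: label for _slot, serial, label in SLOT_RE.findall(output)}


def check_ha_group(group, visible_partitions):
    """Return problems with one HA group; an empty list means it is usable."""
    problems = []
    if len(group["members"]) < 2:
        # A one-member group gives no failover, and auto-recovery needs two nodes.
        problems.append("HA group has fewer than two members")
    for serial in group["members"]:
        if serial not in visible_partitions:
            problems.append(f"member {serial} is not visible to this client; "
                            "check its registration and partition assignment")
    if not group["sn"] or not group["label"]:
        problems.append("HA group is missing its serial number or label")
    return problems


if __name__ == "__main__":
    visible = parse_vtl_verify(SAMPLE_VERIFY)
    for idx, group in parse_virtual_tokens(SAMPLE_CONF).items():
        print(idx, group["label"], check_ha_group(group, visible) or "ok")
```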
15. When an HA group is shared by multiple clients, the best practice is for these clients to select different
primary members. This provides better fault tolerance and load balancing of cryptographic operations.
Enabling Auto-Recovery
Automatic recovery (autoRecovery) is disabled by default.
To enable auto-recovery
When an HA group is shared by multiple AWS CloudHSM clients, the best practice is for these clients
to select different primary HA members, for better fault tolerance and more equal distribution of the
workload of cryptographic operations.
For more information, see the following topics in the SafeNet Luna SA documentation:
Overview of Luna High Availability and Load Balancing
HA with Luna SA
Automatic recovery of a dropped HA member can only take place when all of the following are true:
HA autoRecovery is enabled.
The HA group has at least two nodes.
The HA node is reachable (connected) at startup.
The HA node recover retry limit is not reached. If it is reached or exceeded, the only option to restore
the downed connections is a manual recovery.
If all HA nodes fail (there are no links from the HSM client), recovery is not possible.
The HA recovery logic in the library makes its first attempt at recovering a failed member when your
application makes a call to its HSM appliance (the HA group). In other words, an idle HSM client does
not attempt a recovery.
However, a busy HSM client notices a slight pause every minute as the library attempts to recover
dropped HA group members, until the members are reinstated or until the retry limit has been
reached or exceeded and it stops trying. Therefore, set the retry period according to your normal operational
situation; for example, the types and durations of network interruptions you experience.
HA autoRecovery is not on by default. It must be explicitly enabled by executing the following command
from your HSM client:
For more information on HA and autoRecovery, go to the following topics in the SafeNet Luna SA
documentation:
Configuring HA
Client - Create HA Group
1. When you are notified by AWS that the connection has been recovered, execute the following
command to reintroduce disconnected members to the HA group:
2. AWS also recommends retrying the connection for a short period of time, so that any disconnections
caused by transient network outages can be automatically recovered. For example, retry the
connection 5 times, at an interval of one try every minute, as shown below.
3. Reintroduce disconnected members to the group when notified by AWS of the connection recovery.
If you don't want to recover the group members manually, but still want to minimize the overhead caused
by automatic recovery, use the following steps:
Retry the connection once every 3 minutes, until the connection is successful.
For special cryptographic applications, discuss with SafeNet and/or AWS on a case-by-case basis.
Important
Do not perform a manual resynchronization between the members of the HA group. For more
information, see Best Practices for Loss and Recovery (p. 27).
3.
Connect the Luna Backup HSM to your HSM appliance using USB. For more information about the
Luna Backup HSM, see the see Luna Backup HSM Product Brief.
Install the Luna Remote Backup Driver (610-011646-001) from the following location:
http://c3.safenet-inc.com/downloads/F/E/FEAB55E0-5B3F-4DFD-8DEF-B068C5531AED/610-011646-001.tar
From your Windows computer's Control Panel, open Device Manager, select Luna G5 Device, then
right-click and select Update Driver Software.
4.
Complete the steps in Configuring AWS CloudHSM (p. 11), Configuring Your HSM Appliance (p. 11),
and Configuring Your HSM Client (p. 14).
5.
Use your login credentials to connect to your HSM client over SSH:
6.
Execute the following command on your HSM client to display the details of the HSM appliance:
7.
Execute the following command on your HSM client to display the contents of the partition:
8.
Establish an NTLS connection by executing the following command from the Windows command
prompt:
9.
10. Restore the Luna Backup HSM appliance to its factory settings by executing the following command:
12. Initialize the Luna Backup HSM appliance by executing the following command:
13. Type yes when prompted to initialize the HSM, and no when prompted to use PED authentication.
Important
Your HSM must use password authentication, not PED authentication.
16. If you want to check the details of the backup, execute the following command:
Clear the contents of the partition by executing the following from your HSM client:
2.
3.
4.
5.
Confirm that no objects exist on the HSM client partition by executing the following command from
the Windows command prompt:
6.
7.
8.
Confirm that the restore was successful by executing the following from the HSM client:
9.
10. Confirm that the restore operation was successful by executing the following command:
Important
If you need to stop using an HSM appliance (such as when your subscription ends), back up the
contents of the HSM to another HSM that you control, or confirm that the keys stored within the
HSM are no longer needed.
Complete the following steps to stop using an HSM appliance.
Delete all HSM partitions from the HSM appliance by executing the following, replacing
[HSM-partition-name] with the name of the partition that you want to delete (do not include the brackets
"[]"). If you are not sure of the partition name, use the partition list command.
Note
To delete an HSM partition, you must be logged into the HSM appliance command shell
(lunash) as admin, and you must be logged in to the onboard HSM as HSM Admin.
When a partition is deleted, it is cleared from the HSM and all of its contents are destroyed; the
partition is also revoked from any clients that were registered to it. For more information, go to
Removing Partitions and the partition delete command in the SafeNet Luna SA documentation.
2.
Declassify the HSM appliance by first executing the following command to rotate all logs.
3.
4.
5.
AWS will review the HSM. If the HSM appliance is in an uninitialized state, then AWS will de-provision it
and your subscription to the HSM will be terminated. If the HSM appliance still contains any HSM partitions,
AWS will contact you with a request to remove the partitions from the appliance.
AWS reserves the right to terminate service and reinitialize an HSM in the case of non-payment.
Best Practices
Use a high availability configuration. AWS recommends that you use two or more HSM appliances, in
separate Availability Zones, in a high availability configuration, to avoid data loss in the case that an
Availability Zone becomes unavailable.
For more information about best practices and how to set up a high availability configuration, go to
Configuring High Availability and Load Balancing (p. 21).
Initializing an HSM irrevocably destroys the key material inside the HSM. Never initialize the HSM
unless you are certain that the keys have been backed up somewhere else or that the keys are no
longer required.
Keep your HSM administrator password secure and do not lose it. AWS does not have the ability to
recover your key material from an HSM for which you do not have the proper HSM administrator
credentials.
Do not apply software patches or updates to the appliance. Contact AWS Support if you need the
software updated.
Do not change the network configuration of the appliance.
Do not remove or change the syslog forwarding configuration that is provided on the appliance. You
may add additional destinations for syslog messages, as long as you do not change or remove the
ones that are already there.
Do not change or remove any SNMP configuration that is provided on the appliance. You may add
additional SNMP configuration as long as you do not disturb the configuration that is already present.
Do not change the NTP configuration that is provided on the appliance.
Troubleshooting
For frequently asked questions about AWS CloudHSM, see AWS CloudHSM FAQs.
Q: My HSM isn't working. What do I do?
Contact AWS Support. Your incident will be routed to the team that supports AWS CloudHSM.
Appendices
Topics
Connecting Multiple Client Instances to AWS CloudHSM with One Certificate (p. 38)
Integrating Third-Party Applications with AWS CloudHSM (p. 40)
Building a Test Application (p. 41)
Building Your Own Applications (p. 43)
Note
If you use a name instead of an IP address when creating the certificate on the HSM client, make
sure that the registered client name on the HSM appliance matches exactly.
To create an AMI with the client configuration and prepare the HSM client
1. Execute the following commands on the HSM client, where ClientCertName is the name you have
chosen for the certificate on the HSM client.
2. Execute the following commands on the HSM appliance, where ClientName is the name of your
HSM client and ClientCertName is your certificate name.
[hsm6105.iad6] lunash:>c reg -c ClientName -h ClientCertName
'client register' successful.
Command Result : 0 (Success)
[hsm6105.iad6] lunash:>c l
3. After completing the steps above, create an AMI that includes the client configuration, then create
one or more Amazon EC2 instances from the AMI. Each Amazon EC2 instance can connect to the
HSM appliance using the same certificate, and instances started from Auto Scaling groups can
establish a secure connection to AWS CloudHSM.
For more information about creating AMIs, go to Creating Your Own AMIs in the Amazon Elastic
Compute Cloud User Guide.
For more information about creating instances from AMIs, go to Launch Your Instance in the Amazon
Elastic Compute Cloud User Guide.
Create an Amazon S3 bucket. For more information, see Create a Bucket in the Amazon Simple
Storage Service Getting Started Guide.
Change permissions on the Amazon S3 bucket to reduce permissions to the minimum set of people
necessary.
Upload the certificates into the Amazon S3 bucket.
Create a role for your application. For more information, see Creating a Role in the Using IAM.
As part of creating the role, modify the role's policy to allow read-only access to the Amazon S3
bucket; for example, "Resource": ["arn:aws:s3:::bucket/*"] (the service name in an ARN is lowercase).
Use the role when launching your application.
Write scripts on the application instance to download the certificate files from the Amazon S3 bucket.
This allows you to update the certificates from time to time, and also does not require you to figure
out how to secure your AMI to prevent credential leakage.
To learn more about using IAM roles with Amazon S3 buckets, see Using IAM roles to distribute non-AWS
credentials to your EC2 instances in the AWS Security blog or Using IAM Roles for EC2 Instances with
the SDK for Java in the AWS SDK for Java Developer Guide.
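The role-based distribution just described, as an added example that is not part of the AWS guide: a bootstrap script run on the application instance. It emits the least-privilege policy for the instance's IAM role (read and list on one bucket, nothing else; note the lowercase s3 service name in the ARN), downloads the client certificate and key with the AWS CLI, which obtains the role's temporary credentials from the instance automatically, and installs them with owner-only permissions after a sanity check. The bucket name, the object names <CertName>.pem and <CertName>Key.pem, and the destination directory are assumptions; substitute the names you used when you created the certificate.

```shell
#!/bin/sh
# Added example, not from the AWS CloudHSM guide: fetch the Luna client
# certificate and key from a locked-down S3 bucket using the instance's IAM
# role, so the AMI carries neither the certificate nor any AWS credentials.
# Assumed names: the bucket, the objects <CertName>.pem and <CertName>Key.pem,
# and the destination directory (the Luna client's certificate directory on
# the instance is an assumption, not a value taken from the guide).

# cert_bucket_policy BUCKET
#   Prints the policy to attach to the application's IAM role: read objects in
#   the bucket and list it, nothing more. The service name in an ARN is
#   lowercase "s3"; an uppercase "S3" matches nothing and grants nothing.
cert_bucket_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:GetObject"],  "Resource": ["arn:aws:s3:::$1/*"] },
    { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::$1"] }
  ]
}
EOF
}

# install_pem SRC DEST
#   Copies a PEM file into place so that it is owner read/write only from the
#   moment it is created (umask 077 in a subshell, then chmod in case DEST
#   already existed) and refuses anything that is not PEM, so a truncated or
#   wrong object never silently replaces the client identity.
install_pem() {
    grep -q -- '-----BEGIN' "$1" || { echo "$1: not a PEM file" >&2; return 1; }
    (umask 077 && cp "$1" "$2") && chmod 600 "$2"
}

# fetch_client_certs BUCKET CERTNAME DESTDIR
#   Downloads CERTNAME.pem and CERTNAMEKey.pem with the AWS CLI (credentials
#   come from the instance role) into a private temp dir, then installs them.
#   Any failure removes the temp dir and leaves DESTDIR untouched.
fetch_client_certs() {
    bucket=$1; name=$2; dir=$3
    tmp=$(mktemp -d) || return 1
    for f in "$name.pem" "${name}Key.pem"; do
        if ! aws s3 cp "s3://$bucket/$f" "$tmp/$f" ||
           ! install_pem "$tmp/$f" "$dir/$f"; then
            rm -rf "$tmp"
            return 1
        fi
    done
    rm -rf "$tmp"
}

# Stand-alone: print the policy for an assumed bucket name. On the instance
# you would then run, for example:
#   fetch_client_certs example-hsm-client-certs ClientCertName /usr/lunasa/cert/client
cert_bucket_policy example-hsm-client-certs
```

Because the certificate identifies the client to the appliance, treat the bucket like a key store: the policy above grants only GetObject and ListBucket, the bucket itself should be restricted to the role and the people who rotate certificates, and rotating is then a matter of uploading new objects and re-running the fetch rather than rebuilding the AMI.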
Set up your Luna SA/PCI/HSM appliances. For more information, see the instructions in Before You
Begin (p. 2).
Install Oracle Database 11g on the target machine. For more information and detailed instructions,
go to the Oracle Database Luna SA/PCI Integration Guide.
Integrate Oracle Database 11g R1 (11.1.0.6 or 11.1.0.7) or 11g R2 (11.2.0.1, 11.2.0.2, or 11.2.0.3)
with your Luna SA/PCI HSM appliances. For more information, go to the Oracle Database Luna
SA/PCI Integration Guide.
To set up TDE for Microsoft SQL Server and the EKM Library
The following instructions are explained in detail in the Microsoft SQL Server and LunaSA/PCI Integration
Guide.
1. Set up your HSM appliance(s). Refer to the instructions in Before You Begin (p. 2).
2. Integrate Luna SA/PCI/HSM appliances with Microsoft SQL Server. For more information, go to the
Microsoft SQL Server Integration Guide.
3. Download and install the EKM libraries.
1. Install the SafeNet client and certificates on your instance in your VPC, as described in the previous
sections.
2. Download the sample source code to your instance.
3. Unpack the sample and read its instructions:
mkdir Sample
mv P11Sample.zip Sample
cd Sample/
unzip P11Sample.zip
more README.txt
4.
Follow the instructions in the README.txt file for installing make, gcc, setting the SfntLibPath
environment variable, building the sample application, and running it.
javac *.java
Note
If you chose the default installation directory when installing the client software (p. 14), the
samples are located in
/usr/lunasa/jsp/samples/com/safenetinc/luna/sample/
2. mkdir workspace
3. cp -R /usr/lunasa/jsp luna
4. cd luna/samples
5.
6.
7. Register the Luna provider in the JRE's security properties:
sudo vi /usr/java/jdk1.7.0_07/jre/lib/security/java.security
security.provider.10=com.safenetinc.luna.provider.LunaProvider
8.
Document History
The following table describes the important changes to the documentation in this release of AWS
CloudHSM.
Latest documentation update: November 05, 2013
Change          | Description | Date Changed
Initial Release |             | 2013-03-26
Update          |             |