Provisioning with a Microsoft Azure Dedicated HSM

Microsoft Azure provides a dedicated Hardware Security Module (HSM) service which can be used as a root of trust to a Virtual CipherTrust Manager which is also hosted on Microsoft Azure.

Architecture Overview

To integrate together Virtual CipherTrust Manager and a Dedicated HSM on the Microsoft Azure cloud, you must create and configure the following entities, as shown in the diagram:

  1. Necessary Azure resources, including a virtual network and two subnets within the virtual network.

  2. A dedicated HSM instance within its own subnet, called "Luna" in the diagram.

  3. A Virtual CipherTrust Manager instance in another subnet, called "Compute" in the diagram.

  4. A Windows VM in the "Compute" subnet to host the Luna Client, which can access and configure an HSM partition.

Diagram: Azure assets including two subnets, a Windows VM, a Luna VM, and a Virtual CipherTrust Manager instance.

Acquire Permissions to a Dedicated HSM

  1. Contact the Microsoft HSM account, HSMrequest@Microsoft.com, to request access to a dedicated HSM. Outline your application, the regions in which you would like HSMs, and the number of HSMs you are looking for. If you work with a Microsoft representative, such as an Account Executive or Cloud Solution Architect, include them in the request.

    Once Microsoft has established your requirement, they email you a list of documents and schema files that are necessary to deploy a Luna.

  2. Check if permissions have been granted in the Azure console by running:

    az feature show --namespace Microsoft.HardwareSecurityModules --name AzureDedicatedHSM
    

    The expected result is that the returned "state" is set to "Registered", as shown in the following example:

    {
      "id": "/subscriptions/d44a44b4-f4ce-4bb4-b4bc-4444444c444a/providers/Microsoft.Features/providers/Microsoft.HardwareSecurityModules/features/AzureDedicatedHsm",
      "name": "Microsoft.HardwareSecurityModules/AzureDedicatedHsm",
      "properties": {
        "state": "Registered"
      },
      "type": "Microsoft.Features/providers/features"
    }
    

Create the Microsoft Azure Resources

We need to create resources on Microsoft Azure before provisioning the Luna HSM.

We will be creating the following resources:

  1. A resource group to hold all the resources.
  2. A virtual network (vnet) that will be used for network communications.
  3. A subnet called "Compute", to later contain the Windows VM lunaclient host and the Virtual CipherTrust Manager instance.
  4. A subnet dedicated to the HSM.
  5. A gateway.

Refer to Microsoft Azure documentation for more advanced configuration options.

To create a resource group

  1. Open the left sidebar.

  2. Hover over Resource groups.

    A popup opens to the right.

  3. Click on the + Create icon.

    This opens a new page to create the resource group.

  4. Enter the Subscription name and the Resource group name.

  5. Select an appropriate region from the Region dropdown.

  6. Click on Review + create

  7. Once the validation passes, click on the Create button to create the resource group.

To create a virtual network (vnet)

  1. On your resource group page click on the button Create resources.

  2. Click on the Networking button.

  3. Click on Virtual network.

  4. Select a Subscription and Resource group.

  5. Select a Name and Region for the vnet instance.

  6. Click on Next: IP Addresses >

To create a Compute subnet

  1. Click on the default subnet name and rename it "Compute".

  2. Click on Save.

To create a subnet for the HSM

  1. Click on the + Add subnet button.

  2. Provide a name for the HSM subnet.

  3. Provide a subnet address range and mask.

  4. Click on Add.

  5. Once the subnet is added, click on Next: Security >.

  6. Leave the default option and click on Next: Tags >.

  7. Create an optional tag.

  8. Click on Next: Review + create >.

  9. Once the validation passes, click on the button Create to create the virtual network and the subnets.

To delegate the HSM subnet to the dedicated HSM

  1. Navigate to the Subnets section.

  2. Select the HSM subnet.

    A panel to the right opens up.

  3. In the right panel, under SUBNET DELEGATION, click on Delegate subnet to a service.

  4. Select Microsoft.HardwareSecurityModules/dedicatedHSMs

  5. Click OK.

To create a gateway

  1. Navigate to the Subnets section.

  2. Click on the + Gateway subnet.

  3. Choose a Name and Subnet address range.

  4. Click on OK.

Deploy the Dedicated Luna HSM in the Subnet

After you have delegated the HSM subnet to the dedicated HSM service, you have to deploy the HSM.

  1. Copy the example text into a Deploy-1HSM-toVNET-Params-v1.1.json file. Edit the file to provide your previously configured values for the vnet and HSM subnet.

      {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
          "contentVersion": "1.0.0.0",
          "parameters": {
              "ResourcePrefix": {
                  "value": "HSMLuna"
              },
              "ExistingVNetName": {
                  "value": "Luna_kylo_vnet"
              },
              "ExistingHSMSubnetName": {
                  "value": "Luna_kylo_HSM_subnet"
              },
              "HSMResourceName": {
                  "value": "kylo-luna-hsm"
              }
          }
      }
    
  2. Copy the provided Deploy-1HSM-toVNET-Template-v1.1.json file and do not edit it:

    Deploy-1HSM-toVNET-Template-v1.1.json

  3. Open an Azure PowerShell terminal.

  4. Click on the Upload/Download button on the terminal.

  5. Upload the two files.

  6. Run the following command on the PowerShell terminal to deploy the dedicated Luna HSM:

    New-AzResourceGroupDeployment -ResourceGroupName Luna_kylo_rg -TemplateFile .\Deploy-1HSM-toVNET-Template-v1.1.json -TemplateParameterFile .\Deploy-1HSM-toVNET-Params-v1.1.json -Name HSMdeploy -Verbose
    

    It takes approximately 30 minutes to deploy. You receive ProvisioningState: Succeeded when complete.

  7. Verify the deployment by running the following commands:

    PS> $subId = (Get-AzContext).Subscription.Id
    PS> $resourceGroupName = "Luna_kylo_rg"
    PS> $resourceName = "kylo-luna-hsm"
    PS> Get-AzResource -Resourceid /subscriptions/$subId/resourceGroups/$resourceGroupName/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/$resourceName
    

    The expected result looks like:

    Name              : kylo-luna-hsm
    ResourceGroupName : Luna_kylo_rg
    ResourceType      : Microsoft.HardwareSecurityModules/dedicatedHSMs
    Location          : westus2
    ResourceId        : /subscriptions/d44a44b4-f4ce-4bb4-b4bc-4444444c444a/resourceGroups/Luna_kylo_rg/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/kylo-luna-hsm
    Tags              :
                    Name          Value
                    ============  =====
                    Environment   prod
                    resourceType  Hsm
    

Create a Windows instance

A Windows instance is necessary to access the Dedicated Luna HSM. From the Windows instance, you can SSH into the HSM to perform general HSM configuration, and you can install the Luna client to configure an HSM partition.

Consult Azure Documentation for more detail on provisioning this resource if necessary.

  1. Create a Windows 10 Pro instance on the Compute subnet with a Standard HDD disk. Be sure to use the Resource group you created for the Windows VM, Dedicated HSM, and Virtual CipherTrust Manager.

  2. Get the public IP address of the Windows instance and use it with the Remote Desktop Client (RDP) to access the Windows instance.

Configure the Dedicated Luna HSM

You must perform some configuration on the Dedicated Luna HSM instance to ensure its passwords and policies are secure enough, and to create a partition to act as a root of trust for Virtual CipherTrust Manager.

Consult Luna Network HSM 7.2 Documentation for more information on these commands, if necessary.

To configure the HSM

  1. To find the HSM's IP address, go to the Azure portal, and click on HSMLuna-ergwpip.

  2. Use the IP address to SSH to the HSM from your Windows VM. The default user name is tenantadmin and the default password is PASSWORD.

    You are brought into the Luna Shell (LunaSH) utility.

    PS > ssh tenantadmin@172.22.1.4
    The authenticity of host '172.22.1.4 (172.22.1.4)' can't be established.
    ECDSA key fingerprint is SHA256:vf96hinpthrML150b4jNGFlaf1oJT0+QQjdfz/B0+yQ.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.22.1.4' (ECDSA) to the list of known hosts.
    tenantadmin@172.22.1.4's password:
    Last login: Wed Oct 7 19:28:44 2020
    
    Luna Network HSM Command Line Shell v7.2.0-220. Copyright (c) 2018 SafeNet. All rights reserved.
    
  3. Change your password immediately, as prompted.

  4. Run network show to confirm the IP address for eth0.

    Do not change the IP address on eth0; access to the Luna would be lost.

  5. Run hsm show to view the current state of the HSM. This command also displays the firmware version, software version, and FIPS (Federal Information Processing Standards) operating mode.

  6. Initialize the HSM with a label. Take care to remember your password.

    lunash:>hsm init -label LunaHSM -password mystrongpassword -domain domain1
    

    hsm show now shows the HSM label.

  7. Run hsm login to login to the HSM. Use the password set in the previous step.

  8. If your organization requires FIPS compliance, you need to set the HSM to FIPS 140-2 Operation mode.

    1. To change the FIPS mode and restrict non-FIPS algorithms, set the policy 12 to value 0.

      Setting the HSM to the FIPS mode zeroizes the HSM. All the data on the HSM is lost.

      lunash:>hsm changePolicy -policy 12 -value 0
      
    2. Run hsm show to confirm the FIPS 140-2 Operation mode is on.

  9. Create the partition using partition create. Provide a name and a slot number.

    lunash:>partition create -p luna_part -s 10000
    
  10. Run partition list to verify the partition was created. You can also get more details about the partition using partition show -p <partition_name>.

Access and Configure the HSM Partition

Consult Luna Network HSM 7.2 Documentation for more information on lunaCM commands and partition roles, if necessary.

  1. Obtain the Luna Client (version 7.4 or higher) from the Thales Customer Support Portal.

  2. Transfer the client package to the Windows instance.

  3. Install the client with all options and features.

  4. Open PowerShell in Administrator mode and change to the directory where the Luna Client is installed.

  5. Run luna.exe. No HSMs are currently registered with the client.

  6. Use clientconfig deploy to register the HSM with the Luna client and to secure the connection. Provide the HSM's IP address, user and password, and the partition name.

    lunacm:> clientconfig deploy -server <HSM_IP> -client <Windows_VM_IP> -partition <partition_name> -user tenantadmin -password <password> -verbose
    
    Please wait while we set up the connection to the HSM. This may take several minutes...
    
  7. Initialize the partition, providing a label. You are prompted for a password for the Partition Security Officer, and a domain name.

    partition init -label <partition_name>
    
  8. Login as the Partition Officer (PO) and initialize the Crypto Officer (CO) with a temporary password.

    lunacm:> role login -name po
    
            enter password: ********
    
    lunacm:> role init -name co
    
            enter new password: ********
    
            re-enter new password: ********
    
  9. Login as the Crypto Officer and change the temporary password.

    lunacm:> role login -name co
    
            enter password: ********
    
    lunacm:> role changepw -name co
    
            enter existing password: ********
    
            enter new password: ********
    
            re-enter new password: ********
    
  10. To verify the partition is active, return to the Luna Shell on the Dedicated HSM instance, and run partition show -p <partition_name>.

Deploy the Virtual CipherTrust Manager on Azure

  1. Sign in to the Azure or Azure Government portal.

  2. Search for Thales Virtual CipherTrust Manager on the Marketplace page.

    Only the latest version is available on the Marketplace page.

    Older versions back to 2.6 are available through the Azure CLI. Some versions older than 2.6 are available from Thales customer support as a VHD file.

To deploy the latest Virtual CipherTrust Manager Version from Marketplace

  1. Select the Thales Virtual CipherTrust Manager image from the Virtual Machines group.

    The following steps apply to the Azure recommended 'Resource Manager' deployment model.

  2. Click Create. The first screen of the Create virtual machine page is displayed.

  3. Change the Subscription type if desired.

  4. Select an existing Resource group or enter the name for a new one.

    For deployments with Azure Dedicated HSMs, this must be the same resource group as for the Luna client host VM and the Dedicated HSM.

  5. Specify the Region of an Azure Datacenter. For example, East US.

    For Azure government, this must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.

  6. Enter a Virtual machine name, which is the hostname for the virtual machine you are creating, for example, "mycompany-ciphertrust".

  7. Select the Size for the VM that supports the Minimum Requirements.

  8. Select the SSH Public Key for the Authentication type.

    SSH Public Key authentication must be used. Password authentication is not allowed when connecting as the initial user. We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

  9. For the Username, enter "ksadmin", the default name for the System Administrator.

    You MUST use the name "ksadmin" for this initial user.

  10. For the SSH public key source, select one of "Generate new key pair", "Use existing public key", "Use existing public key stored in Azure". We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

    It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

  11. In the SSH Public Key field, provide the necessary information for the SSH public key source selected in the last step.

  12. Select Next: Disks >. The Disks screen is displayed.

  13. Change the OS disk type to "Standard HDD", unless you desire a faster disk.

  14. Select an Encryption type depending on the Azure-level disk encryption you prefer.

  15. Select Next: Networking >. The Networking screen is displayed.

    The Virtual Network, Subnet, Public IP and Configure network security group fields are populated with default values for this VM, if you have preset networking values for other Azure VMs. Create new values if needed.

    For deployments with Azure Dedicated HSMs, the virtual network must also include the Dedicated HSM instance and the lunaclient host instance. The subnet must also include the lunaclient host instance; this subnet is referred to as the "Compute" subnet.

    For a list of security groups/ports, refer to Network Security Groups.

  16. Select Next: Management >. The Management screen is displayed.

  17. Select Next: Advanced >. The Advanced screen is displayed.

  18. If desired, you can apply cloud-init configuration. Paste cloud-init configuration in the Custom Data field.

  19. Select Next: Tags >. The Tags screen is displayed.

  20. Enter any desired tags.

  21. Select Next: Review + create >. This is the final screen. Enter an email address, and click Create to launch the VM.

    Azure will run an evaluation of your virtual machine creation configuration.

    1. If the validation was not successful, a Validation failed message is displayed:

      Click on the arrow for details and proceed to correct the cause of the validation error.

    2. If the validation is successful, a Validation passed screen is displayed, listing all VM details:

  22. Select Create to begin deployment of this VM. This screen is displayed indicating that deployment is in process.

    When deployment completes, this screen is displayed, providing access to all resources supporting the new VM.

  23. Connect to the CipherTrust Manager Web Page.

    1. Select the resource with the IP address, in this example: Keysecure-k170v-test-ip.

    2. Browse to this IP address (in this example enter https://40.117.142.62). The Log In screen appears.

  24. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.

  25. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  26. Using your new password, log in again. The CipherTrust Manager Web Page appears.

Virtual CipherTrust Manager includes a 90 day trial license. To activate your instance with a term or perpetual license, see Licensing.

To deploy versions back to 2.6 using the Azure CLI

  1. List the Virtual CipherTrust Manager images available through the Azure CLI. Find the URN value for your desired version.

    az vm image list --offer cm_k170v --all
    

    Example response:

    [
      {
        "offer": "cm_k170v",
        "publisher": "thalesdiscplusainc1596561677238",
        "sku": "ciphertrust_manager",
        "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506",
        "version": "2.6.6506"
      },
      {
        "offer": "cm_k170v",
        "publisher": "thalesdiscplusainc1596561677238",
        "sku": "ciphertrust_manager",
        "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.7.6808",
        "version": "2.7.6808"
      }
    ]
    
  2. Accept the terms for the desired Virtual CipherTrust Manager image version.

    az vm image terms accept --urn <image_urn>
    
  3. Create the VM image. You provide or specify the following values:

    • The image URN.

    • The name of an existing resource group. The image's region will be taken from this resource group.

      For deployments with Azure Dedicated HSMs, this must be the same resource group as for the Luna client host VM and the Dedicated HSM.

      For Azure government, the region must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.

    • A new name for the VM.

    • A desired size for the VM, that meets the Minimum Requirements.

    • The admin username set to ksadmin. This is required to supply an SSH key at launch time, and for SSH access. The only allowed value is ksadmin.

    • A public IP SKU set to Standard.

    • A source for the SSH key. You can choose to generate a new SSH key pair(--generate-ssh-keys), enter a name for an existing key already stored in Azure (--ssh-key-name <name_of_existing_ssh_key_in_azure>), or upload an SSH key file (--ssh-key-value <ssh_key_file>). We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

      It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

    • (Optional) If you wish to perform cloud-init configuration to set some initial values for CipherTrust Manager, you can use the -d or --custom-data flag to pass in the user data from config.dat file.

    Example syntax

     az vm create --resource-group <resource_group> --name <desired_vm_name> --image <image_urn> --size <desired_image_size> --admin-username ksadmin {--generate-ssh-keys | --ssh-key-name <name_of_existing_ssh_key_in_azure> | --ssh-key-value <ssh_key_file>} [--custom-data <config.dat_file_path>] --public-ip-sku Standard
    

    Example command with Standard_F4s_V2 size and SSH key generation

     az vm create --resource-group myURNVM --name myVM --image thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506 --admin-username ksadmin --size Standard_F4s_v2 --generate-ssh-keys --public-ip-sku Standard
    

    Example response

    {
      "fqdns": "",
      "id": "/subscriptions/260ecbe7-777b-4d3c-84ea-887620498863/resourceGroups/myURNVM/providers/Microsoft.Compute/virtualMachines/myVM",
      "location": "westus",
      "macAddress": "00-00-00-00-00-00",
      "powerState": "VM running",
      "privateIpAddress": "1.1.1.1",
      "publicIpAddress": "2.2.2.2",
      "resourceGroup": "myURNVM",
      "zones": ""
    }
    

    Note the public IP address returned in the VM creation response.

  4. Open port 443 to allow web browsing to the Virtual CipherTrust Manager instance.

    az vm open-port -g <resource_group_name> -n <virtual_machine_name> --port '443'
    
  5. Navigate to https://<VM_public_IP_address> to connect to the CipherTrust Manager Web Page. The public IP address was returned when the VM was created. You can also view this value in the Azure portal Virtual Machine list.

    The Log In screen appears.

  6. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.

  7. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  8. Using your new password, log in again. The CipherTrust Manager Web Page appears.

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or term or perpetual license, see Licensing.
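A pre-flight check for the az vm create step above, added here as an example and not Thales or Azure code: it parses an OpenSSH public key line to confirm the key is RSA of at least 2048 bits (the page's stated minimum, with 4096 recommended), and assembles the az vm create argument list with the fixed values the page requires (ksadmin as the only admin username, exactly one SSH key source, a Standard public IP SKU). The sample key lines are constructed in code with an arbitrary modulus and are not real key pairs.

```python
import base64
import struct
from typing import List, Optional

MIN_RSA_BITS = 2048  # stated minimum; 4096 is the recommendation

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian, with a leading 0x00 when the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def constructed_pubkey_line(bits: int, key_type: bytes = b"ssh-rsa") -> str:
    """CONSTRUCTED sample: structurally valid OpenSSH line with an arbitrary odd modulus, not a real key."""
    blob = _ssh_string(key_type) + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} sample@example"

def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def rsa_modulus_bits(pubkey_line: str) -> int:
    """Modulus size of an 'ssh-rsa AAAA...' line (blob: string "ssh-rsa", mpint e,
    mpint n, per RFC 4253). Raises ValueError for any other key type."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("header is not ssh-rsa")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match the ssh-rsa header")
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()  # leading 0x00 is ignored

def ssh_key_problems(pubkey_line: str) -> List[str]:
    """Empty list if the key is usable for the ksadmin login, else the reasons."""
    try:
        bits = rsa_modulus_bits(pubkey_line)
    except ValueError as exc:
        return [f"RSA is the supported key algorithm ({exc})"]
    return [] if bits >= MIN_RSA_BITS else [f"{bits}-bit RSA is below the {MIN_RSA_BITS}-bit minimum"]

def vm_create_problems(admin_username: str, image_urn: str, generate_ssh_keys: bool,
                       ssh_key_name: Optional[str], ssh_key_value: Optional[str]) -> List[str]:
    """Checks the fixed values the appliance requires before az vm create runs."""
    problems = []
    if admin_username != "ksadmin":
        problems.append("admin username must be ksadmin (the only allowed value)")
    if len(image_urn.split(":")) != 4:
        problems.append("image URN must be publisher:offer:sku:version")
    if sum([generate_ssh_keys, ssh_key_name is not None, ssh_key_value is not None]) != 1:
        problems.append("exactly one SSH key source is required")
    return problems

def build_az_vm_create(resource_group: str, name: str, image_urn: str, size: str,
                       admin_username: str = "ksadmin", generate_ssh_keys: bool = False,
                       ssh_key_name: Optional[str] = None, ssh_key_value: Optional[str] = None,
                       custom_data: Optional[str] = None) -> List[str]:
    """Assembles the az vm create argv from this page; raises on any violation."""
    problems = vm_create_problems(admin_username, image_urn, generate_ssh_keys,
                                  ssh_key_name, ssh_key_value)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["az", "vm", "create", "--resource-group", resource_group, "--name", name,
            "--image", image_urn, "--size", size, "--admin-username", admin_username]
    if generate_ssh_keys:
        argv.append("--generate-ssh-keys")
    elif ssh_key_name is not None:
        argv += ["--ssh-key-name", ssh_key_name]
    else:
        argv += ["--ssh-key-value", ssh_key_value]
    if custom_data is not None:
        argv += ["--custom-data", custom_data]  # optional cloud-init config.dat
    return argv + ["--public-ip-sku", "Standard"]
```

Run ssh_key_problems on the public key you intend to pass with --ssh-key-value before launching; an empty list means the key meets the stated algorithm and size requirements.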

Configuring the HSM Partition as the Root of Trust for Virtual CipherTrust Manager

To configure the HSM Partition as a root of trust for the CipherTrust Manager, you must first register the Virtual CipherTrust Manager as a client to the HSM partition. Then, you must provide some HSM partition authentication values and certificates to the Virtual CipherTrust Manager to establish a connection.

To register the Virtual CipherTrust Manager as a client to the HSM

  1. RDP to the Windows client.

  2. Download a version 7.2 Luna client from the Support Portal. Copy the client installer into the Windows remote desktop.

  3. Fetch the server.pem certificate from the Dedicated HSM instance with SCP.

    scp.exe tenantadmin@<dedicated_HSM_IP>:server.pem .
    tenantadmin@<dedicated_HSM_IP>'s password:
    server.pem                                            100% 1159     1.1KB/s   00:00
    
  4. Use the VTL tool to create a client certificate and key for the Virtual CipherTrust Manager instance.

    ./vtl createcert -n <Virtual_CipherTrust_IP_address> -d 10 -v
    

    The client certificate and key are available in the cert/client folder.

  5. Use partition showinfo on LunaCM to view the partition name and serial number.

  6. Copy the client certificate to the HSM with SCP.

    PS C:\Users\LunaAdmin\Desktop> scp client.pem tenantadmin@<dedicated_HSM_IP>:
    tenantadmin@<dedicated_HSM_IP>'s password:
    
    172.22.0.5.pem                                      100% 1184     1.2KB/s   00:00
    
  7. SSH into the Dedicated HSM.

  8. With the LunaSH utility, register the client to the HSM, setting a client name and providing the Virtual CipherTrust Manager IP address.

    lunash:>client register -client <client_name> -ip <Virtual_CipherTrust_IP_address>
    
  9. Assign the HSM partition to the client.

    lunash:>client assignPartition -client <client_name> -partition <partition_name>
    
  10. Run client show -c <client_name> to verify that the partition has been assigned to the client.

To add the HSM connection to the Virtual CipherTrust Manager

  1. Login to the Virtual CipherTrust Manager.

  2. Navigate to System > HSMs.

  3. Select SafeNet Luna SA 5, 6, or 7 - Network HSM.

  4. Enter the following values:

    • Partition label

    • Partition Password: the Crypto Officer password created above

    • Partition Serial Number

    • IP of the Dedicated HSM

    • HSM server certificate

    • Client certificate

    • Client certificate key

  5. Click Next to be taken to a validation page.

    If the validation is successful the server will restart and you will be prompted to login again.

  6. Login with the default credentials (username: admin , password: admin).

  7. Change the password and login.

  8. Verify that the HSM has been added on System > HSMs.