Configuring IP and Network Parameters

The Luna Network HSM is a network device that is intended to be installed in a data center and accessed remotely over a network. Network access to the Luna Network HSM is provided by four 1 Gb/s Ethernet LAN ports. The Luna Network HSM is also equipped with an RJ-45 serial port, used to provide serial access to the appliance for initial network configuration.

NOTE   Always employ network security best practices. Place the Luna Network HSM behind a firewall.

The network device interfaces (eth0, eth1, eth2, and eth3) and serial port are located on the rear of the appliance, as illustrated below:

Serial port

Thales recommends using a device connected to the Luna Network HSM appliance serial port to make any changes to the network configuration and routes. If you use an SSH connection to make such changes, the connection can be disrupted by the changes, and associated commands may be interrupted. Partially-configured network settings can make the Luna Network HSM inaccessible via remote SSH connection.

Ethernet LAN device configuration

Depending on the model you chose at time of purchase, the Luna Network HSM is equipped with:

>4 individually configurable 1 Gb/s auto-sensing Ethernet LAN network devices

>2 10G SFP optical Ethernet network interfaces (mapped to eth0/eth1) and 2 1G copper RJ-45 network interfaces (mapped to eth2/eth3)

You can configure the following network settings for each device:

>IPv4 or IPv6 address. You can configure the addresses using static or DHCP addressing. If you are using IPv6 addressing, you can also use Stateless Address Autoconfiguration (SLAAC) to have a SLAAC-enabled router in your network automatically configure an IPv6 address on a device.

>Network gateway. IPv4 devices must use an IPv4 gateway. IPv6 devices must use an IPv6 gateway.

>Network mask. IPv4 devices must use dotted-quad format (for example, 255.255.255.0). IPv6 devices can use full or shorthand syntax.

>Static network route.

>DNS configuration. Although you configure DNS at the device level, the settings you configure on a device are shared by all devices on the appliance, as long as the device you configured them on is connected to the network. To keep name resolution working if a port goes down, configure the settings on each device you will use. You can configure the following settings:

DNS nameservers. You can add up to three DNS nameservers.

DNS search domains.

These settings apply to static network configurations only. If you are using DHCP, the DNS search domains and DNS nameservers configured on the DHCP server are used.

Network Routing Table

The Luna Network HSM appliance software allows you to configure the routing table to suit your network. With appliance software versions older than 7.7.0, you can configure a default route for each network interface or bonded virtual interface (eth0/eth1/eth2/eth3/bond0/bond1). The default route for the device is defined automatically when using DHCP, or by specifying the -gateway option when configuring a static address.

Starting with appliance software 7.7.0, the network routing table can have one default route only, bound to one network device or bonded virtual interface. The default route is defined automatically when using DHCP, or by specifying the -gateway option when configuring a static address. Once a default route is defined, no additional default route can be added until the existing one is deleted. Run network show at any time to see which device holds the default route; the output reports Default Route (eth#) : Yes/No for each device.

NOTE   If you updated your appliance from an older software version to 7.7.0 or newer, your existing configuration is preserved. However, once you delete a default route on one device, you cannot add it back while a default route remains configured on a different device.

Use the network route commands to make changes to the routing table.

CAUTION!   A change to network routing when updating to Network HSM appliance version 7.7.0 or newer, from any prior 7.x version, can cause your appliance to become unreachable via network connection. Older appliance versions permitted the existence of multiple default routes. Beginning with appliance version 7.7.0, only one instance of the default route can exist.

Options for a successful update with minimal disruption are:

>Remove all but one instance of the default route, using the network route delete command, before upgrading from any pre-7.7.0 appliance software version.

OR

>Connect locally via serial cable to perform the update, so that your access to the appliance is not lost if the network connection becomes temporarily unavailable (pending proper network configuration).

Note also that if you reimage, going back to a pre-7.7.0 version, the routing table goes back to the old format and you must apply one of the above precautions again, to update.
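As an added example (not from the Thales documentation or from LunaSH itself), the following Python takes the text printed by network route show on a pre-7.7.0 appliance, lists every default route it finds, and builds the network route delete commands that leave exactly one, so they can be run before the update. It assumes the output uses the Linux route -n column layout (Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface), also accepting the ip route "default via ..." form, and that the address argument to network route delete default is the route's gateway, as the delete syntax on this page (routetype, address, -device) implies. The sample routing table is constructed. Check both assumptions against your appliance before pasting the generated commands.

```python
"""Find and trim multiple default routes before updating to appliance software 7.7.0.

Added example, not Thales code. Parses the routing table text that
`network route show` prints; the `route -n` column layout and the `ip route`
"default via" layout are assumptions about that output.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DefaultRoute:
    gateway: str
    device: str
    metric: int


# Constructed sample in the assumed `route -n` layout: two default routes, the
# state a pre-7.7.0 appliance can legitimately be in.
SAMPLE_ROUTE_SHOW = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
0.0.0.0         198.51.100.1    0.0.0.0         UG    100    0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""

# `ip route` layout: "default via <gw> dev <if> [... metric <n>]"
_IP_ROUTE_DEFAULT = re.compile(r"^default\s+via\s+(\S+)\s+dev\s+(\S+)(?:.*\bmetric\s+(\d+))?")


def parse_default_routes(text: str) -> List[DefaultRoute]:
    """Return every default route in the table, in the order listed."""
    found = []
    for line in text.splitlines():
        m = _IP_ROUTE_DEFAULT.match(line.strip())
        if m:
            found.append(DefaultRoute(m.group(1), m.group(2), int(m.group(3) or 0)))
            continue
        cols = line.split()  # `route -n` layout; a default route has destination 0.0.0.0 and flag G
        if len(cols) >= 8 and cols[0] in ("0.0.0.0", "default") and "G" in cols[3]:
            found.append(DefaultRoute(gateway=cols[1], device=cols[7], metric=int(cols[4])))
    return found


def cleanup_commands(routes: List[DefaultRoute], keep_device: str) -> List[str]:
    """LunaSH commands that delete every default route except the one on keep_device.

    The address argument is the route's gateway (assumed from the delete syntax
    on this page: network route delete <routetype> <ipaddress> -device <netdevice>).
    """
    keep = [r for r in routes if r.device == keep_device]
    if len(keep) != 1:
        raise ValueError(f"expected exactly one default route on {keep_device}, found {len(keep)}")
    return [f"network route delete default {r.gateway} -device {r.device}"
            for r in routes if r.device != keep_device]


def ready_for_7_7(text: str) -> bool:
    """True when the table already holds at most one default route, as 7.7.0+ requires."""
    return len(parse_default_routes(text)) <= 1


if __name__ == "__main__":
    routes = parse_default_routes(SAMPLE_ROUTE_SHOW)
    print("default routes:", routes)
    for cmd in cleanup_commands(routes, keep_device="eth0"):
        print("lunash:> " + cmd)
```

Keep the default route on the device your SSH session uses, and run the deletes from the serial console so that a mistake cannot lock you out.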

Port Bonding

The Luna Network HSM supports port bonding. Port bonding allows you to create a bond between two interfaces (eth0 and eth1, or eth2 and eth3) into a single bonded interface (bond0 or bond1). In a bonded interface, both ports are bound to a virtual interface with a single IP address, with one port active and one port standby. See Luna Network HSM Appliance Port Bonding for more information.

NTLS Binding

You can bind the NTLS traffic (used to securely transport cryptographic messages exchanged between a client and the HSM across the network) to a specific Ethernet device (eth0, eth1, eth2, eth3, bond0, bond1, all) on the appliance. This allows you to divide the traffic going to the appliance into cryptographic (destined for the HSM) and administrative (LunaSH) streams, for enhanced security and performance. See Binding Your NTLS or SSH Traffic to a Device for more information.

SSH Binding

You can optionally bind/restrict the SSH traffic (used to securely transport administrative messages across the network) to a specific Ethernet device (eth0, eth1, eth2, eth3, bond0, bond1, all) on the appliance, to the appliance hostname, or to a specific IP address. This allows you to divide the traffic going to the appliance into cryptographic (destined for the HSM) and administrative (LunaSH) streams, for enhanced security and performance. By default, SSH traffic is unrestricted. See Binding Your NTLS or SSH Traffic to a Device for more information.

Gathering Appliance Network Information

Before you begin, obtain the following information (see your network administrator for most of these items):

HSM Appliance Network Parameters

>IP address and subnet mask for each LAN port you want to use (if you are using static IP addressing)

>Hostname for the HSM appliance (registered with network DNS)

>Domain name (per port)

>Default gateway IP address (per port)

>DNS Name Server IP address(es) (per port)

>Search Domain name(s) (per port)

>Device subnet mask (per port)

DNS Entries

>Ensure that you have configured your DNS Server(s) with the correct entries for the appliance and the client. The Network HSM appliance expects fully qualified hostnames.

>If you are using DHCP, then all references to the Client and the HSM appliance (as in Certificates) should use hostnames.

Other Considerations

Clients need to be able to route directly to each HSM appliance they talk to, with no load balancing in place. The Luna Network HSM does not work with off-the-shelf load balancers or service discovery techniques, because NTLS is a TLS session established end to end between the client and a specific appliance. You can NAT or forward the traffic, provided it always reaches the same appliance and the TLS tunnel is not terminated by an intermediary.

Configuring the Network Parameters

You can use the serial connection to configure all of your network parameters now, or you can perform a minimal configuration now, where you only configure a single port, and then use the configured port to access the appliance over the network and complete the configuration.

NOTE   Use a locally connected serial terminal when changing the appliance IP address, to avoid SSH admin console disconnection due to the change.

To configure the appliance and port network parameters

You can configure all of the ports now, using the serial connection, or you can configure only one port now and then use a network connection to that port to configure the remaining ports. It is recommended that you configure and test each device. You need to know the IP address of at least one network interface to establish an SSH connection to the appliance.

Once configured, you can find the interface IP addresses on the appliance's front-panel LCD screen. If there is no IP address shown on the LCD, you must use a serial port connection to connect to the appliance.

1.Configure the IP address, network mask, and gateway (optional) on at least one of the Ethernet LAN ports, using the network interface commands. You can configure the ports to use an IPv4 or IPv6 address. A mix of IPv4 and IPv6 ports is supported. If you are configuring a static address, the -gateway option is used to define the default route for the appliance.

CAUTION!   Clients connecting to the appliance must use the same IP version that is configured on the port they are connecting to, so that certificates resolve. That is, all clients connecting to an IPv4 port must have an IPv4 address, and all clients connecting to an IPv6 port must have an IPv6 address.

If you are configuring an IPv4 address, you can configure a static address, or use DHCP.

Static: lunash:> network interface static -device <netdevice> -ip <IP_address> -netmask <netmask> [-gateway <IP_address>]

DHCP: lunash:> network interface dhcp -device <netdevice>

If you are configuring an IPv6 address, you can configure a static address, configure the port to obtain an IPv6 address using the Stateless Address Autoconfiguration (SLAAC) protocol, or use DHCP. To use SLAAC, you must have a SLAAC-enabled router in your network.

Static: lunash:> network interface static -device <netdevice> -ip <IP_address> -netmask <netmask> [-gateway <IP_address>] -ipv6

SLAAC: lunash:> network interface slaac -device <netdevice>

DHCP: lunash:> network interface dhcp -device <netdevice> -ipv6

You are prompted to confirm the action. If no network cable is attached to the port you configured, the following message is displayed:

Warning. Unable to activate interface <netdevice> Ensure that the network cable is connected.

This message is informational. The interface will automatically activate when you connect a network cable to the port.

2.[Optional] If you wish to use the Port Bonding feature described above to configure bond0 and/or bond1 interface, use lunash:> network interface bonding config and lunash:> network interface bonding enable. See Luna Network HSM Appliance Port Bonding for more information.

3.[Optional] Make any desired changes to the appliance network routing table. Note that the first network route configured (either automatically using DHCP, or by specifying a valid -gateway option when configuring a static IP on a network device) becomes the default route. If you wish to change this default route, you must first delete the original default route. The default route remains constant if you switch the device between static and DHCP address selection. See Network Routing Table for more information.

lunash:> network route show

lunash:> network route add <routetype> <IP_address> -device <netdevice>

lunash:> network route delete <routetype> <ipaddress> -device <netdevice>

lunash:> network route metric -name <netdevice> -metric <metric>

4.[Optional] Set the appliance hostname and domain name. You can specify a simple hostname or a Fully Qualified Domain Name (FQDN) using the format <hostname.domainname>. If you supply a hostname that includes a space, all text after the space is ignored. For example, if you typed network hostname my hsm, the system would assign a hostname of "my". Therefore, if you want "my hsm", use "my_hsm", "my-hsm", or similar.

lunash:> network hostname <hostname>

You must configure your DNS server to resolve the hostname to the IP address configured on the Ethernet port of the appliance. Do this for each Ethernet port you are configuring. See your network administrator for assistance.

5.[Optional] If you wish to use the NTLS or SSH binding features described above to restrict NTLS or SSH messages to an interface (eth0, eth1, eth2, eth3, bond0, bond1, all), use the ntls bind or sysconf ssh commands. See Binding Your NTLS or SSH Traffic to a Device for more information.

6.[Optional] Add a domain name server to the network configuration for the appliance. The name server is added to the appliance DNS table. You can add up to three different DNS name servers to the appliance DNS table. There is one DNS table that applies to all network devices (ports) on the appliance.

NOTE    The DNS name server settings apply to static network configurations only. If you are using DHCP, the DNS name servers configured on the DHCP server are used.

When you add a DNS server, you add it to a specific network device on the appliance (eth0, eth1, eth2, eth3, bond0, bond1). When you add a DNS server to a device, it is added to the DNS table for the appliance and becomes available to all devices on the appliance, provided the device you added it to is connected to the network. For example, if you add a DNS server to eth0, all devices will be able to access the DNS server if eth0 is connected to the network. If eth0 is disconnected from the network, access to the DNS server is lost for any devices to which you did not add the DNS server. To ensure that any DNS server you add is available in the event of a network or port failure, it is recommended that you add it to all devices you will use to connect the appliance to the network.

lunash:> network dns add nameserver <ip_address> -device <net_device>

7.[Optional] Add a search domain to the network configuration for the appliance. Search domains let you refer to frequently used hosts by short name: LunaSH appends the search domain to an unqualified name you enter. For example, if you add the search domain mycompany.com, the command network ping hsm1 would look up hsm1.mycompany.com. If that name resolves, the command pings the host with that hostname.

The search domain is added to the appliance DNS table. You can add a maximum of six search domains totaling no more than 256 characters.

NOTE    The search domain settings apply to static network configurations only. If you are using DHCP, the DNS search domains configured on the DHCP server are used.

When you add a DNS search domain, you add it to a specific network device on the appliance (eth0, eth1, eth2, eth3, bond0, bond1). When you add a search domain to a device, it is added to the DNS table for the appliance and becomes available to all devices on the appliance, provided the device you added it to is connected to the network. For example, if you add a search domain to eth0, all devices will use the search domain if eth0 is connected to the network. If eth0 is disconnected from the network, the search domain is not used by any devices to which you did not add the search domain. To ensure that any search domain you add is available in the event of a network or port failure, it is recommended that you add it to all devices you will use to connect the appliance to the network.

lunash:> network dns add searchdomain <domain> -device <net_device>

If you have chosen to perform setup via SSH, rather than via the direct (serial) administrative connection, then you will likely lose your network connection at this point, as you confirm the change of IP address from the default setting.

8.Display the current network settings, so you can verify that they are now correct for your environment before attempting to use them.

lunash:> network show
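As an added example, not Thales code: a small Python planner that turns a declarative description of the appliance's network settings into the LunaSH command sequence used in the steps above, and refuses plans that break the rules this page states (one default route on appliance software 7.7.0 or newer, with a DHCP interface counting as one because DHCP sets the default route automatically; gateway and address of the same IP family; dotted-quad masks on IPv4 devices; at most three name servers and six search domains totalling 256 characters; no spaces in the hostname; DNS entries only on static devices, repeated on each static device as the page recommends). Command spellings are taken from the page; the argument form of the optional ntls bind line and the sample plan values (documentation addresses, hostname hsm1.example.com) are assumptions for illustration. Review the generated commands, then type them over the serial console.

```python
"""Declarative network plan -> LunaSH command list for a Luna Network HSM.

Added example, not Thales code. Command syntax follows this page; the
validation rules are the constraints the page states for appliance
software 7.7.0 or newer. Sample values are documentation addresses.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

DEVICES = ("eth0", "eth1", "eth2", "eth3", "bond0", "bond1")
MAX_NAMESERVERS = 3      # page: up to three DNS nameservers
MAX_SEARCH_DOMAINS = 6   # page: at most six search domains ...
MAX_SEARCH_CHARS = 256   # ... totalling no more than 256 characters


@dataclass
class Interface:
    device: str
    ip: Optional[str] = None        # None = DHCP (which also sets the default route)
    netmask: Optional[str] = None   # dotted quad for IPv4, prefix length for IPv6
    gateway: Optional[str] = None   # static only; defines the appliance default route
    ipv6: bool = False


@dataclass
class Plan:
    hostname: str
    interfaces: List[Interface]
    nameservers: List[str] = field(default_factory=list)
    search_domains: List[str] = field(default_factory=list)
    ntls_device: Optional[str] = None   # assumed argument form: "ntls bind <device>"


def _version(addr: str) -> int:
    return ipaddress.ip_address(addr).version


def check_plan(plan: Plan) -> Optional[str]:
    """Return a description of the first rule the plan breaks, or None if it is clean."""
    if not plan.hostname.strip() or " " in plan.hostname.strip():
        return "hostname must be non-empty and contain no spaces (text after a space is dropped)"
    if not plan.interfaces:
        return "configure at least one interface; you need its IP to reach the appliance over SSH"
    default_routes = []
    for i in plan.interfaces:
        if i.device not in DEVICES:
            return f"{i.device}: not an appliance network device"
        if i.ip is None:
            default_routes.append(i.device)   # DHCP defines the default route automatically
            continue
        want = 6 if i.ipv6 else 4
        try:
            if _version(i.ip) != want:
                return f"{i.device}: {i.ip} is not an IPv{want} address"
            if want == 4:
                ipaddress.IPv4Address(i.netmask)                      # dotted-quad mask required
                ipaddress.IPv4Network(f"{i.ip}/{i.netmask}", strict=False)
            elif not 1 <= int(i.netmask) <= 128:
                return f"{i.device}: IPv6 prefix length {i.netmask} out of range"
            if i.gateway is not None:
                if _version(i.gateway) != want:
                    return f"{i.device}: gateway {i.gateway} is not IPv{want}; families must match"
                default_routes.append(i.device)
        except (ValueError, TypeError) as exc:
            return f"{i.device}: {exc}"
    if len(default_routes) > 1:
        return ("only one default route is allowed on 7.7.0+; these devices would each set one: "
                + ", ".join(default_routes))
    if len(plan.nameservers) > MAX_NAMESERVERS:
        return f"at most {MAX_NAMESERVERS} name servers"
    for ns in plan.nameservers:
        try:
            ipaddress.ip_address(ns)
        except ValueError:
            return f"name server {ns!r} is not an IP address"
    if len(plan.search_domains) > MAX_SEARCH_DOMAINS:
        return f"at most {MAX_SEARCH_DOMAINS} search domains"
    if sum(len(d) for d in plan.search_domains) > MAX_SEARCH_CHARS:
        return f"search domains exceed {MAX_SEARCH_CHARS} characters in total"
    if plan.ntls_device is not None and plan.ntls_device not in DEVICES + ("all",):
        return f"ntls_device {plan.ntls_device}: must be a device name or 'all'"
    return None


def build_commands(plan: Plan) -> List[str]:
    """Emit the LunaSH commands in the order the procedure above uses them."""
    problem = check_plan(plan)
    if problem:
        raise ValueError(problem)
    cmds = []
    for i in plan.interfaces:
        if i.ip is None:
            cmds.append(f"network interface dhcp -device {i.device}" + (" -ipv6" if i.ipv6 else ""))
        else:
            cmd = f"network interface static -device {i.device} -ip {i.ip} -netmask {i.netmask}"
            if i.gateway:
                cmd += f" -gateway {i.gateway}"
            if i.ipv6:
                cmd += " -ipv6"
            cmds.append(cmd)
    cmds.append(f"network hostname {plan.hostname.strip()}")
    # DNS settings apply to static devices only; add them on every static device so
    # name resolution survives a single port going down.
    for i in plan.interfaces:
        if i.ip is None:
            continue
        for ns in plan.nameservers:
            cmds.append(f"network dns add nameserver {ns} -device {i.device}")
        for domain in plan.search_domains:
            cmds.append(f"network dns add searchdomain {domain} -device {i.device}")
    if plan.ntls_device:
        cmds.append(f"ntls bind {plan.ntls_device}")   # assumed argument form
    cmds.append("network show")                         # verify before relying on the settings
    return cmds


# Constructed sample plan: eth0 carries admin (SSH) traffic and the default route,
# eth1 is a second static port without a gateway, and NTLS is pinned to eth1.
SAMPLE_PLAN = Plan(
    hostname="hsm1.example.com",
    interfaces=[
        Interface("eth0", "192.0.2.10", "255.255.255.0", gateway="192.0.2.1"),
        Interface("eth1", "198.51.100.10", "255.255.255.0"),
    ],
    nameservers=["192.0.2.53"],
    search_domains=["example.com"],
    ntls_device="eth1",
)

if __name__ == "__main__":
    for line in build_commands(SAMPLE_PLAN):
        print("lunash:> " + line)
```

The check that most often bites in practice is the default-route one: a static port with -gateway plus a second port on DHCP is two default routes, which 7.7.0 and newer will not accept.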