
Step 4: Network Configuration

IPv4 and IPv6 network addressing are supported. IPv4 addressing can be configured manually (as root) as described below, or by using PSESH (as admin or pseoperator) as described in PSESH Command Reference. IPv6 addressing must be configured manually by logging in as root and using standard Linux commands.

Setting the IP address

With PSESH (recommended)

It is recommended that you use psesh:> network interface to configure the IPv4 address, instead of the manual procedure below. See network interface for command syntax.

Manually

The SafeNet ProtectServer Network HSM is equipped with two NICs (eth0 and eth1). Dual-stack support allows you to configure the interfaces with both an IPv4 and IPv6 address. Refer to the Linux documentation for the commands required to set the IPv6 address.

The IP address for each NIC is specified in these files:

NIC     Configuration file
eth0    /etc/sysconfig/network-scripts/ifcfg-eth0
eth1    /etc/sysconfig/network-scripts/ifcfg-eth1

Note: If you want to use the eth1 interface, you must create this file. The recommended method is to copy, rename, and edit the ifcfg-eth0 file.

The entries in the ifcfg-eth[0|1] files are similar to the following:

DEVICE="eth0"
BOOTPROTO="static"
HWADDR="00:0D:48:3B:15:30"
IPADDR="192.168.9.35"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2607:f0d0:1002:0011:0000:0000:0000:0002
IPV6_DEFAULTGW=2607:f0d0:1002:0011:0000:0000:0000:0001

Edit the files as required to specify the IP address and network mask for each NIC. You must configure at least one of the NICs. The second needs to be configured only if you want to use it.
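The copy-rename-edit step for ifcfg-eth1 as an added example (not from the guide): the sample ifcfg-eth0, the eth1 MAC 00:0D:48:3B:15:31 and the address 192.168.9.36 are constructed, and the helper names derive_ifcfg and ifcfg_get are this example's own. It refuses to write a file that still carries eth0's HWADDR or IPADDR, the usual mistake when a copied file is only partly edited.

```shell
#!/bin/sh
# Added example, not from the guide: create ifcfg-eth1 the way the note
# above describes (copy ifcfg-eth0, rewrite the interface-specific keys)
# and refuse to write a file that still carries eth0's MAC or IP address.
# The sample ifcfg-eth0 below is constructed for this example.

WORK=$(mktemp -d)
SAMPLE_ETH0="$WORK/ifcfg-eth0"
cat > "$SAMPLE_ETH0" <<'EOF'
DEVICE="eth0"
BOOTPROTO="static"
HWADDR="00:0D:48:3B:15:30"
IPADDR="192.168.9.35"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT=yes
EOF

# ifcfg_get FILE KEY: print KEY's value with surrounding quotes removed.
ifcfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1"
}

# derive_ifcfg SRC DST DEVICE HWADDR IPADDR
# Writes DST as a copy of SRC with DEVICE, HWADDR and IPADDR replaced.
# Returns 1 (and writes nothing) if HWADDR or IPADDR is the same as in
# SRC, since two NICs sharing a MAC or an address is the usual copy mistake.
derive_ifcfg() {
    src=$1 dst=$2 dev=$3 mac=$4 ip=$5
    if [ "$mac" = "$(ifcfg_get "$src" HWADDR)" ]; then
        echo "HWADDR $mac is already used in $src" >&2; return 1
    fi
    if [ "$ip" = "$(ifcfg_get "$src" IPADDR)" ]; then
        echo "IPADDR $ip is already used in $src" >&2; return 1
    fi
    sed -e "s/^DEVICE=.*/DEVICE=\"$dev\"/" \
        -e "s/^HWADDR=.*/HWADDR=\"$mac\"/" \
        -e "s/^IPADDR=.*/IPADDR=\"$ip\"/" "$src" > "$dst"
}
```

On the appliance the SRC and DST paths would be the two files from the table above; here they point into a temporary directory so the script runs anywhere.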

Setting the hostname and default gateway

With PSESH (recommended)

It is recommended that you use psesh:> network interface dhcp or psesh:> network interface static to set the hostname and gateway, instead of using the manual procedure below. See network interface dhcp and network interface static for command syntax.

Manually

Set the default gateway (that this SafeNet ProtectServer Network HSM should use) by editing the file /etc/sysconfig/network.

If you ever want to address the unit by its name using the loopback connection, you can set the hostname by editing the /etc/hosts file and the /etc/sysconfig/network file (which governs external connections).

Setting a name server

With PSESH (recommended)

It is recommended that you use psesh:> network dns to set the name server, instead of using the manual procedure below. See network dns for command syntax.

Manually

The SafeNet ProtectServer Network HSM processing modules do not have the resources to operate as their own name servers. If name resolution is required, it needs to be provided by a DNS server on the network. In order for the SafeNet ProtectServer Network HSM to use the DNS server, you must add an entry for the DNS server to the file /etc/resolv.conf, in the following format:

nameserver <IP-ADDRESS>

Setting access control

With PSESH (recommended)

It is recommended that you use psesh:> network iptables to configure the iptables instead of using the manual procedure below. See network iptables for command syntax.

Manually

Access control on the SafeNet ProtectServer Network HSM is performed using iptables(8). Below is a list of iptables(8) commands:

iptables -[ADC] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -N chain
iptables -X [chain]
iptables -P chain target [options]
iptables -L [chain]

The following iptables configuration prevents access to all but one IP address:

1. iptables -F INPUT (flushes any existing rules from the INPUT chain)

2. iptables -A INPUT -s [ip-address] -j ACCEPT (sets an IP address from which connections are accepted)

3. iptables -A INPUT -j DROP (drops everything else)

Once a table configuration has been created that provides suitable network access, it can be stored as the active network configuration using the following command:

/etc/init.d/iptables save active

Before iptables(8) is completely configured, it should have an inactive table defined. This is less critical, as there is very little running in the operating system by the time the inactive table is loaded. The following is a suitable inactive table:

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
/etc/init.d/iptables save inactive

The active iptables configuration must be restored before connections to the SafeNet ProtectServer Network HSM are allowed. The following command restores the previously saved active configuration.

/etc/init.d/iptables stop
/etc/init.d/iptables start
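The active table above, as an added example that is not part of the guide: it prints the iptables commands for one or more allowed client addresses instead of running them, validates each address before it is placed in a rule, and adds two lines the guide's three rules do not have (accept loopback, and accept replies to connections the appliance itself opens, such as queries to the name server from /etc/resolv.conf, which a bare INPUT DROP would otherwise discard). The function names valid_ipv4 and active_rules and the address 192.168.9.40 are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: build the "allow one address, drop
# the rest" INPUT configuration as a list of iptables commands. Nothing
# is executed; the output can be reviewed and then run as root.

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255,
# so that only a real address (never a stray option) reaches "-s".
valid_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# active_rules ADDR...: print the active INPUT chain for the given client
# addresses and the save command from the guide. The loopback and
# ESTABLISHED,RELATED lines are an addition to the guide's three rules:
# without them the appliance's own outbound connections get no replies.
active_rules() {
    [ $# -ge 1 ] || { echo "no client address given" >&2; return 1; }
    for _a in "$@"; do
        valid_ipv4 "$_a" || { echo "invalid address: $_a" >&2; return 1; }
    done
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for _a in "$@"; do
        echo "iptables -A INPUT -s $_a -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"
    echo "/etc/init.d/iptables save active"
}

# As root on the appliance, after reviewing the output:
#   active_rules 192.168.9.40 | sh
```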

Restarting networking

After making any change to the networking configuration, reboot the SafeNet ProtectServer Network HSM. As admin or pseoperator, enter the PSESH command sysconf appliance reboot.

As root, enter the following Linux command to restart networking:

/etc/init.d/networking restart

Continue to Step 5: SSH Network Access