Network Configuration
The ProtectServer Network HSM is intended to be installed in a data center and accessed remotely over a network. Network access is provided by two Ethernet LAN ports. The ProtectServer Network HSM is also equipped with an RJ-45 console port, used to provide serial access to the appliance for initial network configuration.
The network device interfaces (eth0 and eth1) and console port are located on the front of the appliance, as illustrated below:
Serial port
Connect a serial device to the ProtectServer Network HSM to perform initial network configuration via PSESH. Use the console port to configure at least one of the network interfaces. Once you have configured an interface, you can connect the appliance to the network and access PSESH to complete the network configuration.
Appliance configuration
The following network parameters are configured at the appliance level:
> Appliance hostname. A hostname is optional, unless you are using DNS.
Ethernet LAN device configuration
The ProtectServer Network HSM is equipped with two individually-configurable Ethernet LAN network devices. You can configure the following network settings for each device:
> IPv4 or IPv6 address. You can configure the addresses using static or DHCP addressing.
> Network gateway. Devices must use a gateway appropriate for the network (IPv4 or IPv6).
> Network mask. IPv4 devices must use dotted-quad format (for example, 255.255.255.0). IPv6 devices can use full or shorthand syntax.
> Static network route.
> DNS configuration. Although you configure DNS at the device level, the settings you configure for a device are available to all devices on the appliance if the configured device is connected to the network. To ensure DNS access, it is recommended that you configure each device. You can configure the following settings:
  • DNS nameservers
  • DNS search domains
  These settings apply to static network configurations only. If you are using DHCP, the DNS search domains and DNS nameservers configured on the DHCP server are used.
> Network device bonding
Gathering Appliance Network Information
Before you begin, obtain the following information (see your network administrator for most of these items):
HSM Appliance Network Parameters
> IP address and subnet mask for each LAN port you want to use (if you are using static IP addressing)
> Hostname for the HSM appliance (registered with network DNS)
> Domain name (per port)
> Default gateway IP address (per port)
> DNS Name Server IP address(es) (per port)
> Search Domain name(s) (per port)
> Device subnet mask (per port)
DNS Entries
> Ensure that you have configured your DNS Server(s) with the correct entries for the appliance and the client.
> If you are using DHCP, then all references to the Client and the HSM appliance (as in Certificates) should use hostnames.
Configuring the Network Parameters
You can use the serial connection to configure all of your network parameters, or configure a single port and use it to access the appliance over the network and complete the configuration.
NOTE Use a locally-connected serial terminal when changing the appliance IP address, to avoid SSH admin console disconnection.
To configure the appliance and port network parameters
It is recommended that you configure and test each device. You need to know the IP address of at least one network interface to establish an SSH connection to the appliance.
1. Log in to the appliance as admin or pseoperator.
2. Configure the IP address, network mask, and gateway (optional) on at least one of the Ethernet LAN ports (eth0 or eth1). You can specify a static address, or retrieve one from a DHCP server. You can configure each port to use an IPv4 or IPv6 address.
Static: psesh:> network interface static -device <netdevice> -ip <IP_address> -netmask <netmask> [-gateway <IP_address>]
DHCP: psesh:> network interface dhcp -device <netdevice>
Either of these commands will prompt you to restart the network service.
3. [Optional] Configure network interface bonding. This allows the two network devices to function as a single interface, with a single MAC address, improving bandwidth and providing redundancy.
NOTE Use network interface bonding with static IP addresses only. If DHCP is used, the bond will be broken if one interface is assigned a different IP.
psesh:> network interface bonding config -ip <IP> -netmask <IP> [-gateway <IP>] [-mode <mode>]
psesh:> network interface bonding enable
psesh:> sysconf appliance reboot
Multiple bonding modes provide different options for load-balancing between the two physical interfaces:
•0: Balance Round Robin. Packets are transmitted alternately on each device in the bond, providing load balancing and fault tolerance.
•1: Active-Backup. One bonded device is active and the other serves as a backup. The backup only becomes active if the active device loses connectivity.
•2: Balance XOR. Transmits based on an XOR formula, where the source MAC address is XOR'd with the destination MAC address. The same bonded device is selected for each destination MAC address, providing load balancing and fault tolerance.
•3: Broadcast. All packets are transmitted on both bonded interfaces, providing fault tolerance.
•4: 802.3ad (Dynamic Link Aggregation). Creates aggregated groups that share the same speed and duplex settings. This mode requires a switch that supports IEEE 802.3ad dynamic links. The device used for an outgoing packet is selected by the transmit hash policy (by default, a simple XOR). This policy can be changed via the xmit_hash_policy option. NOTE: Check the 802.3ad standard to ensure that your transmit policy is 802.3ad-compliant. In particular, check section 43.2.4 for packet mis-ordering requirements. Non-compliance tolerance may vary between different peer implementations.
•5: Balance TLB (Transmit Load Balancing). Outgoing traffic is distributed according to the current load and queue on each bonded device. Incoming traffic is received by the current device.
•6: Balance ALB (Adaptive Load Balancing). Both outgoing and incoming traffic is load-balanced like outgoing traffic in mode 5. Incoming load balancing is governed by ARP negotiation. The bonding driver intercepts the ARP replies sent by the appliance and overwrites the source hardware address with the unique hardware address of one of the bonded devices. Different clients will therefore use different hardware addresses for the appliance.
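The following is an added example, not Thales code or PSESH output: a simplified Python model of how the transmit side of bonding modes 0, 1 and 2 chooses one of the two physical devices. The mode-2 hash is modelled as the XOR of the last byte of the source and destination MAC addresses, modulo the number of devices; the exact hash used by the appliance's bonding driver is assumed, not taken from the page. The sample MAC addresses are constructed.

```python
from typing import List, Optional

# Added example (not Thales code): transmit-side device selection for
# bonding modes 0, 1 and 2 on a two-device bond. The XOR hash below is a
# simplified model, not the driver's exact policy.

def _last_byte(mac: str) -> int:
    """Return the final octet of a colon-separated MAC address as an int."""
    return int(mac.split(":")[-1], 16)

def round_robin_device(packet_index: int, n_devices: int = 2) -> int:
    """Mode 0: packets alternate across devices regardless of destination."""
    return packet_index % n_devices

def active_backup_device(link_up: List[bool]) -> Optional[int]:
    """Mode 1: the first device with link carries all traffic; the others
    stay idle. Returns None when no device has link."""
    for index, up in enumerate(link_up):
        if up:
            return index
    return None

def balance_xor_device(src_mac: str, dst_mac: str, n_devices: int = 2) -> int:
    """Mode 2 (and the default 802.3ad transmit hash): source MAC XOR
    destination MAC, so a given destination always uses the same device."""
    return (_last_byte(src_mac) ^ _last_byte(dst_mac)) % n_devices

def xor_distribution(appliance_mac: str, client_macs: List[str],
                     n_devices: int = 2) -> List[int]:
    """Count how many clients the XOR policy maps to each device. Because the
    choice depends only on addresses, the split across devices can be uneven."""
    counts = [0] * n_devices
    for mac in client_macs:
        counts[balance_xor_device(appliance_mac, mac, n_devices)] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample: one appliance MAC and four client MACs (not real hosts).
    appliance = "02:00:00:00:00:10"
    clients = ["02:00:00:00:00:11", "02:00:00:00:00:12",
               "02:00:00:00:00:13", "02:00:00:00:00:15"]
    for mac in clients:
        print(f"{mac} -> eth{balance_xor_device(appliance, mac)}")
    print("clients per device:", xor_distribution(appliance, clients))
```

Running the sample shows three of the four clients landing on the same device: per-destination hashing gives fault tolerance, but it only balances load when the destination addresses happen to spread across the hash.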
4. [Optional] Set the appliance hostname and domain name.
psesh:> network hostname <hostname>
psesh:> network domain <netdomain>
You must configure your DNS server to resolve the hostname to the IP address configured on the Ethernet port of the appliance. Do this for each Ethernet port connected to a network. See your network administrator for assistance.
5. [Optional] Add a domain name server to the network configuration for the appliance. The name server is added to the appliance DNS table. There is one DNS table that applies to all network devices (ports) on the appliance.
psesh:> network dns add nameserver <IP_address> -device <net_device>
NOTE The domain name settings apply to static network configurations only. If you are using DHCP, the DNS name servers configured on the DHCP server are used.
When you add a DNS server to a specific network device, it is added to the DNS table for the appliance and becomes available to both devices, provided the device you added it to is connected to the network. For example, if you add a DNS server to eth0, eth1 will be able to access the DNS server if eth0 is connected to the network. If eth0 is disconnected from the network, eth1 also loses DNS server access. To ensure that any DNS server you add is available in the event of a network or port failure, it is recommended that you add it to both network-connected devices.
6. [Optional] Add a search domain to the network configuration. These are automatically appended to an internet address you specify in PSESH. For example, if you add the search domain mycompany.com, entering the command network ping hsm1 would search for the domain hsm1.mycompany.com. If the domain resolves, it pings the device with that hostname.
psesh:> network dns add searchdomain <domain> -device <net_device>
The search domain is added to the appliance DNS table.
NOTE The search domain settings apply to static network configurations only. If you are using DHCP, the DNS search domains configured on the DHCP server are used.
When you add a DNS search domain to a specific network device, it is added to the DNS table for the appliance and becomes available to both devices, provided the device you added it to is connected to the network. For example, if you add a search domain to eth0, eth1 will be able to use the search domain if eth0 is connected to the network. If eth0 is disconnected from the network, eth1 also loses the search domain. To ensure that any search domain you add is available in the event of a network or port failure, it is recommended that you add it to both network-connected devices.
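The following is an added example, not Thales code: a small Python model of the appliance DNS table behaviour described in steps 5 and 6, with a check that flags nameservers or search domains registered on only one device (the case the recommendation above is meant to avoid). The device names eth0 and eth1 are the page's; the sample addresses are constructed documentation values, and the order in which a resolver tries search domains is an assumption.

```python
from collections import Counter
from typing import Dict, List

# Added example (not Thales code). Models the single appliance DNS table:
# an entry added with '-device ethN' is usable by both devices only while
# ethN is connected to the network.

def available_entries(dns_table: Dict[str, List[str]],
                      link_up: Dict[str, bool]) -> List[str]:
    """Entries (nameservers or search domains) currently usable appliance-wide,
    given which devices have a network connection."""
    usable: List[str] = []
    for device, entries in dns_table.items():
        if not link_up.get(device, False):
            continue                     # device disconnected: its entries are lost
        for entry in entries:
            if entry not in usable:
                usable.append(entry)
    return usable

def single_device_entries(dns_table: Dict[str, List[str]]) -> List[str]:
    """Entries registered on only one device, i.e. lost if that device's link
    fails. An empty list means every entry was added to both devices."""
    counts = Counter(entry for entries in dns_table.values() for entry in entries)
    return sorted(entry for entry, seen in counts.items() if seen < 2)

def search_candidates(name: str, search_domains: List[str]) -> List[str]:
    """Names tried for a short name such as 'hsm1': each search domain
    appended in order, then the bare name (assumed resolver order)."""
    return [f"{name}.{domain}" for domain in search_domains] + [name]

if __name__ == "__main__":
    # Constructed sample: 192.0.2.53 added to both devices, 198.51.100.53 to eth1 only.
    table = {"eth0": ["192.0.2.53"], "eth1": ["192.0.2.53", "198.51.100.53"]}
    print("eth1 link down ->", available_entries(table, {"eth0": True, "eth1": False}))
    print("single point of failure ->", single_device_entries(table))
    print(search_candidates("hsm1", ["mycompany.com"]))
```

With eth1 disconnected the appliance keeps only the nameserver that was also added to eth0; the check function reports the other one so it can be added to the second device before a port failure exposes the gap.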
If you have chosen to perform setup via SSH, you will likely lose your network connection as you confirm the change of IP address from the default setting.
7. [Optional] Add iptables ACCEPT and DROP rules to manage network access to the appliance.
By default, the ProtectServer Network HSM allows access to all networks and hosts. The default policy for the INPUT and OUTPUT chain is set to ACCEPT. The default policy for the FORWARD chain is set to DROP, since the ProtectServer Network HSM is not used to forward packets, as in a router or proxy.
CAUTION! If you are configuring iptables via SSH, a malformed rule can cause a lockout.
a. To add an ACCEPT rule, specify a host or network:
psesh:> network iptables addrule accept host -ip <IP_address>
psesh:> network iptables addrule accept network -net <IP_address> -mask <netmask>
b. To add a DROP rule, specify a host or network:
psesh:> network iptables addrule drop host -ip <IP_address>
psesh:> network iptables addrule drop network -net <IP_address> -mask <netmask>
c. To see the current list of rules:
psesh:> network iptables show
d. To delete a rule, specify the rule's position on the list:
psesh:> network iptables delrule -rulenum <number>
A rule's number is based on its current list position, so executing network iptables delrule -rulenum 1 multiple times will eventually delete the entire list.
e. Save your iptables changes:
psesh:> network iptables save
You must execute this command, or any changes will be lost on the next appliance reboot.
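The following is an added example, not Thales code or PSESH output: a Python model of the appliance INPUT chain as step 7 describes it (default policy ACCEPT, rules added in order, `delrule -rulenum` addressed by current list position), plus a pre-save check for the lockout the CAUTION above warns about. It assumes standard iptables semantics, where the first matching rule decides; the addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not Thales code). Models the INPUT chain described on this
# page: rules are appended in the order added, the first matching rule wins
# (standard iptables behaviour, assumed to hold for the appliance), the
# default policy is ACCEPT, and rule numbers are 1-based list positions.

class InputChain:
    def __init__(self, default_policy: str = "accept") -> None:
        self.rules: List[Tuple[str, ipaddress.IPv4Network]] = []
        self.default_policy = default_policy

    def addrule(self, action: str, ip: str, mask: Optional[str] = None) -> None:
        """'addrule accept|drop host -ip X' when mask is None,
        'addrule accept|drop network -net X -mask M' otherwise."""
        if action not in ("accept", "drop"):
            raise ValueError("action must be accept or drop")
        net = ipaddress.IPv4Network((ip, mask or "255.255.255.255"), strict=False)
        self.rules.append((action, net))

    def delrule(self, rulenum: int) -> None:
        """Delete by position; later rules shift up, so their numbers change."""
        del self.rules[rulenum - 1]

    def show(self) -> List[str]:
        """Numbered listing in the style of 'network iptables show'."""
        return [f"{i} {action.upper()} {net}"
                for i, (action, net) in enumerate(self.rules, 1)]

    def verdict(self, src_ip: str) -> str:
        """Action applied to a packet from src_ip: first match, else policy."""
        addr = ipaddress.IPv4Address(src_ip)
        for action, net in self.rules:
            if addr in net:
                return action
        return self.default_policy

def would_lock_out(chain: InputChain, admin_ip: str) -> bool:
    """Pre-save check: True if the host running the SSH session would be dropped."""
    return chain.verdict(admin_ip) != "accept"

if __name__ == "__main__":
    # Constructed sample: admin workstation 10.0.0.5 in a /24 that is otherwise dropped.
    chain = InputChain()
    chain.addrule("accept", "10.0.0.5")                    # host rule first
    chain.addrule("drop", "10.0.0.0", "255.255.255.0")     # then the network rule
    print(chain.show())
    print("lockout:", would_lock_out(chain, "10.0.0.5"))   # False: accept matches first

    wrong = InputChain()
    wrong.addrule("drop", "10.0.0.0", "255.255.255.0")     # network rule first...
    wrong.addrule("accept", "10.0.0.5")                    # ...so this never matches
    print("lockout:", would_lock_out(wrong, "10.0.0.5"))   # True

    while chain.rules:                                     # 'delrule -rulenum 1' repeated
        chain.delrule(1)                                   # empties the whole list
    print(chain.show())
```

Rule order is the whole point: the same two rules accept or lock out the administrator depending on which was added first, and repeating `delrule -rulenum 1` walks the list down to nothing because positions renumber after every deletion. Running the check before `network iptables save` is a cheap guard when working over SSH.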
8. After making any change to the network configuration, reboot the appliance:
psesh:> sysconf appliance reboot
9. View the new network settings:
psesh:> network show
SSH Network Access
After you have completed the network configuration, you can access the ProtectServer Network HSM over the network using the SSH protocol. You need an SSH client such as PuTTY (available for free from www.putty.org).