hsm-gsg

Date post: 14-Oct-2015
AWS CloudHSM Getting Started Guide
Amazon Web Services

AWS CloudHSM: Getting Started Guide
Copyright 2014 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

The following are trademarks of Amazon Web Services, Inc.: Amazon, Amazon Web Services Design, AWS, Amazon CloudFront, Cloudfront, Amazon DevPay, DynamoDB, ElastiCache, Amazon EC2, Amazon Elastic Compute Cloud, Amazon Glacier, Kindle, Kindle Fire, AWS Marketplace Design, Mechanical Turk, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon VPC. In addition, Amazon.com graphics, logos, page headers, button icons, scripts, and service names are trademarks, or trade dress of Amazon in the U.S. and/or other countries. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon.

All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Contents

Getting Started with AWS CloudHSM ............................................ 1
   What Is AWS CloudHSM? ..................................................... 1
   Before You Begin .......................................................... 2
      Generating an SSH Key .................................................. 3
      Set up Using AWS CloudFormation ........................................ 5
      Manual Setup ........................................................... 9
   Getting Started .......................................................... 13
   Configuring Your HSM Appliance ........................................... 14
   Configuring Your HSM Client .............................................. 16
      Configuring a Linux HSM Client ........................................ 16
         Create a Network Trust Link using Linux ............................ 17
      Configuring a Windows HSM Client ...................................... 19
         Create a Network Trust Link using Windows .......................... 21
Operations and Maintenance .................................................. 23
   Configuring High Availability and Load Balancing ......................... 23
      HA Failover and Auto-Recovery ......................................... 27
      Best Practices for High Availability and Load Balancing ............... 28
   Resynchronizing HSM Appliances ........................................... 30
   Backing Up and Restoring HSM Data to a Luna SA Backup HSM ................ 31
   How to Stop Using an HSM ................................................. 36
   Best Practices ........................................................... 36
   Troubleshooting .......................................................... 37
   Appendices ............................................................... 37
      Connecting Multiple Client Instances to AWS CloudHSM with One Certificate  38
      Integrating Third-Party Applications with AWS CloudHSM ................ 40
      Sample Application .................................................... 41
      Building Your Own Applications ........................................ 43
Where to Get Additional Help ................................................ 44
Document History ............................................................ 45

Getting Started with AWS CloudHSM

AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud. This guide gives you a hands-on introduction to using AWS CloudHSM, by walking you through the steps needed to set up and configure your HSM appliance, integrate third-party software applications with AWS CloudHSM, and write a simple application that uses the HSM appliance. This guide also describes best practices for using the AWS CloudHSM service.

Topics
   What Is AWS CloudHSM? (p. 1)
   Before You Begin (p. 2)
   Getting Started with AWS CloudHSM (p. 13)
   Configuring Your HSM Appliance (p. 14)
   Configuring Your HSM Client (p. 16)
   Operations and Maintenance (p. 23)
   Configuring High Availability and Load Balancing (p. 23)
   Resynchronizing HSM Appliances (p. 30)
   Backing Up and Restoring HSM Data to a Luna SA Backup HSM (p. 31)
   How to Stop Using an HSM (p. 36)
   Best Practices (p. 36)
   Troubleshooting (p. 37)
   Appendices (p. 37)

What Is AWS CloudHSM?

A hardware security module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.

AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but additional protection is necessary for some applications and data that are subject to strict contractual or regulatory requirements for managing cryptographic keys.

Until now, your only options were to maintain the sensitive data or the encryption keys protecting the sensitive data in your on-premises data centers. However, those options either prevented you from migrating these applications to the cloud or significantly slowed application performance. AWS CloudHSM allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption in a way that ensures that only you have access to the keys. AWS CloudHSM helps you comply with strict key management requirements within the AWS cloud without sacrificing application performance.

AWS CloudHSM works with Amazon Virtual Private Cloud (Amazon VPC). HSM appliances are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your EC2 instances. Placing HSM appliances near your EC2 instances decreases network latency, which can improve application performance. Your HSM appliances are dedicated exclusively to you and are isolated from other AWS customers. Available in multiple regions and Availability Zones, AWS CloudHSM can be used to build highly available and durable applications.

For more information about Amazon VPC, see What Is VPC? in the Amazon Virtual Private Cloud User Guide.

Important
AWS strongly recommends that you use two or more HSM appliances in a high availability (HA) configuration. The failure of a single HSM appliance in a non-HA configuration can result in the permanent loss of keys and data. For information about how to set up a high availability configuration, see Configuring High Availability and Load Balancing (p. 23).

Before You Begin

Before you can use AWS CloudHSM, you must have an AWS account, sign up for the AWS CloudHSM service, and have a specific environment in which your HSM appliances are provisioned. To get AWS CloudHSM set up, perform the following steps.

To create an AWS account and sign up for CloudHSM

1. If you have an AWS account already, skip to the next step. If you don't already have an AWS account, use the following procedure to create one.
   a. Go to http://aws.amazon.com and click Sign Up Now.
   b. Follow the on-screen instructions.
   Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad. AWS notifies you by email when your account is active and available for you to use.
2. Sign up for AWS CloudHSM by clicking Contact Us on the AWS CloudHSM page, completing the form, and selecting Start service or Try the service. The AWS CloudHSM team will contact you with further instructions. In the meantime, complete the remaining steps.
3. You need an SSH key to connect to the HSM appliances with SSH. The public portion of this key is installed on the HSM appliance, which allows you to authenticate with the HSM appliance using the private key. You need to create this key no matter which procedure you use to set up your AWS CloudHSM environment. For more information about creating this key, see Generating an SSH Key (p. 3).

4. AWS CloudHSM requires the following environment before an HSM appliance can be provisioned.
   • A virtual private cloud (VPC) in the region where you want the AWS CloudHSM service. For more information about Amazon VPC, see What Is VPC? in the Amazon Virtual Private Cloud User Guide.
   • One private subnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into this subnet.
   • One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this subnet.
   • An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to AWS CloudHSM. This is needed so AWS CloudHSM can create and configure AWS resources, such as elastic network interfaces, on your behalf. For more information about IAM roles, see Roles in the Using IAM guide.
   • An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed. This instance is referred to as the control instance and is used to connect to and manage the HSM appliance.
   • A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This security group is attached to your control instances so you can access them remotely. For more information, see Authorizing Inbound Traffic for Your Instances in the Amazon Elastic Compute Cloud User Guide.

Complete one of the procedures below to set up your AWS CloudHSM environment.
   • Automatically Setting Up Your AWS CloudHSM Environment Using AWS CloudFormation (p. 5)
   • Manually Setting Up Your AWS CloudHSM Environment (p. 9)

Generating an SSH Key

AWS CloudHSM uses an SSH key pair to authenticate the manager account when logging in to the HSM appliance. When you sign up for the AWS CloudHSM service, you supply the public key to AWS. It is important that you only send the public key information to AWS. The public key is installed on the HSM appliance during provisioning. The private key must be available to any instance you use to connect to the HSM appliance.

You can generate the key pair on any machine, but you need to copy the private key to any instances that will be used to connect to the HSM appliance. If you generate the key pair on the same instance that you will use to connect to the HSM appliance, you don't have to copy the private key file. You can use an existing SSH key pair or generate a new one. There are many key pair generators available, but on Linux, a common generator is the ssh-keygen command. On Windows, you can use the PuTTYgen utility.

You should include a passphrase with the private key to prevent unauthorized persons from logging in to your HSM appliance. When you include a passphrase, you have to enter the passphrase whenever you log in to the HSM appliance.

Topics
   Generating an SSH Key on Linux (p. 4)
   Generating an SSH Key on Windows (p. 4)
   Copying the Private Key (p. 4)

Generating an SSH Key on Linux

To generate an SSH key on a Linux machine, you can use the ssh-keygen command. The command looks like the following:

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    df:c4:49:e9:fe:8e:7b:eb:28:d5:1f:72:82:fb:f2:69 [email protected]
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |         .       |
    |        o        |
    |       + .       |
    |      S *.       |
    |     . =.o.o     |
    |      ..+ +..    |
    |      .o Eo .    |
    |      .OO=.      |
    +-----------------+
    $

Generating an SSH Key on Windows

To generate an SSH key on a Windows machine, you can use the PuTTYgen utility. For more information about using the PuTTYgen utility to create a key pair, go to http://www.howtoforge.com/ssh_key_based_logins_putty.

PuTTYgen stores its private keys in a proprietary format that is only used by PuTTY. If you need to use the private key with an SSH client other than PuTTY, you can use PuTTYgen to convert the private key to OpenSSH format by clicking on Conversion in the PuTTYgen menu and selecting Export OpenSSH key.

Copying the Private Key

You must copy the private key to all instances that will be used to connect to the HSM appliance. These instances are referred to as control instances.

Topics
   Copy the Private Key to a Linux Instance (p. 4)
   Copy the Private Key to a Windows Instance (p. 5)

Copy the Private Key to a Linux Instance

Perform the following steps if your control instance is a Linux instance.

1. If the key was created using PuTTYgen, use PuTTYgen to convert the private key to OpenSSH format. For more information, see Generating an SSH Key on Windows (p. 4).

2. Copy the private key file from the machine it is stored on to the ~/.ssh/ directory on the control instance.
3. Connect to the control instance over SSH. The remaining steps in this procedure are performed from the control instance.
4. In the control instance, modify the permissions for the private key file.

       $ chmod 600 ~/.ssh/[private_key_file]

5. Use ssh-add to add the private key to the authentication agent. The ssh-add command prompts you for the passphrase that was used to secure the private key when it was generated.

       $ ssh-add ~/.ssh/[private_key_file]

   When you connect to the HSM appliance, this key is now used for authentication. You have to repeat this command every time you reconnect to the control instance. As an alternative, you can specify which private key file ssh and scp should use with the -i option.

Copy the Private Key to a Windows Instance

Perform the following steps if your control instance is a Windows instance.

1. Copy the private key file from the machine it was stored on to the directory on the control instance where your PuTTY keys are stored.
2. Connect to the control instance over RDP. The remaining steps in this procedure are performed from the control instance.
3. If the private key is not a PuTTY private key file, perform the following steps:
   a. In the control instance, use PuTTYgen to import the private key file that was copied by clicking on Conversion in the PuTTYgen menu, selecting Import key, and selecting the private key file. You are prompted for the passphrase for the key.
   b. In PuTTYgen, save the private key as a PuTTY private key file by selecting Save private key.

When you connect to the HSM appliance using PuTTY, you use this private key file for authentication. To prevent you from having to enter your passphrase every time you log in, you can use Pageant. Pageant is an SSH authentication agent that is used with PuTTY. It holds your private keys in memory, already decoded, so that you can use them often without needing to type a passphrase. For more information about Pageant, go to Using Pageant for authentication.

Automatically Setting Up Your AWS CloudHSM Environment Using AWS CloudFormation

You can use an AWS CloudFormation template provided by the AWS CloudHSM team to set up an environment automatically for use with AWS CloudHSM.

Topics
   AWS CloudHSM Environment Details (p. 6)
   Prerequisites (p. 7)
   Setting up Using AWS CloudFormation (p. 7)
   Preparing For Signup (p. 8)

AWS CloudHSM Environment Details

The following diagram demonstrates how AWS CloudFormation automatically sets up your AWS CloudHSM environment.

The following components are set up by AWS CloudFormation:

1. A VPC.
2. Subnets are created as follows: one subnet that is publicly accessible, and one private subnet per Availability Zone. For example:
   • For regions which have three Availability Zones, four VPC subnets are created: one subnet that is publicly accessible (3a), and three private subnets (3b, 3c, and 3d).
   • For regions which have two Availability Zones, three subnets are created: one subnet that is publicly accessible (3a), and two private subnets (3c and 3d).
   Note
   The AWS CloudHSM team provisions an HSM appliance into the private subnet, to isolate it from the rest of the Internet.
3. An EC2 control instance (m1.small running Amazon Linux x86 64-bit) in the public subnet, with the SafeNet client software already installed. This instance uses the key that you specified during the creation of the AWS CloudFormation stack.
4. Security groups that allow both SSH into the public subnet from the Internet, and SSH and NTLS into the private subnet from the public subnet.
5. An Elastic IP address for the control instance.
6. An IAM role that delegates AWS resource access to the AWS CloudHSM service.

7. IAM credentials used to send an Amazon SNS notification of your stack's configuration to the AWS CloudHSM team.

Prerequisites

Before you can start this process, you need the following:

   • Your AWS account must have room to create one more VPC in the selected region.
   • An Amazon EC2 key pair. This is used to authenticate with the control instance that AWS CloudFormation creates. This key pair must be created in the same region that the AWS CloudHSM service is set up in. For more information about Amazon EC2 key pairs, see Amazon EC2 Key Pairs in the Amazon Elastic Compute Cloud User Guide.
   • An SSH key. The public portion of this key is installed on the HSM appliance, which allows you to authenticate with the HSM appliance using the private key. For more information about creating this key, see Generating an SSH Key (p. 3).

Setting up Using AWS CloudFormation

Complete the following steps to use AWS CloudFormation to set up your AWS CloudHSM environment.

To use AWS CloudFormation to set up your AWS CloudHSM environment automatically

1. If you have not already done so, sign up for AWS CloudFormation. For more information, see Getting Started with AWS CloudFormation in the AWS CloudFormation User Guide.
2. Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation/.
3. Select one of the following regions where AWS CloudHSM is currently supported:
   • US East (Northern Virginia) Region
   • EU (Ireland) Region
   • US West (Oregon) Region
   • Asia Pacific (Sydney) Region
4. Launch the Create Stack wizard by clicking Create Stack.
5. In the Create A New Stack page, under Stack, enter a name for the stack, such as CloudHSM-Environment. The name can only contain alphanumeric characters and the dash character, and must start with a letter.
   Under Source, select Provide an S3 URL to template, enter one of the following URLs, depending on the selected region, and click Next Step.

   AWS CloudFormation Templates for AWS CloudHSM

   Template URL                                                     Region
   http://cloudhsm.s3.amazonaws.com/cloudhsm-quickstart.json        US East (Northern Virginia) Region
                                                                    US West (Oregon) Region
                                                                    EU (Ireland) Region
   http://cloudhsm.s3.amazonaws.com/cloudhsm-quickstart-2az.json    Asia Pacific (Sydney) Region

6. In the Specify Parameters page, enter the suffixes for your Availability Zones in the selected region. The number of Availability Zones, and their suffixes, vary by region and account. For example, in the US East (Northern Virginia) region, your account may only have access to the us-east-1a, us-east-1c, and us-east-1d Availability Zones. In this case, you would enter a, c, and d for the Availability Zone suffixes.
   To find the Availability Zones that your account has access to in a particular region, open the Amazon EC2 console at https://console.aws.amazon.com/ec2/, sign in if needed, and select the desired region. Your Availability Zones are displayed in the Service Health area of the EC2 Dashboard.
   Enter the suffixes that match the Availability Zones that are available to your account in the selected region.
   In the KeyName field, enter the name of an existing Amazon EC2 key pair. The Amazon EC2 key pair is used to authenticate with the control instance.
   Check the I acknowledge that this template may create IAM resources checkbox. This acknowledges that you understand that AWS CloudFormation will create an IAM role on your behalf.
   Click Next Step.
7. In the Options page, add any tags you want to apply to the stack, then click Next Steps.
8. In the Review page, review your settings, then click Create.
9. Select your stack in the AWS CloudFormation console. After the stack is created, the status changes to CREATE_COMPLETE. If an error occurs, the stack is rolled back and the status eventually changes to ROLLBACK_COMPLETE. You can use the Events tab in the AWS CloudFormation console to help determine why the failure occurred.
10. In the detail pane, click the Outputs tab to view the outputs associated with your stack. Note the following values, which you need to send to AWS:
   • The IAM role ARN from the AWS CloudFormation stack
   • The private subnet identifiers from the AWS CloudFormation stack
   • The client IP address from the AWS CloudFormation stack

You can now proceed to Getting Started with AWS CloudHSM (p. 13). For more information about AWS CloudFormation stacks, see Viewing the Outputs of an AWS CloudFormation Stack in the AWS CloudFormation User Guide.

Preparing For Signup

Collect the following information to provide to AWS:

   • The number of HSMs to have provisioned.
   • Your public SSH key. This is installed on the HSM appliances so that you can use your private SSH key to connect to them. For more information, see Generating an SSH Key (p. 3).
   • The IAM role ARN from the AWS CloudFormation stack.
   • The private subnet identifiers from the AWS CloudFormation stack.
   • The client IP address from the AWS CloudFormation stack.
   • An available IP address in each private subnet in your VPC to use as the IP addresses of the HSM appliances. You must choose an IP address that is not in use by any other network device on the subnet. AWS will allocate your HSM appliances according to Availability Zone availability and let you know which IP addresses were assigned.

Send email to the AWS CloudHSM team with this information. The AWS CloudHSM team creates an elastic network interface (ENI) and assigns one of the IP addresses that you specified to your HSM appliance. You use the SSH private key to connect to your HSM appliance.

Proceed to Getting Started with AWS CloudHSM (p. 13).

Manually Setting Up Your AWS CloudHSM Environment

The procedures below demonstrate how to set up your environment manually for use with the AWS CloudHSM service.

Topics
   Prerequisites (p. 9)
   Creating the VPC (p. 9)
   Creating the Private Subnets (p. 10)
   Creating the Security Group (p. 10)
   Launching a Control Instance (p. 11)
   Creating the IAM Role (p. 11)
   Preparing For Signup (p. 12)

Prerequisites

Before you can start this process, you need the following:

   • Your AWS account must have room to create one more VPC in the selected region.
   • A virtual private cloud (VPC) with the following:
      • One public subnet. A public subnet is a subnet with an Internet gateway attached to it. The control and client instances are attached to the public subnet.
      • One private subnet in each Availability Zone in the region. The HSM appliance is attached to one of the private subnets.
      • A security group that contains the following rules:
         • Inbound TCP access to port 22 (SSH) from your site. This allows computers located on your site to connect to EC2 instances in your VPC using SSH.
         • Inbound TCP access to port 22 (SSH) from your HSM VPC. This allows control instances in your VPC to connect to the HSM appliance using SSH.
         • Inbound TCP access to port 3389 (RDP) from your site. This allows computers located on your site to connect to instances in your VPC using RDP.
         • Inbound TCP access to port 1792 from your HSM VPC. This allows client instances in your VPC to connect to the HSM appliance using NTLS.
   • An SSH key. The public portion of this key is installed on the HSM appliance, which allows you to authenticate with the HSM appliance using the private key. For more information about creating this key, see Generating an SSH Key (p. 3).
   • An IAM role that grants the AWS CloudHSM service permission to perform certain tasks on your behalf.

Creating the VPC

Perform the following procedure to create a VPC for use with AWS CloudHSM.

To create a VPC and security group rules

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. Select one of the following regions where AWS CloudHSM is currently supported:
   • US East (Northern Virginia) Region
   • EU (Ireland) Region
   • US West (Oregon) Region
   • Asia Pacific (Sydney) Region
3. Create a VPC with a single subnet and an Internet gateway. The most straightforward method is to use the VPC wizard that does this for you. For more information, see Step 1: Set Up the VPC and Internet Gateway in the Amazon Virtual Private Cloud Getting Started Guide. You only need to perform step 1 of the guide. The remaining steps are performed below.

Creating the Private Subnets

You need to create a private subnet (a subnet with no Internet gateway attached) in every Availability Zone in the region. This is necessary to allow the AWS CloudHSM team flexibility in choosing the Availability Zone in which to install the HSM appliance.

To create the private subnets in your HSM VPC

1. In the VPC console, make sure you have the same region selected that your HSM VPC resides in.
2. Select Subnets in the navigation pane and click Create Subnet.
3. In the Create Subnet dialog box, select your HSM VPC, select the Availability Zone, enter the desired CIDR block for the subnet, and click Yes, Create.
4. Repeat these steps for the remaining Availability Zones in the region.

Creating the Security Group

You need to create a security group for use with AWS CloudHSM.

Note
The security group rules provided here are the minimum set of rules that you need to get started with AWS CloudHSM. For production deployments, you should define appropriate rules to constrain network traffic according to your security policies and best practices.

To create your security group for use with AWS CloudHSM

1. In the VPC console, make sure you have the same region selected that your HSM VPC resides in.
2. Create a security group in your HSM VPC and give it an identifiable name, such as CloudHSM_SG. For more information about creating a security group, see Creating a Security Group in the Amazon Elastic Compute Cloud User Guide.
3. Add an inbound rule that allows TCP traffic on port 22 (SSH) from your site. For more information about adding security group rules, see Adding Rules to a Security Group in the Amazon Elastic Compute Cloud User Guide.
   a. On the Inbound tab, in the Create a new rule: list, select SSH, and enter the IP address range of the sites from which you will connect to your VPC.
   b. Click Add Rule, then click Apply Rule Changes.

4. Add an inbound rule that allows TCP traffic on port 22 (SSH) from your VPC.
   a. On the Inbound tab, in the Create a new rule: list, select SSH, and enter the CIDR address range of your VPC.
   b. Click Add Rule, then click Apply Rule Changes.
5. Add an inbound rule that allows TCP traffic on port 3389 (RDP) from your site.
   a. On the Inbound tab, in the Create a new rule: list, select RDP, and enter the IP address range of the sites from which you will connect to your VPC.
   b. Click Add Rule, then click Apply Rule Changes.
6. Add an inbound rule that allows TCP traffic on port 1792 from your VPC.
   a. On the Inbound tab, in the Create a new rule: list, select Custom TCP rule. In the Port range: field, enter 1792. In the Source: field, enter the CIDR address range of your VPC.
   b. Click Add Rule, then click Apply Rule Changes.
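One way to confirm that the group you just built carries the four minimum rules above, and to catch the over-broad sources the Note says a production deployment should constrain, is to audit what `aws ec2 describe-security-groups` returns. The Python below is an added example, not part of the AWS guide; the group JSON and the site/VPC CIDRs are constructed placeholders, and nothing here calls AWS.

```python
"""Audit a security group against the minimum inbound rules the guide lists.

Added example, not part of the AWS guide, and it does not call AWS: the group
below is a constructed sample in the shape of `aws ec2 describe-security-groups`
output, and the site/VPC CIDRs are placeholders.

Minimum rules from the guide: TCP 22 (SSH) from your site, TCP 22 (SSH) from
the HSM VPC, TCP 3389 (RDP) from your site, TCP 1792 (NTLS) from the HSM VPC.
The guide's Note says production deployments should constrain traffic further,
so the audit also flags SSH/RDP rules whose source is 0.0.0.0/0.
"""
import ipaddress

SAMPLE_GROUP = {
    "GroupName": "CloudHSM_SG",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"},   # "your site" (placeholder)
                      {"CidrIp": "10.0.0.0/16"}]},    # HSM VPC CIDR (placeholder)
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # too broad: RDP from anywhere
        {"IpProtocol": "tcp", "FromPort": 1792, "ToPort": 1792,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

REQUIRED_RULES = [
    # (label, port, which CIDR argument satisfies it)
    ("SSH (22) from your site", 22, "site"),
    ("SSH (22) from the HSM VPC", 22, "vpc"),
    ("RDP (3389) from your site", 3389, "site"),
    ("NTLS (1792) from the HSM VPC", 1792, "vpc"),
]


def _tcp_rules(perms):
    """Yield (from_port, to_port, network) for TCP or all-protocol permissions."""
    for p in perms:
        if p.get("IpProtocol") not in ("tcp", "-1"):
            continue
        # "-1" (all traffic) entries carry no port fields: treat as 0-65535
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        for r in p.get("IpRanges", []):
            yield lo, hi, ipaddress.ip_network(r["CidrIp"])


def permits(perms, port, source_cidr):
    """True if some rule covers `port` and its source range contains source_cidr."""
    want = ipaddress.ip_network(source_cidr)
    return any(lo <= port <= hi and want.subnet_of(net)
               for lo, hi, net in _tcp_rules(perms))


def audit_group(group, site_cidr, vpc_cidr):
    """Return the missing required rules and the SSH/RDP ports open to the world."""
    perms = group["IpPermissions"]
    cidr_for = {"site": site_cidr, "vpc": vpc_cidr}
    missing = [label for label, port, which in REQUIRED_RULES
               if not permits(perms, port, cidr_for[which])]
    world_open = sorted({port for port in (22, 3389)
                         for lo, hi, net in _tcp_rules(perms)
                         if lo <= port <= hi and net.prefixlen == 0})
    return {"missing": missing, "world_open_ports": world_open}


if __name__ == "__main__":
    # Sample run: all four rules present, but RDP is open to 0.0.0.0/0
    print(audit_group(SAMPLE_GROUP, "203.0.113.0/24", "10.0.0.0/16"))
```

The sample group passes the completeness check but is flagged for RDP from 0.0.0.0/0; dropping the port 1792 rule makes the NTLS requirement show up as missing.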

Launching a Control Instance

When you sign up for AWS CloudHSM, you receive an IP address for each HSM appliance. Because this IP address is only accessible from an instance within the same VPC that the HSM appliance is in, you need to launch an instance in the same VPC that you will use to connect to and manage the HSM appliance. Throughout this guide, this instance is referred to as the control instance.

To launch an instance in your HSM VPC, follow the steps in Launching Your Instance from an AMI in the Amazon Elastic Compute Cloud User Guide. The following are the specific settings for launching an instance in your HSM VPC.

• In step 2, select the region in which your VPC is located.
• In step 4, select the Community AMIs tab, search for CloudHSM, and select the CloudHSM Client AMI. This AMI launches a pre-configured Amazon Linux instance that already has the SafeNet client software installed.
• In step 6, on the Configure Instance Details page, enter the following:
   • Under Network, select your HSM VPC.
   • Under Subnet, select your public subnet.
   • Under Public IP, select Automatically assign a public IP address to your instances.
• In step 9, on the Configure Security Group page, select the security group you created for your HSM VPC.

After the control instance is running, you can connect to it using SSH.

Creating the IAM Role

The AWS CloudHSM service must have permission to perform certain actions on your behalf, such as listing your VPCs and creating ENIs to attach to the HSM appliance. To allow this, you have to create an IAM role that grants the AWS CloudHSM service permission to perform these actions on your behalf.

To create an IAM role

1. Sign in to the AWS Management Console using the sign-in page.
2. Under Deployment and Management, select IAM.
3. Select Roles, and then click Create New Role to start the wizard.
4. Enter a unique name for your role in the Role Name field and click Continue. The name must be unique and cannot contain spaces.
5. Under Select Role Type, select AWS Service Roles, and then click Select next to AWS CloudHSM.
6. Review the policy statement to confirm that you are granting permission to the AWS CloudHSM service to perform the actions listed. These actions are required in order for the AWS CloudHSM service to list your resources and attach an ENI in your VPC. After reviewing and accepting the policy and permissions, click Continue.
7. Review the role information and click Create Role.
8. In the IAM console, select the role you just created, select the Summary tab, and note the value for the Role ARN. You need to provide the role ARN to AWS to set up your HSM appliance.

Preparing For Signup

Collect the following information to provide to AWS:

• The number of HSMs to have provisioned.
• Your public SSH key. This is installed on the HSM appliances so that you can use your private SSH key to connect to them. For more information, see Generating an SSH Key (p. 3).
• Choose an available IP address in each private subnet in your VPC to use as the IP addresses of the HSM appliances. You must choose an IP address that is not in use by any other network device on the subnet. AWS allocates your HSM appliances according to Availability Zone availability and will let you know which IP addresses were assigned.
• The ARN of the AWS CloudHSM IAM role created in the previous section.
• The identifier of the security group created above.

Send email to the AWS CloudHSM team with this information. The AWS CloudHSM team creates an elastic network interface (ENI) on the subnet that you specified, and assigns one of the IP addresses that you specified to your HSM appliance. You use the SSH private key to connect to your HSM appliance.

Proceed to Getting Started with AWS CloudHSM (p. 13).

Getting Started with AWS CloudHSM

The following diagram and procedures demonstrate how to set up AWS CloudHSM. After you complete the procedures, you will have a running application that uses an HSM for cryptographic operations and key storage.

This list summarizes the procedures needed to get up and running with AWS CloudHSM. Step-by-step instructions are detailed in the sections below.

To get started with AWS CloudHSM

1. If you have not already done so, follow the steps in Before You Begin (p. 2) to set up your HSM environment.
2. Initialize and configure HSM appliances (p. 14).
3. (Optional) Initialize, connect and configure your on-premise HSM appliances (p. 16).
4. Configure your HSM client (p. 16).
5. Configure HA (p. 23).
6. Select from the following two options:
   • Integrate AWS CloudHSM with third-party software applications. For more information, see Integrating Third-Party Applications with AWS CloudHSM (p. 40).
   • Run the Sample Application (p. 41) to prepare for Building Your Own Applications (p. 43).

Important
This guide provides an abbreviated set of instructions that allow you to get started quickly with your AWS CloudHSM service. To secure production deployments, be sure to read the detailed descriptions and background information provided in the SafeNet Luna SA documentation in order to get a deeper understanding of the operation of the HSM. This guide does not attempt to provide those important details, which are essential for secure operation of the HSM.

Configuring Your HSM Appliance

When you set up and configure your HSM appliance, you may find it useful to keep track of your configuration information. For more information, go to Worksheet for Luna Appliance and HSM Setup in the SafeNet Luna SA documentation. When you are finished, store the completed worksheet in a secure location for future reference. It is also recommended that you store at least one copy of the worksheet in secure offsite storage.

When you sign up for AWS CloudHSM, you receive an IP address for each HSM appliance. Because this IP address is only accessible from an instance within the same VPC that the HSM appliance is in, you need to use the control instance to connect to and manage the HSM appliance. The control instance was launched in Launching a Control Instance (p. 11).

To initialize and configure HSM appliances

Use the following procedures to initialize the HSM appliance and configure the HSM client. Repeat as needed for each appliance or client.

1. After AWS connects your HSM to your VPC, confirm that the elastic network interface (ENI) exists and confirm its IP address. To find the ENI that is attached to the HSM appliance, perform the following steps.

   a. Open the Amazon EC2 console and select the region that the HSM appliance was provisioned in.
   b. Select Network Interfaces in the console navigation pane.
   c. In the Viewing menu, select All VPC Network Interfaces. The list of ENIs contains an ENI that has the same private IP address as the HSM appliance and has CloudHSM Network Interface for the Description.

2. Apply the security group that you created earlier to the ENI that is attached to your HSM.

   Note
   If you completed the steps in Automatically Setting Up Your AWS CloudHSM Environment Using AWS CloudFormation (p. 5), the proper Security Groups were created and configured automatically.

   a. Right-click the row containing the ENI attached to the HSM appliance, select Change Security Groups, then select the security group you created for your VPC.
   b. (Optional) To aid in troubleshooting network connectivity to your HSM appliance, add incoming and outgoing rules to your security group for ICMP Echo Request and Echo Reply. These allow you to ping the HSM appliance, and allow the HSM appliance to respond.

3. If needed, copy your SSH private key file to the control instance. This is the private portion of the key that you provided to AWS to use to connect to the HSM appliance. For more information, see Copying the Private Key (p. 4).

4. From the control instance, connect to your HSM appliance over SSH. If your instance is a Windows instance, use PuTTY or a similar SSH client for Windows to connect to the HSM and perform the steps below.

   $ ssh manager@[hsm_ip_address]

5. (Optional) Set a password for the manager by executing the following command. This step is optional. You can continue to use the SSH key pair to connect to the HSM over SSH if you desire.

   lunash:> user password

   You are prompted to enter the new password twice. For more information, go to password in the User Commands Menu section of the SafeNet Luna SA documentation. Note the new password on your worksheet.

6. Check the time zone, date, and time on the HSM with the status date command.

   lunash:> status date

   Fri Feb 7 20:09:20 UTC 2014

   Command Result : 0 (Success)

   If the time zone is not correct, set the time zone with the sysconf timezone set command. If the date and/or time are not correct, set them with the sysconf time command. For more information, go to Set System Date and Time in the SafeNet Luna SA documentation.

   Note
   AWS configures the time of each HSM to use the UTC time zone. This is also the default setting for Amazon Linux AMIs. Only change the time zone if your HSM client uses a different time zone than UTC. If you change the time zone, you must change it before setting the system date and time; otherwise, the time zone change adjusts the time you just set.

7. To monitor the HSM via syslog, note that you cannot add the IP address of your syslog collector directly in the HSM configuration. Contact AWS Support and provide the IP addresses of your syslog monitoring servers. AWS will then perform the required configuration to set up syslog monitoring, and let you know when the setup is complete. Remember to add a rule to your security group to allow syslog traffic on port 514.

8. Initialize the HSM by executing the following:

   lunash:> hsm init -label [luna_name]

   The name [luna_name] must be a unique name without spaces or special characters.

   Note
   If you plan to use HA and load balancing among multiple HSM appliances, as recommended by AWS, see Configuring High Availability and Load Balancing (p. 23) for additional instructions.

   For more information, go to Use hsm-init to Initialize an HSM in the SafeNet Luna SA documentation. Initializing an HSM permanently deletes the keys and entire cryptographic domain on the HSM. After initializing the HSM, any previously existing keys are destroyed.

   Initializing an HSM also creates the HSM administrator account (also known as the security officer) and requires that a password be created and assigned to that account. Make a note of the password on your worksheet and do not lose it. It is also recommended that you store at least one copy of the worksheet in secure offsite storage. AWS does not have the ability to recover your key material from an HSM for which you do not have the proper HSM security officer credentials.

9. Create a key pair for the HSM server. This generates a certificate from the public key.

   lunash:> sysconf regenCert

   For more information, go to Generate a New HSM Server Certificate in the SafeNet Luna SA documentation.

10. Make an association between the HSM appliance and an NTLS interface by executing the following:

   lunash:> ntls bind eth0

   For more information, go to the ntls bind Command in the SafeNet Luna SA documentation.

11. Execute the following commands to log in to the HSM using the HSM administrator password, and then create a partition:

   lunash:> hsm login

   lunash:> partition create -partition [partition_name]

   The name [partition_name] must be a unique name without spaces or special characters.

12. When prompted, type proceed.

13. Supply the new partition password when prompted. Write down this password, as it is used in the following situations:

   • To authenticate the administrator performing partition management tasks via lunash.
   • To authenticate client applications that want to use the HSM appliance.

   For more information, go to Create an HSM partition in the SafeNet Luna SA documentation.

To initialize, connect, and configure your on-premises HSM appliances

(Optional) Connect your on-premise SafeNet Luna SA HSM appliances in your data center to your AWS instances using VPN or AWS Direct Connect. For more information, see the AWS Direct Connect detail page.

Configuring Your HSM Client

When you configure your HSM client, you install the client software and accept the license agreement.

Topics
• Configuring a Linux HSM Client (p. 16)
• Configuring a Windows HSM Client (p. 19)

Configuring a Linux HSM Client

The AWS CloudHSM team has created a custom AMI that can be used to launch an Amazon Linux instance that is pre-configured with the SafeNet client software. To use this AMI when running the Launch Instance wizard, select the Community AMIs tab, search for CloudHSM, and select the CloudHSM Client AMI. If you used this AMI, you can skip to Creating a Network Trust Link Between a Linux Client and the HSM Appliance (p. 17).

To configure a Linux HSM client

These instructions are for the Amazon Linux x86 64-bit AMI, and may require changes based on your system architecture.

1. Connect to the Linux client instance that is running in your VPC.

2. Install the Luna SA client tools on the client instance. For more information, go to Installing the Luna Software in the SafeNet Luna SA documentation.

3. Use the following links to download the HSM client software and the client patch to the home directory on your client instance:

   • Client software
   • Client patch

4. From the client instance command prompt, extract and install the HSM client software and answer yes to all prompts:

   $ tar -xvf Luna_5.1_Client_Software.tar
   $ cd 610-011477-003/linux/x86/64/
   $ sudo sh install.sh

   Note
   In the second command above, 610-011477-003 changes with each version of the client software.

5. Install the client patch and answer yes to all prompts:

   $ cd ~
   $ tar -xvf Luna_5.1.1_Client_Patch.tar
   $ cd 630-010275-001/linux/x86/64/
   $ sudo sh install.sh

Creating a Network Trust Link Between a Linux Client and the HSM Appliance

To create a network trust link between the client and the HSM appliance

These instructions are for the Amazon Linux x86 64-bit AMI, and may require changes based on your system architecture.

1. Copy the server certificate from the HSM to the client instance by entering the following command on the client. For more information, go to Importing the server certificate onto the client in the SafeNet Luna SA documentation.

   $ cd /usr/lunasa/bin
   $ sudo scp -i ~/.ssh/[private_key_file] manager@[hsm_ip_address]:server.pem .

   [private_key_file] is the name of the SSH private key file used to connect to the HSM appliance.

   The dot (.) at the end of the command is required and causes scp to copy the resulting file to the current directory.

2. Register the HSM certificate with the client:

   $ sudo ./vtl addServer -n [hsm_ip_address] -c server.pem

   The following confirmation message appears:

   New server [hsm_ip_address] successfully added to server list.

3. Create a client certificate for your client instance:

   $ sudo ./vtl createCert -n [client_name]

   Private Key created and written to: /usr/lunasa/cert/client/[client_name]Key.pem
   Certificate created and written to: /usr/lunasa/cert/client/[client_name].pem

   [client_name] can be any name that is unique and does not contain any spaces or special characters.

   Note
   You can also create certificates to be shared among multiple instances. For more information, see Creating an AMI with the HSM Client Configuration (p. 38).

4. Copy the client certificate to the HSM. For more information, go to Export a Client Certificate to an HSM Appliance (UNIX) in the SafeNet Luna SA documentation.

   $ scp /usr/lunasa/cert/client/[client_name].pem manager@[hsm_ip_address]:

   Note
   The colon (:) after the destination is required. Without it, scp does not recognize the supplied destination as a remote server.

5. Connect to your HSM appliance over SSH and register the client. For more information, go to Register the Client Certificate to an HSM Server in the SafeNet Luna SA documentation.

   $ ssh manager@[hsm_ip_address]

   lunash:> client register -client [client_id] -hostname [client_name]

   'client register' successful.

   [client_name] must be the same name used for the createCert command above. [client_id] can be any name that is unique and does not contain any spaces or special characters. To prevent confusion, we suggest you keep these two names the same.

   Note
   You can create certificates to be shared among multiple instances. For more information, see Creating an AMI with the HSM Client Configuration (p. 38).

6. Assign the client to a partition.

   lunash:> client assignPartition -client [client_id] -partition [partition_name]

   For more information, go to Assign a client to a Luna HSM partition in the SafeNet Luna SA documentation.

   For more information about creating a partition, see Configuring Your HSM Appliance (p. 14).

7. Verify that the partition is assigned to the client:

   lunash:> client show -client [client_id]

8. Log in to the client, and verify that it has been properly configured by executing the following:

   $ vtl verify

   The response should be similar to the following:

   Slot    Serial #         Label
   ====    ========         =====
   1       serial_number    partition_name

   If you get an error message, some part of the configuration may not have been properly completed. Retrace the procedure.

Configuring a Windows HSM Client

To configure a Windows HSM client

1. Connect to the AWS instance that is running in your VPC.
2. Install the Luna SA client tools. For more information, go to Installing the Luna Software in the SafeNet Luna SA documentation.
3. Use the following links to download the HSM client software to your home directory and client patch to your EC2 instance:

   • Client software
   • Client patch

4. Extract the software to a local directory using an unzip utility.
5. Browse to the appropriate subdirectory and install the HSM client software.
6. Accept the license agreement and click Next.
7. Choose the default installation directory.
8. Choose the default installation directory, choose a Complete setup, and then click Next.
9. Click Install to proceed with the installation, then click Finish to exit the installer.
10. Extract the latest client software patch to a local directory using an unzip utility.
11. Browse to the appropriate subdirectory and repeat the steps above to install the Luna SA client software patch.

Creating a Network Trust Link Between a Windows Client and the HSM Appliance

To create a Network Trust Link between a Windows client and the HSM appliance

1. Copy the server certificate from the HSM to the client instance using the pscp utility on the client. For more information, go to Importing the server certificate onto the client in the SafeNet Luna SA documentation.

   C:> cd \Program Files\LunaSA\
   C:\Program Files\LunaSA> pscp -i [private_key_file].ppk manager@[hsm_ip_address]:server.pem .
   server.pem 100%|*******************************************************| 928 00:00

   [private_key_file] is the path and file name of the PuTTY private key file used to connect to the HSM appliance.

   Note
   The dot (.) at the end of the command is required and causes pscp to copy the resulting file to the current directory.

2. Verify that the server certificate has arrived on the client:

   C:\Program Files\LunaSA> dir server.pem

3. Move the server certificate to the cert\server directory:

   C:\Program Files\LunaSA> move server.pem cert\server

4. Register the HSM server certificate with the client.

   Important
   You must execute this command as an administrator. To do this, right-click the cmd.exe window and select Run as Administrator.

   C:\Program Files\LunaSA> vtl addServer -n [hsm_ip_address] -c cert\server\server.pem

   This allows the client to create a secure connection with the HSM server.

   The vtl executable is located in C:\Program Files\LunaSA, unless you changed the default installation directory.

5. Create a client certificate.

   Important
   You must execute this command as an administrator. To do this, right-click the cmd.exe window and select Run as Administrator.

   C:\Program Files\LunaSA> vtl createCert -n [client_name]

   [client_name] can be any name that is unique and does not contain any spaces or special characters.

6. Copy the client certificate to the HSM. For more information, see Export a Client Certificate to an HSM Appliance (Windows) in the SafeNet Luna SA documentation.

   C:\Program Files\LunaSA> pscp -i [private_key_file].ppk cert\client\[client_name].pem manager@[hsm_ip_address]:

   [private_key_file] is the path and file name of the PuTTY private key file used to connect to the HSM appliance.

   Note
   The colon (:) after the destination is required. Without it, pscp does not recognize the supplied destination as a remote server.

   The file arriving at the HSM is automatically placed in the appropriate directory. Do not specify a directory for the destination.

7. Connect to your HSM using PuTTY and register the client.

   lunash:> client register -client [client_id] -hostname [client_name]

   'client register' successful.

   [client_name] must be the same name used for the createCert command above. [client_id] can be any name that is unique and does not contain any spaces or special characters. To prevent confusion, we suggest you keep these two names the same.

   For more information, go to Register the Client Certificate to an HSM Server in the SafeNet Luna SA documentation.

8. Assign the client to a partition.

   lunash:> client assignPartition -client [client_id] -partition [partition_name]

   For more information, go to Assign a client to a Luna HSM partition in the SafeNet Luna SA documentation.

9. Verify that the partition is assigned to the client:

   lunash:> client show -client [client_id]

10. On your client computer, open a command-line console, go to the LunaSA directory as shown below, and verify that the client has been properly configured by executing the following command.

   Important
   You must execute this command as an administrator. To do this, right-click the cmd.exe window and select Run as Administrator.

   C:\Program Files\LunaSA> vtl verify

   The response should be similar to the following:

   Slot    Serial #         Label
   ====    ========         =====
   1       serial_number    partition_name

   If you get an error message, some part of the configuration may not have been properly completed. Retrace the procedure.
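The slot table above (the same one the Linux procedure's vtl verify step shows) is what a client sees once the network trust link and the partition assignment are complete. The following parser is an added example, not code from the AWS guide or from the SafeNet client; it reads that table from captured vtl verify output and lists the partitions a client expected to see but does not, which is the check to run after each client assignPartition. The sample output, its serial numbers and the function names are constructed.

```python
# Added example (not from the AWS guide or SafeNet): parse the slot table that
# `vtl verify` prints on Linux or Windows and check that the partitions the
# client should see are all there.
import re

# Constructed sample output in the shape shown above; serial numbers are made up.
SAMPLE_OUTPUT = """\
Slot    Serial #         Label
====    ========         =====
1       123456789        mypartition
2       987654321        mypartition2
"""

# One table row: slot number, serial number, partition label.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_slots(text):
    """Return [(slot, serial, label), ...] for every row below the ==== header."""
    slots = []
    in_table = False
    for line in text.splitlines():
        if line.lstrip().startswith("===="):
            in_table = True      # header underline seen; rows follow
            continue
        if not in_table:
            continue
        m = ROW.match(line)
        if m:
            slots.append((int(m.group(1)), m.group(2), m.group(3)))
    return slots


def missing_partitions(text, expected_labels):
    """Labels from expected_labels that do not appear in the vtl verify output.

    An empty result means every partition assigned with client assignPartition is
    visible to the client; a non-empty result (or an error message instead of a
    table, which parses to no slots at all) means a step of the network trust
    link procedure did not complete.
    """
    seen = {label for _, _, label in parse_slots(text)}
    return sorted(set(expected_labels) - seen)


if __name__ == "__main__":
    print(parse_slots(SAMPLE_OUTPUT))
    print(missing_partitions(SAMPLE_OUTPUT, ["mypartition", "otherpartition"]))
```

For an HA client (next section), pass every member partition's label as the expected set; a member that is missing here will also be missing from the HA group when vtl haAdmin tries to add it.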

Operations and Maintenance

AWS monitors your HSM appliances, and may correct minor configuration issues related to availability of the appliance. Such operations do not interfere with your use of the HSM appliance.

If a management operation must be performed which could disrupt service, then AWS provides 24 hours' notice before performing the operation.

It is possible that, in unforeseen circumstances, AWS might have to perform maintenance on an emergency basis without prior notice. We try to avoid this situation. However, if availability is a concern, AWS strongly recommends that you use two or more HSM appliances in separate Availability Zones in a high availability configuration. The failure of a single HSM appliance in a non-HA configuration can result in the permanent loss of keys and data.

AWS does not perform routine maintenance on HSM appliances in multiple Availability Zones within the same region within the same 24-hour period.

For information about how to set up a high availability configuration, see Configuring High Availability and Load Balancing (p. 23). For information about administration and maintenance of your HSM appliance, go to Administering Your Luna SA in the SafeNet Luna SA documentation.

Configuring High Availability and Load Balancing

Topics
• HA Failover and Auto-Recovery (p. 27)
• Best Practices for High Availability and Load Balancing (p. 28)

AWS recommends that you use two or more HSM appliances, in separate Availability Zones and in a high availability (HA) configuration, to avoid data loss in the event that an Availability Zone becomes unavailable.

Important
The failure of a single HSM appliance in a non-HA configuration can result in the permanent loss of keys and data.

HA allows multiple HSM appliances to be grouped together to form one virtual device or logical unit as seen from the client, similar to clustering or RAID technologies. In an HA configuration, service is maintained even if one or several HSM appliances are unavailable. For example, if three HSM appliances are combined into an HA group, service is maintained even if two HSM appliances are offline.

When configured for HA, each HSM appliance joins an HA group, managed through the HSM client. To HSM clients, the HA group appears as a single HSM appliance. However, from an operational perspective, the members in the HA group share the transaction load, synchronize data with each other, and gracefully redistribute the processing capacity in the event of failure in a member machine, to maintain uninterrupted service to clients. HA provides load balancing across all HSM members in the HA group to increase performance and response time, while providing the assurance of high-availability service. All HSM members in the HA group are active (rather than one active and the rest passive). Calls are passed from each client application through the HSM client-side software (library) to one of the HSM members in the HA group on a least-busy basis. However, operation requests directed at the virtual slot are served by the primary appliance (the first member in the client's list) until that member reaches its capacity; at that point, operations are directed to other members in the HA group.

For more information, go to HA with Luna SA in the SafeNet Luna SA documentation.

To configure HA redundancy and load balancing among your HSM appliances

1. Set up the network on your HSM appliances that will be used in the HA group. For more information, go to Preparing to configure appliance network settings in the SafeNet Luna SA documentation.

2. Create the policy settings needed for HA by verifying that Enable cloning and Enable network replication are set to Allowed in hsm showPolicies, as shown in the excerpt below. If they are not set to Allowed, change them with hsm changePolicy -policy [policyCode] -value [policyValue].

   [myluna] lunash:> hsm showPolicies

   HSM Label: myhsm
   Serial #: 700022
   Firmware: 6.2.1

   The following capabilities describe this HSM, and cannot be altered except via firmware or capability updates.

   Description                   Value
   ===========                   =====
   Enable cloning                Allowed
   .
   .
   .
   Enable network replication    Allowed
   .
   .
   .

   The following policies describe the current configuration of this HSM and may by changed by the HSM Administrator.
   Changing policies marked "destructive" will zeroize (erase completely) the entire HSM.

   Description                   Value   Code   Destructive
   ===========                   =====   ====   ===========
   .
   Allow cloning                 On      7      Yes
   .
   .
   Allow network replication     On      16     No
   .
   .
   .
   Command Result : 0 (Success)
   [myluna] lunash:>
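The two rows that matter in this excerpt are Allow cloning and Allow network replication, and the Destructive column tells you whether turning one of them on would zeroize the HSM. The following script is an added example, not part of the AWS guide or of the SafeNet tools: it parses the policy table from captured hsm showPolicies output and reports which HA prerequisite is still Off, together with the changePolicy command that would set it. The sample output is constructed (its third policy row is illustrative only), and the assumption that -value 1 means On is marked in the code.

```python
# Added example (not from the AWS guide or SafeNet): parse the policy table that
# `hsm showPolicies` prints and report whether the HA prerequisites are met.
# SAMPLE_OUTPUT is constructed to match the shape of the excerpt above; the
# third policy row is illustrative.
import re

SAMPLE_OUTPUT = """\
The following policies describe the current configuration of this HSM and may by changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase completely) the entire HSM.

Description                   Value   Code   Destructive
===========                   =====   ====   ===========
Allow cloning                 On      7      Yes
Allow network replication     Off     16     No
Allow non-FIPS algorithms     On      12     Yes
"""

# A policy row: description, On/Off, numeric code, Yes/No destructive flag.
POLICY_ROW = re.compile(
    r"^(?P<desc>\S.*?)\s{2,}(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destructive>Yes|No)\s*$"
)

# Policies that step 2 requires for HA (cloning and network replication).
HA_REQUIRED = ("Allow cloning", "Allow network replication")


def parse_policies(text):
    """Return {description: {"value": "On"|"Off", "code": int, "destructive": bool}}."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_ROW.match(line.strip())
        if m:
            policies[m["desc"].strip()] = {
                "value": m["value"],
                "code": int(m["code"]),
                "destructive": m["destructive"] == "Yes",
            }
    return policies


def ha_readiness(text):
    """Return (ready, problems).

    Each problem names a required policy that is missing or Off, the
    hsm changePolicy command that would turn it on (assumption: -value 1 is On),
    and a warning when the change is destructive, i.e. zeroizes the HSM.
    """
    policies = parse_policies(text)
    problems = []
    for name in HA_REQUIRED:
        p = policies.get(name)
        if p is None:
            problems.append(f"{name}: not found in showPolicies output")
        elif p["value"] != "On":
            fix = f"hsm changePolicy -policy {p['code']} -value 1"
            warn = " (destructive: zeroizes the HSM)" if p["destructive"] else ""
            problems.append(f"{name}: {p['value']}; set with '{fix}'{warn}")
    return (not problems, problems)


if __name__ == "__main__":
    ready, problems = ha_readiness(SAMPLE_OUTPUT)
    print("ready for HA" if ready else "\n".join(problems))
```

Run it over the saved output of each appliance before step 3; a destructive warning means the policy change itself erases the HSM, so it belongs before initialization and partition creation, not after.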

   Note
   Cloning to a hardware token is the backup method for which your HSM appliances are configured. All HSM appliances in an HA group must use the same backup method.

3. Initialize the HSM appliances into a common cloning domain. For password-authenticated appliances, they must share the same domain string.

   Warning
   Initializing an HSM permanently deletes the keys and entire cryptographic domain on the HSM. After initializing the HSM, any previously existing keys are destroyed. For more information, go to Use hsm-init to Initialize an HSM in the SafeNet Luna SA documentation.

   Note
   If you have already configured your HSM appliance in Configuring Your HSM Client (p. 16), the following steps help you reconfigure your HSM appliance for HA.

   Three of the values are required, but the only one that you should type at the command line is a label for the HSM (-label). Typing the password and the cloning domain at the command line makes them visible to anyone who can see the computer screen, or to anyone who later scrolls back in your console or ssh session buffer. If you omit the password and the cloning domain, lunash prompts you for them, and hides your input with ******** characters. This is preferable from a security standpoint. Additionally, you are prompted to re-enter each string, thus helping to ensure that the string you type is the one you meant to type.

   lunash:> hsm -init -label [my_luna]
   > Please enter a password for the security officer
   > ********

   Please re-enter password to confirm:
   > ********

   Please enter the cloning domain to use for initializing this HSM (press Enter to use the default domain):
   > ********

   Please re-enter domain to confirm:
   > ********

   CAUTION: Are you sure you wish to re-initialize this HSM?
   All partitions and data will be erased.
   Type 'proceed' to initialize the HSM, or 'quit' to quit now.
   > proceed
   hsm - init successful.

4. On each HSM appliance, create a partition.

   lunash:> partition create -partition [my_partition]

   The partition ([my_partition]) should be given a unique name without spaces or special characters. For more information, go to Create an HSM partition in the SafeNet Luna SA documentation.

5. When prompted, type proceed.
6. Supply the appropriate HSM partition password when prompted.

7. Change the partitions' passwords so that they match. The partitions do not need to have the same labels, but they must have the same password.

   lunash:> partition changePw -partition [partition_name] [-cu] [-newpw [new_password]] [-oldpw [old_password]]

8. Record partition serial numbers and passwords, and store this information in a secure place.

   lunash:> partition show

9. Proceed with a normal client setup as described in Configuring Your HSM Client (p. 16).

10. Register your client computer with each partition that will be part of the HA group. On each HSM appliance, assign the partition to its respective HSM client; repeat for each HSM appliance in the HA group.

   lunash:> client assignPartition -client [client_name] -partition [Partition1]
   lunash:> client assignPartition -client [client_name] -partition [Partition2]

11. Create a new HA group on the client, which consists of the following:

   • A unique label for the group.
   • The serial number of the primary partition (Partition1).
   • The password for the primary partition.

   When you create this new HA group, the vtl utility also generates and assigns a serial number to it.

   Important
   You must execute the next command as an administrator. To do this, right-click the cmd.exe window and select Run as Administrator.

   bash-2.05# ./vtl haAdmin -newGroup -serialNum 65003001 -label myHAgroup -password userpin
   New group with label "myHAgroup" created at group number 742276409.
   Group configuration is:
       HA Group Number: 742276409
       HA Group Label: myHAgroup
       Group Members: 65003001
       Needs sync: no

12. Your chrystoki.conf (Linux/UNIX) or crystoki.ini (Windows) file should now have a new section:

   VirtualToken = {
      VirtualToken00Members = 65003001;
      VirtualToken00SN = 742276409;
      VirtualToken00Label = myHAgroup;
   }

   Important
   Do not insert tab characters into the chrystoki.conf or crystoki.ini file.
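The VirtualToken section above is what the client library reads to find the HA group, and the Important note about tab characters is easy to violate when the file is edited by hand. The following parser is an added example, not from the AWS guide or the SafeNet client: it reads that section from a chrystoki.conf-style file and flags tab characters and an HA group that still has only one member (the state after step 11 but before step 13). The sample file, including its Chrystoki2 section, is constructed, and the function names are the example's own.

```python
# Added example (not from the AWS guide or SafeNet): parse the HA group section
# of chrystoki.conf / crystoki.ini and check it for the two things steps 11-13
# care about: no tab characters, and an HA group with at least two members.
# SAMPLE_CONF is constructed; the Chrystoki2 section only shows that other
# sections of the file are parsed as well.
import re

SAMPLE_CONF = """\
Chrystoki2 = {
   LibUNIX = /usr/lib/libCryptoki2.so;
}
VirtualToken = {
   VirtualToken00Members = 65003001, 65005001;
   VirtualToken00SN = 742276409;
   VirtualToken00Label = myHAgroup;
}
"""

SECTION = re.compile(r"(\w+)\s*=\s*\{([^}]*)\}", re.S)   # Name = { ... }
ENTRY = re.compile(r"(\w+)\s*=\s*([^;]*);")               # key = value;


def parse_conf(text):
    """Return {section: {key: value}} for a chrystoki-style file."""
    return {
        name: {key: value.strip() for key, value in ENTRY.findall(body)}
        for name, body in SECTION.findall(text)
    }


def ha_groups(text):
    """Return the HA groups (VirtualToken00, VirtualToken01, ...) as dicts."""
    vt = parse_conf(text).get("VirtualToken", {})
    groups = []
    idx = 0
    while f"VirtualToken{idx:02d}Label" in vt:
        prefix = f"VirtualToken{idx:02d}"
        members = [m.strip() for m in vt.get(prefix + "Members", "").split(",") if m.strip()]
        groups.append({
            "label": vt[prefix + "Label"],
            "serial": vt.get(prefix + "SN"),
            "members": members,
        })
        idx += 1
    return groups


def lint_conf(text):
    """Return findings; an empty list means the HA section looks complete and well-formed."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if "\t" in line:
            problems.append(f"line {number}: tab character (not allowed in this file)")
    groups = ha_groups(text)
    if not groups:
        problems.append("no VirtualToken section: no HA group is configured")
    for g in groups:
        if len(g["members"]) < 2:
            problems.append(
                f"HA group {g['label']}: {len(g['members'])} member(s); "
                "add the second appliance's partition with vtl haAdmin -addMember"
            )
    return problems


# Constructed file with the mistakes the lint catches: a tab and a single member.
BAD_CONF = (
    "VirtualToken = {\n"
    "\tVirtualToken00Members = 65003001;\n"
    "   VirtualToken00SN = 742276409;\n"
    "   VirtualToken00Label = myHAgroup;\n"
    "}\n"
)

if __name__ == "__main__":
    print(ha_groups(SAMPLE_CONF))
    print(lint_conf(SAMPLE_CONF) or "OK")
    print(lint_conf(BAD_CONF))
```

Running the lint after step 13 (once both members are present) should return no findings; a tab finding points at the exact line to fix before the client library reads the file again.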

    13. Add another member to the HA group (Partition2 on the second appliance).

    26

    AWS CloudHSM Getting Started GuideConfiguring High Availability and Load Balancing

  • ImportantYou must execute the next command as an administrator. To do this, right-click the cmd.exewindow and select Run as Administrator.

    bash-2.05# ./vtl haAdmin -addMember -group 742276409-serialNum 65005001 -password userpinMember 65005001 successfully added to group 742276409.New group configuration is:HA Group Number: 742276409HA Group Label: myHAgroupGroup Members: 65003001, 65005001Needs sync: noPlease use the command 'vtl haAdmin -synchronize' when you are ready to replicate data between all members of the HA group.(If you have additional members to add, you may wish to wait until you have added them before synchronizing to save time by avoiding multiple synchron izations.)

    For more information, as well as additional optional checking and verification steps, go to Create Client HA Group in the SafeNet Luna SA documentation.

    14. Verify your setup, then point your client application at the HSM, referring to that HSM by the HA group label that you assigned.

    /usr/lunasa/bin/vtl haAdmin -show

    15. When an HA group is shared by multiple clients, the best practice is for these clients to select different primary members. This provides better fault tolerance and load balancing of cryptographic operations.

    HA Failover and Auto-Recovery

    Configuring HA Failover

    AWS and SafeNet recommend keeping the default 20-second failover timeout. This is configurable by executing the following command:

    /usr/lunasa/bin/configurator setValue -s "LunaSA Client" -e ReceiveTimeout -v

    Enabling Auto-Recovery

    Automatic recovery (autoRecovery) is disabled by default.

    To enable auto-recovery

    To enable autoRecovery, execute the following command:

    /usr/lunasa/bin/vtl haAdmin -autoRecovery -retry


    Configuring the Retry Interval

    To configure the retry interval

    To configure the retry interval, execute the following command:

    /usr/lunasa/bin/vtl haAdmin -autoRecovery -interval

    Best Practices for High Availability and Load Balancing

    General Best Practices

    AWS recommends the following best practices for high availability (HA) and load balancing your HSM appliances.

    When an HA group is shared by multiple AWS CloudHSM clients, the best practice is for these clients to select different primary HA members, for better fault tolerance and more equal distribution of the workload of cryptographic operations.

    For more information, see the following topics in the SafeNet Luna SA documentation:

    Overview of Luna High Availability and Load Balancing
    HA with Luna SA

    Best Practices for Loss and Recovery

    HA Recovery

    HA recovery is hands-off resumption by failed HA group members. Prior to the introduction of this function, the HA feature provided redundancy and performance, but required that a failed/lost group member be manually reinstated. If the HA recovery feature is not switched on, HA still requires manual intervention to reinstate members. A member of an HA group may fail for the following reasons:

    The HSM appliance loses power, but regains power in less than the two hours that the HSM appliance preserves its activation state.

    The network connection is lost.

    HA recovery works if the following are true:

    HA autoRecovery is enabled.
    The HA group has at least two nodes.
    The HA node is reachable (connected) at startup.
    The HA node recover retry limit is not reached. If it is reached or exceeded, the only option to restore the downed connections is a manual recovery.

    If all HA nodes fail (there are no links from the HSM client), recovery is not possible.


    The HA recovery logic in the library makes its first attempt at recovering a failed member when your application makes a call to its HSM appliance (the HA group). In other words, an idle HSM client does not attempt a recovery.

    However, a busy HSM client would notice a slight pause every minute, as the library attempts to recover dropped HA group members until the members are reinstated, or until the retry period has been reached/exceeded and it stops trying. Therefore, set the retry period according to your normal operational situation; for example, the types and durations of network interruptions you experience.

    HA autoRecovery is not on by default. It must be explicitly enabled by executing the following command from your HSM client:

    /usr/lunasa/bin/vtl haAdmin -autoRecovery

    For more information on HA and autoRecovery, go to the following topics in the SafeNet Luna SA documentation:

    Configuring HA Client - Create HA Group

    Recovering From the Loss of a Subset of HA Members

    If there is a loss of a subset of HA members, AWS recommends the following procedure to recover group members.

    To recover group members manually

    1. When you are notified by AWS that the connection has been recovered, execute the following command to reintroduce disconnected members to the HA group:

    /usr/lunasa/bin/vtl haAdmin -recover -group

    2. AWS also recommends retrying the connection for a short period of time, so that any disconnections caused by transient network outages can be automatically recovered. For example, retry the connection 5 times, at an interval of one try every minute, as shown below.

    /usr/lunasa/bin/vtl haAdmin -autoRecovery -interval 60
    /usr/lunasa/bin/vtl haAdmin -autoRecovery -retry 5

    3. Reintroduce disconnected members to the group when notified by AWS of the connection recovery.

    /usr/lunasa/bin/vtl haAdmin -recover -group

    If you don't want to recover the group members manually, but still want to minimize the overhead caused by automatic recovery, use the following steps:

    To recover group members and minimize recovery overhead

    Retry the connection once every 3 minutes, until the connection is successful.


    /usr/lunasa/bin/vtl haAdmin -autoRecovery -interval 180
    /usr/lunasa/bin/vtl haAdmin -autoRecovery -retry -1

    To recover group members with a special cryptographic application

    For special cryptographic applications, discuss with SafeNet or AWS on a case-by-case basis.

    Recovering From the Loss of All HA Members

    If there is a loss of all HA members (there is a complete loss of communication with all the members of your HA group), you can use LunaSlotManager.reinitialize(). If you use LunaSlotManager.reinitialize(), you do not have to restart your applications. Alternately, you can restart your applications and use manual recovery.

    For more information about LunaSlotManager.reinitialize(), see LunaProvider: Recovering from the Loss of all HA Members Using LunaSlotManager.reinitialize() in the SafeNet Luna SA Technical Notes.

    Important

    LunaHAStatus.isOK() returns true only when all HA members are present. This method returns false when at least one HA member is missing, and throws an exception when all HA members are missing.

    The HA-only option has to be enabled to keep the HA slot number unchanged.

    Resynchronizing HSM Appliances

    Topics

    Resynchronizing HSM Appliances Using Linux/UNIX (p. 30)
    Resynchronizing HSM Appliances Using Windows (p. 31)

    This section explains how to resynchronize two HSM appliances after the HSM client loses connectivity to one HSM appliance. If network connectivity is lost, the HSM client permanently stops trying to connect to the HSM appliance after the retry period is exceeded. The retry period is number-of-retries * retry-interval, where the default/recommended configuration is to retry 10 times with an interval of 60 seconds, for a total of 10 minutes. After the retry period is exceeded, the HSM client removes the disconnected HSM appliance from the HA group, and it must be manually added back. Follow the instructions below to recover a downed HSM appliance.

    Important
    Do not perform a manual resynchronization between the members of the HA group. For more information, see Best Practices for Loss and Recovery (p. 28).
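The following Python script is an added example; it is not part of this guide or of the SafeNet client software. It parses a client configuration file in the format shown in step 12 of the HA group procedure above (the constructed SAMPLE_CONF stands in for a real chrystoki.conf) and checks what that procedure and the retry-period discussion in this section ask for: that both partition serial numbers are members of the named HA group, that no tab characters crept into the file, that the failover timeout is still the default, and how long a given -retry/-interval pair keeps the client trying before it drops a member. The script assumes that ReceiveTimeout is stored in milliseconds under the LunaSA Client section (20000 = the 20-second default); the section and key names follow the configuration format, and the thresholds are this example's own.

```python
"""Sanity-check a Luna SA client HA configuration (chrystoki.conf / crystoki.ini).

Added example, not part of the AWS CloudHSM guide or SafeNet's tooling.
Assumption: "LunaSA Client" -> ReceiveTimeout is in milliseconds (20000 ms is the
20-second failover timeout the guide recommends keeping).
"""
import re

# Constructed sample (not from the guide) of the client config after the HA group
# procedure: both partitions are members and the failover timeout is the default.
SAMPLE_CONF = """\
Chrystoki2 = {
   LibUNIX = /usr/lib/libCryptoki2.so;
}
LunaSA Client = {
   ReceiveTimeout = 20000;
   ServerCAFile = /usr/lunasa/cert/server/CAFile.pem;
}
VirtualToken = {
   VirtualToken00Members = 65003001, 65005001;
   VirtualToken00SN = 742276409;
   VirtualToken00Label = myHAgroup;
}
"""

SECTION_RE = re.compile(r"^\s*([^=]+?)\s*=\s*\{\s*$")
ENTRY_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*;\s*$")


def parse_chrystoki(text):
    """Parse `Section = { Key = Value; }` blocks into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.strip() == "}":
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def ha_groups(sections):
    """Return {label: (group serial, [member partition serials])} per VirtualTokenNN."""
    vt = sections.get("VirtualToken", {})
    groups = {}
    for key, label in vt.items():
        m = re.fullmatch(r"VirtualToken(\d+)Label", key)
        if not m:
            continue
        idx = m.group(1)
        raw = vt.get(f"VirtualToken{idx}Members", "")
        members = [s.strip() for s in raw.split(",") if s.strip()]
        groups[label] = (vt.get(f"VirtualToken{idx}SN"), members)
    return groups


def check_ha_config(text, label, expected_members):
    """Return a list of findings; an empty list means the config matches expectations."""
    findings = []
    if "\t" in text:
        findings.append("tab character found in config (the guide says never to insert tabs)")
    sections = parse_chrystoki(text)
    groups = ha_groups(sections)
    if label not in groups:
        findings.append(f"HA group {label!r} is not defined in the VirtualToken section")
    else:
        _, members = groups[label]
        missing = sorted(set(expected_members) - set(members))
        if missing:
            findings.append(f"members missing from {label!r}: {missing}")
        if len(members) < 2:
            findings.append("HA group has fewer than two members; auto-recovery needs at least two")
    timeout = sections.get("LunaSA Client", {}).get("ReceiveTimeout")
    if timeout != "20000":
        findings.append(f"ReceiveTimeout is {timeout}, not the recommended default of 20000 ms")
    return findings


def retry_window_seconds(retries, interval):
    """Seconds the client keeps retrying (retries * interval); None for -retry -1 (forever)."""
    if retries == -1:
        return None
    return retries * interval


if __name__ == "__main__":
    print(check_ha_config(SAMPLE_CONF, "myHAgroup", ["65003001", "65005001"]))
    print(retry_window_seconds(10, 60), retry_window_seconds(-1, 180))
```

Run it against the real file (for example, /etc/Chrystoki.conf) after step 13 and after any change to the retry settings; a non-empty findings list is the cue to fix the file by hand before pointing an application at the HA group label.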

    Resynchronizing HSM Appliances Using Linux/UNIX

    To resynchronize HSM appliances using Linux/UNIX

    Execute the following command:


    [ec2-user@client-ip bin]$ vtl haAdmin -recover -group [group_name] -serialNum [PartitionSerial]

    For more information, go to HA Operational Notes in the SafeNet Luna SA documentation.

    Resynchronizing HSM Appliances Using Windows

    To resynchronize HSM appliances using Windows

    Execute the following command:

    C:\Program Files\LunaSA> vtl haAdmin -recover -group [group_name] -serialNum [PartitionSerial]

    Backing Up and Restoring HSM Data to a LunaSA Backup HSM

    In addition to the AWS recommendation that you use two or more HSM appliances in a high availability (HA) configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA 5.1 partition if you have purchased a Luna Backup HSM. For more information on the Luna Backup HSM, download the Luna Backup HSM Product Brief.

    The Luna Backup HSM ensures that your sensitive cryptographic material remains strongly protected in hardware even when it is not being used. You can easily back up and duplicate keys securely to the Luna Backup HSM for safekeeping in case of emergency, failure, or disaster.

    The remote backup capabilities allow administrators to move copies of their sensitive cryptographic material securely to other SafeNet HSMs. With a single Luna Backup HSM, an administrator can back up and restore keys to and from up to 20 Luna HSM appliances.

    The Luna Backup HSM is attached to a client machine directly via USB. The client machine is either a Windows or a Linux machine that is outside of AWS, that has the SafeNet Luna client software installed on it. The client machine must also have IP connectivity to the CloudHSM.

    Backing Up HSM Data Using Windows

    To back up HSM data using Windows

    1. Connect the Luna Backup HSM to your Windows computer using USB. For more information about the Luna Backup HSM, see the Luna Backup HSM Product Brief.

    2. Install the Luna Remote Backup Driver (610-011646-001) from the following location: http://c3.safenet-inc.com/downloads/F/E/FEAB55E0-5B3F-4DFD-8DEF-B068C5531AED/610-011646-001.tar

    3. From your Windows computer's Control Panel, open Device Manager, select Luna G5 Device, then right-click and select Update Driver Software.


    4. Complete the steps in Configuring Your HSM Appliance (p. 14) and Configuring Your HSM Client (p. 16).

    5. Use your login credentials to connect to your HSM over SSH:

    ssh manager@[hsm_ip_address]

    6. Execute the following command on your HSM to display the details of the HSM appliance:

    lunash:> hsm show

    7. Execute the following command on your HSM to display the contents of the partition:

    lunash:> par showc -par pm


    8. Verify the NTLS connection from the client to the HSM appliance by executing the following command from the Windows command prompt:

    C:\Program Files\LunaSA> vtl ver

    9. List the available slots by executing the following command:

    C:\Program Files\LunaSA> vtl listslots

    10. Restore the Luna Backup HSM appliance to its factory settings by executing the following command:

    C:\Program Files\LunaSA> vtl backup token factoryreset -target 2

    11. Type yes to confirm.

    12. Initialize the Luna Backup HSM appliance by executing the following command:

    C:\Program Files\LunaSA> vtl backup token init -target 2 -label BackupHSM

    13. Type yes when prompted to initialize the HSM, and no when prompted to use PED authentication.

    Important
    Your HSM must use password authentication.

    14. Execute the remote backup command:

    C:\Program Files\LunaSA> vtl backup -source 1 -target 2 -partition pm_backup


    15. Type yes when prompted to create the new backup.
    16. If you want to check the details of the backup, execute the following command:

    C:\Program Files\LunaSA> vtl backup token show -target 2

    Restoring HSM Data from a Luna Backup HSM

    To restore HSM data

    1. Clear the contents of the partition by executing the following from your HSM:

    lunash:> partition clear -partition pm

    2. When prompted, enter your password for this partition.
    3. When prompted, type proceed.
    4. Verify that the partition is cleared by executing the following command:

    lunash:> partition showcontents -partition pm


    5. Confirm that no objects exist on the HSM partition by executing the following command from the Windows command prompt:

    C:\Program Files\LunaSA> cmu li

    6. Initiate the restore by executing the following command:

    C:\Program Files\LunaSA> vtl backup restore -source 2 -partition pm_backup -target 1

    7. Enter the passwords when prompted.

    8. Confirm that the restore was successful by executing the following from the HSM:

    lunash:> partition showcontents -partition pm

    9. Enter your password when prompted.

    10. Confirm that the restore operation was successful by executing the following command:

    C:\Program Files\LunaSA> cmu li


    How to Stop Using an HSM

    AWS does not ordinarily de-provision an HSM appliance that contains key material. This protects you, as well as AWS, from risks associated with accidentally destroying key material that is still in use.

    Important
    If you need to stop using an HSM appliance (such as when your subscription ends), back up the contents of the HSM to another HSM that you control, or confirm that the keys stored within the HSM are no longer needed.

    Complete the following steps to stop using an HSM appliance.

    To stop using an HSM appliance

    1. Delete all HSM partitions from the HSM appliance by executing the following, replacing [HSM-partition-name] with the name of the partition that you want to delete (do not include the brackets "[]"). If you are not sure of the partition name, use the partition list command.

    partition delete -partition [HSM-partition-name]

    Note
    To delete an HSM partition, you must be logged into the HSM appliance command shell (lunash) as admin, and you must be logged in to the onboard HSM as HSM Admin.

    When a partition is deleted, the partition is cleared from the HSM and all contents are deleted. This also implies that the partition is revoked from any clients that were registered to it. For more information, go to Removing Partitions and partition delete command in the SafeNet Luna SA documentation.

    2. Declassify the HSM appliance by first executing the following command to rotate all logs.

    lunash:> syslog rotate

    3. Delete all logs.

    lunash:> syslog cleanup

    4. Contact AWS Support with a request to terminate service.

    AWS will review the HSM. If the HSM appliance is in an uninitialized state, then AWS de-provisions itand your subscription to the HSM is terminated. If the HSM appliance still contains any HSM partitions,AWS will contact you with a request to remove the partitions from the appliance.

    AWS reserves the right to terminate service and reinitialize an HSM in the case of non-payment.

    Best Practices

    Use a high availability configuration. AWS recommends that you use two or more HSM appliances, in separate Availability Zones, in a high availability configuration, to avoid data loss in the case that an Availability Zone becomes unavailable. For more information about how to set up a high availability configuration, see Configuring High Availability and Load Balancing (p. 23).


    Initializing an HSM irrevocably destroys the key material inside the HSM. Never initialize the HSM unless you are certain that the keys have been backed up somewhere else or that the keys are no longer required.

    Do not apply software patches or updates to the appliance. Contact AWS Support if you need the software updated.

    Do not change the network configuration of the appliance.

    Do not remove or change the syslog forwarding configuration that is provided on the appliance. You may add additional destinations for syslog messages, as long as you do not change or remove the ones that are already there.

    Do not change or remove any SNMP configuration that is provided on the appliance. You may add additional SNMP configuration as long as you do not disturb the configuration that is already present.

    Do not change the NTP configuration that is provided on the appliance.

    Best Practices for Passwords

    Make a note of the HSM administrator (also known as the security officer) password on your worksheet and do not lose the worksheet. It is also recommended that you store at least one copy of the worksheet in secure offsite storage. AWS does not have the ability to recover your key material from an HSM for which you do not have the proper HSM security officer credentials.

    Do not change the HSM appliance administrator password. AWS uses this password for service delivery.

    You should use an SSH key for the manager account login. For more information, see Generating an SSH Key (p. 3). AWS can re-create the manager account if you lose access to the account. You can optionally set a password for the manager account if you prefer.

    HSM partition passwords must be coordinated with clients and applications that depend on the passwords. For information about using IAM roles to distribute passwords, see the Using IAM roles to distribute non-AWS credentials to your EC2 instances blog post.

    Troubleshooting

    For frequently asked questions about AWS CloudHSM, see AWS CloudHSM FAQs.

    Q: My HSM isn't working. What do I do?

    Contact AWS Support.Your incident will be routed to the team that supports AWS CloudHSM.

    Appendices

    Topics

    Connecting Multiple Client Instances to AWS CloudHSM with One Certificate (p. 38)
    Integrating Third-Party Applications with AWS CloudHSM (p. 40)
    Sample Application (p. 41)
    Building Your Own Applications (p. 43)


    Connecting Multiple Client Instances to AWS CloudHSM with One Certificate

    When you use multiple servers with AWS CloudHSM, normally each server generates a unique certificate using that instance's IP address and registers this certificate with AWS CloudHSM; additional steps must then be taken to allow this instance access to the HSM appliance. However, you can avoid the need to create unique certificates per server by creating either an AMI with the HSM client configuration or an Amazon S3 bucket. Either of these solutions can be used with Auto Scaling groups to allow client instances to scale up and down. This allows you to have a scalable services layer that integrates with AWS CloudHSM.

    Topics

    Creating an AMI with the HSM Client Configuration (p. 38)
    Create an Amazon S3 Bucket and Roles (p. 39)

    Creating an AMI with the HSM Client Configuration

    Create an AMI with the client configuration, and then create multiple instances from the AMI. You can use a name instead of an IP address when creating the certificate on the HSM client, and you can create multiple instances from the same AMI without re-creating or changing the certificate.

    Note
    If you use a name instead of an IP address when creating the certificate on the HSM client, make sure that the registered client name on the HSM appliance matches exactly.

    To create an AMI with the client configuration and prepare the HSM client

    1. Execute the following commands on the HSM client, where ClientCertName is the name you have chosen for the certificate on the HSM client.

    C:\Program Files\LunaSA>vtl createCert -n ClientCertName
    Private Key created and written to: C:\Program Files\LunaSA\cert\client\ClientCertNameKey.pem
    Certificate created and written to: C:\Program Files\LunaSA\cert\client\ClientCertName.pem

    C:\Program Files\LunaSA>pscp "%programfiles%\LunaSA\cert\client\ClientCertName.pem" [email protected]:
    [email protected]'s password:

    ClientCertName.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%

    2. Execute the following commands on the HSM, where ClientName is the name of your HSM client and ClientCertName is your certificate name.

    [hsm6105.iad6] lunash:>c reg -c ClientName -h ClientCertName

    'client register' successful.

    Command Result : 0 (Success)
    [hsm6105.iad6] lunash:>c l


    registered client 1: ClientName

    3. After completing the steps above, create an AMI that includes the client configuration, then create one or more Amazon EC2 instances from the AMI. Each Amazon EC2 instance can connect to the HSM appliance using the same certificate, and instances started from Auto Scaling groups can establish a secure connection to AWS CloudHSM.

    For more information about creating AMIs, see Creating Your Own AMIs in the Amazon Elastic Compute Cloud User Guide.

    For more information about creating instances from AMIs, see Launch Your Instance in the Amazon Elastic Compute Cloud User Guide.

    Create an Amazon S3 Bucket and Roles

    If you prefer not to create an AMI, you can create an Amazon S3 bucket with the certificates and keys in them, then create a role with an attached policy that allows read-only access to that bucket, and use the role when launching the instance for your application (including with Auto Scaling). Then you can write scripts in the instance to access the files from Amazon S3.

    To create an Amazon S3 bucket and roles

    1. Create an Amazon S3 bucket. For more information, see Create a Bucket in the Amazon SimpleStorage Service Getting Started Guide.

    2. Change permissions on the Amazon S3 bucket to reduce permissions to the minimum set of peoplenecessary.

    3. Upload the certificates into the Amazon S3 bucket.
    4. Create a role for your application. For more information, see Creating a Role in Using IAM.
    5. As part of creating the role, modify the role's policy to allow read-only access to the Amazon S3 bucket; for example, "Resource": ["arn:aws:s3:::bucket/*"] (the service name in an S3 ARN is lowercase).
    6. Use the role when launching your application.
    7. Write scripts on the application instance to download the certificate files from the Amazon S3 bucket. This allows you to update the certificates from time to time, and also does not require you to figure out how to secure your AMI to prevent credential leakage.

    To learn more about using IAM roles with Amazon S3 buckets, see Using IAM roles to distribute non-AWS credentials to your EC2 instances in the AWS Security blog or Using IAM Roles for EC2 Instances with the SDK for Java in the AWS SDK for Java Developer Guide.
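The following Python script is an added example; it is not part of this guide or of the SafeNet client software. It shows what steps 5 and 7 above amount to in code: a least-privilege policy for the instance role that can read only the certificate prefix of the bucket, and the download script that fetches ClientCertName.pem and ClientCertNameKey.pem (the file names vtl createCert writes), rejects anything that is not a single PEM block, and writes the private key with mode 0600 so that an unprivileged process on the instance cannot read it. The bucket contents are a constructed stand-in so the script runs offline; the injected fetch callable is this example's own design, and in production you would pass a boto3 wrapper as shown in the docstring. The bucket name my-bucket and the prefix hsm/ are placeholders.

```python
"""Distribute the Luna client certificate and key from S3 to an application instance.

Added example, not part of the AWS CloudHSM guide or the SafeNet client. The fetch
callable is injected so the logic runs without boto3; in production pass
    lambda b, k: boto3.client("s3").get_object(Bucket=b, Key=k)["Body"].read()
"""
import os
import stat
import tempfile

# Constructed stand-in for the bucket (key -> object bytes). The PEM bodies are
# placeholders, not real certificate material.
FAKE_BUCKET_OBJECTS = {
    "hsm/ClientCertName.pem": (
        b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    ),
    "hsm/ClientCertNameKey.pem": (
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    ),
}


def read_only_policy(bucket, prefix):
    """Instance-role policy that can read only the certificate prefix of one bucket.
    Note the service part of an S3 ARN is lowercase: arn:aws:s3:::..."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def looks_like_pem(data, kind):
    """Cheap framing check: exactly one PEM block of the expected kind, nothing else."""
    lines = data.decode("ascii", errors="replace").strip().splitlines()
    return (
        len(lines) >= 3
        and lines[0].startswith("-----BEGIN ")
        and lines[0].endswith(f"{kind}-----")
        and lines[-1].startswith("-----END ")
        and lines[-1].endswith(f"{kind}-----")
    )


def install_client_cert(fetch, bucket, prefix, cert_name, dest_dir):
    """Fetch <cert_name>.pem and <cert_name>Key.pem and write them under
    dest_dir/cert/client, the Luna client's certificate directory. Returns the paths."""
    cert_dir = os.path.join(dest_dir, "cert", "client")
    os.makedirs(cert_dir, exist_ok=True)
    written = []
    for suffix, kind, mode in (("", "CERTIFICATE", 0o644), ("Key", "PRIVATE KEY", 0o600)):
        key = f"{prefix}{cert_name}{suffix}.pem"
        data = fetch(bucket, key)
        if not looks_like_pem(data, kind):
            raise ValueError(f"{key} is not a single {kind} PEM block")
        path = os.path.join(cert_dir, f"{cert_name}{suffix}.pem")
        # Create the file with its final mode so the key is never world-readable, then
        # chmod, because os.open's mode is masked by the umask and an existing file
        # keeps whatever mode it already had.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
        written.append(path)
    return written


def demo():
    """Run the installer against the constructed bucket in a temp dir. Returns
    (file names written, mode of the key file, whether a non-PEM object was rejected)."""
    dest = tempfile.mkdtemp(prefix="lunasa-")
    paths = install_client_cert(
        lambda b, k: FAKE_BUCKET_OBJECTS[k], "my-bucket", "hsm/", "ClientCertName", dest
    )
    key_mode = stat.S_IMODE(os.stat(paths[1]).st_mode)
    try:
        install_client_cert(lambda b, k: b"not a pem file", "my-bucket", "hsm/", "ClientCertName", dest)
        rejected = False
    except ValueError:
        rejected = True
    return [os.path.basename(p) for p in paths], key_mode, rejected


if __name__ == "__main__":
    print(demo())
```

On a real instance, point dest_dir at the Luna client install directory (for example, /usr/lunasa) and run the script from the instance's boot or configuration step; because the bucket holds the client's private key, the ListBucket and GetObject grants above should be the only S3 permissions the role carries.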


    Integrating Third-Party Applications with AWS CloudHSM

    This chapter describes how to use third-party applications with AWS CloudHSM.

    Topics

    Transparent Data Encryption with AWS CloudHSM (p. 40)
    Volume Encryption for Amazon Elastic Block Store (p. 41)
    Encryption with Amazon Simple Storage Service (S3) and SafeNet KeySecure (p. 41)
    Setting Up SSL Termination on an Apache Web Server with Private Keys Stored in AWS CloudHSM (p. 41)

    If the application for which you are looking is not listed, contact AWS Support or see HSM Interoperability.

    Transparent Data Encryption with AWS CloudHSM

    Transparent Data Encryption (TDE) reduces the risk of confidential data theft by encrypting sensitive data, such as credit card numbers, stored in application table columns or tablespaces (the containers for all objects stored in a database). The following topic describes how to configure an Oracle or Microsoft SQL Server database using TDE while storing the master encryption key in AWS CloudHSM.

    Oracle Database TDE with AWS CloudHSM

    These instructions guide security administrators through how to integrate an Oracle database and your LunaSA/PCI/HSM appliance, and als

