Search

Page tree

Contents

You can integrate a Grid with third-party, network-attached Hardware Security Modules (HSMs) for secure private key storage and generation, and zone-signing off-loading. Infoblox appliances support integration with either SafeNet HSMs or Thales HSMs. When using a network-attached HSM, you can provide tight physical access control, allowing only selected security personnel to physically access the HSM that stores the DNSSEC keys. When you enable this feature, the HSM performs DNSSEC zone signing, key generation, and key safe keeping.
Note that if you migrate from using the Grid Master to HSMs, HSM signing starts at the next key rollover. Only a superuser can configure this feature. To configure HSM signing in a Grid, do the following:

  1. Create the HSM group and add HSMs to the group. You can create either a SafeNet HSM group or a Thales HSM group. You can use only one group at a time. After you add the HSM group, the Add icon and Add button in the Toolbar are greyed out.

Note that if you delete an HSM or an HSM group, it is permanently deleted. It is not stored in the Recycle Bin.

2. Enable HSM signing. For information, see Enabling HSM Signing.

After you enable this feature, you can monitor the HSM group, as described in Monitoring the HSM Group. In addition, the Grid sends SNMP traps when zone signing succeeds or fails. For information about these traps, see Processing and Software Failure Traps.
Note that NIOS does not provide key life cycle management functions; these are handled by the HSM and must be configured via the HSM's administrative interface to adhere to corporate policies on key management. The keys (ZSK and KSK) used for DNSSEC are stored securely on the HSM and are not deleted by NIOS when the key is no longer required by the DNSSEC function. However, references to the keys are removed from the appliance.

Configuring a SafeNet HSM Device

You can integrate a Grid with a SafeNet HSM group. The SafeNet HSM group can contain either SafeNet Luna SA 4, Luna SA 5, or Luna SA 6 devices in standalone or HA mode; the group cannot contain a mix of both models. You must first configure each HSM device, as described in Configuring a SafeNet HSM Device, and then create the group and add the devices to the group, as described in Adding a SafeNet HSM Group.

Configuring a SafeNet HSM Device

Do the following for each SafeNet HSM device that you are adding to the group:

  1. On the Grid, generate a client certificate for the Grid Master and Grid Master Candidate. For information, see About Client Certificates.
  2.  On the SafeNet HSM, do the following:
    • Assign the Grid Master and Grid Master Candidate to a partition on the HSM to avoid any service interruptions, in case the Grid Master Candidate is promoted to Grid Master.
    • Upload the certificates of the Grid Master and Grid Master Candidate to the HSM and register the certificates in the HSM's list of clients. The certificates of the Grid Master and Grid Master Candidate are linked to their IP addresses. Therefore, if any of their IP addresses change, you must generate a new client certificate and register it with the HSM.
      Note that if the HSM is configured and you replace an appliance that was a Grid Master or Grid Master Candidate and you backed up the database of the old appliance and restored it on the replacement appliance, the certificates remain intact. Therefore, you do not need to regenerate a new certificate for the replacement, as long as the IP address does not change.
    • If you are upgrading from a previous version of SafeNet HSM to a later version, such as from Luna SA5 to Luna SA6, you must complete the following before adding the new SA6 configuration to NIOS:
      • Remove the previous certificate registration from the HSM server and then re-register the Grid Master and Grid Master Candidate certificates.
      • Generate a new HSM certificate if you want to retain the current IP settings for the Grid Master.
    • Download the HSM certificate.

Note

Make sure that the common name used in the certificates is distinct when you configure HSM servers in HA mode.


For additional information, refer to your SafeNet HSM documentation.

Adding a SafeNet HSM Group

When you configure a SafeNet HSM group, add the SafeNet HSM devices to the group and upload their certificates to the Grid. You can add only one HSM group. To add a SafeNet HSM Group:

  1. From the Grid tab, select the HSM Group tab.
  2. Click the Add drop-down list and select HSM SafeNet Group.
  3. In the Add HSM SafeNet Group wizard, complete the following and click Next:
    • Name: Enter a name for the HSM group.
    • Partition Password: Enter the partition password, and re-enter it in the Confirm Partition Password field.
    • Version: Select the SafeNet HSM version, which is either LUNA SA 4, LUNA SA 5, or LUNA SA 6.
    • Comment: You can enter additional information about the HSM.
  4. Click the Add icon to add a SafeNet HSM device, and complete the following:
    • Name or IP Address: Enter the hostname or IP address of the HSM device.
    • Partition SN: Enter the partition serial number (PSN) of the HSM. The Partition ID field automatically displays the ID after the configuration is saved and the appliance has successfully connected to the device.
    • Disabled: Select this check box to disable use of this HSM.
    • Server Certificate: Upload the certificate of the SafeNet HSM.
  5. Save the configuration.

After you add the HSM group, the Add icon and Add button in the Toolbar are greyed out. Note that if the HSM is configured in FIPS 140-2 compliant mode, certain key algorithms and key sizes are disallowed. Requests for those key algorithms or key sizes result in an error. The following algorithms are FIPS 140-2 compliant: DSA, DSA/NSEC3, RSA/SHA1, RSA/SHA1/NSEC3, RSA/SHA-256, and RSA/SHA-512. For additional information about selecting key algorithms, see About the DNSKEY Algorithm.
You can verify whether the Grid Master Candidate is properly registered with the HSM by navigating to the Grid -> Grid Manager -> Members page. It's Status icon is yellow if it is not registered with the HSM.
If DNS service is enabled, you can also verify whether the Grid Master was able to contact the SafeNet HSMs by navigating to the Data Management > DNS > Members page. If the Grid Master status is yellow, check the status of the HSMs in the Grid > HSM Group page. (For more information, see Monitoring the HSM Group.) If the status is not green, check the configuration of the HSMs and restart the DNS service.

Adding and Managing a Thales HSM Group

On the Thales HSM, configure the Grid Master and Grid Master Candidate as HSM clients. Enroll the IP addresses of both the Grid Master and Grid Master Candidate to avoid any service interruptions, in case the Grid Master Candidate is promoted to Grid Master. If the Grid Master and Grid Master Candidates are HA pairs, you must enroll their VIPs.

Note

In the unlikely event that the Grid Master Candidate was registered with the Thales HSM after the Grid Master promotion, you must restart the DNS service on the newly promoted Grid Master.


In addition, you must also set up client cooperation to allow both the Grid Master and Grid Master Candidate access to the Remote File Server (RFS). Note that anytime you add a new Grid Master Candidate, you must enroll its IP address and set up a client cooperation to allow it access to the RFS. For more information on these procedures, refer to your HSM documentation.
Note that DSA cannot be used as the DNSSEC cryptographic algorithm for Thales HSMs. Therefore, migrating to Thales HSMs is not allowed if the Grid Master uses DSA as the DNSSEC cryptographic algorithm.
You can create one Thales HSM group in the Grid, and then add HSMs to the group. The appliance tries to connect to each of the HSMs in the order that they are listed.
To add a Thales HSM group:

  1. From the Grid tab, select the HSM Group tab and click the Add icon.
  2. In the Add HSM Group wizard complete the following, and then click Next:
    • Name: Enter a name for the HSM group.
    • Protection: Select the level of protection that the HSM group uses for the DNSSEC key data.
      • Module: Select this if the HSM group uses a module-protected key. You do not have to enter a password phrase for this type of key.
      • Softcard: Select this if the HSM group uses a softcard-protected key. You must then specify the card name and password.
    • Card Name: Enter a name for the softcard.
    • Password Phrase: Enter the password and re-enter it in the Confirm Password Phrase field.
    • RFS IP Address: Enter the remote file server (RFS) IP address. Note that you must ensure that you enter a valid RFS IP address for the Security World. Validation is limited to IP address checking. Infoblox recommends that you use Test HSM Group to check the HSM group configuration before proceeding.
    • RFS Port: Specify the port of the RFS.
    • Comment: Optionally, enter additional information about the group.
  3. To add modules to the group, click the Add icon and complete the following:
    • Remote IP: Enter the IP address of the HSM.
    • Remote Port: Specify the destination port on the HSM. The firewall must be configured to allow connection to this port.
    • Disabled: Select this check box to disable use of this HSM.
    • Keyhash: Enter the keyhash, which is displayed on the console of the HSM. It can be obtained through an out of band mechanism from the HSM administrator. Note that the appliance validates the keyhash. If the entry is correct, the appliance displays the Electronic Serial Number (ESN) of the HSM when the editor is next launched. If the keyhash is incorrect, the appliance does not connect to the HSM.
    • ESN: This is a read-only field that displays the ESN of the HSM after you save the configuration and relaunch the editor. Infoblox strongly recommends that you verify the ESN displayed by the appliance with the one obtained from the HSM administrator to ensure that the appliance is communicating with the correct HSM.

     4. Save the configuration.

Monitoring the HSM Group

You can monitor the status of the HSM group and of individual modules in the group by navigating to the Grid tab > HSM Group panel. To view the status of each HSM, click the arrow beside the group name. This panel displays the following information:

  • Name: The name of the HSM group or module.
  • Status: The HSM group status displays the status for all the HSMs in the group. The status icon can be one of the following:

    Green: All the HSMs in the group are functioning properly. 
    Yellow: At least one HSM in the group is not functioning properly.
    Red: All the HSMs in the group are not functioning properly.
    Black: The status of the HSM devices is unknown.

    The status icon for each HSM can be one of the following:
    Green: The HSM is functioning properly. For SafeNet Luna SA 5 or SA 6 devices, the status icon can also display x%used which refers to the storage capacity of the HSM partition that is assigned to the Grid. Note that when the capacity reaches 100%, new zone signings and key rollovers for existing zones cannot be performed.
    Red: The HSM is not functioning properly. For a SafeNet HSM, this indicates that the Grid Master was able to connect to the HSM, but no partition was assigned to the Grid Master.
    Black: The status of the HSM device is unknown.
  • FIPS: This applies to a SafeNet HSM only. It indicates if the HSM is in FIPS compliant mode.
  • Comment: Any comments that were entered about the HSM group.

You can also do the following in this tab:

  • Sort the data in ascending or descending order by column.
  • Print and export the data in this tab.

Enabling HSM Signing

When you enable HSM signing, the HSM starts generating the DNSSEC keys at the next key rollover. For information about key rollovers, see About Key Rollovers. You can enable this feature at the Grid level only.
To enable HSM signing:

  1. From the Data Management tab -> DNS tab, expand the Toolbar and click Grid DNS Properties.
  2. In the Grid DNS Properties editor, Click Toggle Expert Mode, if the editor is in Basic mode, and then select the DNSSEC tab.
  3. In the DNSSEC tab, select the Enable DNSSEC check box, if it is not selected, and then select the HSM Signing check box.
  4. Complete the other fields described in Configuring DNSSEC Parameters. Note that Thales HSMs do not support DSA.
  5. Save the configuration.

Testing the HSM Group

After you configure the HSM group, you can test the HSM signing functionality of the group. Click Test HSM Group in the Toolbar, and then click Yes when the confirmation dialog displays. The appliance then executes the command to perform a signing test. The feedback panel displays the status of the test in the Grid Manager feedback panel.

Synchronizing the HSM Group

You can click Resync HSM Group in the Toolbar to do any of the following:

  • For a Thales HSM group, if the RFS security settings change use this function to have the appliance perform an RFS synchronization.
  • For a SafeNet HSM group, use this function to synchronize the keys of the HSM members in the group.

This page has no comments.