
About HSM Signing

You can integrate a Grid with third-party, network-attached Hardware Security Modules (HSMs) for secure private key storage and generation, and zone-signing off-loading. Infoblox appliances support integration with either Thales Luna HSMs or Entrust nShield HSMs. When using a network-attached HSM, you can provide tight physical access control, allowing only selected security personnel to physically access the HSM that stores the DNSSEC keys. When you enable this feature, the HSM performs DNSSEC zone signing, key generation, and key safe keeping.
Note that if you migrate from using the Grid Master to HSMs, HSM signing starts at the next key rollover. Only a superuser can configure this feature. To configure HSM signing in a Grid, do the following:

  1. Create the HSM group and add HSMs to the group. You can create either a Thales Luna HSM group or an Entrust nShield HSM group. You can use only one group at a time. After you add the HSM group, the Add icon and Add button in the Toolbar are greyed out.

    • For information on adding a Thales Luna HSM group, see Configuring a Thales Luna HSM Device below.

    • For information on adding an Entrust nShield HSM group, see Adding and Managing an Entrust nShield HSM Group below.

  2. Enable HSM signing. For information, see Enabling HSM Signing below.

Note

If you delete an HSM or an HSM group, it is permanently deleted. It is not stored in the Recycle Bin.

After you enable this feature, you can monitor the HSM group, as described in Monitoring the HSM Group below. In addition, the Grid sends SNMP traps when zone signing succeeds or fails. For information about these traps, see Processing and Software Failure Traps.
Note that NIOS does not provide key life cycle management functions; these are handled by the HSM and must be configured via the HSM's administrative interface to adhere to corporate policies on key management. The keys (ZSK and KSK) used for DNSSEC are stored securely on the HSM and are not deleted by NIOS when the key is no longer required by the DNSSEC function. However, references to the keys are removed from the appliance.

Configuring a Thales Luna HSM Device

You can integrate a Grid with a Thales Luna HSM group. The Thales Luna HSM group can contain Thales Luna 4, Luna 5, or Luna 6 devices in standalone or HA mode, but all devices in the group must be the same model; a group cannot mix models. You must first configure each HSM device, and then create the group and add the devices to the group, as described in Adding a Thales Luna HSM Group below.

Configuring a Thales Luna HSM Device

Do the following for each Thales Luna HSM device that you are adding to the group:

  1. On the Grid, generate a client certificate for the Grid Master and Grid Master Candidate. For information, see About Client Certificates. If you are upgrading the Thales Luna HSM from Luna 5 or 6 to Luna 7 CPL, you must generate a new client certificate.

  2. On the Thales Luna HSM, do the following:

    • Assign the Grid Master and Grid Master Candidate to a partition on the HSM to avoid any service interruptions, in case the Grid Master Candidate is promoted to Grid Master.

    • Upload the certificates of the Grid Master and Grid Master Candidate to the HSM and register the certificates in the HSM's list of clients. The certificates of the Grid Master and Grid Master Candidate are linked to their IP addresses. Therefore, if any of their IP addresses change, you must generate a new client certificate and register it with the HSM.
      Note that if the HSM is configured and you replace an appliance that was a Grid Master or Grid Master Candidate and you backed up the database of the old appliance and restored it on the replacement appliance, the certificates remain intact. Therefore, you do not need to regenerate a new certificate for the replacement, as long as the IP address does not change.

    • If you are upgrading from a previous version of Thales Luna HSM to a later version, such as from Luna 6 to Luna 7 CPL, you must complete the following before adding the new Luna configuration to NIOS:

      • Remove the previous certificate registration from the HSM server and then re-register the Grid Master and Grid Master Candidate certificates.

      • Generate a new HSM certificate if you want to retain the current IP settings for the Grid Master.

    • Download the HSM certificate.

Note

  • Make sure that the common name used in the certificates is distinct when you configure HSM servers in HA mode.

  • To configure Thales Luna on an HA pair, add a static route with the virtual IP address of the Grid to the HSM server.

For additional information, refer to your Thales Luna HSM documentation.

Adding a Thales Luna HSM Group

When you configure a Thales Luna HSM group, add the Thales Luna HSM devices to the group and upload their certificates to the Grid. You can add only one HSM group. To add a Thales Luna HSM Group:

  1. From the Grid tab, select the HSM Group tab.

  2. Click the Add drop-down list and select Thales Luna Group.

  3. In the Add Thales Luna Group wizard, complete the following and click Next:

    • Name: Enter a name for the HSM group.

    • Partition Password: Enter the partition password, and re-enter it in the Confirm Partition Password field.

    • Version: Select the Thales Luna HSM version, which is either Luna 4, Luna 5, Luna 6, or Luna 7 CPL.

    • Comment: You can enter additional information about the HSM.

  4. Click the Add icon to add a Thales Luna HSM device, and complete the following:

    • Name or IP Address: Enter the hostname or IP address of the HSM device.

    • Partition SN: Enter the partition serial number (PSN) of the HSM. The Partition ID field automatically displays the ID after the configuration is saved and the appliance has successfully connected to the device.

    • Disabled: Select this checkbox to disable use of this HSM.

    • Server Certificate: Upload the certificate of the Thales Luna HSM.

  5. Save the configuration.

After you add the HSM group, the Add icon and Add button in the Toolbar are greyed out. Note that if the HSM is configured in FIPS 140-2 compliant mode, certain key algorithms and key sizes are disallowed. Requests for those key algorithms or key sizes result in an error. The following algorithms are FIPS 140-2 compliant: DSA, DSA/NSEC3, RSA/SHA1, RSA/SHA1/NSEC3, RSA/SHA-256, and RSA/SHA-512. For additional information about selecting key algorithms, see About the DNSKEY Algorithm.
You can verify whether the Grid Master Candidate is properly registered with the HSM by navigating to the Grid -> Grid Manager -> Members page. Its Status icon is yellow if it is not registered with the HSM.
If DNS service is enabled, you can also verify whether the Grid Master was able to contact the Thales Luna HSMs by navigating to the Data Management > DNS > Members page. If the Grid Master status is yellow, check the status of the HSMs in the Grid > HSM Group page. (For more information, see Monitoring the HSM Group below.) If the status is not green, check the configuration of the HSMs and restart the DNS service.

Adding and Managing an Entrust nShield HSM Group

On the Entrust nShield HSM, configure the Grid Master and Grid Master Candidate as HSM clients. Enroll the IP addresses of both the Grid Master and Grid Master Candidate to avoid any service interruptions, in case the Grid Master Candidate is promoted to Grid Master. If the Grid Master and Grid Master Candidates are HA pairs, you must enroll their VIPs.

Note

In the unlikely event that the Grid Master Candidate was registered with the Entrust nShield HSM after the Grid Master promotion, you must restart the DNS service on the newly promoted Grid Master.

In addition, you must also set up client cooperation to allow both the Grid Master and Grid Master Candidate access to the Remote File Server (RFS). Note that anytime you add a new Grid Master Candidate, you must enroll its IP address and set up a client cooperation to allow it access to the RFS. For more information on these procedures, refer to your HSM documentation.
Note that DSA cannot be used as the DNSSEC cryptographic algorithm for Entrust nShield HSMs. Therefore, migrating to Entrust nShield HSMs is not allowed if the Grid Master uses DSA as the DNSSEC cryptographic algorithm.
You can create one Entrust nShield HSM group in the Grid, and then add HSMs to the group. The appliance tries to connect to each of the HSMs in the order that they are listed.
To add an Entrust nShield HSM group:

  1. From the Grid tab, select the HSM Group tab and click the Add icon.

  2. In the Add HSM Group wizard complete the following, and then click Next:

    • Name: Enter a name for the HSM group.

    • Protection: Select the level of protection that the HSM group uses for the DNSSEC key data.

      • Module: Select this if the HSM group uses a module-protected key. You do not have to enter a password phrase for this type of key.

      • Softcard: Select this if the HSM group uses a softcard-protected key. You must then specify the card name and password.

    • Card Name: Enter a name for the softcard.

    • Password Phrase: Enter the password and re-enter it in the Confirm Password Phrase field.

    • RFS IP Address: Enter the remote file server (RFS) IP address. Note that you must ensure that you enter a valid RFS IP address for the Security World. Validation is limited to IP address checking. Infoblox recommends that you use Test HSM Group to check the HSM group configuration before proceeding.

    • RFS Port: Specify the port of the RFS.

    • Comment: Optionally, enter additional information about the group.

  3. To add modules to the group, click the Add icon and complete the following:

    • Remote IP: Enter the IP address of the HSM.

    • Remote Port: Specify the destination port on the HSM. The firewall must be configured to allow connection to this port.

    • Disabled: Select this checkbox to disable use of this HSM.

    • Keyhash: Enter the keyhash, which is displayed on the console of the HSM. It can be obtained through an out-of-band mechanism from the HSM administrator. Note that the appliance validates the keyhash. If the entry is correct, the appliance displays the Electronic Serial Number (ESN) of the HSM when the editor is next launched. If the keyhash is incorrect, the appliance does not connect to the HSM.

    • ESN: This is a read-only field that displays the ESN of the HSM after you save the configuration and relaunch the editor. Infoblox strongly recommends that you verify the ESN displayed by the appliance with the one obtained from the HSM administrator to ensure that the appliance is communicating with the correct HSM.

  4. Save the configuration.

Monitoring the HSM Group

You can monitor the status of the HSM group and of individual modules in the group by navigating to the Grid tab > HSM Group panel. To view the status of each HSM, click the arrow beside the group name. This panel displays the following information:

  • Name: The name of the HSM group or module.

  • Status: The HSM group status displays the status for all the HSMs in the group.

    • The status icon of the group can be one of the following:

      • Green: All the HSMs in the group are functioning properly. 

      • Yellow: At least one HSM in the group is not functioning properly.

      • Red: All the HSMs in the group are not functioning properly.

      • Black: The status of the HSM devices is unknown.

    • The status icon for each HSM can be one of the following:

      • Green: The HSM is functioning properly. For Thales Luna 5 or 6 devices, the status icon can also display x%used which refers to the storage capacity of the HSM partition that is assigned to the Grid. Note that when the capacity reaches 100%, new zone signings and key rollovers for existing zones cannot be performed.

      • Red: The HSM is not functioning properly. For a Thales Luna HSM, this indicates that the Grid Master was able to connect to the HSM, but no partition was assigned to the Grid Master.

      • Black: The status of the HSM device is unknown.

  • FIPS: This applies to a Thales Luna HSM only. It indicates if the HSM is in FIPS compliant mode.

  • Comment: Any comments that were entered about the HSM group.

You can also do the following in this tab:

  • Sort the data in ascending or descending order by column.

  • Print and export the data in this tab.

Enabling HSM Signing

When you enable HSM signing, the HSM starts generating the DNSSEC keys at the next key rollover. For information about key rollovers, see About Key Rollovers. You can enable this feature at the Grid level only.
To enable HSM signing:

  1. From the Data Management tab -> DNS tab, expand the Toolbar and click Grid DNS Properties.

  2. In the Grid DNS Properties editor, click Toggle Advanced Mode if the editor is in Basic mode, and then select the DNSSEC tab.

  3. In the DNSSEC tab, select the Enable DNSSEC checkbox, if it is not selected, and then select the Enable HSM Signing checkbox.

  4. Complete the other fields described in Configuring DNSSEC Parameters. Note that Entrust nShield HSMs do not support DSA.

  5. Save the configuration.
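The algorithm restrictions stated above (no DSA on Entrust nShield; only the listed algorithms in Thales Luna FIPS 140-2 mode) and the group status rollup from Monitoring the HSM Group can be encoded as a pre-flight check to run before enabling HSM signing. This is an added example, not NIOS code: the HsmGroup/HsmModule data model and the handling of mixed unknown statuses are assumptions.

```python
"""Pre-flight checks for HSM-backed DNSSEC signing, built from the rules on this page.

Constructed example, not NIOS code. The algorithm names and status colours are
the ones the documentation lists; the data model below is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

# Algorithms the page lists as FIPS 140-2 compliant on a Thales Luna HSM.
FIPS_COMPLIANT_ALGORITHMS = frozenset({
    "DSA", "DSA/NSEC3", "RSA/SHA1", "RSA/SHA1/NSEC3", "RSA/SHA-256", "RSA/SHA-512",
})

@dataclass
class HsmModule:
    name: str
    reachable: Optional[bool]            # None -> status unknown (black icon)
    partition_assigned: bool = True      # Luna: red when connected but no partition
    percent_used: Optional[int] = None   # Luna 5/6 report partition usage (x%used)

@dataclass
class HsmGroup:
    vendor: str                          # "luna" or "nshield"
    fips_mode: bool = False              # Luna only
    modules: list = field(default_factory=list)

def check_algorithm(group: HsmGroup, algorithm: str) -> list:
    """Return the problems that would stop HSM signing with `algorithm` (empty if none)."""
    problems = []
    if group.vendor == "nshield" and algorithm.startswith("DSA"):
        problems.append("Entrust nShield does not support DSA; migrating a DSA Grid to nShield is not allowed")
    if group.vendor == "luna" and group.fips_mode and algorithm not in FIPS_COMPLIANT_ALGORITHMS:
        problems.append(f"{algorithm} is not FIPS 140-2 compliant; the HSM rejects such key requests")
    return problems

def module_status(m: HsmModule) -> str:
    if m.reachable is None:
        return "black"
    return "green" if (m.reachable and m.partition_assigned) else "red"

def group_status(group: HsmGroup) -> str:
    """Roll up member colours the way the HSM Group panel does."""
    states = [module_status(m) for m in group.modules]
    if not states or all(s == "black" for s in states):
        return "black"
    if all(s == "green" for s in states):
        return "green"
    if all(s == "red" for s in states):
        return "red"
    return "yellow"   # assumption: any mix (including some unknown) is degraded

def can_sign(group: HsmGroup) -> bool:
    """A healthy member whose partition has not reached 100% is needed for new signings/rollovers."""
    return any(module_status(m) == "green" and (m.percent_used is None or m.percent_used < 100)
               for m in group.modules)
```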

Testing the HSM Group

After you configure the HSM group, you can test the HSM signing functionality of the group. Click Test HSM Group in the Toolbar, and then click Yes when the confirmation dialog displays. The appliance then executes the command to perform a signing test. The feedback panel displays the status of the test in the Grid Manager feedback panel.

Synchronizing the HSM Group

You can click Resync HSM Group in the Toolbar to do any of the following:

  • For an Entrust nShield HSM group, if the RFS security settings change, use this function to have the appliance perform an RFS synchronization.

  • For a Thales Luna HSM group, use this function to synchronize the keys of the HSM members in the group.