Avi Vantage Integration with AWS CloudHSM V2

Overview

AWS CloudHSM is cloud-based, SSL/TLS key generation and encryption/decryption service
CloudHSM can store keys associated with SSL/TLS resources configured for an Avi virtual service. Starting with Avi Vantage release 17.2.7, AWS CloudHSM V2 is supported on Avi Vantage. This article discusses integration of Avi Vantage with AWS CloudHSM V2.

Prerequisites

The following are the prerequisite configuration for AWS Cloud HSM V2 integration:
On AWS

  • Create CloudHSM cluster with at least one HSM on AWS.
  • Activate CloudHSM cluster using the steps on the AWS Activate the Cluster page.
  • Attach the cluster’s security group to all Avi Controller AWS instances and existing Avi Service Engines.

On Avi Vantage

  • Check if the cluster’s security group has been added to Management vNic Custom Security Group in the settings of an SE group which has CloudHSM v2-enabled virtual services. This ensures any SEs spawned by the Avi Controller for those virtual services will have the correct security group on the AWS instance.

  • Ensure there is a HSM Cluster Certificate for creating the HSM group in Avi Vantage.

    cloud-hsm-v2

Integrating AWS CloudHSM V2

This section covers the following configuration details for integrating AWS Cloud HSM V2 with Avi Vantage:

  1. Importing CloudHSM Software
  2. Enabling CloudHSM V2 support on Avi Vantage
  3. Associating HSM Group with an SE Group
  4. Adding the Application Certificates and Keys
  5. Enabling HSM Support on a Virtual Service

Importing CloudHSM Software

Upload the client software bundle to the Avi Controller. This enables support for CloudHSM. Give the name cloudhsm.tar and follow the steps below for its preparation:

  1. Download the RPM file using the AWS CloudHSM Client and Software Version History.
    Note: You need to download only AWS CloudHSM Client and OpenSSL Dynamic Engine for Ubuntu 16.04 LTS

    For CloudHSMv2 client and command line tools, refer to wget.

  2. Create a tar ball using the following command: tar -cvf cloudhsm.tar cloudhsm-client-dyn-latest.x86_64.rpm cloudhsm-client-latest.x86_64.rpm

  3. Login to Avi UI, and navigate to Administration > Settings > Upload HSM Packages to upload the HSM package.

    If not using Avi UI, execute the following command from shell mode.

    
 upload hsmpackage filename cloudhsm.tar

This steps mentioned above upload and install the package onto the Avi Controller or onto all three nodes in the case of an Avi Controller cluster. Upon completion of the above commands, the HSM package uploaded successfully message appears.

  1. For the HSM-related SE group settings to take effect, Avi SEs in the group need a one-time reboot for auto-installation of the HSM packages. Reboot the Avi SE using the following command:

    
reboot serviceengine <se_name>

Enabling CloudHSM V2 support on Avi Vantage

Configure the Avi Controller to create an HSM group using the following:

  • Username and Password – These fields correspond to the crypto users credentials. They will be used to access the keys on the HSM.

  • HSM Cluster Certificate – Issuing certificate used while initiating/activating the HSM cluster. Only one HSM IP address is required in the registration step. If there is more than one HSM in the cluster, other IPs are discovered during HSMGroup creation.

enabling-cloud-hsm-v2

Associating HSM Group with an SE Group

The HSM group must be added to the SE group that will be used by the virtual service(s).

  1. Login to Avi UI and switch to the appropriate tenant.
  2. Navigate to Infrastructure > Cloud > Default-Cloud > Service Engine Group. Bring up the SE group editor for the desired SE group. Click on the Advanced tab. Select the desired HSM group from the drop-down and click on Save.

associating

During this step, all the SEs in the SE group are rebooted. This ensures that the necessary CloudHSM configuration is synced with the SE and OpenSSL is linked with cloudHSM engines.

Adding the Application Certificates and Keys

The Avi Controller is set up as a client of HSM and can be used to create keys and certificates on the HSM. Both the RSA and EC type of keys/Certificates creation is supported.

Login to Avi UI (Avi Controller’s management IP address). If Avi Vantage is deployed as a 3-node Controller cluster, navigate to the management IP address of the cluster. Use this procedure to create keys and certificates. The creation process is similar to any other key/certificate creation. For a key/certificate bound to HSM, select the HSM group while creating the object. The below screenshot illustrates the creation of a self-signed certificate bound to a HSM group.

Navigate to Templates > Security > SSL/TLS Certificates, and click on Create > Application Certificate.

adding-cert

Note: The HSM group cloudhsm is selected. This is the HSM group that was created earlier. Clicking on Save creates the self-signed RSA cert on the HSM provided in cloudhsm.

Enabling HSM Support on a Virtual Service

  1. Navigate to Applications > Virtual Services on the Avi UI. Click on New or Edit. If configuring a new virtual service, enter the name of the VIP.

  2. Select the HSM certificate from the SSL Certificate drop-down list. Enter the virtual service name and VIP address. In the Service Port section, enable SSL.

  3. Click on Advanced. On the Advanced tab, select the SE group to which the HSM group was added. Click on Save.

The virtual service is now ready to handle SSL/TLS traffic using the encryption/decryption services of the CloudHSM device.