Configure the hardserver to export the module for guest VM usage

This feature is not available on nToken models, but works with all other local HSM models. If you previously configured this feature using rserverperm, you may wish to switch to these instructions, which use the config file to specify the permissions for guest VMs to access the HSMs in a persistent manner.
  1. Configure the host hardserver to permit guest VM hardservers to share access to the module:

    1. Edit the host hardserver config file NFAST_KMDATA/config/config (Linux) or NFAST_KMDATA\config\config (Windows).

    2. Add a new entry in the hs_clients section to contain the details of the client to be added.

      If your config file does not already contain a hs_clients section you may add it yourself with a line containing only [hs_clients].

      The addr and clientperm fields are required for each client, and keyhash is recommended for authentication:

      [hs_clients]
      addr=<client_IP>
      clientperm=permission_type
      keyhash=software_keyhash

      Where:

      <client_IP> can be either the IP address of the guest VM or any of 0.0.0.0, ::, or blank if the host hardserver is to accept clients identified by their key hash instead of their IP address.

      If you set both the <client_IP> field (the guest VM’s IP address) and the key hash, client connections will be restricted based on both values.

      permission_type defines the type of commands the client can issue (unpriv for unprivileged only, priv for privileged or priv_lowport for privileged connections restricted to low port numbers).

      software_keyhash is the hash of the software-generated authentication key that the client should authenticate itself with.

      If there is more than one client being configured, the fields for each client must be separated by a line consisting of one or more hyphens (e.g. ----).

      It is recommended that the firewall on the host be configured so that only connections from intended network interfaces can be made to the host hardserver on its Impath port (port 9004 by default).
    3. Load the updated configuration file in the host hardserver. To do this, run the following command:

      hsc_nethsmexports

      This command only needs to be run when the config is added or modified. The permissions for guest VMs will be re-applied automatically when the host hardserver is restarted.
  2. Configure the hardserver in the guest VM to enroll to the host hardserver with an IP address using the virtual switch. Enter the following command for each guest hardserver that should have unprivileged access:

    nethsmenroll <host-hardserver-ip>

    Run the following command if the guest hardserver should have privileged access for mode change and administration:

    nethsmenroll -p <host-hardserver-ip>

    Not all administration operations will be permitted from a privileged guest VM, such as firmware updates, which must be carried out from the host.

    You will be asked to confirm your entries. You should then see the following message:

    OK configuring hardserver's nethsm imports
  3. Confirm the connection from the guest VMs by running enquiry.
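
The following audit of the hs_clients section from step 1 is an added example, not part of the original instructions or of the vendor tooling. It flags entries that omit keyhash or use an unrecognised clientperm. The function names, the sample addresses and hashes, and the treatment of an all-zero keyhash as unset are assumptions.

```python
# Constructed sample; addresses and key hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
[hs_clients]
addr=192.0.2.10
clientperm=unpriv
keyhash=0123456789abcdef0123456789abcdef01234567
----
addr=0.0.0.0
clientperm=priv
----
addr=192.0.2.11
clientperm=admin
"""

VALID_PERMS = {"unpriv", "priv", "priv_lowport"}
ANY_ADDR = {"", "0.0.0.0", "::"}  # host accepts clients by key hash, not by IP

def parse_hs_clients(text):
    """Return one dict per client entry in the [hs_clients] section."""
    entries, current, in_section = [], {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line == "[hs_clients]"
        elif in_section and line and set(line) == {"-"}:
            entries.append(current)  # a hyphen-only line ends the current client
            current = {}
        elif in_section and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    entries.append(current)
    return [e for e in entries if e]

def audit(entries):
    """Return (entry_number, finding) pairs, numbering entries from 1."""
    findings = []
    for n, entry in enumerate(entries, start=1):
        perm = entry.get("clientperm", "")
        # Assumption: a blank, missing or all-zero keyhash means no key check.
        has_key = bool(entry.get("keyhash", "").strip("0"))
        if perm not in VALID_PERMS:
            findings.append((n, f"unknown or missing clientperm {perm!r}"))
        if not has_key and entry.get("addr", "") in ANY_ADDR:
            findings.append((n, "any address accepted and no keyhash set"))
        elif not has_key:
            findings.append((n, "no keyhash: client is identified by IP only"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_hs_clients(SAMPLE_CONFIG)), sep="\n")
```
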