Configure the hardserver to export the module for guest VM usage
This feature is not available on nToken models, but works with all other local HSM models. If you previously configured this feature using rserverperm, you may wish to switch to these instructions, which use the config file to specify the permissions for guest VMs to access the HSMs in a persistent manner.
- Configure the host hardserver to permit guest VM hardservers to share access to the module:

  - Edit the host hardserver config file NFAST_KMDATA/config/config (Linux) or NFAST_KMDATA\config\config (Windows).

  - Add a new entry in the hs_clients section to contain the details of the client to be added. If your config file does not already contain a hs_clients section, you may add it yourself with a line containing only [hs_clients].

    The addr and clientperm fields are required for each client, and keyhash is recommended for authentication:

        [hs_clients]
        addr=<client_IP>
        clientperm=permission_type
        keyhash=software_keyhash

    Where:

    - <client_IP> can be either the IP address of the guest VM or any of 0.0.0.0, ::, or blank if the host hardserver is to accept clients identified by their key hash instead of their IP address. If you set both the <client_IP> field (the guest VM’s IP address) and the key hash, client connections will be restricted based on both values.
    - permission_type defines the type of commands the client can issue (unpriv for unprivileged only, priv for privileged or priv_lowport for privileged connections restricted to low port numbers).
    - software_keyhash is the hash of the software-generated authentication key that the client should authenticate itself with.

    If there is more than one client being configured, the fields for each client must be separated by a line consisting of one or more hyphens (e.g. ----).

    It is recommended that the firewall on the host be configured so that only connections from intended network interfaces can be made to the host hardserver on its Impath port (port 9004 by default).

  - Load the updated configuration file in the host hardserver. To do this, run the following command:

        hsc_nethsmexports

    This command only needs to be run when the config is added or modified. The permissions for guest VMs will be re-applied automatically when the host hardserver is restarted.
- Configure the hardserver in the guest VM to enroll to the host hardserver with an IP address using the virtual switch. Enter the following command for each guest hardserver that should have unprivileged access:

      nethsmenroll <host-hardserver-ip>

  Run the following command if the guest hardserver should have privileged access for mode change and administration:

      nethsmenroll -p <host-hardserver-ip>

  Not all administration operations are permitted from a privileged guest VM; firmware updates, for example, must be carried out from the host.

  You will be asked to confirm your entries. You should then see the following message:

      OK configuring hardserver's nethsm imports
- Confirm the connection from the guest VMs by running enquiry.
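The hs_clients step above lets each entry restrict a client by IP address, by key hash, or by both. The following Python sketch is an added example, not part of the original documentation or of the vendor's software: it parses an [hs_clients] section and reports entries that are weakly restricted. The sample config, its addresses and its key hash are constructed, and treating # as a comment marker is an assumption.

```python
import re

WILDCARD_ADDRS = {"", "0.0.0.0", "::"}  # per the page: client identified by key hash, not IP
# Constructed sample: the addresses and the key hash are placeholders.
SAMPLE = """\
[hs_clients]
addr=192.0.2.10
clientperm=unpriv
keyhash=0123456789abcdef0123456789abcdef01234567
----
addr=192.0.2.11
clientperm=priv
----
addr=0.0.0.0
clientperm=unpriv
"""

def parse_hs_clients(text):
    """Return one dict per client entry in the [hs_clients] section."""
    entries, in_section = [{}], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if line.startswith("["):
            in_section = line == "[hs_clients]"
            entries.append({})  # a section header also ends the current entry
        elif in_section and re.fullmatch(r"-+", line):
            entries.append({})  # a line of hyphens separates clients
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[-1][key.strip()] = value.strip()
    return [e for e in entries if e]

def audit(entries):
    """Return (entry_number, finding) pairs for weakly restricted clients."""
    findings = []
    for n, e in enumerate(entries, 1):
        open_addr = e.get("addr", "") in WILDCARD_ADDRS
        keyhash, perm = e.get("keyhash", ""), e.get("clientperm")
        if perm not in ("unpriv", "priv", "priv_lowport"):
            findings.append((n, "clientperm missing or not a listed permission type"))
        if open_addr and not keyhash:
            findings.append((n, "restricted by neither IP address nor keyhash"))
        elif not keyhash:
            findings.append((n, "no keyhash: client identified by IP address only"))
        if perm in ("priv", "priv_lowport") and (open_addr or not keyhash):
            findings.append((n, "privileged access not bound to both IP and keyhash"))
    return findings
```

Calling `audit(parse_hs_clients(SAMPLE))` reports the second and third sample clients; pass the text of the host config file instead of `SAMPLE` to check a real configuration before running hsc_nethsmexports.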