CP 003 Avi
This article describes how to configure Avi Vantage to use the key-generation and encryption/decryption services provided by Thales Luna Network HSM, so that the private keys associated with SSL/TLS resources configured on a virtual service are stored on the Thales Luna Network HSM rather than on the Avi Controller or Service Engines.
By default, Avi Service Engines and Controllers use their respective management interfaces for HSM communication. On CSP, Avi Vantage also supports a dedicated Service Engine data interface for HSM interaction, and a dedicated Controller interface for HSM communication.
The user may choose to create the HSM group in the admin tenant while the Service Engines are spread across multiple tenants. HSM can then be enabled on a per-SE-group basis by attaching the HSM group to the corresponding SE group. In this mode, the choice between a dedicated interface and the management interface for HSM communication is made in the admin tenant, and all other tenants inherit that configuration.
Alternatively, you can create HSM groups in their respective tenants. The choice of a dedicated or management interface for HSM communication is then made at the tenant level. In this mode, the Controller IPs may appear in every HSM group; internally, the client certificate for these overlapping clients is generated once and reused for any subsequent HSM group creation.
Creating, updating, or deleting an HSM group requires the Service Engines to load a new Thales Luna client configuration, which can only be achieved by restarting the Avi SEs. Restarting the Avi SEs temporarily disrupts traffic, so plan these changes for a maintenance window.
Creating the HSM group requires the server certificate of each Thales Luna appliance; the contents of these certificates are entered into the HSM Group editor. Avi Vantage supports trusted (mutually authenticated) communication for all nodes in the system: you provide the IP addresses of the Controller(s) and Service Engine(s) that will interact with the HSM, using the HSM Group editor options described below. The Thales Luna server certificates can be retrieved from the appliances or provided by the security team that manages them. In either case, having access to these certificates is a prerequisite to creating any HSM configuration in Avi Vantage.
By default, SEs use the management network to interact with the HSM. On CSP, Avi Vantage also supports a dedicated network for HSM interaction and a dedicated interface on the Controllers for HSM communication.
Select the network to be used to communicate with the HSM and add the client IPs. If dedicated SE or Controller interfaces have been configured for HSM communication, check the Dedicated Interface box and verify that the IPs listed are those of the intended dedicated interfaces on the Service Engines and/or Controllers.
Note: The NSX Advanced Load Balancer Controllers and every Service Engine in the SE group must each have at least one IP address in this list to ensure access to the HSMs. This step is critical: Thales Luna appliances reject connections from client IP addresses that have not been registered.
The clients in this case are the NSX Advanced Load Balancer Controllers and Service Engines, and the client certificates generated for them need to be registered with the Thales Luna appliances for mutual authentication. This can be done directly, per steps 3 and 4 below, or by sending the client certificates to the security team managing the HSM appliances.
Note: Step 6, which verifies the registration, must be performed only after all client certificates have been registered on every HSM appliance configured above. Before that, edit the HSM group and ensure the (partition) password is populated.
Avi Vantage automates configuration of HA across HSM devices. Before configuring HA, confirm that the clients are registered with the HSM using the listSlots command, which lists the HSM partitions visible to the client. The partition serial numbers in its output are needed to set up HA across these devices. Verify that the serial numbers listed match the partitions set up on the Thales Luna appliances (or the ones provided by the security team) and match the configuration in the HSM group object. Internally, Avi uses the serial numbers to configure HA whenever the client is registered on more than one partition.
Switch to the appropriate tenant. Navigate to Infrastructure > Cloud Resources > Service Engine Group and open the SE group editor for the desired SE group. Click the Advanced tab, select the desired HSM group from the pulldown, and click Save.
From the NSX Advanced Load Balancer UI, navigate to Templates > Security > SSL/TLS Certificates, and click on Create > Application Certificate.
Under Certificate, click Import Private Key to HSM. Note: The option to enable private key import to HSM when importing the certificate is available starting with NSX Advanced Load Balancer version 22.1.3.
To import the certificate via the CLI, set the field import_key_to_hsm to true so that NSX Advanced Load Balancer imports the SSL private key into the Thales Luna HSM. Note: Ensure that the format is SSL_PEM, the type is ssl_certificate_type_virtualservice, and the correct hardware security module group is referenced.
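The three points above that most often go wrong in practice are unregistered client IPs, partition serial numbers that do not match what the client actually sees, and a certificate import whose format, type, or HSM group reference is wrong. The following pre-flight script is an added example, not Avi or Thales code: it checks all three offline before you touch the Controller. The HSM-group dictionary keys (client_ips, partition_serials), the listSlots text layout, and the sample PEM blocks are constructed for this example; the SSLKeyAndCertificate keys (format, type, hardwaresecuritymodulegroup_ref, certificate, key, plus import_key_to_hsm from the text above) are assumed from the Avi API object and should be verified against your Controller's /api/sslkeyandcertificate schema before use.

```python
"""Pre-flight checks for an Avi Vantage / NSX ALB Thales Luna HSM integration.

Added example, not Avi or Thales code. The HSM-group dict keys and the
listSlots text layout are constructed assumptions; the SSLKeyAndCertificate
keys are assumed from the Avi API object and should be verified against the
Controller's /api/sslkeyandcertificate schema.
"""
import re
from ipaddress import ip_address

# --- constructed sample input (not real infrastructure or keys) -----------------
SAMPLE_HSM_GROUP = {
    "name": "luna-hsm-grp",
    "client_ips": ["10.10.0.11", "10.10.0.12", "10.10.1.21"],   # registered on Luna
    "partition_serials": ["1234567890123", "1234567890124"],   # from the security team
}
SAMPLE_CONTROLLERS = ["10.10.0.11", "10.10.0.12"]
SAMPLE_SES = ["10.10.1.21", "10.10.1.22"]          # 10.10.1.22 was never registered
SAMPLE_LISTSLOTS = """\
Slot Description: Net Token Slot
Label: avi-partition-a
Serial Number: 1234567890123
Slot Description: Net Token Slot
Label: avi-partition-b
Serial Number: 1234567890125
"""
# Not a real key pair: the base64 bodies are filler so the example runs offline.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBxDCCAW6gAwIBAgIUQ\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQ\n-----END PRIVATE KEY-----\n"


def missing_client_ips(hsm_group, controller_ips, se_ips):
    """IPs of Controllers/SEs that are absent from the HSM group's client list.

    Luna appliances drop traffic from unregistered client IPs, so any address
    returned here will fail HSM operations even if its certificate is fine.
    Malformed address strings raise ValueError instead of silently passing.
    """
    registered = {ip_address(ip) for ip in hsm_group["client_ips"]}
    wanted = [ip_address(ip) for ip in list(controller_ips) + list(se_ips)]
    return sorted(str(ip) for ip in wanted if ip not in registered)


_SERIAL_RE = re.compile(r"^Serial Number:\s*(\d+)\s*$", re.MULTILINE)


def partition_serials(listslots_output):
    """Partition serial numbers visible to this client, parsed from listSlots text."""
    return set(_SERIAL_RE.findall(listslots_output))


def serial_mismatch(hsm_group, listslots_output):
    """Reconcile serials in the HSM group object with what the client actually sees.

    HA across partitions is keyed on these serials: a configured partition the
    client cannot see will never join HA, and a visible partition missing from
    the group object suggests the client was registered on the wrong partition.
    """
    seen = partition_serials(listslots_output)
    configured = {str(s) for s in hsm_group["partition_serials"]}
    return {
        "not_visible_to_client": sorted(configured - seen),
        "not_in_hsm_group": sorted(seen - configured),
    }


_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def build_cert_payload(name, cert_pem, key_pem, hsm_group_ref):
    """Build the import payload with the private key destined for the Luna HSM.

    Enforces the documented conditions up front (PEM format, virtual-service
    certificate type, explicit HSM group reference) and refuses a cert pasted
    where a key is expected, or vice versa, a common copy/paste error.
    """
    cert_types = {m.group(1) for m in _PEM_BLOCK.finditer(cert_pem)}
    key_types = {m.group(1) for m in _PEM_BLOCK.finditer(key_pem)}
    if cert_types != {"CERTIFICATE"}:
        raise ValueError(f"cert_pem must contain only CERTIFICATE blocks, got {cert_types or 'none'}")
    if not key_types or not all(t.endswith("PRIVATE KEY") for t in key_types):
        raise ValueError(f"key_pem must be a PRIVATE KEY block, got {key_types or 'none'}")
    if not hsm_group_ref:
        raise ValueError("hardwaresecuritymodulegroup_ref is required when import_key_to_hsm is set")
    return {
        "name": name,
        "format": "SSL_PEM",
        "type": "SSL_CERTIFICATE_TYPE_VIRTUALSERVICE",
        "import_key_to_hsm": True,
        "hardwaresecuritymodulegroup_ref": hsm_group_ref,
        "certificate": {"certificate": cert_pem},
        "key": key_pem,
    }


if __name__ == "__main__":
    print("unregistered client IPs:", missing_client_ips(SAMPLE_HSM_GROUP, SAMPLE_CONTROLLERS, SAMPLE_SES))
    print("serial mismatch:", serial_mismatch(SAMPLE_HSM_GROUP, SAMPLE_LISTSLOTS))
    ref = "/api/hardwaresecuritymodulegroup?name=" + SAMPLE_HSM_GROUP["name"]
    print("payload keys:", sorted(build_cert_payload("app-cert", SAMPLE_CERT_PEM, SAMPLE_KEY_PEM, ref)))
```

Run it against the HSM group as exported from the Controller and the real listSlots output of one SE: an SE in missing_client_ips will be rejected by the appliance regardless of certificates, and anything in not_visible_to_client means the HA group Avi builds will be missing that partition. The payload builder deliberately raises rather than silently defaulting, since an import with import_key_to_hsm set but no HSM group reference would leave the key on the Controller.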
Crestron Virtual Control streamlines deployment and maintenance by allowing a single program to be deployed across multiple rooms. Support for the C#, SIMPL, and SIMPL#Pro programming languages gives programmers design flexibility and enables programs to be shared with hardware-based control systems. Crestron Virtual Control also employs enterprise-grade security to ensure maximum reliability and privacy.