iQSol HSA User manual

HSA User Manual
HSA V050, 14. September 2018

Page 2 of 50
Index
1 HSA Quick Start Guide........................................................................................................................ 6
LEDs and buttons. .................................................................................................................... 6
How to power on. .................................................................................................................... 7
How to access the HSA............................................................................................................. 7
How to completely power off (for storage or shipping). ......................................................... 7
Recommended PuTTY settings................................................................................................. 8
Manual Download.................................................................................................................... 8
2 Setup Wizard .................................................................................................................................... 10
Starting the Wizard ................................................................................................................ 10
Changing IP............................................................................................................................. 10
2.2.1 Select Interface.......................................................................................................... 11
2.2.2 Enter IP ...................................................................................................................... 11
2.2.3 Gateway .................................................................................................................... 12
2.2.4 Confirm settings and reconnect................................................................................ 12
Changing DNS......................................................................................................................... 12
Setting the correct time ......................................................................................................... 13
2.4.1 Setting timezone ....................................................................................................... 13
2.4.2 Enter date.................................................................................................................. 14
2.4.3 Enter time.................................................................................................................. 14
Changing NTP ......................................................................................................................... 15
Changing password.................................................................................................................. 15
Setup of a new YubiHSM........................................................................................................ 15
2.7.1 Creating a wrapping key............................................................................................ 15
2.7.2 Creating the admin authentication key..................................................................... 16
Creating a PKI authentication key.......................................................................................... 18
2.8.1 Authentication key ID................................................................................................ 19
2.8.2 Authentication key label ........................................................................................... 20
2.8.3 Authentication key domain....................................................................................... 20
2.8.4 Choose a password.................................................................................................... 21

2.8.5 PKI authentication key stored on the YubiHSM........................................................ 21
Creating a new connector certificate..................................................................................... 21
Wizard completed.................................................................................................................. 23
3 The main menu................................................................................................................................. 24
4 The network menu ........................................................................................................................... 25
hostname ............................................................................................................................... 25
interface................................................................................................................................. 25
4.2.1 Edit interface ............................................................................................................. 26
DNS......................................................................................................................................... 26
addRoute................................................................................................................................ 26
listRoute ................................................................................................................................. 26
NTP......................................................................................................................................... 26
5 The yubiHSM menu .......................................................................................................................... 27
info ......................................................................................................................................... 27
setup ...................................................................................................................................... 27
authkey................................................................................................................................... 27
backup.................................................................................................................................... 27
readBackup ............................................................................................................................ 27
shell ........................................................................................................................................ 28
deviceinfo............................................................................................................................... 28
connector ............................................................................................................................... 28
5.8.1 restartCon.................................................................................................................. 28
5.8.2 rmSN.......................................................................................................................... 28
5.8.3 writeSN...................................................................................................................... 28
5.8.4 manSN ....................................................................................................................... 29
5.8.5 restartNginx............................................................................................................... 29
5.8.6 cert ............................................................................................................................ 29
5.8.7 allowIP....................................................................................................................... 29
5.8.8 listIP........................................................................................................................... 29
6 The HSA menu .................................................................................................................................. 29

users....................................................................................................................................... 30
time ........................................................................................................................................ 30
update .................................................................................................................................... 30
backup.................................................................................................................................... 30
restore.................................................................................................................................... 30
wizard..................................................................................................................................... 31
LinuxCLI .................................................................................................................................. 31
reboot..................................................................................................................................... 31
shutdown ............................................................................................................................... 31
7 The logging menu ............................................................................................................................. 31
Syslog ..................................................................................................................................... 31
7.1.1 local ........................................................................................................................... 32
7.1.2 remote....................................................................................................................... 32
7.1.3 server......................................................................................................................... 32
7.1.4 TLS ............................................................................................................................. 32
7.1.5 filter........................................................................................................................... 32
SNMP...................................................................................................................................... 34
7.2.1 enable/disable........................................................................................................... 34
7.2.2 OID............................................................................................................................. 34
7.2.3 port............................................................................................................................ 34
7.2.4 sysLocation................................................................................................................ 34
7.2.5 sysContact ................................................................................................................. 34
7.2.6 user............................................................................................................................ 34
7.2.7 listUser....................................................................................................................... 35
8 YubiHSM setup on a PKI Server........................................................................................................ 36
Installing the connector certificate........................................................................................ 36
Installing the YubiHSM Key Storage Provider. ........................................................................ 37
Add the CA Role ..................................................................................................................... 39
Configure Active Directory Certificate Services ..................................................................... 41
9 Troubleshooting ............................................................................................................................... 46

Active Directory Certificate Services...................................................................................... 46

1 HSA Quick Start Guide
LEDs and buttons.
[Figure: front and rear panel of the HSA. Labels: PWR button; Reset button; Harddrive active LED (green); Power on LED (yellow); Power supply connected LED (red); ports: USB, LAN, HDMI, DC in 24 V 1120 mA]

How to power on.
Plug in the power supply and the HSA will start automatically (indicated by the power on LED).
If the red LED is on but the yellow LED is not, press the PWR button to power on.
Please do not connect the HSA to your network before changing the IP address.
How to access the HSA
You can connect to the HSA box via SSH using PuTTY or another SSH client, or with an HDMI monitor and a
USB keyboard.
Default IP/Netmask: 192.168.0.1/24
Default Gateway: 192.168.0.254
Default DNS: 192.168.0.254
Default user: deviceadmin
Default password: deviceadmin
When you log in for the first time, the Setup Wizard starts, and you can specify the most important settings.
More detailed setup information can be found in the “HSA Setup Manual”, which you can download directly
from the HSA as described in Manual Download on the next page.
How to completely power off (for storage or shipping).
The HSA is equipped with a battery.
If you want to ship the device or store it for a longer period of time, please follow these steps to completely
power off.
In the menu
Go to The HSA menu > shutdown
On the CLI
Enter: sudo shutdown now
Or press the PWR button.
After the yellow LED turns off, unplug the power supply and press the Reset button for 5 seconds.
Once the HSA is completely powered off, the PWR button no longer works and you should only be able to
power on the HSA by plugging in the power supply.

Recommended PuTTY settings
By default, the numeric keypad does not enter numbers in the HSA menu, but acts as the directional keys
when using PuTTY.
To change that, do the following:
Open PuTTY and click on “Terminal” > “Features”.
Enable “Disable application keypad mode”.
It is also recommended to change the window and text size for readability:
“Window” > “Columns” and “Rows”
“Window” > “Appearance” > “Font settings”
The font “Consolas” works very well for terminals.
To save this as the default settings, click on “Session”, enter “Default Settings” in the “Saved Sessions”
text field and click “Save”.
Manual Download
The Quick Start Guide is included in printed form in the HSA package.
The more detailed manual is only available as PDF.
You can download it directly from the HSA as follows. After the first login the wizard starts; select “Yes”.

The wizard asks if you want to download the HSA User Manual. Select “Yes”.
Open a web browser and enter the IP of your HSA (displayed in the “Download” window) in the address bar.
Right-click on “HSA User Manual.pdf” and select “Save target as ...”.
After downloading, make sure that you can open and read the HSA User Manual and click “OK”.
Alternatively, you can download the HSA User Manual online via FTP:
ftp://customer:FZig[email protected]/6-IQSol-Customer/HSA/
The HSA Quick Start Guide ends here.
Follow the instructions in Setup Wizard in the HSA User Manual PDF you just downloaded to continue setting up the HSA.

2 Setup Wizard
Please read the “HSA Quick Start Guide” before starting with the Setup Wizard.
Starting the Wizard
When you log on to the HSA for the first time, the setup wizard will start and guide you through the most
important settings.
Select “Yes” to start the wizard or “No” if you already know all the important steps and want to select them
manually in the menu.
This guide assumes that you are using the wizard.
Changing IP
First you will be asked if you want to change the IP.
You can do this now and then log in to the new IP address to proceed with the wizard, or select “No” to
change the IP address at the end in the menu, after everything else has been configured.

This guide assumes that you have selected “Yes”.
2.2.1 Select Interface
Now select the network interface on which you want to make changes.
On a standard HSA, only one should be present; just press “OK”.
2.2.2 Enter IP
Enter the new IP followed by the subnet mask, as shown above.
You can enter the subnet mask as Classless Inter-Domain Routing (CIDR) suffix (example: 24) or dotted decimal
notation (example: 255.255.255.0).

More info about this:
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
https://en.wikipedia.org/wiki/Dot-decimal_notation
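The wizard accepts the subnet mask in either of the two notations above and then asks for a gateway in the next step. The following is an added example (not part of the iQSol manual or HSA software) that checks an IP, mask and gateway combination on a workstation before it is typed into the wizard: it converts a CIDR suffix or dotted-decimal mask to a prefix length, rejects non-contiguous masks, and verifies that the gateway lies inside the resulting subnet. The function names and the sample values are this example's own assumptions; the defaults from the Quick Start Guide (192.168.0.1/24, gateway 192.168.0.254) are used as the sample input.

```python
import ipaddress

# Added example, not code from the HSA or the manual: validate the three values the
# wizard asks for (IP, subnet mask in either notation, gateway) before entering them.


def normalize_mask(mask: str) -> int:
    """Accept a CIDR suffix ('24') or a dotted-decimal mask ('255.255.255.0').

    Returns the prefix length. Raises ValueError for out-of-range suffixes and for
    dotted masks whose bits are not a contiguous run of ones followed by zeros.
    """
    mask = mask.strip()
    if mask.isdigit():
        prefix = int(mask)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {prefix}")
        return prefix
    value = int(ipaddress.IPv4Address(mask))      # raises ValueError on garbage
    prefix = bin(value).count("1")
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if value != expected:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def plan_interface(ip: str, mask: str, gateway: str) -> dict:
    """Combine IP, mask and gateway and check that they fit together.

    Raises ValueError if the host address is the network or broadcast address,
    if the gateway is outside the subnet, or if the gateway equals the host.
    """
    prefix = normalize_mask(mask)
    iface = ipaddress.IPv4Interface(f"{ip}/{prefix}")
    net = iface.network
    if prefix < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must not be the HSA's own address")
    return {
        "ip": str(iface.ip),
        "prefix": prefix,
        "netmask": str(net.netmask),   # dotted-decimal form of the same mask
        "network": str(net),
        "gateway": str(gw),
    }


def interface_error(ip: str, mask: str, gateway: str):
    """Return None if the combination is valid, otherwise the error message."""
    try:
        plan_interface(ip, mask, gateway)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample input: the factory defaults from the Quick Start Guide.
    print(plan_interface("192.168.0.1", "24", "192.168.0.254"))
    print(interface_error("192.168.0.1", "255.255.255.0", "192.168.1.254"))
```

Both `normalize_mask("24")` and `normalize_mask("255.255.255.0")` yield 24, so the same plan results whichever notation is typed into the wizard; a gateway in a different subnet is reported before the SSH session is lost in step 2.2.4.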
2.2.3 Gateway
In the next step you will be asked to enter your gateway IP.
Click “OK”. The settings will now be displayed again for confirmation.
2.2.4 Confirm settings and reconnect
If everything looks fine, select “Yes”. If you are connected using SSH, you will by design lose your connection.
Now you can open a new SSH session to the new IP and proceed with the wizard.
After logging in again and seeing “Would you like to start the setup wizard now?”, select “Yes”.
The wizard won't ask again whether you want to change the IP, but will continue with the next step.
Changing DNS
Select “Yes” if you want to use a specific DNS Server and proceed with the wizard.

Setting the correct time
2.4.1 Setting timezone
Enter the number of your location and hit Enter.
For example, to set “Europe/Vienna” as your time zone, enter 7 in the continent selection and then 4 in the
country selection that appears after selecting a continent.
Confirm the settings by entering 1.

2.4.2 Enter date
Now enter the current date or just select “Cancel” if it is already correct.
If you selected “Cancel” you will be asked “No valid date was entered. Retry?” Select “No”.
2.4.3 Enter time
Same as with date. You can select “Cancel” if the time is already correct.
Note: The time in this screen is not updated live; it stays as it was when the screen first appeared. The clock
keeps running in the background and will continue to do so if you choose Cancel.

Changing NTP
If you want to use a specific NTP server, select “Yes” and continue with the wizard.
Changing password
This is important for the HSA to be secure. Choose a secure password!
First for the default user “deviceadmin”; this user will mainly be used to configure the HSA.
The default password is: deviceadmin
Next you will be asked to change the root password. The root user will rarely be used and is only needed for
some updates. This user should have a very strong password, as it is allowed to do anything on the HSA.
The default password is: deviceadmin
Note: The YubiHSM module has its own passwords and is not affected by these settings.
Setup of a new YubiHSM
2.7.1 Creating a wrapping key
Now you will be asked to create a wrap key.
A wrap key is a secret key used to wrap and unwrap Objects during the export and import process.

Select “Yes”.
You will now be shown a randomly generated wrapping key similar to the one shown above.
You will need this information to be able to make backups of your YubiHSM!
Note: You can use up to 16 separate PKI servers on one YubiHSM; with this wrap key you can back up all of
them at once.
To confirm that you have the correct wrap key, you will be asked to input it in the next screen.
Note: If you use PuTTY, you can highlight text to copy it and right-click to paste it.
After successfully confirming the wrap key, it will be stored on the YubiHSM and you will see the following
message:
2.7.2 Creating the admin authentication key
Now you will create the admin auth key. This is comparable to a user account: it has an ID (similar to a
username) and a password to log in.

An Authkey, or Authentication Key, is one of the most fundamental Objects there is. Authentication Keys are
used to establish Sessions with a YubiHSM device.
Basically, you can treat authentication keys as users with different rights and abilities.
More info about the different Objects can be found here:
https://developers.yubico.com/YubiHSM2/Concepts/Object.html
After clicking “OK” you will see this:
You should choose a very secure (randomly generated) password, as this is the admin auth key and is allowed
to do almost everything on the YubiHSM.
After you have confirmed the password you should see this screen:
Now the admin authentication key is saved on the YubiHSM and you can create authentication keys for your
PKI servers.

Creating a PKI authentication key
The wizard will automatically start this for the first key. If you want to create more than one PKI authentication
key, you can do so in The yubiHSM menu after completing the wizard.
Select “Yes”.
You can handle the PKI auth keys like user accounts (on the YubiHSM) for your PKI servers.
Now enter the password for the admin authentication key you created earlier.
The admin authentication key is the only key that can create new authentication keys for PKI servers.
Note: You can right-click to paste text if you use PuTTY.

2.8.1 Authentication key ID
Now you can select an ID for your new PKI auth key. The ID is like a user name.
You can enter a decimal value, or a hexadecimal value starting with 0x. Without 0x the value is interpreted as
decimal.
The range is 0x0004 (or just 4 in decimal) to 0xFFFF (65535 in decimal).
With the Windows Calculator in programmer mode (selectable from the “View” drop-down menu), you can
easily convert between decimal and hexadecimal values.
Select “Hex”, input a hexadecimal number and then select “Dec” to convert it to decimal, or the other way
around.
Some more info: https://en.wikipedia.org/wiki/Hexadecimal
After you have entered an ID, hit “OK”.

2.8.2 Authentication key label
Now you can enter a label (name) for the authentication key to make it easier to identify later.
This can be anything, but it is suggested to use the name of the PKI server followed by “auth key”.
For example: “some-name-01 auth key”.
In the next step you can choose a domain for the authentication key.
2.8.3 Authentication key domain
You should select a different domain for each PKI server; otherwise they will have access to each other's keys.
Choose “1” for the first PKI server, “2” for the second PKI server, and so on.
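Steps 2.8.1 to 2.8.3 are repeated once per PKI server, and the values have to be consistent across runs: every auth key ID must be unique, and every server must get its own domain. The following is an added example (not part of the iQSol manual or HSA software) that prepares these inputs for a list of PKI servers on a workstation: it parses IDs exactly as the wizard describes (a `0x` prefix means hexadecimal, anything else is decimal), enforces the 0x0004 to 0xFFFF range, builds the suggested “<server> auth key” label, numbers the domains 1, 2, 3, ... in list order, and refuses duplicate IDs, duplicate server names or more than the 16 servers the manual allows per YubiHSM. The server names and IDs in the sample are constructed; the function names are this example's own.

```python
# Added example, not code from the HSA or the manual: plan one PKI auth key per
# PKI server (ID, label, domain) and validate the values before the wizard asks.

AUTHKEY_ID_MIN = 0x0004    # lowest ID the wizard accepts (from the manual)
AUTHKEY_ID_MAX = 0xFFFF    # highest ID (65535 in decimal)
MAX_PKI_SERVERS = 16       # manual: up to 16 separate PKI servers per YubiHSM


def parse_authkey_id(text: str) -> int:
    """Parse an ID the way the wizard does: '0x' prefix means hex, otherwise decimal.

    'ff' without the 0x prefix is therefore rejected (ValueError from int()).
    """
    text = text.strip()
    if text.lower().startswith("0x"):
        value = int(text[2:], 16)
    else:
        value = int(text, 10)
    if not AUTHKEY_ID_MIN <= value <= AUTHKEY_ID_MAX:
        raise ValueError(
            f"auth key ID {value:#06x} outside {AUTHKEY_ID_MIN:#06x}..{AUTHKEY_ID_MAX:#06x}"
        )
    return value


def suggested_label(server_name: str) -> str:
    """Label convention suggested by the manual: '<PKI server name> auth key'."""
    return f"{server_name.strip()} auth key"


def plan_pki_authkeys(servers):
    """servers: list of (pki_server_name, id_as_typed) in the order they are set up.

    Returns one dict per server with the ID in both notations, the label and the
    domain (1 for the first server, 2 for the second, ... as the manual instructs).
    Raises ValueError on a duplicate ID, a duplicate server name or too many servers.
    """
    if len(servers) > MAX_PKI_SERVERS:
        raise ValueError(f"{len(servers)} servers exceeds the {MAX_PKI_SERVERS} supported")
    seen_ids, seen_names, plan = set(), set(), []
    for domain, (name, id_text) in enumerate(servers, start=1):
        key_id = parse_authkey_id(id_text)
        if key_id in seen_ids:
            raise ValueError(f"auth key ID {key_id:#06x} used twice")
        if name in seen_names:
            raise ValueError(f"PKI server {name!r} listed twice")
        seen_ids.add(key_id)
        seen_names.add(name)
        plan.append({
            "server": name,
            "id_dec": key_id,
            "id_hex": f"{key_id:#06x}",
            "label": suggested_label(name),
            "domain": domain,            # a distinct domain keeps servers' keys apart
        })
    return plan


def plan_error(servers):
    """Return None if the list is valid, otherwise the error message."""
    try:
        plan_pki_authkeys(servers)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample input: two PKI servers, one ID typed in hex, one in decimal.
    for entry in plan_pki_authkeys([("pki-01", "0x10"), ("pki-02", "17")]):
        print(entry)
    print(plan_error([("pki-01", "0x10"), ("pki-02", "16")]))   # same ID twice
```

Running the plan before touching the HSA turns the two most common mistakes, re-using an ID or giving two servers the same domain, into an error on the workstation instead of a key that later has to be deleted from the YubiHSM.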