Connecting to you IBM Cloud Hardware Security Module
The following steps outline how to connect the Hardware Security Module (HSM) VPN to your customer account. You can also connect from a server on your account that has connectivity to the private VLAN on which the HSM is provisioned.
-
Log in to your HSM by using the user ID and password that is provided on Device Details through your VPN or to a server that is on the same private VLAN. The following command is an example. The IP address that you use might differ.
#ssh hsm_admin@10.1.1.101 -
Change the HSM
customer_adminpassword:#user password -
Enable public key infrastructure (PKI)-based authentication:
#ssh-keygen -b 2048 -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 6e:7a:73:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 root@hostTwo files are created. The first is a private key file, which stays on the connecting host, and a public key file that is sent to the HSM appliance.
-
Use Secure Copy Protocol (SCP) to send the public to the appliance
scp /root/.ssh/id_rsa.pub hsm_admin@<IP address>:.customer_admin@10.1.1.101 customer_admin@appliance password: id_rsa.pub 100% |****************| 220 00:00 -
On the appliance, verify the default settings of the Public Key Authentication service.
[myLuna] lunash:>sysconf -ssh show SSH is unrestricted. Password authentication is enabled Public key authentication is enabled Command Result : 0 (Success) -
Verify that no public keys are entered by default.
[myLuna] lunash:>sysconf -ssh my public-key SSH Public Keys for user 'admin': Name Type Bits Fingerprint Command Result : 0 (Success) -
Check that the fingerprint that is reported matches the fingerprint that was originally generated on the connecting host.