
Tutorial – Deploying HSMs into an existing virtual network using PowerShell

The Azure Dedicated HSM Service provides a physical device for sole customer use, with complete administrative control and full management responsibility. Because physical hardware is provided, Microsoft must control how those devices are allocated to ensure capacity is managed effectively. As a result, within an Azure subscription, the Dedicated HSM service will not normally be visible for resource provisioning. Any Azure customer requiring access to the Dedicated HSM service must first contact their Microsoft account executive to request registration for the Dedicated HSM service. Only once this process completes successfully will provisioning be possible. This tutorial aims to show a typical provisioning process where:

  • A customer has a virtual network already
  • They have a virtual machine
  • They need to add HSM resources into that existing environment.

A typical, high availability, multi-region deployment architecture may look as follows:

[Image: Multi-region deployment]

This tutorial focuses on a pair of HSMs and the required ExpressRoute Gateway (see Subnet 1 above) being integrated into an existing virtual network (see VNET 1 above). All other resources are standard Azure resources. The same integration process can be used for HSMs in subnet 4 on VNET 3 above.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Azure Dedicated HSM is not currently available in the Azure portal, therefore all interaction with the service will be via the command line or PowerShell. This tutorial will use PowerShell in the Azure Cloud Shell. If you are new to PowerShell, follow the getting started instructions here: Azure PowerShell Get Started.

Assumptions:

  • You have been through the Azure Dedicated HSM registration process and been approved for use of the service. If not, then contact your Microsoft account representative for details.
  • You have created a Resource Group for these resources, and the new ones deployed in this tutorial will join that group.
  • You have already created the necessary virtual network, subnet, and virtual machines as per the diagram above and now want to integrate 2 HSMs into that deployment.

All instructions below assume that you have already navigated to the Azure portal and you have opened the Cloud Shell (select “>_” towards the top right of the portal).

Provisioning a Dedicated HSM

Provisioning the HSMs and integrating them into an existing virtual network via an ExpressRoute Gateway will be validated using the ssh command-line tool to ensure reachability and basic availability of the HSM device for any further configuration activities. The following commands will use a Resource Manager template to create the HSM resources and associated networking resources.

Validating Feature Registration

As mentioned above, any provisioning activity requires that the Dedicated HSM service is registered for your subscription. To validate that, run the following PowerShell command in the Azure portal Cloud Shell.

Get-AzProviderFeature -ProviderNamespace Microsoft.HardwareSecurityModules -FeatureName AzureDedicatedHsm

The following command verifies the networking feature required for the Dedicated HSM service.

Get-AzProviderFeature -ProviderNamespace Microsoft.Network -FeatureName AllowBaremetalServers

Both commands should return a status of “Registered” (as shown below) before you proceed any further. If you need to register for this service, contact your Microsoft account representative.

[Image: Subscription status]

Creating HSM resources

An HSM device is provisioned into a customer's virtual network. This implies the requirement for a subnet. A dependency for the HSM to enable communication between the virtual network and the physical device is an ExpressRoute Gateway, and finally a virtual machine is required to access the HSM device using the Gemalto client software. These resources have been collected into a template file, with a corresponding parameter file, for ease of use. The files are available by contacting Microsoft directly at HSMrequest@Microsoft.com.

Once you have the files, you must edit the parameter file to insert your preferred names for resources. This means editing the lines with “value”: “”.

  • namingInfix: prefix for names of HSM resources
  • ExistingVirtualNetworkName: name of the virtual network used for the HSMs
  • DedicatedHsmResourceName1: name of the HSM resource in datacenter stamp 1
  • DedicatedHsmResourceName2: name of the HSM resource in datacenter stamp 2
  • hsmSubnetRange: subnet IP address range for the HSMs
  • ERSubnetRange: subnet IP address range for the VNET gateway

An example of these changes is as follows:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "namingInfix": {
      "value": "MyHSM"
    },
    "ExistingVirtualNetworkName": {
      "value": "MyHSM-vnet"
    },
    "DedicatedHsmResourceName1": {
      "value": "HSM1"
    },
    "DedicatedHsmResourceName2": {
      "value": "HSM2"
    },
    "hsmSubnetRange": {
      "value": "10.0.2.0/24"
    },
    "ERSubnetRange": {
      "value": "10.0.255.0/26"
    }
  }
}

The associated Resource Manager template file will create 6 resources with this information:

  • A subnet for the HSMs in the specified VNET
  • A subnet for the virtual network gateway
  • A virtual network gateway that connects the VNET to the HSM devices
  • A public IP address for the gateway
  • An HSM in stamp 1
  • An HSM in stamp 2

Once the parameter values are set, the files need to be uploaded to the Azure portal Cloud Shell file share for use. In the Azure portal, click the “>_” Cloud Shell symbol at the top right; this will make the bottom portion of the screen a command environment. The options for this are BASH and PowerShell, and you should select BASH if not already set.

The command shell has an upload/download option on the toolbar; select this to upload the template and parameter files to your file share:

[Image: File share]

Once the files are uploaded, you are ready to create resources. Prior to creating new HSM resources there are some prerequisite resources you should ensure are in place. You must have a virtual network with subnet ranges for compute, HSMs, and the gateway. The following commands serve as an example of what would create such a virtual network.

# Subnet for the virtual machines that will run the Gemalto client software
$compute = New-AzVirtualNetworkSubnetConfig `
  -Name compute `
  -AddressPrefix 10.2.0.0/24

# The HSM subnet must be delegated to the Dedicated HSM service
$delegation = New-AzDelegation `
  -Name "myDelegation" `
  -ServiceName "Microsoft.HardwareSecurityModules/dedicatedHSMs"

# Note: a backtick must be the last character on the line; a trailing space breaks the continuation
$hsmsubnet = New-AzVirtualNetworkSubnetConfig `
  -Name hsmsubnet `
  -AddressPrefix 10.2.1.0/24 `
  -Delegation $delegation

# The gateway subnet must be named exactly "GatewaySubnet"
$gwsubnet = New-AzVirtualNetworkSubnetConfig `
  -Name GatewaySubnet `
  -AddressPrefix 10.2.255.0/26

New-AzVirtualNetwork `
  -Name myHSM-vnet `
  -ResourceGroupName myRG `
  -Location westus `
  -AddressPrefix 10.2.0.0/16 `
  -Subnet $compute, $hsmsubnet, $gwsubnet

Note

The most important configuration to note for the virtual network is that the subnet for the HSM device must have its delegation set to “Microsoft.HardwareSecurityModules/dedicatedHSMs”. The HSM provisioning will not work without this.
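The following pre-flight script is an added example, not part of the original tutorial: it checks the two feature registrations from the "Validating Feature Registration" section and the subnet requirements from this note (a GatewaySubnet and an HSM subnet delegated to the HSM service) before you run the template deployment. It assumes the resource group "myRG", the VNet "myHSM-vnet" and the subnet name "hsmsubnet" used in the commands above.

```powershell
# Added example (not from the original tutorial): pre-flight check to run in Cloud Shell
# before New-AzResourceGroupDeployment. Names below are assumptions taken from the tutorial's own samples.
$resourceGroupName = "myRG"
$vnetName          = "myHSM-vnet"
$hsmSubnetName     = "hsmsubnet"
$hsmDelegation     = "Microsoft.HardwareSecurityModules/dedicatedHSMs"
$problems = @()

# 1. Both feature registrations must report "Registered".
$features = @(
    @{ Namespace = "Microsoft.HardwareSecurityModules"; Name = "AzureDedicatedHsm" },
    @{ Namespace = "Microsoft.Network";                 Name = "AllowBaremetalServers" }
)
foreach ($f in $features) {
    $state = (Get-AzProviderFeature -ProviderNamespace $f.Namespace -FeatureName $f.Name).RegistrationState
    if ($state -ne "Registered") {
        $problems += "$($f.Namespace)/$($f.Name) is '$state', not 'Registered'"
    }
}

# 2. The VNet must exist, contain a GatewaySubnet, and have the HSM subnet delegated to the HSM service.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
if (-not $vnet) {
    $problems += "virtual network '$vnetName' not found in resource group '$resourceGroupName'"
} else {
    if (-not ($vnet.Subnets | Where-Object Name -eq "GatewaySubnet")) {
        $problems += "subnet 'GatewaySubnet' is missing (required for the ExpressRoute gateway)"
    }
    $hsmSubnet = $vnet.Subnets | Where-Object Name -eq $hsmSubnetName
    if (-not $hsmSubnet) {
        $problems += "subnet '$hsmSubnetName' is missing"
    } elseif (-not ($hsmSubnet.Delegations | Where-Object ServiceName -eq $hsmDelegation)) {
        $problems += "subnet '$hsmSubnetName' is not delegated to '$hsmDelegation'"
    }
}

# 3. Report: stop here if anything is wrong, since the deployment would fail or hang otherwise.
if ($problems.Count -eq 0) {
    Write-Host "Pre-flight checks passed; safe to run New-AzResourceGroupDeployment."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the issues above before deploying the HSM template."
}
```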

Once all prerequisites are in place, run the following command to use the Resource Manager template, ensuring you have updated the values with your unique names (at least the resource group name):


New-AzResourceGroupDeployment -ResourceGroupName myRG `
     -TemplateFile .\Deploy-2HSM-toVNET-Template.json `
     -TemplateParameterFile .\Deploy-2HSM-toVNET-Params.json `
     -Name HSMdeploy -Verbose

This command should take approximately 20 minutes to complete. The “-Verbose” option used will ensure status is continually displayed.

[Image: Provisioning status]

When completed successfully, shown by “provisioningState”: “Succeeded”, you can sign in to your existing virtual machine and use SSH to ensure availability of the HSM device.

Verifying the Deployment

To verify the devices have been provisioned and see the device attributes, run the following command set. Ensure the resource group is set appropriately and the resource name is exactly as you have it in the parameter file.


$subId = (Get-AzContext).Subscription.Id
$resourceGroupName = "myRG"
# Must match DedicatedHsmResourceName1 (or 2) in the parameter file
$resourceName = "HSM1"
Get-AzResource -ResourceId /subscriptions/$subId/resourceGroups/$resourceGroupName/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/$resourceName

[Image: Provisioning status]

You will also now be able to see the resources using the Azure resource explorer. Once in the explorer, expand “subscriptions” on the left, expand your specific subscription for Dedicated HSM, expand “resource groups”, expand the resource group you used and finally select the “resources” item.

Testing the Deployment

Testing the deployment is a case of connecting to a virtual machine that can access the HSM(s) and then connecting directly to the HSM device. These actions will confirm the HSM is reachable. The ssh tool is used to connect to the virtual machine. The command will be similar to the following, but with the administrator name and DNS name you specified in the parameters.

ssh adminuser@hsmlinuxvm.westus.cloudapp.azure.com

The password to use is the one from the parameter file. Once logged on to the Linux VM, you can log in to the HSM using the private IP address found in the portal for the resource <prefix>hsm_vnic, or returned by the following command:


# Look up the HSM resource by name (as set in the parameter file) and read its private IP
(Get-AzResource -ResourceGroupName myRG -ResourceType Microsoft.HardwareSecurityModules/dedicatedHSMs -Name HSM1 -ExpandProperties).Properties.networkProfile.networkInterfaces.privateIpAddress
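The following script is an added example, not part of the original tutorial: it combines the "Verifying the Deployment" check and the private IP lookup above for both HSMs, so you can confirm that each one reached "Succeeded" and collect the addresses to ssh to from the VM. It assumes the resource group "myRG" and the HSM names "HSM1" and "HSM2" from the sample parameter file.

```powershell
# Added example (not from the original tutorial): report provisioning state and private IP for
# both HSMs. Resource group and HSM names are assumptions taken from the tutorial's sample values.
$resourceGroupName = "myRG"
$hsmNames          = @("HSM1", "HSM2")
$hsmType           = "Microsoft.HardwareSecurityModules/dedicatedHSMs"

$report = foreach ($name in $hsmNames) {
    $hsm = Get-AzResource -ResourceGroupName $resourceGroupName -ResourceType $hsmType `
                          -Name $name -ExpandProperties -ErrorAction SilentlyContinue
    if (-not $hsm) {
        # A missing resource usually means the name does not match the parameter file
        [pscustomobject]@{ Name = $name; State = "NotFound"; PrivateIp = $null }
        continue
    }
    [pscustomobject]@{
        Name      = $name
        State     = $hsm.Properties.provisioningState
        PrivateIp = $hsm.Properties.networkProfile.networkInterfaces.privateIpAddress
    }
}

$report | Format-Table -AutoSize

# Stop if either HSM is not yet "Succeeded"; a deployment still in progress reports a different state
$notReady = $report | Where-Object State -ne "Succeeded"
if ($notReady) {
    throw "Not all HSMs are ready: $($notReady.Name -join ', ')"
}

# Print the ssh commands to run from the Linux VM, one per HSM, as in the tutorial
$report | ForEach-Object { "ssh tenantadmin@$($_.PrivateIp)" }
```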

When you have the IP address, run the following command:

ssh tenantadmin@<ip address of HSM>

If successful, you will be prompted for a password. The default password is PASSWORD. The HSM will ask you to change your password, so set a strong password and use whatever mechanism your organization prefers to store the password and prevent loss.

Important

If you lose this password, the HSM will have to be reset, and that means losing your keys.

When you are connected to the HSM device using ssh, run the following command to ensure the HSM is operational.

hsm show

The output should look like the image shown below:

[Image: Provisioning status]

At this point, you have allocated all resources for a highly available, two-HSM deployment and validated access and operational state. Any further configuration or testing involves more work with the HSM device itself. For this, you should follow the instructions in the Gemalto Luna Network HSM 7 Administration Guide, chapter 7, to initialize the HSM and create partitions. All documentation and software are available directly from Gemalto for download once you are registered in the Gemalto Customer Support Portal and have a Customer ID. Download Client Software version 7.2 to get all required components.

Delete or clean up resources

If you have finished with just the HSM device, then it can be deleted as a resource and returned to the free pool. The obvious concern when doing this is any sensitive customer data that is on the device. To remove sensitive customer data, the device should be factory reset using the Gemalto client. Refer to the Gemalto administrator's guide for the SafeNet Network Luna 7 device and consider the following commands, in order.

  1. hsm factoryReset -f
  2. sysconf config factoryReset -f -service all
  3. network interface delete -device eth0
  4. network interface delete -device eth1
  5. network interface delete -device eth2
  6. network interface delete -device eth3
  7. my file clear -f
  8. my public-key clear -f
  9. syslog rotate

Note

If you have an issue with any Gemalto device configuration, you should contact Gemalto customer support.

If you have finished with the resources in this resource group, then you can remove them all with the following command:


$subId = (Get-AzContext).Subscription.Id
$resourceGroupName = "myRG"
# Name of the HSM resource to delete, as set in the parameter file; repeat for the second HSM (for example "HSM2")
$resourceName = "HSM1"
Remove-AzResource -ResourceId /subscriptions/$subId/resourceGroups/$resourceGroupName/providers/Microsoft.HardwareSecurityModules/dedicatedHSMs/$resourceName

Next steps

After completing the steps in the tutorial, Dedicated HSM resources are provisioned and available in your virtual network. You are now in a position to complement this deployment with more resources as required by your preferred deployment architecture. For more information to help plan your deployment, see the Concepts documents. A design with two HSMs in a primary region addressing availability at the rack level, and two HSMs in a secondary region addressing regional availability, is recommended. The template file used in this tutorial can easily be used as a basis for a two-HSM deployment but needs to have its parameters modified to meet your requirements.