Adding an HSM Token to a VM
There are a couple of issues when using a SafeNet token from inside a vSphere virtual machine.
USB Controller
First, we must have a v3.0 USB controller configured for the virtual machine. A v2.0 USB controller was tried and did not work.
If both v2.0 and v3.0 USB controllers are configured, it is not certain that the USB passthrough logic will reliably use the v3.0 controller for the USB key.
So, be sure to configure only a v3.0 USB controller.
USB Device
The USB token must be attached to the ESX host and be visible to it.
This can be checked by opening an SSH session to the ESX host and running the command lsusb.
The token should appear in the list, like this one:
USB Passthrough Problems
By default, ESXi >= 6.5 will not permit passthrough connection of CCID USB devices such as the Aladdin Knowledge Token JC to the guest VM.
This is because smartcard passthrough is disabled by default to support DCUI login with smart cards.
So, HSM tokens such as the Aladdin Knowledge Token JC or SafeNet tokens will encounter errors when mapping them into a virtual machine on vSphere.
NOTE: CCID (chip card interface device) is a USB protocol that allows a smartcard to be connected to a computer via a card reader using a standard USB interface.
The problem presents itself as an error on the connect attempt:
Failed to reconfigure virtual machine Win10x64. Cannot connect 'vid:0529 pid:0620 path:0/1/7/1' to this virtual machine. The device was not found.
To correct this…
Enable USB CCID Device Connection in VM
1. Shut down the VM
2. VM > Edit settings > VM Options
3. Advanced > Configuration Parameters > Edit Configuration
4. + Add Parameter and add the following Key and Value
usb.generic.allowCCID TRUE
Connect Aladdin Knowledge Token JC to VM
1. Power up the VM
2. VM > Edit settings > Virtual Hardware
3. Add other device > USB device
4. Select Aladdin Knowledge Token JC > Save
Or, the VMX file can be hand-edited with the following steps to add this line to the VMX file of the virtual machine:
usb.generic.allowCCID = "TRUE"
- Power down the guest VM where it will connect.
- Remove the guest VM from inventory.
- Download the vmx file of the guest VM from the datastore where it resides.
- Open the VMX file in a text editor, and add the following line:
  usb.generic.allowCCID = "TRUE"
- Save the updated file.
- Upload the vmx file back to the datastore.
- Register the VM in inventory.
- Power up the VM, and confirm the token is available in the guest OS.
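The hand edit above can be scripted against the downloaded vmx file so that a stale or duplicate usb.generic.allowCCID entry is not left behind, and so the USB controller advice from the first section is checked at the same time. This is an added example, not part of the original page: the function names are hypothetical, and the controller key names (usb_xhci.present for v3.0, usb.present and ehci.present for v2.0) are assumptions about the VMX format.

```python
import re

# VMX entries have the form: key = "value"
_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
CCID_KEY = "usb.generic.allowCCID"

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def ensure_allow_ccid(text):
    """Return VMX text with exactly one usb.generic.allowCCID = "TRUE" line."""
    kept = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == CCID_KEY.lower():
            continue  # drop stale or duplicate entries, e.g. "FALSE"
        kept.append(line)
    kept.append(f'{CCID_KEY} = "TRUE"')
    return "\n".join(kept) + "\n"

def controller_warnings(text):
    """Check the USB controller advice from this page against the VMX."""
    e = parse_vmx(text)
    is_true = lambda k: e.get(k, "").upper() == "TRUE"
    warnings = []
    # Assumed key names: usb_xhci.present (v3.0), usb.present / ehci.present (v2.0)
    if not is_true("usb_xhci.present"):
        warnings.append("no USB 3.0 (xHCI) controller configured")
    if is_true("usb.present") or is_true("ehci.present"):
        warnings.append("USB 2.0 controller also configured; remove it")
    return warnings

# Constructed sample VMX fragment, not taken from a real VM.
SAMPLE = '''displayName = "Win10x64"
usb.present = "TRUE"
ehci.present = "TRUE"
usb.generic.allowccid = "FALSE"
'''

if __name__ == "__main__":
    print(ensure_allow_ccid(SAMPLE), end="")
    for w in controller_warnings(SAMPLE):
        print("WARNING:", w)
```

Keep a copy of the original vmx file before uploading the edited one, and run the script only while the VM is powered down and removed from inventory, as in the steps above.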
