You are here: Administration & Maintenance Manual > Appliance Administration > HA and Load Balancing > Configure HA - Setup Appliances & Register Clients

Administration & Maintenance - HA & Load Balancing

Configuring HA

 

Set up Appliances for HA

For this section you need at least two Luna SA appliances with PED (Trusted Path) Authentication, or two with Password Authentication. You may not use Password Authenticated Luna SA and Trusted Path Authenticated Luna SA simultaneously in an HA group.

  1. Perform the network setup on your two HA units (for a description of the standard procedure, refer to section "Preparing to configure appliance network settings" in the Configuration Manual). For this example the appliances are designated Luna1 and Luna2.
  1. Ensure that Allow Cloning and Allow Network Replication are “On” in hsm showPolicies (and if not, then set them with hsm setPolicy). If your HSMs do not have the cloning option, then they will use the SIM or Key Export functionality to backup to (and restore from) a file, rather than a hardware Backup token). If one HSM in an HA group uses cloning (to a hardware token) for backup, then all units in the group must use that method; if one HSM uses Key Export (backup to file), then all units in the group must use that method. These are factory settings; you must purchase Luna SA configured for one backup method or the other.
  2. Initialize the HSMs on your Luna SA appliances ( "About Initializing a Password-Authenticated HSM" or "Initializing a PED-Authenticated HSM" or "hsm init Command"); they must have the same cloning domain – that is, they must share the same red, domain PED Key if they are PED Authenticated [Trusted Path] units, or they must share the same domain string if they are Password Authenticated units.
  3. Create a Partition on each Luna SA. They need not have the same labels; they must have the same password. For this example, the Partitions are Partition1 (on LunaSA1) and Partition2 (on LunaSA2).
  4. Use the partition changePw command to change the Partitions' passwords so that they match (for example, both set to 'btqx-EFGH-3456-7/K9').

    NOTE: The partition changePw command presents you with 4 options:
    1. change the Partition Owner (black) PED Key data
    2. generate a new random password for the partition owner (16 random mixed characters)
    3. specify a new password for the partition owner (a "user-friendly" or memorable password)
    4. both options 1 and 2
    You are prompted for further action at the command line, to supply the existing partition password (the text challenge secret). Then you are directed to the PED, where you must present the black key for this partition.

    By making the client partition challenge password the same on both partitions (on both Luna SA appliances), you allow your clients to use that one secret when addressing the virtual partition (which includes both real partitions).
  5. Make a note of the serial number of each Partition created on each Luna SA (use partition show).
    For this example:
    LunaSA1 - Partition1 - serial number 65003001 - password userpin
    LunaSA2 - Partition2 - serial number 65005001 - password userpin.
  6. [OPTION] Ensure that each Partition is Activated and AutoActivated (see "About Activation & AutoActivation " - applies to Luna SA with PED Authentication), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.
    If you prefer to leave PEDs connected to each appliance with the appropriate black PED Keys inserted and ready, then there is no need to invoke AutoActivation, and high availability is preserved. This is less convenient than invoking autoActivation and removing the PEDs and PED Keys, but the option is provided, in case your security policies demand it.

Register Clients with Luna SA HA

Proceed with normal client setup (see "Prepare the Client for Network Trust Link"). Register your Client computer with both Luna SAs (this example is using just two HSM appliances; obviously, you would configure and register however many HSM appliances you wish to use in your own situation).  

  1. On LunaSA1, assign Partition1 to ClientX (you would replace "ClientX" with the actual name of your Client computer).
  2. On LunaSA2, assign Partition2 to ClientX, as well (repeat if you have more Luna SAs and Partitions to include in the HA group).

At this point, you have completed a normal single-client, multiple HSM appliance setup. Now proceed with the HA setup on the next page "Client - Create HA Group".