Administration & Maintenance - HA & Load Balancing
Configuring HA
Set up Appliances for HA
For this section you need at least two Luna SA appliances with PED (Trusted Path) Authentication, or two with Password Authentication. You may not use Password Authenticated Luna SA and Trusted Path Authenticated Luna SA simultaneously in an HA group.
- Perform the network setup on your two HA units (for a description of the standard procedure, refer to section "Preparing to configure appliance network settings" in the Configuration Manual). For this example the appliances are designated Luna1 and Luna2.
- Ensure that Allow Cloning and Allow Network Replication are "On" in hsm showPolicies (and if not, then set them with hsm setPolicy). If your HSMs do not have the cloning option, then they will use the SIM or Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token. If one HSM in an HA group uses cloning (to a hardware token) for backup, then all units in the group must use that method; if one HSM uses Key Export (backup to file), then all units in the group must use that method. These are factory settings; you must purchase Luna SA configured for one backup method or the other.
- Initialize the HSMs on your Luna SA appliances (see "About Initializing a Password-Authenticated HSM", "Initializing a PED-Authenticated HSM" or "hsm init Command"); they must have the same cloning domain. That is, they must share the same red (domain) PED Key if they are PED Authenticated [Trusted Path] units, or they must share the same domain string if they are Password Authenticated units.
- Create a Partition on each Luna SA. They need not have the same labels, but they must have the same password. For this example, the Partitions are Partition1 (on LunaSA1) and Partition2 (on LunaSA2).
- Use the partition changePw command to change the Partitions' passwords so that they match (for example, both set to 'btqx-EFGH-3456-7/K9').
NOTE: The partition changePw command presents you with 4 options:
1. change the Partition Owner (black) PED Key data
2. generate a new random password for the partition owner (16 random mixed characters)
3. specify a new password for the partition owner (a "user-friendly" or memorable password)
4. both options 1 and 2
You are prompted for further action at the command line, where you supply the existing partition password (the text challenge secret). Then you are directed to the PED, where you must present the black PED Key for this partition.
By making the client partition challenge password the same on both partitions (on both Luna SA appliances), you allow your clients to use that one secret when addressing the virtual partition (which includes both real partitions).
- Make a note of the serial number of each Partition created on each Luna SA (use partition show).
For this example:
LunaSA1 - Partition1 - serial number 65003001 - password userpin
LunaSA2 - Partition2 - serial number 65005001 - password userpin.
- [OPTION] Ensure that each Partition is Activated and AutoActivated (see "About Activation & AutoActivation"; applies to Luna SA with PED Authentication), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.
If you prefer to leave PEDs connected to each appliance with the appropriate black PED Keys inserted and ready, then there is no need to invoke AutoActivation, and high availability is preserved. This is less convenient than invoking AutoActivation and removing the PEDs and PED Keys, but the option is provided in case your security policies demand it.
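The steps above impose several consistency rules on the partitions that will form one HA group (no mixing of PED and Password authentication, cloning policies On, one backup method, one cloning domain, matching partition passwords). The following added preflight check, not part of the Luna SA documentation or software, encodes those rules over an inventory you fill in by hand from hsm showPolicies and partition show; the PartitionRecord fields and the sample records are assumptions constructed for this example (the serial numbers are the ones used in the text).

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class PartitionRecord:
    """One partition as recorded by the administrator (assumed layout, not a Luna output format)."""
    appliance: str
    label: str
    serial: int
    auth: str                        # "PED" or "Password"
    cloning_domain: str              # identity of the red PED Key, or the domain string
    allow_cloning: bool              # hsm showPolicies: Allow Cloning
    allow_network_replication: bool  # hsm showPolicies: Allow Network Replication
    backup_method: str               # "cloning" (hardware token) or "key_export" (file)
    password: str                    # partition challenge secret

def check_ha_group(members: List[PartitionRecord]) -> List[str]:
    """Return the reasons these partitions cannot form one HA group; empty list means OK."""
    problems = []
    if len(members) < 2:
        return ["an HA group needs at least two partitions"]
    for m in members:
        if not m.allow_cloning:
            problems.append(f"{m.appliance}/{m.label}: Allow Cloning is Off")
        if not m.allow_network_replication:
            problems.append(f"{m.appliance}/{m.label}: Allow Network Replication is Off")
    if len({m.auth for m in members}) > 1:
        problems.append("PED-authenticated and Password-authenticated units cannot be mixed")
    if len({m.backup_method for m in members}) > 1:
        problems.append("all members must use the same backup method (cloning or key export)")
    if len({m.cloning_domain for m in members}) > 1:
        problems.append("members do not share one cloning domain")
    if len({m.password for m in members}) > 1:
        problems.append("partition passwords differ; use partition changePw to match them")
    if len({m.serial for m in members}) != len(members):
        problems.append("duplicate partition serial numbers")
    return problems

# Constructed sample inventory matching the example in the text.
GOOD_GROUP = [
    PartitionRecord("LunaSA1", "Partition1", 65003001, "PED", "red-key-A", True, True, "cloning", "userpin"),
    PartitionRecord("LunaSA2", "Partition2", 65005001, "PED", "red-key-A", True, True, "cloning", "userpin"),
]
# Same group, but the second partition's password was never changed to match.
MISMATCHED_GROUP = [GOOD_GROUP[0],
    PartitionRecord("LunaSA2", "Partition2", 65005001, "PED", "red-key-A", True, True, "cloning", "other")]

if __name__ == "__main__":
    for name, group in (("good", GOOD_GROUP), ("mismatched", MISMATCHED_GROUP)):
        print(name, check_ha_group(group) or "OK")
```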
Register Clients with Luna SA HA
Proceed with normal client setup (see "Prepare the Client for Network Trust Link"). Register your Client computer with both Luna SAs (this example uses just two HSM appliances; obviously, you would configure and register however many HSM appliances you wish to use in your own situation).
- On LunaSA1, assign Partition1 to ClientX (you would replace "ClientX" with the actual name of your Client computer).
- On LunaSA2, assign Partition2 to ClientX as well (repeat if you have more Luna SAs and Partitions to include in the HA group).
At this point, you have completed a normal single-client, multiple HSM appliance setup. Now proceed with the HA setup on the next page "Client - Create HA Group".