This section provides some basic instructions to create and use an HA group.
The minimum HA Group is two HSM cards in one computer. For this example, we assume two HSMs:
lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2013 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
Tunnel Slot Id -> 3
HSM Label -> nick
HSM Serial Number -> 150032
HSM Model -> K6 Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna PCI (PED) Signing With Cloning Mode
Slot Id -> 2
Tunnel Slot Id -> 4
HSM Label -> joe
HSM Serial Number -> 951327
HSM Model -> K6 Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna PCI (PED) Signing With Cloning Mode
Current Slot Id: 1
lunacm:>
1. Enable activation for each partition.
lunacm:>par changepo -p 22 -v 1
Command Result : No Error
lunacm:>par changepo -p 23 -v 1
Command Result : No Error
lunacm:>
2. Create an HA group.
lunacm:>haGroup createGroup -serialNumber 150032 -l myHA -password userpin
New group with label "myHA" created with group number 150032.
Group configuration is:
HA Group Label: myHA
HA Group Number: 150032
Group Members: 150032
Needs sync: no
It is recommended that you restart LunaCM to refresh
the list of available slots.
Command Result : No Error
lunacm:>
3. Start a new lunacm session to verify that the virtual slot now exists:
lunacm
LunaCM V2.3.3 - Copyright (c) 2006-2010 SafeNet, Inc.
Available HSM's:
Slot Id -> 1
Tunnel Slot Id -> 3
HSM Label -> nick
HSM Serial Number -> 150032
HSM Model -> K6 Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna PCI (PED) Signing With Cloning Mode
Slot Id -> 2
Tunnel Slot Id -> 4
HSM Label -> joe
HSM Serial Number -> 951327
HSM Model -> K6 Base
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna PCI (PED) Signing With Cloning Mode
Slot Id -> 5
HSM Label -> myHA
HSM Serial Number -> 150032
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.10.1
HSM Configuration -> Luna Virtual HSM (PED) Signing With Cloning Mode
Current Slot Id: 1
lunacm:>
4. So far, the newly-created HA group has one member. Add a second member, and verify.
lunacm:>hagroup addMember -serialNumber 951327 -group myHA -password userpin
Member 951327 successfully added to group myHA. New group
configuration is:
HA Group Label: myHA
HA Group Number: 150032
Group Members: 150032, 951327
Needs sync: no
Please use the command "ha synchronize" when you are ready
to replicate data between all members of the HA group.
(If you have additional members to add, you may wish to wait
until you have added them before synchronizing to save time by
avoiding multiple synchronizations.)
Command Result : No Error
lunacm:>
lunacm:>hagroup listGroups
If you would like to see synchronization data for group myHA,
please enter the password for the group members. Sync info
not available in HA Only mode.
Enter the password: *******
HA Group Label: myHA
HA Group Number: 150032
Group Members: 150032, 951327
Needs sync: no
Command Result : No Error
lunacm:>
lunacm:>partition contents
The User is currently logged in. Looking for objects in the
User's partition.
Object list:
Label: Generated DES3 Key
Handle: 18
Object Type: Symmetric Key
Object UID: fa00000035010000104a0200
Number of objects: 1
Command Result : No Error
lunacm:>
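As an added example (not SafeNet's code), the following Python check parses the two kinds of output shown above, the "Key -> Value" slot listing and the "Key: Value" summary printed by hagroup listGroups, and reports whether the virtual HA slot exists, which expected members are still missing, and whether the group still needs a synchronize. The sample text is constructed from the page's own session; the serial numbers and function names are assumptions for illustration.

```python
import re

# Constructed sample: the slot listing after the group was created (step 3 above).
SLOT_LISTING = """\
Slot Id -> 1
Tunnel Slot Id -> 3
HSM Label -> nick
HSM Serial Number -> 150032
HSM Model -> K6 Base
Slot Id -> 2
Tunnel Slot Id -> 4
HSM Label -> joe
HSM Serial Number -> 951327
HSM Model -> K6 Base
Slot Id -> 5
HSM Label -> myHA
HSM Serial Number -> 150032
HSM Model -> LunaVirtual
"""

# Constructed sample: hagroup listGroups output after the second member was added (step 4).
GROUP_LISTING = """\
HA Group Label: myHA
HA Group Number: 150032
Group Members: 150032, 951327
Needs sync: no
"""

def parse_slots(text):
    """Split the 'Key -> Value' listing into one dict per slot (a 'Slot Id' line starts a slot)."""
    slots, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*->\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Slot Id":
            current = {}
            slots.append(current)
        if current is not None:
            current[key] = value
    return slots

def parse_group(text):
    """Turn the 'Key: Value' group summary into a dict; 'Group Members' becomes a set of serials."""
    fields = dict(re.match(r"\s*(.+?):\s*(.*)$", l).groups() for l in text.splitlines() if ":" in l)
    fields["Group Members"] = {m.strip() for m in fields["Group Members"].split(",") if m.strip()}
    return fields

def check_ha_group(slot_text, group_text, expected_members):
    """Return the virtual slot id (or None), the set of missing members, and the sync flag."""
    group = parse_group(group_text)
    virtual = [s for s in parse_slots(slot_text)
               if s.get("HSM Model") == "LunaVirtual" and s.get("HSM Label") == group["HA Group Label"]]
    return {"virtual_slot": virtual[0]["Slot Id"] if virtual else None,
            "missing_members": set(expected_members) - group["Group Members"],
            "needs_sync": group["Needs sync"].strip().lower() == "yes"}
```

Run the check after every addMember; a non-empty missing_members set or needs_sync of True means the group is not yet ready for production traffic.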
By default, all members in an HA group are treated as active. That is, they are all kept current with key material and used to load-balance cryptographic services. In some deployment scenarios it makes sense to define some members as standby. A standby member is registered just like an active member; the only difference is that, after it has been added to the HA group, it is explicitly defined as “standby”. For Luna G5 and Luna PCI-E, where all HA members are connected to a single host computer, no geographical dispersion of standby members is possible (for that scenario, consider Luna SA, our networked HSM appliance).
In this mode, only the non-standby HSMs are used for active load-balancing. However, as key material is created, it is automatically replicated to both the active units and standby unit. In the event of a failure of all active members the standby unit is automatically promoted to active status. The primary reason for using this feature is to reduce costs while improving reliability.
1. Configure the standby HSM as previously described, and add it to the HA group as a member.
2. Set the member to standby status:
lunacm:> hagroup addStandby -group 165010001 -serialNumber 66010002
See "HA Operational Notes" for more information.