
Configuring HA

For this section you need at least two Luna SA appliances with PED Authentication, or two with Password Authentication. You may not use Password Authenticated Luna SA and PED Authenticated Luna SA simultaneously in an HA group.

Set up Appliances for HA

Follow these steps to set up an HA group:

1. Perform the network setup on your two HA units (for a description of the standard procedure, see "Configuring the Luna Appliance Network Settings" elsewhere in the Configuration Guide). For this example the appliances are designated Luna1 and Luna2.

2. Ensure that Allow Cloning and Allow Network Replication are "On" in hsm showPolicies (and if not, set them with hsm setPolicy). If your HSMs do not have the cloning option, they will use the SIM or Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token.

3. Initialize the HSMs on your Luna SA appliances (see "About Initializing a Password-Authenticated HSM" or "Initializing a PED-Authenticated HSM"); they must have the same cloning domain. That is, they must share the same red domain PED Key if they are PED-Authenticated [Trusted Path] units, or they must share the same domain string if they are Password-Authenticated units.

4. Create a Partition on each Luna SA. They need not have the same labels, but they must have the same password. For this example, the Partitions are Partition1 (on LunaSA1) and Partition2 (on LunaSA2).

5. Use the partition changePw command to change the Partitions' passwords so that they match (for example, both set to 'btqx-EFGH-3456-7/K9').

NOTE: The partition changePw command presents you with 4 options:
1. change the Partition Owner (black) PED Key data
2. generate a new random password for the partition owner (16 random mixed characters)
3. specify a new password for the partition owner (a "user-friendly" or memorable password)
4. both options 1 and 2
You are prompted for further action at the command line, to supply the existing partition password (the text challenge secret). Then you are directed to the PED, where you must present the black key for this partition.

By making the client partition challenge password the same on both partitions (on both Luna SA appliances), you allow your clients to use that one secret when addressing the virtual partition (which includes both real partitions).

6. Make a note of the serial number of each Partition created on each Luna SA (use partition show).
For this example:
LunaSA1 - Partition1 - serial number 65003001 - password userpin
LunaSA2 - Partition2 - serial number 65005001 - password userpin

7. [OPTION] Ensure that each Partition is Activated and AutoActivated (see "About Activation and Auto-Activation"; applies to Luna SA with PED Authentication), so that it can retain or resume its "Activated" (persistent login) state through any brief power failure or other interruption.

Register Clients with Luna SA HA

Proceed with normal client setup (see "Create a Network Trust Link Between the Client and the Appliance" in the Configuration Guide). Register your Client computer with both Luna SAs (this example uses just two HSM appliances; obviously, you would configure and register however many HSM appliances you wish to use in your own situation).

8. On LunaSA1, assign Partition1 to ClientX (you would replace "ClientX" with the actual name of your Client computer).

9. On LunaSA2, assign Partition2 to ClientX as well (repeat if you have more Luna SAs and Partitions to include in the HA group).

At this point, you have completed a normal single-client, multiple HSM appliance setup.
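Before creating the HA group, it is worth confirming that the prerequisites from steps 2 through 6 actually hold on both members: same authentication type, both cloning-related policies On, distinct partition serial numbers, and an identical partition password. The following script is an added example, not part of the Luna SA guide or the lunash tool; it runs offline against saved command output. The policy listings it contains are constructed sample text that only loosely mimics what hsm showPolicies prints, and the function names (policy_on, ha_preflight) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Luna SA documentation): an offline pre-flight check
# for the HA prerequisites in steps 2-6. The listings below are constructed and
# only loosely resemble real "hsm showPolicies" output.

# Constructed sample: both required policies On.
POL_OK='Allow cloning                    On
Allow network replication        On
Allow MofN                       Off'

# Constructed sample: cloning disabled, which disqualifies the member.
POL_NOCLONE='Allow cloning                    Off
Allow network replication        On'

# policy_on "<listing>" "<policy name>": succeed only if the named policy line
# carries the whole word "On" (so "Off" and substrings such as "cloning" do not match).
policy_on() {
    printf '%s\n' "$1" | grep -i "$2" | grep -qiw 'on'
}

# ha_preflight A_AUTH A_POLICIES A_SERIAL A_SECRET B_AUTH B_POLICIES B_SERIAL B_SECRET
# Prints one line per violated prerequisite and returns the number of violations,
# so a return code of 0 means the pair may be placed in one HA group.
ha_preflight() {
    fails=0
    # Rule 1: PED-authenticated and Password-authenticated units cannot be mixed.
    if [ "$1" != "$5" ]; then
        echo "FAIL: authentication types differ ($1 vs $5)"; fails=$((fails+1))
    fi
    # Rule 2: Allow Cloning and Allow Network Replication must be On on both members.
    for p in "Allow cloning" "Allow network replication"; do
        policy_on "$2" "$p" || { echo "FAIL: appliance A: '$p' is not On"; fails=$((fails+1)); }
        policy_on "$6" "$p" || { echo "FAIL: appliance B: '$p' is not On"; fails=$((fails+1)); }
    done
    # Rule 3: partition serial numbers identify the members and must differ.
    if [ "$3" = "$7" ]; then
        echo "FAIL: partition serial numbers collide ($3)"; fails=$((fails+1))
    fi
    # Rule 4: the client challenge secret must be identical on both partitions
    # (compared in memory; the values are never printed).
    if [ "$4" != "$8" ]; then
        echo "FAIL: partition passwords differ"; fails=$((fails+1))
    fi
    return $fails
}

# Demo with the example pair from step 6 (serials 65003001 and 65005001, password userpin).
ha_preflight Password "$POL_OK" 65003001 userpin \
             Password "$POL_OK" 65005001 userpin \
    && echo "OK: LunaSA1/LunaSA2 may form one HA group"
```

In practice you would paste the real hsm showPolicies listing from each appliance into the two policy variables and supply the serial numbers reported by partition show; the script then reports every prerequisite that would make the HA group fail before any client is pointed at the virtual partition.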

Now proceed with the HA setup on the next page "Client - Create HA Group".