Before getting into replacing HSMs in an HA group, this first section describes the relevant system conditions and settings for a Luna SA that is configured and in an authenticated relationship with a client computer. In particular, we are interested in the client-side config file and the client's certificate folder, first in ordinary single-appliance mode and then in HA. You would already have set up the Luna SA as described in the configuration manual, for network setup and creation of the appliance-side certificate (see "Generate a New HSM Server Certificate").
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\ClientNameCert.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\ClientNameKey.pem
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
Create client-side certs (see "vtl createCert" in the Utilities Reference Guide).
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
Copy Luna SA server.pem to client.
Note: At this point there are still no certificates in cert\server directory.
Use “vtl addserver” to register the Luna SA with the client.
CAFile.pem is generated in the cert\server directory.
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ServerName00=20.1.1.20
ServerPort00=1792
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
C:\Program Files\SafeNet\LunaClient>vtl verify
The following Luna SA Slots/Partitions were found:
Slot    Serial #     Label
====    ========     =====
1       154702010    p1
C:\Program Files\SafeNet\LunaClient>
For an existing HA group, bring in a replacement Luna SA.
1. Change the IP of the new appliance to match the one that was removed.
2. Perform RegenCert on the new Luna SA.
Note: "vtl verify" on the client at this time would fail, because the cert that the client has is for the old, removed Luna SA.
3. Execute "vtl deleteserver -n <original IP>".
C:\Program Files\SafeNet\LunaClient>vtl listservers
Server: 20.1.1.20
C:\Program Files\SafeNet\LunaClient>vtl deleteserver -n 20.1.1.20
Server: 20.1.1.20 successfully removed from server list.
C:\Program Files\SafeNet\LunaClient>
4. Copy the new server.pem to the client.
C:\Program Files\SafeNet\LunaClient>pscp admin@20.1.1.20:server.pem .
admin@20.1.1.20's password:
server.pem | 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
5. Run vtl addserver using the new server.pem.
C:\Program Files\SafeNet\LunaClient>vtl addserver -n 20.1.1.20 -c server.pem
New server: 20.1.1.20 successfully added to server list.
C:\Program Files\SafeNet\LunaClient>
6. Run vtl verify.
C:\Program Files\SafeNet\LunaClient>vtl verify
The following Luna SA Slots/Partitions were found:
Slot    Serial #     Label
====    ========     =====
1       154702010    p1
C:\Program Files\SafeNet\LunaClient>
If a Luna SA must be replaced, the old IP can be used, but the Luna SA certificate must be regenerated. The IP must be removed from the server list on the client and then added back using the new "server.pem".
• Use vtl deleteserver to remove the IP from the list and delete CAFile.pem from cert\server
• Copy the "new" server.pem to the client
• Use vtl addserver to re-add the IP and create CAFile.pem
Note the HA partition serial numbers.
C:\Program Files\SafeNet\LunaClient>vtl verify
The following Luna SA Slots/Partitions were found:
Slot    Serial #     Label
====    ========     =====
1       154702011    HA1
1       154702012    HA2
C:\Program Files\SafeNet\LunaClient>
Run "vtl haAdmin -newGroup...". A group is created with HA1 as Primary.
C:\Program Files\SafeNet\LunaClient>vtl haadmin -newGroup -label SomeHAGrp -serial 154702011 -password userpin
New group with label "SomeHAGrp" created at group number 1154702011.
Group configuration is:
HA Group label: SomeHAGrp
HA Group Number: 1154702011
HA Group Slot #: unknown
Synchronization: enabled
Group Members: 154702011
Standby Members: <none>
In Sync: yes
C:\Program Files\SafeNet\LunaClient>
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ServerName00=20.1.1.20
ServerPort00=1792
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
[VirtualToken]
VirtualToken00Label=SomeHAGrp
VirtualToken00SN=1154702011
VirtualToken00Members=154702011
[HASynchronize]
SomeHAGrp=1
Add a secondary Luna SA partition to the HA group with vtl haAdmin -addMember.
C:\Program Files\SafeNet\LunaClient>vtl haadmin -addMember -group SomeHAGrp -serialNum 154702012 -password userpin
New group with label "SomeHAGrp" created at group number 1154702011.
Group configuration is:
HA Group label: SomeHAGrp
HA Group Number: 1154702011
HA Group Slot #: 6
Synchronization: enabled
Group Members: 154702011, 154702012
Standby Members: <none>
In Sync: yes
Please use the command 'vtl haAdmin -synchronize' when you are ready to replicate data among all members of the HA group.
(If you have additional members to add, you might wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations.)
C:\Program Files\SafeNet\LunaClient>
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ServerName00=20.1.1.20
ServerPort00=1792
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
[VirtualToken]
VirtualToken00Label=SomeHAGrp
VirtualToken00SN=1154702011
VirtualToken00Members=154702011, 154702012
[HASynchronize]
SomeHAGrp=1
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ServerName00=20.1.1.20
ServerPort00=1792
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
[VirtualToken]
VirtualToken00Label=SomeHAGrp
VirtualToken00SN=1154702011
VirtualToken00Members=154702011, 154702012
[HASynchronize]
SomeHAGrp=1
[HAConfiguration]
HAOnly=1
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll
[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ServerName00=20.1.1.20
ServerPort00=1792
[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000
[CardReader]
RemoteCommand=1
[VirtualToken]
VirtualToken00Label=SomeHAGrp
VirtualToken00SN=1154702011
VirtualToken00Members=154702011, 154702012
[HASynchronize]
SomeHAGrp=1
[HAConfiguration]
HAOnly=1
reconnAtt=500
Show the HA configuration results with vtl haAdmin -show.
C:\Program Files\SafeNet\LunaClient>vtl haadmin -show
================== HA Global Configuration Settings ============
HA Auto Recovery: enabled
Maximum Auto Recovery Retry: 500
Auto Recovery Poll Interval: 60 seconds
HA Logging: disabled
Only Show HA Slots: yes
================== HA Group and Member Information ============
HA Group label: SomeHAGrp
HA Group Number: 1154702011
HA Group Slot #: 1
Synchronization: enabled
Group Members: 154702011, 154702012
Standby Members: <none>
Slot #    Member S/N    Member Label    Status
======    ==========    ============    ======
-         154702011     HA1             alive
-         154702012     HA2             alive
C:\Program Files\SafeNet\LunaClient>
When the Luna SA to be replaced in an HA Group is a secondary member, the process is similar to the above. You must delete the secondary from the HA Group and re-add it with the new partition serial number. It is not necessary to delete and recreate the group.
If a Luna SA must be replaced, the old IP address can be used, but the Luna SA certificate must be regenerated. The IP address must be removed from the server list on the client and then added back using the new “server.pem” received from the replacement Luna SA.
If the Luna SA being replaced is the Primary, you must delete the HA Group and recreate it using the new Primary Luna SA partition serial number, and then add the original Secondary Luna SA partition serial number. The cert from the original Secondary is already in place on the client, and no change is needed to that.
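The replacement rules above (re-register the appliance's regenerated cert on the client, then re-add a replaced secondary or recreate the group for a replaced primary) turned into a small client-side planner. This is an added example, not SafeNet's code: the sample config is a constructed cut-down of the one shown above, `replacement_plan` is a hypothetical helper, and `<userpin>` is a placeholder for the partition password.

```python
import configparser

# Constructed sample modelled on the client config shown above; the first listed HA member is the primary.
SAMPLE_CONFIG = r"""[LunaSA Client]
ServerName00=20.1.1.20
ServerPort00=1792
[VirtualToken]
VirtualToken00Label=SomeHAGrp
VirtualToken00SN=1154702011
VirtualToken00Members=154702011, 154702012
[HASynchronize]
SomeHAGrp=1
"""

def load_config(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the mixed-case key names the Luna client uses
    cp.read_string(text)
    return cp

def replacement_plan(cp, appliance_ip, old_serial, new_serial, idx=0):
    # Hypothetical helper: the client-side steps for swapping one member of HA group number idx.
    registered = [v for k, v in cp["LunaSA Client"].items() if k.startswith("ServerName")]
    if appliance_ip not in registered:
        raise ValueError(f"{appliance_ip} is not a registered server on this client")
    vt = cp["VirtualToken"]
    label = vt[f"VirtualToken{idx:02d}Label"]
    members = [m.strip() for m in vt[f"VirtualToken{idx:02d}Members"].split(",")]
    if old_serial not in members:
        raise ValueError(f"{old_serial} is not a member of HA group {label}")
    # The first listed member is the primary and the group number is derived from its serial
    # (1154702011 for primary 154702011 above), so a replaced primary forces a new group.
    primary_replaced = members[0] == old_serial
    new_members = [new_serial if m == old_serial else m for m in members]
    pw = "-password <userpin>"  # placeholder, never hard-code the real partition password
    steps = [
        f"vtl deleteserver -n {appliance_ip}",             # also deletes cert\server\CAFile.pem
        f"copy the regenerated server.pem from {appliance_ip} to the client",
        f"vtl addserver -n {appliance_ip} -c server.pem",  # recreates CAFile.pem from it
        "vtl verify",                                      # must now list the new partition serial
    ]
    if primary_replaced:
        steps.append(f"delete HA group {label}")
        steps.append(f"vtl haAdmin -newGroup -label {label} -serial {new_serial} {pw}")
        steps += [f"vtl haAdmin -addMember -group {label} -serialNum {m} {pw}" for m in new_members[1:]]
    else:
        steps.append(f"remove member {old_serial} from HA group {label}")
        steps.append(f"vtl haAdmin -addMember -group {label} -serialNum {new_serial} {pw}")
    steps.append("vtl haAdmin -synchronize")
    return {"label": label, "primary_replaced": primary_replaced, "new_members": new_members, "steps": steps}
```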