Configuring HA

For this section you need at least two SafeNet Network HSM appliances with PED Authentication, or two with Password Authentication. You may not use Password Authenticated SafeNet Network HSM and PED Authenticated SafeNet Network HSM simultaneously in an HA group.

Partitions that are to take part in an HA group do not need to be identical (see below for the example that mixes several differences), but they should have the same firmware version and generally similar Policy settings, to avoid conflicts. For example, you would not want to have a group with a mix of partitions, some with FIPS mode switched on and some with FIPS mode switched off, because a call for a non-FIPS-approved operation would fail on any member that is not allowed to perform that operation, and attempts to synchronize the contents of group members would fail to replicate objects that were not permitted on some members. The library is not aware of individual member settings; only whether the members are available when needed, or not.

Note:  You must Activate individual HSM partitions directly and individually - you cannot perform Activation on a virtual HA partition.

In general, when an HA group is established, you (or your applications) can interact with the virtual partition to perform crypto operations, and the library decides which physical partitions are involved - based on load and other considerations - but administrative activities must be performed directly on individual physical HSM partitions.

Now proceed to create the HA group.

Create the HA Group

Note:  Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have sufficient privileges.

After creating partitions

on (at least) two SafeNet appliances, and setting up NTLS between those partitions and your client, or

on two HSMs on the local host, or

on a mix of local and remote application partitions,

use LunaCM to configure HA on your client.

For this example, assume

two local HSMs,

two remote HSM appliances (one partition from each)

a mix of PSO partitions and legacy partitions (not required, just mentioning so the slot list distribution is obvious, and to show that it is possible to mix - HA is not affected),

a mix of firmware versions (illustrating that it is possible to mix f/w versions in HA - but remember that the group has the capabilities of the oldest firmware, not any newer)

each partition has the same password/challenge secret (previously set by command role changePW -oldpw <pw> -newpw with the old and new partition challenge/password secrets specified in the command, to invoke changing the secondary credentials),

each partition is activated (the partition has Policies 22 and 23 turned on, and an Owner/Crypto Officer (or Crypto User) authentication has been performed)

 

C:\Program Files\SafeNet\LunaClient>lunacm
LunaCM v15.11.16-135. Copyright (c) 2006-2016 SafeNet, Inc.

        Available HSMs:

        Slot Id ->              0
        Label ->                mylegacypar1
        Serial Number ->        16298193222735
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                mysapsopar1
        Serial Number ->        16298193222734
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Tunnel Slot Id ->       4
        Label ->                parwithpso
        Serial Number ->        349297122742
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              3
        Tunnel Slot Id ->       4
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              5
        Label ->                myG5par
        Serial Number ->        16302360890475
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              6
        Label ->                SafeG5
        Serial Number ->        7001812
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK


        Current Slot Id: 0


Command Result : No Error

lunacm:> 
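The compatibility rules above (one authentication type per group; the group has the capabilities of its oldest firmware) can be checked against the slot listing before the group is created. This is an added example, not SafeNet code: the function names, slot 7 and its "(PW)" tag are constructed, and treating Admin partitions as ineligible is an assumption drawn from the example, which adds only user partitions.

```python
import re

# Constructed input: abbreviated fields from the listing above, plus one
# made-up password-authenticated slot (7); "(PW)" as its tag is an assumption.
LISTING = """
Slot Id ->              2
Serial Number ->        349297122742
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Id ->              3
Serial Number ->        150022
Firmware Version ->     6.24.0
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Id ->              5
Serial Number ->        16302360890475
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Id ->              7
Serial Number ->        999000111
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
"""

def parse_slots(text):
    """Turn 'Key -> value' lines into one dict per slot, keyed by serial number."""
    slots, cur = {}, {}
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.partition("->"))
        if not sep:
            continue
        if key == "Slot Id":
            cur = {}                      # a new slot record starts here
        cur[key] = value
        if key == "Serial Number":
            slots[value] = cur
    return slots

def ha_preflight(slots, members):
    """Return (blocking problems, oldest firmware) for the chosen serials."""
    problems, auth, firmware = [], set(), []
    for sn in members:
        cfg = slots.get(sn, {}).get("Configuration", "")
        if "User Partition" not in cfg:   # assumption: only user partitions join
            problems.append(f"{sn}: not a user partition in the slot list")
            continue
        auth.update(re.findall(r"\((\w+)\)", cfg))   # e.g. PED
        firmware.append(tuple(int(n) for n in slots[sn]["Firmware Version"].split(".")))
    if len(auth) > 1:
        problems.append("mixed authentication types: " + ", ".join(sorted(auth)))
    oldest = ".".join(map(str, min(firmware))) if firmware else None
    return problems, oldest
```

Mixed firmware is reported through the second return value rather than as a problem, because the guide allows it.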

 

1. Use the hagroup createGroup command to create the HA group with one member.

 

lunacm:> hagroup createGroup -serialNumber 349297122742 -label myhagroup -p someuserpin

        New group with label "myhagroup" created with group number 1349297122742.
        Group configuration is:

         HA Group Label:  myhagroup
        HA Group Number:  1349297122742
       HA Group Slot ID:  Not Available
        Synchronization:  enabled
          Group Members:  349297122742
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  349297122742                        parwithpso     alive


Command Result : No Error
LunaCM v15.11.16-135. Copyright (c) 2006-2015 SafeNet, Inc.

        Available HSMs:

        Slot Id ->              0
        Label ->                mylegacypar1
        Serial Number ->        16298193222735
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                mysapsopar1
        Serial Number ->        16298193222734
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Tunnel Slot Id ->       4
        Label ->                parwithpso
        Serial Number ->        349297122742
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              3
        Tunnel Slot Id ->       4
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              5
        Label ->                myG5par
        Serial Number ->        16302360890475
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              6
        Label ->                SafeG5
        Serial Number ->        7001812
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              10
        HSM Label ->            myhagroup
        HSM Serial Number ->    1349297122742
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 6.24.0
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group

        Current Slot Id: 0

lunacm:>

 

Note:  For PED-authenticated HSMs, have a SafeNet PED connected, the partition already activated, and provide the partition challenge secret as the password (must be the same for all members). For Password-authenticated HSMs, the partition password is the challenge, and must be common to all members.

The group is represented by the virtual partition, which must have the same authentication.

Note:  You cannot mix PED-authenticated and Password-authenticated HSM partitions in an HA group, because the different authentication methods prevent them having the same cloning domain, which is required for HA synchronization.

2. Your Chrystoki.conf/crystoki.ini file should now have a new section:

VirtualToken = {
VirtualToken00Members = 65003001;
VirtualToken00SN = 742276409;
VirtualToken00Label = myHAgroup;
}  

CAUTION:  Never insert TAB characters into the crystoki.ini (Windows) or Chrystoki.conf (UNIX) file.

So far, we have an HA group with one member, which is the SafeNet PCIe HSM user partition from the original slot list. Next we would add additional HSM partitions (slots) to the group, to make it a true, functional HA group.

3. Use the hagroup addMember command to add another member to the HA group, that member being the SafeNet USB HSM user partition from the original list:

lunacm:> hagroup addMember -slot 5 -group myhagroup -password someuserpin
        Member 16302360890475 successfully added to group myhagroup. New group
        configuration is:

         HA Group Label:  myhagroup
        HA Group Number:  1349297122742
       HA Group Slot ID:  10
        Synchronization:  enabled
          Group Members:  349297122742, 16302360890475
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  349297122742                        parwithpso     alive
------  16302360890475                         myG5par     alive


        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)

Command Result : No Error

lunacm:>
 
                

4. Check Chrystoki.conf/crystoki.ini again. The VirtualToken section should now look like this:

VirtualToken = {
VirtualToken01Label = myhagroup;
VirtualToken01SN = 1349297122742;
VirtualToken01Members = 349297122742,16302360890475;
}
 

5. To extend the example, we can add one of the SafeNet Network HSM remote partitions to the group, again with command hagroup addMember:

 

lunacm:> hagroup addMember -slot 0 -group myhagroup -password someuserpin
        Member 16298193222735 successfully added to group myhagroup. New group
        configuration is:

         HA Group Label:  myhagroup
        HA Group Number:  1349297122742
       HA Group Slot ID:  10
        Synchronization:  enabled
          Group Members:  349297122742, 16302360890475, 16298193222735
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  349297122742                        parwithpso     alive
------  16302360890475                         myG5par     alive
------  16298193222735                    mylegacypar1     alive


        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)

Command Result : No Error

lunacm:>

 

6. Use the command hagroup synchronize -group <grouplabel> -password <password> -enable when you are ready to replicate data between/among all members of the HA group.

 

lunacm:> hagroup synchronize -group myhagroup -password someuserpin -enable

        HA Synchronization is already enabled

        No synchronization performed/needed.

Command Result : No Error

lunacm:>

 

If you have additional members to add, you might wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations. The 'synchronize' command replicates all objects on all partitions across all other partitions. As there are no objects on our newly created partitions yet, we do not need to run this command.

Note:  Do not use this command when recovering a group member that has failed (or was taken down for maintenance). Use the command hagroup recover -group <grouplabel>.

Verification Steps

7. We have the two physical slots on SafeNet HSM sa175 and SafeNet HSM sa172, and now a third virtual slot which points at both physical slots at once, via load balancing. To test your HA setup, run multitoken against slot 3:

./multitoken -mode rsasigver -key 1024 -slots 3,3,3,3,3,3,3,3,3,3,3,3

Note:  (Each of the “3”s in the above sample invokes one thread performing the selected signing operation.)

If you are satisfied that your HA setup is working, then you can begin using your application against the HA "slot" label (which, in the example above, was "myhagroup").  If you have included more SafeNet HSM application Partitions in your HA group, then the virtual slot assignment will differ accordingly, but that doesn't matter to your application, because the application should be invoking the label, not a particular slot-number.
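A check of the VirtualToken section written in steps 2 and 4, covering the TAB caution and the member list, as an added example that is not part of the SafeNet documentation. The function name and the sample file content are constructed, and only the brace-delimited layout shown on this page is handled.

```python
import re

# Constructed file content modelled on step 4; BAD prefixes one line with a
# TAB to show the failure case the CAUTION warns about.
GOOD = (
    "VirtualToken = {\n"
    "VirtualToken01Label = myhagroup;\n"
    "VirtualToken01SN = 1349297122742;\n"
    "VirtualToken01Members = 349297122742,16302360890475;\n"
    "}\n"
)
BAD = GOOD.replace("VirtualToken01SN", "\tVirtualToken01SN")

def check_virtual_token(conf_text, label, expected_members):
    """Return a list of findings for the HA group `label`; empty means OK."""
    findings = [f"line {n}: TAB character"
                for n, line in enumerate(conf_text.splitlines(), 1) if "\t" in line]
    section = re.search(r"VirtualToken\s*=\s*\{(.*?)\}", conf_text, re.S)
    if not section:
        return findings + ["no VirtualToken section"]
    entries = dict(re.findall(r"(\w+)\s*=\s*([^;\n]*)", section.group(1)))
    # Entries are numbered per group (VirtualToken00..., VirtualToken01...),
    # so find the index whose Label entry matches the group we care about.
    idx = next((k[len("VirtualToken"):-len("Label")] for k, v in entries.items()
                if k.endswith("Label") and v.strip() == label), None)
    if idx is None:
        return findings + [f"no group labelled {label!r}"]
    raw = entries.get(f"VirtualToken{idx}Members", "")
    members = {m.strip() for m in raw.split(",") if m.strip()}
    expected = set(expected_members)
    findings += [f"missing member {m}" for m in sorted(expected - members)]
    findings += [f"unexpected member {m}" for m in sorted(members - expected)]
    return findings
```

An unexpected serial number in the member list is worth investigating, because synchronization replicates objects to every member of the group.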

HA Standby Mode [optional]

If you wish to add an additional member that will be designated a standby member, and not a regular participant in the group, see Standby Members.