Using Scalable Key Storage in a Multi-HSM Environment

The following are the basic steps for setting up Scalable Key Storage (SIM) across two SafeNet appliance units.

1. Initialize the first SafeNet appliance. Refer to the Configuration section of this Help. The domain created during this initialization (a text string for a Password Authenticated SafeNet appliance, or a red PED Key for a PED Authenticated SafeNet appliance) is used as the cloning domain for the backup tokens and for the second SafeNet appliance.

2. Create the partition on the first SafeNet appliance.

3. Connect the backup HSM to the appliance USB port.

4. Insert the token into the SafeNet Dock2, which is connected to the appliance USB port.

5. Initialize the backup HSM or token with the lush command token backup init, following the on-screen prompts. Use the same domain as in step 1.

6. Initialize the second SafeNet appliance, using the same cloning domain as on the first SafeNet appliance.

7. Create the partition on the second SafeNet appliance.

8. Connect the backup HSM to the appliance USB port.

9. Insert the token into the SafeNet Dock2, which is connected to the appliance USB port.

10. Perform hsm restore from the admin shell. Once this completes, both SafeNet appliances can mask and unmask keys using the same “master” key.

11. Set up your Clients and register both SafeNet appliances with each Client. In ckdemo, if you select option 14 (Slot List) and choose “Only slots with token present”, you should see two LunaNet slots.

12. When the lunaSign::Login function executes, it always logs in to slot 1, and slot 1 is always present as long as at least one SafeNet appliance is operational and accessible. The Login function returns the number of slots with “tokens” present (that is, the number of accessible SafeNet appliance partitions). In normal operation in the above case the value should be 2. If it returns fewer than 2, an additional function can be called that returns the identity of the still-live unit.
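To notice when one appliance of the pair has dropped out (the case in step 12 where Login reports fewer than 2 slots), here is an added example, not from the SDK or this Help, that enumerates the PKCS#11 slots with a token present through ctypes and compares the count with the expected two. The client library path and the expected count are assumptions you set for your own installation.

```python
import ctypes
from typing import Dict, List

# Assumption: path of the Luna PKCS#11 client library on this host; adjust for your install.
CRYPTOKI_PATH = "/usr/safenet/lunaclient/lib/libCryptoki2_64.so"
EXPECTED_PARTITIONS = 2  # two registered SafeNet appliances -> two LunaNet slots
CKR_OK = 0


def list_slots_with_token(lib_path: str = CRYPTOKI_PATH) -> List[int]:
    """Slot IDs that currently have a token (an accessible partition) present.

    Plain PKCS#11 via ctypes (C_Initialize, C_GetSlotList with tokenPresent=TRUE),
    not the lunaSign::Login wrapper described on this page.
    """
    lib = ctypes.CDLL(lib_path)
    for fn in (lib.C_Initialize, lib.C_GetSlotList, lib.C_Finalize):
        fn.restype = ctypes.c_ulong  # CK_RV
    rv = lib.C_Initialize(None)
    if rv != CKR_OK:
        raise RuntimeError(f"C_Initialize failed: 0x{rv:08x}")
    try:
        count = ctypes.c_ulong(0)
        rv = lib.C_GetSlotList(ctypes.c_ubyte(1), None, ctypes.byref(count))
        if rv != CKR_OK:
            raise RuntimeError(f"C_GetSlotList (count) failed: 0x{rv:08x}")
        slots = (ctypes.c_ulong * max(count.value, 1))()
        rv = lib.C_GetSlotList(ctypes.c_ubyte(1), slots, ctypes.byref(count))
        if rv != CKR_OK:
            raise RuntimeError(f"C_GetSlotList (list) failed: 0x{rv:08x}")
        return [int(slots[i]) for i in range(count.value)]
    finally:
        lib.C_Finalize(None)


def assess_availability(slot_ids: List[int], expected: int = EXPECTED_PARTITIONS) -> Dict:
    """Compare the live partition count with what a healthy two-appliance setup shows.

    ok: all expected partitions reachable; degraded: an appliance is missing and
    live_slots identifies the survivors; down: no partition reachable at all.
    """
    live = sorted(set(slot_ids))
    status = "ok" if len(live) >= expected else ("degraded" if live else "down")
    return {"status": status, "live_slots": live, "missing": max(expected - len(live), 0)}


if __name__ == "__main__":
    # Example run against a real client install; alert if status is not "ok".
    print(assess_availability(list_slots_with_token()))
```

Run it from a monitoring job on each Client host so that loss of one appliance is detected before an application sees Login return 1.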