Administration Guide > High-Availability (HA) Configuration and Operation > Configuring HA

Configuring HA

For this section you need at least two SafeNet Network HSM appliances with PED Authentication, or two with Password Authentication. You may not use Password Authenticated SafeNet Network HSM and PED Authenticated SafeNet Network HSM simultaneously in an HA group.

Set up Appliances for HA

Follow these steps to set up an HA group:

1. Perform the network setup on your two HA units (for a description of the standard procedure, see Configuring the SafeNet Appliance Network Settings in the Configuration Guide). For this example, the appliances are designated sa175 and sa172, and their HSMs have the same names, respectively.

2. Ensure that the Allow Cloning and Allow Network Replication policies are "On" in hsm showPolicies (and if not, then set them with hsm setPolicy). If your HSMs do not have the cloning option, then they will use the SIM or Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token.

3. Initialize the HSMs on your SafeNet Network HSM appliances (About Initializing a Password-Authenticated HSM or Initializing a PED-Authenticated HSM in the Configuration Guide). They must have the same cloning domain; that is, they must share the same red domain PED Key if they are PED-authenticated, or they must share the same domain string if they are password-authenticated.

4. Create a partition on each SafeNet Network HSM. They need not have the same labels, but must have the same password. For this example, the Partitions are sa175legpar1 (on sa175) and sa172legpar1 (on sa172).

5. Use the partition changePw command to change the Partitions' passwords so that they match.

By making the client partition challenge password the same on both partitions (on both SafeNet Network HSM appliances), you allow your clients to use that one secret when addressing the virtual partition (which includes both real partitions).

6. Make a note of the serial number of each Partition created on each SafeNet Network HSM (use partition show). For this example:

sa175 - sa175legpar1 - serial number 65003001 - password userpin

sa172 - sa172legpar1 - serial number 65005001 - password userpin.

7. [OPTION] Ensure that each Partition is Activated and AutoActivated (see About Activation and Auto-Activation; applies to SafeNet Network HSM with PED Authentication), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.

Register Clients with SafeNet Network HSM HA

Proceed with normal client setup (see Create a Network Trust Link Between the Client and the Appliance in the Configuration Guide). Register your client computer with both SafeNet Enterprise HSMs (this example is using just two HSM appliances; obviously, you would configure and register however many HSM appliances you wish to use in your own situation).  

On sa175, assign sa175legpar1 to ClientX (you would replace "ClientX" with the actual name of your Client computer).

On sa172, assign sa172legpar1 to ClientX, as well (repeat if you have more SafeNet Enterprise HSMs and Partitions to include in the HA group).

At this point, you have completed a normal single-client, multiple HSM appliance setup.

Now proceed to create the HA group.

Create the HA Group

Note:  Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have sufficient privileges.

After creating partitions on (at least) two SafeNet appliances, and setting up NTLS between those partitions and your client, use LunaCM to configure HA on your client.

1. Use the hagroup addmember command to create a new HA group on the client, which requires:

a Label for the group (do NOT call the group just "HA").

the Serial number of the first partition OR the slot number of the first partition.

the password for the partition.

Lunacm also generates and assigns a Serial Number to the group itself:

lunacm:> hagroup addMember -group myHAgroup -serialNumber 65003001 -password userpin

New group with label "myHAgroup" created with group number 742276409.
Group configuration is:
HA Group Label:  myHAgroup
HA Group Number:  742276409
HA Group Slot ID:  Not Available
Synchronization:  enabled
Group Members:  65003001
Needs sync:  no

Slot #    Member S/N    Member Label    Status
======    ==========    ============    ======
0         65003001      sa175legpar1    alive

Command Result : No Error

LunaCM v6.0.0 - Copyright (c) 2006-2015 SafeNet, Inc.

Available HSMs:

Slot Id ->              0
Label ->                sa175legpar1
Serial Number ->        65003001
Model ->                LunaSA
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              1
Label ->                sa172legpar1
Serial Number ->        65005001
Model ->                LunaSA
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              3
HSM Label ->            myHAgroup
HSM Serial Number ->    742276409
HSM Model ->            LunaVirtual
HSM Firmware Version -> 6.22.0
HSM Configuration ->    Luna Virtual HSM (PW) Signing With Cloning Mode
HSM Status ->           N/A - HA Group

Current Slot Id: 0

Note:  The above is for Password-authenticated SafeNet HSMs. For PED-authenticated HSMs, have a SafeNet PED connected, the partition already activated, and provide the partition challenge secret as the password (must be the same for all members).

2. Your chrystoki.conf/crystoki.ini file should now have a new section:

VirtualToken = {
VirtualToken00Members = 65003001;
VirtualToken00SN = 742276409;
VirtualToken00Label = myHAgroup;
}  

CAUTION:  Never insert TAB characters into the crystoki.ini (Windows) or Chrystoki.conf (UNIX) file.

3. Use the hagroup addmember command to add another member to the HA group, that member being the second partition (sa172legpar1 on sa172, in this example):

lunacm:> hagroup addMember -group myHAgroup -serialNumber 65005001 -password userpin

Member 65005001 successfully added to group 742276409.
New group configuration is:
HA Group Number:  742276409
HA Group Label:  myHAgroup
Group Members:  65003001, 65005001
Needs sync:  no

Group configuration is:
HA Group Label:  myHAgroup
HA Group Number:  742276409
HA Group Slot ID:  Not Available
Synchronization:  enabled
Group Members:  65003001, 65005001
Needs sync:  no

Slot #    Member S/N    Member Label    Status
======    ==========    ============    ======
0         65003001      sa175legpar1    alive
1         65005001      sa172legpar1    alive

Command Result : No Error

LunaCM v6.0.0 - Copyright (c) 2006-2015 SafeNet, Inc.

Available HSMs:

Slot Id ->              0
Label ->                sa175legpar1
Serial Number ->        65003001
Model ->                LunaSA
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              1
Label ->                sa172legpar1
Serial Number ->        65005001
Model ->                LunaSA
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition, No SO (PW) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              3
HSM Label ->            myHAgroup
HSM Serial Number ->    742276409
HSM Model ->            LunaVirtual
HSM Firmware Version -> 6.22.0
HSM Configuration ->    Luna Virtual HSM (PW) Signing With Cloning Mode
HSM Status ->           N/A - HA Group

Current Slot Id: 0

4. Check Chrystoki.conf/crystoki.ini again; the VirtualToken section should now look like this:

VirtualToken = {
VirtualToken00Members = 65003001, 65005001;
VirtualToken00SN = 742276409;
VirtualToken00Label = myHAgroup;
}
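As an added consistency check (example code written for this page, not SafeNet's own tooling or part of LunaCM), the following Python script parses the VirtualToken section shown above together with the member table that hagroup addMember printed in step 3, and reports any partition listed on one side but not the other, any member whose status is not "alive", and any TAB character in the configuration file (the CAUTION above). The parser assumes only the "Name = { key = value; }" layout visible on this page; the sample inputs are constructed from this page's example values (group 742276409, members 65003001 and 65005001).

```python
"""Cross-check a Chrystoki.conf/crystoki.ini VirtualToken section against
the member table printed by LunaCM 'hagroup addMember'.

Added example, not SafeNet code.  The config parser assumes the
'Name = { key = value; }' layout shown on the page; it is not a full
Chrystoki.conf parser.  Sample inputs are constructed from the page's values."""
import re

# Constructed: the VirtualToken section as it appears after step 4.
SAMPLE_CONF = """VirtualToken = {
VirtualToken00Members = 65003001, 65005001;
VirtualToken00SN = 742276409;
VirtualToken00Label = myHAgroup;
}
"""

# Constructed: the group summary and member table printed in step 3.
SAMPLE_HAGROUP_OUTPUT = """Group configuration is:
HA Group Label:  myHAgroup
HA Group Number:  742276409
Group Members:  65003001, 65005001
Needs sync:  no
Slot #    Member S/N    Member Label    Status
======    ==========    ============    ======
0         65003001      sa175legpar1    alive
1         65005001      sa172legpar1    alive
Command Result : No Error
"""


def parse_chrystoki_sections(text):
    """Parse 'Name = { key = value; ... }' blocks into {section: {key: value}}.

    Raises ValueError on a TAB character, which the page says must never be
    inserted into this file."""
    if "\t" in text:
        raise ValueError("TAB character found in configuration file")
    sections = {}
    for name, body in re.findall(r"(\w+)\s*=\s*\{(.*?)\}", text, re.S):
        entries = {}
        for line in body.splitlines():
            line = line.strip().rstrip(";").strip()
            if not line or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
        sections[name] = entries
    return sections


def virtual_token_groups(conf_text):
    """Return {group_label: {"sn": ..., "members": [serials]}} for every
    VirtualTokenNN entry (NN is the group index) in the VirtualToken section."""
    vt = parse_chrystoki_sections(conf_text).get("VirtualToken", {})
    groups = {}
    for key, value in vt.items():
        m = re.fullmatch(r"VirtualToken(\d+)Label", key)
        if not m:
            continue
        idx = m.group(1)
        members = vt.get(f"VirtualToken{idx}Members", "")
        groups[value] = {
            "sn": vt.get(f"VirtualToken{idx}SN"),
            "members": [s.strip() for s in members.split(",") if s.strip()],
        }
    return groups


def parse_hagroup_members(output):
    """Extract (serial, partition label, status) from the member table rows,
    which look like '0  65003001  sa175legpar1  alive'."""
    rows = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            rows.append((m.group(2), m.group(3), m.group(4)))
    return rows


def check_ha_group(conf_text, hagroup_output, label):
    """Return a list of problems; an empty list means the group on disk
    matches what LunaCM reports and every member is alive."""
    try:
        group = virtual_token_groups(conf_text).get(label)
    except ValueError as exc:          # TAB character in the config file
        return [str(exc)]
    if group is None:
        return [f"group {label!r} not found in VirtualToken section"]
    problems = []
    reported = parse_hagroup_members(hagroup_output)
    reported_serials = {sn for sn, _, _ in reported}
    for sn in group["members"]:
        if sn not in reported_serials:
            problems.append(f"config member {sn} not reported by lunacm")
    for sn, part_label, status in reported:
        if sn not in group["members"]:
            problems.append(f"lunacm member {sn} ({part_label}) missing from config")
        if status != "alive":
            problems.append(f"member {sn} ({part_label}) status is {status}")
    return problems


if __name__ == "__main__":
    print(virtual_token_groups(SAMPLE_CONF))
    print(check_ha_group(SAMPLE_CONF, SAMPLE_HAGROUP_OUTPUT, "myHAgroup") or "HA group consistent")
```

Run it after each addmember step with the current Chrystoki.conf and the captured LunaCM output; a non-empty list is the point at which to stop and correct the group before running hagroup synchronize.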
 

5. Use the command hagroup synchronize -group <grouplabel> -password <password> -enable when you are ready to replicate data between/among all members of the HA group.

If you have additional members to add, you might wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations. The 'synchronize' command replicates all objects on all partitions across all other partitions. As there are no objects on our newly created partitions yet, we do not need to run this command.

Note:  Do not use this command when recovering a group member that has failed (or was taken down for maintenance). Use the command hagroup recover -group <grouplabel>.

Verification Steps

6. We have the two physical slots on SafeNet HSM sa175 and SafeNet HSM sa172, and now a third virtual slot which points at both physical slots at once, via load balancing. To test your HA setup, run multitoken against slot 3:

./multitoken -mode rsasigver -key 1024 -slots 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3

Note:  Each of the "3"s in the above sample invokes one thread performing the selected signing operation.

If you are satisfied that your HA setup is working, then you can begin using your application against the HA "slot" label (which, in the example above, was "myHAgroup"). If you have included more SafeNet HSM application Partitions in your HA group, then the virtual slot assignment will differ accordingly, but that doesn't matter to your application, because the application should be invoking the label, not a particular slot number.

HA Standby Mode [optional]

If you wish to add an additional member that will be designated a standby member, and not a regular participant in the group, see Standby Members.