Frequently Asked Questions

This section provides additional information by answering questions that are frequently asked by our customers.

Can we manage NTLS connections through a load balancer (like NetScaler, Barracuda, A10, etc.)?

No. NTLS will not work through a load balancer because it is an end-to-end TLS pipe between the client and the SafeNet Network HSM.

We want to use a backup application server that would operate in standby mode until awakened by a failure of our primary application server. Can we use a virtual IP in the SafeNet Network HSM setup, so that both primary and secondary are accepted for NTLS as the same client by SafeNet Network HSM?

Yes. At the client, generate the client cert with the command "vtl createCert -n <any IP address, real or virtual>".

Both client computers must have the SafeNet Network HSM appliance's server cert in their client-side server-cert folders.

The SafeNet Network HSM appliance must have the client certificate (built with the virtual IP address).

Also, the following lines in the Chrystoki.conf file must point to the same certificate and key file on the clustered application servers:

      LunaSA Client = {
       ClientCertFile=\usr\LunaClient\cert\client\<your-cert-filename>.pem
       ClientPrivKeyFile=\usr\LunaClient\cert\client\<your-filename>Key.pem
      }

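
The following Python check is an added example, not part of the SafeNet documentation or client tooling. It reads the ClientCertFile and ClientPrivKeyFile entries from each application server's Chrystoki.conf and reports any entry whose referenced file differs between the primary and the standby. The function names, sample paths and file contents are constructed, each node's files are passed in as a path-to-bytes mapping, and the check does not verify that the certificate was built with the virtual IP.

```python
import hashlib
import re

SECTION_RE = re.compile(r"LunaSA Client\s*=\s*\{(.*?)\}", re.S)
ENTRY_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*;?[ \t]*$", re.M)
KEYS = ("ClientCertFile", "ClientPrivKeyFile")


def client_identity(conf_text):
    """Return {entry: path} for the cert and key lines of the LunaSA Client section."""
    section = SECTION_RE.search(conf_text)
    if section is None:
        raise ValueError("no 'LunaSA Client' section found")
    entries = dict(ENTRY_RE.findall(section.group(1)))
    missing = [k for k in KEYS if not entries.get(k)]
    if missing:
        raise ValueError("missing entries: " + ", ".join(missing))
    return {k: entries[k] for k in KEYS}


def compare_nodes(conf_a, files_a, conf_b, files_b):
    """List the entries whose referenced file contents differ between two nodes.

    files_a / files_b map path -> bytes (stand-ins for each node's filesystem).
    """
    id_a, id_b = client_identity(conf_a), client_identity(conf_b)
    mismatched = []
    for key in KEYS:
        hash_a = hashlib.sha256(files_a[id_a[key]]).hexdigest()
        hash_b = hashlib.sha256(files_b[id_b[key]]).hexdigest()
        if hash_a != hash_b:
            mismatched.append(key)
    return mismatched


# Constructed sample data: paths and file contents are placeholders.
CONF = """LunaSA Client = {
   ClientCertFile = /opt/app/cert/client/vip.pem;
   ClientPrivKeyFile = /opt/app/cert/client/vipKey.pem;
}"""
PRIMARY = {"/opt/app/cert/client/vip.pem": b"CERT-FOR-VIP",
           "/opt/app/cert/client/vipKey.pem": b"KEY-FOR-VIP"}
STANDBY_OK = dict(PRIMARY)
STANDBY_STALE = dict(PRIMARY, **{"/opt/app/cert/client/vipKey.pem": b"OLD-KEY"})

if __name__ == "__main__":
    print(compare_nodes(CONF, PRIMARY, CONF, STANDBY_OK))
    print(compare_nodes(CONF, PRIMARY, CONF, STANDBY_STALE))
```

An empty result means both servers present the same client certificate and key to the appliance; any listed entry points to a file that was not copied or was regenerated on one node.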
Our application keeps the HSM full. Can we double the capacity by creating an HA group and having a second HSM?

No. HA provides redundancy and can increase performance, but not capacity. Every HSM in an HA group gets synchronized with the other member[s], which means that the content of any one HSM in an HA group must be a clone of the content of any other member of that group. So, with more HA group members, you get more copies, not more space.