Configuring HA

For this section you need at least two SafeNet Network HSM appliances with PED Authentication, or two with Password Authentication. You may not use Password Authenticated SafeNet Network HSM and PED Authenticated SafeNet Network HSM simultaneously in an HA group.

Partitions that are to take part in an HA group do not need to be identical (see below for the example that mixes several differences), but they should have the same firmware version and generally similar Policy settings, to avoid conflicts. For example, you would not want to have a group with a mix of partitions, some with FIPS mode switched on and some with FIPS mode switched off, because a call for a non-FIPS-approved operation would fail on any member that is not allowed to perform that operation, and attempts to synchronize the contents of group members would fail to replicate objects that were not permitted on some members. The library is not aware of individual member settings; only whether the members are available when needed, or not.

Set up Appliances for HA

Follow these steps to set up an HA group:

1. Perform the network setup on your two HA units (for a description of the standard procedure, see Configuring the SafeNet Appliance Network Settings in the Configuration Guide). For this example, the appliances are designated sa175 and sa172 and their HSMs have the same names, respectively.

2. Ensure that the Allow Cloning and Allow Network Replication policies are “On” in hsm showPolicies (and if not, then set them with hsm setPolicy). If your HSMs do not have the cloning option, then they will use the SIM or Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token.

3. Initialize the HSMs on your SafeNet Network HSM appliances (About Initializing a Password-Authenticated HSM or Initializing a PED-Authenticated HSM in the Configuration Guide). They must have the same cloning domain – that is, they must share the same red domain PED Key if they are PED-authenticated, or they must share the same domain string if they are password-authenticated.

4. Create a partition on each SafeNet Network HSM. They need not have the same labels, but must have the same password. For this example, the Partitions are sa175legpar1 (on sa175) and sa172legpar1 (on sa172).

5. Use the partition changePw command to change the Partitions' passwords so that they match.

By making the client partition challenge password the same on both partitions (on both SafeNet Network HSM appliances), you allow your clients to use that one secret when addressing the virtual partition (which includes both real partitions).

6. Make a note of the serial number of each Partition created on each SafeNet Network HSM (use partition show). For this example:

sa175 - sa175legpar1 - serial number 65003001 - password userpin

sa172 - sa172legpar1 - serial number 65005001 - password userpin.

7. [OPTION] Ensure that each Partition is Activated and AutoActivated (see About Activation and Auto-Activation - applies to SafeNet Network HSM with PED Authentication), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.

Register Clients with SafeNet Network HSM HA

Proceed with normal client setup (see [Step 7] Create a Network Trust Link Between the Client and the Appliance in the Configuration Guide). Register your client computer with both SafeNet Enterprise HSMs (this example is using just two HSM appliances; obviously, you would configure and register however many HSM appliances you wish to use in your own situation).  

On sa175, assign sa175legpar1 to ClientX (you would replace "ClientX" with the actual name of your Client computer).

On sa172, assign sa172legpar1 to ClientX, as well (repeat if you have more SafeNet Enterprise HSMs and Partitions to include in the HA group).

At this point, you have completed a normal single-client, multiple HSM appliance setup.

Note:  You must Activate individual HSM partitions directly and individually - you cannot perform Activation on a virtual HA partition.

In general, when an HA group is established, you (or your applications) can interact with the virtual partition to perform crypto operations, and the library decides which physical partitions are involved - based on load and other considerations - but administrative activities must be performed directly on individual physical HSM partitions.

Now proceed to create the HA group.

Create the HA Group

Note:  Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have sufficient privileges.

After creating partitions

on (at least) two SafeNet appliances, and setting up NTLS between those partitions and your client, or

on two HSMs on the local host, or

on a mix of local and remote application partitions,

use LunaCM to configure HA on your client.

For this example, assume

two local HSMs,

two remote HSM appliances (one partition from each)

a mix of PSO partitions and legacy partitions (not required, just mentioning so the slot list distribution is obvious, and to show that it is possible to mix - HA is not affected),

a mix of firmware versions (illustrating that it is possible to mix f/w versions in HA - but remember that the group has the capabilities of the oldest firmware, not any newer)

each partition has the same password/challenge secret (previously set by command role changePW -oldpw <pw> -newpw with the old and new partition challenge/password secrets specified in the command, to invoke changing the secondary credentials),

each partition is activated (the partition has Policies 22 and 23 turned on, and an Owner/Crypto Officer (or Crypto User) authentication has been performed)

 

C:\Program Files\SafeNet\LunaClient>lunacm
LunaCM v15.11.16-135. Copyright (c) 2006-2016 SafeNet, Inc.

        Available HSMs:

        Slot Id ->              0
        Label ->                mylegacypar1
        Serial Number ->        16298193222735
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                mysapsopar1
        Serial Number ->        16298193222734
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Tunnel Slot Id ->       4
        Label ->                parwithpso
        Serial Number ->        349297122742
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              3
        Tunnel Slot Id ->       4
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              5
        Label ->                myG5par
        Serial Number ->        16302360890475
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              6
        Label ->                SafeG5
        Serial Number ->        7001812
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK


        Current Slot Id: 0


Command Result : No Error

lunacm:> 
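A pre-flight check for the assumptions listed above, as an added example that is not part of the SafeNet documentation or tooling: it parses a saved copy of the LunaCM slot listing and reports the oldest firmware among the proposed members, plus anything that conflicts with the rules on this page. The function names are hypothetical, and treating a Configuration field without "(PED)" as password-authenticated is an assumption.

```python
import re

# Sample input: three slots abridged from the listing above.
LISTING = """\
        Slot Id ->              2
        Label ->                parwithpso
        Serial Number ->        349297122742
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode

        Slot Id ->              3
        Label ->                mypcie6
        Serial Number ->        150022
        Firmware Version ->     6.24.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode

        Slot Id ->              5
        Label ->                myG5par
        Serial Number ->        16302360890475
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
"""

def parse_slots(listing):
    """Return {serial number: {field: value}} from 'Field -> value' lines."""
    slots, cur = {}, {}
    for line in listing.splitlines():
        m = re.match(r"\s*([\w ]+?)\s*->\s*(.*\S)", line)
        if m:
            key, value = m.groups()
            cur = {} if key == "Slot Id" else cur   # a new slot block starts here
            cur[key] = value
            if key == "Serial Number":
                slots[value] = cur
    return slots

def preflight(listing, serials):
    """Return (oldest firmware, findings) for the proposed member serial numbers."""
    slots = parse_slots(listing)
    findings = [f"{s}: not in slot list" for s in serials if s not in slots]
    chosen = [slots[s] for s in serials if s in slots]
    findings += [f"{s['Serial Number']}: admin partition, not a user partition"
                 for s in chosen if "Admin Partition" in s["Configuration"]]
    # Assumption: PED-authenticated slots show "(PED)" as in the listing above.
    if len({"(PED)" in s["Configuration"] for s in chosen}) > 1:
        findings.append("mixed PED and password authentication")
    versions = [tuple(map(int, s["Firmware Version"].split("."))) for s in chosen]
    oldest = ".".join(map(str, min(versions))) if versions else None
    if len(set(versions)) > 1:
        findings.append(f"mixed firmware, group limited to {oldest}")
    return oldest, findings

if __name__ == "__main__":
    print(preflight(LISTING, ["349297122742", "16302360890475"]))
```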

 

1. Use the hagroup createGroup command to create the HA group with one member.

 

lunacm:> hagroup createGroup -serialNumber 349297122742 -label myhagroup -p someuserpin

        New group with label "myhagroup" created with group number 1349297122742.
        Group configuration is:

         HA Group Label:  myhagroup
        HA Group Number:  1349297122742
       HA Group Slot ID:  Not Available
        Synchronization:  enabled
          Group Members:  349297122742
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  349297122742                        parwithpso     alive


Command Result : No Error
LunaCM v15.11.16-135. Copyright (c) 2006-2015 SafeNet, Inc.

        Available HSMs:

        Slot Id ->              0
        Label ->                mylegacypar1
        Serial Number ->        16298193222735
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                mysapsopar1
        Serial Number ->        16298193222734
        Model ->                LunaSA 6.2.0
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Tunnel Slot Id ->       4
        Label ->                parwithpso
        Serial Number ->        349297122742
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              3
        Tunnel Slot Id ->       4
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.24.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              5
        Label ->                myG5par
        Serial Number ->        16302360890475
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              6
        Label ->                SafeG5
        Serial Number ->        7001812
        Model ->                G5Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              10
        HSM Label ->            myhagroup
        HSM Serial Number ->    1349297122742
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 6.24.0
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group

        Current Slot Id: 0

lunacm:>

 

Note:  For PED-authenticated HSMs, have a SafeNet PED connected, the partition already activated, and provide the partition challenge secret as the password (must be the same for all members). For Password-authenticated HSMs, the partition password is the challenge, and must be common to all members.

The group is represented by the virtual partition, which must have the same authentication.

Note:  You cannot mix PED-authenticated and Password-authenticated HSM partitions in an HA group, because the different authentication methods prevent them having the same cloning domain, which is required for HA synchronization.

2. Your Chrystoki.conf/crystoki.ini file should now have a new section:

VirtualToken = {
VirtualToken00Members = 65003001;
VirtualToken00SN = 742276409;
VirtualToken00Label = myHAgroup;
}  

CAUTION:  Never insert TAB characters into the crystoki.ini (Windows) or Chrystoki.conf (UNIX) file.

So far, we have an HA group with one member, which is the SafeNet PCIe HSM user partition from the original slot list. Next we would add additional HSM partitions (slots) to the group, to make it a true, functional HA group.

3. Use the hagroup addMember command to add another member to the HA group, that member being the SafeNet USB HSM user partition from the original list:

lunacm:> hagroup addMember -slot 5 -group myhagroup -password someuserpin
        Member 16302360890475 successfully added to group myhagroup. New group
        configuration is:

         HA Group Label:  myhagroup
        HA Group Number:  1349297122742
       HA Group Slot ID:  10
        Synchronization:  enabled
          Group Members:  349297122742, 16302360890475
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  349297122742                        parwithpso     alive
------  16302360890475                         myG5par     alive


        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)

Command Result : No Error

lunacm:>
 
                

4. Check Chrystoki.conf/crystoki.ini again. The VirtualToken section should now look like this:

VirtualToken = {
VirtualToken01Label = myhagroup;
VirtualToken01SN = 1349297122742;
VirtualToken01Members = 349297122742,16302360890475;
}
 

5. To extend the example, we can add one of the SafeNet Network HSM remote partitions to the group, again with command hagroup addMember:

 

lunacm:> hagroup addMember -slot 0 -group myhagroup -password someuserpin
        Member 16298193222735 successfully added to group myhagroup. New group
        configuration is:

         HA Group Label:  myhagroup
        HA Group Number:  1349297122742
       HA Group Slot ID:  10
        Synchronization:  enabled
          Group Members:  349297122742, 16302360890475, 16298193222735
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  349297122742                        parwithpso     alive
------  16302360890475                         myG5par     alive
------  16298193222735                    mylegacypar1     alive


        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)

Command Result : No Error

lunacm:>

 

6. Use the command hagroup synchronize -group <grouplabel> -password <password> -enable when you are ready to replicate data between/among all members of the HA group.

 

lunacm:> hagroup synchronize -group myhagroup -password someuserpin -enable

        HA Synchronization is already enabled

        No synchronization performed/needed.

Command Result : No Error

lunacm:>

 

If you have additional members to add, you might wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations. The 'synchronize' command replicates all objects on all partitions across all other partitions. As there are no objects on our newly created partitions yet, we do not need to run this command.

Note:  Do not use this command when recovering a group member that has failed (or was taken down for maintenance). Use the command hagroup recover -group <grouplabel>.

Verification Steps

7. We have the two physical slots on SafeNet HSM sa175 and SafeNet HSM sa172, and now a third virtual slot which points at both physical slots at once, via load balancing. To test your HA setup, run multitoken against slot 3:

./multitoken -mode rsasigver -key 1024 -slots 3,3,3,3,3,3,3,3,3,3,3,3

Note:  (Each of the “3”s in the above sample invokes one thread performing the selected signing operation.)

8. Verify that the network lights on both SafeNet Network HSM units are flashing. Verify that performance on multitoken is approximately 2400 signatures/second. Fewer than ten threads might be insufficient to exercise the SafeNet Enterprise HSMs fully. Therefore, experiment with additional threads until you see the expected performance.

If you are satisfied that your HA setup is working, then you can begin using your application against the HA "slot" label (which, in the example above, was "myhagroup").  If you have included more SafeNet HSM application Partitions in your HA group, then the virtual slot assignment will differ accordingly, but that doesn't matter to your application, because the application should be invoking the label, not a particular slot-number.
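An added example, not SafeNet code, that audits the VirtualToken section of Chrystoki.conf/crystoki.ini after the steps above: it flags TAB characters, unterminated entries, groups with fewer than two members, and members that differ from the serial numbers you recorded with partition show. The function names and sample text are constructed; the entry names follow the format shown in step 4.

```python
import re

ENTRY = re.compile(r"^VirtualToken(\d+)(Label|SN|Members)\s*=\s*(.*?)\s*(;?)$")

def parse_groups(conf_text):
    """Return ({index: {field: value}}, findings) for the VirtualToken section."""
    groups, findings, in_section = {}, [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if "\t" in raw:                      # the CAUTION above: no TABs in this file
            findings.append(f"line {no}: TAB character")
        line = raw.strip()
        if re.fullmatch(r"VirtualToken\s*=\s*\{", line):
            in_section = True
        elif line == "}":
            in_section = False
        elif in_section and line:
            m = ENTRY.match(line)
            if not m:
                findings.append(f"line {no}: unrecognised entry")
                continue
            idx, field, value, semi = m.groups()
            if not semi:
                findings.append(f"line {no}: entry not terminated with ';'")
            groups.setdefault(idx, {})[field] = value
    return groups, findings

def audit(conf_text, expected):
    """expected maps an HA group label to the set of member serials you recorded."""
    groups, findings = parse_groups(conf_text)
    for idx, g in sorted(groups.items()):
        name = g.get("Label", f"VirtualToken{idx}")
        findings += [f"{name}: no {f} entry"
                     for f in ("Label", "SN", "Members") if f not in g]
        members = [s.strip() for s in g.get("Members", "").split(",") if s.strip()]
        if len(members) < 2:
            findings.append(f"{name}: {len(members)} member(s), no redundancy")
        # Groups without an expectation are compared with themselves (no findings).
        for sn in sorted(set(members) ^ set(expected.get(name, members))):
            state = "unexpected" if sn in members else "absent"
            findings.append(f"{name}: {state} member {sn}")
    return findings

# Constructed samples; serial numbers are the ones from the example group above.
EXPECTED = {"myhagroup": {"349297122742", "16302360890475", "16298193222735"}}
GOOD = ("VirtualToken = {\n"
        "VirtualToken01Label = myhagroup;\n"
        "VirtualToken01SN = 1349297122742;\n"
        "VirtualToken01Members = 349297122742,16302360890475,16298193222735;\n"
        "}\n")
# BAD: TAB on line 2, missing ';' on line 3, only one member left in the group.
BAD = GOOD.replace("VirtualToken01Label", "\tVirtualToken01Label") \
          .replace("2742;\n", "2742\n").replace(",16302360890475,16298193222735", "")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit(text, EXPECTED))
```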

HA Standby Mode [optional]

If you wish to add an additional member that will be designated a standby member, and not a regular participant in the group, see Standby Members.