For this section you need at least two SafeNet Network HSM appliances with PED Authentication, or two with Password Authentication. You may not use Password Authenticated SafeNet Network HSM and PED Authenticated SafeNet Network HSM simultaneously in an HA group.
Partitions that are to take part in an HA group do not need to be identical (see below for the example that mixes several differences), but they should have the same firmware version and generally similar Policy settings, to avoid conflicts. For example, you would not want to have a group with a mix of partitions, some with FIPS mode switched on and some with FIPS mode switched off, because a call for a non-FIPS-approved operation would fail on any member that is not allowed to perform that operation, and attempts to synchronize the contents of group members would fail to replicate objects that were not permitted on some members. The library is not aware of individual member settings; only whether the members are available when needed, or not.
Follow these steps to set up an HA group:
1. Perform the network setup on your two HA units (for a description of the standard procedure, see Configuring the SafeNet Appliance Network Settings in the Configuration Guide). For this example, the appliances are designated sa175 and sa172, and their HSMs have the same names, respectively.
2. Ensure that the Allow Cloning and Allow Network Replication policies are "On" in hsm showPolicies (and if not, set them with hsm setPolicy). If your HSMs do not have the cloning option, they will use the SIM or Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token.
3. Initialize the HSMs on your SafeNet Network HSM appliances (see About Initializing a Password-Authenticated HSM or Initializing a PED-Authenticated HSM in the Configuration Guide). They must have the same cloning domain; that is, they must share the same red domain PED Key if they are PED-authenticated, or they must share the same domain string if they are password-authenticated.
4. Create a partition on each SafeNet Network HSM. They need not have the same labels, but must have the same password. For this example, the Partitions are sa175legpar1 (on sa175) and sa172legpar1 (on sa172).
5. Use the partition changePw command to change the Partitions' passwords so that they match.
By making the client partition challenge password the same on both partitions (on both SafeNet Network HSM appliances), you allow your clients to use that one secret when addressing the virtual partition (which includes both real partitions).
6. Make a note of the serial number of each Partition created on each SafeNet Network HSM (use partition show). For this example:
– sa175 - sa175legpar1 - serial number 65003001 - password userpin
– sa172 - sa172legpar1 - serial number 65005001 - password userpin
7. [OPTION] Ensure that each Partition is Activated and AutoActivated (see About Activation and Auto-Activation; applies to SafeNet Network HSM with PED Authentication), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.
Proceed with normal client setup (see [Step 7] Create a Network Trust Link Between the Client and the Appliance in the Configuration Guide). Register your client computer with both SafeNet Enterprise HSMs (this example is using just two HSM appliances; obviously, you would configure and register however many HSM appliances you wish to use in your own situation).
• On sa175, assign sa175legpar1 to ClientX (you would replace "ClientX" with the actual name of your Client computer).
• On sa172, assign sa172legpar1 to ClientX as well (repeat if you have more SafeNet Enterprise HSMs and Partitions to include in the HA group).
At this point, you have completed a normal single-client, multiple HSM appliance setup.
Note: You must Activate individual HSM partitions directly and individually - you cannot perform Activation on a virtual HA partition.
In general, when an HA group is established, you (or your applications) can interact with the virtual partition to perform crypto operations, and the library decides which physical partitions are involved - based on load and other considerations - but administrative activities must be performed directly on individual physical HSM partitions.
Now proceed to create the HA group.
Note: Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have sufficient privileges.
After creating partitions
• on (at least) two SafeNet appliances, and setting up NTLS between those partitions and your client, or
• on two HSMs on the local host, or
• on a mix of local and remote application partitions,
use LunaCM to configure HA on your client.
For this example, assume:
• two local HSMs,
• two remote HSM appliances (one partition from each),
• a mix of PSO partitions and legacy partitions (not required, just mentioned so the slot list distribution is obvious, and to show that it is possible to mix; HA is not affected),
• a mix of firmware versions (illustrating that it is possible to mix f/w versions in HA, but remember that the group has the capabilities of the oldest firmware, not any newer),
• each partition has the same password/challenge secret (previously set by the command role changePW -oldpw <pw> -newpw <pw>, with the old and new partition challenge/password secrets specified in the command, to invoke changing the secondary credentials),
• each partition is activated (the partition has Policies 22 and 23 turned on, and an Owner/Crypto Officer (or Crypto User) authentication has been performed).
C:\Program Files\SafeNet\LunaClient>lunacm
LunaCM v15.11.16-135. Copyright (c) 2006-2016 SafeNet, Inc.

Available HSMs:

Slot Id ->              0
Label ->                mylegacypar1
Serial Number ->        16298193222735
Model ->                LunaSA 6.2.0
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              1
Label ->                mysapsopar1
Serial Number ->        16298193222734
Model ->                LunaSA 6.2.0
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              2
Tunnel Slot Id ->       4
Label ->                parwithpso
Serial Number ->        349297122742
Model ->                K6 Base
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              3
Tunnel Slot Id ->       4
Label ->                mypcie6
Serial Number ->        150022
Model ->                K6 Base
Firmware Version ->     6.24.0
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PED)
HSM Status ->           OK

Slot Id ->              5
Label ->                myG5par
Serial Number ->        16302360890475
Model ->                G5Base
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              6
Label ->                SafeG5
Serial Number ->        7001812
Model ->                G5Base
Firmware Version ->     6.22.0
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PED)
HSM Status ->           OK

Current Slot Id: 0

Command Result : No Error

lunacm:>
1. Use the hagroup createGroup command to create the HA group with one member.
lunacm:> hagroup createGroup -serialNumber 349297122742 -label myhagroup -p someuserpin

New group with label "myhagroup" created with group number 1349297122742.
Group configuration is:

       HA Group Label:  myhagroup
      HA Group Number:  1349297122742
     HA Group Slot ID:  Not Available
      Synchronization:  enabled
        Group Members:  349297122742
           Needs sync:  no
      Standby Members:  <none>

Slot #    Member S/N      Member Label    Status
======    ==========      ============    ======
------    349297122742    parwithpso      alive

Command Result : No Error

LunaCM v15.11.16-135. Copyright (c) 2006-2015 SafeNet, Inc.

Available HSMs:

Slot Id ->              0
Label ->                mylegacypar1
Serial Number ->        16298193222735
Model ->                LunaSA 6.2.0
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              1
Label ->                mysapsopar1
Serial Number ->        16298193222734
Model ->                LunaSA 6.2.0
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     Net Token Slot

Slot Id ->              2
Tunnel Slot Id ->       4
Label ->                parwithpso
Serial Number ->        349297122742
Model ->                K6 Base
Firmware Version ->     6.24.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              3
Tunnel Slot Id ->       4
Label ->                mypcie6
Serial Number ->        150022
Model ->                K6 Base
Firmware Version ->     6.24.0
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PED)
HSM Status ->           OK

Slot Id ->              5
Label ->                myG5par
Serial Number ->        16302360890475
Model ->                G5Base
Firmware Version ->     6.22.0
Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              6
Label ->                SafeG5
Serial Number ->        7001812
Model ->                G5Base
Firmware Version ->     6.22.0
Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PED)
HSM Status ->           OK

Slot Id ->              10
HSM Label ->            myhagroup
HSM Serial Number ->    1349297122742
HSM Model ->            LunaVirtual
HSM Firmware Version -> 6.24.0
HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
HSM Status ->           N/A - HA Group

Current Slot Id: 0

lunacm:>
Note: For PED-authenticated HSMs, have a SafeNet PED connected, the partition already activated, and provide the partition challenge secret as the password (must be the same for all members). For Password-authenticated HSMs, the partition password is the challenge, and must be common to all members.
The group is represented by the virtual partition, which must have the same authentication.
Note: You cannot mix PED-authenticated and Password-authenticated HSM partitions in an HA group, because the different authentication methods prevent them having the same cloning domain, which is required for HA synchronization.
2. Your Chrystoki.conf/crystoki.ini file should now have a new section:
VirtualToken = {
   VirtualToken00Members = 65003001;
   VirtualToken00SN = 742276409;
   VirtualToken00Label = myHAgroup;
}
CAUTION: Never insert TAB characters into the crystoki.ini (Windows) or Chrystoki.conf (UNIX) file.
So far, we have an HA group with one member, which is the SafeNet PCIe HSM user partition from the original slot list. Next we would add additional HSM partitions (slots) to the group, to make it a true, functional HA group.
3. Use the hagroup addMember command to add another member to the HA group, that member being the SafeNet USB HSM user partition from the original list:
lunacm:> hagroup addMember -slot 5 -group myhagroup -password someuserpin

Member 16302360890475 successfully added to group myhagroup.
New group configuration is:

       HA Group Label:  myhagroup
      HA Group Number:  1349297122742
     HA Group Slot ID:  10
      Synchronization:  enabled
        Group Members:  349297122742, 16302360890475
           Needs sync:  no
      Standby Members:  <none>

Slot #    Member S/N      Member Label    Status
======    ==========      ============    ======
------    349297122742    parwithpso      alive
------    16302360890475  myG5par         alive

Please use the command "ha synchronize" when you are ready to replicate data between all members of the HA group.
(If you have additional members to add, you may wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations.)

Command Result : No Error

lunacm:>
4. Check Chrystoki.conf/crystoki.ini again; the VirtualToken section should now look like this:
VirtualToken = {
   VirtualToken01Label = myhagroup;
   VirtualToken01SN = 1349297122742;
   VirtualToken01Members = 349297122742,16302360890475;
}
5. To extend the example, we can add one of the SafeNet Network HSM remote partitions to the group, again with the command hagroup addMember:
lunacm:> hagroup addMember -slot 0 -group myhagroup -password someuserpin

Member 16298193222735 successfully added to group myhagroup.
New group configuration is:

       HA Group Label:  myhagroup
      HA Group Number:  1349297122742
     HA Group Slot ID:  10
      Synchronization:  enabled
        Group Members:  349297122742, 16302360890475, 16298193222735
           Needs sync:  no
      Standby Members:  <none>

Slot #    Member S/N      Member Label    Status
======    ==========      ============    ======
------    349297122742    parwithpso      alive
------    16302360890475  myG5par         alive
------    16298193222735  mylegacypar1    alive

Please use the command "ha synchronize" when you are ready to replicate data between all members of the HA group.
(If you have additional members to add, you may wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations.)

Command Result : No Error

lunacm:>
6. Use the command hagroup synchronize -group <grouplabel> -password <password> -enable when you are ready to replicate data between/among all members of the HA group.
lunacm:> hagroup synchronize -group myhagroup -password someuserpin -enable

HA Synchronization is already enabled
No synchronization performed/needed.

Command Result : No Error

lunacm:>
If you have additional members to add, you might wish to wait until you have added them before synchronizing to save time by avoiding multiple synchronizations. The 'synchronize' command replicates all objects on all partitions across all other partitions. As there are no objects on our newly created partitions yet, we do not need to run this command.
Note: Do not use this command when recovering a group member that has failed (or was taken down for maintenance). Use the command hagroup recover -group <grouplabel>.
7. We have the two physical slots on SafeNet HSM sa175 and SafeNet HSM sa172, and now a third virtual slot which points at both physical slots at once, via load balancing. To test your HA setup, run multitoken against slot 3:
./multitoken -mode rsasigver -key 1024 -slots 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3
Note: (Each of the “3”s in the above sample invokes one thread performing the selected signing operation.)
8. Verify that the network lights on both SafeNet Network HSM units are flashing. Verify that performance on multitoken is approximately 2400 signatures/second. Fewer than ten threads might be insufficient to exercise the SafeNet Enterprise HSMs fully. Therefore, experiment with additional threads until you see the expected performance.
If you are satisfied that your HA setup is working, then you can begin using your application against the HA "slot" label (which, in the example above, was "myhagroup"). If you have included more SafeNet HSM application Partitions in your HA group, then the virtual slot assignment will differ accordingly, but that doesn't matter to your application, because the application should be invoking the label, not a particular slot-number.
If you wish to add an additional member that will be designated a standby member, and not a regular participant in the group, see Standby Members.
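As an added preflight check (example code written for this page, not part of the SafeNet documentation or of LunaCM itself), the script below parses a constructed, trimmed copy of the lunacm "Available HSMs" listing shown above and checks a proposed member list against the constraints stated in this procedure: every serial must be an application (not Admin) partition present in the list, all members must share one authentication type, and the group's capability is that of the oldest firmware. The field names are those of the listing; "(PED)" is the only authentication marker that appears on this page, so any other parenthesised token is treated as a different authentication type.

```python
import re
# Constructed sample: a trimmed copy of the lunacm "Available HSMs" listing shown on this page.
SLOT_LISTING = """
Slot Id -> 2
Serial Number -> 349297122742
Firmware Version -> 6.24.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
Slot Id -> 3
Serial Number -> 150022
Firmware Version -> 6.24.0
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Id -> 5
Serial Number -> 16302360890475
Firmware Version -> 6.22.0
Configuration -> Luna User Partition With SO (PED) Signing With Cloning Mode
"""

def parse_slots(text):
    """One dict per 'Slot Id ->' block; each 'Field -> value' line becomes a key."""
    slots = []
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*->\s*(.+?)\s*$", line)
        if m and m.group(1) == "Slot Id":
            slots.append({})
        if m and slots:
            slots[-1][m.group(1)] = m.group(2)
    return slots

def check_ha_members(slots, member_serials):
    """Return (problems, oldest_firmware) for a proposed HA membership."""
    by_serial = {s["Serial Number"]: s for s in slots}
    problems, members = [], []
    for sn in member_serials:
        s = by_serial.get(sn)
        if s is None:
            problems.append(f"{sn}: serial not in slot list")
        elif "Admin Partition" in s["Configuration"]:
            problems.append(f"{sn}: admin partition, not an application partition")
        else:
            members.append(s)
    # The parenthesised token ("(PED)" throughout this page's listing) marks the authentication
    # type; members must share it, as PED and password partitions cannot share a cloning domain.
    auths = {re.search(r"\((\w+)\)", s["Configuration"]).group(1) for s in members}
    if len(auths) > 1:
        problems.append("mixed authentication types: " + ", ".join(sorted(auths)))
    # Firmware versions may differ, but the group only has the capabilities of the oldest one.
    versions = [tuple(map(int, s["Firmware Version"].split("."))) for s in members]
    oldest = ".".join(map(str, min(versions))) if versions else None
    return problems, oldest
```

Run it against the real listing by pasting the output of lunacm's slot list into SLOT_LISTING and the serials you intend to pass to hagroup createGroup/addMember into check_ha_members.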