|
Home > |
Administration Guide > High-Availability (HA) Configuration and Operation > Managing and Troubleshooting Your HA Groups
|
|---|
You can use VTL and the LunaCM hagroup commands to monitor and manage your HA groups.
The client-side utility command "vtl listslot" or the LunaCM slot list command shows all detected slots, including HSM partitions on the primary HSM, partitions on connected external HSMs, and HA virtual slots. Here is an example:
bash-3.2# ./vtl listslot
Number of slots: 11
The following slots were found:
Slot # Description Label Serial # Status
slot #1 LunaNet Slot - - Not present
slot #2 LunaNet Slot sa76_p1 150518006 Present
slot #3 LunaNet Slot sa77_p1 150475010 Present
slot #4 LunaNet Slot G5179 700179008 Present
slot #5 LunaNet Slot pki1 700180008 Present
slot #6 LunaNet Slot CA4223 300223001 Present
slot #7 LunaNet Slot CA4129 300129001 Present
slot #8 HA Virtual Card Slot - - Not present
slot #9 HA Virtual Card Slot - - Not present
slot #10 HA Virtual Card Slot ha3 343610292 Present
slot #11 HA Virtual Card Slot G5_HA 1700179008 Present
Note: - The deploy/undeploy of a PKI device increments/decrements the SafeNet Network HSM client slot enumeration list (slots appear or disappear from the list, and the slot numbers adjust for the change). HA group virtual slots always appear toward the end of the list, following the physical slots. The actual slot number can vary based on the currently connected external HSMs (tokens, G5).
Due to the above behavior, we generally recommend that you run the lunacm:> haGroup haonly command, or the vtl haAdmin HAOnly enable command, so that only the HA slot is visible and any confusion or improper slot use is eliminated.
Use the “ntls show” command.
CA extension call “CA_GetHAState” lists all active devices. The LunaCM hagroup listgroup command also lists members.
If you create an object on your HA slot, and then duplicate that object in some fashion (for example, by Scalable Key Storage'ing [wrapping] it off and then back on again, or performing a backup/restore with the 'add' option), that object will be seen as only one object on the HA slot because HA uses the object's fingerprint to build an object list. Two objects will in fact exist on each of the physical slots and could be seen by a non-HA utility/query to the HSM.
There are TWO implications from this situation:
•One implication is that repeated duplication (perhaps an application that performs periodic backups, and restores using the 'add' option rather than 'replace') could cause the Partition to reach the maximum number of Partition objects while seemingly having fewer objects. If the system ever tells you that your Partition is full, but HA says otherwise, then use a tool like ckdemo that can view the "physical" slots directly (as opposed to the HA slot) on the HSM, and delete any objects that are unnecessary.
•A second implication is that the HA feature uses object fingerprints to match different instances of an object on different physical HSMs. This can result in error messages if your application does not properly create and destroy session objects, and perhaps creates an object identical to one which has been removed in a separate concurrent session. The problem is self-correcting, but the flurry of error messages could be worrying if you don't understand where they are coming from.