Configuring HA
To create an HA group, you need at least two SafeNet Luna Network HSMs with PED Authentication, or two with Password Authentication. You cannot use Password-Authenticated and PED-Authenticated SafeNet Luna Network HSMs simultaneously in an HA group. This section describes how to set up an HA group with partitions on different HSMs. It consists of the following major steps:
Prerequisites
You must complete these procedures before setting up an HA group. The prerequisite steps are divided into tasks performed by different roles.
HSM SO Prerequisites
1. Perform the network setup on two or more SafeNet Luna Network HSM appliances (see Configure the SafeNet Luna Network HSM for Your Network in the Configuration Guide).
2. Ensure that HSM policies 7: Allow Cloning and 16: Allow Network Replication are "on" (see Set the HSM Policies in the Configuration Guide). If your HSMs do not have the cloning option, they use the Key Export functionality to back up to (and restore from) a file, rather than a hardware Backup token.
3. Initialize the HSMs (see HSM Initialization in the Configuration Guide).
4. Create a partition on each SafeNet Luna Network HSM. They do not need to have the same label.
5. Allow one or more clients to access the partitions using NTLS or STC links (see Enable the Client to Access a Partition in the Configuration Guide).
Partition SO Prerequisites
1. Ensure that all the partitions to be included in the HA group are visible in LunaCM.
2. Initialize all the partitions to be included in the HA group (see Configure Application Partitions in the Configuration Guide). The partitions do not need to have the same label, but they must be initialized with the same cloning domain:
• PED-authenticated HSMs must share the same red domain PED key
• Password-authenticated partitions must share the same domain string
In this example, the partitions have been initialized as HApartition00 (SN 154438865297) and HApartition01 (SN 1238700701520).
3. [OPTIONAL] If you are setting up a PED-authenticated HA group, ensure that each partition is Activated and AutoActivated (see Activation and Auto-Activation on PED-Authenticated Partitions), so that it can retain/resume its "Activate" (persistent login) state through any brief power failure or other interruption.
4. Initialize the Crypto Officer role on all the partitions.
role init -name co
Crypto Officer Prerequisites
1. Log in to each partition as Crypto Officer and change the initial primary credential (password or black PED key). Use the same Crypto Officer credential for each partition to be included in the HA group.
role login -name co
role changepw -name co
2. If you are setting up a PED-authenticated HA group, change the initial secondary credential (challenge password). Use the same challenge password for each partition to be included in the HA group.
role login -name co
role changepw -name co -oldpw <old_challenge> -newpw <new_challenge>
Create the HA Group
NOTE Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have sufficient privileges.
After satisfying the prerequisites, use LunaCM to create an HA group on your client, and add member partitions. This procedure is completed by the Crypto Officer.
1. Use the hagroup creategroup command to create a new HA group on the client, which requires:
• a label for the group (do NOT call the group just "HA").
• the serial number or the slot number of the primary partition.
• the Crypto Officer password for the partition.
hagroup creategroup -label <label> {-slot <slotnum> | -serialnumber <serialnum>}
LunaCM generates and assigns a serial number to the group itself.
For example:
lunacm:> hagroup creategroup -slot 0 -label myHAgroup
Enter the password: ********
New group with label "myHAgroup" created with group number 1154438865297.
Group configuration is:
HA Group Label: myHAgroup
HA Group Number: 1154438865297
HA Group Slot ID: Not Available
Synchronization: enabled
Group Members: 154438865297
Needs sync: no
Standby Members: <none>
Slot # Member S/N Member Label Status
====== ========== ============ ======
0 154438865297 HApartition00 alive
Command Result : No Error
LunaCM v7.0.0. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id -> 0
Label -> HApartition00
Serial Number -> 154438865297
Model -> LunaSA 7.0.0
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label -> HApartition01
Serial Number -> 1238700701520
Model -> LunaSA 7.0.0
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 5
HSM Label -> myHAgroup
HSM Serial Number -> 1154438865297
HSM Model -> LunaVirtual
HSM Firmware Version -> 7.0.1
HSM Configuration -> Luna Virtual HSM (PW) Signing With Cloning Mode
HSM Status -> N/A - HA Group
Current Slot Id: 0
NOTE The example above was generated using Password-authenticated SafeNet Luna Network HSMs. For PED-authenticated HSMs, have a Luna PED connected, the partition already activated, and provide the partition challenge secret as the password (must be the same for all members).
2. Your chrystoki.conf/crystoki.ini file should now have a new section:
[VirtualToken]
VirtualToken00Label=myHAgroup
VirtualToken00SN=1154438865297
VirtualToken00Members=154438865297
CAUTION! Never insert TAB characters into the crystoki.ini (Windows) or Chrystoki.conf (Linux/UNIX) file.
3. Add another partition to the HA group (HApartition01 on sa40).
hagroup addmember -group <grouplabel> {-slot <slotnum> | -serialnumber <serialnum>}
For example:
lunacm:> hagroup addmember -group myHAgroup -slot 1
Enter the password: ********
Member 1238700701520 successfully added to group myHAgroup. New group
configuration is:
HA Group Label: myHAgroup
HA Group Number: 1154438865297
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 154438865297, 1238700701520
Needs sync: no
Standby Members: <none>
Slot # Member S/N Member Label Status
====== ========== ============ ======
0 154438865297 HApartition00 alive
1 1238700701520 HApartition01 alive
Please use the command "ha synchronize" when you are ready
to replicate data between all members of the HA group.
(If you have additional members to add, you may wish to wait
until you have added them before synchronizing to save time by
avoiding multiple synchronizations.)
Command Result : No Error
4. Check Chrystoki.conf/crystoki.ini again; the VirtualToken section should now look like this:
[VirtualToken]
VirtualToken00Label=myHAgroup
VirtualToken00SN=1154438865297
VirtualToken00Members=154438865297,1238700701520
5. Use the following command when you are ready to replicate data between/among all members of the HA group.
hagroup synchronize -group <grouplabel>
If you have additional members to add to the group, do this first to save time by avoiding multiple synchronizations. The 'synchronize' command replicates all objects on all partitions across all other partitions. As there are no objects on our newly-created partitions yet, we do not need to run this command.
NOTE Do not use this command when recovering a group member that has failed (or was taken down for maintenance). Use the command hagroup recover -group <grouplabel>.
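The checks in steps 2 and 4 (and the TAB caution) can be scripted. The following is an added example, not part of the Luna client or this guide: it parses the [VirtualToken] section in the INI-style layout shown above, rejects a file containing TAB characters, and compares the configured member serial numbers against the partitions you intended to add. The sample configuration text and the [Misc] section in it are constructed for the example.

```python
import re

# Constructed [VirtualToken] section (INI layout as shown above); the [Misc] section is there only to show it is skipped.
SAMPLE_CONF = """\
[Misc]
ToolsDir=/usr/safenet/lunaclient/bin
[VirtualToken]
VirtualToken00Label=myHAgroup
VirtualToken00SN=1154438865297
VirtualToken00Members=154438865297,1238700701520
"""

def parse_virtual_tokens(conf_text):
    """Return {index: {'Label': ..., 'SN': ..., 'Members': [...]}} parsed from
    the [VirtualToken] section; raises ValueError if the file contains a TAB."""
    if "\t" in conf_text:
        raise ValueError("TAB character found in configuration file")
    groups, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[virtualtoken]"
            continue
        m = re.match(r"VirtualToken(\d\d)(Label|SN|Members)=(.*)$", line)
        if not (in_section and m):
            continue
        entry = groups.setdefault(int(m.group(1)), {})
        if m.group(2) == "Members":
            entry["Members"] = [s.strip() for s in m.group(3).split(",") if s.strip()]
        else:
            entry[m.group(2)] = m.group(3).strip()
    return groups

def check_group(entry, expected_members, min_members=2):
    """List problems with one VirtualToken entry; an empty list means it matches."""
    problems = []
    label = entry.get("Label", "")
    if not label or label.upper() == "HA":
        problems.append("group label missing or is just 'HA'")
    if not entry.get("SN", "").isdigit():
        problems.append("group serial number missing or not numeric")
    members = entry.get("Members", [])
    if len(members) < min_members:
        problems.append("fewer than %d members configured" % min_members)
    if set(members) != set(expected_members):
        problems.append("members %s do not match expected %s" % (members, sorted(expected_members)))
    return problems
```

Run check_group against the real file after each hagroup addmember to confirm the member list grew as expected before you synchronize.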
Verification
In LunaCM, we now have three slots available: two physical slots (a partition on each HSM) and a third virtual slot that points at both physical slots at once, via load balancing. To test your HA setup, perform the following steps:
1. Exit LunaCM and run multitoken against the HA group slot number (slot 5 in the example) to create some objects on the HA group partitions.
./multitoken -mode rsakeygen -key 4096 -nodestroy -slots 5
You can hit "Enter" at any time to stop the process before the partitions fill up completely. Any number of created objects will be sufficient to show that the HA group is functioning.
2. Run LunaCM and use partition showinfo on the two physical slots. Check the object count under "Partition Storage":
Current Slot Id: 0
lunacm:> partition showinfo
...(clip)...
Partition Storage:
Total Storage Space: 325896
Used Storage Space: 9480
Free Storage Space: 316416
Object Count: 206
Overhead: 9648
Command Result : No Error
lunacm:> slot set slot 1
Current Slot Id: 1 (Luna User Slot 7.0.1 (PW) Signing With Cloning Mode)
Command Result : No Error
lunacm:> partition showinfo
...(clip)...
Partition Storage:
Total Storage Space: 325896
Used Storage Space: 9480
Free Storage Space: 316416
Object Count: 206
Overhead: 9648
Command Result : No Error
3. To remove the test objects, log in to the HA virtual slot and clear the virtual partition.
slot set slot 5
partition login
partition clear
If you are satisfied that your HA setup is working, you can begin using your application against the HA virtual slot ("myHAgroup" in the example). The virtual slot assignment will change depending on how many more application partitions are added to your client configuration. This will not matter to your application, which invokes the HA group label, not a particular slot number.
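The comparison in step 2 of the verification can also be automated. The following is an added example, not part of LunaCM or this guide: it reads a saved LunaCM transcript, collects the Partition Storage figures for each physical slot by tracking the "Current Slot Id" lines, and reports if the members' object counts disagree or a slot's used and free space do not add up to its total. The transcript below is constructed from the figures in the example above, not captured from an appliance.

```python
import re

# Constructed LunaCM transcript of "partition showinfo" on the two physical
# member slots, trimmed to the Partition Storage block (figures from the example above).
SAMPLE_SESSION = """\
Current Slot Id: 0
lunacm:> partition showinfo
Partition Storage:
Total Storage Space: 325896
Used Storage Space: 9480
Free Storage Space: 316416
Object Count: 206
Overhead: 9648
Current Slot Id: 1 (Luna User Slot 7.0.1 (PW) Signing With Cloning Mode)
lunacm:> partition showinfo
Partition Storage:
Total Storage Space: 325896
Used Storage Space: 9480
Free Storage Space: 316416
Object Count: 206
Overhead: 9648
"""

def parse_storage_by_slot(session_text):
    """Map slot id -> {'Object Count': 206, 'Used Storage Space': 9480, ...}
    by tracking the 'Current Slot Id' lines in a LunaCM transcript."""
    slots, current = {}, None
    for line in session_text.splitlines():
        m = re.match(r"Current Slot Id:\s*(\d+)", line)
        if m:
            current = int(m.group(1))
        elif current is not None:
            m = re.match(r"([A-Za-z ]+):\s*(\d+)\s*$", line)
            if m:
                slots.setdefault(current, {})[m.group(1).strip()] = int(m.group(2))
    return slots

def replication_problems(slots):
    """Return findings; an empty list means members agree and the figures add up."""
    findings = []
    for sid, s in slots.items():
        if s.get("Used Storage Space", 0) + s.get("Free Storage Space", 0) != s.get("Total Storage Space"):
            findings.append("slot %d: used + free does not equal total" % sid)
    counts = {s.get("Object Count") for s in slots.values()}
    if len(slots) < 2:
        findings.append("fewer than two member slots in transcript")
    elif len(counts) != 1:
        findings.append("object counts differ across members: %s" % sorted(counts, key=str))
    return findings
```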
HA Standby Mode [Optional]
If you wish to add an additional partition that will be designated a standby member, and not a regular participant in the group, see Standby Members.