Managing and Troubleshooting Your HA Groups
You can use vtl and the LunaCM hagroup commands to monitor and manage your HA groups.
Slot Enumeration
The client-side utility command vtl listslot or the LunaCM slot list command shows all detected slots, including HSM partitions on the primary HSM, partitions on connected external HSMs, and HA virtual slots. Here is an example:
bash-3.2# ./vtl listslot
Number of slots: 11
The following slots were found:
Slot #     Description             Label     Serial #     Status
slot #1    LunaNet Slot            -         -            Not present
slot #2    LunaNet Slot            sa76_p1   150518006    Present
slot #3    LunaNet Slot            sa77_p1   150475010    Present
slot #4    LunaNet Slot            G5179     700179008    Present
slot #5    LunaNet Slot            pki1      700180008    Present
slot #6    LunaNet Slot            CA4223    300223001    Present
slot #7    LunaNet Slot            CA4129    300129001    Present
slot #8    HA Virtual Card Slot    -         -            Not present
slot #9    HA Virtual Card Slot    -         -            Not present
slot #10   HA Virtual Card Slot    ha3       343610292    Present
slot #11   HA Virtual Card Slot    G5_HA     1700179008   Present
NOTE - The deploy/undeploy of a PKI device increments/decrements the SafeNet Luna Network HSM client slot enumeration list (slots appear or disappear from the list, and the slot numbers adjust for the change). HA group virtual slots always appear toward the end of the list, following the physical slots. The actual slot number can vary based on the currently connected external HSMs (tokens, G5).
Due to the above behavior, we generally recommend that you run the lunacm:> haGroup haonly command so that only the HA slot is visible and any confusion or improper slot use is eliminated.
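As an added example (not code from the Luna documentation or client software), the following Python parses a vtl listslot listing of the shape shown above, resolves a partition by its label rather than by its slot number, and flags the condition the haonly recommendation addresses: physical member partitions still visible beside an HA virtual slot. The sample listing is constructed here, and the row pattern assumes labels and serials without spaces, as in the listing above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the vtl listslot output above (not a live capture).
SAMPLE_LISTSLOT = """\
Slot # Description Label Serial # Status
slot #1 LunaNet Slot - - Not present
slot #2 LunaNet Slot sa76_p1 150518006 Present
slot #3 LunaNet Slot sa77_p1 150475010 Present
slot #4 LunaNet Slot G5179 700179008 Present
slot #8 HA Virtual Card Slot - - Not present
slot #10 HA Virtual Card Slot ha3 343610292 Present
slot #11 HA Virtual Card Slot G5_HA 1700179008 Present
"""
# Row shape: "slot #N <description> <label> <serial> <status>"; labels and
# serials are assumed to contain no spaces, as in the listing above.
_ROW = re.compile(r"^slot #(\d+)\s+(.+?)\s+(\S+)\s+(\S+)\s+(Present|Not present)\s*$")

@dataclass
class Slot:
    number: int
    description: str
    label: str
    serial: str
    present: bool

    @property
    def is_ha(self) -> bool:
        return self.description.startswith("HA Virtual")

def parse_listslot(text: str) -> List[Slot]:
    """Parse listslot output into Slot records; header and count lines are skipped."""
    slots = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            num, desc, label, serial, status = m.groups()
            slots.append(Slot(int(num), desc, label, serial, status == "Present"))
    return slots

def find_slot_by_label(slots: List[Slot], label: str) -> Optional[Slot]:
    """Resolve by label: slot numbers shift as external HSMs are attached or removed."""
    return next((s for s in slots if s.present and s.label == label), None)

def haonly_recommended(slots: List[Slot]) -> bool:
    """True when an HA slot is present but physical member partitions remain visible."""
    physical = [s for s in slots if s.present and not s.is_ha]
    return bool(physical) and any(s.present and s.is_ha for s in slots)
```

An application that stores the HA label and resolves it at startup keeps working when a connected G5 or token changes the numbering; a True from haonly_recommended is the cue to set haonly on that client.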
Determining Which Device is in Use
Use the ntls show or stc status command.
Determining Which Devices are Active
CA extension call “CA_GetHAState” lists all active devices. The LunaCM hagroup listgroup command also lists members.
Duplicate Objects
If you create an object on your HA slot and then duplicate that object in some fashion (for example, by SIM'ing [wrapping] it off and then back on again, or by performing a backup/restore with the 'add' option), that object will be seen as only one object on the HA slot, because HA uses the object's fingerprint to build its object list. Two objects will in fact exist on each of the physical slots, and they could be seen by a non-HA utility or query to the HSM.
There are TWO implications from this situation:
- One implication is that repeated duplication (perhaps an application that performs periodic backups, and restores using the 'add' option rather than 'replace') could cause the partition to reach the maximum number of partition objects while seemingly having fewer objects. If the system ever tells you that your partition is full, but HA says otherwise, then use a tool like CKDemo that can view the "physical" slots directly (as opposed to the HA slot) on the HSM, and delete any objects that are unnecessary.
- A second implication is that the HA feature uses object fingerprints to match different instances of an object on different physical HSMs. This can result in error messages if your application does not properly create and destroy session objects, and perhaps creates an object identical to one which has been removed in a separate concurrent session. The problem is self-correcting, but the flurry of error messages could be worrying if you don't understand where they are coming from.
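To make the first implication concrete, here is an added model (not Luna code) of how the HA slot's fingerprint-based view diverges from what each physical partition actually holds. The member inventories, handle numbers, fingerprint strings and the object limit are all constructed here; on a real HSM the per-slot view comes from a tool such as CKDemo against the physical slots.

```python
from typing import Dict, List

# Constructed inventories: each physical HA member maps object handle -> fingerprint.
# Handles are per-member; a fingerprint identifies the same logical object everywhere.
# Both members carry extra copies left by repeated backup/restore with the 'add' option.
PHYSICAL_INVENTORY: Dict[str, Dict[int, str]] = {
    "sa76_p1": {1: "fp-aes-01", 2: "fp-rsa-02", 3: "fp-rsa-02"},
    "sa77_p1": {1: "fp-aes-01", 2: "fp-rsa-02", 3: "fp-rsa-02", 4: "fp-rsa-02"},
}

def ha_visible_objects(inventory: Dict[str, Dict[int, str]]) -> List[str]:
    """The HA slot's view: one entry per distinct fingerprint across all members."""
    return sorted({fp for objs in inventory.values() for fp in objs.values()})

def physical_usage(inventory: Dict[str, Dict[int, str]]) -> Dict[str, int]:
    """Objects actually stored on each physical partition, every duplicate counted."""
    return {member: len(objs) for member, objs in inventory.items()}

def duplicate_handles(inventory: Dict[str, Dict[int, str]]) -> Dict[str, List[int]]:
    """Per member, handles whose fingerprint is already held by a lower handle:
    the surplus copies a cleanup via the physical slot would remove."""
    result: Dict[str, List[int]] = {}
    for member, objs in inventory.items():
        seen = set()
        extras = []
        for handle, fp in sorted(objs.items()):
            if fp in seen:
                extras.append(handle)
            seen.add(fp)
        result[member] = extras
    return result

def capacity_mismatch(inventory: Dict[str, Dict[int, str]], max_objects: int) -> List[str]:
    """Members at their object limit while the HA slot reports fewer objects,
    i.e. the 'partition full but HA says otherwise' symptom."""
    ha_count = len(ha_visible_objects(inventory))
    return [m for m, used in physical_usage(inventory).items()
            if used >= max_objects and ha_count < used]
```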
Frequently Asked Questions
This section provides additional information by answering questions that are frequently asked by our customers.
Can we manage NTLS connections through a load balancer (like NetScaler, Barracuda, A10, etc.)?
No. NTLS will not work through a load balancer because it is an end-to-end TLS pipe between the client and the SafeNet Luna Network HSM.
We want to use a backup application server that would operate in standby mode until awakened by a failure of our primary application server. Can we use a virtual IP in the SafeNet Luna Network HSM setup, so that both primary and secondary are accepted for NTLS as the same client by SafeNet Luna Network HSM?
Yes. At the client, generate the client certificate with the command vtl createCert -n <any IP address, real or virtual>.
Both client computers must have the SafeNet Luna Network HSM appliance's server certificate in their client-side server-cert folders.
The SafeNet Luna Network HSM appliance must have the client certificate (built with the virtual IP address).
The following lines in the Chrystoki.conf file must also point to the same certificate and key file on the clustered application servers:
LunaSA Client = {
  ClientCertFile=\usr\LunaClient\cert\client\<your-cert-filename>.pem
  ClientPrivKeyFile=\usr\LunaClient\cert\client\<your-filename>Key.pem
}
Our application keeps the HSM full. Can we double the capacity by creating an HA group and having a second HSM?
No. HA provides redundancy and can increase performance, but not capacity. Every HSM in an HA group gets synchronized with the other member(s), which means that the content of any one HSM in an HA group must be a clone of the content of any other member of that group. So, with more HA group members, you get more copies, not more space.