Adding, Removing, Replacing, or Reconnecting HA Group Members

This section describes how to add a new member to an HA group, reconnect an offline member, or replace a failed unit.

Adding or Removing an HA Group Member

Use the following LunaCM commands to add a normal or standby member to an HA group, or to remove one from it:

>hagroup addmember

>hagroup addstandby

>hagroup removemember

>hagroup removestandby

See hagroup in the LunaCM Command Reference Guide for detailed descriptions and syntax for each hagroup command.

NOTE   You must restart the application to have the added or removed member recognized.

Reconnecting an Offline Unit

In HA mode, if an HSM appliance goes offline or drops out (because of a failure, maintenance, or some other reason), the application load is spread over the remaining members of the HA group. When the appliance is restarted, the application does not need to be stopped and restarted before the re-introduced appliance can be used. For the unit that was withdrawn (or for a replacement unit), if it was powered off for more than a short outage, you must re-activate its partitions before they can be re-included in the HA group.

The following reconnection scenarios are available:

To recover the same group member

1. Restart the failed member and verify that it has started properly.

2. Do not perform a manual re-synchronization between the members. Instead, use the following LunaCM command:

hagroup recover -group <group_name>

Replacing a Failed SafeNet Luna Network HSM

Before covering how to replace an HSM in an HA group, this section describes the system conditions and settings that put a SafeNet Luna Network HSM in an authenticated relationship with a client computer: specifically the client-side configuration file and the client's certificate folder, first in ordinary single-appliance mode and then in HA. It assumes you have already set up the SafeNet Luna Network HSM as described in the configuration manual, including network setup and creation of the appliance-side certificate (see "Generate a New HSM Server Certificate").

Chrystoki.ini before client-side certificate creation
[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\ClientNameCert.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\ClientNameKey.pem

[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000

[CardReader]
RemoteCommand=1


1. Create the client-side certificate and private key (see vtl createCert in the Utilities Reference Guide).

Generated client certificates

Chrystoki.ini after client-side certificate creation

[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20Key.pem


2. Copy the SafeNet Luna Network HSM's server.pem to the client.

NOTE   At this point there are still no certificates in the cert\server directory.

3. Use vtl addserver to register the SafeNet Luna Network HSM with the client.

CAFile.pem is generated in the cert\server directory.

Cert\server directory after CAFile.pem is generated

Chrystoki.ini after vtl addserver

[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20Key.pem
ServerName00=20.1.1.20
ServerPort00=1792


vtl verify results

C:\Program Files\SafeNet\LunaClient>vtl verify

The following SafeNet Luna Network HSM Slots/Partitions were found:

Slot	Serial # 	Label
====	========	=====
1	154702010	p1

C:\Program Files\SafeNet\LunaClient>     

Replace a SafeNet Luna Network HSM Using the Same IP Address

For an existing HA group, bring in a replacement SafeNet Luna Network HSM as follows.

1. Change the IP address of the new appliance to match the one that was removed.

2. Regenerate the server certificate on the new SafeNet Luna Network HSM (sysconf regenCert in LunaSH), then restart the NTLS service so that it presents the new certificate.

NOTE   vtl verify on the client would fail at this point because the certificate the client holds is for the old, removed SafeNet Luna Network HSM. The IP address matches but the server certificate does not, and the client correctly refuses the connection.

3. Execute vtl deleteserver -n <original IP>

Deleting old SafeNet Luna Network HSM from Client

C:\Program Files\SafeNet\LunaClient>vtl listservers
Server: 20.1.1.20

C:\Program Files\SafeNet\LunaClient>vtl deleteserver -n 20.1.1.20
Server: 20.1.1.20 successfully removed from server list.

C:\Program Files\SafeNet\LunaClient>
 

Contents of cert\server after vtl deleteserver (CAFile.pem has been deleted)

4. Copy the new server.pem to the client.

Copying new server.pem to client

C:\Program Files\SafeNet\LunaClient>pscp admin@20.1.1.20:server.pem . 
admin@20.1.1.20's password:  
server.pem		| 1 kB | 1.1 kB/s | ETA: 00:00:00 | 100%
 

5. Run vtl addserver using the new server.pem.

vtl addserver using new server.pem

C:\Program Files\SafeNet\LunaClient>vtl addserver -n 20.1.1.20 -c server.pem
New server: 20.1.1.20 successfully added to server list.
 

6. Run vtl verify.

vtl verify results

C:\Program Files\SafeNet\LunaClient>vtl verify

The following SafeNet Luna Network HSM Slots/Partitions were found:

Slot	Serial # 	Label
====	========	=====
1	154702010	p1   

Summary

If a SafeNet Luna Network HSM must be replaced, the old IP address can be reused, but the appliance's server certificate must be regenerated. The IP address must be removed from the server list on the client and then added back using the new server.pem.

Client side requirements review:

>Use vtl deleteserver to remove IP from list and delete CAFile.pem from cert\server.

>Copy new server.pem to client

>Use vtl addserver to re-add IP and create CAFile.pem.

Client-side - Reconfigure HA If a SafeNet Luna Network HSM Must Be Replaced

1. Note the HA partition serial numbers (each partition occupies its own slot).

C:\Program Files\SafeNet\LunaClient>vtl verify
The following SafeNet Luna Network HSM Slots/Partitions were found:
Slot	Serial # 	Label
====	========	=====
1	154702011	HA1
2	154702012	HA2

 

2. Create the group with hagroup creategroup -serialnumber <primary_serial> -label <group_label> -password <password> in LunaCM. The serial number given here becomes the primary member; in this example the group is created with HA1 as the primary.

lunacm:>hagroup creategroup -serialnumber 154702011 -label SomeHAGrp -password PassWd
 
Command Result: No Error

Chrystoki.ini after the HA group is created

[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20Key.pem
ServerName00=20.1.1.20
ServerPort00=1792

[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000

[CardReader]
RemoteCommand=1   

[VirtualToken]   
VirtualToken00Label=SomeHAGrp  
VirtualToken00SN=1154702011   
VirtualToken00Members=154702011 

[HASynchronize]   
SomeHAGrp=1  
 

3. Add a secondary SafeNet Luna Network HSM partition to the HA group with hagroup addmember -serialnumber <serial> -group <group_label> -password <password> in LunaCM.

lunacm:> hagroup addmember -serialnumber 154702012 -group SomeHAGrp -password PassWd
 
Command Result: No Error

Chrystoki.ini after the second HA member is added

[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20Key.pem
ServerName00=20.1.1.20
ServerPort00=1792

[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000

[CardReader]
RemoteCommand=1   

[VirtualToken]   
VirtualToken00Label=SomeHAGrp  
VirtualToken00SN=1154702011   
VirtualToken00Members=154702011, 154702012  

[HASynchronize]   
SomeHAGrp=1   
   

Chrystoki.ini after HA Only mode is enabled (hagroup haonly -enable)

[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20Key.pem
ServerName00=20.1.1.20
ServerPort00=1792

[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000

[CardReader]
RemoteCommand=1   

[VirtualToken]   
VirtualToken00Label=SomeHAGrp  
VirtualToken00SN=1154702011   
VirtualToken00Members=154702011, 154702012  

[HASynchronize]   
SomeHAGrp=1   

[HAConfiguration]   
HAOnly=1 
 

Chrystoki.ini after auto recovery is enabled (hagroup retry sets reconnAtt, the maximum number of recovery attempts)

[Chrystoki2]
LibNT=C:\Program Files\SafeNet\LunaClient\cryptoki.dll

[LunaSA Client]
SSLConfigFile=C:\Program Files\SafeNet\LunaClient\openssl.cnf
ReceiveTimeout=20000
NetClient=1
ServerCAFile=C:\Program Files\SafeNet\LunaClient\cert\server\CAFile.pem
ClientCertFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20.pem
ClientPrivKeyFile=C:\Program Files\SafeNet\LunaClient\cert\client\20.1.1.20Key.pem
ServerName00=20.1.1.20
ServerPort00=1792

[Luna]
DefaultTimeOut=500000
PEDTimeout1=100000
PEDTimeout2=200000
PEDTimeout3=10000

[CardReader]
RemoteCommand=1   

[VirtualToken]   
VirtualToken00Label=SomeHAGrp  
VirtualToken00SN=1154702011   
VirtualToken00Members=154702011, 154702012  

[HASynchronize]   
SomeHAGrp=1   

[HAConfiguration]   
HAOnly=1 
reconnAtt=500    
   

4. Show the HA configuration with hagroup listgroups in LunaCM:

lunacm:> hagroup listgroups
 
If you would like to see synchronization data for group SomeHAGrp,
please enter the password for the group members. Sync info
not available in HA Only mode.
 
Enter the password: *******
 
HA auto recovery: disabled
HA recovery mode: activeBasic
Maximum auto recovery retry: 0
Auto recovery poll interval: 65 seconds
HA logging: enabled
HA log file: /luna_ha_temp/haErrorLog.txt
Maximum HA log file length: 300000 bytes
Only Show HA Slots: no
 
HA Group Label: SomeHAGrp
HA Group Number: 1364882803566
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 154702011, 154702012
Needs sync: no
Standby Members: <none>
Slot #  Member S/N Member Label Status
======  ========== ============ ======
0        154702011         HA1  alive
1        154702012         HA2  alive
 
Command Result : No Error

 

Replacing the Secondary HA Group Member

When the SafeNet Luna Network HSM to be replaced is a secondary member of the HA group, the process is similar to the above: remove the secondary from the HA group with hagroup removemember and re-add it with hagroup addmember, using the new partition serial number. It is not necessary to delete and recreate the group. The replacement partition must be visible to the client (listed by vtl verify) before it can be added, and, as noted above, the application must be restarted for the changed membership to be recognized.

As in the single-appliance case, the old IP address can be reused, but the replacement appliance's server certificate must be regenerated, and the IP address must be removed from the server list on the client and added back using the new server.pem received from the replacement SafeNet Luna Network HSM.

If the SafeNet Luna Network HSM being replaced is the primary, you must delete the HA group and recreate it using the new primary partition's serial number, then add the original secondary partition's serial number. The certificate from the original secondary is already in place on the client, and no change to it is needed.
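The two paths above (remove/add for a secondary, delete/recreate for the primary) depend on which member disappeared, which the [VirtualToken] section and vtl verify together reveal. The following script is an added example, not SafeNet/Thales code, that reads the group definition from Chrystoki.ini, compares it with the partition serials the client currently sees, and emits the LunaCM hagroup commands the page prescribes. The ini text, the serial 154702013 and the plan_replacement helper are constructed for the example; the flag sets used for hagroup removemember and hagroup deletegroup are assumed to mirror the addmember/creategroup syntax shown on this page, so confirm them against the LunaCM Command Reference Guide before pasting.

```python
"""Choose the HA re-formation path after an appliance in the group is replaced.
Added example, not SafeNet/Thales code; stdlib only."""
import configparser
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Constructed from the page's [VirtualToken] section.
SAMPLE_INI = """
[VirtualToken]
VirtualToken00Label=SomeHAGrp
VirtualToken00SN=1154702011
VirtualToken00Members=154702011, 154702012

[HASynchronize]
SomeHAGrp=1
"""


@dataclass
class HaPlan:
    group: str
    primary: str
    missing: List[str]          # members the client can no longer see
    unassigned: List[str]       # visible partitions that belong to no group
    commands: List[str] = field(default_factory=list)
    sn_ok: bool = True          # group SN == "1" + primary serial, as on the page


def ha_groups(ini_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """label -> (virtual slot SN, member serials in the order they were added)."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case
    cfg.read_string(ini_text)
    vt = cfg["VirtualToken"]
    groups: Dict[str, Tuple[str, List[str]]] = {}
    for key, label in vt.items():
        if key.startswith("VirtualToken") and key.endswith("Label"):
            idx = key[len("VirtualToken"):-len("Label")]
            raw = vt[f"VirtualToken{idx}Members"]
            members = [m.strip() for m in raw.split(",") if m.strip()]
            groups[label] = (vt[f"VirtualToken{idx}SN"], members)
    return groups


def plan_replacement(ini_text: str, visible_serials: Iterable[str], group_label: str,
                     password: str = "<group_password>") -> HaPlan:
    """Work out which hagroup commands re-form `group_label` after a member was swapped."""
    sn, members = ha_groups(ini_text)[group_label]
    primary = members[0]  # the creategroup serial is listed first
    visible = set(visible_serials)
    missing = [m for m in members if m not in visible]
    unassigned = sorted(visible - set(members))
    plan = HaPlan(group_label, primary, missing, unassigned, sn_ok=(sn == "1" + primary))
    if not missing:
        return plan  # membership intact; a temporary drop-out is handled by hagroup recover
    g, p = group_label, password
    if primary in missing:
        # Primary lost: delete the group, recreate it around the replacement partition,
        # then re-add the surviving members (their client-side certs are unchanged).
        if not unassigned:
            return plan  # replacement partition not visible yet: fix NTLS trust first
        plan.commands.append(f"hagroup deletegroup -label {g}")  # assumed syntax
        plan.commands.append(
            f"hagroup creategroup -serialnumber {unassigned[0]} -label {g} -password {p}")
        for m in members:
            if m not in missing:
                plan.commands.append(f"hagroup addmember -serialnumber {m} -group {g} -password {p}")
        return plan
    # Only secondaries lost: drop each one and add a replacement in its place.
    for old in missing:
        plan.commands.append(
            f"hagroup removemember -serialnumber {old} -group {g} -password {p}")  # assumed syntax
    for new in unassigned[:len(missing)]:
        plan.commands.append(f"hagroup addmember -serialnumber {new} -group {g} -password {p}")
    return plan


if __name__ == "__main__":
    # HA2 (154702012) was replaced by a new partition 154702013 (constructed serial).
    plan = plan_replacement(SAMPLE_INI, ["154702011", "154702013"], "SomeHAGrp", "PassWd")
    print(f"primary {plan.primary}, missing {plan.missing}, unassigned {plan.unassigned}")
    for cmd in plan.commands:
        print(cmd)
    print("Restart the application so the changed membership is recognized.")
```

The script deliberately stops short when the replacement partition is not yet visible, because that means the client cannot talk to the new appliance at all: the NTLS trust steps (regenerate the server certificate, vtl deleteserver, copy server.pem, vtl addserver) come first, and only then the hagroup commands.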