Managing and Troubleshooting Your HA Groups

You can use vtl and the LunaCM hagroup commands to monitor and manage your HA groups.

Slot Enumeration

The client-side utility command vtl listslot or the LunaCM slot list command shows all detected slots, including HSM partitions on the primary HSM, partitions on connected external HSMs, and HA virtual slots. Here is an example:

bash-3.2# ./vtl listslot

Number of slots: 11

The following slots were found:

Slot #      Description             Label       Serial #        Status
slot #1     LunaNet Slot            -           -               Not present
slot #2     LunaNet Slot            sa76_p1     150518006       Present
slot #3     LunaNet Slot            sa77_p1     150475010       Present
slot #4     LunaNet Slot            G5179       700179008       Present
slot #5     LunaNet Slot            pki1        700180008       Present
slot #6     LunaNet Slot            CA4223      300223001       Present
slot #7     LunaNet Slot            CA4129      300129001       Present
slot #8     HA Virtual Card Slot    -           -               Not present
slot #9     HA Virtual Card Slot    -           -               Not present
slot #10    HA Virtual Card Slot    ha3         343610292       Present
slot #11    HA Virtual Card Slot    G5_HA       1700179008      Present

NOTE - Deploying or undeploying a PKI device adds to or removes from the SafeNet Luna Network HSM client slot enumeration list (slots appear or disappear from the list, and the remaining slot numbers shift to absorb the change). HA group virtual slots always appear toward the end of the list, after the physical slots, so the actual slot number of an HA group can vary depending on which external HSMs (tokens, G5) are currently connected.

Due to the above behavior, we generally recommend that you run the lunacm:> haGroup haonly command so that only the HA slot is visible and any confusion or improper slot use is eliminated.
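Because the HA slot number can move when an external device is attached or removed, an application that pins a slot number can silently end up on a physical partition. The following added example (not part of the Luna documentation or client software) parses the `vtl listslot` layout shown above and verifies a configured slot by its type and label instead of its number alone; the sample listing is constructed and its labels and serials are illustrative.

```python
import re

# Constructed sample in the layout printed by `vtl listslot` (illustrative
# labels and serials, not taken from a real deployment).
SAMPLE_LISTSLOT = """\
Number of slots: 5

The following slots were found:

Slot #    Description             Label     Serial #    Status
slot #1   LunaNet Slot            -         -           Not present
slot #2   LunaNet Slot            sa76_p1   150518006   Present
slot #3   LunaNet Slot            G5179     700179008   Present
slot #4   HA Virtual Card Slot    -         -           Not present
slot #5   HA Virtual Card Slot    ha3       343610292   Present
"""

SLOT_RE = re.compile(
    r"^slot #(?P<num>\d+)\s+(?P<desc>LunaNet Slot|HA Virtual Card Slot)\s+"
    r"(?P<label>\S+)\s+(?P<serial>\S+)\s+(?P<status>Present|Not present)$"
)

def parse_listslot(text):
    """Parse the slot table into dicts; header and summary lines are skipped."""
    slots = []
    for line in text.splitlines():
        m = SLOT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["num"] = int(d["num"])
            d["present"] = d["status"] == "Present"
            slots.append(d)
    return slots

def ha_slots(slots):
    """Label -> slot number for HA virtual slots that are present."""
    return {s["label"]: s["num"] for s in slots
            if s["desc"] == "HA Virtual Card Slot" and s["present"]}

def check_configured_slot(slots, configured_num, expected_label):
    """Verify that a slot number an application has pinned still refers to the
    intended HA group. Numbers shift when external devices come and go, so the
    check is by type and label, never by number alone. Returns (ok, reason)."""
    s = next((x for x in slots if x["num"] == configured_num), None)
    if s is None:
        return False, f"slot {configured_num} is not in the enumeration"
    if s["desc"] != "HA Virtual Card Slot":
        return False, f"slot {configured_num} is a physical slot ({s['label']}), not an HA group"
    if not s["present"]:
        return False, f"slot {configured_num} is an HA slot but not present"
    if s["label"] != expected_label:
        return False, f"slot {configured_num} is HA group {s['label']}, expected {expected_label}"
    return True, "ok"
```

Running this check at application start-up (or after `haGroup haonly` is enabled, when only the HA slot remains) catches the pinned-number drift the note above describes before any keys are touched on the wrong partition.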

Determining Which Device is in Use

Use the ntls show or stc status command.

Determining Which Devices are Active

CA extension call “CA_GetHAState” lists all active devices. The LunaCM hagroup listgroup command also lists members.

Duplicate Objects

If you create an object on your HA slot, and then duplicate that object in some fashion (for example, by SIM'ing [wrapping] it off and then back on again, or performing a backup/restore with the 'add' option), that object will be seen as only one object on the HA slot because HA uses the object's fingerprint to build an object list. Two objects will in fact exist on each of the physical slots and could be seen by a non-HA utility/query to the HSM.

There are TWO implications from this situation:

- One implication is that repeated duplication (perhaps an application that performs periodic backups, and restores using the 'add' option rather than 'replace') could cause the partition to reach the maximum number of partition objects while seemingly having fewer objects. If the system ever tells you that your partition is full, but HA says otherwise, then use a tool like CKDemo that can view the "physical" slots directly (as opposed to the HA slot) on the HSM, and delete any objects that are unnecessary.

- A second implication is that the HA feature uses object fingerprints to match different instances of an object on different physical HSMs. This can result in error messages if your application does not properly create and destroy session objects, and perhaps creates an object identical to one which has been removed in a separate concurrent session. The problem is self-correcting, but the flurry of error messages could be worrying if you don't understand where they are coming from.
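The first implication is easiest to see by comparing the fingerprint-deduplicated HA view with the raw per-partition counts the HSM enforces. The following added example (not part of the Luna documentation or tools) models that comparison on constructed data: member names and fingerprints are illustrative, and the capacity value is a hypothetical partition object limit.

```python
from collections import Counter

# Constructed sample: the objects on each physical member of an HA group as
# (fingerprint, label) pairs. "fp-a" was restored twice with the 'add' option,
# so every member holds two physical copies of it. Names are illustrative.
MEMBERS = {
    "sa76_p1": [("fp-a", "signing-key"), ("fp-a", "signing-key"), ("fp-b", "tls-key")],
    "sa77_p1": [("fp-a", "signing-key"), ("fp-a", "signing-key"), ("fp-b", "tls-key")],
}

def ha_view(members):
    """What the HA virtual slot reports: one entry per distinct fingerprint
    across all members, because HA builds its object list from fingerprints."""
    view = {}
    for objs in members.values():
        for fp, label in objs:
            view.setdefault(fp, label)
    return view

def physical_report(members, capacity):
    """Per physical slot (what CKDemo would show): raw object count, which is
    what counts against the partition limit, distinct fingerprints, the number
    of hidden duplicates, and whether the partition is at capacity."""
    report = {}
    for name, objs in members.items():
        counts = Counter(fp for fp, _ in objs)
        raw = len(objs)
        report[name] = {
            "raw": raw,
            "distinct": len(counts),
            "duplicates": raw - len(counts),
            "full": raw >= capacity,
        }
    return report

def diagnose(members, capacity):
    """Members whose physical partition is full while the HA slot reports fewer
    objects: the 'partition full but HA says otherwise' case. Those are the
    partitions to inspect directly and clean up."""
    visible = len(ha_view(members))
    return [name for name, r in physical_report(members, capacity).items()
            if r["full"] and r["raw"] > visible]
```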

Frequently Asked Questions

This section provides additional information by answering questions that are frequently asked by our customers.

Can we manage NTLS connections through a load balancer (like NetScaler, Barracuda, A10, etc.)?

No. NTLS will not work through a load-balancer because it is an end-to-end TLS pipe between client and SafeNet Luna Network HSM.

We want to use a backup application server that would operate in standby mode until awakened by a failure of our primary application server. Can we use a virtual IP in the SafeNet Luna Network HSM setup, so that both primary and secondary are accepted for NTLS as the same client by SafeNet Luna Network HSM?

Yes. At the client, generate the client cert with the command vtl createCert -n <any IP address, real or virtual>.

Both client computers must have the SafeNet Luna Network HSM appliance's server cert in their client-side server-cert folders.

The SafeNet Luna Network HSM appliance must have the client certificate (built with the virtual IP address) registered.

Also, the following lines in the Chrystoki.conf file must point to the same certificate and key file on the clustered application servers:

      LunaSA Client = {
         ClientCertFile=\usr\LunaClient\cert\client\<your-cert-filename>.pem
         ClientPrivKeyFile=\usr\LunaClient\cert\client\<your-filename>Key.pem
      }

Our application keeps the HSM full. Can we double the capacity by creating an HA group and having a second HSM?

No. HA provides redundancy and can increase performance, but not capacity. Every HSM in an HA group gets synchronized with the other member(s), which means that the content of any one HSM in an HA group must be a clone of the content of any other member of that group. So, with more HA group members, you get more copies, not more space.