Replacing an HA Group Member

Sometimes an HSM failure is permanent (from the perspective of the HA group). For example, if the HSM is re-initialized, the member partition is erased and must be recreated. In this case, you can recreate a partition on the same HSM or another HSM, and deploy the new member to the group. You do not need to pause your application to replace an HA group member.

Prerequisites

The Crypto Officer must complete this procedure, but any new member partition must first be created and assigned to the client by the HSM SO, and initialized by the Partition SO. All the prerequisites listed in Setting Up an HA Group must be met.

To replace an HA group member

1. [Optional] Display the HA group to see the failed member (hagroup listgroups). You are prompted for the Crypto Officer password/challenge secret. Note the serial number of the member whose Status reads down: a failed member has no slot to reference (its Slot # column shows ------), so the serial number is how you identify it when you remove it in step 4.

lunacm:> hagroup listgroups

lunacm:> hagroup listgroups
 
        If you would like to see synchronization data for group myHAgroup,
        please enter the password for the group members. Sync info
        not available in HA Only mode.
 
 
        Enter the password: ********
 
 
              HA auto recovery:  enabled
              HA recovery mode:  activeEnhanced
   Maximum auto recovery retry:  500
   Auto recovery poll interval:  60 seconds
                    HA logging:  disabled
            Only Show HA Slots:  yes
 
 
         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
       Synchronization: enabled
          Group Members:  154438865287, 1238700701509
             Needs sync:  no
        Standby Members:  <none>
 
 
Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  154438865287                              par0     alive
------  1238700701509                      ------------      down

2. Prepare the new HA group member, whether that means creating a new partition on the original HSM or configuring a new SafeNet Luna Network HSM, and assign the new partition to the HA client. Ensure that the new member partition, and the HSM on which it resides, meets the prerequisites outlined in Setting Up an HA Group (in particular, the partition must be in the same cloning domain and use the same Crypto Officer credential as the existing members) and that the partition is visible in LunaCM (slot list). In the example below, the replacement partition par1 (serial number 1238700701510) appears in slot 1 alongside the surviving member par0 and the HA virtual slot.

lunacm (64-bit) v7.3.0-74. Copyright (c) 2018 SafeNet. All rights reserved.
 
 
        Available HSMs:
 
        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238700701510
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    1154438865287
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.3.0
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With Cloning Mode
        HSM Status ->           N/A - HA Group
 
 
Current Slot Id: 0

3. Add the new partition to the HA group by specifying either its slot or its serial number (hagroup addmember). You are prompted for the Crypto Officer password/challenge secret. The failed member (1238700701509 in the example) stays in the member list, shown as down, until you remove it in step 4.

lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}

lunacm:> hagroup addmember -group myHAgroup -slot 1
 
        Enter the password: ********
        Member 1238700701510 successfully added to group myHAgroup. New group
        configuration is:
 
         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
       Synchronization: enabled
          Group Members:  154438865287, 1238700701509, 1238700701510
             Needs sync:  no
        Standby Members:  <none>
 
 
Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0  154438865287                              par0     alive
------  1238700701509                      ------------      down
     1  1238700701510                              par1     alive
 
 
        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)
 
Command Result : No Error

The new partition is now an active member of the HA group. If an application is currently running, existing cryptographic objects are replicated to the new member automatically and it is assigned operations according to the load-balancing algorithm. The synchronize prompt printed by addmember applies only when no application is running; see the caution in step 5 before running it.

4. Remove the old partition from the group by specifying its serial number (hagroup removemember). Use the serial number recorded in step 1: a down member has no slot number in the member table to reference.

lunacm:> hagroup removemember -group <label> -serial <serialnum>

lunacm:> hagroup removemember -group myHAgroup -serial 1238700701509
 
        Member 1238700701509 successfully removed from group myHAgroup.
 
Command Result : No Error

LunaCM restarts.

5. [Optional] If no application is currently running, you can manually synchronize the contents of the HA group (hagroup synchronize).

CAUTION!   Never use manual synchronization if you have an application running. The HA group performs this automatically. Using this command on an HA group that is running an application could create conflicting key versions.

lunacm:> hagroup synchronize -group <label>

lunacm:> hagroup synchronize -group myHAgroup
 
        Enter the password: ********
 
        Synchronization completed.
 
Command Result : No Error

6. [Optional] If you intend to have the new partition serve as a standby member, see Setting an HA Group Member to Standby.
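The procedure above, as an added example that is not part of the Luna documentation: a POSIX shell helper that parses the member table lunacm prints in steps 1 and 3, lists the members shown as down, builds the removemember command for step 4, and refuses to propose removal until the replacement member is alive and the group reports Needs sync: no. It assumes the column layout shown on this page (Slot #, Member S/N, Member Label, Status) and does not invoke lunacm itself; the two sample output strings are copied from the listgroups and addmember output above, and how you capture live lunacm output is left to the operator.

```shell
#!/bin/sh
# Added example, not lunacm code: parse the member table printed by
# "hagroup listgroups" / "hagroup addmember" so an operator script can
# (a) identify down members by serial number and (b) confirm that the
# replacement is alive and the group does not need sync before the failed
# member is removed. Assumes the column layout shown on this page.

# Sample input, copied from the listgroups output on this page
# (one member alive, the re-initialized member down).
SAMPLE_BEFORE='         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
       Synchronization: enabled
          Group Members:  154438865287, 1238700701509
             Needs sync:  no
        Standby Members:  <none>

Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
------  154438865287                              par0     alive
------  1238700701509                      ------------      down'

# Sample input, copied from the addmember output on this page
# (replacement par1 added, failed member still listed as down).
SAMPLE_AFTER_ADD='         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
       Synchronization: enabled
          Group Members:  154438865287, 1238700701509, 1238700701510
             Needs sync:  no
        Standby Members:  <none>

Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0  154438865287                              par0     alive
------  1238700701509                      ------------      down
     1  1238700701510                              par1     alive'

# members_with_status STATUS OUTPUT
# Print the serial number of every member row whose Status column equals
# STATUS. A member row is recognised by a purely numeric serial in the second
# column, which skips the "Slot #" header, the "======" underline and the
# "HA Group ..." summary lines.
members_with_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 ~ /^[0-9]+$/ && $NF == want { print $2 }
    '
}

# needs_sync OUTPUT
# Print the value of the "Needs sync:" field (yes or no).
needs_sync() {
    printf '%s\n' "$1" | awk '/Needs sync:/ { print $NF }'
}

# removemember_commands GROUP OUTPUT
# Emit one "hagroup removemember" line per down member. Only the serial
# number is usable here: a down member has no slot (Slot # shows ------).
removemember_commands() {
    members_with_status down "$2" | while read -r serial; do
        printf 'hagroup removemember -group %s -serial %s\n' "$1" "$serial"
    done
}

# new_member_ready NEW_SERIAL OUTPUT
# Succeed only when NEW_SERIAL is listed as alive and the group reports
# "Needs sync: no", i.e. the replacement is actually serving before the
# failed member is dropped. Returns 1 otherwise.
new_member_ready() {
    if members_with_status alive "$2" | grep -qx "$1" &&
       [ "$(needs_sync "$2")" = "no" ]; then
        return 0
    fi
    return 1
}

# Walk-through on the page's own sample outputs.
echo "Down before replacement: $(members_with_status down "$SAMPLE_BEFORE")"
if new_member_ready 1238700701510 "$SAMPLE_AFTER_ADD"; then
    echo "Replacement 1238700701510 is alive and in sync; safe to run:"
    removemember_commands myHAgroup "$SAMPLE_AFTER_ADD"
fi
```

The readiness check is the part worth keeping around: the addmember output ends with a prompt to synchronize, but with an application running you want to verify from the member table that the new member is alive and Needs sync is no, then remove the stale serial, rather than act on that prompt.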