Setting Up an HA Group

Use LunaCM to create an HA group from partitions assigned to your client. This procedure is completed by the Crypto Officer. Ensure that you have met all necessary prerequisites before proceeding with group creation. For a detailed description of HA functionality, see How HA Works.

NOTE   Your LunaCM instance needs to update the Chrystoki.conf (Linux/UNIX) or crystoki.ini file (Windows) when setting up or reconfiguring HA. Ensure that you have Administrator privileges on the client workstation.

Prerequisites

HA groups are set up in LunaCM by the Crypto Officer. Before the CO can perform this setup, however, all HSMs and member partitions must meet the following prerequisites, completed by the HSM and Partition Security Officers.

HSMs

The HSM SO must ensure that all HSMs containing HA group member partitions meet the following prerequisites:

>All HSMs must be the same hardware type (a mix of Network and PCIe HSMs is not supported) and use the same authentication method (Password/PED).

>All must be running one of the supported software/firmware versions. Generally, Thales recommends using HSMs with the same software/firmware for HA. However, mixed-version HA groups containing Luna 6 and 7 member partitions are supported. See Luna 6/7 Mixed-Version HA Groups for more information.

>Network setup must be complete and the appliances must be accessible via SSH.

>HSM policies 7: Allow Cloning and 16: Allow Network Replication must be set to 1 (see Set the HSM Policies in the Configuration Guide).

>HSM policies must be consistent across all HSMs, particularly 12: Allow non-FIPS algorithms. Do not attempt to use an HA group combining HSMs with FIPS mode on and others with FIPS mode off.

>The client must be able to access all the application partitions using NTLS or STC links (see Enable the Client to Access a Partition in the Configuration Guide).

Partitions

The Partition SO must ensure that all partitions in an HA group meet the following prerequisites:

>The partitions must be created on different HSMs; partitions on a single HSM cannot provide failover for each other, as they have a single point of failure.

>All partitions must be visible in LunaCM on the client workstation.

>All partitions must be initialized with the same cloning domain:

Password-authenticated partitions must share the same domain string.

PED-authenticated partitions must share the same red domain PED key.

>Partition policies 0: Allow private key cloning and 4: Allow secret key cloning must be set to 1 on all partitions.

>Partition policies must be consistent across all member partitions.

>The Crypto Officer role on each partition must be initialized with the same CO credential (password or black PED key).

>PED-authenticated partitions must have partition policies 22: Allow activation and 23: Allow auto-activation set to 1. All partitions must be activated and have auto-activation enabled, so that they can retain their login state after failure/recovery. Each partition must have the same activation challenge secret set (see Activation and Auto-Activation on PED-Authenticated Partitions)

NOTE   If HSM policy 21: Force user PIN change after set/reset is set to 1 (the default setting), the Crypto Officer must change the initial CO credential before using the partition for cryptographic operations. This applies to the activation challenge secret as well (see role changepw in the LunaCM Command Reference Guide).

To set up an HA group

1.Create a new HA group, specifying the following information (see hagroup creategroup):

the group label (do not call the group "HA")

the Serial number OR the slot number of the first member partition

the Crypto Officer password or challenge secret for the partition

lunacm:>hagroup creategroup -label <label> {-slot <slotnum> | -serialnumber <serialnum>}

lunacm:> hagroup creategroup -label myHAgroup -slot 0
 
        Enter the password: ********
 
        New group with label "myHAgroup" created with group number 1154438865287.
        Group configuration is:
 
         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  Not Available
        Synchronization:  enabled
          Group Members:  154438865287
             Needs sync:  no
        Standby Members:  <none>
 
 
Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0  154438865287                              par0     alive
 
 
Command Result : No Error

LunaCM generates a serial number for the HA group (by adding a "1" before the partition serial number), assigns it a virtual slot number, and automatically restarts.

lunacm (64-bit) v7.3.0-74. Copyright (c) 2018 SafeNet. All rights reserved.
 
 
        Available HSMs:
 
        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key 
                                Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238700701509
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key 
                                Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    1154438865287
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.3.0
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With 
                                Cloning Mode
        HSM Status ->           N/A - HA Group
 
 
Current Slot Id: 0

2.Add another partition to the HA group, specifying either the slot or the serial number (hagroup addmember) If the new member contains cryptographic objects, you are prompted to decide whether to replicate the objects within the HA group, or delete them.

lunacm:>hagroup addmember -group <grouplabel> {-slot <slotnum> | -serialnumber <serialnum>}

lunacm:> hagroup addmember -group myHAgroup -slot 1
 
 
        Enter the password: ********
 
 
Warning:  There are objects currently on the new member.
          Do you wish to propagate these objects within the HA
          group, or remove them?
 
          Type 'copy' to keep and propagate the existing
          objects, 'remove' to remove them before continuing,
          or 'quit' to stop adding this new group member.
          >  copy
 
        Member 1238700701509 successfully added to group myHAgroup. New group
        configuration is:
 
         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
        Synchronization:  enabled
          Group Members:  154438865287, 1238700701509
             Needs sync:  no
        Standby Members:  <none>
 
 
Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0  154438865287                              par0     alive
     1  1238700701509                             par1     alive
 
 
        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)
 
Command Result : No Error

Repeat this step for each additional HA group member.

3.If you are adding member partitions that already have cryptographic objects stored on them, initiate a manual synchronization. You can tell whether this step is required by checking the line Needs Sync : yes/no in the HA group output. This will also confirm that the HA group is functioning correctly (hagroup synchronize).

lunacm:>hagroup synchronize -group <grouplabel>

4.[Optional] If you created an HA group out of empty partitions, and you want to verify that the group is functioning correctly, see Verifying an HA Group.

5.Specify which member partitions, if any, will serve as standby members.

See Setting an HA Group Member to Standby.

6.Set up and configure auto-recovery (recommended). If you choose to use manual recovery, you will have to execute a recovery command whenever a group member fails.

See Configuring HA Auto-Recovery.

7.[Optional] Enable HA Only mode (recommended).

See Enabling/Disabling HA Only Mode.

8.[Optional] Configure HA logging.

See HA Logging for procedures and information on reading HA logs.

The HA group is now ready for your application.