Replacing an HA Group Member
Sometimes an HSM failure is permanent (from the perspective of the HA group). For example, if the HSM is re-initialized, the member partition is erased and must be recreated. In this case, you can recreate a partition on the same HSM or another HSM, and deploy the new member to the group. You do not need to pause your application to replace an HA group member.
Prerequisites
The Crypto Officer must complete this procedure, but any new member partition must first be created and assigned to the client by the HSM SO, and initialized by the Partition SO. All the prerequisites listed in Setting Up an HA Group must be met.
To replace an HA group member
1. [Optional] Display the HA group to see the failed member (hagroup listgroups). You are prompted for the Crypto Officer password/challenge secret.
lunacm:> hagroup listgroups
lunacm:> hagroup listgroups
If you would like to see synchronization data for group myHAgroup,
please enter the password for the group members. Sync info
not available in HA Only mode.
Enter the password: ********
HA auto recovery: enabled
HA recovery mode: activeEnhanced
Maximum auto recovery retry: 500
Auto recovery poll interval: 60 seconds
HA logging: disabled
Only Show HA Slots: yes
HA Group Label: myHAgroup
HA Group Number: 1154438865287
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 154438865287, 1238700701509
Needs sync: no
Standby Members: <none>
Slot #  Member S/N     Member Label  Status
======  ==========     ============  ======
------  154438865287   par0          alive
------  1238700701509  ------------  down
2. Prepare the new HA group member, whether that means creating a new partition on the original HSM or configuring a new SafeNet Luna PCIe HSM, and assign the new partition to the HA client. Ensure that the new member partition and the HSM on which it resides meet the prerequisites outlined in Setting Up an HA Group, and that the partition is visible in LunaCM.
lunacm (64-bit) v7.3.0-74. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> par0
Serial Number -> 154438865287
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label -> par1
Serial Number -> 1238700701510
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 5
HSM Label -> myHAgroup
HSM Serial Number -> 1154438865287
HSM Model -> LunaVirtual
HSM Firmware Version -> 7.3.0
HSM Configuration -> Luna Virtual HSM (PW) Key Export With Cloning Mode
HSM Status -> N/A - HA Group
Current Slot Id: 0
3. Add the new partition to the HA group by specifying either the slot or the serial number (hagroup addmember). You are prompted for the Crypto Officer password/challenge secret.
lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}
lunacm:> hagroup addmember -group myHAgroup -slot 1
Enter the password: ********
Member 1238700701510 successfully added to group myHAgroup. New group
configuration is:
HA Group Label: myHAgroup
HA Group Number: 1154438865287
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 154438865287, 1238700701509, 1238700701510
Needs sync: no
Standby Members: <none>
Slot #  Member S/N     Member Label  Status
======  ==========     ============  ======
0       154438865287   par0          alive
------  1238700701509  ------------  down
1       1238700701510  par1          alive
Please use the command "ha synchronize" when you are ready
to replicate data between all members of the HA group.
(If you have additional members to add, you may wish to wait
until you have added them before synchronizing to save time by
avoiding multiple synchronizations.)
Command Result : No Error
The new partition is now an active member of the HA group. If you have an application currently running, cryptographic objects are automatically replicated to the new member and it is assigned operations according to the load-balancing algorithm.
4. Remove the old partition from the group by specifying the serial number (hagroup removemember).
lunacm:> hagroup removemember -group <label> -serial <serialnum>
lunacm:> hagroup removemember -group myHAgroup -serial 1238700701509
Member 1238700701509 successfully removed from group myHAgroup.
Command Result : No Error
LunaCM restarts.
5. [Optional] If you do not currently have an application running, you can manually synchronize the contents of the HA group (hagroup synchronize).
CAUTION! Never use manual synchronization if you have an application running. The HA group performs this automatically. Using this command on an HA group that is running an application could create conflicting key versions.
lunacm:> hagroup synchronize -group <label>
lunacm:> hagroup synchronize -group myHAgroup
Enter the password: ********
Synchronization completed.
Command Result : No Error
6. [Optional] If you intend to have the new partition serve as a standby member, see Setting an HA Group Member to Standby.
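As an added example (not part of this guide or of LunaCM), the following Python parses the member table printed by hagroup listgroups in step 1, flags members whose status is not "alive", and prints the addmember/removemember commands from steps 3 and 4 for an operator to review. It assumes a single group in the output and partition labels without spaces; the sample output is constructed from the session quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the `hagroup listgroups` output in step 1.
SAMPLE = """\
HA Group Label: myHAgroup
HA Group Number: 1154438865287
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 154438865287, 1238700701509
Needs sync: no
Standby Members: <none>

Slot #  Member S/N     Member Label  Status
======  ==========     ============  ======
------  154438865287   par0          alive
------  1238700701509  ------------  down
"""

@dataclass
class Member:
    slot: Optional[str]   # None when LunaCM prints "------" (no local slot)
    serial: str
    label: Optional[str]  # None when the label is unknown ("------------")
    status: str

def parse_listgroups(text):
    """Return ({header field: value}, [Member, ...]) for one HA group."""
    fields, members, in_table = {}, [], False
    for line in text.splitlines():
        if not in_table:
            if line.startswith("====="):      # separator that precedes member rows
                in_table = True
                continue
            m = re.match(r"^([A-Za-z #]+):\s*(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
            continue
        parts = line.split()
        if len(parts) != 4:                   # blank line or unexpected layout
            continue
        slot, serial, label, status = parts
        members.append(Member(None if slot.startswith("-") else slot, serial,
                              None if label.startswith("-") else label, status))
    return fields, members

def down_members(text):
    """Serial numbers of members that are not reported alive."""
    return [m.serial for m in parse_listgroups(text)[1] if m.status.lower() != "alive"]

def replacement_commands(text, new_slot):
    """LunaCM commands (steps 3 and 4) to swap the new slot in for each failed member."""
    group = parse_listgroups(text)[0]["HA Group Label"]
    cmds = [f"hagroup addmember -group {group} -slot {new_slot}"]
    return cmds + [f"hagroup removemember -group {group} -serial {s}" for s in down_members(text)]

if __name__ == "__main__":
    print("\n".join(replacement_commands(SAMPLE, new_slot=1)))
```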