Adding/Removing an HA Group Member

You can add a new member to an HA group at any time using LunaCM, even if your application is running. Cryptographic objects will be replicated on the new partition and operations will be scheduled according to the load-balancing algorithm (see Load Balancing).

Likewise, you can remove a member at any time, and currently-scheduled operations will fail over to the rest of the group members (see Failover).

NOTE   If you remove the partition that was used to create the group, the HA group serial number changes to reflect this. This is to prevent another HA group from being assigned the same serial number as the original. If your application queries the HA group serial number, it must redirect operations to the new serial.

Prerequisites

The new member partition must:

- be assigned to the client and visible in LunaCM
- be initialized with the same domain string/red domain PED key as the other partitions in the group
- have the Crypto Officer role initialized with the same credentials as the other partitions in the group
- be activated and have auto-activation enabled (PED-authenticated)

To add an HA group member

1. Open LunaCM on the client workstation and ensure that the new partition is visible.

lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
 
 
        Available HSMs:
 
        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238700701509
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              2
        Label ->                par2
        Serial Number ->        2855496365544
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    1154438865287
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.3.0
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With Cloning Mode
        HSM Status ->           N/A - HA Group
        HSM Certificates ->     *** Test Certs ***
 
 
Current Slot Id: 0

2. Add the new partition to the HA group by specifying either the slot or the serial number (hagroup addmember). You are prompted for the Crypto Officer password/challenge secret.

lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}

lunacm:> hagroup addmember -group myHAgroup -slot 2
 
        Enter the password: ********
        Member 2855496365544 successfully added to group myHAgroup. New group
        configuration is:
 
         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
       Synchronization: enabled
          Group Members:  154438865287, 1238700701509, 2855496365544
             Needs sync:  no
        Standby Members:  <none>
 
 
Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0  154438865287                              par0     alive
     1  1238700701509                              par1     alive
     2  2855496365544                              par2     alive
 
 
        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)
 
Command Result : No Error

To remove an HA group member

1. Remove the partition from the group by specifying either the slot or the serial number (hagroup removemember).

lunacm:> hagroup removemember -group <label> {-slot <slotnum> | -serial <serialnum>}

lunacm:> hagroup removemember -group myHAgroup -slot 0
 
        Member 154438865287 successfully removed from group myHAgroup.
 
 
        Note: Serial number for the group changed to 11238700701509.
Command Result : No Error

LunaCM restarts.

lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
 
 
        Available HSMs:
 
        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238700701509
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              2
        Label ->                par2
        Serial Number ->        2855496365544
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot
 
        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    11238700701509
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.3.0
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With Cloning Mode
        HSM Status ->           N/A - HA Group
 
 
Current Slot Id: 0

2. [Optional] Check that the partition was removed from the group (hagroup listgroups).

lunacm:> hagroup listgroups
 
        If you would like to see synchronization data for group myHAgroup,
        please enter the password for the group members. Sync info
        not available in HA Only mode.
 
        Enter the password: ********
 
 
              HA auto recovery:  disabled
              HA recovery mode:  activeBasic
   Maximum auto recovery retry:  0
   Auto recovery poll interval:  60 seconds
                    HA logging:  disabled
            Only Show HA Slots:  no
 
                HA Group Label:  myHAgroup
               HA Group Number:  11238700701509
              HA Group Slot ID:  5
              Synchronization: enabled
                Group Members:  1238700701509, 2855496365544
                   Needs sync:  no
              Standby Members:  <none>
 
 
Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     1  1238700701509                              par1     alive
     2  2855496365544                              par2     alive
 
 
Command Result : No Error
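
The following is an added example, not part of the original documentation or of any Thales tooling. It parses captured hagroup listgroups output and reports the conditions this page warns about: a changed HA group serial number, missing or unexpected members, a pending sync, or a member that is not alive. The function names, the pinned serial, and the expected member list are assumptions chosen for illustration.

```python
import re

# Constructed sample: trimmed copy of the "hagroup listgroups" output shown above.
SAMPLE = """\
                HA Group Label:  myHAgroup
               HA Group Number:  11238700701509
                Group Members:  1238700701509, 2855496365544
                   Needs sync:  no

Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     1  1238700701509                              par1     alive
     2  2855496365544                              par2     alive
"""

FIELD = re.compile(r"^\s*(HA Group Label|HA Group Number|Group Members|Needs sync):\s*(.*?)\s*$")
# Member table row: slot, serial, label, status (assumes labels contain no spaces).
MEMBER = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_listgroups(text):
    """Parse one HA group from captured listgroups output (hypothetical helper)."""
    group = {"status": {}}
    for line in text.splitlines():
        if m := FIELD.match(line):
            group[m.group(1)] = m.group(2)
        elif m := MEMBER.match(line):
            group["status"][m.group(2)] = m.group(4)
    members = group.get("Group Members", "").split(",")
    group["members"] = [s.strip() for s in members if s.strip()]
    return group

def audit(group, pinned_serial, expected_members):
    """Return findings to act on after a membership change."""
    findings = []
    current = group.get("HA Group Number")
    if current != pinned_serial:
        findings.append(f"group serial changed: {pinned_serial} -> {current}")
    for s in sorted(set(expected_members) - set(group["members"])):
        findings.append(f"member missing: {s}")
    for s in sorted(set(group["members"]) - set(expected_members)):
        findings.append(f"unexpected member: {s}")
    if group.get("Needs sync") != "no":
        findings.append("group needs synchronization")
    findings += [f"member {s} is {st}" for s, st in group["status"].items() if st != "alive"]
    return findings
```

Run against the pre-removal baseline from this page (group serial 1154438865287, three members), the audit reports both the serial change and the removed member, which is the point at which an application pinned to the old serial must be redirected.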