Cloning Using an HA Group

High Availability (HA) groups duplicate key material between the HSMs in the group. This function can be used to copy all cryptographic key material from a 5.x/6.x PCIe or USB HSM partition to a new 7.x PCIe HSM partition.

The new configuration's operating system must be compatible with both the new 7.x and the old 5.x/6.x hardware. Consult the 5.x/6.x CRN for a list of compatible operating systems.

To clone cryptographic keys from one HSM to another, the HSMs must share the same cloning domain. For password-authenticated HSMs, this domain should have been specified when the partition was initialized. For PED-authenticated HSMs, the red key determines the cloning domain. You will need the same red key that was imprinted during 5.x/6.x partition creation to initialize the 7.x partition (see HSM Initialization).

The 7.x client software should be installed, and the connection to both the source and destination HSM partitions verified, before attempting this procedure (see SafeNet Luna HSM Client Software Installation for details). The source and destination partitions must both be assigned to the client machine issuing the cloning commands. Use the slot list command to ensure both partitions are visible to the client.

NOTE   It is not recommended to maintain an HA group with different versions of the SafeNet Luna Network HSM hardware.

Preconditions

The following instructions assume that:

> the 7.x client software has been installed

> an uninitialized partition has been created on the 7.x Network HSM

> the source and destination partitions are both registered with the client (visible)

In the following examples:

> Slot 0 = the source 5.x/6.x partition

> Slot 1 = the destination 7.x partition

NOTE   Partition login name requirements have changed between hardware versions. With release 7.x, you can log in using the abbreviated po (Partition Security Officer) or co (Crypto Officer).

To clone cryptographic keys from a 5.x/6.x partition to a 7.x partition using an HA group

Follow these steps to copy cryptographic material from a 5.x/6.x partition to a new 7.x partition by creating an HA group that includes both partitions.

1. Run LunaCM, set the current slot to the SA7 (7.x) partition, and initialize the Partition SO role.

slot set -slot 1

partition init -label <7.x_partition_label>

a. If you are cloning a PED-authenticated 5.x/6.x partition, use the 5.x/6.x partition's red key when prompted.

b. If you are cloning a password-authenticated 5.x/6.x partition, enter the same cloning domain when prompted.

2. Log in as the po (Partition Security Officer) and initialize the co (Crypto Officer) role.

role login -name po

role init -name co

If you are cloning a PED-authenticated 5.x/6.x partition, create a challenge secret for the Crypto Officer. This is required to set an HA activation policy.

role createchallenge -name co -challengesecret <password>

3. Set the current slot to the source 5.x/6.x slot and log in as the Crypto Officer.

slot set -slot 0

NOTE   Be mindful of whether you’re working with pre-PPSO or PPSO firmware and use the partition login or role login commands as specified below. Also, with PPSO firmware 6.22.0 and up, be careful with user names, i.e., type Crypto Officer in full (it is case sensitive) and not co.

a. If you are cloning a release 5.x or 6.x pre-PPSO partition (up to and including Firmware 6.21.2), use:

partition login

b. If you are cloning a release 6.x PPSO partition (Firmware 6.22.0 and up), use:

role login -name Crypto Officer

4. Optional: To verify the objects in the 5.x/6.x partition to be cloned, use:

partition contents

5. Using LunaCM, create an HA group of the 5.x/6.x slot and the 7.x slot.

NOTE   HA requires that all members have an activation policy set. See Activation and Auto-Activation on PED-Authenticated Partitions for details.

a. Via LunaSH, log in as Security Officer and set policy 22 on the 5.x/6.x partition:

partition changepolicy -partition <5.x_partition_label> -policy 22 -value 1

b. In LunaCM, log in to the 7.x partition as Partition Security Officer, and set the activation policy from the client machine:

slot set -slot 1

role login -name po

partition changepolicy -policy 22 -value 1

c. Create the HA group with the 5.x/6.x partition as the primary partition. Select the "copy" option to preserve objects.

hagroup creategroup -label <group_label> -slot 0 -password <password>

d. Add the 7.x partition slot to the HA group. Repeat this step to add multiple 7.x partitions to the group.

hagroup addmember -group <group_label> -slot 1 -password <password>

6. Synchronize the group to clone the objects to the 7.x member(s).

hagroup synchronize -group <group_label> -password <password>

7. Check synchronization status of the group.

hagroup listgroups

Notice the entry "Needs sync: no". This means that the objects have been successfully cloned among all members of the HA group. You can also log in to the 7.x slot as the Crypto Officer and check the partition contents to confirm that the expected objects are present.
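The final check in step 7 is easy to script when the migration is repeated across many partitions. The following Python is an added example, not part of the Luna documentation or of any Thales tool: it parses the text that hagroup listgroups prints and reports whether the clone can be considered complete, i.e. the group shows "Needs sync: no" and both the source slot and every destination slot appear as alive members. Only the "Needs sync: no" line is taken from the page; the rest of the sample output (group label, member table columns) is a constructed approximation of LunaCM's layout, so adjust the regular expressions if your client version prints something different.

```python
"""Verify the outcome of the HA-group clone from `hagroup listgroups` output.

Added example (not Luna documentation code). The output layout is an ASSUMED
approximation of what LunaCM prints; only the "Needs sync: no" criterion
comes from the procedure itself.
"""
import re
from dataclasses import dataclass, field

# Constructed sample output, modelled on the step 7 check.
# Slot 0 = source 5.x/6.x partition, slot 1 = destination 7.x partition.
SAMPLE_OUTPUT = """\
        HA Group Label:  migrate_group
        HA Group Number: 1154438865289
        HA Group Slot ID: 5
        Synchronization: enabled
        Group Members: 154438865289, 1238700701511
        Needs sync: no
        Standby Members: <none>

        Slot #  Member S/N       Member Label    Status
        ======  ==========       ============    ======
        0       154438865289          src_par     alive
        1       1238700701511         dst_par     alive
"""


@dataclass
class HaGroup:
    label: str
    needs_sync: bool = False
    # slot number -> (serial, member label, status)
    members: dict = field(default_factory=dict)


def parse_listgroups(text):
    """Parse hagroup listgroups output into a list of HaGroup records."""
    groups = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"HA Group Label:\s*(\S+)", line)
        if m:
            current = HaGroup(label=m.group(1))
            groups.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"Needs sync:\s*(yes|no)", line, re.IGNORECASE)
        if m:
            current.needs_sync = m.group(1).lower() == "yes"
            continue
        # Member table rows: "<slot> <serial> <label> <status>"
        m = re.match(r"(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$", line)
        if m:
            slot, serial, label, status = m.groups()
            current.members[int(slot)] = (serial, label, status)
    return groups


def clone_complete(group, source_slot, dest_slots):
    """True only if no sync is pending and every expected slot is an alive member."""
    if group.needs_sync:
        return False
    for slot in [source_slot, *dest_slots]:
        member = group.members.get(slot)
        if member is None or member[2].lower() != "alive":
            return False
    return True


if __name__ == "__main__":
    for g in parse_listgroups(SAMPLE_OUTPUT):
        status = "complete" if clone_complete(g, 0, [1]) else "NOT complete"
        print(f"group {g.label}: clone {status}; members={sorted(g.members)}")
```

Feed the real output in by copying it from the LunaCM session into a file and passing its contents to parse_listgroups; a result of False should send you back to step 6 (hagroup synchronize) or to checking that the missing member was actually added in step 5d.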