Adding/Removing an HA Group Member
You can add a new member to an HA group at any time using LunaCM, even if your application is running. Cryptographic objects will be replicated on the new partition and operations will be scheduled according to the load-balancing algorithm (see Load Balancing).
Likewise, you can remove a member at any time, and currently-scheduled operations will fail over to the rest of the group members (see Failover).
NOTE If you remove the partition that was used to create the group, the HA group serial number changes to reflect this. This is to prevent another HA group from being assigned the same serial number as the original. If your application queries the HA group serial number, it must redirect operations to the new serial.
Prerequisites
The new member partition must:
>be assigned to the client and visible in LunaCM
>be initialized with the same domain string/red domain PED key as the other partitions in the group
>have the Crypto Officer role initialized with the same credentials as the other partitions in the group
>be activated and have auto-activation enabled (PED-authenticated)
NOTE Back up the SMK in any partition where that SMK is likely to be overwritten, if that SMK is ever likely to be needed to insert (decrypt) any SKS blobs.
If an SMK is cloned from one partition to another (such as must be done when adding members to an HA group), a pre-existing SMK already in the target partition is overwritten by the incoming SMK. Any blobs still encrypted with it are lost, unless a backup exists.
To add an HA group member
1.Open LunaCM on the client workstation and ensure that the new partition is visible.
lunacm (64-bit) v7.3.0. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> par0
Serial Number -> 154438865287
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label -> par1
Serial Number -> 1238700701509
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 2
Label -> par2
Serial Number -> 2855496365544
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 5
HSM Label -> myHAgroup
HSM Serial Number -> 1154438865287
HSM Model -> LunaVirtual
HSM Firmware Version -> 7.3.0
HSM Configuration -> Luna Virtual HSM (PW) Key Export With Cloning Mode
HSM Status -> N/A - HA GroupCurrent Slot Id: 0
2.Add the new partition to the HA group by specifying either the slot or the serial number. You are prompted for the Crypto Officer password/challenge secret.
lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}
lunacm:> hagroup addmember -group myHAgroup -slot 2
Enter the password: ********
Member 2855496365544 successfully added to group myHAgroup. New group
configuration is:
HA Group Label: myHAgroup
HA Group Number: 1154438865287
HA Group Slot ID: 5
Synchronization: enabled
Group Members: 154438865287, 1238700701509, 2855496365544
Needs sync: no
Standby Members: <none>
Slot # Member S/N Member Label Status
====== ========== ============ ======
0 154438865287 par0 alive
1 1238700701509 par1 alive
2 2855496365544 par2 alive
Please use the command "ha synchronize" when you are ready
to replicate data between all members of the HA group.
(If you have additional members to add, you may wish to wait
until you have added them before synchronizing to save time by
avoiding multiple synchronizations.)
Command Result : No Error
To remove an HA group member
1.Remove the partition from the group by specifying either the slot or the serial number.
lunacm:> hagroup removemember -group <label> {-slot <slotnum> | -serial <serialnum>}
lunacm:> hagroup removemember -group myHAgroup -slot 0
Member 154438865287 successfully removed from group myHAgroup.
Note: Serial number for the group changed to 11238700701509.
Command Result : No Error
NOTE If you remove the partition that was used to create the group, the HA group serial number changes to reflect this. This is to prevent another HA group from being assigned the same serial number as the original. If your application queries the HA group serial number, it must redirect operations to the new serial.
LunaCM restarts.
lunacm (64-bit) v7.3.0. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 0
Label -> par0
Serial Number -> 154438865287
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 1
Label -> par1
Serial Number -> 1238700701509
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 2
Label -> par2
Serial Number -> 2855496365544
Model -> LunaSA 7.3.0
Firmware Version -> 7.3.0
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> Net Token Slot
Slot Id -> 5
HSM Label -> myHAgroup
HSM Serial Number -> 11238700701509
HSM Model -> LunaVirtual
HSM Firmware Version -> 7.3.0
HSM Configuration -> Luna Virtual HSM (PW) Key Export With Cloning Mode
HSM Status -> N/A - HA Group
Current Slot Id: 0
2.[Optional] Check that the partition was removed from the group.
lunacm:> hagroup listgroups
