HA Troubleshooting
If you encounter problems with an HA group, refer to this section.
Administration Tasks on HA Groups
Do not attempt to run administrative tasks on an HA group virtual slot (such as changing the CO password or altering partition policies). These virtual slots are intended for cryptographic operations only. It is not possible to use an HA group to make administrative changes to all partitions in the group simultaneously.
Unique Object IDs (OUID)
If two applications using the same HA group modify the same object using different members, the object fingerprint might conflict.
Network HSM | Potential HA member partition "A" (serial# 1312151770919) | Potential HA member partition "B" (serial# 1462751259592) |
---|---|---|
Appliance software | 7.7.1 | pre-7.7.0 |
HSM firmware version | 7.7.1 | pre-7.7.0 |
FIPS status | non-FIPS | non-FIPS |

Network HSM | Potential HA member partition "A" (serial# 1462751259592) | Potential HA member partition "B" (serial# 1312151770919) |
---|---|---|
Appliance software | pre-7.7.0 | 7.7.1 |
HSM firmware version | pre-7.7.0 | 7.7.1 |
FIPS status | non-FIPS | non-FIPS |
Client-Side Limitations
When the Client version is older, the working of an HA group can be affected by new features or abilities, by new cryptographic mechanisms added by a firmware update, or by previously usable mechanisms that have become restricted for security reasons. Luna Clients are "universal" in the sense that they work fully with current Luna HSMs/partitions, with earlier versions, and with cloud crypto solutions (DPoD Luna Cloud HSM service), but a Client version cannot be aware of HSM versions that had not yet been developed when that Client was released.
Client-Side Failures
Any failure of the client (such as operating system problems) that does not involve corruption or removal of files should resolve itself when the client is rebooted.
If the client workstation seems to be working fine otherwise, but you have lost visibility of the HSMs in LunaCM or your client, try the following remedies:
- Verify that the Thales drivers are running, and retry.
- Reboot the client workstation.
- Restore your client configuration from backup.
- Re-install Luna HSM Client and re-configure the HA group.
For Luna PCIe HSM, the client is the HSM host. If HA has been working, any sudden failure is likely to be OS or driver related (restart) or file corruption (re-install). If a re-installation is necessary, you must recreate and reconfigure the HA group.
Effect of PED Operations
PED operations can block some cryptographic operations, so that while a member of an HA group is performing a PED operation, it could appear to the HA group as a failed member. When the PED operation is complete, failover and recovery HA logic are invoked to return the member to normal operation.