Adding/Removing an HA Group Member

You can add a new member to an HA group at any time using LunaCM, even if your application is running. Cryptographic objects will be replicated on the new partition and operations will be scheduled according to the load-balancing algorithm (see Load Balancing).

Likewise, you can remove a member at any time, and currently-scheduled operations will fail over to the rest of the group members (see Failover).

NOTE   If you remove the partition that was used to create the group, the HA group serial number changes to reflect this. This is to prevent another HA group from being assigned the same serial number as the original. If your application queries the HA group serial number, it must redirect operations to the new serial.

Prerequisites

The new member partition must:

- be assigned to the client and visible in LunaCM

- be initialized with the same domain string/red domain PED key as the other partitions in the group

- have the Crypto Officer role initialized with the same credentials as the other partitions in the group

- be activated and have auto-activation enabled (PED-authenticated)

NOTE   Back up the SMK of any partition where it is likely to be overwritten, if that SMK might later be needed to insert (decrypt) any SKS blobs.

If an SMK is cloned from one partition to another (such as must be done when adding members to an HA group), a pre-existing SMK already in the target partition is overwritten by the incoming SMK. Any blobs still encrypted with it are lost, unless a backup exists.

To add an HA group member

1. Open LunaCM on the client workstation and ensure that the new partition is visible.

lunacm (64-bit) v7.3.0. Copyright (c) 2018 SafeNet. All rights reserved.


        Available HSMs:

        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238700701509
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Label ->                par2
        Serial Number ->        2855496365544
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    1154438865287
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.3.0
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With Cloning Mode
        HSM Status ->           N/A - HA Group


Current Slot Id: 0

2. Add the new partition to the HA group by specifying either the slot or the serial number. You are prompted for the Crypto Officer password/challenge secret.

lunacm:> hagroup addmember -group <label> {-slot <slotnum> | -serial <serialnum>}

lunacm:> hagroup addmember -group myHAgroup -slot 2

        Enter the password: ********
        Member 2855496365544 successfully added to group myHAgroup. New group
        configuration is:

         HA Group Label:  myHAgroup
        HA Group Number:  1154438865287
       HA Group Slot ID:  5
       Synchronization: enabled
          Group Members:  154438865287, 1238700701509, 2855496365544
             Needs sync:  no
        Standby Members:  <none>


Slot #    Member S/N                      Member Label    Status
======    ==========                      ============    ======
     0  154438865287                              par0     alive
     1  1238700701509                              par1     alive
     2  2855496365544                              par2     alive


        Please use the command "ha synchronize" when you are ready
        to replicate data between all members of the HA group.
        (If you have additional members to add, you may wish to wait
        until you have added them before synchronizing to save time by
        avoiding multiple synchronizations.)

Command Result : No Error

To remove an HA group member

1. Remove the partition from the group by specifying either the slot or the serial number.

lunacm:> hagroup removemember -group <label> {-slot <slotnum> | -serial <serialnum>}

lunacm:> hagroup removemember -group myHAgroup -slot 0

        Member 154438865287 successfully removed from group myHAgroup.


        Note: Serial number for the group changed to 11238700701509.
Command Result : No Error

LunaCM restarts.

lunacm (64-bit) v7.3.0. Copyright (c) 2018 SafeNet. All rights reserved.


        Available HSMs:

        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              1
        Label ->                par1
        Serial Number ->        1238700701509
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              2
        Label ->                par2
        Serial Number ->        2855496365544
        Model ->                LunaSA 7.3.0
        Firmware Version ->     7.3.0
        Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
        Slot Description ->     Net Token Slot

        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    11238700701509
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 7.3.0
        HSM Configuration ->    Luna Virtual HSM (PW) Key Export With Cloning Mode
        HSM Status ->           N/A - HA Group


Current Slot Id: 0

2. [Optional] Check that the partition was removed from the group.

lunacm:> hagroup listgroups
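The serial-number change noted above is easy to miss in an application that pins the HA group by serial. The following helper is an added example, not part of the Luna documentation or LunaCM: it parses the "Available HSMs" listing that LunaCM prints (the constructed sample below reuses the slot values shown after the removal step) and resolves the HA virtual slot by label, so the caller can detect a stale pinned serial and redirect to the current one. Function and variable names are assumptions of this example.

```python
import re

# Constructed sample of the LunaCM listing after "hagroup removemember", trimmed
# to two slots; the HA group serial has already changed to 11238700701509.
LISTING_AFTER_REMOVE = """
        Slot Id ->              0
        Label ->                par0
        Serial Number ->        154438865287
        Model ->                LunaSA 7.3.0
        Slot Description ->     Net Token Slot

        Slot Id ->              5
        HSM Label ->            myHAgroup
        HSM Serial Number ->    11238700701509
        HSM Model ->            LunaVirtual
        HSM Status ->           N/A - HA Group
"""

# Physical slots print "Label ->", the HA virtual slot prints "HSM Label ->";
# the optional "HSM " prefix folds both forms onto one field name.
FIELD_RE = re.compile(
    r"^\s*(?:HSM )?(Slot Id|Label|Serial Number|Model|Firmware Version"
    r"|Configuration|Status|Slot Description) ->\s*(.*?)\s*$")

def parse_slots(listing):
    """Split the LunaCM slot listing into one dict per 'Slot Id' block."""
    slots, current = [], None
    for line in listing.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == "Slot Id":          # a new slot block starts here
            current = {"Slot Id": int(value)}
            slots.append(current)
        elif current is not None:
            current[field] = value
    return slots

def find_ha_group(listing, label):
    """Return (slot_id, serial) of the HA virtual slot carrying this label."""
    for s in parse_slots(listing):
        if s.get("Label") == label and s.get("Model") == "LunaVirtual":
            return s["Slot Id"], s["Serial Number"]
    raise LookupError(f"HA group {label!r} not visible in LunaCM")

def resolve_group_serial(listing, label, pinned_serial):
    """Compare a pinned serial with the live one; 'changed' means redirect."""
    slot_id, serial = find_ha_group(listing, label)
    return {"slot": slot_id, "serial": serial, "changed": serial != pinned_serial}
```

Feed it the real listing (for example, captured from `lunacm` output) and act on `changed` before opening sessions, rather than hard-coding the group serial.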