Installing and Configuring the Cluster Package
The following procedures will allow you to install the lnh_cluster secure package on the Luna Network HSM 7, and configure the appliance for a cluster, using REST API calls or LunaSH. This procedure must be completed whether you are creating a new cluster (see Creating a Cluster), or joining an existing cluster (see Adding a New Member to an Existing Cluster).
NOTE Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.
REST API
Prerequisites
>The Luna Network HSM 7 must be configured and accessible over the network. All members of a cluster must be able to communicate bi-directionally with all other members. Refer to Configuring IP and Network Parameters.
>If you are setting up a cluster on a multifactor quorum-authenticated HSM, you require a local or remote Luna PED. Refer to Multifactor Quorum Authentication for setup procedures.
>If you plan to use REST API to work with clusters, set up the webserver service so that the appliance can accept calls from your web application.
Refer to Webserver Setup.
After configuring the webserver service, you must synchronize the HSM time with the time on the appliance.
lunash:> hsm time sync
>The Luna Network HSM 7 must be initialized.
>Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.
Refer to:
•Updating the Luna Appliance Software
•Updating the Luna HSM Firmware
>The Luna Network HSM 7 and any clients must have NTP configured, or have their system clocks synchronized manually. Clocks must be synchronized before starting the cluster service:
•Using NTP (actionid: synchronize): POST /api/lunasa/ntp/actions/{actionid}
•Manually: PUT /api/lunasa/time
CAUTION! If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
To configure the appliance for clustering
1.Open a session to the Luna REST API on the Luna Network HSM 7.
2.Create a new application partition or provision an existing partition for cluster and keyring creation.
a.Create a new application partition, specifying a V1 partition.
CAUTION! Using a V0 partition to create a cluster can cause undesired behavior and require you to factory reset the cluster service and recreate the partition.
Only one V1 partition can exist on an appliance configured for clustering; do not create more than one V1 partition.
POST /api/lunasa/hsms/{hsmid}/partitions
b.Initialize the partition and the Partition Security Officer (PO) role.
NOTE The partition that will hold the SKS Master Key (SMK) on each cluster member must use the same cloning domain. If you are configuring this appliance to join an existing cluster, ensure that you use the same domain string or PED key that was used to initialize the partition on the primary member.
PUT /api/lunasa/hsms/{hsmid}/partitions/{partitionid}
c.Log in with the new Partition SO credential, and set partition policy 40: Require Per-Key Authorization Data to 0. Confirm the policy change task (actionid: start).
i.POST /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/login
ii.PUT /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/policies/{policyid}
iii.POST /tasks/{taskid}/actions/{actionid}
CAUTION! Changing partition policies after you have created and are using clusters can cause unwanted behavior. Ensure that you have configured all your desired policy settings before you continue. This includes policies for Activation on Multifactor Quorum-Authenticated Partitions.
d.Initialize the Crypto Officer (CO) role (roleid: co). If necessary, change the initial CO credential.
i.PUT /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/roles/{roleid}
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the password/PED key from its initial value before any other actions are permitted.
ii.PATCH /api/lunasa/hsms/{hsmid}/partitions/{partitionid}/roles/{roleid}
3.Install the lnh_cluster secure package on the Luna Network HSM 7.
a.Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.
pscp <path>/lnh_cluster-1.0.#-###.spkg admin@<appliance_host/IP>:
b.Log in as HSM SO.
POST /api/lunasa/hsms/{hsmid}/login
c.[Optional] Verify that the secure package file is present on the Luna Network HSM 7.
d. [Optional] Verify the package file, specifying the authorization code you received from Thales.
POST /api/lunasa/packageFiles?VerifyOnly=true
e.Install the lnh_cluster secure package.
POST /api/lunasa/packageFiles?VerifyOnly=false
4.[Optional] Enable the cluster service on the appliance (serviceid: cluster). Enabling the service means that it will automatically restart in the case of an appliance reboot.
PATCH /api/lunasa/services/{serviceid}
{ "onBoot": true }
5.Set the IP address to use for the core cluster traffic on this member appliance. This must be the same IP address as one of the appliance's network interfaces.
NOTE The core IP address cannot be changed later, except after factory reset.
{ "service": "core", "IpAddress": "127.0.0.1" }
6.Start the cluster service on the appliance (serviceid: cluster, actionid: start).
POST /api/lunasa/services/{serviceid}/actions/{actionid}
NOTE The cluster service cannot be started if a user partition has not yet been created (refer to step 1).
7.Check the status of the cluster service ("onBoot": true
and running). It may take several minutes for the cluster service to start, and the next step will fail if it is still starting up. This resource reports "status": "stopped"
until the cluster service startup has finished.
GET /api/lunasa/services/{serviceid}
8.[Optional] You can also bind the administrative and cryptographic traffic to the cluster to specified network devices, including assigning a port number from a limited range (admin: 50075-50079, crypto: 50055-50059).
{ "service": "crypto", "interface": "eth0", "port": 50075 }
CAUTION! In this release, changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members. Refer to known issue LUNA-26485.
9.[Optional] Check that the network configuration was set correctly.
You can now create a new cluster on the appliance (see Creating a Cluster) or join a cluster on a different appliance (see Adding a New Member to an Existing Cluster).
LunaSH
Prerequisites
>The Luna Network HSM 7 must be configured and accessible over the network. All members of a cluster must be able to communicate bi-directionally with all other members. Refer to Configuring IP and Network Parameters.
>If you are setting up a cluster on a multifactor quorum-authenticated HSM, you require a local or remote Luna PED. Refer to Multifactor Quorum Authentication for setup procedures.
>The Luna Network HSM 7 must be initialized (see Initializing the HSM).
>Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments.
Refer to:
•Updating the Luna Appliance Software
•Updating the Luna HSM Firmware
•Updating the Luna HSM Client Software
>The Luna Network HSM 7 and any clients must have NTP configured, or have their system clocks synchronized manually. Clocks must be synchronized before starting the cluster service. Refer to NTP on Luna Network HSM 7 or Setting the System Date and Time.
CAUTION! If the system clock is adjusted after the cluster certificate is created, the certificates might not be valid due to date/time. For example, if the certificate is generated while the system clock is ahead by a few minutes, and the clock is then corrected, the certificate will not be valid until the clock catches up to the time it was set to when the cert was created. If the current system time does not fall within the certificate's range of validity, the cluster service fails to start.
To configure a partition for clustering
1.Create a new application partition for cluster and keyring creation.
a.Create a new application partition in LunaSH, specifying a V1 partition.
CAUTION! Using a V0 partition to create a cluster can cause undesired behavior and require you to factory reset the cluster service and recreate the partition.
Only one V1 partition can exist on an appliance configured for clustering; do not create more than one V1 partition.
Refer to Creating or Deleting an Application Partition.
b.Initialize the partition and the Partition Security Officer (PO) role in LunaSH, specifying the policy template filename.
NOTE The partition that will hold the SKS Master Key (SMK) on each cluster member must use the same cloning domain. If you are configuring this appliance to join an existing cluster, ensure that you use the same domain string or PED key that was used to initialize the partition on the primary member.
Refer to Initializing an Application Partition.
c.Set partition policy 40: Require Per-Key Authorization Data to 0 (OFF).
Refer to Setting Partition Policies Manually.
d.Initialize the Crypto Officer (CO) role in LunaSH. If necessary, change the initial CO credential.
NOTE If HSM policy 21: Force user PIN change after set/reset is enabled (this is the default setting), the CO must change the password/PED key from its initial value before any other actions are permitted.
Refer to Initializing the Crypto Officer Role and Changing a Partition Role Credential.
2.Install the lnh_cluster secure package on the Luna Network HSM 7.
a.Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.
pscp <path>/lnh_cluster-1.0.#-###.spkg admin@<appliance_host/IP>:
b.Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).
c.Log in as HSM SO (see Logging In as HSM Security Officer).
lunash:> hsm login
d.[Optional] Verify that the secure package file is present on the Luna Network HSM 7.
lunash:> package listfile
e. [Optional] Verify the package file, specifying the authorization code you received from Thales.
lunash:> package verify <filename>.spkg -authcode <code_string>
f.Install the secure package for the cluster service.
lunash:> package update lnh_cluster-1.0.#-###.spkg -authcode <authcode_string>
The new cluster and keyring commands become available when you open a new LunaSH session.
3.Set the IP address to use for the core cluster traffic on this member appliance. This must be the same IP address as one of the appliance's network interfaces.
NOTE The core IP address cannot be changed later, except after factory reset.
lunash:> cluster config -service core -ipaddress <appliance_IP>
4.If you want the service to restart automatically on appliance reboot, enable the cluster service on the appliance. Enabling the service will automatically start it. Otherwise, start the cluster service.
To enable the cluster service:
lunash:> cluster enable
To start the cluster service without enabling it:
lunash:> service start cluster
NOTE The cluster service cannot be started if a user partition has not yet been created (refer to step 1).
5.Check the status of the cluster service (enabled
and/or running
).
lunash:> cluster status
NOTE It can take up to 1-2 minutes for the cluster service to start. Until startup is complete, the status is reported as starting.
6.[Optional] You can also bind the administrative and cryptographic traffic to the cluster to specified network devices, including assigning a port number from a limited range (admin: 50075-50079, crypto: 50055-50059).
lunash:> cluster config -service admin [-interface <netdevice>] [-port <port>]
lunash:> cluster config -service crypto [-interface <netdevice>] [-port <port>]
CAUTION! In this release, changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members. Refer to known issue LUNA-26485.
7.[Optional] Check that the network configuration was set correctly.
lunash:> cluster config show
You can now create a new cluster on the appliance (see Creating a Cluster) or join a cluster on a different appliance (see Adding a New Member to an Existing Cluster).