cluster config set
Configure the cluster network settings. Use this command to direct cluster network traffic (admin or crypto) through one of the appliance's network interfaces, and to set the IP address used by the core cluster service; the core IP must be the address of one of the appliance's own network interfaces. The command also sets the identity mode and client assignment mode for the cluster. Refer to Keyring Roles and Identity Modes and Client Assignment Modes for important information about these modes.
NOTE This command requires minimum Luna Appliance Software 7.9.0 with the lnh_cluster-1.0.5 package installed. For older versions, see cluster config.
Thales requires minimum Luna Appliance Software 7.8.5 with the lnh_cluster-1.0.4 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.7.2 to use clusters in production environments, or minimum Luna Appliance Software 7.9.0 with the lnh_cluster-1.0.5 package, Luna HSM Firmware 7.8.4, and Luna HSM Client 10.8.0 to migrate keys from Luna application partitions.
TIP Use lunash:> cluster status to ensure that the cluster service is in either the not running or running state before setting or changing the cluster configuration. Using this command while the cluster service is starting or stopping can interrupt the operation and result in a failed state, requiring lunash:> service restart cluster.
REST API: PUT /api/cluster/config
User Privileges
Users with the following privileges can perform this command:
Admin
Syntax
cluster config set -service <service> [-identity <mode>] [-clientAssignment <mode>] [-ipaddress <ipaddress>] [-interface <netdevice>] [-port <port>]
Argument(s) | Shortcut | Description
---|---|---
-clientAssignment <mode> | -c | Specifies the client assignment mode to use for the cluster. Valid values: auto, manual. Auto-Assignment Mode (default): keyrings are automatically assigned to all registered clients, and all keyrings on the cluster are visible in LunaCM on any registered client. Manual Assignment Mode: keyrings must be manually assigned to or unassigned from registered clients, and clients can see only the keyrings assigned to them. A keyring can be assigned to multiple clients.
-interface <netdevice> | -in | Specifies the network device to bind admin or crypto network traffic to. Valid values: eth0, eth1, eth2, eth3, bond0, bond1, all
-identity <mode> | -id | Specifies the identity mode to use for the cluster. Valid values: single, dual. Single-Identity Mode (default): the KRSO and KRCO roles on each keyring are intended to be held by the same individual and use the same password; when the password for one role is changed, the change is applied to the other role as well. Dual-Identity Mode: the KRSO and KRCO roles on each keyring use separate passwords, and this separation is enforced using the same rules as standard Luna application partitions. Dual-Identity Mode is required if you are migrating keys from standard Luna partitions to keyrings.
-ipaddress <ipaddress> | -ip | Specifies the IP address to use for the core cluster traffic. This must be the IP address of one of the appliance's network interfaces.
-port <port> | -p | Specifies the port to use for the selected type of traffic. Valid values: admin service (default 50070): 50075-50079; crypto service (default 50052): 50055-50059. CAUTION! In this release, changing the default port used for crypto operations on the cluster (50052) can cause communication problems between cluster members. Refer to known issue LUNA-26485.
-service <service> | -s | Specifies the type of network traffic to configure. Valid values: core, admin, crypto
Example
lunash:>cluster config set -service core -ipaddress 1.2.3.4 -identity dual -clientAssignment manual

Command Result : 0 (Success)
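The preflight validator below is an added example; it is not part of the Thales documentation or the Luna product code. It encodes the constraints this page states (the core IP must belong to one of the appliance's interfaces, admin and crypto ports must stay at the default or within the documented ranges, a non-default crypto port triggers the LUNA-26485 caution, and the cluster service must be in the running or not running state before reconfiguring), so an operator or automation script can refuse a bad invocation before it is typed into lunash. The set of interface IPs and the cluster-status state string are inputs you would gather from the appliance; the values used here are constructed, and the page does not show the exact output format of cluster status, so the state is passed in as a plain string.

```python
# Added example (not Thales code): preflight checks for lunash "cluster config set".
# Inputs (interface IPs, cluster service state) are constructed samples; on a real
# appliance they would come from "network show" and "cluster status" output.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

VALID_SERVICES = {"core", "admin", "crypto"}
VALID_INTERFACES = {"eth0", "eth1", "eth2", "eth3", "bond0", "bond1", "all"}
VALID_IDENTITY = {"single", "dual"}
VALID_ASSIGNMENT = {"auto", "manual"}

# Documented default port and permitted non-default range for each service.
PORT_RULES = {
    "admin": (50070, range(50075, 50080)),   # 50075-50079
    "crypto": (50052, range(50055, 50060)),  # 50055-50059
}

# Per the TIP on the page: only reconfigure while the cluster service is idle.
SAFE_STATES = {"running", "not running"}


@dataclass
class ClusterConfigRequest:
    service: str
    ipaddress: Optional[str] = None
    interface: Optional[str] = None
    port: Optional[int] = None
    identity: Optional[str] = None
    client_assignment: Optional[str] = None


def validate(req: ClusterConfigRequest, interface_ips: Set[str],
             service_state: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Empty errors means the command is safe to issue."""
    errors: List[str] = []
    warnings: List[str] = []

    if service_state not in SAFE_STATES:
        errors.append(f"cluster service is '{service_state}'; wait for 'running' or "
                      "'not running', or run 'service restart cluster' if it is 'failed'")

    if req.service not in VALID_SERVICES:
        errors.append(f"-service must be one of {sorted(VALID_SERVICES)}")
        return errors, warnings  # remaining checks depend on the service type

    if req.identity is not None and req.identity not in VALID_IDENTITY:
        errors.append(f"-identity must be one of {sorted(VALID_IDENTITY)}")
    if req.client_assignment is not None and req.client_assignment not in VALID_ASSIGNMENT:
        errors.append(f"-clientAssignment must be one of {sorted(VALID_ASSIGNMENT)}")
    if req.interface is not None and req.interface not in VALID_INTERFACES:
        errors.append(f"-interface must be one of {sorted(VALID_INTERFACES)}")

    if req.service == "core":
        # The core IP must be an address actually bound to one of the appliance's NICs.
        if req.ipaddress is None:
            errors.append("-service core requires -ipaddress")
        elif req.ipaddress not in interface_ips:
            errors.append(f"{req.ipaddress} is not the address of any appliance interface "
                          f"({', '.join(sorted(interface_ips))})")
    elif req.port is not None:
        default, allowed = PORT_RULES[req.service]
        if req.port != default and req.port not in allowed:
            errors.append(f"-port for {req.service} must be {default} (default) or "
                          f"{allowed.start}-{allowed.stop - 1}")
        elif req.service == "crypto" and req.port != default:
            # Known issue LUNA-26485: a non-default crypto port can break member communication.
            warnings.append("changing the crypto port from 50052 can cause communication "
                            "problems between cluster members (LUNA-26485)")
    return errors, warnings


def build_command(req: ClusterConfigRequest) -> str:
    """Render the lunash command line in the option order used by the page's example."""
    parts = ["cluster config set", f"-service {req.service}"]
    if req.ipaddress is not None:
        parts.append(f"-ipaddress {req.ipaddress}")
    if req.interface is not None:
        parts.append(f"-interface {req.interface}")
    if req.port is not None:
        parts.append(f"-port {req.port}")
    if req.identity is not None:
        parts.append(f"-identity {req.identity}")
    if req.client_assignment is not None:
        parts.append(f"-clientAssignment {req.client_assignment}")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: the page's own example against a fictional appliance with two NICs.
    nic_ips = {"1.2.3.4", "10.0.0.5"}
    good = ClusterConfigRequest("core", ipaddress="1.2.3.4", identity="dual",
                                client_assignment="manual")
    print(validate(good, nic_ips, "not running"), build_command(good))
    bad = ClusterConfigRequest("crypto", interface="eth1", port=50053)
    print(validate(bad, nic_ips, "starting"))
```

The validator fails closed: anything it cannot confirm against the rules on this page is reported as an error, and the only warning it emits is the documented crypto-port caution, which is left as a warning because the page describes it as a known issue rather than an invalid value.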