Token Replication

This process replicates tokens across one or more HSMs, required for a system operating in WLD mode. Token replication is not a suitable mechanism to use in place of token export.

Token replication can only be performed on User Tokens (Smart card and Administration Slots are not supported). Refer to The ProtectToolkit-C Model for a description of slot types. Tokens on any User slot can be replicated to any other User slot, on the same HSM or any other in the system. During token replication, all the objects contained within the master token and the master token label are replicated.

CAUTION!   Back up any objects on the target tokens before attempting to replicate a master token, because all objects on the target tokens are erased before the objects from the master token are loaded.

When a system is operating in WLD mode, the token label identifies its associated virtual WLD slot. Refer to Work Load Distribution Model (WLD) and High Availability (HA) for more information.

Once a token has been replicated, any objects created or modified on that token will not be automatically transferred to the replicated tokens. If a token is modified, and token consistency is required, the token replication process must be repeated.

NOTE   WLD requires token consistency, so whenever a token is modified, manual replication to all participating WLD tokens is mandatory.

Replicate tokens by using the following command:

ctkmu rt -d <slotlist> [-s <slot>]

Refer to ctkmu for more information about the preceding command.

The token in the master slot and the replicated tokens must have the same SO and User PINs. When replicating to an uninitialized token, the token's SO PIN is required. If the No Clear PINs flag is set, the User PIN for the importing device's Administration token is also required. Refer to Security Flag Descriptions for more information.

The ctkmu rt command uses slot positional numbers to identify the master and destination slots. The slot positional numbers are dynamically assigned when the command is invoked. If a device goes offline at the moment the command is invoked, the positional device number will be reassigned. This could result in the token being replicated to an incorrect slot. The system should be stable when using this command.

The following examples show how to replicate a token from:

1. the first slot on HSM 0 (slot 0) to the second slot on HSM 1 (slot 5) and the second slot on HSM 2 (slot 9)

2. the second slot on HSM 0 (slot 1) to the first slot on HSM 1 (slot 4) and the third slot on HSM 2 (slot 10)

Replicate Master Tokens to a Single Slot or List of Slots

The following example illustrates replication to a single token and to a list of tokens. This method is recommended for initial configuration.

To replicate Master Tokens to a single slot or list of slots

1. Generate a list of all the slots on the system to find their positional numbers.

Use the ctkmu utility. Refer to ctkmu for more information. For each device, slot positions are assigned in the following order: User slots, Smart card slots, Administration slot. For each slot, the token label is displayed followed by the slot positional number. In the example below, HSM 0 contains 3 User slots, configured with the token labels "WLD_Slot_11" (Slot 0), "WLD_Slot_22" (Slot 1), and "WLD_Slot_33" (Slot 2). These are followed by the Administration slot (Slot 3) with serial number 1197. HSM 1 and HSM 2 each contain 3 slots with uninitialized tokens, followed by the Administration slot. The slot positional number is used to identify the tokens during replication in the next step.

Example:

C:\>ctkmu l
ProtectToolkit C Key Management Utility 5.3.0
Copyright (c) SafeNet, Inc. 2009-2016

Cryptoki Version  = 2.20
Manufacturer      = SafeNet, Inc.
WLD_Slot_11                      (Slot 0)
WLD_Slot_22                      (Slot 1)
WLD_Slot_33                      (Slot 2)
AdminToken (1197)                (Slot 3)
<uninitialized token>            (Slot 4)
<uninitialized token>            (Slot 5)
<uninitialized token>            (Slot 6)
AdminToken (1111)                (Slot 7)
<uninitialized token>            (Slot 8)
<uninitialized token>            (Slot 9)
<uninitialized token>            (Slot 10)
AdminToken (1310)                (Slot 11)

2. Replicate the token.

Use the rt command of the ctkmu utility with two parameters: the slot exporting the token and the list of slots receiving the token (see ctkmu). The exporting slot must have the same SO PIN and User PIN as the receiving slots. When replicating to an uninitialized token, the exporting slot's SO PIN must be entered. If the No Clear PINs flag is set, the User PIN for the receiving device's Administration token is also required. Refer to Security Flag Descriptions for more information.

Examples:

Replicate token from slot 0 to slot 5

C:\>ctkmu rt -s 0 -d 5

Replicate token from slot 0 to slot 9

C:\>ctkmu rt -s 0 -d 9

Replicate token from slot 1 to slot 4 and slot 10

C:\>ctkmu rt -s 1 -d 4,10

To replicate a Master Token to many tokens

The following example illustrates token replication from a master token to many tokens. This method permits tokens to be replicated to other tokens that share the same token label. This method can be used to update tokens after the master token has been modified. This example illustrates the same configuration as in the example above.

1. Generate a list of all the slots on the system to find their positional numbers.

For this method, the receiving slot's token label must be the same as the exporting token's label. In this example, the tokens in HSM 1 and HSM 2 must be initialized with the appropriate token labels. That is, slot 5 and slot 9 must be initialized with the same token label as slot 0, and slot 4 and slot 10 must be initialized with the same token label as slot 1. Refer to Token Initialization for further details.

Example:

C:\>ctkmu l
ProtectToolkit C Key Management Utility 5.3.0
Copyright (c) SafeNet, Inc. 2009-2016

Cryptoki Version  = 2.20
Manufacturer      = SafeNet, Inc.
WLD_Slot_11                      (Slot 0)
WLD_Slot_22                      (Slot 1)
WLD_Slot_33                      (Slot 2)
AdminToken (1197)                (Slot 3)
WLD_Slot_22                      (Slot 4)
WLD_Slot_11                      (Slot 5)
<uninitialized token>            (Slot 6)
AdminToken (1111)                (Slot 7)
<uninitialized token>            (Slot 8)
WLD_Slot_11                      (Slot 9)
WLD_Slot_22                      (Slot 10)
AdminToken (1310)                (Slot 11)

2. Replicate the tokens.

Use the rt command of the ctkmu utility to replicate tokens. When the destination is given as all (-d all), the master token is replicated to every token on the system that shares its token label.

Example:

C:\>ctkmu rt -s0 -d all
C:\>ctkmu rt -s1 -d all
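As an added example, not part of the ProtectToolkit documentation or the ctkmu utility, the following Python script parses a constructed ctkmu l listing in the format shown in the two procedures above, resolves replication targets by token label rather than by hand-copied slot numbers, and compares two listings taken before and after so that a ctkmu rt command is only built when the positional numbering has not shifted (the caveat about devices going offline). It assumes only the listing and command formats shown on this page and builds command strings without invoking ctkmu.

```python
import re

# Constructed sample: the "ctkmu l" listing from the second procedure
# (labels and slot numbers as shown on the page, not captured from a live HSM).
SAMPLE_LISTING = """\
ProtectToolkit C Key Management Utility 5.3.0
Cryptoki Version  = 2.20
Manufacturer      = SafeNet, Inc.
WLD_Slot_11                      (Slot 0)
WLD_Slot_22                      (Slot 1)
WLD_Slot_33                      (Slot 2)
AdminToken (1197)                (Slot 3)
WLD_Slot_22                      (Slot 4)
WLD_Slot_11                      (Slot 5)
<uninitialized token>            (Slot 6)
AdminToken (1111)                (Slot 7)
<uninitialized token>            (Slot 8)
WLD_Slot_11                      (Slot 9)
WLD_Slot_22                      (Slot 10)
AdminToken (1310)                (Slot 11)
"""

# One slot line: token label, padding, then "(Slot N)".
SLOT_LINE = re.compile(r"^(?P<label>.*?)\s+\(Slot (?P<slot>\d+)\)\s*$")

def parse_listing(text):
    """Map slot positional number -> token label from 'ctkmu l' output."""
    slots = {}
    for line in text.splitlines():
        m = SLOT_LINE.match(line)
        if m:
            slots[int(m.group("slot"))] = m.group("label").strip()
    return slots

def is_user_token(label):
    # Administration slots and uninitialized tokens are never label-matched targets.
    return not (label.startswith("AdminToken") or label == "<uninitialized token>")

def plan_replication(slots, master):
    """Build the 'ctkmu rt' command for one master slot, choosing targets by label."""
    label = slots.get(master)
    if label is None or not is_user_token(label):
        raise ValueError(f"slot {master} is not an initialized User token")
    targets = sorted(s for s, l in slots.items() if l == label and s != master)
    if not targets:
        raise ValueError(f"no other slot carries label {label!r}")
    return f"ctkmu rt -s {master} -d {','.join(str(t) for t in targets)}"

def check_stable(before, after):
    """Listings taken before and after must agree, else slot numbers may have shifted."""
    return parse_listing(before) == parse_listing(after)
```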