Work Load Distribution
This chapter describes some of the benefits and limitations of using Work Load Distribution (WLD) in ProtectToolkit-M.
For more information about this model, see Work Load Distribution model and High Availability.
Benefits of Work Load Distribution
WLD allows work to be balanced across a system by transferring units of work among HSM processing modules during execution. The demand placed on any particular processing module is thereby reduced. This results in an increase in the overall throughput of processing tasks for the system as a whole.
Using multiple HSMs under WLD also provides redundancy: if any HSM other than the master HSM goes down, its work is automatically shared among the remaining operational HSMs. If the master HSM goes down, this will most likely cause system failure.
Work Load Distribution limitations
Read-only
Using ProtectToolkit-M as a CSP under WLD is severely limited. WLD does not support write/create operations. Therefore, the CSP cannot be used to create certificates in WLD mode, because doing so requires creating a key pair. The CSP can, however, be used to sign certificate requests generated by a client, provided the client also generated its own key pair.
Admin Token cannot be distributed - single point of failure
The HSM's admin token contains relevant configuration information, and WLD does not allow replication of admin tokens. ProtectToolkit-M has a 'secure configuration': a collection of configuration items stored in a data object on the admin token, which anyone can read but only the administrator can modify. The relevant secure configuration item here is 'clear export', which specifies whether or not keys can be exported in the clear. Since admin tokens cannot be replicated, it is necessary to expose the admin token of one of the HSMs in the array, called the master HSM, for use by the whole array. If the master HSM fails, the admin token is no longer available, most likely causing system failure.