Adding a New Luna HSM to an Existing Luna HSM Configuration

If you have already configured your Cryptographic Security Platform Vault cluster to use a Luna hardware security module (HSM) server, you can add a new Luna HSM server to your configuration at any time. Adding additional HSM servers and configuring an HA Group provides High Availability (HA) if one HSM server should become unreachable.

The following procedure describes how to add an additional Luna HSM when you have already configured one or more Luna HSMs. If you only have a Luna Cloud HSM configured, see Configuring Cryptographic Security Platform Vault as a Luna HSM Client with a Single Cluster Certificate or Configuring CSP Vault as a Luna HSM Client with Individual Node Certificates. If this is the first time you are configuring an HSM server for your Cryptographic Security Platform Vault cluster, see Hardware Security Modules with Cryptographic Security Platform Vault.

Before You Begin 

For the new HSM server that you want to connect to Cryptographic Security Platform Vault, make sure you have the following information available:

  • The HSM server name.
  • The user name and password for an HSM account with Admin privileges.

  • The HSM partition name and partition password. We recommend that you use a different partition name on each HSM server so that you can tell the servers apart when you are working with the HA group.

    Note: Luna requires that the partition password be the same on all servers in an HA group, and that certain configuration options be the same on all HSM servers in the group. For details, see your Luna HSM documentation.

You will also need:

  • A Cryptographic Security Platform Vault account with Security Admin privileges.
  • Access to the new HSM server via a shell account. The following procedure uses scp and ssh to connect to the server.

Note: The following instructions are specific to the Luna HSM.

Procedure 

  1. Download the HSM server certificate file server.pem from the new HSM server. We recommend that you rename the server.pem certificate file so that you know which HSM server goes with which certificate file.

    For example, if the new HSM server is hsm2.my-company.com, you could enter:

    # scp admin@hsm2.my-company.com:server.pem ./hsm2cert.pem
    admin@hsm2.my-company.com's password: 
    
    server.pem             100% 1155     1.1KB/s   00:00 
  2. Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges.
  3. In the top right, click the Switch to Appliance Management link.
  4. In the top menu bar, click Settings.
  5. In the System Settings section, click HSM Server Settings.
  6. On the HSM Server Settings page, select Thales Luna HSM from the Type drop-down list and click Configure.
  7. On the Luna HSM Server Settings tab, select the Luna HSM tab and then specify the settings for the new HSM server:

    1. Change the Hostname to the name of the new HSM server.
    2. Change the Partition Label or HA Group Name to the partition that Cryptographic Security Platform Vault should use on the new HSM server. We recommend that you use a different partition name on each server so that you can tell which server is which when you are creating the Luna HA group later in this procedure.
    3. In the Server Certificate field, click Browse and select the server certificate for this HSM server.
    4. Click Apply, then click Proceed at the prompt. Do not test the connection yet: the test cannot succeed until the Cryptographic Security Platform Vault client has been registered on the new HSM server in step 10.

    Note: Because Luna requires that all HSM servers in a High Availability group have the same password, you do not need to enter the password for any additional HSM servers. Cryptographic Security Platform Vault automatically uses the most recent password entered for all servers in the group.

  8. If you do not have the original Cryptographic Security Platform Vault client cluster certificate or node certificates, you need to regenerate them. How you do so depends on the selected Client Mode:

    CLUSTER: Select Actions > Generate Client Certificate. Cryptographic Security Platform Vault saves a file named client-name.pem to your browser's default download location.

    NODE:
    1. Navigate to the Client List tab.
    2. Select the first node in the list, then select Actions > Generate Client Certificate for node-name.domain-name. Cryptographic Security Platform Vault generates a unique certificate for that node, named node-name.domain-name.pem, and downloads it to your browser's default download location.
    3. Repeat step 2 for each node in the cluster until you have a full set of node certificates.

    Note: If you regenerate the cluster certificate or node certificates, you must upload the new certificate(s) to all the Luna HSM servers, not only the new one, because the existing servers will no longer accept connections made with the old certificate(s).

  9. Upload the cluster certificate or the individual node certificates to the home directory of the admin user on the new HSM server. This is where a file lands when you scp it to admin@hostname: with no path, as in the examples below, and it is where the HSM looks for the certificate when you register the client in step 10.

    Cluster Mode Example

    If your Cryptographic Security Platform Vault cluster name is KC_Cluster and the new HSM server is hsm2.my-company.com, you would enter:

    # scp KC_Cluster.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password: 
    
    KC_Cluster.pem             100% 1164     1.1KB/s   00:00			

    Node Mode Example

    If you have two Cryptographic Security Platform Vault nodes named KC-1 and KC-2 and the new HSM server is hsm2.my-company.com, you would enter:

    # scp KC-1.my-company.com.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password: 
    
    KC-1.my-company.com.pem             100% 1164     1.1KB/s   00:00 
    
    # scp KC-2.my-company.com.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password: 
    
    KC-2.my-company.com.pem             100% 1164     1.1KB/s   00:00
    
  10. Using a shell account, log into the new HSM server and:

    1. Register the new Cryptographic Security Platform Vault client, using the client name for both the -client and -hostname parameters. The HSM looks for a certificate file named <hostname>.pem in the directory you uploaded it to, so the name you pass must match the uploaded file name exactly. Use double quotes if the client name includes any periods or spaces.

      Tip: If the registration fails because a client of that name already exists, you need to delete the existing client before you register the new one. You cannot change the client name after the initial HSM configuration has been completed.

    2. Assign any partitions that you intend to use to the Cryptographic Security Platform Vault client.

      Note: This should include the partition specified above, and any others that you intend to use from Vaults.

    Cluster Mode Example

    For example, if you want the Cryptographic Security Platform Vault client KC_Cluster to be assigned to KC_partition2 on hsm2.my-company.com, you could enter:

    # ssh admin@hsm2.my-company.com
    admin@hsm2.my-company.com's password:
    
    [hsm2] lunash:>client register -client KC_Cluster -hostname KC_Cluster
    'client register' successful 
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client KC_Cluster -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>exit
    

    Node Mode Example

    For example, if you want the Cryptographic Security Platform Vault clients KC-1 and KC-2 to be assigned to KC_partition2 on hsm2.my-company.com, you could enter:

    # ssh admin@hsm2.my-company.com
    admin@hsm2.my-company.com's password:
    
    [hsm2] lunash:>client register -client "KC-1.my-company.com" -hostname "KC-1.my-company.com" 
    'client register' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client register -client "KC-2.my-company.com" -hostname "KC-2.my-company.com"
    'client register' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client "KC-1.my-company.com" -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client "KC-2.my-company.com" -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
  11. Repeat this procedure for any more Luna HSMs that you wish to add. If you wish to add a Luna Cloud HSM, see Adding a Luna Cloud HSM to an Existing Luna HSM Configuration.

    After you have configured all the Luna HSM servers and optionally a Luna Cloud HSM, create a Luna HSM HA group that links the HSM servers together so that all keys will be saved to all servers in the group. For details, see Configuring a Luna HSM HA Group.
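The shell side of this procedure (steps 1, 9 and 10), collected into a small set of POSIX sh functions as an added example. This is not vendor code and not part of the Luna tooling. The host name hsm2.my-company.com, the admin account, the client names KC_Cluster, KC-1.my-company.com and KC-2.my-company.com and the partition label KC_partition2 are illustrative; it assumes the appliance accepts a lunash command on the ssh command line (if yours does not, paste the generated lines into an interactive lunash session instead). The webGUI steps 2 to 8 are still done by hand between fetch_server_cert and upload_client_certs. With DRY_RUN=1 every scp and ssh command is printed instead of executed, so the generated commands can be reviewed before touching the HSM.

```shell
#!/bin/sh
# add_luna_hsm.sh: register an existing Vault client (cluster or node mode)
# on a new Luna HSM server. Added example, not vendor code. All host, client
# and partition names are illustrative. DRY_RUN=1 prints each scp/ssh command
# instead of running it; each real call prompts for the HSM admin password
# unless SSH key authentication is configured on the appliance.
#
# Order of use (webGUI steps 2 to 8 happen between the first two calls):
#   fetch_server_cert   hsm2.my-company.com hsm2cert
#   upload_client_certs hsm2.my-company.com KC_Cluster
#   register_clients    hsm2.my-company.com KC_partition2 KC_Cluster
# Node mode uses one certificate per node:
#   upload_client_certs hsm2.my-company.com KC-1.my-company.com KC-2.my-company.com
#   register_clients    hsm2.my-company.com KC_partition2 KC-1.my-company.com KC-2.my-company.com

LUNA_USER="${LUNA_USER:-admin}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: download server.pem and save it under a name that identifies the HSM.
fetch_server_cert() {
    fs_host="$1"; fs_alias="$2"
    run scp "$LUNA_USER@$fs_host:server.pem" "./$fs_alias.pem"
}

# Step 9: upload the client certificate(s) to the admin home directory on the
# HSM. lunash 'client register -hostname NAME' looks for NAME.pem there, so
# the local file must carry exactly the client name; fail early if it does not.
upload_client_certs() {
    uc_host="$1"; shift
    for uc_client in "$@"; do
        if [ ! -f "./$uc_client.pem" ]; then
            echo "certificate ./$uc_client.pem not found" >&2
            return 1
        fi
        run scp "./$uc_client.pem" "$LUNA_USER@$uc_host:" || return 1
    done
}

# Step 10: the lunash lines that register each client, assign it every
# partition it needs, and then show the client so the assignment can be
# checked. Names are double-quoted because node names contain periods.
lunash_commands() {
    lc_partitions="$1"; shift          # space-separated partition labels
    for lc_client in "$@"; do
        printf 'client register -client "%s" -hostname "%s"\n' "$lc_client" "$lc_client"
        for lc_part in $lc_partitions; do
            printf 'client assignPartition -client "%s" -partition %s\n' "$lc_client" "$lc_part"
        done
        printf 'client show -client "%s"\n' "$lc_client"
    done
}

# Run the generated lunash lines over ssh, stopping at the first failure so a
# partition is never assigned to a client whose registration did not succeed.
register_clients() {
    rc_host="$1"; rc_partitions="$2"; shift 2
    lunash_commands "$rc_partitions" "$@" | while IFS= read -r rc_cmd; do
        run ssh "$LUNA_USER@$rc_host" "$rc_cmd" || exit 1
    done
}
```

Because lunash_commands prints one command per line, its output can also be saved with `lunash_commands KC_partition2 KC_Cluster > hsm2.lunash` and pasted into a lunash session when command-line execution over ssh is not available. The trailing `client show` is the check a practitioner wants after step 10: its output should list every partition the Vault cluster is meant to use on the new server.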