Configuring a Luna HSM HA Group

If you want to connect a Cryptographic Security Platform Vault cluster to multiple HSM servers, you must create an HA group for those servers on each Cryptographic Security Platform Vault node in the cluster. That way any Admin Keys or KEKs that Cryptographic Security Platform Vault creates will be stored on all HSM servers in the group and can be accessed from any of the HSM servers by any of the Cryptographic Security Platform Vault nodes.

You can create a group with two or more Luna HSMs, or a single Luna Cloud HSM and one or more Luna HSMs.

Before You Begin

Procedure

  1. Use your hypervisor to access one of the VMs in which Cryptographic Security Platform Vault is running, then log into the Cryptographic Security Platform Vault VM console as htadmin. The Cryptographic Security Platform Vault displays the Entrust Cryptographic Security Platform Vault System Console TUI (Text-based User Interface).
  2. From the Entrust Cryptographic Security Platform Vault System Console, select Manage HSM Client Account.
  3. From the Manage HSM Client Account page, select Enable and Set Password for HSM Client Account.
  4. Acknowledge the password requirements at the prompt.
  5. On the Change hsmadmin Password page, specify the password you want to use and select OK.
  6. Select Return to Main Menu.
  7. From the main Entrust Cryptographic Security Platform Vault System Console, select Log Out.
  8. Log into the server as hsmadmin with the password you just specified. Wait until the Cryptographic Security Platform Vault node has retrieved the information about the registered HSM servers and has displayed the lunacm:> prompt. Depending on your network, it may take some time to retrieve this information.
  9. Make sure that all HSM servers on which you registered the Cryptographic Security Platform Vault node, and the Luna Cloud HSM if you are using one, are displayed in the list with assigned Slot IDs and the correct partition labels.

    Important: If you do not see all of the HSM servers that you expect to see, do not continue with this step. Instead, use exit to return to the login prompt and then make sure that you have registered the Cryptographic Security Platform Vault node with all of the HSM servers you want to use.

  10. Create an HA group according to your Luna HSM documentation. The following steps are shown for your convenience and may need to be changed based on the version of your Luna HSM server. The password you specify must be the password for the Luna HSM partitions you entered in the Cryptographic Security Platform Vault webGUI.

    lunacm:>haGroup createGroup -slot 0 -label hagroup -password HSMPartPswd
    Warning: There are objects currently on the new member.
    Do you wish to propagate these objects within the HA
    group, or remove them?

    Type 'copy' to keep and propagate the existing
    objects, 'remove' to remove them before continuing,
    or 'quit' to stop adding this new group member.
    >copy

    At this point, you should see messages stating that the HA group was created without error. If this succeeds, you can add all other HSMs to the HA group.

    lunacm:>haGroup addMember -slot 1 -group hagroup -password HSMPartPswd
    Warning: There are objects currently on the new member.
    Do you wish to propagate these objects within the HA
    group, or remove them?

    Type 'copy' to keep and propagate the existing
    objects, 'remove' to remove them before continuing,
    or 'quit' to stop adding this new group member.
    >copy

    Disable HA group logging with:

    lunacm:> hagroup halog -disable

    Repeat the haGroup addMember command for each additional HSM server until all HSM servers with which you registered this Cryptographic Security Platform Vault node are members of the HA group.

  11. After all members have been added, use the exit command to log out of hsmadmin.
  12. Repeat this procedure on all Cryptographic Security Platform Vault nodes in the cluster.
  13. After you have created the HA group on all nodes in the cluster, go back to the Cryptographic Security Platform Vault webGUI HSM Server Settings page and do the following:

    1. Change the Partition Label or HA Group Name to be the name of the HA group you created.

      Note: If your HA group contains both the Luna HSM and Luna Cloud HSM, you will need to update this field on both tabs on the Thales HSM Server Settings page. Do not generate a new admin key until both tabs have been updated and you have applied the changes.

    2. Click Apply, then click Proceed at the prompt. You should see a message that the HSM hostname or partition label has changed and that you need to regenerate the Admin key. If this message appears, the connection to all of the HSM servers in the HA group succeeded.
    3. To regenerate the Admin key, go to Settings > General Settings > Admin Key Parts, then click Generate New Key. You should get a message that the Admin Key was successfully generated and distributed. To verify this, go back to Settings > System Settings > Luna HSM Server Settings. The Admin Key ID field should display a GUID for the new Admin Key.

      Important: If your HA group contains both the Luna HSM and Luna Cloud HSM, do not generate a new admin key until both tabs have been updated and you have applied all of the changes.