Configuring an nShield HSM for High Availability
After you have configured KeyControl as an nShield HSM client, you can add an additional nShield HSM to create a high availability cluster. You can either use a standalone KeyControl node or a KeyControl cluster.
When the KeyControl cluster is configured with multiple HSM servers, the KeyControl cluster uses HSM servers for High Availability (HA) and load sharing purposes. The HSM servers are not affiliated with specific KeyControl node(s), but are configured for and used by ALL members of the KeyControl cluster.
Before You Begin
- Ensure that you have completed Configuring KeyControl as an HSM Client using an nShield HSM.
- Obtain the Security World Bundle file for the new HSM that you want to add. It must contain the same security world as the Security World Bundle file of the first HSM server, but its module file must be for the new HSM. Please contact your HSM Administrator to ensure that this is set up correctly.
  You cannot establish HA functionality if the servers do not share the same security world.
  Tip: For more information, see the 'Security Worlds' and 'Creating and Managing a Security World' chapters of your nShield Connect User Guide.
FIPS 140-2 Level 3 – smart card requirement
If your nShield HSMs are configured in a FIPS 140-2 Level 3 compliant Security World environment, an ACS or OCS card must be loaded in all HSMs. When using multiple HSMs for high availability, operations are load balanced between the HSM servers connected to KeyControl. If one HSM fails, traffic is rerouted to another HSM. If a valid card is not present in an HSM, that HSM continues to receive traffic, but operations requiring a FIPS authorization token will fail on it. A valid card (with a listed serial number, unless 'Accept all cards' is selected) must be loaded in every HSM to ensure operations do not fail. For more information regarding nShield HSMs and FIPS 140-2 Level 3, see Hardware Security Modules with KeyControl.
Note: If you wish to use OCS cards that were not included in the security world bundle previously uploaded, ensure that the corresponding card files are included in the new bundle.
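The same-security-world requirement above can be checked before the upload. The following is an added example, not KeyControl or nShield code: it compares the first HSM's bundle with the new one and assumes each bundle is a zip whose entries follow the nShield kmdata naming (a 'world' file plus 'module_<ESN>' files); adapt the names if your bundles differ.

```python
# Added example, not KeyControl or nShield code: a pre-flight check on two Security
# World Bundles (the first HSM's and the new HSM's) before adding the second HSM.
# Assumption: each bundle is a zip (world.zip) whose entries use the nShield kmdata
# naming, a 'world' file plus 'module_<ESN>' files; adapt the names if yours differ.
import io
import re
import zipfile

# nShield ESNs are written as three groups of four hex digits, e.g. 1A2B-3C4D-5E6F.
MODULE_RE = re.compile(r"(?:.*/)?module_([0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4})$")

def bundle_parts(data: bytes):
    """Return (world_bytes_or_None, {esn: module_bytes}) from an in-memory zip."""
    world, modules = None, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] == "world":
                world = zf.read(name)
            m = MODULE_RE.match(name)
            if m:
                modules[m.group(1)] = zf.read(name)
    return world, modules

def check_ha_bundle(first: bytes, new: bytes, new_esn: str) -> list:
    """List the reasons the new bundle cannot join the first HSM's security world.
    Empty list: same 'world' file, and a module file for new_esn that the first
    bundle does not already carry."""
    world_first, modules_first = bundle_parts(first)
    world_new, modules_new = bundle_parts(new)
    problems = []
    if world_first is None or world_new is None:
        problems.append("a bundle is missing its 'world' file")
    elif world_first != world_new:
        problems.append("security worlds differ: HA cannot be established")
    if new_esn not in modules_new:
        problems.append(f"new bundle has no module file for ESN {new_esn}")
    if new_esn in modules_first:
        problems.append(f"ESN {new_esn} is already in the first HSM's bundle")
    return problems

def make_bundle(world: bytes, esn: str) -> bytes:
    """Build a constructed sample bundle in memory (placeholder bytes, not a real world)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("world", world)
        zf.writestr(f"module_{esn}", b"constructed-module-" + esn.encode())
    return buf.getvalue()

if __name__ == "__main__":
    first = make_bundle(b"constructed-world-A", "1111-2222-3333")
    new = make_bundle(b"constructed-world-A", "4444-5555-6666")
    print(check_ha_bundle(first, new, "4444-5555-6666") or "bundle is HA-compatible")
```

For real bundles, read both zip files with `open(path, "rb").read()` and pass the new HSM's ESN exactly as it will be entered on the Enrollment screen.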
Procedure
- Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the System Settings section, click HSM Server Settings.
- On the nShield HSM Server Settings page, click the Client List and copy the IP address and keyhash of the KeyControl nodes.
- Use the IP address and keyhash to authenticate KeyControl on nShield. Please see your nShield documentation.
  Important: For KeyControl clusters, you will need to authenticate the IP address and keyhash for each KeyControl cluster node.
- Copy the Security World Bundle from nShield and place it on your local machine. It should be in the format world.zip.
- On the Server List tab of the nShield HSM Server Settings page, select Actions > Add New HSM Server.
- After reading the Get Started Screen, click Continue.
- On the Enrollment screen, complete the following fields:
  Note: All information is from the nShield HSM. The Server Name is used for display purposes and the Server IP/FQDN is used for communication.
  Server Name: Enter the FQDN of the nShield HSM.
  Server IP/FQDN: Enter the IP address or FQDN for the nShield HSM.
  Server ESN: Enter the nShield Electronic Serial Number (ESN).
  Server Port: Enter the port used for the nShield HSM.
  Server Keyhash: Enter the keyhash of the nShield HSM.
- Click Enroll and Continue.
- On the Security World screen, click Browse and locate the security world bundle that you downloaded from the nShield HSM.
- Click Upload and Continue.
- If you are using a FIPS 140-2 Level 3 Security World, on the Card List screen, select one of the following:
  - Accept all cards—Accepts all nShield Remote Administration smart cards.
  - Add Specific cards—Accepts specific nShield Remote Administration smart cards. To add a card, click + Add Card, enter the card serial number and optional description, check the Enable checkbox, and click Add. You can add multiple cards at one time.
- If you are using a FIPS 140-2 Level 3 Security World, on the Softcard screen, enter the Softcard Label and Softcard Password that you want to use to link to the HSM server.
  You must have entered a valid smart card or selected Accept all cards in order to create a Softcard. The Softcard Label and Softcard Password must meet the following requirements:
  Softcard Label
  - At least 8 characters
  - No more than 31 characters
  - Can include uppercase, lowercase, numbers, and special characters
  - No space or tab character
  Softcard Password
  - At least 8 characters
  - No more than 127 characters
  - At least 1 uppercase
  - At least 1 lowercase
  - At least 1 number
  - No space or tab character
- Click Complete Setup.
After the setup is complete, you will be returned to the nShield HSM Server Settings page, which now displays the values for both HSMs on the Server List tab.
Note: If the configuration failed, then you can simply remove the HSM by selecting it and then selecting Actions > Remove Server and add it again.
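The Softcard Label and Softcard Password rules from the Softcard step can be checked ahead of time, which is useful when the values are generated by a provisioning script rather than typed by hand. The following is an added example, not KeyControl or nShield code; the sample values in it are constructed.

```python
# Added example, not KeyControl or nShield code: validates a proposed Softcard
# Label and Softcard Password against the requirements listed in the procedure,
# so the values can be checked before they are entered on the Softcard screen.

def validate_softcard_label(label: str) -> list:
    """Return the rule violations for a Softcard Label (empty list = valid)."""
    problems = []
    if len(label) < 8:
        problems.append("label: at least 8 characters")
    if len(label) > 31:
        problems.append("label: no more than 31 characters")
    # Uppercase, lowercase, digits and special characters are all allowed;
    # only whitespace (space or tab) is rejected.
    if any(c in " \t" for c in label):
        problems.append("label: no space or tab character")
    return problems

def validate_softcard_password(password: str) -> list:
    """Return the rule violations for a Softcard Password (empty list = valid)."""
    problems = []
    if len(password) < 8:
        problems.append("password: at least 8 characters")
    if len(password) > 127:
        problems.append("password: no more than 127 characters")
    if not any(c.isupper() for c in password):
        problems.append("password: at least 1 uppercase")
    if not any(c.islower() for c in password):
        problems.append("password: at least 1 lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("password: at least 1 number")
    if any(c in " \t" for c in password):
        problems.append("password: no space or tab character")
    return problems

def validate_softcard(label: str, password: str) -> list:
    """Combine both checks; an empty list means the pair satisfies every rule."""
    return validate_softcard_label(label) + validate_softcard_password(password)

if __name__ == "__main__":
    # Constructed sample values, not credentials from any real deployment.
    for lab, pw in [("kc-hsm-softcard", "Example-Passw0rd"), ("short", "weak pass")]:
        print(lab, "/", pw, "->", validate_softcard(lab, pw) or "OK")
```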