Adding a New HSM to an Existing Single HSM Configuration

If you have already configured your KeyControl cluster to use a hardware security module (HSM) server, you can add a new HSM server to your configuration at any time. Adding additional HSM servers provides High Availability (HA) if one HSM server should become unreachable.

The following procedure describes how to add a second HSM and configure your HA Group. If you already have an HA group configured, see Adding a New HSM to an Existing Single HSM Configuration. If this is the first time you are configuring an HSM server for your KeyControl cluster, see Hardware Security Modules with KeyControl.

Before You Begin 

For the new HSM server that you want to connect to KeyControl, make sure you have the following information available:

  • The HSM server name.
  • The user name and password for an HSM account with Admin privileges.
  • The HSM partition name and partition password. We recommend that you use a different partition name on each HSM server so that you can tell the servers apart when you are working with the HA group.

    Note: SafeNet requires that the partition password be the same on all servers in an HA group. SafeNet also requires that certain configuration options be the same on all HSM servers in the group. For details, see your SafeNet LUNA documentation.

You will also need:

  • A KeyControl account with Security Admin privileges.
  • Access to the new HSM server via a shell account. The following procedure uses ssh to connect to the server.

Note: The following instructions are specific to the SafeNet LUNA SA HSM from Gemalto.

Procedure 

  1. Download the HSM server certificate file server.pem from the new HSM server. We recommend that you rename the server.pem certificate file so that you know which HSM server goes with which certificate file.

    For example, if the new HSM server is hsm2.my-company.com, you could enter:

    # scp admin@hsm2.my-company.com:server.pem ./hsm2cert.pem
    admin@hsm2.my-company.com's password: 
    
    server.pem             100% 1155     1.1KB/s   00:00

  2. Log into the KeyControl webGUI using an account with Security Admin privileges.
  3. In the top menu bar, click Settings.
  4. In the System Settings section, click HSM Server Settings.
  5. On the HSM Server Settings tab, do the following:

    1. Change the Hostname to the name of the new HSM server.
    2. Change the Partition Label or HA Group Name to the partition that KeyControl should use on the new HSM server. We recommend that you use a different partition name on each server so that you can tell which server is which when you are creating the SafeNet HA group later in this procedure.
    3. In the Server Certificate field, click Browse and select the server certificate for this HSM server.
    4. Click Apply, then click Proceed at the prompt. Do not test the connection yet.

    Note: Because SafeNet requires that all HSM servers in a High Availability group have the same partition password, you do not need to enter the password for any additional HSM servers. KeyControl automatically uses the most recent password entered for all servers in the group.
  6. If you do not have the original KeyControl client cluster certificate or node certificates, you need to regenerate them. How you do so depends on the selected Client Mode.

    Client Mode Setting: CLUSTER
    Steps to Regenerate the Certificates:
      Select Actions > Generate Client Certificate. KeyControl automatically saves the client-name.pem file to your browser's default download location.

    Client Mode Setting: NODE
    Steps to Regenerate the Certificates:
      1. Navigate to the Client List tab.
      2. Select the first node in the list, then select Actions > Generate Client Certificate for node-name.domain-name. KeyControl automatically generates a unique certificate for that node called node-name.domain-name.pem and downloads it to your browser's default download location.
      3. Repeat step 2 for each node in the cluster until you have a full set of node certificates.
  7. Upload the cluster certificate or the individual node certificates to the root directory on the new HSM server.

    Cluster Mode Example

    If your KeyControl cluster name is KC_Cluster and the new HSM server is hsm2.my-company.com, you would enter:

    # scp KC_Cluster.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password: 
    
    KC_Cluster.pem             100% 1164     1.1KB/s   00:00

    Node Mode Example

    If you have two KeyControl nodes named KC-1 and KC-2 and the new HSM server is hsm2.my-company.com, you would enter:

    # scp KC-1.my-company.com.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password: 
    
    KC-1.my-company.com.pem             100% 1164     1.1KB/s   00:00 
    
    # scp KC-2.my-company.com.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password: 
    
    KC-2.my-company.com.pem             100% 1164     1.1KB/s   00:00
    
  8. Using a shell account, log into the new HSM server and:

    1. Register the new KeyControl client using the client name for both the client name and hostname parameters. Use double quotes if the client name includes any periods or spaces.

      Tip: If the registration fails because a client of that name already exists, you need to delete the existing client. You cannot change the client name after the initial HSM configuration has been completed.
    2. Assign a partition to the KeyControl client.

    Cluster Mode Example

    For example, if you want the KeyControl client KC_Cluster to be assigned to KC_partition2 on hsm2.my-company.com, you could enter:

    # ssh admin@hsm2.my-company.com
    admin@hsm2.my-company.com's password:
    
    [hsm2] lunash:>client register -client KC_Cluster -hostname KC_Cluster
    'client register' successful 
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client KC_Cluster -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>exit
    

    Node Mode Example

    For example, if you want the KeyControl clients KC-1 and KC-2 to be assigned to KC_partition2 on hsm2.my-company.com, you could enter:

    # ssh admin@hsm2.my-company.com
    admin@hsm2.my-company.com's password:
    
    [hsm2] lunash:>client register -client "KC-1.my-company.com" -hostname "KC-1.my-company.com" 
    'client register' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client register -client "KC-2.my-company.com" -hostname "KC-2.my-company.com"
    'client register' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client "KC-1.my-company.com" -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client "KC-2.my-company.com" -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
  9. Create a SafeNet HA group that links the two HSM servers together so that all keys will be saved to all servers in the group. For details, see Configuring a SafeNet HA Group.
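The command-line parts of the procedure above (step 1, step 7 and the lunash commands in step 8) can be driven from a small POSIX shell script. The script below is an added example written for this page; it is not part of the KeyControl or SafeNet documentation. It assumes the values used in the examples above (hsm2.my-company.com, the admin account, KC_partition2, certificate files named after the cluster or node) and that openssl and scp are installed on the machine you run it from. It adds one check the procedure itself does not spell out: it confirms that the downloaded server.pem is actually a PEM certificate and prints its SHA-256 fingerprint so you can confirm it out of band with the HSM administrator before uploading it to KeyControl. The lunash commands are printed for you to enter in the lunash session, with the quoting rule from step 8 applied automatically.

```shell
#!/bin/sh
# Added example (not from the KeyControl or SafeNet docs): helper functions for
# adding a second Luna SA HSM to a KeyControl cluster.
# Assumed values: HSM_HOST=hsm2.my-company.com, HSM_USER=admin, PARTITION=KC_partition2.

# quote_luna_name NAME
#   lunash needs double quotes around a client name that contains a period or a
#   space (step 8); names without them are passed through unchanged.
quote_luna_name() {
  case "$1" in
    *.*|*' '*) printf '"%s"' "$1" ;;
    *)         printf '%s' "$1" ;;
  esac
}

# register_cmds PARTITION CLIENT...
#   Print the lunash commands that register each KeyControl client (the cluster
#   name in CLUSTER mode, one node FQDN per node in NODE mode) and assign all of
#   them to PARTITION. All registrations are printed first so that every client
#   exists before a partition is assigned to it.
register_cmds() {
  partition=$1
  shift
  for client in "$@"; do
    q=$(quote_luna_name "$client")
    printf 'client register -client %s -hostname %s\n' "$q" "$q"
  done
  for client in "$@"; do
    q=$(quote_luna_name "$client")
    printf 'client assignPartition -client %s -partition %s\n' "$q" "$partition"
  done
}

# check_cert_pem FILE
#   Return 0 only when FILE is non-empty and carries PEM certificate markers.
#   Catches an empty or truncated download before the file reaches KeyControl.
check_cert_pem() {
  [ -s "$1" ] &&
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q '^-----END CERTIFICATE-----' "$1"
}

# fetch_server_cert HOST USER OUTFILE
#   Step 1: copy server.pem from the HSM under a per-server file name, validate
#   it, and print the SHA-256 fingerprint to compare out of band with the HSM admin.
fetch_server_cert() {
  scp "$2@$1:server.pem" "$3" || return 1
  check_cert_pem "$3" || { echo "$3 is not a PEM certificate" >&2; return 1; }
  openssl x509 -noout -fingerprint -sha256 -in "$3"
}

# upload_client_certs HOST USER FILE...
#   Step 7: copy the cluster certificate or each node certificate to the HSM
#   admin account's home directory, refusing files that are not PEM certificates.
upload_client_certs() {
  host=$1; user=$2; shift 2
  for f in "$@"; do
    check_cert_pem "$f" || { echo "$f is not a PEM certificate" >&2; return 1; }
    scp "$f" "$user@$host:" || return 1
  done
}

# Driver: runs only when HSM_HOST is set, so the functions above can be sourced
# or tested without touching the network. Example (NODE mode):
#   HSM_HOST=hsm2.my-company.com HSM_USER=admin PARTITION=KC_partition2 \
#     sh add_hsm.sh KC-1.my-company.com.pem KC-2.my-company.com.pem
if [ -n "${HSM_HOST:-}" ]; then
  fetch_server_cert "$HSM_HOST" "${HSM_USER:-admin}" "${HSM_HOST%%.*}cert.pem" || exit 1
  upload_client_certs "$HSM_HOST" "${HSM_USER:-admin}" "$@" || exit 1
  # Rotate the positional parameters, replacing each FILE.pem with the client
  # name FILE (this keeps names containing spaces intact).
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do set -- "$@" "${1%.pem}"; shift; i=$((i + 1)); done
  echo "Enter these commands in lunash on $HSM_HOST:"
  register_cmds "${PARTITION:-KC_partition2}" "$@"
fi
```

The fingerprint printed by fetch_server_cert is the value to read back to the HSM administrator (or compare against the fingerprint recorded when the first HSM was enrolled); a mismatch means you should not load that certificate into HSM Server Settings.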