Configuring a Safenet HA Group

If you want to connect a KeyControl cluster to multiple HSM servers, you must create an HA group for those servers on each KeyControl node in the cluster. That way any Admin Keys or KEKs that KeyControl creates will be stored on all HSM servers in the group and can be accessed from any of the HSM servers by any of the KeyControl nodes.

Before You Begin 

Procedure 

  1. Log in as root on a server hosting one of the KeyControl nodes in the cluster.

    KeyControl displays the System Console Menu TUI (Text-based User Interface).

  2. From the System Console Menu, select Manage HSM Client Account.
  3. From the Manage HSM Client Account page, select Enable and Set Password for HSM Client Account.
  4. Acknowledge the password requirements at the prompt.
  5. On the Change hsmadmin Password page, specify the password you want to use and select OK.
  6. Select Return to Main Menu.
  7. From the main System Console Menu, select Log Out.
  8. Log into the server as hsmadmin with the password you just specified. Wait until the KeyControl node has retrieved the information about the registered HSM servers and has displayed the lunacm:> prompt. Depending on your network, it may take some time to retrieve this information.
  9. Make sure that all HSM servers on which you registered the KeyControl node in the previous steps are displayed in the list with assigned Slot IDs and the correct partition label.

    Important: If you do not see all of the HSM servers that you expect to see, do not continue with this step. Instead, use exit to return to the login prompt and then make sure that you have registered the KeyControl node with all of the HSM servers you want to use.
  10. Create an HA group according to your Safenet documentation. The following steps are shown for your convenience and may need to be changed based on the version of your Safenet server. The password you specify must be the password for the Safenet partitions you entered in the KeyControl webGUI.

    lunacm:>haGroup createGroup -slot 0 -label hagroup -password HSMPartPswd
    Warning: There are objects currently on the new member. 
    Do you wish to propagate these objects within the HA
    group, or remove them?
    
    Type 'copy' to keep and propagate the existing
    objects, 'remove' to remove them before continuing,
    or 'quit' to stop adding this new group member.
    >copy

    Answer copy at the propagate prompt: the objects on the partition are the keys KeyControl has already stored there, and answering remove deletes them. You should then see messages stating that the HA group was created without error. If this succeeds, add every other HSM to the HA group.

    lunacm:>haGroup addMember -slot 1 -group hagroup -password HSMPartPswd
    Warning: There are objects currently on the new member. 
    Do you wish to propagate these objects within the HA
    group, or remove them?
    
    Type 'copy' to keep and propagate the existing
    objects, 'remove' to remove them before continuing,
    or 'quit' to stop adding this new group member.
    >copy

    Repeat the haGroup addMember command (answering copy at the same prompt) for each additional HSM server until every HSM server with which you registered this KeyControl node is a member of the HA group.

  11. After all members have been added, use the exit command to log out of hsmadmin.
  12. Repeat this procedure on all KeyControl nodes in the cluster, using the same HA group label on every node. The HA Group Name entered in the webGUI in the next step is a single cluster-wide setting, so a node whose group carries a different label will not be able to reach the HSMs.
  13. After you have created the HA group on all nodes in the cluster, go back to the KeyControl webGUI HSM Server Settings page and do the following:

    1. Change the Partition Label or HA Group Name to be the name of the HA group you created.
    2. Click Apply, then click Proceed at the prompt. You should see a message that the HSM hostname or partition label has changed and that you need to regenerate the Admin key. If this message appears then the connection to all of the HSM servers in the HA group succeeded.
    3. To regenerate the Admin key, go to Settings > General Settings > Admin Key Parts, then click Generate New Key. You should get a message that the Admin Key was successfully generated and distributed. To verify this, go back to Settings > System Settings > HSM Server Settings. The Admin Key ID field should display a GUID for the new Admin Key.
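Steps 9 and 12 are where this procedure most often goes wrong in practice: a node that was not registered with every HSM ends up with a partial HA group, and a node that uses a different group label than the others cannot be served by the single HA Group Name set in the webGUI. The following POSIX shell script is an added example and is not part of the KeyControl or SafeNet tooling. It takes the slot IDs each node showed at the lunacm:> prompt in step 9 (the node names, slot IDs and expected count of 3 are constructed sample data), refuses to proceed if any node is missing a slot, and otherwise prints the lunacm command sequence for each node with one consistent label. The partition password is left as a placeholder on purpose; type it at the lunacm prompt rather than storing it in a script.

```shell
#!/bin/sh
# Added example, not KeyControl or SafeNet code. Checks that every KeyControl
# node sees the same number of HSM slots before an HA group is created, then
# prints the lunacm commands to run on each node.

# Constructed sample input: "node:slot,slot,..." as shown by lunacm on each
# node in step 9. Replace with the real values from your nodes.
NODE_SLOTS="kc-node1:0,1,2
kc-node2:0,1,2
kc-node3:0,1"

# Assumed: the cluster was registered with three HSM servers.
EXPECTED=3
# Assumed label; it must be identical on every node (see step 12).
HA_LABEL="hagroup"

# count_slots "0,1,2" -> 3
count_slots() {
  printf '%s' "$1" | tr ',' '\n' | grep -c .
}

# check_node NAME SLOTS: succeeds only if the node sees EXPECTED slots.
check_node() {
  n=$(count_slots "$2")
  [ "$n" -eq "$EXPECTED" ]
}

# plan_cmds LABEL SLOTS: createGroup for the first slot, addMember for the
# rest, mirroring the manual sequence in step 10.
plan_cmds() {
  label=$1
  first=1
  for s in $(printf '%s' "$2" | tr ',' ' '); do
    if [ "$first" -eq 1 ]; then
      echo "haGroup createGroup -slot $s -label $label -password <partition-password>"
      first=0
    else
      echo "haGroup addMember -slot $s -group $label -password <partition-password>"
    fi
    echo "# at the 'propagate these objects' prompt, type: copy"
  done
}

# check_all: iterates over NODE_SLOTS; returns 1 if any node is short of slots.
check_all() {
  bad=0
  old_ifs=$IFS
  IFS='
'
  for entry in $NODE_SLOTS; do
    node=${entry%%:*}
    slots=${entry#*:}
    if check_node "$node" "$slots"; then
      echo "ok   $node sees $(count_slots "$slots") slots"
    else
      echo "FAIL $node sees $(count_slots "$slots") slots, expected $EXPECTED:" \
           "register this node with the missing HSM before creating the group" >&2
      bad=1
    fi
  done
  IFS=$old_ifs
  return $bad
}

# main: only print a plan when every node passes the check.
main() {
  if check_all; then
    old_ifs=$IFS
    IFS='
'
    for entry in $NODE_SLOTS; do
      echo "## run on ${entry%%:*} as hsmadmin at the lunacm:> prompt"
      plan_cmds "$HA_LABEL" "${entry#*:}"
    done
    IFS=$old_ifs
  else
    echo "not generating a plan: fix the registrations above first" >&2
    return 1
  fi
}

main
```

With the sample data, kc-node3 sees only two slots, so the script reports the mismatch and produces no plan; once all three nodes list three slots it prints the createGroup/addMember sequence for each node, all with the label hagroup.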