Configuring an nCipher nShield HSM for High Availability

After you have configured KeyControl as an nCipher nShield Connect HSM client, you can add an additional nShield HSM to create a high availability cluster. You can either use a standalone KeyControl node or a KeyControl cluster.

Before You Begin 

  • Ensure that you have completed Configuring KeyControl as an HSM Client using nCipher nShield Connect.
  • Obtain the Security World Bundle file for the new HSM that you want to add. The bundle must contain the same security world as the first HSM server, but its module file must be for the new HSM. Contact your HSM Administrator to ensure that this is set up correctly.

    You cannot establish HA functionality if the servers do not share the same security world.

    Tip: This information can be found in the sections on replacing, adding, or restoring an HSM to the Security World in chapters 2 and 9 of the nShield® Connect User Guide for Unix.

Procedure 

  1. Log in to the KeyControl webGUI using an account with Security Admin privileges.

    Note: If you are using a cluster, you only need to use the webGUI for one node.

  2. In the top menu bar, click Settings.
  3. In the System Settings section, click HSM Server Settings.
  4. On the nCipher nShield Connect HSM Server Settings page, click the Client List and copy the IP address and keyhash of the KeyControl nodes.

  5. Use the IP address and keyhash to authenticate KeyControl on nShield. Please see your nShield documentation.

    Important: For KeyControl clusters, you will need to authenticate the IP address and keyhash for each KeyControl cluster node.

  6. Copy the Security World Bundle from nShield and place it on your local machine. It should be in the format world.zip.
  7. On the Basic tab of the nCipher nShield Connect HSM Server Settings page, select Actions > Add New HSM Server.

  8. After reading the Get Started Screen, click Continue.
  9. On the Enrollment screen, complete the following: 

    Note: All information is from the nShield HSM. The Server Name is used for display purposes and the Server IP/FQDN is used for communication.

    Field             Description
    Server Name       Enter the FQDN of the nShield HSM.
    Server IP/FQDN    Enter the IP address or FQDN for the nShield HSM.
    Server ESN        Enter the nShield Electronic Serial Number (ESN).
    Type              Select the location of the nShield HSM. This can be On Prem or Cloud.
    Server Port       Enter the port used for the nShield HSM.
    Server Keyhash    Enter the keyhash of the nShield HSM.

  10. Click Enroll and Continue.
  11. On the Security World screen, click Load File and locate the security world bundle that you downloaded from the nShield HSM.
  12. Click Upload and Continue.
  13. Click Complete Setup.

    After the setup is complete, you will be returned to the nCipher nShield Connect HSM Server Settings page, which now displays the values for both HSMs.

    Note: If the configuration failed, remove the HSM by selecting it and then selecting Actions > Remove Server, then add it again.
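
A pre-flight check for the bundle requirement under Before You Begin (same security world, module file for the new HSM), which you can run before uploading in step 11. This is an added example, not KeyControl or nShield code. It assumes the bundle holds a file named world plus a module_<ESN> file per HSM, as in an nShield kmdata/local directory, and that the world file is byte-identical across bundles from the same security world; the function names and sample data are constructed for illustration.

```python
import io
import re
import zipfile

# Assumed layout (not stated on this page): the bundle holds a file named
# "world" plus one "module_<ESN>" file per HSM. The ESN pattern is also assumed.
ESN_RE = re.compile(r"^[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}$")

def make_bundle(files):
    """Build an in-memory zip from {name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

def _members(bundle):
    """Map base file name -> content for every file in the zip (path or file object)."""
    with zipfile.ZipFile(bundle) as zf:
        return {info.filename.rsplit("/", 1)[-1]: zf.read(info)
                for info in zf.infolist() if not info.is_dir()}

def check_bundle(new_bundle, new_esn, first_bundle):
    """Return a list of problems; an empty list means every check passed."""
    esn = new_esn.strip().upper()
    if not ESN_RE.match(esn):
        return [f"ESN {new_esn!r} is not in XXXX-XXXX-XXXX form"]
    try:
        new, first = _members(new_bundle), _members(first_bundle)
    except zipfile.BadZipFile as exc:
        return [f"not a valid zip archive: {exc}"]
    problems = []
    if "world" not in new or "world" not in first:
        problems.append("a bundle is missing its 'world' file")
    elif new["world"] != first["world"]:
        problems.append("world files differ: bundles do not share a security world")
    if f"module_{esn}" not in new:
        found = sorted(n for n in new if n.startswith("module_"))
        problems.append(f"no module_{esn} in new bundle (found: {found or 'none'})")
    return problems

if __name__ == "__main__":
    # Constructed sample data, not real security world material.
    first = make_bundle({"world": b"W1", "module_AAAA-1111-BBBB": b"m1"})
    new = make_bundle({"world": b"W1", "module_CCCC-2222-DDDD": b"m2"})
    print(check_bundle(new, "CCCC-2222-DDDD", first) or "bundle checks passed")
```

For real bundles, pass the paths of the two world.zip files in place of the in-memory samples.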