Replacing an nShield Connect HSM on a KeyControl Cluster

If your KeyControl cluster uses an nShield Connect HSM, you can replace the HSM while keeping the cluster intact. This procedure documents a 2-node cluster; if you have more than two nodes, repeat the per-node steps (client enrollment) for every node and adapt the instructions accordingly.

Before You Begin 

To replace the nShield Connect HSM, make sure you have the following information available:

  • The HSM server name, server IP/FQDN, ESN, Port, and Keyhash for the replacement nShield Connect HSM (HSM-2).
  • The Security World Bundle file for the replacement HSM. HSM-1 and HSM-2 must be members of the same Security World, and that Security World must be the one contained in the Security World Bundle file; keys that KeyControl protected under one Security World cannot be loaded on an HSM in a different one. Please contact your HSM Administrator to ensure that this is set up correctly.

    Tip: This information can be found in the sections on replacing, adding, or restoring an HSM to the Security World in chapters 2 and 9 of the nShield® Connect User Guide for Unix.

Procedure 

  1. From the KeyControl webGUI, select Settings > HSM Server Settings.

  2. On the nCipher nShield Connect HSM Server Settings page, click the Client List tab.
  3. Copy the KeyControl IP addresses and keyhashes to a text file. You will need the IP address and keyhash of both KeyControl nodes (node-1 and node-2) to enroll KeyControl as a client of the replacement nShield HSM (HSM-2).
  4. On HSM-2, add each KeyControl node as a client using its IP address and keyhash. See your nShield documentation for the client enrollment procedure.

    Important: For KeyControl clusters, you must enroll the IP address and keyhash of every cluster node on HSM-2. A node that is not enrolled will be unable to use the HSM after the switch-over.

  5. Copy the Security World Bundle from the replacement HSM-2 as world.zip and place it on your local machine.

  6. On the nCipher nShield Connect HSM Server Settings page, click the Server Settings tab and then select HSM-1.

  7. Replace the Server Name, Server IP/FQDN, Server ESN, Server Port and Server Keyhash of HSM-1 with the values for HSM-2.

  8. Click Apply.
  9. Select Actions > Upload Security World and upload the Security World Bundle for HSM-2 (the world.zip from step 5).
  10. Test the connection to HSM-2 and confirm that it succeeds from both cluster nodes.
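The following shell script is an added example; it is not part of the KeyControl documentation or of Entrust's tooling. It checks the HSM-2 identity values collected under Before You Begin and entered in step 7 before you type them into the Server Settings page: it validates the ESN and keyhash formats (the same 40-hex-digit keyhash format applies to the KeyControl client keyhashes copied in step 3), normalizes case, and, when run with network access from a host that has the nShield client tools installed, compares what the replacement Connect reports through the real `anonkneti` utility with the values you recorded. The install path /opt/nfast/bin, the function names, and the sample ESN and keyhash are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the KeyControl documentation: pre-flight checks on the
# HSM-2 values (ESN, keyhash) before editing KeyControl's Server Settings.
# Assumes the nShield client software at the default path /opt/nfast (assumption),
# which provides the real `anonkneti` utility that prints "<ESN> <keyhash>" for
# a Connect at a given address.

NFAST_BIN=${NFAST_BIN:-/opt/nfast/bin}   # assumed default install location

# An nShield ESN is three groups of four hex digits, e.g. 1234-5678-9ABC.
is_valid_esn() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$'
}

# A keyhash is the 40-hex-digit SHA-1 of the module's (or client's) KNETI key.
is_valid_keyhash() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Parse one line of anonkneti output ("<ESN> <keyhash>"). Echoes the pair back
# normalized (ESN upper-case, keyhash lower-case) or returns 1 if malformed,
# so a mistyped or truncated value is caught before it reaches the GUI.
parse_anonkneti_output() {
    set -- $1                     # split the line into $1 (ESN) and $2 (keyhash)
    [ $# -eq 2 ] || return 1
    esn=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    keyhash=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    is_valid_esn "$esn" || return 1
    is_valid_keyhash "$keyhash" || return 1
    printf '%s %s\n' "$esn" "$keyhash"
}

# Compare the pair reported by the HSM with the values you recorded for step 7.
# Usage: identity_matches "<anonkneti line>" "<expected ESN>" "<expected keyhash>"
# Returns 0 only if both values match (case-insensitive).
identity_matches() {
    reported=$(parse_anonkneti_output "$1") || return 1
    expected=$(parse_anonkneti_output "$2 $3") || return 1
    [ "$reported" = "$expected" ]
}

# Live check (needs network access to the HSM; not exercised offline): query the
# replacement Connect at address $1 and verify it is the unit you expect.
# Usage: check_replacement_hsm <HSM-2 IP/FQDN> <expected ESN> <expected keyhash>
check_replacement_hsm() {
    live=$("$NFAST_BIN/anonkneti" "$1") || { echo "anonkneti failed for $1" >&2; return 1; }
    if identity_matches "$live" "$2" "$3"; then
        echo "HSM at $1 matches recorded ESN $2"
    else
        echo "MISMATCH: HSM at $1 reported '$live', expected ESN $2 / keyhash $3" >&2
        return 1
    fi
}

# Constructed sample of anonkneti output (fictitious ESN and keyhash) used for an
# offline self-check when the script is run directly.
SAMPLE_ANONKNETI='1234-5678-9ABC 0123456789abcdef0123456789abcdef01234567'

if result=$(parse_anonkneti_output "$SAMPLE_ANONKNETI"); then
    echo "constructed sample parses as: $result"
fi
# For a real replacement, run e.g. (values are placeholders):
#   check_replacement_hsm 192.0.2.20 1234-5678-9ABC 0123456789abcdef0123456789abcdef01234567
```

Run the live check once per KeyControl node before step 7, so that a typo in the ESN or keyhash, or a network path that only one node can reach, is found before HSM-1's settings are overwritten.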