Adding a KeyControl Node to an Existing Luna HSM Configuration

How you add a new KeyControl node to an existing HSM configuration depends on whether you are using a single cluster certificate or individual node certificates.

In both cases, though, you should deploy the node as usual and then join it to the existing cluster. For details on adding an already-deployed node, see Joining or Re-joining a KeyControl Cluster. For details on deploying a new node, see Installation Overview.

Single Cluster Certificate

If you are using a single cluster certificate, you do not need to do anything special to connect the new node to your existing HSM configuration. KeyControl automatically adds the new node to your existing HSM configuration when you add it to the cluster.

This is true for both single HSM and multiple HSM configurations.

Individual Node Certificates

Before You Begin

For each hardware security module (HSM) that is currently connected to KeyControl, make sure you have the following information available:

  • The HSM server name.
  • The user name and password for an HSM account with Admin privileges.
  • The HSM partition name and password for the partition to which the existing KeyControl clients have been assigned.

You will also need:

  • A KeyControl account with Security Admin privileges.
  • Access to the HSM servers via a shell account. The following procedure uses ssh to connect to the servers.

Note: The following instructions are specific to the Luna HSM.

Procedure

If you are using individual node certificates, you need to do the following after you have added the new node to the cluster:

  1. Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges. In the top right, click the Switch to Appliance Management link.
  2. In the top menu bar, click Settings.
  3. In the System Settings section, click HSM Server Settings.
  4. Navigate to the Client List tab. You should see one entry for each KeyControl node in the cluster.
  5. Select the new node in the list, then select Actions > Generate Client Certificate for node-name.domain-name. KeyControl automatically generates a unique certificate for that node called node-name.domain-name.pem and downloads it to your browser's default download location.

    For example, if the name of the node is KC-4 and it is running on the domain my-company.com, the certificate file would be called KC-4.my-company.com.pem.

  6. Upload the node certificate to the root directory on each HSM server that you want to use. For example, if you have two HSM servers, you would copy the new node certificate to both HSM servers:

    # scp KC-4.my-company.com.pem admin@hsm1.my-company.com:
    admin@hsm1.my-company.com's password:

    KC-4.my-company.com.pem             100% 1164     1.1KB/s   00:00

    # scp KC-4.my-company.com.pem admin@hsm2.my-company.com:
    admin@hsm2.my-company.com's password:

    KC-4.my-company.com.pem             100% 1164     1.1KB/s   00:00
  7. Using a shell account, log into each HSM server and:

    1. Register the new KeyControl client using "node-name.domain-name" for both the client name and hostname. The double quotes are required because of the period in the client name.

      Tip: If the registration fails because a client of that name already exists, you need to delete the existing client. You cannot change the name of the client pem file that KeyControl generates.

    2. Assign a partition to the KeyControl client.

    For example, if you want the KeyControl client KC-4.my-company.com to be assigned to KC_partition1 on hsm1.my-company.com and to KC_partition2 on hsm2.my-company.com, you could enter:

    # ssh admin@hsm1.my-company.com
    admin@hsm1.my-company.com's password:

    [hsm1] lunash:>client register -client "KC-4.my-company.com" -hostname "KC-4.my-company.com"
    'client register' successful
    Command Result : 0 (Success)
    [hsm1] lunash:>client assignPartition -client "KC-4.my-company.com" -partition KC_partition1
    'client assignPartition' successful
    Command Result : 0 (Success)
    [hsm1] lunash:>exit

    # ssh admin@hsm2.my-company.com
    admin@hsm2.my-company.com's password:

    [hsm2] lunash:>client register -client "KC-4.my-company.com" -hostname "KC-4.my-company.com"
    'client register' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>client assignPartition -client "KC-4.my-company.com" -partition KC_partition2
    'client assignPartition' successful
    Command Result : 0 (Success)
    [hsm2] lunash:>exit
  8. If you want to verify the connection, return to the KeyControl webGUI and navigate to the Server Settings tab, then click Test. You should see a message that says the HSM connection is OK.
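The following script is an added example, not part of the KeyControl or Luna documentation, that wraps steps 6 and 7 above for a node that must be enrolled on several HSM servers at once. It derives the Luna client name from the KeyControl-generated certificate file name (node-name.domain-name.pem), emits the quoted "client register" and "client assignPartition" commands for each server/partition pair, and checks each lunash reply for "Command Result : 0 (Success)" so that a wrong partition name does not pass silently. It assumes the "admin" HSM account and host names from the page, that lunash accepts a command given as the ssh command argument (an assumption; the page shows an interactive session), and a constructed "host:partition" argument format. It runs in dry-run mode unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the vendor's code): enroll one KeyControl node on N Luna HSMs.
# Usage: DRY_RUN=0 enroll_node KC-4.my-company.com.pem hsm1.my-company.com:KC_partition1 hsm2.my-company.com:KC_partition2

# KeyControl names the certificate <node-name>.<domain-name>.pem and the
# client name must match it exactly, so derive the name from the file name.
client_name_from_pem() {
    base=$(basename "$1")
    case "$base" in
        *.pem) ;;
        *) echo "certificate must be a .pem file: $1" >&2; return 1 ;;
    esac
    name="${base%.pem}"
    case "$name" in
        *.*) printf '%s\n' "$name" ;;
        *) echo "expected node-name.domain-name in $base" >&2; return 1 ;;
    esac
}

# lunash commands for one HSM. The client name is double-quoted because it
# contains a period, as the procedure requires.
lunash_commands() {
    client="$1"; partition="$2"
    printf 'client register -client "%s" -hostname "%s"\n' "$client" "$client"
    printf 'client assignPartition -client "%s" -partition %s\n' "$client" "$partition"
}

# lunash reports "Command Result : 0 (Success)" after each command; anything
# else (including a silent empty reply) is treated as a failure.
lunash_ok() {
    printf '%s\n' "$1" | grep -q 'Command Result : 0 (Success)'
}

# Upload the certificate and run the commands on every "host:partition" pair.
# DRY_RUN=1 (default) prints what would be done instead of connecting.
enroll_node() {
    pem="$1"; shift
    client=$(client_name_from_pem "$pem") || return 1
    for entry in "$@"; do
        host="${entry%%:*}"; partition="${entry#*:}"
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "# would run: scp $pem admin@$host:"
            lunash_commands "$client" "$partition" | while IFS= read -r cmd; do
                echo "# would run: ssh admin@$host '$cmd'"
            done
        else
            scp "$pem" "admin@$host:" || return 1
            lunash_commands "$client" "$partition" | while IFS= read -r cmd; do
                # Assumption: lunash executes a command passed as the ssh argument.
                reply=$(ssh "admin@$host" "$cmd") || exit 1
                lunash_ok "$reply" || { echo "$host: '$cmd' failed: $reply" >&2; exit 1; }
            done || return 1
        fi
    done
}
```

Run it once in dry-run mode to review the exact commands before setting DRY_RUN=0; if "client register" reports that the client already exists, delete the stale client on that HSM first, as the Tip in step 7 notes.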