Configure HSM for High Availability (HA)

How to configure HSM for high availability.

1. Set up appliances for HA:
   1. Perform the network setup on both HA units: install the SafeNet Luna SA Client software (link below).
   2. In hsm showPolicies, ensure that Allow Cloning=on and Allow Network Replication=on.
   3. Initialize the HSMs on your Luna SA appliances. They must have the same cloning domain (i.e., must share the same red, domain PED Key if they are PED-authenticated) or they must share the same domain string if they are password-authenticated.
   4. Create a partition on each Luna SA. They do not need to have the same labels, but must have the same password.
   5. Record the serial number of each partition created on each Luna SA (use partition show).
2. Register clients with Luna SA HA:
   1. Proceed with normal client setup, “Prepare the Client for Network Trust Link” (link below).
   2. Register your client computer with both Luna SAs.
   3. Verify using ./vtl verify command. It should show the numbers of partitions registered with client.
3. Create the HA GroupNote for your client version:
   • Version 5
   • Version 6
4. Version 5
   1. After creating partitions on (at least) two Luna appliances, and setting up Network Trust Links between those partitions and your client, use LunaCM to configure HA on your client: Go to the directory: /usr/safenet/lunaclient/bin/.
   2. To add members in haadmin, create a new group on the client: ./vtl haAdmin newGroup -serialNum HA Group Number -label Groupname -password password .
      For example: ./vtl haAdmin newGroup -serialNum 156453092 -label myHAgroup -password S@fenet123
   3. Add members into your haadmin: ./vtl haAdmin addMember -group HA Group Number -serialNum serial_number -password password .
      For example: ./vtl haAdmin addMember -group 1156453092 -serialNum 156451030 -password S@fenet123
   4. Enable synchronization of HAadmin Members: ./vtl haAdmin synchronize -group HA Group Number -password password .
      For example: ./vtl haAdmin synchronize -enable -group 1156453092 -password S@fenet123
   5. To Enable HAOnly: ./vtl haAdmin HAOnly -enable.
   6. Check haadmin status after synchronization: ./vtl haAdmin show.

      	Note
      	After synchronization please verify kms master key copied to both partitions registered in hsm ha group. It takes time to copy master key to another partition.

5. Version 6
   1. After creating partitions on (at least) two Luna appliances, and setting up Network Trust Links between those partitions and your client, use LunaCM to configure HA on your client:
      1. Go to directory: /usr/safenet/lunaclient/bin/.
      2. Select Lunacm: ./lunacm.
   2. To add members in hagroup, create a new group on the client: haGroup creategroup -serialNumber serial number -l label -p password .
      For example: lunacm:>haGroup creategroup -serialNumber 1047740028310 -l HAHSM3 -p S@fenet123
   3. Use the hagroup addmember command to add new member into hagroup client: hagroup addMember -group groupname -serialNumber serial number -password password .
      Field descriptions:

      • Label for the group (do NOT call the group just "HA"): groupname
      • The serial number of the first partition OR the slot number of the first partition: serial number
      • The password for the partition: password
      • Lunacm also generates and assigns a Serial Number to the group itself.

        For example: lunacm:>hagroup addMember -group rkmsgroup -serialNumber 1047749341551 -password S@fenet123

   4. Use the hagroup addmember command to add another member to the HA group: hagroup addMember -group groupname -serialNumber serial number -password password .
      For example: lunacm:>hagroup addMember -serialNumber 1047740028310 -g rkmslgroup -password S@fenet123
   5. Check group member in group using "hagroup listGroups" command: hagroup listGroups.
   6. Enable HAOnly: hagroup HAOnly -enable.
   7. Enable synchronization of HAgroup Members: hagroup synchronize -group groupname -password password -enable.
      For example: lunacm:>hagroup synchronize -group rkmslgroup -password S@fenet123 -enable
6. After configuring HSM HA, to run Ranger KMS in HSM HA mode you must specify the virtual group name created above in HSM_PARTITION_NAME property of install.properties and setup and start Ranger KMS. Note: All other configuration for HSM in install.properties of Ranger KMS as mentioned in “Installing Ranger KMS HSM” will remain the same.