
Configure High-Availability

In the document AWS CloudHSM Classic (pages 110-114)

• High Availability Failover and Automatic Recovery (p. 109)

• Recovering an HSM (p. 110)


To set up high availability (HA) and load balancing for your HSMs one HSM at a time, complete the following procedure.

Configure HA redundancy and load balancing

1. Set up the network that contains the HSMs that will be used in the HA group.

2. From your control instance, connect to your HSM over SSH. <private_key_file> is the private portion of the SSH key you provided when your HSM was provisioned.

$ ssh -i <private_key_file> manager@<hsm_ip_address>

3. View the policy settings needed for the HSM by issuing the hsm showPolicies command.

lunash:> hsm showPolicies

HSM Label: <hsm_label>
Serial #: <hsm_serial>
Firmware: 6.2.1

The following capabilities describe this HSM, and cannot be altered except via firmware or capability updates.

Description                  Value
===========                  =====
Enable cloning               Allowed
...
Enable network replication   Allowed
...

The following policies describe the current configuration of this HSM and may be changed by the HSM Administrator.
Changing policies marked "destructive" will zeroize (erase completely) the entire HSM.

Description       Value    Code    Destructive
...

Command Result : 0 (Success)

Make note of the following policy values:

• Enable cloning

• Enable network replication

• Allow cloning

• Allow network replication

If any of these policies are not set to Allowed, change them with the hsm changePolicy command.

lunash:> hsm changePolicy -policy <policy_code> -value <policy_value>

Note

Cloning to a hardware token is the backup method for which your HSMs are configured. All HSMs in an HA group must use the same backup method.
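Step 3 asks you to read four policy values off the hsm showPolicies listing by eye. The following script is an added example, not part of the AWS documentation or the Luna tooling: it reads that listing on standard input and fails closed unless all four policies read exactly Allowed, so the check can be scripted before any HSM is initialized. The sample listings embedded in it are constructed (label, serial and policy codes are placeholders), and the ssh invocation in the usage comment is an assumed way of capturing the listing; <private_key_file> and <hsm_ip_address> are the same placeholders as in step 2.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): a pre-flight check for step 3.
# Reads the text of `hsm showPolicies` on stdin and verifies that the four
# policies the HA procedure depends on all carry the value "Allowed".
# Exit status 0 = all Allowed; 1 = at least one missing or not Allowed, with
# each offending policy reported on stdout, one per line.

check_ha_policies() {
    _out=$(cat)
    _rc=0
    for _p in "Enable cloning" "Enable network replication" \
              "Allow cloning" "Allow network replication"; do
        # First line whose Description column is exactly this policy name,
        # with the name stripped so only Value (and any later columns) remain.
        _rest=$(printf '%s\n' "$_out" | grep "^$_p[[:space:]]" | head -n 1 \
                | sed "s/^$_p[[:space:]]*//")
        if [ -z "$_rest" ]; then
            printf '%s: not present in output\n' "$_p"
            _rc=1
            continue
        fi
        # Value is the first word of the remainder; comparing the whole word
        # rejects values such as "Not Allowed" that merely contain "Allowed".
        _val=$(printf '%s\n' "$_rest" | awk '{print $1}')
        if [ "$_val" != "Allowed" ]; then
            printf "%s: value '%s' (expected 'Allowed')\n" "$_p" "$_val"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed samples shaped like the page's listing (not captured from a real
# HSM; label, serial and policy codes are placeholders).
sample_policies_allowed() {
    cat <<'EOF'
HSM Label: hsm-example
Serial #: 000000
Firmware: 6.2.1

Description                    Value
===========                    =====
Enable cloning                 Allowed
Enable network replication     Allowed

Description                    Value        Code    Destructive
===========                    =====        ====    ===========
Allow cloning                  Allowed      7       Yes
Allow network replication      Allowed      9       Yes

Command Result : 0 (Success)
EOF
}

sample_policies_blocked() {
    cat <<'EOF'
Description                    Value
===========                    =====
Enable cloning                 Allowed
Enable network replication     Allowed

Description                    Value        Code    Destructive
===========                    =====        ====    ===========
Allow cloning                  Allowed      7       Yes
Allow network replication      Not Allowed  9       Yes
EOF
}

# Usage (assumed invocation; placeholders as in step 2):
#   ssh -i <private_key_file> manager@<hsm_ip_address> "hsm showPolicies" | sh check_ha_policies.sh --stdin
case "${1:-}" in
    --demo)  sample_policies_allowed | check_ha_policies && echo "sample 1: all Allowed"
             sample_policies_blocked | check_ha_policies || echo "sample 2: run hsm changePolicy first" ;;
    --stdin) check_ha_policies ;;
esac
```

Run it with --demo to see both outcomes on the constructed samples, or with --stdin to check a live listing. A non-zero exit is the signal to run hsm changePolicy for the named policy before continuing to step 4.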

4. Initialize your HSMs into a common cloning domain. For password-authenticated appliances, they must share the same cloning domain.

Warning

Initializing an HSM permanently deletes the keys and entire cryptographic domain on the HSM. After initializing the HSM, any previously existing keys are destroyed.

Note

• If you have already configured your HSM appliance in Configuring Your AWS CloudHSM Classic Client (p. 28), the following steps help you reconfigure your HSM appliance for HA.

• Three of the values are required, but the only one that you should type at the command line is a label for the HSM (-label). Typing the password and the cloning domain at the command line makes them visible to anyone who can see the computer screen, or to anyone who later scrolls back in your console or ssh session buffer. If you omit the password and the cloning domain, the Luna shell prompts you for them, and hides your input with ******** characters. This is preferable from a security standpoint. Additionally, you are prompted to re-enter each string, thus helping to ensure that the string you type is the one you meant to type.

lunash:> hsm -init -label <hsm_label>
Please enter a password for the security officer
> ********
Please re-enter password to confirm:
> ********
Please enter the cloning domain to use for initializing this HSM (press <enter> to use the default domain):
> ********
Please re-enter domain to confirm:
> ********
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased.
Type 'proceed' to initialize the HSM, or 'quit' to quit now.
> proceed
'hsm - init' successful.

5. On each HSM, perform the following steps:

a. Log into the HSM as the HSM administrator (Security Officer).

lunash:> hsm login
Please enter the HSM Administrators' password:
> ***********
'hsm login' successful.
Command Result : 0 (Success)

b. Create a partition. When prompted, type proceed, and enter the partition password. The partition password and cloning domain must be the same for all partitions that will be part of the same HA group.

lunash:> partition create -partition <partition_name> -domain <cloning_domain>
Please ensure that you have purchased licenses for at least this number of partitions: 3
If you are sure to continue then type 'proceed', otherwise type 'quit'
> proceed
Proceeding...
Please enter a password for the partition:
> **********
Please re-enter password to confirm:
> **********
'partition create' successful.
Command Result : 0 (Success)

<partition_name> should be a unique name without spaces or special characters.

c. Record the partition serial numbers and passwords, and store this information in a secure place.

lunash:> partition show

Partition SN: <partition1_serial>
Partition Name: <partition1_name>
Partition Owner Locked Out: no
Partition Owner PIN To Be Changed: no
Partition Owner Login Attempts Left: 10 before Owner is Locked Out
Legacy Domain Has Been Set: no
Partition Storage Information (Bytes): Total=102701, Used=0, Free=102701
Partition Object Count: 0

Partition SN: <partition2_serial>
Partition Name: <partition2_name>
Partition Owner Locked Out: no
Partition Owner PIN To Be Changed: no
Partition Owner Login Attempts Left: 10 before Owner is Locked Out
Legacy Domain Has Been Set: no
Partition Storage Information (Bytes): Total=102701, Used=0, Free=102701
Partition Object Count: 0

Command Result : 0 (Success)
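Step 5c has you record each partition's serial number, and step 6 later needs those serials as the serialNum values for the HA group. The script below is an added example, not part of the AWS documentation or the Luna tooling: it turns the partition show listing into a one-line-per-partition inventory and lists the serials of partitions whose owner is not locked out (a locked-out partition cannot authenticate, so it cannot be added to the group until it is unlocked). Field positions follow the layout shown above; the sample listing is constructed, with made-up serials and names, and the ssh invocation in the usage comment is an assumed way of capturing the listing.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): parse the `partition show`
# listing from step 5c and derive the serials usable as HA group members.
# Field positions follow the output layout shown on the page.

# Print "<serial> <name> <locked_out> <login_attempts_left>" per partition.
parse_partitions() {
    awk '
        /^Partition SN:/                        { sn = $3 }
        /^Partition Name:/                      { name = $3 }
        /^Partition Owner Locked Out:/          { locked = $5 }
        # "Partition Owner Login Attempts Left: N before Owner is Locked Out":
        # the count is the 6th field; this line closes one partition record.
        /^Partition Owner Login Attempts Left:/ { print sn, name, locked, $6 }
    '
}

# Serial numbers of partitions whose owner is not locked out; these are the
# values to pass as serialNum when the HA group is created and extended.
# Exit status 1 if any partition is locked out (it cannot be added until unlocked).
ha_member_serials() {
    parse_partitions | awk '
        $3 == "no" { print $1; next }
        { locked++ }
        END { exit (locked > 0) }
    '
}

# Constructed sample in the shape of the page's `partition show` output; the
# serials, names and counts are made up for the example.
sample_partition_show() {
    cat <<'EOF'
Partition SN: 100001
Partition Name: partA
Partition Owner Locked Out: no
Partition Owner PIN To Be Changed: no
Partition Owner Login Attempts Left: 10 before Owner is Locked Out
Legacy Domain Has Been Set: no
Partition Storage Information (Bytes): Total=102701, Used=0, Free=102701
Partition Object Count: 0

Partition SN: 100002
Partition Name: partB
Partition Owner Locked Out: yes
Partition Owner PIN To Be Changed: no
Partition Owner Login Attempts Left: 0 before Owner is Locked Out
Legacy Domain Has Been Set: no
Partition Storage Information (Bytes): Total=102701, Used=0, Free=102701
Partition Object Count: 0

Command Result : 0 (Success)
EOF
}

# Usage (assumed invocation; placeholders as in step 2):
#   ssh -i <private_key_file> manager@<hsm_ip_address> "partition show" | sh partitions.sh --stdin
case "${1:-}" in
    --demo)  sample_partition_show | parse_partitions
             sample_partition_show | ha_member_serials || echo "at least one partition is locked out" ;;
    --stdin) parse_partitions ;;
esac
```

Only the serial numbers and names are extracted; partition passwords never appear in this listing and should stay in the secure store the step asks for, not in a script or shell history.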

d. Proceed with a normal client setup as described in Configuring Your AWS CloudHSM Classic Client (p. 28).

e. Register your client computer with each partition that will be part of the HA group. On each HSM, assign the partition to its respective client. Repeat for each HSM in the HA group.

lunash:> client assignPartition -client <client_name> -partition <partition1_name>

lunash:> client assignPartition -client <client_name> -partition <partition2_name>

6. On the client, create a new HA group with the vtl haAdmin newGroup command. This group uses partition1 as the primary partition.

Important

On Windows clients, you must execute the next command as an administrator. To do this, right-click the cmd.exe window and select Run as Administrator.

>vtl haAdmin newGroup -label <partition_group_label> -serialNum <partition1_serial> -password <partition1_password>

New group with label "<partition_group_label>" created at group number <partition_group_serial>.
Group configuration is:
HA Group Label: <partition_group_label>
HA Group Number: <partition_group_serial>
HA Group Slot #: <slot_number>
Synchronization: enabled
Group Members: <partition1_serial>
Standby members: <none>
In Sync: yes

When you create a new HA group, the vtl utility creates the serial number for the group.

7. Your Chrystoki.conf (Linux/UNIX)/crystoki.ini (Windows) file should now have a new section:

VirtualToken = {

Do not alter the Chrystoki.conf/crystoki.ini file.

8. Add another member to the HA group (Partition2 on the second appliance) with the vtl haAdmin addMember command.

