NetScaler

Configure Safenet HSMs in a high availability setup on the ADC

September 21, 2020

Contributed by:

S S

Configuring SafeNet HSMs in a high availability (HA) ensures uninterrupted service even if all but one of the devices are unavailable. In an HA setup, each HSM joins an HA group in active-active mode. SafeNet HSMs in an HA setup provide load balancing of all the group members to increase performance and response time while providing the assurance of high availability service. For more information, contact SafeNet Sales and Support.

Prerequisites:

Minimum two SafeNet HSM devices. All the devices in an HA group must have either PED (trusted path) authentication or password authentication. A combination of trusted path authentication and password authentication in an HA group is not supported.
Partitions on each HSM device must have the same password even if the label (name) is different.
All partitions in HA must be assigned to the client (NetScaler appliance).

After configuring a SafeNet client on the ADC as described in Configure a SafeNet client on the ADC, perform the following steps to configure Safenet HSMs in HA:

1. On the NetScaler shell prompt, launch “lunacm” (/usr/safenet/lunaclient/bin)

Example:

root@ns# cd /var/safenet/safenet/lunaclient/bin/

root@ns# ./lunacm
<!--NeedCopy-->

2. Identify the slot IDs of the partitions. To list the available slots (partitions), type:

lunacm:> slot list
<!--NeedCopy-->

Example;

        Slot Id ->              0

        HSM Label ->            trinity-p1

        HSM Serial Number ->    481681014

        HSM Model ->            LunaSA 6.2.1

        HSM Firmware Version -> 6.10.9

        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode

        HSM Status ->           OK

        Slot Id ->              1

        HSM Label ->            trinity-p2

        HSM Serial Number ->    481681018

        HSM Model ->            LunaSA 6.2.1

        HSM Firmware Version -> 6.10.9

        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode

        HSM Status ->           OK

         Slot Id ->              2

         HSM Label ->            neo-p1

         HSM Serial Number ->    487298014

         HSM Model ->            LunaSA 6.2.1

         HSM Firmware Version -> 6.10.9

         HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode

        HSM Status ->           OK

        Slot Id ->              3

        HSM Label ->            neo-p2

        HSM Serial Number ->    487298018

        HSM Model ->            LunaSA 6.2.1

        HSM Firmware Version -> 6.10.9

        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode

        HSM Status ->           OK

        Slot Id ->              7

        HSM Label ->            hsmha

        HSM Serial Number ->    1481681014

        HSM Model ->            LunaVirtual

        HSM Firmware Version -> 6.10.9

        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode

        HSM Status ->           N/A - HA Group

        Slot Id ->              8

        HSM Label ->            newha

        HSM Serial Number ->    1481681018

        HSM Model ->            LunaVirtual

        HSM Firmware Version -> 6.10.9

        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode

        HSM Status ->           N/A - HA Group

        Current Slot Id: 0
<!--NeedCopy-->

3. Create the HA group. The first partition is called the primary partition. You can add more than one secondary partitions.

lunacm:> hagroup createGroup -slot <slot number of primary partition> -label <group name> -password <partition password >

    lunacm:> hagroup createGroup -slot 1 -label gp12 -password ******

4. Add the secondary members (HSM partitions). Repeat this step for all partitions to be added to the HA group.

lunacm:> hagroup addMember -slot <slot number of secondary partition to be added> -group <group name> -password <partition password>
<!--NeedCopy-->

Code:

lunacm:> hagroup addMember -slot 2 -group gp12 -password ******
<!--NeedCopy-->

5. Enable HA only mode.

lunacm:> hagroup HAOnly –enable
<!--NeedCopy-->

6. Enable active recovery mode.

lunacm:.>hagroup recoveryMode –mode active
<!--NeedCopy-->

7. Set auto recovery interval time (in seconds). Default is 60 seconds.

lunacm:.>hagroup interval –interval <value in seconds>
<!--NeedCopy-->

Example:

lunacm:.>hagroup interval –interval 120
<!--NeedCopy-->

8. Set recovery retry count. A value of -1 allows infinite number of retries.

lunacm:> hagroup retry -count <xxx>
<!--NeedCopy-->

Example:

lunacm:> hagroup retry -count 2
<!--NeedCopy-->

After configuring SafeNet HSM in HA, see Additional ADC configuration for further configuration on the ADC.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Configure Safenet HSMs in a high availability setup on the ADC

September 21, 2020

Contributed by:

S S

September 21, 2020

Contributed by:

S S

Configure Safenet HSMs in a high availability setup on the ADC

In this article