
Configure SafeNet HSMs in a high availability setup on the ADC

Configuring SafeNet HSMs in a high availability (HA) setup keeps the service available as long as at least one device in the group is reachable. In an HA setup, each HSM partition joins an HA group in active-active mode: the client spreads requests across all group members, which improves throughput and response time, and a member that stops responding is taken out of rotation without interrupting service. For more information, contact SafeNet Sales and Support.

Prerequisites:

  • Minimum two SafeNet HSM devices. All the devices in an HA group must have either PED (trusted path) authentication or password authentication. A combination of trusted path authentication and password authentication in an HA group is not supported.
  • Partitions on each HSM device must have the same password even if the label (name) is different.
  • All partitions that join the HA group must be assigned to the client (the Citrix ADC appliance).

After configuring a SafeNet client on the ADC as described in Configure a SafeNet client on the ADC, perform the following steps to configure SafeNet HSMs in HA:

1. On the Citrix ADC shell prompt, change to the SafeNet client's bin directory and launch “lunacm”. On the ADC the client is installed under /var/safenet/safenet/lunaclient, as in the example below; /usr/safenet/lunaclient/bin is the default location on a standalone Linux client.

Example:

root@ns# cd /var/safenet/safenet/lunaclient/bin/

root@ns# ./lunacm

2. Identify the slot IDs of the partitions. To list the available slots (partitions), type:

lunacm:> slot list

Example:

        Slot Id ->              0
        HSM Label ->            trinity-p1
        HSM Serial Number ->    481681014
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              1
        HSM Label ->            trinity-p2
        HSM Serial Number ->    481681018
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              2
        HSM Label ->            neo-p1
        HSM Serial Number ->    487298014
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            neo-p2
        HSM Serial Number ->    487298018
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              7
        HSM Label ->            hsmha
        HSM Serial Number ->    1481681014
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group

        Slot Id ->              8
        HSM Label ->            newha
        HSM Serial Number ->    1481681018
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group

        Current Slot Id: 0

3. Create the HA group. The partition used to create the group becomes the primary partition; you can add more than one secondary partition.

lunacm:> hagroup createGroup -slot <slot number of primary partition> -label <group name> -password <partition password>

lunacm:> hagroup createGroup -slot 1 -label gp12 -password ******

4. Add the secondary members (HSM partitions). Repeat this step for every partition to be added to the HA group.

lunacm:> hagroup addMember -slot <slot number of secondary partition to be added> -group <group name> -password <partition password>

Example:

lunacm:> hagroup addMember -slot 2 -group gp12 -password ******

5. Enable HA-only mode, so that the client exposes only the virtual HA slot and applications cannot address an individual member partition directly.

lunacm:> hagroup HAOnly -enable

6. Enable active recovery mode, in which the client keeps trying to reconnect a failed member and returns it to the group once it responds again.

lunacm:> hagroup recoveryMode -mode active

7. Set the auto-recovery interval in seconds, that is, how often the client tries to reconnect a failed member. The default is 60 seconds.

lunacm:> hagroup interval -interval <value in seconds>

Example:

lunacm:> hagroup interval -interval 120

8. Set the recovery retry count. A value of -1 allows an infinite number of retries.

lunacm:> hagroup retry -count <number of retries>

Example:

lunacm:> hagroup retry -count 2
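The procedure in steps 2 to 6, as an added pre-flight and post-check helper. This is example code, not code from Citrix or SafeNet: it parses the text of a lunacm "slot list", checks the prerequisites above (at least two usable partitions, all with the same authentication type), prints the lunacm commands with the first usable partition as primary, and confirms afterwards that a virtual slot carries the HA group label. The two sample slot lists (SAMPLE_OK, SAMPLE_MIXED), the label morpheus-p1 and the function names are constructed for the example; that a password-authenticated partition prints "(Password)" where a PED one prints "(PED)" is an assumption.

```sh
#!/bin/sh
# Added example, not part of the Citrix or SafeNet documentation: a pre-flight and
# post-check helper for the HA procedure, driven by the text of "lunacm:> slot list".
# Assumptions: lunacm keeps the "Field ->  value" layout shown on the page, and a
# password-authenticated partition prints "(Password)" where a PED one prints "(PED)".

# Constructed sample in the shape of the page's slot list: two PED partitions plus
# one already-existing HA virtual slot (serial and firmware lines omitted).
SAMPLE_OK='        Slot Id ->              0
        HSM Label ->            trinity-p1
        HSM Model ->            LunaSA 6.2.1
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              2
        HSM Label ->            neo-p1
        HSM Model ->            LunaSA 6.2.1
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              7
        HSM Label ->            hsmha
        HSM Model ->            LunaVirtual
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group

        Current Slot Id: 0'

# Constructed sample that breaks the first prerequisite: one PED and one password partition.
SAMPLE_MIXED='        Slot Id ->              0
        HSM Label ->            trinity-p1
        HSM Model ->            LunaSA 6.2.1
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK

        Slot Id ->              1
        HSM Label ->            morpheus-p1
        HSM Model ->            LunaSA 6.2.1
        HSM Configuration ->    Luna SA Slot (Password) Signing With Cloning Mode
        HSM Status ->           OK'

# parse_slots <slot list text>: one line per slot, "id|label|kind|auth|status"
parse_slots() {
  printf '%s\n' "$1" | awk '
    BEGIN { RS = ""; FS = "\n" }                  # one record per blank-line-separated slot block
    {
      split("", f)                                # reset the field map for this slot
      for (i = 1; i <= NF; i++) {
        n = index($i, "->"); if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 2)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        f[key] = val
      }
      if (!("Slot Id" in f)) next                 # skips the trailing "Current Slot Id" block
      auth = "unknown"
      if (f["HSM Configuration"] ~ /\(PED\)/) auth = "PED"
      else if (f["HSM Configuration"] ~ /\(Password\)/) auth = "Password"
      kind = (f["HSM Model"] ~ /^LunaVirtual/) ? "virtual" : "physical"
      print f["Slot Id"] "|" f["HSM Label"] "|" kind "|" auth "|" f["HSM Status"]
    }'
}

# ok_physical_slots <slot list text>: IDs of physical partitions with status OK, space separated
ok_physical_slots() {
  parse_slots "$1" | awk -F'|' '$3 == "physical" && $5 == "OK" { ids = ids (ids == "" ? "" : " ") $1 } END { print ids }'
}

# auth_type_count <slot list text>: distinct authentication types among physical partitions (must be 1)
auth_type_count() {
  parse_slots "$1" | awk -F'|' '$3 == "physical" { seen[$4] = 1 } END { n = 0; for (a in seen) n++; print n }'
}

# ha_group_present <slot list text> <group label>: exit 0 when a LunaVirtual slot carries the label
ha_group_present() {
  parse_slots "$1" | awk -F'|' -v want="$2" '$3 == "virtual" && $2 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# plan_hagroup <slot list text> <group label>: check the prerequisites, then print the
# lunacm commands for steps 3 to 6 with the first OK partition as the primary.
plan_hagroup() {
  text=$1; group=$2
  [ "$(auth_type_count "$text")" -eq 1 ] || { echo "PED and password partitions cannot be mixed" >&2; return 1; }
  set -- $(ok_physical_slots "$text")
  [ $# -ge 2 ] || { echo "need at least two usable partitions, found $#" >&2; return 1; }
  echo "hagroup createGroup -slot $1 -label $group -password <partition password>"; shift
  for s in "$@"; do echo "hagroup addMember -slot $s -group $group -password <partition password>"; done
  echo "hagroup HAOnly -enable"
  echo "hagroup recoveryMode -mode active"
}
```

Usage: save the output of "slot list" to a file on the ADC, then run plan_hagroup "$(cat slots.txt)" gp12 and type the printed commands into lunacm, substituting the real partition password; the script deliberately never holds it. After the group is created, capture "slot list" again and run ha_group_present "$(cat slots2.txt)" gp12, which should succeed only once the virtual HA slot with that label appears, as hsmha and newha do in the example output above.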

After configuring SafeNet HSMs in HA, see Additional ADC configuration for further configuration on the ADC.
