Thales nShield® HSM
When integrating with Thales nShield® HSM, is there any specific configuration to keep in mind when adding the NetScaler appliance to an HA pair?
You must configure the same Thales device(s) on both nodes of the HA pair. Thales configuration commands are not synchronized between HA nodes, so each node must be configured individually. For the prerequisites for Thales nShield® HSM, see http://docs.citrix.com/en-us/netscaler/12/ssl/support_for_thales/thales_prerequsites.html.
Do we have to integrate each appliance individually with Thales nShield® HSM and the RFS? Must this be done before or after the HA setup?
You can complete the integration before or after the HA setup. However, if the integration is done after the HA setup, keys imported on the primary node before the secondary node was configured are not synchronized to the secondary node. Citrix therefore recommends completing the Thales integration on both appliances before setting up HA.
Do we have to import the key into both the primary and secondary NetScaler appliances, or are the keys synchronized from the primary node to the secondary node?
If Thales is integrated on both appliances before the HA pair is formed, the keys are automatically synchronized from the RFS as part of the integration, so you do not need to import them separately on the secondary node.
Given that the HSM is not on the NetScaler appliance but on the Thales device, what happens to the keys and certificates when a node fails and is replaced?
If a node fails, you can synchronize the keys and certificates to the replacement node by first integrating Thales on the new node (so that its keys are pulled from the RFS) and then running the following commands:
- sync ha files ssl
- force ha sync
The certificates are synchronized and added only if the keys were synchronized when Thales was integrated on the new node; if the integration step is skipped, the HA sync alone does not restore them.