ADC

Configure Thales Luna HSMs in a high availability setup on the ADC

Configuring Thales Luna HSMs in a high availability (HA) ensures uninterrupted service even if all, but one of the devices, are unavailable. In an HA setup, each HSM joins an HA group in active-active mode. Thales Luna HSMs in an HA setup provide load balancing of all the group members to increase performance and response time while providing the assurance of high availability service. For more information, contact Thales Luna Sales and Support.

Prerequisites:

  • Minimum two Thales Luna HSM devices. All the devices in an HA group must have either PED (trusted path) authentication or password authentication. A combination of trusted path authentication and password authentication in an HA group is not supported.
  • Partitions on each HSM device must have the same password even if the label (name) is different.
  • All partitions in HA must be assigned to the client (Citrix ADC appliance).

After configuring a Thales Luna client on the ADC as described in Configure a Thales Luna client on the ADC, perform the following steps to configure Thales Luna HSMs in HA:

  1. On the Citrix ADC shell prompt, launch lunacm (/usr/safenet/lunaclient/bin)

    Example:

    root@ns# cd /var/safenet/safenet/lunaclient/bin/
    
    root@ns# ./lunacm
    <!--NeedCopy-->
    
  2. Identify the slot IDs of the partitions. To list the available slots (partitions), type:

    lunacm:> slot list
    <!--NeedCopy-->
    

    Example:

        Slot Id ->              0
        HSM Label ->            trinity-p1
        HSM Serial Number ->    481681014
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK
    
        Slot Id ->              1
        HSM Label ->            trinity-p2
        HSM Serial Number ->    481681018
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK
    
         Slot Id ->              2
         HSM Label ->            neo-p1
         HSM Serial Number ->    487298014
         HSM Model ->            LunaSA 6.2.1
         HSM Firmware Version -> 6.10.9
         HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK
    
        Slot Id ->              3
        HSM Label ->            neo-p2
        HSM Serial Number ->    487298018
        HSM Model ->            LunaSA 6.2.1
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna SA Slot (PED) Signing With Cloning Mode
        HSM Status ->           OK
    
        Slot Id ->              7
        HSM Label ->            hsmha
        HSM Serial Number ->    1481681014
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group
    
        Slot Id ->              8
        HSM Label ->            newha
        HSM Serial Number ->    1481681018
        HSM Model ->            LunaVirtual
        HSM Firmware Version -> 6.10.9
        HSM Configuration ->    Luna Virtual HSM (PED) Signing With Cloning Mode
        HSM Status ->           N/A - HA Group
    
        Current Slot Id: 0
    <!--NeedCopy-->
    
  3. Create the HA group. The first partition is called the primary partition. You can add more than one secondary partitions.

    lunacm:> hagroup createGroup -slot <slot number of primary partition> -label <group name> -password <partition password >
    
    lunacm:> hagroup createGroup -slot 1 -label gp12 -password ******
    <!--NeedCopy-->
    
  4. Add the secondary members (HSM partitions). Repeat this step for all partitions to be added to the HA group.

    lunacm:> hagroup addMember -slot <slot number of secondary partition to be added> -group <group name> -password <partition password>
    <!--NeedCopy-->
    

    Code:

    lunacm:> hagroup addMember -slot 2 -group gp12 -password ******
    <!--NeedCopy-->
    
  5. Enable HA only mode.

    lunacm:> hagroup HAOnly –enable
    <!--NeedCopy-->
    
  6. Enable active recovery mode.

    lunacm:.>hagroup recoveryMode –mode active
    <!--NeedCopy-->
    
  7. Set auto recovery interval time (in seconds). Default is 60 seconds.

    lunacm:.>hagroup interval –interval <value in seconds>
    <!--NeedCopy-->
    

    Example:

    lunacm:.>hagroup interval –interval 120
    <!--NeedCopy-->
    
  8. Set recovery retry count. A value of -1 allows an infinite number of retries.

    lunacm:> hagroup retry -count <xxx>
    <!--NeedCopy-->
    

    Example:

    lunacm:> hagroup retry -count 2
    <!--NeedCopy-->
    
  9. Copy the configuration from Chrystoki.conf to the SafeNet configuration directory.

    cp /etc/Chrystoki.conf /var/safenet/config/
    <!--NeedCopy-->
    
  10. Restart the ADC appliance.

    reboot
    <!--NeedCopy-->
    

After configuring Thales Luna HSM in HA, see Other ADC configuration for further configuration on the ADC.

Configure Thales Luna HSMs in a high availability setup on the ADC