
Configure Thales Luna HSMs in a high availability setup on the ADC

Configuring Thales Luna HSMs in a high availability (HA) setup ensures uninterrupted service even if all but one of the devices become unavailable. In an HA setup, each HSM joins an HA group in active-active mode. Thales Luna HSMs in an HA setup load balance requests across all group members, improving performance and response time while providing the assurance of a highly available service. For more information, contact Thales Luna Sales and Support.

Prerequisites:

  • Minimum two Thales Luna HSM devices. All the devices in an HA group must have either PED (trusted path) authentication or password authentication. A combination of trusted path authentication and password authentication in an HA group is not supported.
  • Partitions on each HSM device must have the same password even if the label (name) is different.
  • All partitions in HA must be assigned to the client (Citrix ADC appliance).

After configuring a Thales Luna client on the ADC as described in Configure a Thales Luna client on the ADC, perform the following steps to configure Thales Luna HSMs in HA:

1. At the Citrix ADC shell prompt, launch lunacm (/usr/safenet/lunaclient/bin).

Example:

root@ns# cd /var/safenet/safenet/lunaclient/bin/
root@ns# ./lunacm

2. Identify the slot IDs of the partitions. To list the available slots (partitions), type:

lunacm:> slot list 

Example:

Slot Id -> 0
HSM Label -> trinity-p1
HSM Serial Number -> 481681014
HSM Model -> LunaSA 6.2.1
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 1
HSM Label -> trinity-p2
HSM Serial Number -> 481681018
HSM Model -> LunaSA 6.2.1
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 2
HSM Label -> neo-p1
HSM Serial Number -> 487298014
HSM Model -> LunaSA 6.2.1
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 3
HSM Label -> neo-p2
HSM Serial Number -> 487298018
HSM Model -> LunaSA 6.2.1
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK

Slot Id -> 7
HSM Label -> hsmha
HSM Serial Number -> 1481681014
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna Virtual HSM (PED) Signing With Cloning Mode
HSM Status -> N/A - HA Group

Slot Id -> 8
HSM Label -> newha
HSM Serial Number -> 1481681018
HSM Model -> LunaVirtual
HSM Firmware Version -> 6.10.9
HSM Configuration -> Luna Virtual HSM (PED) Signing With Cloning Mode
HSM Status -> N/A - HA Group

Current Slot Id: 0

3. Create the HA group. The first partition added is called the primary partition. You can add more than one secondary partition.

lunacm:> hagroup createGroup -slot <slot number> -label <group label> -password <password>

Example:

lunacm:> hagroup createGroup -slot 1 -label gp12 -password ******

4. Add the secondary members (HSM partitions). Repeat this step for all partitions to be added to the HA group.

lunacm:> hagroup addMember -slot <slot number of secondary partition to be added> -group <group label> -password <password>

Example:

lunacm:> hagroup addMember -slot 2 -group gp12 -password ****** 

5. Enable HA only mode.

lunacm:> hagroup HAOnly -enable

6. Enable active recovery mode.

lunacm:> hagroup recoveryMode -mode active

7. Set the auto recovery interval (in seconds). The default is 60 seconds.

lunacm:> hagroup interval -interval <seconds>

Example:

lunacm:> hagroup interval -interval 120

8. Set the recovery retry count. A value of -1 allows an infinite number of retries.

lunacm:> hagroup retry -count <count>

Example:

lunacm:> hagroup retry -count 2 
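A check a practitioner can run on the "slot list" output before creating the group, as an added example that is not part of the Citrix or Thales documentation: it parses the "key -> value" records shown in step 2 and flags the prerequisites listed above (at least two physical partitions, all PED or all password authentication, partitions in OK status). The sample output is an abbreviated, constructed excerpt of the listing above, and treating any configuration string without "(PED)" as password authentication is an assumption.

```python
import re

# Abbreviated excerpt of the "slot list" output above (constructed: serial and
# firmware lines dropped; two physical partitions and one virtual HA group slot).
SLOT_LIST_OUTPUT = """\
Slot Id -> 0
HSM Label -> trinity-p1
HSM Model -> LunaSA 6.2.1
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 2
HSM Label -> neo-p1
HSM Model -> LunaSA 6.2.1
HSM Configuration -> Luna SA Slot (PED) Signing With Cloning Mode
HSM Status -> OK
Slot Id -> 7
HSM Label -> hsmha
HSM Model -> LunaVirtual
HSM Configuration -> Luna Virtual HSM (PED) Signing With Cloning Mode
HSM Status -> N/A - HA Group
"""

def parse_slot_list(text):
    """Turn 'key -> value' lines into one dict per slot; a 'Slot Id' line starts a new slot."""
    slots = []
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*->\s*(.*?)\s*$", line)
        if m and m.group(1) == "Slot Id":
            slots.append({})
        if m and slots:
            slots[-1][m.group(1)] = m.group(2)
    return slots

def check_ha_prerequisites(slots):
    """List prerequisite violations among the physical (non-virtual) partitions."""
    physical = [s for s in slots if s.get("HSM Model") != "LunaVirtual"]
    problems = []
    if len(physical) < 2:
        problems.append("fewer than two physical partitions visible to the client")
    # Assumption: '(PED)' in HSM Configuration means trusted-path authentication;
    # anything else is treated as password authentication. Mixing is unsupported.
    auth = {"PED" if "(PED)" in s.get("HSM Configuration", "") else "password" for s in physical}
    if len(auth) > 1:
        problems.append("mixed PED and password authentication across partitions")
    for s in physical:
        if s.get("HSM Status") != "OK":
            problems.append(f"slot {s['Slot Id']} ({s.get('HSM Label')}) status: {s.get('HSM Status')}")
    return problems
```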

After configuring Thales Luna HSMs in HA, see Additional ADC configuration for further configuration on the ADC.
