Synchronization of Key Material
Key material stored in the HSM is not automatically synchronized once the cluster has been set up; it can, however, be synchronized manually. Consider the following scenarios:
Pre-cluster Setup Generation of Keys
If it is suitable for your use case, you could generate all keys that will be used during the lifetime of the installation after the first node has been installed. This should be done before starting the cluster configuration for the additional nodes. In this way, all additional cluster nodes are equipped with the complete key material during installation.
This means that no additional manual key synchronization is required.
Post-cluster Setup Generation of Keys
If you generate new keys (or change the key material in any other way) after setting up the cluster, you must synchronize the key material manually.
Note that applications that are connected to the shared database may not work properly if they try to use references to keys that are not yet synchronized.
For example, if a Certificate Authority in EJBCA is renewed with new key generation, the other cluster nodes will try to use the new key shortly after the renewal. This fails because the key was generated locally, in the HSM of the node on which the renewal was performed, and does not yet exist on the other nodes.
Synchronize Key Material:
Proceed as follows to synchronize the key material:
1. On Node 1: Generate the key pair(s) on the first node.
2. On Node 1: Go to the HSM tab of the Hardware Appliance WebConf.
3. Click Download Cluster Key Synchronization Package to download a Cluster Key Synchronization Package.
4. On Node n: Go to the HSM tab of the Hardware Appliance WebConf and upload the Cluster Key Synchronization Package.
5. Repeat step 4 for each node (n>1).
6. Configure the application to start using the new key pair(s).
Since node 1 has the higher database quorum vote weight, it is generally advisable to generate the keys there: in a two-node setup this avoids a restart and the potential downtime that comes with it.