Cluster: Key Synchronization in a Cluster
Setup Generation of Keys
Keys stored on the initializing node of a cluster are not automatically transferred to a node that joins the cluster for the first time. The transfer must be done manually on the joining node:
1. Log in to your Next Generation Hardware Appliance that joined the cluster (here Node2).
2. Open the Security page.
3. In the HSM Configuration section, click Synchronize HSM. A pop-up window for synchronizing the HSM is displayed.
4. Follow the guide to finish the synchronization. Be aware that PIN Pad interactions are required!
5. Repeat the steps described above on all other nodes that join the cluster.
Post-cluster Setup Generation of Keys
If you generate new keys (or change the key material in any other way) after setting up the cluster, you must synchronize the key material manually to all other nodes.
Note that applications that are connected to the shared database may not work properly if they try to use references to keys that are not yet synchronized.
For example, if a Certificate Authority in EJBCA is renewed with new key generation, the other cluster nodes will try to use the new key shortly after the renewal. This fails because the new key exists only on the node where the key generation was performed.
To synchronize the key material, follow the steps in Synchronize Key Material below.
Synchronize Key Material
Key material stored on the HSM of a cluster node must be synchronized to all cluster members whenever it changes. This is a manual step.
Proceed as follows to synchronize the key material:
1. Log in to your Next Generation Hardware Appliance that holds the latest key material you want to synchronize (here Node1).
2. Open the Security page.
3. Go to the Key Synchronization section.
4. Click Download Cluster Key Synchronization Package to download a Cluster Key Synchronization Package (KSP).
5. Switch to the node to be synchronized (here Node2), either via the cluster menu bar at the top of Webconf or by logging in to it manually.
6. Open the Security page.
7. Go to the Key Synchronization section.
8. In the Key Synchronization section, use drag and drop or click Select a File to upload the Cluster Key Synchronization Package you want to restore from.
9. Click Upload to transfer the KSP to the HSM on this Appliance.
10. Repeat steps 5 to 9 for every other cluster member.
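The two situations described on this page (a joining node lacking the initializing node's keys, and keys generated after cluster setup existing only on one node) both come down to one question: which node holds every key in the cluster, and which nodes are missing what. The following is an added example, not part of the appliance documentation or the product, that answers that question from per-node key inventories before you pick the source node for the Cluster Key Synchronization Package. How the inventory is collected is an assumption (the page names no CLI or API for listing HSM keys), so the sample inventory is constructed inline; node names and key labels are illustrative.

```python
"""Cluster HSM key inventory check (added example, not part of the product).

Given the set of key labels present on each cluster node, report:
  - which keys each node is missing,
  - whether a single node holds every key (the node to download the KSP from),
  - or whether keys were generated on more than one node since the last sync
    ("diverged"), which the one-source procedure on this page does not cover
    and is therefore only flagged for manual review (assumption).
"""
from typing import Dict, List, Optional, Set, TypedDict

# Constructed sample: a CA in EJBCA was renewed with new key generation on
# Node1 only, so Node2 and Node3 still reference a key they do not have.
SAMPLE_INVENTORY: Dict[str, Set[str]] = {
    "Node1": {"ManagementCA-signKey", "ManagementCA-signKey-renewed",
              "signKey", "encryptKey", "testKey"},
    "Node2": {"ManagementCA-signKey", "signKey", "encryptKey", "testKey"},
    "Node3": {"ManagementCA-signKey", "signKey", "encryptKey", "testKey"},
}


class SyncPlan(TypedDict):
    status: str                 # "in_sync" | "needs_sync" | "diverged"
    source: Optional[str]       # node holding every key, or None
    targets: List[str]          # nodes that must import a KSP


def missing_keys(inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For every node, the labels that exist somewhere in the cluster but not on it."""
    all_keys: Set[str] = set().union(*inventory.values())
    return {node: sorted(all_keys - keys) for node, keys in inventory.items()}


def key_available_everywhere(inventory: Dict[str, Set[str]], label: str) -> bool:
    """True if an application may safely reference `label` from any node."""
    return all(label in keys for keys in inventory.values())


def sync_plan(inventory: Dict[str, Set[str]]) -> SyncPlan:
    """Decide the synchronization source and targets from the inventories."""
    missing = missing_keys(inventory)
    targets = sorted(node for node, gap in missing.items() if gap)
    if not targets:
        return {"status": "in_sync", "source": None, "targets": []}
    complete = sorted(node for node, gap in missing.items() if not gap)
    if not complete:
        # No node has the union of all keys: at least two nodes generated keys
        # independently. Downloading one KSP cannot fill every gap, so stop here.
        return {"status": "diverged", "source": None, "targets": targets}
    return {"status": "needs_sync", "source": complete[0], "targets": targets}


def report(inventory: Dict[str, Set[str]]) -> List[str]:
    """Human-readable summary, one line per finding."""
    plan = sync_plan(inventory)
    lines = [f"status: {plan['status']}"]
    if plan["status"] == "needs_sync":
        lines.append(f"download the Cluster Key Synchronization Package from {plan['source']}")
        for node, gap in missing_keys(inventory).items():
            if gap:
                lines.append(f"upload it on {node}; missing: {', '.join(gap)}")
    elif plan["status"] == "diverged":
        lines.append("no single node holds all keys; review which keys are current "
                     "before synchronizing (manual step, not covered by the procedure)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

Run the check before a CA renewal is put into use from other nodes: `key_available_everywhere` tells you whether the renewed key can already be referenced cluster-wide, and `sync_plan` tells you which appliance to log in to for step 1 of the procedure above.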