Cluster: Key Synchronization in a Cluster for Luna S790
Proceed as follows to synchronize the key material:
For the following procedure, make sure that an initialized PED and the PED Keys are within reach.
The example below shows a 2-node cluster. For the sake of simplicity, the nodes are named as follows in the sections below:
Node1 is the primary node
Node2 is the secondary (or newly connected) node
Node2
To switch to another node, click the appropriate entry for the node in the drop-down list.
The Start page of the appliance appears.
Log into the EJBCA Hardware Appliance.
On the Overview page the Application Overview shows that EJBCA has been stopped.
The HSM Overview shows Alarm: On.
Open the Security page.
In the section Luna PCI HSM Configuration a warning indicates: Appliance joined a Cluster and is therefore in Factory Reset Mode.
In the Internal HSM Status list the Alarm is On.
Click Synchronize HSM in the warning message.
The HSM Guided Setup window opens. If the entries are correct, click Next Step.
If this is not the case (e.g. the remote PED is not initialized), make the appropriate settings and then continue.
For further information see HSM Initialization for Luna S790.
Follow the prompts and attend to the PED. Run through and Finalize the HSM Initialization.
Synchronize Slots
Back on the Security page, the list with the general information of the HSM starts with the entry:
Description: Database Protection Token
Status: Uninitialized (1/2) or (1/x) depending on how many nodes are connected
Active: Inactive
Actions: Synchronize Slot
Click Synchronize Slot on the Database Protection Token to open the appropriate form.
Enter a Description for the slot.
Check the entry for the PED.
If the entries are correct, continue with Synchronize Slot.
The setup form for the HSM Slot Synchronization opens.
Follow the prompts and attend to the PED.
Run through and Finalize the HSM Slot Synchronization.
Back on the Security page, the list with the general information of the HSM shows:
Description: Database Protection Token
Status: Initialized (2/2)
Active: Active
Actions: Deactivate
Repeat the synchronization for each slot.
Click Synchronize Slot, e.g. for EJBCA Crypto Token #1, to open the appropriate form.
The Description for the slot is already set: here EJBCA Crypto Token #1.
Authentication: provide the Slot PIN for EJBCA Crypto Token #1.
Check the entry for the PED.
If the entries are correct, continue with Synchronize Slot.
The setup form for the HSM Slot Synchronization opens.
Follow the prompts and attend to the PED.
Run through and Finalize the HSM Slot Synchronization for EJBCA Crypto Token #1.
Back on the Security page, the list with the general information of the HSM shows:
Description: EJBCA Crypto Token #1
Status: Initialized (2/2)
Active: Active
Actions: Decommission, Deactivate, Change PIN, Synchronize
Node1
To switch to another node, click the appropriate entry for the node in the drop-down list.
The Start page of the appliance appears.
Log into the EJBCA Hardware Appliance.
On the Overview page the Application Overview indicates that EJBCA is operational. The Cluster Overview list appears:
Node1: This Node, IP address is displayed
Node2: Connected, IP address is displayed
Click Admin Web next to EJBCA in the Application Overview.
The EJBCA Enterprise page opens.
The installation is displayed.
The node is not initialized.
Create a New CA is already preselected.
Open the CA Functions drop-down menu in the top menu bar.
Select Crypto Tokens to open the Manage Crypto Tokens page.
The EJBCA Crypto Token #1 is displayed in a list. Click on it.
On the following page EJBCA Crypto Token #1 is displayed with further information.
In the last row (Crypto Token currently does not contain any key pairs), select Sign/Verify in the rightmost drop-down field.
Click Generate new key pair.
The page is updated and a key information row is displayed:
Alias: signKey
Key Algorithm: RSA
Key Specification: 4096
SubjectKey ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Action: Test or Remove; Download Public Key