Installing or Updating the Cluster Package

Use these instructions to install or update the cluster secure package. You must use LunaSH to perform the updates.

>Installing the Cluster Package

>Updating Cluster Members

>Troubleshooting

CAUTION!   TECHNICAL PREVIEW -- EVALUATION ENVIRONMENT ONLY

Clusters are presented as a technical preview, to give customers the opportunity to validate our new HSM management features, which are designed to reduce operational cost and maximize the return on investment of a fleet of HSMs. This release does not provide a migration path from standard Luna partitions or Luna Cloud HSM services to keyrings. Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2, and Luna HSM Client 10.6.0 to use clusters.

DO NOT INSTALL THE CLUSTER PACKAGE ON A LUNA NETWORK HSM IN PRODUCTION

When the cluster package is installed, access to any existing partitions on the HSM is disabled, and this can only be reversed by re-imaging the Luna Network HSM 7 appliance (see Re-Imaging the Appliance to Baseline Software/Firmware Versions). Re-imaging is a destructive action; all roles, partitions, and keys are destroyed. The Luna Network HSM 7 must be completely reconfigured; all partitions must be recreated and their contents restored from backup. In particular, do not attempt to configure clustering on a Luna Network HSM 7 that already has V1 partitions created; either delete these partitions or re-image the appliance before configuring a cluster.

Installing the Cluster Package

Use this procedure to install the cluster package on the Luna Network HSM 7 appliance for the first time.

Prerequisites

>The Luna Network HSM 7 must be configured and accessible over the network.

>The Luna Network HSM 7 must be initialized (see Initializing the HSM).

>You require a client computer with an operating system supported by your desired client version (refer to the Customer Release Notes).

>Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2, and Luna HSM Client 10.6.0 to use clusters.

Refer to:

Updating the Luna Network HSM 7 Appliance Software

Updating the Luna HSM Firmware

Updating the Luna HSM Client Software

To install the cluster package on the Luna Network HSM 7

1. Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.

pscp <path>/lnh_cluster-1.0.#-###.spkg admin@<appliance_host/IP>:

2. Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).

3. Log in as HSM SO (see Logging In as HSM Security Officer).

lunash:> hsm login

4. [Optional] Verify that the secure package file is present on the Luna Network HSM 7.

lunash:> package listfile

5. [Optional] Verify the package file, specifying the authorization code you received from Thales.

lunash:> package verify <filename>.spkg -authcode <code_string>

6. Install the secure package for the cluster service.

lunash:> package update lnh_cluster-1.0.#-###.spkg -authcode <authcode_string>

7. Run the restart command for the cluster service, as prompted. This step completes the service installation procedure.

lunash:> service restart cluster

The new cluster and keyring commands become available when you open a new LunaSH session.

8. If you plan to use the REST API to work with clusters, set up the webserver service so that the appliance can accept calls from your web application.

Refer to Webserver Setup.

After configuring the webserver service, you must synchronize the HSM time with the time on the appliance.

lunash:> hsm time sync

9. Install the Luna HSM Client software on the client machine you will use to configure your application partition(s).

Refer to Luna HSM Client Software Installation.

Updating Cluster Members

Use the following procedure to update the appliance software, firmware, and cluster package on all members of a cluster, using the REST API or LunaSH.

NOTE   Thales recommends Luna Appliance Software 7.8.3 with cluster package 1.0.3, Luna HSM Firmware 7.8.2, and Luna HSM Client 10.6.0 to use clusters.

REST API

Prerequisites

>All cluster members must be functioning and visible to the primary member ("memberActive": true, "visibleToServicingNode": true, "restartService": false).

GET /api/clusters/{clusterID}/members

>Stop all client applications during the update process.

To update all members of a cluster using REST API

1. Identify the primary cluster member ("primaryNode": true).

GET /api/clusters/{clusterID}/members

2. Choose one of the non-primary members to update.

a. Stop the cluster service on that member (serviceid: cluster, actionid: stop).

POST /api/lunasa/services/{serviceid}/actions/{actionid}

b. Disable the cluster service to prevent automatic restart during the update procedure (serviceid: cluster, actionid: disable).

POST /api/lunasa/services/{serviceid}/actions/{actionid}

c. Update the Luna Network HSM 7 appliance software. You must be updating from Luna Appliance Software 7.8.3 or newer to use the REST API for this action.

POST /api/lunasa/packageFiles

If you are updating from an older appliance software version, refer to the LunaSH procedure (Updating the Luna Network HSM 7 Appliance Software).

d. Update the Luna HSM firmware (actionid: upgrade).

POST /api/lunasa/hsms/{hsmid}/firmware/actions/{actionid}

e. Update the cluster package and restart the cluster service. You require Luna Appliance Software 7.8.3 or newer to use the REST API for this action (the version you updated to in step c above).

POST /api/lunasa/packageFiles

At this point, the member becomes active again. Repeat step 2 for each non-primary member, one at a time.

3. Promote one of the updated members to primary.

Refer to Promoting a Member to Primary.

4. Repeat step 2 for the final (formerly primary) member.

5. [Optional] If you wish, promote the original primary member back to primary.

Refer to Promoting a Member to Primary.

6. Update the Luna HSM Client software.

Refer to Updating the Luna HSM Client Software.

After updating the client, you may restart applications from that client. Repeat for each additional client.
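
The prerequisite check and update order from the REST API procedure above, as an added Python example that is not part of the Thales documentation. The four boolean field names are taken from this page; the "id" key, the list-of-objects shape of the response, the exactly-one-primary check, and the choice of the first updated member for promotion are assumptions made for illustration.

```python
# Added example, not Thales code. The four boolean field names are from the
# page; the "id" key and the list-of-objects response shape are assumptions.
REQUIRED = {"memberActive": True, "visibleToServicingNode": True,
            "restartService": False}

# Steps 2a-2e with serviceid/actionid filled in; {hsmid} stays a placeholder.
MEMBER_STEPS = [
    "POST /api/lunasa/services/cluster/actions/stop",
    "POST /api/lunasa/services/cluster/actions/disable",
    "POST /api/lunasa/packageFiles  (appliance software)",
    "POST /api/lunasa/hsms/{hsmid}/firmware/actions/upgrade",
    "POST /api/lunasa/packageFiles  (cluster package)",
]

SAMPLE = [  # constructed body of GET /api/clusters/{clusterID}/members
    {"id": "member-1", "primaryNode": True, "memberActive": True,
     "visibleToServicingNode": True, "restartService": False},
    {"id": "member-2", "primaryNode": False, "memberActive": True,
     "visibleToServicingNode": True, "restartService": False},
    {"id": "member-3", "primaryNode": False, "memberActive": True,
     "visibleToServicingNode": True, "restartService": False},
]


def preflight(members):
    """Return a list of problems; an empty list means the update may start."""
    problems = []
    for m in members:
        for field, want in REQUIRED.items():
            # A missing field fails the check; health is never assumed.
            if m.get(field) is not want:
                problems.append(f"{m['id']}: {field} is {m.get(field)!r}")
    primaries = [m for m in members if m.get("primaryNode") is True]
    if len(primaries) != 1 or len(members) < 2:
        problems.append("need exactly one primary and one other member")
    return problems


def plan_update(members):
    """Order the calls: non-primary members first, former primary last."""
    problems = preflight(members)
    if problems:
        raise RuntimeError("cluster not ready: " + "; ".join(problems))
    primary = next(m["id"] for m in members if m.get("primaryNode") is True)
    others = [m["id"] for m in members if m["id"] != primary]
    plan = [(mid, step) for mid in others for step in MEMBER_STEPS]
    # Step 3: any updated member may be promoted; the first is chosen here.
    plan.append((others[0], "promote to primary"))
    return plan + [(primary, step) for step in MEMBER_STEPS]
```

Re-run the check against a fresh member list before starting each member, since the procedure updates members one at a time and expects each to become active again before the next begins.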

LunaSH

Prerequisites

>All cluster members must be functioning and visible to the primary member (not displayed in the list with an x or R).

lunash:> cluster member list

>Stop all client applications during the update process.

To update all members of a cluster using LunaSH

1. Identify the primary cluster member.

lunash:> cluster member list

The primary member is displayed in the list with a P.

2. Choose one of the non-primary members to update. Log in to LunaSH on the appliance as admin.

a. Stop the cluster service.

lunash:> service stop cluster

b. Disable the cluster service to prevent automatic restart during the update procedure.

lunash:> cluster disable

c. Update the Luna Network HSM 7 appliance software.

Refer to Updating the Luna Network HSM 7 Appliance Software.

d. Update the Luna HSM firmware.

Refer to Updating the Luna HSM Firmware.

e. Update the cluster package and restart the cluster service.

Refer to Installing the Cluster Package.

At this point, the member becomes active again. Repeat step 2 for each non-primary member, one at a time.

3. Promote one of the updated members to primary.

Refer to Promoting a Member to Primary.

4. Repeat step 2 for the final (formerly primary) member.

5. [Optional] If you wish, promote the original primary member back to primary.

Refer to Promoting a Member to Primary.

6. Stop your client applications and update the Luna HSM Client software.

Refer to Updating the Luna HSM Client Software.

After updating the client, you may restart applications from that client. Repeat for each additional client.

Troubleshooting

If you encounter any issues, refer to Reading System Logs to check recent activity on the appliance. To report an issue that is not described below, export the appliance syslog to a client workstation and provide it to your Thales representative (refer to Exporting System Logs).