Set up Hardware Security Module in High Availability mode
Recommendation for Hardware Security Module in High Availability: We recommend using a minimum of two HSM devices with appropriate backups, due to the irreversibility of operations.
Configure Virtual High Availability Slots
The following are the steps to configure the virtual HA slots:
- In the registry, navigate to the following path:
  HKEY_LOCAL_MACHINE>SOFTWARE>Safenet>PTKC>GENERAL
  Change the value of ET_PTKC_GENERAL_LIBRARY_MODE to NORMAL, if not set already.
- Navigate to the following path:
  HKEY_LOCAL_MACHINE>SOFTWARE>Safenet>HSM>NETCLIENT
  Double-click ET_HSM_NETCLIENT_SERVERLIST and assign the IP addresses of both HSMs, separated by a space.
  You also need to create an environment variable:
  ET_HSM_NETCLIENT_SERVERLIST = <IP1>SPACE<IP2>
  where:
  IP1 is the IP address of HSM device 0 (the first HSM machine the Administrator is configuring, as defined earlier).
  IP2 is the IP address of HSM device 1 (the second HSM machine, which the Administrator is configuring as a failover server).
  Perform an IISRESET operation.
- Reopen the Command Prompt, and run the HSMstate.exe file, available at the following path:
  C:\Program Files\SafeNet\Protect Toolkit 5\Network HSM\bin
  A list of all the configured HSMs is displayed.
  As shown in the above screenshot, another HSM device, HSM device 1, is now added.
  If device 1 is not available, edit the environment variable with its IP address.
  After adding device 1, we need to create an uninitialized slot which can be used for replication.
  Follow the steps to create an uninitialized slot in HSM device 1.
  - To open, double-click the gCTAdmin HSM.bat batch file, available at the following path:
    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin
    For PSEv3, the path is:
    C:\Program Files\Safenet\ProtectToolkit 7\Runtime\bin
  - In the Select an Adapter dialog box, select the appropriate AdminToken option (the one that belongs to device 1), and click OK.
  - Enter the User PIN in the Enter PIN popup window, and click OK.
  - For slot creation, navigate to File > Create Slots.
  - Enter the number of slots to be created in the Input popup window, and click OK. The tokens are created with uninitialized slots.
    Example: If an Administrator enters 1 in the field and clicks OK, one token is created with an uninitialized slot.
  - The Adapter Management window restarts. The Administrator needs to enter the Admin PIN.
- For PSEv2, follow this step.
  Establish Trust: For token replication to be performed from one HSM (holding the token labels) to another, both HSMs must have a trust relationship with each other.
  Run the following commands after navigating to the path:
  C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin
  - ctident gen all: This command generates the identity key pair on all the HSMs connected to the client (or available to the client machine).
  - ctident trust all all: This command creates the trust between all the HSMs (both ways, from HSM 0 --> HSM 1 and vice versa).
  For PSEv3, follow this step. This step is the only difference in setting up HA for PSEv3.
  For token replication to be performed from one HSM (holding the token labels) to another, both HSMs must have a trust relationship with each other.
  Run the following commands after navigating to the path:
  C:\Program Files\Safenet\ProtectToolkit 7\Runtime\bin
  Prerequisite: To acquire the serial number, execute the below command:
  ctconf -a <slot number>
  - ctident gen-selfsigned -f sn:serialnumber_1hsm
    ctident gen-selfsigned -f sn:serialnumber_2hsm
  - ctident trust all all -f: This command creates the trust between all the HSMs (both ways, from HSM 0 --> HSM 1 and vice versa).
- Replicate Tokens: Once the trust is established, the tokens can be replicated. The HSM device 0 can not be replicated to any of the uninitialized/initialized slots of the HSM device 1.
  - For Uninitialized Slot: The following command can be used to replicate the tokens:
    ctkmu rt -s<SLOT_NUMBER> -d<SLOT_NUMBER>
    where:
    s is the slot number of the Source HSM.
    d is the slot number of the Destination HSM, which is in the uninitialized state.
    As shown below, Slot 0 of HSM device 0 is now replicated with Slot 2 of HSM device 1, and the label of the uninitialized token is also changed.
  - For Initialized Slot: Please ensure that the PINs (User PIN and Security Officer PIN) of HSM device 1 are the same as those of HSM device 0. You can either modify the device 1 PINs or reinitialize the slot and go through point (a) again.
- Verify that the Key Checksum Value (KCV) of the key in both slots is the same.
  For details on how to verify, refer to the Verifying Key Checksum Value in Replicated Slots section.
- Create a new registry under PTKC and name it as HA, if not set already.
  Navigate to the following path:
  HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\PTKC\WLD
  Create string values as:
  ET_PTKC_WLD_SLOT_<HA SLOT_NUMBER>=<HA SLOTS LABEL>
  Example:
  Variable (String Values)    Assignment
  ET_PTKC_WLD_SLOT_0          Slot 0 (Slot Label)
- Set Library Mode to HA.
  In the registry, navigate to HKEY_LOCAL_MACHINE>SOFTWARE>Safenet>PTKC>GENERAL and change the value of ET_PTKC_GENERAL_LIBRARY_MODE to HA.
- Check HA Slot Configuration:
  Run the ctkmu l (HA mode) utility to view the slots. Example: Only the HA virtual slots should be visible.
  Any HSM physical slot on the system which has not been associated with an HA virtual slot can no longer be accessed.
- Advanced HA Configurations:
  Set the following environment variables.
  - ET_PTKC_HA_RECOVER_DELAY = <number of minutes>
    Example: ET_PTKC_HA_RECOVER_DELAY = 2
  - ET_PTKC_HA_RECOVER_WAIT = <YES / NO>
    Example: ET_PTKC_HA_RECOVER_WAIT = YES
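
A read-only check of the client-side registry settings from the steps above, as an added example that is not part of the original page or of SafeNet's tooling. It assumes IPv4 addresses in the server list; the function names Test-HsmHaConfig and Get-HsmHaConfig are hypothetical, and the sample values are constructed.

```powershell
# Added example, not vendor code. Registry paths and value names are the ones
# given on this page; both function names are hypothetical; IPv4 is assumed.
function Test-HsmHaConfig {
    param([string]$LibraryMode, [string]$ServerList, [hashtable]$WldSlots = @{})
    $findings = @()
    # SERVERLIST must hold the addresses of both HSMs, separated by a space.
    $ips = @($ServerList -split '\s+' | Where-Object { $_ })
    if ($ips.Count -lt 2) { $findings += 'SERVERLIST: fewer than two HSM addresses, so there is no failover device' }
    if (@($ips | Select-Object -Unique).Count -ne $ips.Count) { $findings += 'SERVERLIST: the same address is listed twice' }
    foreach ($ip in $ips) {
        $parsed = $null
        $dotted = $ip -match '^\d{1,3}(\.\d{1,3}){3}$'
        if (-not ($dotted -and [System.Net.IPAddress]::TryParse($ip, [ref]$parsed))) {
            $findings += "SERVERLIST: '$ip' is not a valid IPv4 address"
        }
    }
    if ($LibraryMode -notin @('NORMAL', 'HA')) { $findings += "LIBRARY_MODE: '$LibraryMode' is not NORMAL or HA (the values this procedure sets)" }
    # In HA mode only slots mapped under WLD stay reachable, so an empty or
    # malformed mapping leaves the application without a usable slot.
    if ($LibraryMode -eq 'HA' -and $WldSlots.Count -eq 0) { $findings += 'WLD: library mode is HA but no ET_PTKC_WLD_SLOT_<n> value exists' }
    foreach ($name in $WldSlots.Keys) {
        if ($name -notmatch '^ET_PTKC_WLD_SLOT_\d+$') { $findings += "WLD: unexpected value name '$name'" }
        elseif ([string]::IsNullOrWhiteSpace($WldSlots[$name])) { $findings += "WLD: $name has an empty slot label" }
    }
    return $findings
}

# Reads the live values from the registry keys named in the procedure (read-only).
function Get-HsmHaConfig {
    $root = 'HKLM:\SOFTWARE\SafeNet'
    $general = Get-ItemProperty "$root\PTKC\GENERAL" -ErrorAction SilentlyContinue
    $net = Get-ItemProperty "$root\HSM\NETCLIENT" -ErrorAction SilentlyContinue
    $wld = @{}
    $key = Get-Item "$root\PTKC\WLD" -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $wld[$n] = [string]$key.GetValue($n) } }
    @{ LibraryMode = [string]$general.ET_PTKC_GENERAL_LIBRARY_MODE
       ServerList  = [string]$net.ET_HSM_NETCLIENT_SERVERLIST
       WldSlots    = $wld }
}

# Constructed sample (documentation addresses): HA mode set before the WLD mapping exists.
$sample = @{ LibraryMode = 'HA'; ServerList = '192.0.2.10 192.0.2.10'; WldSlots = @{} }
Test-HsmHaConfig @sample
# On a configured client: $cfg = Get-HsmHaConfig; Test-HsmHaConfig @cfg
```

Running the check before switching ET_PTKC_GENERAL_LIBRARY_MODE to HA catches a missing slot mapping while the physical slots are still reachable.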