24/10/2014

8.6. Setting up HA and Load balancing for LunaSA LinOTP 2.7 documentation

LinOTP 2.7 documentation



8.6. Setting up HA and Load balancing for LunaSA

Several LunaSAs can join a HA group. You have to configure the LinOTP machine with each LunaSA. Using the vtl tool you can now create the HA group.

Note
The policies Allow Cloning and Allow Network Replication must be turned on. Use hsm setPolicy to set those policies if necessary.


Note
Both partitions need to have the Auto Activated policy turned on.


Note
Both HSMs need to use the same red Domain key.


Note
The HA is set up between two partitions on two HSMs. Therefore these partitions need to have the same password. The partitions do not need to have the same name. Change the passwords of the partitions, so that the partitions have the same password:

    partition changePw

Use partition show to record the serial number of the partition.


8.6.1. Register LinOTP


You need to register the LinOTP (client) with both HSMs as described in section Setting up HSM clients and assigning clients to HSM partitions.


8.6.2. Creating HA group


Finally, when the vtl verify command shows you both HSMs, you can set up the HA group:

    ./vtl haAdmin -newGroup -serialNum <serialnumber-of-first-HSM> \
        -label <label-of-HA-group> -password <partition-Password>

The file /etc/Chrystoki.conf now should have a new entry VirtualToken.


Note
Internally the partition gets an HA key created to identify to which HA group this partition belongs. If this new HA group is a copy of a group on another LinOTP server, you will be warned that there is an existing HA key on this partition. If you want to have both LinOTP servers talk to this same HA group, you must type copy to keep the existing HA key. If you want to start over with the HA group, then type remove. The HA key on this partition will be removed.

For adding further members to the group, you need the HA group number. You can either see this number in the cryptoki.conf file or you can see this number by issuing the command:


    ./vtl haAdmin -listGroups

You can now add the second HSM to the HA group:

    ./vtl haAdmin -addMember -group <serialnumber-of-the-ha-group> \
        -serialNum <serialnumber-of-second-HSM> -password <partition-password>

Finally, when all members are added, you need to issue the command:

    ./vtl haAdmin -synchronize -group <group-label>

Note
In case you need to recover a failed member, use the command haAdmin -recover. For more details see section Restore an HA group.
http://www.linotp.org/doc/2.6/part-installation/HSM/lunasa_ha.html

The VirtualToken in the file cryptoki.conf now should contain both the serial numbers of the two partitions.

Note
The vtl verify command will not show the virtual token. You can use the cmu list tool to list all three slots. The virtual token (HA) usually will be slot #3. Using cmu list you should also list the objects in the virtual slot to check which handles the three encryption keys were assigned.

Please reconfigure /etc/linotp2/linotp.ini to use the HA Virtual Card Slot.
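The following check is an added example, not part of the LinOTP documentation or the Luna client tools: it reads the VirtualToken entry and confirms that every partition serial you expect is listed as a member before LinOTP is pointed at the virtual slot. The VirtualTokenNNLabel / VirtualTokenNNMembers key names and the serial numbers are assumptions constructed for the example; compare the key names with your own /etc/Chrystoki.conf.

```shell
#!/bin/sh
# Added example, not from the LinOTP docs or the Luna client tools.
# The VirtualToken layout below is an assumed format (check it against
# your own /etc/Chrystoki.conf); the serials are constructed sample values.
set -eu

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Chrystoki2 = {
   LibUNIX = /usr/lib/libCryptoki2.so;
}
VirtualToken = {
   VirtualToken00Label = linotp-ha;
   VirtualToken00SN = 1150000001;
   VirtualToken00Members = 150000001,150000002;
}
EOF

# Print the comma-separated member serials of the HA group labelled $2 in config $1.
ha_members() {
    awk -v label="$2" '
        /^VirtualToken[ \t]*=/ { inblock = 1; next }
        inblock && /^}/ { inblock = 0 }
        inblock && $1 ~ /^VirtualToken[0-9]+Label$/ { cur = $3; sub(/;$/, "", cur) }
        inblock && $1 ~ /^VirtualToken[0-9]+Members$/ && cur == label {
            m = $3; sub(/;$/, "", m); print m
        }' "$1"
}

# Return 0 when every serial given after the label is a member of the group,
# 1 otherwise; each missing serial is reported on stderr.
check_ha_group() {
    conf=$1; label=$2; shift 2
    members=$(ha_members "$conf" "$label")
    rc=0
    for sn in "$@"; do
        case ",$members," in
            *",$sn,"*) ;;
            *) echo "partition $sn is not a member of HA group $label" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Both partitions from the procedure above must be present.
check_ha_group "$SAMPLE_CONF" linotp-ha 150000001 150000002 && echo "HA group complete"
```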

8.6.3. Monitoring
On the LinOTP machine you can use the command:

    /usr/lunasa/bin/vtl haAdmin -status -show

to check which HSM is alive.

8.6.3.1. Restore an HA group


Usually you will not have to restore using the backup token.

If only one member of the HA group failed, you can use the command:

    ./vtl haAdmin -recover <group name>

which will recover a failed member (power outage) to the HA group.

If you had a hardware failure and need to install a new HSM, you need to remove the broken member from the HA group and add the new HSM to the HA group:

1. Remove the broken HSM from the HA group using the command:

       vtl haAdmin -removeMember <group-name> -serialNum <serial-of-the-failing-partition>

2. Initialize the new HSM, create the new partition, assign the partition to the client, set the partition password and
3. add the partition to the HA group using the command vtl haAdmin -addMember.
4. Synchronize the HA group, so that the keys are synchronized to the new HSM:

       vtl haAdmin -synchronize -group <group-name>

If both of your HSMs fail, you need to set up both HSMs with the HA groups from scratch (see Restore). Then you need your backup token to populate the first partition with the keys again.

Note
In this case, the handles of the keys may have changed. Check if you need to adapt /etc/linotp2/linotp.ini.

Copyright 2014, LSE Leading Security Experts GmbH. Created using Sphinx 1.1.3.
