8.6. Setting up HA and Load balancing for LunaSA LinOTP 2.7 documentation
Several LunaSAs can join a HA group.

You have to configure the LinOTP machine with each LunaSA. Using the vtl tool you can now create the HA group.
Note

The policies Allow Cloning and Allow Network Replication must be turned on. Use hsm setPolicy to set those policies if necessary.
Note

Both partitions need to have the Auto Activated policy turned on.
Note

Both HSMs need to use the same red Domain key.
Note

The HA is set up between two partitions on two HSMs. Therefore these partitions need to have the same password. The partitions do not need to have the same name.

Change the passwords of the partitions, so that the partitions have the same password:

partition changePw

Use partition show to record the serial number of the partition.
8.6.1. Register LinOTP

You need to register the LinOTP (client) with both HSMs as described in section Setting up HSM clients and assigning clients to HSM partitions.
8.6.2. Creating HA group
Create the HA group with the serial number of the first partition:

./vtl haAdmin -newGroup -serialNum <serialnumber-of-first-HSM> -label <label-of-HA-group> -password <partition-Password>
Internally the partition gets an HA key created to identify to which HA group this partition belongs. If this new HA group is a copy of a group on another LinOTP server, you will be warned that there is an existing HA key on this partition. If you want to have both LinOTP servers talk to this same HA group, you must type copy to keep the existing HA key. If you want to start over with the HA group, then type remove. The HA key on this partition will be removed.
For adding further members to the group, you need the HA group number. You can either see this number in the cryptoki.conf file or you can see this number by issuing the command:
You can now add the second HSM to the HA group:

./vtl haAdmin -addMember -group <serialnumber-of-the-ha-group> -serialNum <serialnumber-of-second-HSM> -password <partition-password>
Finally, when all members are added, you need to issue the command:

./vtl haAdmin -synchronize -group <group-label>
Note

In case you need to recover a failed member, use the command vtl haAdmin -recover. For more details see section Restore an HA group.
http://www.linotp.org/doc/2.6/part-installation/HSM/lunasa_ha.html
24/10/2014
The Virtual Token in the file cryptoki.conf now should contain both the serial numbers of the two partitions.
Note

The vtl verify command will not show the virtual token. You can use the cmu list tool to list all three slots. The virtual token (HA) usually will be slot #3. Using cmu list you should also list the objects in the virtual slot to check which handles the three encryption keys were assigned.
Please reconfigure /etc/linotp2/linotp.ini to use the HA Virtual Card Slot.
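The check described above (both partition serial numbers present in the HA virtual token before pointing linotp.ini at the HA slot) can be scripted. This is an added example, not part of the LinOTP documentation or the Luna tooling; it assumes the Chrystoki.conf convention of a "VirtualTokenNNMembers = <sn>,<sn>;" line and runs against a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the LinOTP documentation): verify that the HA virtual
# token in cryptoki.conf lists the serial numbers of both partitions before
# reconfiguring /etc/linotp2/linotp.ini to use the HA slot.
# Assumption: the member list uses the Chrystoki.conf convention
#   VirtualToken00Members = <serial-1>,<serial-2>;
# The sample configuration below is constructed, not taken from a real system.

# ha_members_listed <conf-file> <serial-1> <serial-2>
# Returns 0 when both serials appear in a VirtualTokenNNMembers line, 1 otherwise.
ha_members_listed() {
    conf=$1; sn1=$2; sn2=$3
    # Extract the comma-separated member list and put one serial per line.
    members=$(sed -n 's/^[[:space:]]*VirtualToken[0-9]*Members[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' "$conf" \
              | tr -d ' ' | tr ',' '\n')
    # Each serial must match a whole line; a missing member fails the check.
    printf '%s\n' "$members" | grep -qx "$sn1" || return 1
    printf '%s\n' "$members" | grep -qx "$sn2" || return 1
    return 0
}

# --- constructed sample configuration for a self-contained run ---
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
VirtualToken = {
   VirtualToken00Label = linotp-ha;
   VirtualToken00SN = 1123456789;
   VirtualToken00Members = 123456789,987654321;
}
EOF

if ha_members_listed "$SAMPLE_CONF" 123456789 987654321; then
    echo "both partitions are members of the HA virtual token"
else
    echo "HA virtual token is missing a partition: re-run vtl haAdmin -addMember" >&2
fi
rm -f "$SAMPLE_CONF"
```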
8.6.3. Monitoring

On the LinOTP machine you can use the command:

/usr/lunasa/bin/vtl haAdmin -status -show

to check which HSM is alive.
Use the command vtl haAdmin -recover, which will recover a failed member (power outage) to the HA group.
If you had a hardware failure and need to install a new HSM, you need to remove the broken member from the HA group and add the new HSM to the HA group:

1. Remove the broken HSM from the HA group using the command:

vtl haAdmin -removeMember -group <group-name> -serialNum <serial-of-the-failing-partition>

2. Initialize the new HSM, create the new partition, assign the partition to the client, set the partition password and
3. add the partition to the HA group using the command vtl haAdmin -addMember.
4. Synchronize the HA group, so that the keys are synchronized to the new HSM:

vtl haAdmin -synchronize -group <group-name>
If both of your HSMs fail, you need to set up both HSMs with the HA groups from scratch (see Restore). Then you need your backup token to populate the first partition with the keys again.
Note

In this case, the handles of the keys may have changed. Check if you need to adapt /etc/linotp2/linotp.ini.
Copyright 2014, LSE Leading Security Experts GmbH. Created using Sphinx 1.1.3.