Go to content

Replication

Requirements

  • Physical access to the HSMs with the smart cards and PIN for each one.
  • Keyboard and monitor.
  • HSMs with a configured network interface and network access.
  • Connectivity via TCP port 4433 between all HSMs.
  • It is recommended to configure NTP on the HSMs. If this is not possible, set the clock.
  • In all HSMs:
  • service started.
  • same operating mode.
  • same firmware.
  • activated with the same SVMK (Server Master Key).

Step by step

First choose which HSM you would like to replicate and write down the IP address, this will be the base HSM. All the others will have their data overwritten with that of the base HSM.

Info

Note that calling a base HSM is for configuration purposes only.

HSM replication is multi-master; more details in the Replication topic.

The replication mechanism is only configured on the incoming HSM, so there is no need to change the HSMs in the original pool, if there is one.

No configuration is required on the base HSM.

Run the following procedure on each HSM that will be part of the pool (except the base one):

Attention

The HSM database (keys, certificates, etc.) will be overwritten by the base HSM. It is recommended that you make a backup before adding the HSM to the replication pool.

  1. Access the HSM physically, using a monitor and keyboard, and authenticate with the cards.

  2. Go to Configuration and then Replication.

    Replication screen
    Replication screen

  3. Under Replication choose Node List and then choose DiscoverEnter the IP of the base HSM. This will import the list of HSMs known to the base HSM, saving the operator from having to add the pool IPs manually.

    Don't use the Add option, as you would have to enter the entire list of pool IPs manually.

    List of nodes
    List of nodes

  4. Confirm the addition of the base HSM IP list.

    Adding Node
    Adding Node

  5. Go back to the Replication section and choose Database Live Sync. In this step you will need to redo the authentication with the cards.

    Base synchronization
    Base synchronization

  6. Accept the warning. Remember again that this HSM will have its data overwritten by that of the base HSM.

    Synchronization warning
    Synchronization warning

  7. Wait for synchronization.

    Synchronizing the base
    Synchronizing the base

  8. Once synchronization is complete, a message with theSync Point will be displayed.

    Synchronization completed
    Synchronization completed

  9. Back in the menu, choose the option Cross Check and check the entire report shown.

    Cross Check Report
    Cross Check Report

Warning

In the Cross Check report for the last HSM to join the pool, check carefully that each HSM contains all the others in its IP list and also check for any warning messages in the report.

Cross-checking

HSM has a tool(Cross Check) to check cross-replication between all nodes. With it, you can check for unbalances in the replication pool. You can run this tool locally or remotely. In the latter case, you can use the HTTP console or the command line console.

HTTP console

Connect using a browser, enter the IP of one of the HSMs in https (example: https://192.168.1.100).

Webcon Login

Webcon Login

Choose Replication from the menu

Replication

Replication

Choose the cross-check option

Cross-replication

Cross-replication

A screen like this will appear:

Hassle-free replication

Hassle-free replication

If there is an imbalance, it will appear like this:

Replication problems

Replication problems

Command Line Console

Open a command line (prompt/shell) and type hsmcon to run the program and connect to one of the HSMs in the replication pool.

On the main screen, type in the Replication item number and enter.

Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks

HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Main Menu

Keys/Objects Users HSM

 1 - Create...            17 - Create 33 - Info
 2 - Remove 18 - Remove 34 - Logs...
 3 - Attributes 19 - List 35 - Backup...
 4 - Import...            20 - Attributes 36 - Monitoring...
 5 - Export...            21 - Trust Relations 37 - Firmware update
 6 - List 22 - Password Policy 38 - Replication...
 7 - Permissions...       23 - My Password 39 - SPB...
 8 - Backup 40 - EFT...
 9 - Restore 41 - IP Filter...
                                                       42 - Tests...
                                                       43 - Dinamo Services...
                                                       44 - Tools...




 0 - Exit

Option: 38

Then type 4 and enter

Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks

HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

HSM - Replication



 1 - Info
 2 - Nodes
 3 - Refresh
 4 - Cross Check
 5 - Notify Node Down











 0 - Main Menu

Option: 4

The result shows all the nodes on the list

Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks

HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

HSM - Replication - Cross Check

this 01 node(s)
    version : 5.0.22.0
    node list :
        192.168.1.159

192.168.1.159 01 node(s)
    version : 5.0.22.0
    node list :
        172.17.0.2


Press ENTER key to continue...

If there is an imbalance, a message saying !!! please check !! will appear next to the node that has a problem. This usually means that the HSM does not have the correct list of nodes.

Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks

HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000  - ID master

HSM - Replication - Cross Check

this                 01 node(s)
    version   : 5.0.22.0
    node list :
        192.168.1.159

192.168.1.159        00 node(s)         !! please check !!
    version   : 5.0.22.0
    <empty>

Press ENTER key to continue...