Replication
Requirements
- Physical access to the HSMs with the smart cards and PIN for each one.
- Keyboard and monitor.
- HSMs with a configured network interface and network access.
- Connectivity via TCP port 4433 between all HSMs.
- It is recommended to configure NTP on the HSMs. If this is not possible, set the clock.
- In all HSMs:
- service started.
- same operating mode.
- same firmware.
- activated with the same SVMK (Server Master Key).
Local Console
First choose which HSM you would like to replicate and write down the IP address, this will be the base HSM. All the others will have their data overwritten with that of the base HSM.
Info
Note that calling a base HSM is for configuration purposes only.
HSM replication is multi-master; more details in the topic Replication.
The replication mechanism is only configured on the incoming HSM, so there is no need to change the HSMs in the original pool, if there is one.
No configuration is required on the base HSM.
Run the following procedure on each HSM that will be part of the pool (except the base one):
Attention
The HSM database (keys, certificates, etc.) will be overwritten by the base HSM. It is recommended that you make a backup before adding the HSM to the replication pool.
-
Access the HSM physically, using a monitor and keyboard, and authenticate with the cards.
-
Go to Configuration and then Replication.
Dinamo - Local Management Console ┌──────┤ Replication ├──────┐ │ ◂ │ │ Domain │ │ Neighborhood Scan │ │ Node List │ │ Cross Check │ │ Pending Transaction │ │ Sync Point │ │ Interface Binding │ │ Policy │ │ Database Live Sync │ └───────────────────────────┘ Service running... Replication Domain: <none>Replication screen -
Under Replication choose Node List and then choose DiscoverEnter the IP of the base HSM. This will import the list of HSMs known to the base HSM, saving the operator from having to add the pool IPs manually.
Don't use the Add option, as you would have to enter the entire list of pool IPs manually.
Dinamo - Local Management Console ┌─────────────────────┤ Node List ├──────────────────────┐ │ │ │ ┌────────────────────────────────────────────────────┐ │ │ │ ↑ │ │ │ │ ░ │ │ │ │ ▒ │ │ │ │ ▒ │ │ │ │ ▒ │ │ │ │ ▒ │ │ │ │ ▒ │ │ │ │ ↓ │ │ │ └────────────────────────────────────────────────────┘ │ │ │ │ A - Auto Discovered M - Manual Entry │ │ │ │ ┌──────────┐ ┌──────┐ ┌───────┐ ┌───────┐ ┌───────┐ │ │ │ Discover │ │ Test │ │ Add │ │ Del │ │ Close │ │ │ └──────────┘ └──────┘ └───────┘ └───────┘ └───────┘ │ │ │ └────────────────────────────────────────────────────────┘ Service running... Replication Domain: <none>List of nodes -
Confirm the addition of the base HSM IP list.
Dinamo - Local Management Console ┌─────────────────────┤ Node List ├──────────────────────┐ │ │ │ ┌────────────────────────────────────────────────────┐ │ │ │ ↑ │ │ │ │ ░ │ │ │ │ ▒ │ │ │ │ ┌───────────────────┤ ├───────────────────┐ ▒ │ │ │ │ │ │ ▒ │ │ │ │ │ Retrieve list from specific remote node? │ ▒ │ │ │ │ │ │ ▒ │ │ │ │ │ ┌────┐ ┌─────┐ │ ↓ │ │ │ └────│ │ No │ │ Yes │ │ ───┘ │ │ │ └────┘ └─────┘ │ │ │ │ │ │ │ │ │ │ │ ┌──└──────────────────────────────────────────┘ ──┐ │ │ │ Di e │ │ │ └──────────┘ └──────┘ └───────┘ └───────┘ └───────┘ │ │ │ └────────────────────────────────────────────────────────┘ Service running... Replication Domain: <none>Adding Node -
Go back to the Replication section and choose Database Live Sync. In this step you will need to redo the authentication with the cards.
Dinamo - Local Management Console ┌──────┤ Replication ├──────┐ │ ◂ │ │ Domain │ │ Neighborhood Scan │ │ Node List │ │ Cross Check │ │ Pending Transaction │ │ Sync Point │ │ Interface Binding │ │ Policy │ │ Database Live Sync │ └───────────────────────────┘ Service running... Replication Domain: <none>Base synchronization -
Accept the warning. Remember again that this HSM will have its data overwritten by that of the base HSM.
Dinamo - Local Management Console ┌─────────────────┤ Database Live Sync ├──────────────────┐ │ │ │ IMPORTANT NOTE │ │ │ │ In order to continue, the HSM database │ │ will be fully overwritten. │ │ │ │ Are you sure you want to proceed? │ │ │ │ ┌────┐ ┌─────┐ │ │ │ No │ │ Yes │ │ │ └────┘ └─────┘ │ │ │ │ │ └─────────────────────────────────────────────────────────┘ Service running... Replication Domain: <none>Synchronization warning -
Wait for synchronization.
Dinamo - Local Management Console ┌──────────┤ Live Syncing Database ├──────────┐ │ │ │ │ │ setup: step 15 of 22 │ │ │ │ 89% │ │ │ │ │ └─────────────────────────────────────────────┘ Service running... Replication Domain: <list>Synchronizing the base -
Once synchronization is complete, a message with theSync Point will be displayed.
Dinamo - Local Management Console ┌─────────┤ Sync Point ├─────────┐ │ │ │ Database live sync done. │ │ │ │ D4257575BD61632B 6331 │ │ │ │ │ │ ┌────┐ │ │ │ OK │ │ │ └────┘ │ │ │ │ │ └────────────────────────────────┘ Service running... Replication Domain: <list>Synchronization completed -
Back in the menu, choose the option Cross Check and check the entire report shown.
Dinamo - Local Management Console ┌───────────────────────────┤ Cross Check ├────────────────────────────┐ │ │ │ │ │ this 01 node(s) ↑ │ │ version : 5.2.0.0 ░ │ │ node list : ▒ │ │ 172.17.0.2 ▒ │ │ ▒ │ │ 172.17.0.2 01 node(s) ▒ │ │ version : 5.2.0.0 ▒ │ │ node list : ▒ │ │ 172.17.0.3 ▒ │ │ ▒ │ │ ↓ │ │ │ │ ┌───────┐ │ │ │ Close │ │ │ └───────┘ │ │ │ └──────────────────────────────────────────────────────────────────────┘ Service running... Replication Domain: <list>Cross Check Report
Warning
In the Cross Check report of the last HSM to join the pool, check carefully that each HSM contains all the others in its IP list and also check for any warning messages in the report.
Cross-checking
HSM has a tool(Cross Check) to check cross-replication between all nodes. With it, you can check for unbalances in the replication pool. You can run this tool locally or remotely. In the latter case, you can use the HTTP console or the command line console.
HTTP console
Connect using a browser, enter the IP of one of the HSMs in https (example: https://192.168.1.100).
Choose Replication from the menu.
Click on the cross-check icon in the top right-hand corner:
If there is a configuration imbalance or other error detected, the report will alert you:
CLI console
Open a command line (prompt/shell) and type hsmcon to run the program and connect to one of the HSMs in the replication pool.
On the main screen, type the Replication item number and Enter.
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
Main Menu
Keys/Objects Users HSM
1 - Create... 17 - Create 33 - Info
2 - Remove 18 - Remove 34 - Logs...
3 - Attributes 19 - List 35 - Backup...
4 - Import... 20 - Attributes 36 - Monitoring...
5 - Export... 21 - Trust Relations 37 - Firmware update
6 - List 22 - Password Policy 38 - Replication...
7 - Permissions... 23 - My Password 39 - SPB...
8 - Backup 40 - EFT...
9 - Restore 41 - IP Filter...
42 - Tests...
43 - Dinamo Services...
44 - Tools...
0 - Exit
Option: 38
Then type 4 and enter:
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - Replication
1 - Info
2 - Nodes
3 - Refresh
4 - Cross Check
5 - Notify Node Down
0 - Main Menu
Option: 4
The result is showing all the nodes on the list:
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - Replication - Cross Check
this 01 node(s)
version : 5.0.22.0
node list :
192.168.1.159
192.168.1.159 01 node(s)
version : 5.0.22.0
node list :
172.17.0.2
Press ENTER key to continue...
If there is an imbalance, a message saying !!! please check !! will appear next to the node that has a problem. This usually means that the HSM does not have the correct list of nodes.
Dinamo - Remote Management Console v. 4.7.12.0 2018 (c) Dinamo Networks
HSM 192.168.1.141 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master
HSM - Replication - Cross Check
this 01 node(s)
version : 5.0.22.0
node list :
192.168.1.159
192.168.1.159 00 node(s) !! please check !!
version : 5.0.22.0
<empty>
Press ENTER key to continue...