Skip to main content
Skip table of contents

Cluster: Initial HSM and Key Synchronization in a Cluster for u.trust SE100/SE2K

Initial HSM Synchronization and Setup Generation of Keys

To synchronize the HSMs of the cluster nodes for the first time, perform the following steps.
While synchronizing the HSMs all existing keys will automatically be synchronized as well.

  1. Log in to your Next Generation Hardware Appliance that joined the cluster (here Node2).

  2. Open the Security page.

  3. In the HSM Configuration section the appliance is in the Factory Reset Mode.
    Click on Synchronize HSM in the red field.

  4. A modal dialog window for synchronizing the HSM is displayed.

    1. HSM Guide Setup
      Choose PIN pad
      only configured PIN pads are displayed in a drop down menu.
      Click Preview Restore

  5. A modal dialog window is displayed.

    1. HSM Guided Restore Summary
      Be aware that PIN Pad interactions are required!
      Make sure to have the MBK Cards in reach. Depending on the set you need e.g. 2 out of 3
      Click Start Restore.

  6. Follow the guide to finish the synchronization.

Repeat the steps described above on all other nodes that join the cluster.

Post-cluster Setup Generation of Keys

If you generate new keys (or change the key material in any other way) after setting up the cluster, you must synchronize the key material manually to all other nodes. 

Note that applications that are connected to the shared database may not work properly if they try to use references to keys that are not yet synchronized.

For example, if a Certificate Authority in EJBCA is renewed with new key generation, other cluster nodes will try to use the new key shortly after the renewal. This will fail because the key generation took place locally on the node on which it was performed.

Synchronize Key Material

Key material that is stored on the HSM of a node in a cluster needs to be synchronized to all cluster members in case it changes.
This needs to be done manually using the Key Synchronization Package (KSP).

Proceed as follows to synchronize the key material:

  1. Log in to your Next Generation Hardware Appliance that has the latest key material you want to synchronize (here Node1).

  2. Open the Security page.

  3. Go to the Key Synchronization section.

  4. Click Download Cluster Key Synchronization Package to download a Cluster Key Synchronization Package.

  5. Switch to the Node to be synchronized (here Node2) by using the cluster menu bar at the top of Webconf, or by a manual login.

  6. Open the Security page.

  7. Go to the Key Synchronization section.

  8. In the Key Synchronization section use the Drag and Drop function or Select a File to upload the Cluster Key Synchronization Package you want to restore from.

  9. Click on Upload to transfer the KSP to the HSM on this Appliance.

  10. A modal dialog is displayed.
    Restore Keys from Key Synchronization Package
    A table displays the synchronized/restored keys.

  11. Click Finish to confirm.
    The keys will be now be displayed in the Admin Web of Node2.

  12. Repeat steps 5 to 11 for every other cluster member.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close