Having already created an HSM configuration in Address Manager, you can
now add HSM servers from the HSM servers tab on the HSM
configuration details page that is displayed after you successfully create an
HSM configuration.
The HSM server generates the DNSSEC keys defined by the DNSSEC-HSM signing policy that you will create in Address Manager.
Note: You can add multiple HSM servers (an HSM
cluster) to an HSM configuration. BlueCat recommends adding at least two HSM
servers for redundancy and disaster recovery.
To add an HSM server:
- From the HSM servers tab, select New.
- Under General, set the following parameters:
  - Name—enter a name for the HSM server.
  - Address—enter the IP address for the HSM server on your network.
  - Port—enter the port number of the HSM server (by default, 9004).
- In the Change control section, add comments if required.
- Select Create to add the HSM server and return to the HSM servers tab, or select Create and add another to add another HSM server.
Your newly added HSM servers appear in the HSM
servers tab of the HSM configuration details page.
With HSM servers added to your HSM configuration, the next steps are to configure
the Security World, then join
Address Manager to the Security World.
Note: Disconnected HSM servers won't be added to the HSM configuration. As a best practice, verify that you are connected to all HSM servers listed in the Address Manager user interface. To confirm the connectivity status of the HSM servers, perform the following:
- Log in to Address Manager via SSH as root.
- Run the following command:
hsm-status.sh
Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.
If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is less than the number of HSM servers added in the Address Manager user interface, refer to Troubleshooting.
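The connectivity check above can be scripted so that the count of ‘connection status OK’ lines is compared against the number of HSM servers you configured. This is an added example, not a BlueCat script; it assumes only what the page states, that hsm-status.sh prints one ‘connection status OK’ line per connected HSM server, and the sample status output below is constructed.

```shell
#!/bin/sh
# Added example (not part of Address Manager): compare the number of
# "connection status OK" lines reported by hsm-status.sh with the number of
# HSM servers configured in the Address Manager user interface.

# count_ok: read status output on stdin, print the number of OK lines.
# grep -c prints 0 and exits 1 when nothing matches, so tolerate that exit.
count_ok() {
    grep -c 'connection status OK' || true
}

# check_hsm_connectivity EXPECTED_COUNT: read hsm-status.sh output on stdin.
# Returns 0 when every configured HSM server reports OK, 1 otherwise.
check_hsm_connectivity() {
    expected="$1"
    ok=$(count_ok)
    if [ "$ok" -eq "$expected" ]; then
        echo "OK: $ok of $expected HSM servers connected"
        return 0
    fi
    echo "WARNING: $ok of $expected HSM servers connected; see Troubleshooting" >&2
    return 1
}

# Constructed sample standing in for hsm-status.sh output on an Address
# Manager with two HSM servers configured, one of which is unreachable.
SAMPLE_STATUS='HSM server 192.0.2.10:9004 connection status OK
HSM server 192.0.2.11:9004 connection status FAILED'

# Real use on Address Manager (logged in via SSH as root):
#   hsm-status.sh | check_hsm_connectivity 2
# Demo against the constructed sample; a non-zero result is expected here.
printf '%s\n' "$SAMPLE_STATUS" | check_hsm_connectivity 2 || :
```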