Adding HSM servers to an HSM configuration - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.4.0

Having already created an HSM configuration in Address Manager, you can now add HSM servers.

The HSM server will generate DNSSEC keys that are defined by the DNSSEC-HSM signing policy which you will create in Address Manager.
Note: You can add multiple HSM servers (an HSM cluster) to an HSM configuration. BlueCat recommends adding at least two HSM servers for redundancy and disaster recovery.

To add an HSM server:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under General, click HSM Configurations.
  3. Click the HSM Servers tab.
  4. Under HSM Servers, click New and select HSM Server.
  5. Under HSM Server, complete the following:
    • Name—enter a name for the HSM server
    • IP Address—enter the IP address for the HSM server on your network
      Note: If you make an error when entering the IP address, you will receive the prompt "Invalid IP address". Make sure you enter a valid IPv4 address.
    • Port—enter the port number of the HSM server (by default, 9004)
  6. Under Change Control, add comments, if required.
  7. Click Add, or click Add Next to add another HSM server.
Your newly added HSM servers appear in the HSM Servers tab of the HSM configuration information page.
With HSM servers added to your HSM configuration, the next steps are to configure the Security World, then join Address Manager to the Security World.
Note: Disconnected HSM servers won't be added to the HSM configuration.
As a best practice, verify that you are connected to all HSM servers listed in the Address Manager user interface. To confirm the connectivity status of HSM servers, perform the following:
  1. Log in to Address Manager via SSH as root.
  2. Run the following command:
    hsm-status.sh

Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.

If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is less than the number of HSM servers added to the Address Manager user interface, refer to Troubleshooting.
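
The count comparison described above can be scripted so that a missing HSM connection is caught without reading the output by eye. This is an added example, not BlueCat code: the function names and the sample output are constructed, and the only thing assumed about hsm-status.sh is that it prints one line containing "connection status OK" per connected HSM server.

```shell
#!/bin/sh
# Added example (not BlueCat code). Assumption: hsm-status.sh prints one line
# containing "connection status OK" per connected HSM server; nothing else
# about its output format is assumed.

# Constructed sample output for an offline demo, not captured from an appliance.
sample_status() {
    cat <<'EOF'
hsm-a: connection status OK
hsm-b: connection status OK
EOF
}

# count_ok: read status output on stdin, print the number of OK lines.
# grep -c exits 1 when it counts zero matches, so mask that exit status.
count_ok() {
    grep -c 'connection status OK' || true
}

# check_hsm_connections EXPECTED: read status output on stdin and compare.
# Returns 0 on an exact match, 1 if fewer servers are connected than
# configured, 3 if more are reported than configured, 2 on bad usage.
check_hsm_connections() {
    expected=$1
    case $expected in
        ''|*[!0-9]*)
            echo "usage: hsm-status.sh | check_hsm_connections <count>" >&2
            return 2 ;;
    esac
    ok=$(count_ok)
    if [ "$ok" -eq "$expected" ]; then
        echo "OK: $ok of $expected HSM servers connected"
    elif [ "$ok" -lt "$expected" ]; then
        echo "FAIL: only $ok of $expected HSM servers connected" >&2
        return 1
    else
        echo "MISMATCH: $ok connections reported, $expected configured" >&2
        return 3
    fi
}

# Demo on the constructed sample; on Address Manager, run instead:
#   hsm-status.sh | check_hsm_connections 2
sample_status | check_hsm_connections 2
```

Pass the number of HSM servers shown in the HSM Servers tab as the argument; a non-zero exit status means the counts differ and the Troubleshooting section applies.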