After adding HSM servers, configuring the Security World, and joining Address Manager to the Security World, the next step is to enable HSM support on managed BlueCat DNS Servers on your network.
- Enabling HSM on your managed BlueCat DNS Servers allows the DNS Servers to join the HSM Security World. DNS deployment will fail if the DNS Servers aren't part of the Security World.
- Once you have enabled HSM on your managed DNS Servers and they have joined the HSM Security World, connectivity between the managed DNS Servers and at least one HSM Server is required at all times. That is, a managed DNS Server needs to reach the HSM Server during all of its normal operation, not only during DNSSEC-HSM zone signing; this is required for the DNS service to operate correctly.
- HSM will NOT function if Dedicated Management is enabled. Disable Dedicated Management from the DNS/DHCP Server Administration Console prior to configuring the server in Address Manager.
- You can configure HSM with xHA but with certain limitations. For details, refer to OPTIONAL: HSM with xHA.
- If you use a Remote File System (RFS) to join Address Manager and managed DNS Servers to the Security World, make sure the RFS is configured for No Authentication, which is the preferred state for DNSSEC and HSM failover. RFS synchronization with Authentication would tie authentication to a single HSM server, which could prevent other clients from joining the Security World.
BlueCat advises customers not to attempt to take more than one DNS/DHCP Server under Address Manager control at the same time while enabling HSM, for example from multiple browser tabs or windows, or from multiple administrators working in parallel (not necessarily from the same workstation). Doing so can result in misconfiguration of the DNS/DHCP Server.
To enable HSM on DNS Servers:
In the General section of the Details tab, you will see Enable HSM Support: Yes — this confirms that HSM has been enabled on the managed BlueCat DNS Server. Also, the HSM Servers section lists the HSM server(s) linked to your managed DNS Server.
- Log in to Address Manager via SSH as root.
- Run the following command:
hsm-status.sh
Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.
If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is less than the number of HSM servers added in the Address Manager user interface, refer to Troubleshooting.
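The check described above (every HSM server reports 'connection status OK', and the count of OK lines matches the number of HSM servers configured in Address Manager) can be scripted so it is repeatable and can feed a monitoring job. The following is an added example, not BlueCat's own script: the exact output format of hsm-status.sh is an assumption modelled on the wording on this page, so the grep patterns may need adjusting to your appliance's real output, and the sample output embedded here is constructed.

```shell
#!/bin/sh
# Added example, not part of BlueCat's hsm-status.sh. It compares the output of
# hsm-status.sh against the number of HSM servers you configured in Address
# Manager and flags any server that is not reporting "connection status OK".
# ASSUMPTION: one line per HSM server containing "connection status <STATE>".

# Constructed sample output, standing in for `hsm-status.sh` run on the
# appliance. One of the three servers is deliberately not OK.
SAMPLE_OUTPUT='HSM server hsm1.example.internal: connection status OK
HSM server hsm2.example.internal: connection status OK
HSM server hsm3.example.internal: connection status FAILED'

# check_hsm_status EXPECTED_COUNT STATUS_TEXT
# Returns 0 only when the number of "connection status OK" lines equals
# EXPECTED_COUNT and no server reports a different state; otherwise prints
# the offending lines to stderr and returns 1 (suitable as a monitoring probe).
check_hsm_status() {
    expected="$1"
    status_text="$2"

    # grep -c prints 0 when nothing matches but exits 1; keep the count either way.
    ok_count=$(printf '%s\n' "$status_text" | grep -c 'connection status OK' || true)

    # Any connection status line that is not OK (empty when all are healthy).
    not_ok=$(printf '%s\n' "$status_text" | grep 'connection status' \
             | grep -v 'connection status OK' || true)

    if [ "$ok_count" -eq "$expected" ] && [ -z "$not_ok" ]; then
        echo "OK: $ok_count/$expected HSM servers report connection status OK"
        return 0
    fi

    echo "WARNING: $ok_count/$expected HSM servers report connection status OK" >&2
    if [ -n "$not_ok" ]; then
        printf 'Not OK:\n%s\n' "$not_ok" >&2
    fi
    return 1
}

# Live usage on Address Manager (commented out so this example runs offline):
# check_hsm_status 3 "$(hsm-status.sh)"
check_hsm_status 3 "$SAMPLE_OUTPUT" || true
```

Pass the number of HSM servers you added in the Address Manager user interface as the first argument; a mismatch in either direction (fewer OK lines than expected, or a server reporting anything other than OK) is treated as a failure, which matches the page's instruction to refer to Troubleshooting in both cases.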
With HSM enabled on your managed DNS Servers, the next step is to create a DNSSEC-HSM policy.