Joining Address Manager to the Security World - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.4.0

After you have configured the Security World using either the RFS or by uploading Security World Files, you must next join Address Manager to the Security World.

This involves associating Address Manager with HSM servers already created in Address Manager. Select HSM servers from the drop-down menu and re-order them as necessary; the top-most HSM server in the list acts as the Primary. Choose as many HSM servers as you wish, and set the order that allows for the fastest communication between Address Manager and the HSM servers.

If using a Remote File System to join Address Manager and DNS Servers to the Security World, the RFS is configured for No Authentication, which is the preferred state for DNSSEC and HSM failover. RFS-synchronization with Authentication would set authentication to a single HSM server, which could prevent other clients from joining the Security World.

To join Address Manager to the Security World:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under General, click HSM Configurations.
  3. Under the Join Security World, click Join Address Manager to Security World.
  4. Under General, select an HSM Server from the HSM Servers drop-down menu and click Add. Repeat this step to add as many HSM servers as necessary.
  5. To re-order the hierarchy of the HSM servers in the list, select an HSM server and click Move Up or Move Down. The HSM server at the top of the order will be the Primary; HSM servers below the Primary will be the Standby servers (Secondary, or Tertiary). Click Remove to delete an HSM server from the list.
  6. Click Join. Address Manager returns you to the HSM configuration information page.
    Note: If running Address Manager in replication, you must manually join the Standby Address Manager server to the Security World. This involves breaking replication then logging into the user interface of the Standby Address Manager server and repeating the HSM configuration process:
    • Create an HSM configuration (use the same name and key provider)
    • Add the same HSM servers as the Primary (use the same port number)
    • Configure the Security World using the same mode as the Primary
    • Join the Standby Address Manager to the Security World

    After joining the Standby Address Manager to the Security World, you must reset Address Manager replication. For complete details on breaking and resetting Address Manager replication, refer to Replicating the database for Address Manager disaster recovery.

Once Address Manager has joined the Security World, additional options become available:
Next, you must enable HSM on managed DNS Servers. For details, refer to Enabling HSM on DNS Servers.
Note: Disconnected HSM servers won't be added to HSM configuration
As a best practice, verify that you are connected to all HSM servers listed in the Address Manager user interface. To confirm the connectivity status of HSM servers, perform the following:
  1. Log in to Address Manager via SSH as root.
  2. Run the following command:
    hsm-status.sh

Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.

If Address Manager can't connect to an HSM server(s), or if the confirmed connections are less that the number of HSM servers added to the Address Manager user interface, refer to Troubleshooting.

Note: Address Manager or DNS/DHCP Server fails to connect to Security World
If Address Manager or DNS/DHCP Server fails to connect to Security World, the server might not connect to Security World at a later point in time. If this occurs, perform the following before attempting to reconnect Address Manager or DNS/DHCP Server to Security World:
  1. Log in to the Address Manager or DNS/DHCP Server via SSH as root.
  2. Remove the settings for HSM modules and RFS within the /opt/nfast/kmdata/config/config file.
  3. Restore the following permissions of the file.
    -rwxr-x--- 1 nfast nfast 15187 Mar 24 19:56 /opt/nfast/kmdata/config/config
  4. Restart the nCipher service using the following command:
    /opt/nfast/sbin/init.d-ncipher restart

Once you have successfully restarted the service, you can reattempt to add the Address Manager or DNS/DHCP Server to Security World.