After you have configured the Security World using either the RFS or by uploading Security World Files, you must next join Address Manager to the Security World.
This involves associating Address Manager with HSM servers already created in Address Manager. Select HSM servers from the drop-down menu and re-order them as necessary; the top-most HSM server in the list acts as the Primary. Choose as many HSM servers as you wish, and set the order that allows for the fastest communication between Address Manager and the HSM servers.
If you use a Remote File System (RFS) to join Address Manager and DNS Servers to the Security World, the RFS is configured for No Authentication, which is the preferred state for DNSSEC and HSM failover. RFS synchronization with Authentication would tie authentication to a single HSM server, which could prevent other clients from joining the Security World.
To join Address Manager to the Security World:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under General, click HSM Configurations.
- Under Join Security World, click Join Address Manager to Security World.
- Under General, select an HSM Server from the HSM Servers drop-down menu and click Add. Repeat this step to add as many HSM servers as necessary.
- To re-order the hierarchy of the HSM servers in the list, select an HSM server and click Move Up or Move Down. The HSM server at the top of the order will be the Primary; HSM servers below the Primary will be the Standby servers (Secondary, or Tertiary). Click Remove to delete an HSM server from the list.
- Click Join. Address Manager returns you to the HSM configuration information page.
Note: If you are running Address Manager in replication, you must manually join the Standby Address Manager server to the Security World. This involves breaking replication, then logging in to the user interface of the Standby Address Manager server and repeating the HSM configuration process:
- Create an HSM configuration (use the same name and key provider)
- Add the same HSM servers as the Primary (use the same port number)
- Configure the Security World using the same mode as the Primary
- Join the Standby Address Manager to the Security World
After joining the Standby Address Manager to the Security World, you must reset Address Manager replication. For complete details on breaking and resetting Address Manager replication, refer to Replicating the database for Address Manager disaster recovery.
- Update the Security World Configuration—change the configuration mode for the Security World; either use an RFS, or upload Security World files. For details, refer to Updating the Security World configuration.
- Update Security World for Address Manager—click to add, remove, or move the HSM servers in the Security World. For details, refer to Updating the Security World for Address Manager.
- Remove Address Manager from Security World—click to withdraw Address Manager from the Security World. For details, refer to Removing Address Manager from the Security World.
- Log in to Address Manager via SSH as root.
- Run the following command:
Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.
If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is less than the number of HSM servers added in the Address Manager user interface, refer to Troubleshooting.
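The check described above, as an added example that is not part of BlueCat's documentation or tooling: a small POSIX shell helper that counts the "connection status OK" lines in the status command's output and compares them with the number of HSM servers you configured. The status command itself is not named here (you supply its output), and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not BlueCat's own code. Verifies that the HSM status
# output reports "connection status OK" exactly once per configured
# HSM server and reports no other status.
#
# Usage: check_hsm_connections <expected_count> "<status output>"

count_hsm_ok() {
    # Number of lines reporting "connection status OK".
    # "|| true" keeps a zero count from being treated as an error.
    printf '%s\n' "$1" | grep -ci 'connection status OK' || true
}

count_hsm_not_ok() {
    # Number of status lines that report anything other than OK.
    printf '%s\n' "$1" | grep -i 'connection status' \
        | grep -vci 'connection status OK' || true
}

check_hsm_connections() {
    expected="$1"
    output="$2"
    ok=$(count_hsm_ok "$output")
    bad=$(count_hsm_not_ok "$output")
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad HSM server(s) not reporting OK; see Troubleshooting" >&2
        return 1
    fi
    if [ "$ok" -ne "$expected" ]; then
        echo "FAIL: $ok OK message(s) but $expected HSM server(s) configured" >&2
        return 1
    fi
    echo "OK: all $expected HSM server(s) report connection status OK"
    return 0
}

# Constructed sample outputs (hostnames are placeholders, not real servers).
SAMPLE_ALL_OK='hsm-primary: connection status OK
hsm-secondary: connection status OK
hsm-tertiary: connection status OK'

# Three servers configured, but only two report back.
SAMPLE_MISSING='hsm-primary: connection status OK
hsm-secondary: connection status OK'

# One server reports a non-OK status.
SAMPLE_ONE_BAD='hsm-primary: connection status OK
hsm-secondary: connection status FAILED'
```

Run the real status command on the Address Manager server and pass its captured output as the second argument.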
- Log in to the Address Manager or DNS/DHCP Server via SSH as root.
- Remove the settings for HSM modules and RFS within the /opt/nfast/kmdata/config/config file.
- Restore the following ownership and permissions on the config file:
-rwxr-x--- 1 nfast nfast 15187 Mar 24 19:56 /opt/nfast/kmdata/config/config
- Restart the nCipher service using the following command:
Once you have successfully restarted the service, you can retry adding the Address Manager or DNS/DHCP Server to the Security World.