After you have configured the Security World using either the RFS or by uploading Security World Files, you must next join Address Manager to the Security World.
This involves associating Address Manager with HSM servers already created in Address Manager. Select HSM servers from the drop-down menu and re-order them as necessary; the top-most HSM server in the list acts as the Primary. Choose as many HSM servers as you wish, and set the order that allows for the fastest communication between Address Manager and the HSM servers.
If using a Remote File System to join Address Manager and DNS Servers to the Security World, the RFS is configured for No Authentication, which is the preferred state for DNSSEC and HSM failover. RFS-synchronization with Authentication would set authentication to a single HSM server, which could prevent other clients from joining the Security World.
To join Address Manager to the Security World:
- Update the Security World Configuration—change the configuration mode for the Security World; either use an RFS, or upload Security World files. For details, refer to Updating the Security World configuration.
- Update Security World for Address Manager—click to add, remove, or move the HSM servers in the Security World. For details, refer to Updating the Security World for Address Manager.
- Remove Address Manager from Security World—click to withdraw Address Manager from the Security World. For details, refer to Removing Address Manager from the Security World.
- Log in to Address Manager via SSH as root.
- Run the following command:
hsm-status.sh
Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.
If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is fewer than the number of HSM servers added to the Address Manager user interface, refer to Troubleshooting.
- Log in to the Address Manager or DNS/DHCP Server via SSH as root.
- Remove the settings for HSM modules and RFS within the /opt/nfast/kmdata/config/config file.
- Restore the following permissions of the /opt/nfast/kmdata/config/config file.
-rwxr-x--- 1 nfast nfast 15187 Mar 24 19:56 /opt/nfast/kmdata/config/config
- Restart the nCipher service using the following command:
/opt/nfast/sbin/init.d-ncipher restart
Once you have successfully restarted the service, you can reattempt to add the Address Manager or DNS/DHCP Server to Security World.
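The two checks described above (one 'connection status OK' message per configured HSM server, and the restored permissions on the config file) can be scripted. This is an added example, not part of the product or its documentation. It assumes hsm-status.sh prints the phrase "connection status OK" on one line per reachable HSM server; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-change checks for the procedures above.
# Assumption: hsm-status.sh prints one line containing
# "connection status OK" for each reachable HSM server.

CONFIG=/opt/nfast/kmdata/config/config

# Constructed sample output; the real layout may differ. Only the quoted
# phrase "connection status OK" comes from the page.
SAMPLE_STATUS='hsm1.example.com: connection status OK
hsm2.example.com: no response'

# Count the HSM servers reported as connected (status text on stdin).
count_hsm_ok() {
    grep -c 'connection status OK' || true
}

# Succeed only if the number of OK lines equals the number of HSM servers
# configured in the Address Manager user interface ($1).
check_hsm_connections() {
    expected=$1
    ok=$(count_hsm_ok)
    if [ "$ok" -eq "$expected" ]; then
        echo "PASS: $ok of $expected HSM servers connected"
    else
        echo "FAIL: $ok of $expected HSM servers connected" >&2
        return 1
    fi
}

# Succeed only if the file has the given mode, owner and group.
# Defaults match the listing above: -rwxr-x--- nfast nfast.
check_config_perms() {
    file=$1; mode=${2:-750}; owner=${3:-nfast}; group=${4:-nfast}
    actual=$(stat -c '%a %U %G' "$file") || return 2
    if [ "$actual" = "$mode $owner $group" ]; then
        echo "PASS: $file is $actual"
    else
        echo "FAIL: $file is $actual, expected $mode $owner $group" >&2
        return 1
    fi
}

# Typical use on the appliance as root (2 = number of configured HSM servers):
#   hsm-status.sh | check_hsm_connections 2
#   check_config_perms "$CONFIG"
```

A non-zero exit from either function makes it usable as a gate before reattempting to join the Security World.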