Joining Address Manager to the security world - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Locale: en-US
Product name: BlueCat Integrity
Version: 26.1.0

After you have configured the security world using either the RFS or by uploading security world files, you must next join Address Manager to the security world.

This involves associating Address Manager with HSM servers already created in Address Manager. Select HSM servers from the drop-down menu and re-order them as necessary; the top-most HSM server in the list acts as the Primary. Choose as many HSM servers as you wish, and set the order that allows for the fastest communication between Address Manager and the HSM servers.

If you use a Remote File System (RFS) to join Address Manager and DNS Servers to the security world, configure the RFS for No Authentication; this is the preferred state for DNSSEC and HSM failover. RFS synchronization with Authentication binds authentication to a single HSM server, which could prevent other clients from joining the security world.

To join Address Manager to the security world:

  1. Select the Settings tab in the sidebar, then select HSM settings.
  2. Select the HSM configuration name menu, then select View details.
  3. In the expanded details section, select Join Address Manager to security world.
  4. Select an HSM server from the HSM servers drop-down menu and select the add icon (+). Repeat this step to add as many HSM servers as necessary. Select the remove icon (x) for an HSM server to remove it from the selected list.
    To re-order the HSM server hierarchy in the selected list, drag and drop a server to move it up or down in the list. The top-most HSM server acts as the Primary. HSM servers below the Primary act as Standby servers (Secondary, Tertiary).
  5. In the Change control section, add comments if required.
  6. Select Join. Address Manager returns you to the HSM configuration details page.
    Note: If running Address Manager in replication, you must manually join the Standby Address Manager server to the security world. This involves breaking replication then logging into the user interface of the Standby Address Manager server and repeating the HSM configuration process:
    • Create an HSM configuration (use the same name and key provider)
    • Add the same HSM servers as the Primary (use the same port number)
    • Configure the security world using the same mode as the Primary
    • Join the Standby Address Manager to the security world

    After joining the Standby Address Manager to the security world, you must reset Address Manager replication. For complete details on breaking and resetting Address Manager replication, refer to Replicating the database for Address Manager disaster recovery.

Once Address Manager has joined the security world, additional options become available in the expanded details section.
Next, you must enable HSM on managed DNS Servers. For details, refer to Enabling HSM on DNS Servers.
Note: Disconnected HSM servers won't be added to the HSM configuration
As a best practice, verify that Address Manager is connected to every HSM server listed in the Address Manager user interface. To confirm the connectivity status of the HSM servers, perform the following:
  1. Log in to Address Manager via SSH as root.
  2. Run the following command:
    hsm-status.sh

Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.

If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is less than the number of HSM servers added in the Address Manager user interface, refer to Troubleshooting.
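Checking the count rather than reading the output by eye: the following POSIX shell script is an added example, not part of the BlueCat guide or its tooling. It takes the number of HSM servers configured in the user interface and the captured output of hsm-status.sh, counts the 'connection status OK' lines, and fails when the two numbers differ. The sample output lines are constructed and their layout is an assumption; only the 'connection status OK' phrase comes from the guide.

```shell
#!/bin/sh
# Added example, not part of the BlueCat guide or its tooling.
# Counts the 'connection status OK' lines printed by hsm-status.sh and
# compares the count with the number of HSM servers configured in the
# Address Manager user interface.

# check_hsm_connections EXPECTED OUTPUT
#   EXPECTED: number of HSM servers added in the UI
#   OUTPUT:   captured text of hsm-status.sh
# Returns 0 when the OK count equals EXPECTED, 1 otherwise.
check_hsm_connections() {
    expected=$1
    status_output=$2
    # grep -c prints 0 and exits 1 when nothing matches; keep the count.
    ok=$(printf '%s\n' "$status_output" | grep -c 'connection status OK' || true)
    if [ "$ok" -eq "$expected" ]; then
        echo "OK: all $expected HSM servers reported 'connection status OK'"
        return 0
    fi
    echo "FAIL: $ok of $expected HSM servers reported 'connection status OK'; see Troubleshooting" >&2
    return 1
}

# Constructed sample output, used when hsm-status.sh is not on this host.
# The line layout is an assumption; only the phrase is from the guide.
SAMPLE_OK='HSM server 10.0.0.11: connection status OK
HSM server 10.0.0.12: connection status OK
HSM server 10.0.0.13: connection status OK'
SAMPLE_DEGRADED='HSM server 10.0.0.11: connection status OK
HSM server 10.0.0.12: connection status OK
HSM server 10.0.0.13: connection failed'

# run_hsm_check EXPECTED: run the real script on an appliance, else the sample.
run_hsm_check() {
    expected=$1
    if command -v hsm-status.sh >/dev/null 2>&1; then
        output=$(hsm-status.sh 2>&1)
    else
        output=$SAMPLE_OK
    fi
    check_hsm_connections "$expected" "$output"
}

# Guarded entry point so the file can also be sourced for its functions:
# HSM_CHECK_EXPECTED=3 sh hsm-check.sh
if [ -n "${HSM_CHECK_EXPECTED:-}" ]; then
    run_hsm_check "$HSM_CHECK_EXPECTED"
fi
```

On an appliance, run it as root with HSM_CHECK_EXPECTED set to the number of HSM servers you added in the user interface; a non-zero exit means the count did not match and the Troubleshooting section applies.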

Note: Address Manager or DNS/DHCP Server fails to connect to the security world
If Address Manager or DNS/DHCP Server fails to connect to the security world, later attempts to connect may also fail until the stale HSM and RFS settings are cleared. If this occurs, perform the following before attempting to reconnect Address Manager or DNS/DHCP Server to the security world:
  1. Log in to the Address Manager or DNS/DHCP Server via SSH as root.
  2. Remove the settings for HSM modules and RFS within the /opt/nfast/kmdata/config/config file.
  3. Verify that the file keeps its original ownership and permissions (owner and group nfast, mode 0750), as in the following listing; the size and timestamp shown are from a sample system.
    -rwxr-x--- 1 nfast nfast 15187 Mar 24 19:56 /opt/nfast/kmdata/config/config
  4. Restart the nCipher service using the following command:
    /opt/nfast/sbin/init.d-ncipher restart

Once the service has restarted successfully, you can retry joining Address Manager or DNS/DHCP Server to the security world.
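The clean-up above edited as a repeatable script: the following POSIX shell script is an added example, not part of the BlueCat guide or the nShield software. It backs up the config file, blanks the bodies of the HSM-module and RFS sections while keeping their headers, sets owner nfast:nfast and mode 0750 as in the listing above, and restarts the service only when explicitly asked. The section names nethsm_imports and rfs_sync are an assumption about the config layout and must be checked against your own file; the sample config is constructed for testing off the appliance.

```shell
#!/bin/sh
# Added example, not part of the BlueCat guide or the nShield software.
# Automates the clean-up steps above: back up the config, remove the HSM
# module and RFS settings, restore ownership and mode, then restart.
set -eu

# strip_config_sections FILE SECTION...
#   Writes FILE to stdout with the body of each named [SECTION] removed.
#   Section headers and comment lines are kept so the file still parses.
#   The section names passed by reset_hsm_config (nethsm_imports, rfs_sync)
#   are an assumption about the nShield config layout.
strip_config_sections() {
    cfg=$1; shift
    awk -v names="$*" '
        BEGIN {
            n = split(names, arr, " ")
            for (i = 1; i <= n; i++) drop["[" arr[i] "]"] = 1
        }
        /^\[/ { hdr = $0; sub(/[ \t]+$/, "", hdr); skip = (hdr in drop); print; next }
        skip && /^[ \t]*#/ { print; next }
        skip { next }
        { print }
    ' "$cfg"
}

# reset_hsm_config FILE OWNER
#   FILE defaults to the path from the guide, OWNER to nfast:nfast.
reset_hsm_config() {
    cfg=${1:-/opt/nfast/kmdata/config/config}
    owner=${2:-nfast:nfast}
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$cfg.tmp.$$"
    cp -p "$cfg" "$backup"                      # keep a copy to diff against
    strip_config_sections "$cfg" nethsm_imports rfs_sync > "$tmp"
    chown "$owner" "$tmp"                       # matches -rwxr-x--- nfast nfast
    chmod 0750 "$tmp"
    mv "$tmp" "$cfg"
    echo "backup written to $backup"
}

# Restart command taken from the guide.
restart_ncipher() {
    /opt/nfast/sbin/init.d-ncipher restart
}

# Constructed sample config for testing outside an appliance; values are
# made up and the key names are assumptions about the real file.
make_sample_config() {
    cat > "$1" <<'EOF'
[server_startup]
# Start of the server_startup section
nonpriv_port=9000
priv_port=9001

[nethsm_imports]
# Start of the nethsm_imports section
local_module=1
remote_ip=10.0.0.11
remote_port=9004
remote_esn=0000-0000-0000
keyhash=0000000000000000000000000000000000000000
privileged=0

[rfs_sync]
# Start of the rfs_sync section
remote_ip=10.0.0.20
remote_port=9004
use_kerberos=no
EOF
}

# Guarded entry point: the real commands need root on the appliance.
# HSM_RESET_RUN=1 sh hsm-reset.sh
if [ "${HSM_RESET_RUN:-0}" = 1 ]; then
    reset_hsm_config /opt/nfast/kmdata/config/config nfast:nfast
    restart_ncipher
fi
```

Diff the backup against the rewritten file before restarting, so that nothing outside the two sections was touched; the unrelated [server_startup] entries in the sample survive untouched while every key under the two removed sections is gone.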