Key material stored in the HSM is not automatically synchronized after the cluster has been set up. Manual synchronization is possible, however. Consider the following scenarios:

  • Pre-cluster setup generation of keys
    If suitable for your use case, you can generate all keys that will be used during the installation's lifetime after installing the first node, but before starting the cluster configuration for the additional nodes. This way, all additional cluster nodes are provisioned with the complete key material on installation and no additional manual key synchronization is necessary.
  • Post-cluster setup generation of keys
    When generating new keys (or modifying the key material in any other way) after the cluster has been set up, you need to synchronize the key material manually. Note that applications connected to the shared database may malfunction if they try to use references to keys that have not yet been synchronized. For example, if a Certificate Authority in EJBCA is renewed with new key generation, the other cluster nodes will try to use the new key shortly after the renewal. This will fail, since the key generation was local to the node where it was performed.

Proceed as follows to synchronize key material:

  1. On Node 1: Generate the key pair(s) on the first node.
  2. On Node 1: Go to the HSM tab of the Hardware Appliance WebConf and download a Cluster Key Synchronization Package by clicking Download Cluster Key Synchronization Package.
  3. On Node n: Go to the HSM tab of the Hardware Appliance WebConf and upload the package.
  4. Repeat step 3 for each remaining node (n > 1).
  5. Configure the application to start using the new key pair(s).

Since Node 1 has the higher database quorum vote weight, it is generally advisable to generate the keys there, which avoids a reboot and potential downtime in a two-node setup.