Reputation: 1616
I have multiple SafeNet HSMs, and I wish to connect to all of them at any one time from a single client. I know this cannot be done through PKCS#11 because PKCS#11 has the concept of a single HSM at a time with multiple slots.
So, is it possible to connect to the multiple HSMs at any one time?
Upvotes: 1
Views: 1139
Reputation: 161
I'm not sure whether this question is referring to the ability to connect to separate HSMs for separate functions, or to load-balance and provide failover between the HSMs.
For the first scenario, if you have multiple HSMs registered with the client, they should show up as separate slots and you can use the desired slot in your PKCS #11 code:
Output from ckdemo option 11 (Slot Info):
Slots available:
slot#1 - LunaNet Slot
slot#2 - LunaNet Slot
As Raj mentioned, SafeNet Luna HSMs do have a High Availability (HA) mode that allows load-balancing and failover. To expand on that answer, if you configure your HSMs for HA use and create an HA group on your SafeNet client using the vtl haAdmin command, you will see a virtual slot in addition to the separate slots for the individual HSMs:
Output from ckdemo option 11 (Slot Info):
Slots available:
slot#1 - LunaNet Slot
slot#2 - LunaNet Slot
slot#3 - HA Virtual Card Slot
You can now use that virtual slot in your PKCS #11 code to interface with the HSMs in the HA pool, and the SafeNet client software will take care of determining how to route the requests between the HSMs.
Upvotes: 0
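The slot selection described in the answer above, as an added example that is not part of the original posts. It assumes the PyKCS11 binding, that the slot description returned by the library matches the ckdemo listing, and that the client has a single HA group; `FakeLib` is a constructed stand-in so the logic runs without an HSM.

```python
HA_DESC = "HA Virtual Card Slot"   # description strings as shown by ckdemo
MEMBER_DESC = "LunaNet Slot"

def load_lib(module_path):
    """Load the vendor PKCS#11 module (module_path is site-specific)."""
    import PyKCS11  # imported lazily so the selection logic runs without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    return lib

def classify_slots(lib):
    """Return (ha_slots, member_slots): slot IDs grouped by description."""
    ha, members = [], []
    for slot in lib.getSlotList(tokenPresent=True):
        # Descriptions may be space-padded to the fixed PKCS#11 field width.
        desc = str(lib.getSlotInfo(slot).slotDescription).strip(" \0")
        if desc == HA_DESC:
            ha.append(slot)
        elif desc == MEMBER_DESC:
            members.append(slot)
    return ha, members

def pick_slot(lib, want_ha=True, member_index=0):
    """Pick the HA virtual slot, or one specific HSM for per-device work."""
    ha, members = classify_slots(lib)
    if want_ha:
        if len(ha) != 1:
            # Fail closed: do not silently fall back to a single HSM,
            # which would lose load-balancing and failover.
            raise LookupError(f"expected one HA slot, found {len(ha)}")
        return ha[0]
    if member_index >= len(members):
        raise LookupError(f"no member slot at index {member_index}")
    return members[member_index]

class FakeLib:
    """Constructed stand-in exposing the two PyKCS11 calls used above."""
    def __init__(self, slots):
        self.slots = slots  # {slot_id: description}
    def getSlotList(self, tokenPresent=False):
        return list(self.slots)
    def getSlotInfo(self, slot):
        return type("Info", (), {"slotDescription": self.slots[slot]})()

if __name__ == "__main__":
    demo = FakeLib({1: MEMBER_DESC, 2: MEMBER_DESC, 3: HA_DESC})
    print("HA slot:", pick_slot(demo))
    print("second HSM:", pick_slot(demo, want_ha=False, member_index=1))
```

With a real client, pass the object returned by `load_lib(...)` instead of `FakeLib` and open the session on the returned slot ID.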
Reputation: 1163
Yes, SafeNet's HSM models support something called High Availability mode. This allows the application to see a virtual HSM rather than a group of HSMs.
Upvotes: 0