SafeNet Luna HSM configuration.

To configure SafeNet Luna HSMs to work with ERPM via the latest PKCS#11 drivers:

1. Install the 32-bit PKCS#11 SafeNet Luna client on all ERPM Admin Console/ZP servers and Web Console/Web Services servers.
2. Obtain the SSH certificates from the Luna HSMs and copy these certs to each ERPM Admin Console/ZP server and Web Console/Web Services server.
3. Add the HSM certs to the Luna client via the following command: vtl addServer -n pki-hsm-server-a -c c:\temp\pki-hsm-server-a.pem (where pki-hsm-server-a is the FQDN of the HSM node and the -c argument is the path to the .pem cert from that HSM node). Repeat for each HSM node cert (pki-hsm-server-b, etc.).
4. Create client certs on each ERPM server Luna client via the following command: vtl createCert -n fully-qualified-hostname-erpm-server (where fully-qualified-hostname-erpm-server is the FQDN of the ERPM server).
5. Copy the FQDN ERPM server certs from step 4 above to each HSM node and add them to the target HSM partition.
6. On the ERPM Server Luna client, list the servers to verify all HSM nodes have been added to the client: vtl listServers
7. On the ERPM server Luna client, verify that you can see the Luna partition(s) via the following command: vtl verify
8. Once HA has been properly configured on the Luna HSM nodes, on the ERPM server Luna client, add a High Availability group via the following command: vtl haAdmin -newGroup -serialNum <serialnumber> -label <label> -password <password>
9. On the ERPM server Luna client, add each HSM member to the High Availability group via the following command: vtl haAdmin -addMember -group <groupNum> -serialNum <SN> -password <password>
10. On the ERPM server Luna client, verify the High Availability group via the following command: vtl haadmin -status -show

Reconfigure encryption settings in the ERPM Admin Console to use PKCS#11 encryption, per the Installation Guide.
Re-deploy or update the Web Consoles, from the Admin Console, after changing encryption settings.
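
As an added example (not part of the original article or the vendor's tooling), this PowerShell script runs client-side steps 3, 4, 6 and 7 on one ERPM server using only the vtl commands shown above. It assumes vtl is on PATH and returns a non-zero exit code on failure, that the certificate folder holds only HSM certificates named <hsm-fqdn>.pem, and that vtl listServers prints each registered server name; the parameter and function names are hypothetical.

```powershell
# Added example, not vendor or ERPM code. Runs steps 3, 4, 6 and 7 on one ERPM server.
# Assumptions: vtl is on PATH and exits non-zero on failure; every file in $CertDir
# matching *.pem is an HSM certificate named <hsm-fqdn>.pem; listServers prints each
# registered server name.
param(
    [string]$CertDir = 'C:\temp',   # folder holding only the HSM .pem files
    [string]$ClientFqdn,            # FQDN of this ERPM server; when given, step 4 runs
    [switch]$VerifyPartitions       # run step 7 (only useful once step 5 is done)
)

function Invoke-Vtl {
    # Run vtl with the given arguments; return its output, throw on a non-zero exit code.
    $out = & vtl @args
    if ($LASTEXITCODE -ne 0) { throw "vtl $($args -join ' ') failed (exit $LASTEXITCODE)" }
    $out
}

$certs = @(Get-ChildItem -Path $CertDir -Filter '*.pem' -ErrorAction Stop)
if ($certs.Count -eq 0) { throw "No HSM certificates (*.pem) found in $CertDir" }

# Step 3: register each HSM node that the client does not already list,
# so the script can be re-run safely after adding a new node certificate.
$listed = (& vtl listServers) -join "`n"
foreach ($cert in $certs) {
    if ($listed -match [regex]::Escape($cert.BaseName)) {
        Write-Host "Already registered: $($cert.BaseName)"
        continue
    }
    Invoke-Vtl addServer -n $cert.BaseName -c $cert.FullName | Out-Null
    Write-Host "Added: $($cert.BaseName)"
}

# Step 4: create this server's client certificate only when asked, because a new
# certificate has to be copied to every HSM node and added to the partition (step 5).
if ($ClientFqdn) { Invoke-Vtl createCert -n $ClientFqdn | Out-Null }

# Step 6: confirm every HSM node now appears in the client's server list.
$listed  = (Invoke-Vtl listServers) -join "`n"
$missing = @($certs | Where-Object { $listed -notmatch [regex]::Escape($_.BaseName) })
if ($missing.Count -gt 0) {
    throw "Not listed by vtl listServers: $($missing.BaseName -join ', ')"
}

# Step 7: show the partitions visible to this client.
if ($VerifyPartitions) { Invoke-Vtl verify }
```

The High Availability steps (8 to 10) are left out of the script so that the partition password is not stored in a script file or passed by an unattended job.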
