You must set up a remote file system (RFS) as a hub to synchronize key data for all firewalls (HSM clients) in your organization that use the nCipher nShield Connect HSM. To ensure the nShield Connect client version on your firewalls is compatible with your nShield Connect server, see Set Up Connectivity with an HSM.

Before the HSM and firewalls connect, the HSM authenticates the firewalls based on their IP addresses. Therefore, you must configure the firewalls to use static IP addresses—not dynamic addresses assigned through DHCP. (Operations on the HSM stop working if a firewall IP address changes during runtime.)

HSM configurations are not synchronized between high availability (HA) firewall peers. Consequently, you must configure the HSM separately on each peer. In active/passive HA configurations, you must manually perform one failover to individually configure and authenticate each HA peer to the HSM. After this initial manual failover, user interaction is not required for failover to function properly.