Launch the First Server Triplet

If you plan for intensive symmetric key crypto processing, consider deploying a triplet of CORE servers: EP, Partner, and Auxiliary. The auxiliary server accelerates calculations in the symmetric crypto operations.

If you do not plan for intensive symmetric key crypto processing, consider starting with the foundation pair only. In such a case, see Launch the First Server Pair.

Triplet Quickstart on Linux

In the following example, we create a CORE system with one partition and one RSA key.

Step 1 (run on EP, Partner, and Aux): Install the CORE Server software.

sudo rpm -ivh <CORE Server Software>.rpm

Step 2 (run on EP, Partner, and Aux): Bootstrap the software.

On EP:

Note: This script creates the Root SO (Security Officer, the UKC partition administrator role) with credentials (so, Password1!).

sudo /opt/ekm/bin/ekm_boot_ep.sh \
--self ep1 -p partner1 -x aux1 -f -w Password1!

On Partner:

sudo /opt/ekm/bin/ekm_boot_partner.sh \
--self partner1 -p ep1 -x aux1 -f

On Aux:

sudo /opt/ekm/bin/ekm_boot_auxiliary.sh \
--self aux1 -e ep1 -p partner1 -f

Note
By default, the time gap between the bootstraps should not exceed 30 minutes. To allow a longer gap between the bootstraps, use the -a (attempts) and/or -t (time between attempts) options in the bootstrap commands. See Bootstrap Parameters.

Step 3 (run on EP, Partner, and Aux): Start the EKM service (EKM, Enterprise Key Management, is the previous name of the product).

sudo service ekm start

Step 4 (run on EP): Make sure that the system is up and running.

ucl server test

Continue using UCL (Unbound Command Language) or jump to Step 7 to switch to the UI.

Step 5 (run on EP): Create a CORE partition "test".

Note: The ucl partition create command creates the partition's SO with credentials (so, Password2!).

sudo ucl partition create -p test --so_password Password2! -w Password1!

Step 6 (run on EP): Create and display an RSA key.

ucl generate -t rsa --name rsa1 -p test
ucl show --name rsa1 -p test

Step 7 (run on EP): Disable the client certificate requirement for using the UI.

Note: This change to the default system settings means a UI user no longer has to hold a client certificate for the targeted partition, which lowers the assurance of UI logins accordingly.

ucl system-settings set -k no-cert -v 1 -w Password1!

Step 8 (run from a workstation): Open https://ep1 in a browser to use the UI.

Triplet Bootstrap in Details

Deploying the foundation triplet of a CORE cluster requires the CORE Server Installation on the three selected servers, followed by:

  1. Step 1 - Bootstrap the Triplet.
  2. Step 2 - Activate the Triplet.
  3. Step 3 - Prepare the EP.
  4. Step 4 - Commissioning Test.

Before You Continue

Check the following notes if this is the first time you are bootstrapping a CORE triplet.

  • Concurrent Execution: the EP, Partner, and Auxiliary servers are bootstrapped in parallel to complete their mutual authentication. The order is not significant.

  • Mutual Server Identity Approval: during the parallel bootstrapping of the three servers, the administrator of each server is asked to approve the self-signed temporary certificates presented by the other two servers.

    [Figure: Mutual approval in a triplet]

  • Permanent Certificate: once the identities of the participating servers are confirmed, each server receives its permanent certificate signed by the Unbound Root CA (default validity: 2 years; for any time interval setting in years, 1 year is converted to 365 days).

  • Server Identification in Boot Scripts: the bootstrap procedure is run on each server of the triplet with the ekm_boot_<EP/Partner/Auxiliary> script. The --self parameter specifies the running server; the other two servers of the triplet are specified with the following script-specific parameters:

    Script              --self     -e    -p       -x
    ekm_boot_ep         EP         -     Partner  Auxiliary
    ekm_boot_partner    Partner    -     EP       Auxiliary
    ekm_boot_auxiliary  Auxiliary  EP    Partner  -

  • Server Endpoint Identification: all servers are identified by their inter-server connection endpoints, <IP address or hostname>[:<port>]. The default port is 443.

    Note
    The identification chosen for each server (IP address or hostname[:<port>]) must be repeated exactly in all three scripts.

  • Optional: EP Server's Alternative Names: to create the EP server certificate with additional names and IP addresses in its subject alternative names (SAN) list, use the -n option of the ekm_boot_ep script.

    Note
    You can update the EP certificate's SAN list at any time with ekm_renew_server_certificate.

Step 1 - Bootstrap the Triplet

Note
This topic specifies the bootstrapping of the first triplet. To add a triplet to a cluster, see Add Server Triplet.

The example below assumes the following:

  • The hostnames of the EP, Partner, and Auxiliary servers are ep1, partner1, and aux1.
  • All servers are bootstrapped using the default port 443.
  • If the [-f] option is omitted, you are prompted to approve the certificates presented by the other two servers. See Validation of the Bootstrapping Server.

For the detailed specification of the parameters in the ekm_boot_<server role> scripts, see Bootstrapping Scripts.

Note
By default, the time gap between the bootstraps should not exceed 30 minutes. To allow a longer gap between the bootstraps, use the -a (attempts) and/or -t (time between attempts) options in the bootstrap commands. See Bootstrap Parameters.

Parameter Description
-a Attempts – the number of handshake attempts between the paired servers (default = 2000).
-t Timeout – the duration of a pause between each attempt (default = one second).
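The role-to-option mapping of the three ekm_boot_* scripts, the rule that every server must be identified by exactly the same <host>[:<port>] string in all three scripts, and the -a/-t retry window are easy to get wrong when the commands are typed by hand on three machines. The following added example (written for this page, not a script shipped with CORE) generates the three command lines from one set of endpoints and sizes -a/-t for a planned gap; the script paths and option letters are the ones shown on this page, while the host names ep1, partner1 and aux1 and the 90-minute gap are constructed sample values. It only prints the commands (a dry run); nothing is executed.

```shell
#!/bin/sh
# Added example, not part of the Unbound CORE documentation: build the three
# ekm_boot_* command lines of a triplet from one set of server endpoints so that
# each server is identified by the same <host>[:<port>] string in every script,
# and derive -a/-t values that cover a planned gap between the bootstraps.
# EKM_BIN and the option letters are taken from the page; host names below are
# constructed sample values.

EKM_BIN=/opt/ekm/bin

# check_endpoint HOST[:PORT]: accept a hostname or IPv4 address with an optional
# numeric port (1-65535); return 1 for anything else (empty, spaces, bad port).
check_endpoint() {
    cand=$1
    case "$cand" in
        ''|*' '*) return 1 ;;
    esac
    host=${cand%%:*}
    port=${cand#"$host"}          # "" or ":NNN"
    [ -n "$host" ] || return 1
    if [ -n "$port" ]; then
        port=${port#:}
        case "$port" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    fi
    return 0
}

# bootstrap_cmd ROLE EP PARTNER AUX [EXTRA...]
# Prints the bootstrap command for ROLE (ep|partner|auxiliary) using the
# page's role-to-option table:
#   ep:        --self EP      -p PARTNER -x AUX
#   partner:   --self PARTNER -p EP      -x AUX
#   auxiliary: --self AUX     -e EP      -p PARTNER
# Extra arguments (-f, -w, -a, -t, ...) are appended verbatim.
bootstrap_cmd() {
    role=$1; ep=$2; partner=$3; aux=$4
    shift 4
    for e in "$ep" "$partner" "$aux"; do
        check_endpoint "$e" || { echo "bad endpoint: $e" >&2; return 1; }
    done
    case "$role" in
        ep)        printf '%s/ekm_boot_ep.sh --self %s -p %s -x %s' "$EKM_BIN" "$ep" "$partner" "$aux" ;;
        partner)   printf '%s/ekm_boot_partner.sh --self %s -p %s -x %s' "$EKM_BIN" "$partner" "$ep" "$aux" ;;
        auxiliary) printf '%s/ekm_boot_auxiliary.sh --self %s -e %s -p %s' "$EKM_BIN" "$aux" "$ep" "$partner" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    for opt in "$@"; do printf ' %s' "$opt"; done
    printf '\n'
}

# retry_opts MINUTES: -a/-t values whose product (attempts x seconds) covers a
# gap of MINUTES between the bootstraps, keeping the default one-second pause.
retry_opts() {
    printf '%s\n' "-a $(( $1 * 60 )) -t 1"
}

# Dry run for the constructed hosts ep1, partner1 and aux1, allowing a
# 90-minute gap between the three bootstraps. Run each printed line with sudo
# on the server named by its --self option.
for role in ep partner auxiliary; do
    bootstrap_cmd "$role" ep1 partner1 aux1 -f $(retry_opts 90)
done
```

Because all three commands are produced from the same three endpoint strings, the identification of each server is guaranteed to match across the scripts; a port only needs to be written when it differs from the default 443, and whatever form is chosen is then carried into every command unchanged.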

Step 2 - Activate the Triplet

The bootstrap procedure created the system service (named ekm on Linux and ekmsvc on Windows) on each server. To activate the triplet, start this service on all three servers; on Linux this is the same command as in the quickstart:

sudo service ekm start

The Next Steps and Troubleshooting

Continue with the following steps:

For troubleshooting, see Launch the First Server Pair.