Launch the First Server Triplet
If you plan for intensive symmetric key crypto processing, consider deploying a triplet of CORE servers: EP, Partner, and Auxiliary. The auxiliary server accelerates calculations in the symmetric crypto operations.
If you do not plan for intensive symmetric key crypto processing, consider starting with the foundation pair only. In such a case, see Launch the First Server Pair.
Triplet Quickstart on Linux
In the following example, we create a CORE system with one partition and one RSA key.
- The hostnames of EP, Partner, and Auxiliary servers are ep1, partner1, and aux1.
- The Root SO (security officer, the UKC partition administrator role) credentials are (so, Password1!).
- The partition's name is test. Its SO credentials are (so, Password2!).
- Passwords are parameters. They must fulfill Password Requirements.
- See Inline Password Options for options on how the password can be specified.
Step | Run on | Action | Command |
---|---|---|---|
1 | EP, Partner and Aux | Install the CORE Server software. | sudo rpm -ivh <CORE Server Software>.rpm |
2 | EP, Partner and Aux | Bootstrap the software. Note: on EP, this script creates the Root SO. | On EP: sudo /opt/ekm/bin/ekm_boot_ep.sh \ On Partner: sudo /opt/ekm/bin/ekm_boot_partner.sh \ On Aux: sudo /opt/ekm/bin/ekm_boot_auxiliary.sh \ Note: |
3 | EP, Partner and Aux | Start the EKM service. | sudo service ekm start |
4 | EP | Make sure that the system is up and running. | ucl server test |
5 | EP | Create a CORE partition "test". Note: The | sudo ucl partition create -p test --so_password Password2! -w Password1! |
6 | EP | Create and display an RSA key. | ucl generate -t rsa --name rsa1 -p test |
7 | EP | Disable the client certificate requirement for using the UI. Note: This change of the default system settings releases the UI user from owning certificates of the targeted partition. | ucl system-settings set -k no-cert -v 1 -w Password1! |
8 | Workstation | Open the UI in a browser. | https://ep1 |
Triplet Bootstrap in Details
The deployment of the CORE cluster foundation server requires CORE Server Installation in the selected triplet of servers followed by:
- Launch the First Server Triplet.
- Step 2 - Activate the Triplet.
- Step 3 - Prepare the EP.
- Step 4 - Commissioning Test.
Before You Continue
Check the following notes if this is the first time you are running CORE pair bootstrapping.
- Concurrent Execution
- Mutual Server Identity Approval
- For the details of the manual validation procedure, see Validation of the Bootstrapping Server.
- To bypass the manual validation, append the -f option to the bootstrapping command.
- Permanent Certificate
- Server Identification in Boot Scripts
- Server Endpoint Identification
- Optional: EP Server's Alternative Names
EP, Partner, and Auxiliary servers are bootstrapped in parallel to complete their mutual authentication. The order is non-essential.
During the parallel bootstrapping of three servers, the administrator of each server is asked to approve the self-signed temporary certificates presented by the other two servers.
Once the identities of the participating servers are confirmed, each server receives its permanent certificate (default validity: 2 years; for any time interval setting in years, 1 year is converted to 365 days) signed by the Unbound Root CA.
The bootstrap procedure is done on each server of the triplet by running the ekm_boot_<EP/Partner/Auxiliary> script. The --self parameter specifies the running server. The other servers of the triplet are specified using the following script-specific parameters:
Script | --self | -e | -p | -x |
---|---|---|---|---|
ekm_boot_ep | EP | | Partner | Auxiliary |
ekm_boot_partner | Partner | | EP | Auxiliary |
ekm_boot_auxiliary | Auxiliary | EP | Partner | |
All servers are identified by their inter-server connection endpoints: <IP address or hostname>[:<port>]. The default port is port 443.
Note
The selected identification of each server (IP address or hostname[:<port>]) must be repeated in all scripts.
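The role-to-parameter mapping in the table above is easy to get wrong when the three commands are typed by hand on three machines. The following POSIX shell helper is an added example, not part of the CORE software or its documentation: it takes one triplet definition, applies the default port 443 when an endpoint has none, and prints the ekm_boot command line for the requested role using the Linux script paths shown on this page. The hostnames in the usage comment are constructed, and the helper only prints the command so the operator can review it before running it.

```shell
#!/bin/sh
# Added example (not CORE's own tooling). Builds the role-specific
# ekm_boot_<role>.sh command line from a single triplet definition.
# Assumes the Linux script paths /opt/ekm/bin/ekm_boot_*.sh from this page.

# Normalise a server endpoint to <host>:<port>, applying the default
# port 443 when none is given. Prints the normalised endpoint.
normalize_endpoint() {
  case "$1" in
    "")  echo "empty endpoint" >&2; return 1 ;;
    *:*) printf '%s\n' "$1" ;;
    *)   printf '%s:443\n' "$1" ;;
  esac
}

# Usage: boot_command <role> <ep> <partner> <aux> [extra options...]
#   role is ep, partner or auxiliary. Extra options such as -f, -a or -t
#   are appended unchanged. The same three endpoints are passed for every
#   role, which satisfies the note that each identification must be
#   repeated in all scripts. Prints the command; does not run it.
boot_command() {
  role=$1
  ep=$(normalize_endpoint "$2") || return 1
  partner=$(normalize_endpoint "$3") || return 1
  aux=$(normalize_endpoint "$4") || return 1
  shift 4
  case "$role" in
    # EP: partner via -p, auxiliary via -x
    ep)        printf 'sudo /opt/ekm/bin/ekm_boot_ep.sh --self %s -p %s -x %s' \
                 "$ep" "$partner" "$aux" ;;
    # Partner: EP via -p, auxiliary via -x
    partner)   printf 'sudo /opt/ekm/bin/ekm_boot_partner.sh --self %s -p %s -x %s' \
                 "$partner" "$ep" "$aux" ;;
    # Auxiliary: EP via -e, partner via -p
    auxiliary) printf 'sudo /opt/ekm/bin/ekm_boot_auxiliary.sh --self %s -e %s -p %s' \
                 "$aux" "$ep" "$partner" ;;
    *)         echo "unknown role: $role" >&2; return 1 ;;
  esac
  for opt in "$@"; do printf ' %s' "$opt"; done
  printf '\n'
}

# Example (constructed hostnames): print all three commands for review.
# boot_command ep        ep1 partner1 aux1 -f
# boot_command partner   ep1 partner1 aux1 -f
# boot_command auxiliary ep1 partner1 aux1 -f
```

Run the same three-line definition on each server and execute only the line for that server's role; if you need a longer window between bootstraps, pass -a and -t as extra options and they are appended verbatim.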
To create the EP server certificate with additional names and IP addresses in its Subject Alternative Names (SAN) list, use the -n option in the ekm_boot_ep script.
Note
You can always update the EP certificate's SAN list by using ekm_renew_server_certificate.
Step 1 - Bootstrap the Triplet
Note
This topic specifies the bootstrapping of the first triplet. To add a triplet to a cluster, see Add Server Triplet.
In the following example we assume the following:
- The hostnames of EP, Partner, and Auxiliary servers are ep1, partner1, and aux1.
- We are bootstrapping all servers using the default port 443.
- If the [-f] option is omitted, you are prompted to approve the certificates presented by the other two servers. See Validation of the Bootstrapping Server.
For the detailed specification of the parameters in the ekm_boot_<server role> scripts, see Bootstrapping Scripts.
Linux:
- EP: sudo /opt/ekm/bin/ekm_boot_ep.sh --self ep1 -p partner1 -x aux1 [-f] -w <define the Root SO password>
- Partner: sudo /opt/ekm/bin/ekm_boot_partner.sh --self partner1 -p ep1 -x aux1 [-f]
- Auxiliary: sudo /opt/ekm/bin/ekm_boot_auxiliary.sh --self aux1 -e ep1 -p partner1 [-f]

Windows:
- EP: C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_ep.bat --self ep1 -p partner1 -x aux1 [-f] -w <define the Root SO password>
- Partner: C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_partner.bat --self partner1 -p ep1 -x aux1 [-f]
- Auxiliary: C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_auxiliary.bat --self aux1 -e ep1 -p partner1 [-f]
Note:
By default, the time gap between the bootstraps should not exceed 30 minutes. To allow a longer gap between the bootstraps, use the -a (attempts) and/or -t (time between attempts) options in the bootstrap commands. See Bootstrap Parameters.
Parameter | Description |
---|---|
-a | Attempts – the number of handshake attempts between the paired servers (default = 2000). |
-t | Timeout – the duration of a pause between each attempt (default = one second). |
Step 2 - Activate the Triplet
The bootstrap procedure created the system service (named ekm on Linux and ekmsvc on Windows) on each server. To activate the triplet, start this service on all three servers:
- Linux: sudo service ekm start
For further details, see EKM Service Management.
The Next Steps and Troubleshooting
Continue with the following steps:
For troubleshooting, see Launch the First Server Pair.