Launch the First Server Triplet

If you plan for intensive symmetric key crypto processing, consider deploying a triplet of CORE servers: EP, Partner, and Auxiliary. The auxiliary server accelerates calculations in the symmetric crypto operations.

If you do not plan for intensive symmetric key crypto processing, consider starting with the foundation pair only. In such a case, see Launch the First Server Pair.

Triplet Quickstart on Linux

In the following example, we create a CORE system with one partition and one RSA key.

• The hostnames of EP, Partner, and Auxiliary servers are ep1, partner1, and aux1.
• The Root SOSecurity officer - UKC partition administrator role. credentials are (so, Password1!).
• The partition's name is test. Its SOSecurity officer - UKC partition administrator role. credentials are (so, Password2!).
• Passwords are parameters. They must fulfill Password Requirements.
• See Inline Password Options for options on how the password can be specified.

Step	Run on	Command
1	EP, Partner and Aux	Install the CORE Server software. sudo rpm -ivh <CORE Server Software>.rpm
2	EP, Partner and Aux	Bootstrap the software. On EP: Note: This script creates the Root SOSecurity officer - UKC partition administrator role. with credentials (so, Password1!). sudo /opt/ekm/bin/ekm_boot_ep.sh \ --self ep1 -p partner1 -x aux1 -f -w Password1! On Partner: sudo /opt/ekm/bin/ekm_boot_partner.sh \ --self partner1 -p ep1 -x aux1 -f On Aux: sudo /opt/ekm/bin/ekm_boot_auxiliary.sh \ --self aux1 -e ep1 -p partner1 -f Note:  By default, the time gap between the bootstraps should not exceed 30 minutes. To allow longer gap between the bootstraps, use -a (attempts) and/or -t (time between attempts) options in the bootstrap commands. See Bootstrap Parameters.
3	EP, Partner and Aux	Start the EKMEnterprise Key Management - previous name of the product. service. sudo service ekm start
4	EP	Make sure that the system is up and running. ucl server test Continue using UCLUnbound Command Language or jump to Step #7 to switch to UI.
5	EP	Create a CORE partition "test". Note: The ucl partition create creates the partition's SOSecurity officer - UKC partition administrator role. with credentials (so, Password2!). sudo ucl partition create -p test --so_password Password2! -w Password1!
6	EP	Create and display an RSA key. ucl generate -t rsa --name rsa1 -p test ucl show --name rsa1 -p test
7	EP	Disable client certificate requirement for using UI. Note: This change of the default system settings releases UI user from owning certificates of the targeted partition. ucl system-settings set -k no-cert -v 1 -w Password1!
8	Workstation	https://ep1

Triplet Bootstrap in Details

The deployment of the CORE cluster foundation server requires CORE Server Installation in the selected triplet of servers followed by:

1. Launch the First Server Triplet.
2. Step 2 - Activate the Triplet.
3. Step 3 - Prepare the EP.
4. Step 4 - Commissioning Test.

Before You Continue

Check the following notes if this is the first time you are running CORE pair bootstrapping.

• Concurrent Execution

EP, Partner, and Auxiliary servers are bootstrapped in parallel to complete their mutual authentication. The order is non-essential.

• Mutual Server Identity Approval

During the parallel bootstrapping of three servers, the administrator of each server is asked to approve the self-signed temporary certificates presented by the other two servers.



• For the details of the manual validation procedure, see Validation of the Bootstrapping Server.
• To bypass the manual validation, append the -f option to the bootstrapping command.
• Permanent Certificate

Once the identities of the participating servers are confirmed, each server receives its permanent (default: 2 yearsFor any time interval setting in years, 1 year is converted to 365 days) certificate signed by the Unbound Root CA.

• Server Identification in Boot Scripts

The bootstrap procedure is done on each server of the triplet by running the ekm_boot_<EP/Partner/Auxiliary> script. The (--self) parameter specifies the running server. The other servers of the triplet are specified using the following script-specific parameters:

Script	--self	-e	-p	-x
ekm_boot_ep	EP		Partner	Auxiliary
ekm_boot_partner	Partner		EP	Auxiliary
ekm_boot_auxiliary	Auxiliary	EP	Partner

• Server Endpoint Identification

All servers are identified by their inter-server connection endpoints: <IP address or hostname>[:<port>]. The default port is port 443.

Note
The selected identification of each server (IP address or hostname[:<port>] ) must be repeated in all scripts.


• Optional: EP Server's Alternative Names

To create the EP server certificate with additional names and IP addresses in its certificate's subject alternative names list (SANSubject Alternative Names - Certificate field with a list of IP addresses.), use the -n option in the ekm_boot_ep script.

Note
You can always update the EP certificate's SANSubject Alternative Names - Certificate field with a list of IP addresses. by using ekm_renew_server_certificate.

Step 1 - Bootstrap the Triplet

Note
This topic specifies the bootstrapping of the first triplet. To add a triplet to a cluster, see Add Server Triplet.

In the following example we assume the following:

• The hostnames of EP, Partner, and Auxiliary servers are ep1, partner1, and aux1.
• We are bootstrapping all servers using the default port 443.
• If the [-f] option is omitted you are prompted to approve the certificates presented by the other two servers. See Validation of the Bootstrapping Server.

For the detailed specification of the parameters in the ekm_boot_<server role> scripts, see Bootstrapping Scripts.

Note: 
By default, the time gap between the bootstraps should not exceed 30 minutes. To allow longer gap between the bootstraps, use -a (attempts) and/or -t (time between attempts) options in the bootstrap commands. See Bootstrap Parameters.

Parameter	Description
-a	Attempts – the number of handshake attempts between the paired servers (default = 2000).
-t	Timeout – the duration of a pause between each attempt (default = one second).

Step 2 - Activate the Triplet

The bootstrap procedure created the system service (named ekm on Linux and ekmsvc on Windows) on each server. To activate the triplet, start this service on all three servers:

• Linux:

  sudo service ekm start

• Windows:

  1. Open Task Manager ˃ Services.

     

  2. Right-click ekmsvc. and select Start.

For further details, see EKM Service Management.

The Next Steps and Troubleshooting

Continue with the following steps:

• Step 3 - Prepare the EP
• Step 4 - Commissioning Test

For troubleshooting, see Launch the First Server Pair.