Cluster Scale-out
CORE cluster scale-out includes two steps:
- Bootstrapping of the required number of the additional servers. See Prepare an Additional Server.
- Inclusion of the new server(s) in the cluster:
Prepare an Additional Server
Make sure that the selected server meets the cluster's Connectivity Requirements.
The preparation depends on the bootstrap release of the cluster's first EP:
| Step |
The 1st EP bootstrapped |
The 1st EP bootstrapped |
|---|---|---|
| Install |
Install the server release 2.0.1807 |
Install the server release that is running in the cluster |
| Bootstrap | ekm_boot_additional_server | |
| Upgrade | Server Upgrade to the release that is running in the cluster |
skip |
Start the EKM Enterprise Key Management - previous name of the product. Service |
||
Quickstart Additional Server on Linux
If the first server pair was bootstrapped using the UKC 2.0.1807 or earlier release:
| Run on | Command |
|---|---|
| New Server |
Install the UKC Server software release 2.0.1807. sudo rpm -ivh <UKC Server Software Release 2.0.1807>.rpm |
|
Bootstrap the server as additional server. Name according to its designation in the cluster sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s <a new server name in the cluster> |
|
|
Upgrade the UKC Server software release to the currently running in the cluster. sudo rpm -Uvh <the currently running UKC Server Software>.rpm |
|
|
Start the EKM sudo service ekm start |
If the first server pair was bootstrapped using the UKC 2.0.1810 or later release:
| Run on | Command |
|---|---|
| New Server |
Install the CORE Server software release that is running in the cluster. sudo rpm -ivh <the currently running CORE Server Software>.rpm |
|
Bootstrap the server as additional server. Name according to its designation in the cluster sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s <a new server name in the cluster> |
|
|
Start the EKM sudo service ekm start |
Add an Auxiliary Server
Quickstart on Linux
In the following example, we add a server aux2 to the CORE cluster and assign it to become an auxiliary server.
| Step | Run on | Command |
|---|---|---|
| 1 | New Server | |
| 2 | EP |
Add the new server as an auxiliary server to the cluster sudo ucl server create -a aux2 |
| 3 | aux2 |
Restart the EKM sudo service ekm restart |
| 4 | EP |
Make sure that the system is up and running. ucl server test |
Add Auxiliary Server in Details
- Prepare an Additional Server and take a note of the
--selfname and port (if any) used in its bootstrap. - Add Aux.
- Activate the new server
- Test
On the main EP, run the ucl server create referring to the new server by its name:port as specified in their bootstrap procedures. The new server shall present its self-signed certificate. Examine and approve it.
See Validation of the Bootstrapping Server.
Restart the EKMEnterprise Key Management - previous name of the product. Service on the new server. See EKM Service Management.
On EP, run
ucl server test. The new server must have the expected "role": "AUXILIARY" and "status": { "reachable": "YES" }.
Add Server Pair
Quickstart on Linux
In the following example, we add a triplet of servers (ep2 and partner2) to the CORE cluster.
| Step | Where | Command |
|---|---|---|
| 1a | The first new server |
Quickstart Additional Server on Linux Name it ep2 |
| 1b | The second new server |
Quickstart Additional Server on Linux Name it partner2 |
| 2 | The main EP |
Add the pair to the cluster sudo ucl server create -e ep2 -p partner2 |
| 3a | ep2 |
Restart the EKM sudo service ekm restart |
| 3b | partner2 |
Restart the EKM sudo service ekm restart |
| 4 | The main EP |
Make sure that the system is up and running. ucl server test |
| 5 | Clients or Load Balancer | Add ep2 server as applicable end-point for the CORE service requests. |
Add Server Pair in Details
- Prepare two servers
- Run Prepare an Additional Server on the first server and make a note of the
--selfname and port (if any) used in its bootstrap procedure. - Run Prepare an Additional Server on the second server and take a note of the
--selfname and port (if any) used in its bootstrap procedure.
- Run Prepare an Additional Server on the first server and make a note of the
- Add the New Pair.
- Activate the New Servers.
- Test.
- Modify Clients or Load Balancer
- If the CORE clients connect to their servers via a load-balancer, add the newly added EP to the list of EPs handled by the load-balancer.
- Otherwise, for each CORE client, add the newly added EP to the Servers Setting primary or alternative group. See Client-Controlled High Availability .
On the main EP, run the ucl server create referring to the new servers by their name:port as specified in their bootstrap procedures. The new servers shall present their self-signed certificates. Examine and approve the certificates.
See Validation of the Bootstrapping Server.
Note
Error 0x00000100: error code {EKM_ERROR}, destination, {https://partner1:443}message {No certificate found for partner2}
This error indicates that the partner2 server is not among the allow-listed Partner servers. See Scale-Out Approval.
On each new server, restart the EKMEnterprise Key Management - previous name of the product. Service.
On the main EP, run
the ucl server test. The new servers must have the expected role and "status": { "reachable": "YES" }.
Add Server Triplet
Quickstart on Linux
In the following example, we add a triplet of servers (ep2, partner2, and aux2) to the CORE cluster.
| Step | Where | Command |
|---|---|---|
| 1a | The first new server |
Quickstart Additional Server on Linux
|
| 1b | The second new server |
Quickstart Additional Server on Linux
|
| 1c | The third new server |
Quickstart Additional Server on Linux
|
| 2 | The main EP |
Add the triplet to the cluster sudo ucl server create -e ep2 -p partner2 -a aux2 |
| 3a | ep2 |
Restart the EKM sudo service ekm restart |
| 3b | partner2 |
Restart the EKM sudo service ekm restart |
| 3c | aux2 |
Restart the EKM sudo service ekm restart |
| 4 | EP |
Make sure that the system is up and running. ucl server test |
| 5 | Clients or Load Balancer | Add "ep2" server as applicable end-point for the CORE service requests. |
Add Server Triplet in Details
Prepare three servers and follow the description in Add Auxiliary Server in Details. Instead of two servers, use three.
Scale-Out Approval
The Add Server Pair and Add Server Triplet procedures are controlled by a single Root SOSecurity officer - UKC partition administrator role. of EP server. To protect the cluster from adding adversary server pair or triplet by a single person, choose one of the following options or both of them:
- Activate the CORE quorum-based protection concerning the addition of a server to the cluster.
- Make sure EP Root SOSecurity officer - UKC partition administrator role. and Partner admin are different persons. Enable the Partner admin to approve the addition of a new Partner server to the cluster:
- Partner1:
Once the first server pair is created, activate the approval policy. See ekm_set_allowed_server. - Partner2:
Prepare Partner2. See Prepare an Additional Server. - Partner2:
To permit the addition of the Partner2 as a Partner in a new server pair, run ekm_add_allowed_server.
- Partner1:
