Cluster Scale-out

CORE cluster scale-out includes two steps:

  1. Bootstrapping of the required number of additional servers. See Prepare an Additional Server.
  2. Inclusion of the new server(s) in the cluster. See Add an Auxiliary Server, Add Server Pair, or Add Server Triplet.

Prepare an Additional Server

Make sure that the selected server meets the cluster's Connectivity Requirements.

The preparation depends on the bootstrap release of the cluster's first EP:

Step                  | The 1st EP bootstrapped using 2.0.1807 or earlier      | The 1st EP bootstrapped using 2.0.1810 or later
----------------------|--------------------------------------------------------|-----------------------------------------------------------
Install               | Install the server release 2.0.1807                    | Install the server release that is running in the cluster
Bootstrap             | ekm_boot_additional_server                             | ekm_boot_additional_server
Upgrade Server        | Upgrade to the release that is running in the cluster  | Skip
Start the EKM Service | See EKM Service Management.                            | See EKM Service Management.

EKM (Enterprise Key Management) is the previous name of the product.

See Quickstart Additional Server on Linux.

Add an Auxiliary Server

Quickstart on Linux

In the following example, we add a server aux2 to the CORE cluster and assign it to become an auxiliary server.

Step | Run on     | Command
-----|------------|--------------------------------------------------------------------------------------------
1    | New server | Quickstart Additional Server on Linux
2    | EP         | Add the new server as an auxiliary server to the cluster: sudo ucl server create -a aux2
3    | aux2       | Restart the EKM service: sudo service ekm restart
4    | EP         | Make sure that the system is up and running: ucl server test

Add Auxiliary Server in Details

  1. Prepare: Prepare an Additional Server and take a note of the --self name and port (if any) used in its bootstrap.
  2. Add Aux: On the main EP, run ucl server create, referring to the new server by its name:port as specified in its bootstrap procedure. The new server presents its self-signed certificate. Examine and approve it. See Validation of the Bootstrapping Server.
  3. Activate the new server: Restart the EKM Service on the new server. See EKM Service Management.
  4. Test: On the EP, run ucl server test. The new server must have the expected "role": "AUXILIARY" and "status": { "reachable": "YES" }.

Add Server Pair

Quickstart on Linux

In the following example, we add a pair of servers (ep2 and partner2) to the CORE cluster.

Step | Where                    | Command
-----|--------------------------|--------------------------------------------------------------------------------
1a   | The first new server     | Quickstart Additional Server on Linux; name it ep2
1b   | The second new server    | Quickstart Additional Server on Linux; name it partner2
2    | The main EP              | Add the pair to the cluster: sudo ucl server create -e ep2 -p partner2
3a   | ep2                      | Restart the EKM service: sudo service ekm restart
3b   | partner2                 | Restart the EKM service: sudo service ekm restart
4    | The main EP              | Make sure that the system is up and running: ucl server test
5    | Clients or load balancer | Add the ep2 server as an applicable end-point for CORE service requests.

Add Server Pair in Details

  1. Prepare: Prepare two servers. See Prepare an Additional Server.
  2. Add the New Pair: On the main EP, run ucl server create, referring to the new servers by their name:port as specified in their bootstrap procedures. The new servers present their self-signed certificates. Examine and approve the certificates. See Validation of the Bootstrapping Server.

    Note

    Error 0x00000100: error code {EKM_ERROR}, destination, {https://partner1:443}message {No certificate found for partner2}

    This error indicates that the partner2 server is not among the allow-listed Partner servers. See Scale-Out Approval.

  3. Activate the New Servers: On each new server, restart the EKM Service.
  4. Test: On the main EP, run ucl server test. The new servers must have the expected role and "status": { "reachable": "YES" }.
  5. Modify Clients or Load Balancer:
    • If the CORE clients connect to their servers via a load balancer, add the newly added EP to the list of EPs handled by the load balancer.
    • Otherwise, for each CORE client, add the newly added EP to the primary or alternative group of the Servers setting. See Client-Controlled High Availability.

Add Server Triplet

Quickstart on Linux

In the following example, we add a triplet of servers (ep2, partner2, and aux2) to the CORE cluster.

Step | Where                    | Command
-----|--------------------------|------------------------------------------------------------------------------------
1a   | The first new server     | Quickstart Additional Server on Linux; name it ep2
1b   | The second new server    | Quickstart Additional Server on Linux; name it partner2
1c   | The third new server     | Quickstart Additional Server on Linux; name it aux2
2    | The main EP              | Add the triplet to the cluster: sudo ucl server create -e ep2 -p partner2 -a aux2
3a   | ep2                      | Restart the EKM service: sudo service ekm restart
3b   | partner2                 | Restart the EKM service: sudo service ekm restart
3c   | aux2                     | Restart the EKM service: sudo service ekm restart
4    | The main EP              | Make sure that the system is up and running: ucl server test
5    | Clients or load balancer | Add the ep2 server as an applicable end-point for CORE service requests.

Add Server Triplet in Details

Prepare three servers and follow the description in Add Server Pair in Details, using three servers instead of two.
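The Test step of the auxiliary, pair and triplet procedures only says to look for the expected role and "reachable": "YES". The following check is an added example, not part of the product documentation: it assumes the output of ucl server test can be captured as JSON with a per-server role and status.reachable field as quoted above; the sample output, the surrounding layout and the EP/PARTNER role strings are constructed assumptions.

```python
import json

# Constructed sample of "ucl server test" output for this example. Only the "role": "AUXILIARY"
# and "status": {"reachable": "YES"} fragments come from the documentation; the surrounding
# layout and the EP/PARTNER role strings are assumptions.
SAMPLE_OUTPUT = json.dumps({"servers": [
    {"name": "ep1", "role": "EP", "status": {"reachable": "YES"}},
    {"name": "partner1", "role": "PARTNER", "status": {"reachable": "YES"}},
    {"name": "ep2", "role": "EP", "status": {"reachable": "YES"}},
    {"name": "partner2", "role": "PARTNER", "status": {"reachable": "NO"}},
    {"name": "aux2", "role": "AUXILIARY", "status": {"reachable": "YES"}},
]})


def verify_scale_out(output, expected, existing=()):
    """Check the result of a scale-out.

    expected: {server name: expected role} for the servers just added.
    existing: names of the servers that were already in the cluster.
    Returns a list of problems; an empty list means the Test step passed.
    """
    try:
        servers = json.loads(output).get("servers", [])
    except (ValueError, AttributeError) as exc:
        return ["output is not the expected JSON: %s" % exc]
    by_name = {s.get("name"): s for s in servers}
    problems = []
    for name, role in expected.items():
        srv = by_name.get(name)
        if srv is None:
            problems.append("%s: not listed by ucl server test" % name)
            continue
        if srv.get("role") != role:
            problems.append("%s: role %r, expected %r" % (name, srv.get("role"), role))
        reachable = srv.get("status", {}).get("reachable")
        if reachable != "YES":
            problems.append("%s: reachable=%r, expected 'YES'" % (name, reachable))
    # A server that neither existed before nor was part of this scale-out was added by
    # someone else; that is exactly the situation Scale-Out Approval is meant to prevent.
    for name in sorted(set(by_name) - set(expected) - set(existing)):
        problems.append("%s: present in the cluster but not expected" % name)
    return problems


if __name__ == "__main__":
    triplet = {"ep2": "EP", "partner2": "PARTNER", "aux2": "AUXILIARY"}
    for problem in verify_scale_out(SAMPLE_OUTPUT, triplet, existing={"ep1", "partner1"}):
        print("FAIL", problem)
```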

Scale-Out Approval

The Add Server Pair and Add Server Triplet procedures are controlled by a single Root SO (Security Officer, the UKC partition administrator role) of the EP server. To protect the cluster from an adversarial server pair or triplet being added by a single person, choose one or both of the following options:

  1. Activate the CORE quorum-based protection for the addition of a server to the cluster.
  2. Make sure that the EP Root SO and the Partner admin are different persons, and enable the Partner admin to approve the addition of a new Partner server to the cluster:
    1. Partner1: Once the first server pair is created, activate the approval policy. See ekm_set_allowed_server.
    2. Partner2: Prepare Partner2. See Prepare an Additional Server.
    3. Partner2: To permit the addition of Partner2 as a Partner in a new server pair, run ekm_add_allowed_server.

Figure: Scale-out approval flow