Bootstrapping Scripts
CORE server bootstrapping prepares a server to fulfill its assigned role (EP, Partner, Auxiliary, or an Additional Server whose role is not yet defined). This section includes:
- Bootstrapping scripts for CORE cluster foundation.
- Bootstrapping scripts for CORE cluster expansion and its approval.
Important
Start or restart the EKM (Enterprise Key Management, the previous name of the product) service after running any of the scripts in this section.
ekm_boot_ep
Bootstraps the EP server of the CORE cluster foundation.
Note
This script is also used (with the -restore option) in the cluster's restore procedure. See Step 3 - Bootstrap the Restored Pair.
- To bootstrap a triplet, also specify the -x <aux> server.
- To bootstrap a triplet in FIPS (Federal Information Processing Standards, developed by the United States federal government for use in computer systems by non-military government agencies and government contractors) mode, specify the -fips option.
- To bypass mutual validation of the peer certificate(s), append the -f --force flag.
Syntax:
ekm_boot_ep
-s <self – hostname/IP of this server [:<port>]>
-p <paired server – hostname/IP of the Partner [:<port>]>
[-x <auxiliary – hostname/IP of the auxiliary server [:<port>]>] // triplet bootstrap
-w <the password of the root SO> // See note below.
[-n <CSV list of EP hostnames and IP addresses>]
[-e <expiry of the root CA certificate in years>] // default: 8 years
[-restore] // reuse the existing database
See the description of these and additional parameters in Appendix - Bootstrapping Parameters.
Notes
- The password must meet the default complexity and length requirements specified in Password Requirements. The password may be provided using various Inline Password Options.
- If the -e option is used, the same option must be applied in ekm_boot_partner.
- UCL (Unbound Command Language) availability on the EP following the bootstrap:
  - Linux: ucl is ready to use.
  - Windows: You must configure the embedded CORE client:
    - Open the Client Configuration registry.
    - Set Servers Setting to the value specified by the -s parameter in the ekm_boot_ep.bat command.
Example.
Bootstrap an EP server of the ep1-partner1 pair:
- Linux
sudo /opt/ekm/bin/ekm_boot_ep.sh -s ep1 -p partner1 \
-w <root SO password>
- Windows
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_ep.bat -s ep1 -p partner1 \
-w <root SO password>
ekm_boot_partner
Bootstraps the Partner server of the CORE cluster foundation.
Note
The script is also used (with the -restore option) in the cluster's restore procedure. See Step 3 - Bootstrap the Restored Pair.
- To bootstrap a triplet, also specify the -x <aux> server.
- To bootstrap a triplet in FIPS (Federal Information Processing Standards, developed by the United States federal government for use in computer systems by non-military government agencies and government contractors) mode, specify the -fips option.
- To bypass mutual validation of the peer certificate(s), append the -f --force flag.
Syntax:
ekm_boot_partner
-s <self – hostname/IP of this server [:<port>]>
-p <paired server – hostname/IP of the EP[:<port>]>
[-x <auxiliary – hostname/IP of the auxiliary server [:<port>]>] // triplet bootstrap
[-e <expiry of the root CA certificate in years>] // default: 8 years
[-restore] // reuse the existing database
See the description of these and additional parameters in Appendix - Bootstrapping Parameters.
Notes
- The -p parameter specifies the "paired" server. In this case, it is ep1.
- If the -e option is used, the same option must be applied in ekm_boot_ep.
Example.
Bootstrap a Partner server of the ep1-partner1 pair:
Note
The -p parameter specifies the "paired" server. In this case, it is ep1.
- Linux
sudo /opt/ekm/bin/ekm_boot_partner.sh -s partner1 -p ep1
- Windows
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_partner.bat -s partner1 -p ep1
ekm_boot_auxiliary
Bootstraps the Auxiliary server. Applicable only when bootstrapping a triplet.
- To bootstrap a triplet in FIPS (Federal Information Processing Standards, developed by the United States federal government for use in computer systems by non-military government agencies and government contractors) mode, specify the -fips option.
- To bypass mutual validation of the peer certificate(s), append the -f --force flag.
Syntax:
ekm_boot_auxiliary
-s <self – hostname/IP of this server [:<port>]>
-e <the EP server's hostname/IP [:<port>]>
-p <the Partner server's hostname/IP [:<port>]>
[-restore] // reuse the existing database
Note
The -p parameter specifies the "partner" server. In this case, it is partner1.
Example.
- Linux
sudo /opt/ekm/bin/ekm_boot_auxiliary.sh -s aux1 -e ep1 -p partner1
- Windows
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_auxiliary.bat -s aux1 \
-e ep1 -p partner1
ekm_boot_additional_server
Prepares (bootstraps) a CORE server without specifying its role. The corresponding Cluster Scale-out procedure later assigns the server its role in the cluster (EP, Partner, or Auxiliary server).
Syntax:
ekm_boot_additional_server
-s <hostname/IP[:<port>]> // self – hostname/IP of this server. Default port: 443
Example:
- Linux
sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s myname
- Windows
C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_additional_server.bat \
-s myname
ekm_set_allowed_server
Activates or deactivates the approval requirement for adding a new Partner server to the cluster. By default, this feature is deactivated: the cluster can be expanded by a single person holding root SO (Security Officer, the UKC partition administrator role) privileges.
This script must be executed on one of the active Partner servers.
Syntax:
Example:
sudo /opt/ekm/bin/ekm_set_allowed_server.sh -f 1
ekm_add_allowed_server
Adds the specified server to the list of approved Partner servers.
This script must be executed on one of the active Partner servers.
Syntax:
Tip
If the -c option is omitted, the script attempts to retrieve the certificate from the specified server. In this case, it is assumed that the specified server:
- Is running the EKM (Enterprise Key Management, the previous name of the product) service as specified in EKM Service Management.
- Has performed the ekm_boot_additional_server step.
Appendix - Bootstrapping Parameters
All ekm_boot_xxx scripts call the Java ekmconfig.jar, passing CLI (Command Line Interface) parameters and arguments embedded in the script. In particular:
- Use the --restore flag when bootstrapping the cluster foundation servers after restoring its database.
- Use the -a and -t parameters to extend the permitted gap between scripts when bootstrapping the foundation servers.
Parameter | Description |
---|---|
-s <host>[:<port>] | Self – hostname or IP of this server. It will be included in the SAN. [:<port>] – optionally followed by the TCP/IP port number used to access this server from other servers in the cluster. |
-p <host>[:<port>] | Paired server – hostname or IP of the other server in the EP-Partner pair. Must appear in the SAN. [:<port>] – optionally followed by the TCP/IP port number used to access this server from other servers in the cluster. |
-x <host>[:<port>] | Auxiliary server – hostname or IP of the auxiliary server paired with the EP and its Partner servers. [:<port>] – optionally followed by the TCP/IP port number used to access this server from other servers in the cluster. |
-n | A CSV list of hostnames and IP addresses. Valid IP addresses are stored and tagged with the - Valid hostname strings are stored and tagged with the - To update this list after deploying the system, use ekm_renew_server_certificate. |
-fips | This flag indicates that the server is designated for a system operating in FIPS mode. |
-f | Force – run without the need for user approval of the presented self-signed certificates. |
-externaldb | Bootstrap expects DB configuration file(s) to be present on the server. See |
-restore | Reuse (do not overwrite) the existing CORE database. Applicable in |
-e | This parameter is context-specific: To use this option, apply the same value in |
-w | The initial password for the root partition SO. Mandatory and applicable in the |
-a | Attempts – the number of handshake attempts between the paired servers (default = 2000). |
-t | Timeout – the duration of the pause between attempts (default = one second). |
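As an added example (not product code and not part of this documentation), the shell functions below vet a -n CSV list before it is baked into the server certificate's SAN (IPv4 addresses versus hostnames, rejecting anything else) and build the ekm_boot_ep, ekm_boot_partner and ekm_boot_auxiliary command lines for one triplet from a single set of values, so the -e expiry that must match between EP and Partner cannot drift. The /opt/ekm/bin location is taken from the examples above; the EKM_BIN override, the function names and the sample hosts are constructed.

```shell
# Added example, not product code: vet a -n SAN list and emit consistent
# ekm_boot_* command lines for a triplet. Assumes the scripts sit in /opt/ekm/bin.
BIN="${EKM_BIN:-/opt/ekm/bin}"

# True when $1 is a dotted-quad IPv4 address (four octets, each 0-255).
ekm_is_ipv4() {
  case "$1" in ''|.*|*.|*..*) return 1 ;; esac
  local IFS=. o n=0
  for o in $1; do
    case "$o" in *[!0-9]*) return 1 ;; esac
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Classify one SAN entry as ip, host or invalid (hostname = RFC 1123 labels).
ekm_san_kind() {
  if ekm_is_ipv4 "$1"; then echo ip; return; fi
  case "$1" in *[!0-9.]*) ;; *) echo invalid; return ;; esac   # digits/dots only, but not an IP
  if printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
  then echo host; else echo invalid; fi
}

# Validate a CSV list as passed to -n; report the first bad entry and fail.
ekm_check_san_list() {
  local IFS=, entry
  set -- $1
  for entry in "$@"; do
    [ "$(ekm_san_kind "$entry")" != invalid ] || { echo "bad SAN entry: $entry" >&2; return 1; }
  done
}

# Print the command for ROLE (ep|partner|aux) of the EP/PARTNER/AUX triplet.
# The same -e EXPIRY goes to both ekm_boot_ep and ekm_boot_partner, as the notes
# require. The EP line deliberately omits -w: pass the root SO password at run time
# via an inline password option rather than baking it into a generated command.
ekm_boot_cmd() {
  local role=$1 ep=$2 partner=$3 aux=$4 expiry=${5:-} e=""
  [ -z "$expiry" ] || e=" -e $expiry"
  case "$role" in
    ep)      printf '%s/ekm_boot_ep.sh -s %s -p %s -x %s%s\n' "$BIN" "$ep" "$partner" "$aux" "$e" ;;
    partner) printf '%s/ekm_boot_partner.sh -s %s -p %s -x %s%s\n' "$BIN" "$partner" "$ep" "$aux" "$e" ;;
    aux)     printf '%s/ekm_boot_auxiliary.sh -s %s -e %s -p %s\n' "$BIN" "$aux" "$ep" "$partner" ;;
    *)       echo "unknown role: $role" >&2; return 1 ;;
  esac
}
```

Run ekm_check_san_list on the intended -n value first; an entry that is neither an IPv4 address nor a hostname would otherwise end up in a certificate that peers are asked to validate.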