CORE Bootstrapping Scripts User Interface Guide

Bootstrapping Scripts

CORE server bootstrapping prepares the servers to fulfill the assigned role (EP, Partner, Auxiliary, or an Additional Server with the yet undefined role). This section includes:

Bootstrapping scripts for CORE cluster foundation.
Bootstrapping scripts for CORE cluster expansion and its approval.

Important
Start or restart the EKMEnterprise Key Management - previous name of the product. service after running any of the scripts in this section.

ekm_boot_ep

Bootstraps EP server of the CORE cluster foundation.

Note
This script is also used (with the -restore option) in the cluster's restore procedure. See Step 3 - Bootstrap the Restored Pair.

To bootstrap a triplet, also specify the -x <aux> server.
To bootstrap a triplet in FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode, specify the -fips option.
To bypass mutual validation of peer(s) certificate(s), append the -f --force flag.

Syntax:

ekm_boot_ep 
 -s <self – hostname/IP of this server>[:<port>]  		 
 -p <paired server – hostname/IP of the partner [:<port>]>	
[-x <auxiliary – hostname/IP of the aux server [:<port>]]>  // triplet bootstrap 	 
 -w <the password of the root SO>		 	    // See note below. 
[-n <CSV list of EP hostnames and IP addresses>]
[-e <expiry of the root CA certificate in years>] 	     // default:8 years

[--force -f] // bypass manual validation of certificates

[-fips] 			// enable FIPS mode. Requires -x <Aux>
[-restore]                     // reuse the existing database

[-externaldb] // use External CORE database

See the description of these and additional parameters in Appendix - Bootstrapping Parameters.

Notes

The password must meet the default complexity and length requirements specified in Password Requirements. The password may be provided using various Inline Password Options.
If the "-e" option is used, the same option must be applied in ekm_boot_partner.
UCLUnbound Command Language availability on EP following the bootstrap:
- Linux: ucl is ready to use.
- Windows: You must configure the embedded CORE client:
  1. Open Client Configuration registry.
  2. Set Servers Setting to the value specified by the -s parameter in the ekm_boot_ep.bat command.

Example.

Bootstrap an EP server of the ep1-partner1 pair:

Linux

sudo /opt/ekm/bin/ekm_boot_ep.sh -s ep1 -p partner1 \
-w <root SO password>

Windows

C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_ep.bat -s ep1 -p partner1 \
-w <root SO password>

ekm_boot_partner

Bootstraps Partner server of the CORE cluster foundation.

Note
The script is also used (with the -restore option) in the cluster's restore procedure. See Step 3 - Bootstrap the Restored Pair.

To bootstrap a triplet, also specify the -x <aux> server.
To bootstrap a triplet in FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode, specify the -fips option.
To bypass mutual validation of peer(s) certificate(s), append the -f --force flag.

Syntax:

ekm_boot_partner
-s <self – hostname/IP of this server [:<port>]>
-p <paired server – hostname/IP of the EP[:<port>]>
[-x <auxiliary – hostname/IP of the auxiliary server [:<port>]>] // triplet bootstrap
[-e <expiry of the root CA certificate in years>] // default: 8 years

[--force -f]                              // bypass manual validation of certificates

[-fips] 			// enable FIPS mode. Requires -x <Aux>
[-restore]                     // reuse the existing database

[-externaldb] // use External CORE database

See the description of these and additional parameters in Appendix - Bootstrapping Parameters.

Notes

The -p parameter specifies the "paired" server. In this case, it is ep1.
If the "-e" option is used, the same option must be applied in ekm_boot_ep.

Example.

Bootstrap a Partner server of the ep1-partner1 pair:

Note
The -p parameter specifies the "paired" server. In this case, it is ep1.

Linux

sudo /opt/ekm/bin/ekm_boot_partner.sh -s partner1 -p ep1

Windows

C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_partner.bat -s partner1 -p ep1

ekm_boot_auxiliary

Applicable only when bootstrapping a triplet.

To bootstrap a triplet in FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode, specify the -fips option.
To bypass mutual validation of peer(s) certificate(s), append the -f --force flag.

Syntax:

ekm_boot_auxiliary
-s <self – hostname/IP of this server [:<port>]>
-e <the EP server's hostname/IP [:<port>]>
-p <the Partner server's hostname/IP [:<port>]>

[--force -f] // bypass manual validation of certificates

[-fips] 			// enable FIPS mode. Requires -x <Aux>
[-restore]                     // reuse the existing database

Note
The -p parameter specifies the "partner" server. In this case, it is partner1.

Linux

sudo /opt/ekm/bin/ekm_boot_auxiliary.sh -s aux1 -e ep1 -p partner1

Windows

C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_auxiliary.bat -s aux1 \
-e ep1 -p partner1

ekm_boot_additional_server

Prepares (bootstraps) a CORE server without specifying its role. The corresponding Cluster Scale-out procedure assigns to the server its role in the cluster (EP, Partner, or Auxiliary server).

Syntax:

ekm_boot_additional_server
-s <hostname/IP> [:<port>]> // self – hostname/IP of this server. Default port: 443

[-fips] // prepare for use in a system running in FIPS mode

Example:

Linux

sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s myname

Windows

C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_additional_server.bat \
-s myname

ekm_set_allowed_server

Activates or deactivates the approval to add a new partner server to the cluster. By default, this feature is deactivated - the cluster could be expanded by a single person with the Root SOSecurity officer - UKC partition administrator role. privileges.

This script must be executed on one of the active Partner servers.

Syntax:

ekm_set_allowed_server  
 -f <0|1>          // 1 - activate the approval. 0 - deactivate (default).

[-s,--self <arg>]  // self – hostname/IP of this server. 
[-o <port>] 	    // self Bootstrap-Port. Default: 443

Example:

sudo /opt/ekm/bin/ekm_set_allowed_server.sh -f 1

ekm_add_allowed_server

Adds the specified server to the list of approved Partner servers.

This script must be executed on one of the active Partner servers.

Syntax:

ekm_add_allowed_server
 -s <URL of the candidate server>
[-c <the candidite's certificate file>]// must certify the identify of the URL.

[-s,--self <arg>] 			// self – hostname/IP of this server. 
[-o <port>] 				// self Bootstrap-Port. Default: 443

Tip
If the -c option is omitted the script attempts to retrieve the certificate from the specified server. In this case, it is assumed that the specified server:
- Is running the EKMEnterprise Key Management - previous name of the product. Service as specified in EKM Service Management.
- Has performed the ekm_boot_additional_server step.

Appendix - Bootstrapping Parameters

All ekm_boot_xxx scripts call the Java ekmconfig.jar, passing CLICommand Line Interface parameters and arguments embedded in the script. In particular:

Use the --restore flag when bootstrapping the cluster foundation servers after restoring its database.
Use the -a and -t parameters to extend the permitted gap between scripts when bootstrapping the foundation servers.

Parameter	Description
`-s<host>[:<port>]`	Self – hostname or IP of this server. It will be included in the SANSubject Alternative Names - Certificate field with a list of IP addresses. field of the server's certificate in addition to names obtained from the OS. [:<port>] - optionally followed by TCP/IP port number used to access this server from other servers in the cluster.
`-p<host>[:<port>]`	Paired server – hostname or IP of the other server in the EP-Partner pair. Must appear in the SANSubject Alternative Names - Certificate field with a list of IP addresses. field of the paired server's certificate. [:<port>] - optionally followed by TCP/IP port number used to access this server from other servers in the cluster.
`-x<host>[:<port>]`	Auxiliary server – hostname or IP of the auxiliary server paired with the EP and its Partner servers. [:<port>] - optionally followed by TCP/IP port number used to access this server from other servers in the cluster.
`-n`	A CSVComma Separated Values list of alternative hostnames and IP addresses. This list parsed and stored in the EP `/etc/ekm/ssl/cert.crt` certificate's `Subject Alternative Names` field as follows: - Valid IP addresses are stored and tagged with the `"IP Address ="` tag. - Valid hostname strings are stored and tagged with the `"DNS Name="` tag. To update this list after deploying the system, use ekm_renew_server_certificate.
`-fips`	This flag indicates that the server is designated for a system operating in FIPSFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode.
`-f`	Force – run without the need for user approval of the presented self-signed certificates.
`-externaldb`	Bootstrap expects DB configuration file(s) to be present on the server. See
`-restore`	Reuse (do not overwrite) the existing CORE database. Applicable in `ekm_boot_ep` and `ekm_boot_partner` scripts only.
`-e`	This parameter is context-specific: In `ekm_boot_ep` and `ekm_boot_partner` scripts it indicates the expiry period (longevity) of the `root CA certificate`. See Certificate Validity and Renewal. Default: 8 yearsFor any time interval setting in years, 1 year is converted to 365 days. To use this option, apply the same value in `ekm_boot_ep` and `ekm_boot_partner` scripts. In `ekm_boot_auxiliary` it indicates the EP.
`-w`	The initial password for the root partition SOSecurity officer - UKC partition administrator role.. See Inline Password Options. Mandatory and applicable in the `ekm_boot_ep` script only.
`-a`	Attempts – the number of handshake attempts between the paired servers (default = 2000).
`-t`	Timeout – the duration of a pause between each attempt (default = one second).