Bootstrapping Scripts

CORE server bootstrapping prepares the servers to fulfill the assigned role (EP, Partner, Auxiliary, or an Additional Server whose role is not yet defined). This section includes:

  • Bootstrapping scripts for CORE cluster foundation.
  • Bootstrapping scripts for CORE cluster expansion and its approval.

Important
Start or restart the EKM (Enterprise Key Management, the previous name of the product) service after running any of the scripts in this section.

ekm_boot_ep

Bootstraps EP server of the CORE cluster foundation.

Note
This script is also used (with the -restore option) in the cluster's restore procedure. See Step 3 - Bootstrap the Restored Pair.

Syntax:

ekm_boot_ep
-s <self – hostname/IP of this server [:<port>]>
-p <paired server – hostname/IP of the Partner [:<port>]>
[-x <auxiliary – hostname/IP of the Auxiliary server [:<port>]>] // triplet bootstrap
-w <the password of the root SO> // See note below.
[-n <CSV list of EP hostnames and IP addresses>]
[-e <expiry of the root CA certificate in years>] // default: 8 years
[--force -f] // bypass manual validation of certificates
[-fips] // enable FIPS mode. Requires -x <Aux>
[-restore] // reuse the existing database
[-externaldb] // use External CORE database

See the description of these and additional parameters in Appendix - Bootstrapping Parameters.

Notes

Example:

Bootstrap an EP server of the ep1-partner1 pair:

  • Linux
  • sudo /opt/ekm/bin/ekm_boot_ep.sh -s ep1 -p partner1 \
    -w <root SO password>

  • Windows
  • C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_ep.bat -s ep1 -p partner1 \
    -w <root SO password>

ekm_boot_partner

Bootstraps Partner server of the CORE cluster foundation.

Note
The script is also used (with the -restore option) in the cluster's restore procedure. See Step 3 - Bootstrap the Restored Pair.

Syntax:

ekm_boot_partner
-s <self – hostname/IP of this server [:<port>]>
-p <paired server – hostname/IP of the EP[:<port>]>
[-x <auxiliary – hostname/IP of the auxiliary server [:<port>]>] // triplet bootstrap
[-e <expiry of the root CA certificate in years>] // default: 8 years

[--force -f] // bypass manual validation of certificates
[-fips] // enable FIPS mode. Requires -x <Aux>
[-restore] // reuse the existing database
[-externaldb] // use External CORE database

See the description of these and additional parameters in Appendix - Bootstrapping Parameters.

Notes

  • The -p parameter specifies the "paired" server. In this case, it is ep1.
  • If the "-e" option is used, the same option must be applied in ekm_boot_ep.

Example:

Bootstrap a Partner server of the ep1-partner1 pair:

  • Linux
  • sudo /opt/ekm/bin/ekm_boot_partner.sh -s partner1 -p ep1

  • Windows
  • C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_partner.bat -s partner1 -p ep1

ekm_boot_auxiliary

Bootstraps the Auxiliary server of the CORE cluster foundation. Applicable only when bootstrapping a triplet.

Syntax:

ekm_boot_auxiliary
-s <self – hostname/IP of this server [:<port>]>
-e <the EP server's hostname/IP [:<port>]>
-p <the Partner server's hostname/IP [:<port>]>

[--force -f] // bypass manual validation of certificates
[-fips] // enable FIPS mode
[-restore] // reuse the existing database

Note
The -p parameter specifies the "partner" server. In this case, it is partner1.

Example:

  • Linux
  • sudo /opt/ekm/bin/ekm_boot_auxiliary.sh -s aux1 -e ep1 -p partner1

  • Windows
  • C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_auxiliary.bat -s aux1 \
    -e ep1 -p partner1

ekm_boot_additional_server

Prepares (bootstraps) a CORE server without specifying its role. The corresponding Cluster Scale-out procedure assigns to the server its role in the cluster (EP, Partner, or Auxiliary server).

Syntax:

ekm_boot_additional_server
-s <self – hostname/IP of this server [:<port>]> // Default port: 443

[-fips] // prepare for use in a system running in FIPS mode

Example:

  • Linux
  • sudo /opt/ekm/bin/ekm_boot_additional_server.sh -s myname

  • Windows
  • C:\Progra~1\Dyadic\ekm\tomcat\bin\ekm_boot_additional_server.bat \
    -s myname

ekm_set_allowed_server

Activates or deactivates the approval requirement for adding a new Partner server to the cluster. By default, this feature is deactivated: the cluster can be expanded by a single person holding Root SO (Security Officer, the UKC partition administrator role) privileges.

This script must be executed on one of the active Partner servers.

Syntax:

ekm_set_allowed_server -f <0|1> // 1 - activate the approval. 0 - deactivate (default).
[-s,--self <arg>] // self – hostname/IP of this server.
[-o <port>] // self Bootstrap-Port. Default: 443

Example:

sudo /opt/ekm/bin/ekm_set_allowed_server.sh -f 1

ekm_add_allowed_server

Adds the specified server to the list of approved Partner servers.

This script must be executed on one of the active Partner servers.

Syntax:

ekm_add_allowed_server -s <URL of the candidate server> [-c <the candidate's certificate file>] // must certify the identity of the URL.
[-s,--self <arg>] // self – hostname/IP of this server.
[-o <port>] // self Bootstrap-Port. Default: 443

Tip
If the -c option is omitted, the script attempts to retrieve the certificate from the specified server. In this case, it is assumed that the specified server:
- Is running the EKM service as specified in EKM Service Management.
- Has performed the ekm_boot_additional_server step.

Appendix - Bootstrapping Parameters

All ekm_boot_xxx scripts call the Java ekmconfig.jar, passing CLI (command line interface) parameters and arguments embedded in the script. In particular:

  • Use the --restore flag when bootstrapping the cluster foundation servers after restoring its database.
  • Use the -a and -t parameters to extend the permitted gap between scripts when bootstrapping the foundation servers.
Parameter - Description

-s <host>[:<port>]

Self – hostname or IP of this server. It is included in the SAN (Subject Alternative Names) field of the server's certificate in addition to the names obtained from the OS.

[:<port>] - optionally followed by the TCP/IP port number used to access this server from other servers in the cluster.

-p <host>[:<port>]

Paired server – hostname or IP of the other server in the EP-Partner pair. Must appear in the SAN (Subject Alternative Names) field of the paired server's certificate.

[:<port>] - optionally followed by the TCP/IP port number used to access this server from other servers in the cluster.

-x <host>[:<port>]

Auxiliary server – hostname or IP of the auxiliary server paired with the EP and its Partner servers.

[:<port>] - optionally followed by the TCP/IP port number used to access this server from other servers in the cluster.

-n

A CSV (comma-separated values) list of alternative hostnames and IP addresses. This list is parsed and stored in the Subject Alternative Names field of the EP certificate /etc/ekm/ssl/cert.crt as follows:

- Valid IP addresses are stored and tagged with the "IP Address =" tag.

- Valid hostname strings are stored and tagged with the "DNS Name=" tag.

To update this list after deploying the system, use ekm_renew_server_certificate.
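As an added illustration (not one of the product's ekm_boot_* scripts), the POSIX shell snippet below applies the classification just described to a -n style CSV list, tagging valid IPv4 addresses "IP Address =" and valid hostnames "DNS Name=" and dropping anything else, and then offers a post-bootstrap check that every listed name actually appears in the subjectAltName of the deployed certificate. The sample list, the IPv4-only address check and the use of openssl are assumptions of this example; the certificate path defaults to the EP path given above.

```shell
#!/bin/sh
# Added example, not part of the product's ekm_boot_* scripts.
# Mirrors the -n handling described on the page: split the CSV list, tag
# valid IP addresses "IP Address =" and valid hostnames "DNS Name=", and
# drop anything else. IPv6 is not handled here (assumption of the example).

# classify_san_entry VALUE
# Prints the tagged SAN entry for VALUE; returns 1 if VALUE is neither a
# valid IPv4 address nor a syntactically valid hostname.
classify_san_entry() {
  v=$1
  # Four dotted decimal groups: treat as an IPv4 candidate and range-check
  # each octet, so that e.g. 300.1.1.1 is rejected instead of falling
  # through to the hostname branch.
  if printf '%s' "$v" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    ok=1
    for octet in $(printf '%s' "$v" | tr '.' ' '); do
      [ "$octet" -le 255 ] || ok=0
    done
    if [ "$ok" -eq 1 ]; then
      printf 'IP Address =%s\n' "$v"
      return 0
    fi
    return 1
  fi
  # Hostname: dot-separated labels of letters, digits and inner hyphens.
  if printf '%s' "$v" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'; then
    printf 'DNS Name=%s\n' "$v"
    return 0
  fi
  return 1
}

# san_list_from_csv "a,b,c"
# One tagged SAN entry per line, in input order; invalid entries are skipped.
san_list_from_csv() {
  printf '%s\n' "$1" | tr ',' '\n' | while read -r entry; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    if [ -n "$entry" ]; then
      classify_san_entry "$entry" || true
    fi
  done
  return 0
}

# check_cert_san "a,b,c" [CERT_FILE]
# Post-bootstrap check: every name in the list must appear in the
# certificate's subjectAltName. Defaults to the EP certificate path named on
# the page; requires openssl and is not exercised by the offline test.
check_cert_san() {
  list=$1
  cert=${2:-/etc/ekm/ssl/cert.crt}
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || {
    echo "cannot read subjectAltName from $cert" >&2
    return 2
  }
  missing=0
  old_ifs=$IFS
  IFS=','
  for entry in $list; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    [ -n "$entry" ] || continue
    # openssl prints "DNS:ep1, IP Address:10.0.0.1"; match whole entries only.
    if ! printf '%s,' "$san" | grep -Fq ":$entry,"; then
      echo "missing from SAN: $entry" >&2
      missing=$((missing + 1))
    fi
  done
  IFS=$old_ifs
  [ "$missing" -eq 0 ]
}

# Constructed sample list, as it might be passed to ekm_boot_ep -n.
# Prints three tagged lines; 300.1.1.1 and "bad name!" are dropped.
SAMPLE_LIST='ep1,ep1.example.com,10.0.0.1,300.1.1.1,bad name!'
san_list_from_csv "$SAMPLE_LIST"
```

Run check_cert_san with the same list (and, on a non-default path, the certificate file) after the bootstrap has completed and the service has been started; a non-zero return with "missing from SAN" lines on stderr means a name from the -n list did not make it into the certificate and ekm_renew_server_certificate is needed.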

-fips

This flag indicates that the server is designated for a system operating in FIPS (Federal Information Processing Standards) mode.

-f

Force – run without requiring user approval of the presented self-signed certificates.

-externaldb

Bootstrap expects the DB configuration file(s) to be present on the server. See

-restore

Reuse (do not overwrite) the existing CORE database.

Applicable in the ekm_boot_ep and ekm_boot_partner scripts only.

-e

This parameter is context-specific:

  • In ekm_boot_ep and ekm_boot_partner it sets the expiry of the root CA certificate in years (default: 8 years); when used, it must be given the same value in both scripts.
  • In ekm_boot_auxiliary it indicates the EP.

-w

The initial password for the root partition SO (Security Officer, the UKC partition administrator role).
See Inline Password Options.

Mandatory and applicable in the ekm_boot_ep script only.

-a

Attempts – the number of handshake attempts between the paired servers (default = 2000).

-t

Timeout – the duration of the pause between attempts (default = one second).