Configuring the quota enforcement server

On each DataPower® Gateway, you can configure the quota enforcement server to store keys and associated metadata. In peer group mode, you must define the connection among peers.

About this task

When you configure the quota enforcement server, you can set the server port and monitor port.
  • The server port communicates with the quota enforcement server.
  • The monitor port listens for operational state changes of the quota enforcement server.
You can specify whether data storage is persisted on the RAID volume or is in-memory. When quota enforcement works in peer group mode, each peer group member must use the same data storage location.
  • For persistent storage, select the raid0 RAID volume.
  • For in-memory storage, do not select the RAID volume. By default, the data storage is in-memory.
When quota enforcement works in peer group mode, all peers must use the same server port and monitor port. In peer group mode, you configure the following settings.
  • The IP address that other peers use to connect to this DataPower Gateway. The IP address can be the IP address on any DataPower network interface and must be accessible by other peers in the peer group. The IP address cannot be for all addresses (0.0.0.0 or ::) or loopback addresses (127.0.0.1 or ::1). This IP address uniquely identifies the DataPower Gateway.
  • The IP address or hostname of peers. The DataPower Gateway connects to each peer in the order in which peers are specified in the Peers list.
    • When the DataPower Gateway connects to no peer in the list, this DataPower Gateway is the first active server and joins the peer group as primary.
    • When the DataPower Gateway connects to any peer in the list, it joins the peer group as a replica.

    If you know which DataPower Gateway joined the peer group, you can specify only that DataPower Gateway instead of listing all peers in the Peers list.

  • The priority of the DataPower Gateway. The priority is used to promote a replica as the new primary during failover. The replica with the lowest priority number is promoted. A replica with the priority of 0 can never be promoted.
  • TLS is used to secure connections among the peers. All peers must use the same TLS configuration, which means that the following settings must be the same.
    • State of TLS enablement
    • Key alias
    • Certificate alias
  • Based on your requirements for quota enforcement, decide whether to enable or disable strict mode. All peers must use the same strict mode.
Tip: For any type of IP address, you can use a local host alias instead of a static IP address. A host alias resolves a locally configured alias to a static IP address. Aliasing can help when you move configurations among peers.
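
The peer group rules listed above can be checked against a planned configuration before you apply it. The following is an added example, not IBM code: the dictionary field names, alias names, ports, and addresses are hypothetical or constructed, and only the rules come from this page.

```python
import ipaddress

# Field names are hypothetical labels, not DataPower property names.
SHARED = ("server_port", "monitor_port", "raid_volume", "tls_enabled",
          "key_alias", "cert_alias", "strict_mode")

def check_peer_group(members):
    """Return the rule violations found in a planned peer group."""
    problems = []
    for field in SHARED:  # these settings must match on every peer
        if len({m.get(field) for m in members}) > 1:
            problems.append(f"{field} differs across peers")
    owner = {}
    for m in members:
        name, local = m["name"], m["ip"]
        try:
            addr = ipaddress.ip_address(local)
            if addr.is_unspecified or addr.is_loopback:
                problems.append(f"{name}: local address {local} not allowed")
        except ValueError:
            pass  # a host alias resolves on the gateway; not checkable here
        if local in owner:
            problems.append(f"{name}: {local} already identifies {owner[local]}")
        owner[local] = name
        if local in m["peers"]:
            problems.append(f"{name}: Peers list includes its own address")
        if not m.get("password_alias"):
            problems.append(f"{name}: system default password (CVE-2022-31776)")
    return problems

def next_primary(replicas):
    """Failover rule: lowest priority number wins; priority 0 is never promoted."""
    eligible = [m for m in replicas if m["priority"] != 0]
    # Tie-breaking is not described on the page; min() keeps the first listed.
    return min(eligible, key=lambda m: m["priority"])["name"] if eligible else None

# Constructed sample plan (documentation addresses, made-up ports and aliases).
BASE = dict(server_port=7100, monitor_port=7101, raid_volume=None,
            tls_enabled=True, key_alias="qes-key", cert_alias="qes-cert",
            strict_mode=False, password_alias="qes-pw")
PLAN = [
    dict(BASE, name="gw1", ip="192.0.2.11", peers=["192.0.2.12"], priority=100),
    dict(BASE, name="gw2", ip="192.0.2.12", peers=["192.0.2.11"], priority=50),
    dict(BASE, name="gw3", ip="127.0.0.1", peers=["192.0.2.11", "127.0.0.1"],
         priority=0, monitor_port=7102, password_alias=None),
]

if __name__ == "__main__":
    print(*check_peer_group(PLAN), next_primary(PLAN[1:]), sep="\n")
```

In the sample plan, gw3 breaks four rules (mismatched monitor port, loopback address, its own address in the Peers list, no password alias), and gw2 is the replica that would be promoted.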

Procedure

  1. In the search field, enter quota.
  2. From the search results, click Quota enforcement server.
  3. Make sure that the administrative state is enabled. Otherwise, enable the administrative state.
  4. In the Comments field, enter a brief, descriptive summary for the configuration.
  5. Specify the password alias to secure the data store for member communication. If not specified, the system default is used.
    When the configuration uses the system default and you upgrade to 10.5.0.1 or later, a warning message is shown in the GUI. The use of the system default is classified as a security vulnerability (CVE-2022-31776).
  6. Specify the server port.
  7. Specify the monitor port.
  8. Optional: Specify the location of data storage.
  9. When quota enforcement works in peer group mode, enable and define the peer group.
    For the IP address of the DataPower Gateway and peers, you can use a local host alias. In these cases, click Select alias.
    1. Enter the IP address of the DataPower Gateway.
    2. Optional: In the Peers list, specify peers.
      Do not specify the IP address or hostname of this DataPower Gateway.
    3. Specify the priority.
    4. To secure connections among peers, enable TLS and configure the key and certificate.
    5. Optional: Based on your requirements, decide whether to enable or disable strict mode.
  10. Click Apply to save changes to the running configuration.
  11. Click Save to save changes to the persisted configuration.