Adding a standby master server to a cluster

In IBM Security Guardium Key Lifecycle Manager, the high-availability solution is implemented by using a Multi-Master cluster configuration. An IBM Security Guardium Key Lifecycle Manager Multi-Master cluster must contain a primary master server and a standby master server. To set up a Multi-Master environment, add a standby master server to the cluster.

Before you begin

Before you add a standby master server to the cluster, review the considerations and restrictions that are listed in the Requirements and considerations for Multi-Master configuration topic.

About this task

To provide continuous data availability to all the IBM Security Guardium Key Lifecycle Manager instances in a Multi-Master cluster, Db2 high-availability disaster recovery (HADR) configuration is used. Db2 HADR is a database replication feature that provides a high-availability solution. HADR protects against data loss by replicating data changes from a source database, called the primary, to a target database, called the standby. Db2 HADR supports up to three standby databases in your Multi-Master setup.

The server from where you add the first standby master server to a cluster is configured as the primary master server. After the cluster is created with a minimum of one primary and one standby master server, you can add master servers from any of the master servers in the cluster. You can use the graphical user interface or REST interface to add a master server to the cluster. Your role must have the permission to add standby master servers to the Multi-Master cluster.

To add a standby master server to a cluster when another master server in the cluster is out of network or unreachable, you can use the REST interface only. For more information about the REST API, see REST service for adding a master when other master in the cluster is not reachable.

Procedure

  1. Go to the appropriate page or directory.
    Graphical user interface
    1. Log in to the graphical user interface.
    2. On the Welcome page, click Administration > Multi-Master > Masters > Add Master.
    REST interface
    Open a REST client.
  2. Add a standby master server to the cluster.
    Graphical user interface
    1. Click the Basic Properties tab.
    2. On the Basic Properties dialog, specify information for the standby master server that you are adding.
      Host name / IP address: Specify the host name of the IBM Security Guardium Key Lifecycle Manager standby master server that is added to the cluster.
      IBM Security Guardium Key Lifecycle Manager user name: Specify the name of the IBM Security Guardium Key Lifecycle Manager administrator. The administrator name is displayed by default.
      IBM Security Guardium Key Lifecycle Manager password: Specify the password for the IBM Security Guardium Key Lifecycle Manager server administrator.
      WebSphere Application Server user name: Specify the WebSphere Application Server Liberty login user ID for the IBM Security Guardium Key Lifecycle Manager server administrator profile. The WebSphere Application Server Liberty login ID is displayed by default.
      WebSphere Application Server password: Specify the password for the WebSphere Application Server Liberty login user ID.
      UI port: Specify the HTTPS port to access the IBM Security Guardium Key Lifecycle Manager graphical user interface and REST services. The port number is displayed by default.
    3. Click the Advanced Properties tab.
    4. On the Advanced Properties dialog, specify information for the standby master server that you are adding.
      Do you want to set this master as standby database?: Select Yes to add the current instance of IBM Security Guardium Key Lifecycle Manager as a standby master server to the cluster.
      HADR port: Specify the port number for the standby HADR database to communicate with the primary HADR database.
      Standby priority index: Specify the priority index value for the standby database. You can set the priority index to any value in the range 1-3. The standby server with a higher priority index level (lower number) takes precedence over the lower-priority databases for being promoted to primary when the primary database is down.
    5. If you want the primary master server to automatically accept the certificate of the master server that you are adding, select Accept host certificate automatically. Otherwise, import the certificate to the truststore of the primary master server. For instructions, see Importing a client device certificate.
      Note: By default, the certificate is not automatically accepted.
    6. Click Check Prerequisites. The master server performs some checks. For example, it verifies that communication between the standby master server that you are adding and the current primary master server is successful, that the user login credentials are valid, and so on.
    7. Click Add.
    REST interface
    1. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    2. Run the Check Prerequisites REST Service to ensure that the master server that you want to add meets all requirements and conditions that are defined for IBM Security Guardium Key Lifecycle Manager Multi-Master configuration.
    3. Run the Add Master REST Service. For example:
      POST https://localhost:port/SKLM/rest/v1/ckms/config/nodes/addNodes
      [
      {
      "clusterName" : "multimaster",
      "hadrPort" : "60020"
      },
      {
      "type" : "Standby",
      "ipHostname"   :  "cimkc2b151",
      "httpPort"     :  "9443",
      "sklmUsername" :  "sklmadmin",
      "sklmPassword" :  "your_sklmadmin_password",
      "standbyPriorityIndex" : "1",
      "autoAccept"   : "Yes"
      }
      ]
    The primary master server restarts, and is temporarily unavailable. The status of the Db2 HADR configuration on the graphical user interface might be yellow for some time before it turns green.
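
The following Python sketch is an added example, not IBM code. It builds the Add Master request shown above, enforces the 1-3 priority range and the not-auto-accepted certificate default from this page, and produces a password-masked copy of the body for logging. The helper names, the `Authorization: SKLMAuth userAuthId=...` header format, the `"No"` value for `autoAccept`, and the sample host, port and credentials are assumptions or constructed values.

```python
import json
import urllib.request

ADD_NODES_PATH = "/SKLM/rest/v1/ckms/config/nodes/addNodes"  # path from this page

def build_add_master_body(cluster_name, hadr_port, host, https_port,
                          sklm_user, sklm_password, priority, auto_accept=False):
    """Build the addNodes JSON body, rejecting values outside the documented limits."""
    for name, port in (("hadrPort", hadr_port), ("httpPort", https_port)):
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"{name} is not a valid TCP port: {port}")
    if int(priority) not in (1, 2, 3):  # page: priority index range is 1-3
        raise ValueError("standbyPriorityIndex must be 1, 2 or 3")
    if not host or any(ch.isspace() for ch in host):
        raise ValueError("ipHostname must be a host name or IP address")
    if not sklm_password:
        raise ValueError("empty password; read it from a prompt or secret store")
    return json.dumps([
        {"clusterName": cluster_name, "hadrPort": str(hadr_port)},
        {"type": "Standby", "ipHostname": host, "httpPort": str(https_port),
         "sklmUsername": sklm_user, "sklmPassword": sklm_password,
         "standbyPriorityIndex": str(priority),
         # Default mirrors the page's note: certificates are not auto-accepted.
         # The literal "No" is an assumption; the page only shows "Yes".
         "autoAccept": "Yes" if auto_accept else "No"},
    ])

def build_add_master_request(base_url, user_auth_id, body):
    """Return an unsent POST request; plain HTTP is refused (body holds a password)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must use https")
    req = urllib.request.Request(base_url.rstrip("/") + ADD_NODES_PATH,
                                 data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    # Assumed header format for the identifier obtained in step 1.
    req.add_header("Authorization", f"SKLMAuth userAuthId={user_auth_id}")
    return req

def redact(body):
    """Copy of the body that is safe to log: the administrator password is masked."""
    nodes = json.loads(body)
    for node in nodes:
        if "sklmPassword" in node:
            node["sklmPassword"] = "********"
    return json.dumps(nodes)

if __name__ == "__main__":
    body = build_add_master_body("multimaster", 60020, "cimkc2b151", 9443,
                                 "sklmadmin", "constructed-sample-password", 1)
    req = build_add_master_request("https://localhost:9443", "constructed-auth-id", body)
    print(req.get_method(), req.full_url)
    print(redact(body))
```

Send the request with `urllib.request.urlopen` and a default `ssl.create_default_context()` so that the server certificate is verified, and log only the output of `redact`.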

What to do next

Viewing the configuration status of all master servers