Requirements and considerations for Multi-Master configuration
Before you set up the IBM Security Guardium Key Lifecycle Manager Multi-Master environment, review the following requirements and considerations to ensure a successful configuration.
Operating system and database requirements
- Ensure that the master servers with primary and standby Db2 HADR database host systems have the same operating system version and fix pack levels. The non-HADR master servers can have a different operating system. Note: Support for adding a non-HADR master server to a Multi-Master cluster will be deprecated in later versions of IBM Security Guardium Key Lifecycle Manager. It is recommended that you add an HADR master server to a Multi-Master cluster.
- For a master server that is installed on a Linux® operating system, ensure that the Db2 kernel parameters are set. For more information about the procedure, see Modifying kernel parameters. Here is an example for a computer with 16 GB RAM:
    # Example for a computer with 16 GB RAM
    sysctl -w kernel.msgmni=16384
    sysctl -w kernel.sem="250 1024000 100 4096"
    echo "kernel.msgmni=16384" >>/etc/sysctl.conf
    echo "kernel.sem=250 1024000 100 4096" >>/etc/sysctl.conf
- The IBM Security Guardium Key Lifecycle Manager Multi-Master architecture is based on Db2 High Availability Disaster Recovery (HADR) technology to implement a high-availability solution. Therefore, all Db2 HADR configuration rules and guidelines apply to the IBM Security Guardium Key Lifecycle Manager Multi-Master configuration.
- The Db2 user name and password must be the same on all master servers of the IBM Security Guardium Key Lifecycle Manager Multi-Master cluster.
Port requirements
- Ensure that the agent port (60015) and the HADR port (60030) that are used for Multi-Master configuration are not blocked by the firewall. The default agent port is 60015, which you can update through the UI. The default HADR port is 60030, which is assigned during the Multi-Master setup; it is configurable.
- Ensure that the KMIP, TLS, TCP, and agent ports are not blocked for communication before you set up IBM Security Guardium Key Lifecycle Manager masters for Multi-Master configuration.
- A TCP/IP interface must be available between the primary and standby Db2 HADR database host systems, with dedicated, high-speed, high-capacity network bandwidth.
Other requirements and considerations
- If you want to add an existing IBM Security Guardium Key Lifecycle Manager server to the cluster, use the device group export and import feature. For more information, see Adding an existing IBM Security Guardium Key Lifecycle Manager instance with data to the Multi-Master cluster.
- The IBM Security Guardium Key Lifecycle Manager server that you want to add to a Multi-Master cluster must not contain any data. Adding a server that contains data results in loss of the data that was previously created on it.
- For IBM Security Guardium Key Lifecycle Manager Multi-Master deployment, the cluster must contain a minimum of one primary master server and one standby master server. When you set up a Multi-Master cluster, the server from which you add a master server or standby master server to the cluster becomes the primary master server. You must add at least one standby master server to the cluster before you add other master servers.
- A server certificate must be created in the IBM Security Guardium Key Lifecycle Manager server before you add it to the cluster as the primary master.
- IBM Security Guardium Key Lifecycle Manager Multi-Master cluster supports up to three standby master servers. When you add a standby master server to the cluster, the priority index value must be in the range of 1-3.
- After the Multi-Master cluster is configured, you must avoid running manual backup and restore operations on any of the master servers in the cluster.
- Run the IBM Security Guardium Key Lifecycle Manager Multi-Master configuration operations only from the primary master server of the cluster to avoid any problems.
- Before you add a server that runs the Linux operating system to a cluster, the permissions for the /tmp directory must be set to 777, that is, full read, write, and execute permissions for all users. Also, ensure that the /tmp directory is empty and contains no files (for example, installer logs) from a previously installed IBM Security Guardium Key Lifecycle Manager.
- If you want to configure the Multi-Master cluster to use the external master key store (for example, HSM) to store the master key, you must configure all the master servers in the cluster to use the same external master key store.
- Before you add a master server to the cluster through the migrated system, modify the IBM Security Guardium Key Lifecycle Manager administrator user name and password in the following situations:
    - When users and groups are migrated from a previous version to version 4.2.1 through the cross-migration process.
    - When the IBM Security Guardium Key Lifecycle Manager administrator user name and password are different from the credentials that were specified during the version 4.2.1 installation.
- You cannot remove a standby master server from the Multi-Master cluster if a standby server is down.
- To enable backup of a large amount of data, ensure that the enableHighScaleBackup property is set to true in the SKLMConfig.properties configuration file on every master server.
- If you plan to integrate LDAP with the Multi-Master setup for user authentication, you must configure LDAP on all master servers before you configure the Multi-Master cluster. Ensure that all the master servers use the same LDAP and have the same users as the IBM Security Guardium Key Lifecycle Manager Administrator. Best practice: If you plan to use IBM Security Guardium Key Lifecycle Manager REST services to connect to the IBM Security Guardium Key Lifecycle Manager server for key management operations, integrate with LDAP for user authentication and management.
- The MMConfig.properties file contains the Multi-Master configuration properties. Note: Do not update the configuration file manually.
- Ensure that your computer host name is configured correctly and that the mapping of the IP address (private or public) to the host name is added to the hosts file. For more information, see IP address to hostname mapping.
- Ensure that any new or incoming client device communication certificates appear as pending for acceptance, to allow secure communication between the device and the server. To do so, navigate to the Configuration > Key Serving Parameters page and ensure that the Keep pending client device communication certificates check box is selected.
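An added pre-flight script (not part of the product or this documentation) that checks the Linux requirements listed above before a server joins the cluster: the Db2 kernel parameters from the 16 GB RAM example, the 777 and empty /tmp directory, and TCP reachability of the agent and HADR ports on a peer master. It assumes a Linux host with sysctl and ls, nc for the port check, and a hypothetical peer host name passed as the first argument.

```shell
# Added pre-flight check for a Linux master before it joins a Multi-Master cluster.
# Not product code: it only reads settings and changes nothing. Assumes GNU/BusyBox
# ls and sysctl; the port check additionally assumes nc is installed.

REQ_MSGMNI=16384                   # Db2 kernel values from the 16 GB RAM example
REQ_SEM="250 1024000 100 4096"
AGENT_PORT=60015                   # default agent port
HADR_PORT=60030                    # default HADR port

# sem_ok "actual kernel.sem": 0 when each of the four fields >= the required one.
sem_ok() {
    set -- $1 $REQ_SEM             # $1..$4 actual, $5..$8 required
    [ $# -eq 8 ] || return 1
    [ "$1" -ge "$5" ] && [ "$2" -ge "$6" ] && [ "$3" -ge "$7" ] && [ "$4" -ge "$8" ]
}

# tmp_ok DIR: 0 when DIR grants rwx to everyone (the page's 777) and is empty.
# Only the rwx bits are inspected, so the usual sticky bit on /tmp (drwxrwxrwt)
# still passes; leftover files such as installer logs fail the check.
tmp_ok() {
    [ -d "$1" ] || return 1
    case $(ls -ld "$1" | cut -c2-10) in
        rwxrwxrw[xt]) ;;
        *) return 1 ;;
    esac
    [ -z "$(ls -A "$1")" ]
}

# port_open HOST PORT: 0 when a TCP connection succeeds, 2 when nc is missing.
port_open() {
    command -v nc >/dev/null 2>&1 || return 2
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# preflight PEER_HOST: run all checks on this host and against the peer; 0 when all pass.
preflight() {
    rc=0
    msgmni=$(sysctl -n kernel.msgmni 2>/dev/null || echo 0)
    [ "$msgmni" -ge "$REQ_MSGMNI" ] || { echo "FAIL kernel.msgmni=$msgmni (need $REQ_MSGMNI)"; rc=1; }
    sem_ok "$(sysctl -n kernel.sem 2>/dev/null)" || { echo "FAIL kernel.sem (need $REQ_SEM)"; rc=1; }
    tmp_ok /tmp || { echo "FAIL /tmp must be 777 and empty"; rc=1; }
    for p in $AGENT_PORT $HADR_PORT; do
        port_open "$1" "$p" || { echo "FAIL $1:$p not reachable (firewall?)"; rc=1; }
    done
    [ $rc -eq 0 ] && echo "ok   all pre-flight checks passed"
    return $rc
}
```

Run it as `sh preflight.sh <peer-host>` on each master before you add it; every FAIL line corresponds to one requirement in the lists above.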