Requirements and considerations for Multi-Master configuration
Before you set up an IBM Guardium Key Lifecycle Manager Multi-Master environment, review the requirements and considerations to ensure a successful configuration.
Operating system and database requirements
- Ensure that the master servers with primary and standby Db2 HADR database host systems have the same operating system version and fix pack levels.
- For a master server that is installed on a Linux® operating system, ensure that the Db2 kernel parameters are set. The following example is for a computer with 16 GB RAM. For more information about the procedure, see Modifying kernel parameters.
    # Example for a computer with 16 GB RAM
    sysctl -w kernel.msgmni=16384
    sysctl -w kernel.sem="250 1024000 100 4096"
    echo "kernel.msgmni=16384" >>/etc/sysctl.conf
    echo "kernel.sem=250 1024000 100 4096" >>/etc/sysctl.conf
- IBM Guardium Key Lifecycle Manager Multi-Master architecture is based on Db2 High Availability Disaster Recovery (HADR) technology to implement a high-availability solution. Therefore, all the Db2 HADR configuration rules and guidelines apply to IBM Guardium Key Lifecycle Manager Multi-Master configuration.
- The Db2 user name and password must be the same on all the master servers of the IBM Guardium Key Lifecycle Manager Multi-Master cluster.
Port requirements
- Ensure that the agent port (60015) and HADR port (60030) that are used for Multi-Master configuration are not blocked by the firewall. The default agent port is 60015, which you can update through the UI. The default HADR port is 60030, which is assigned during the Multi-Master setup and is configurable.
- Ensure that the KMIP, TLS, TCP, and agent ports are not blocked for communication before you set up IBM Guardium Key Lifecycle Manager masters for Multi-Master configuration.
- A TCP/IP interface must be available between primary and standby Db2 HADR database host systems with a dedicated, high speed, and high capacity network bandwidth.
Other requirements and considerations
- If you want to add an existing IBM Guardium Key Lifecycle Manager server to the cluster, use the endpoint export and import feature. For more information, see Adding an existing IBM Guardium Key Lifecycle Manager instance with data to the Multi-Master cluster.
- The IBM Guardium Key Lifecycle Manager server that you want to add to a Multi-Master cluster must not contain any data. Adding a server that contains data results in the loss of that previously created data.
- For IBM Guardium Key Lifecycle Manager Multi-Master deployment, the cluster must contain a minimum of one primary master server and one standby master server. When you set up a Multi-Master cluster, the server from which you add a master server or standby master server to the cluster becomes the primary master server. Add at least one standby master server to the cluster before you add other master servers.
- A server certificate must be created in the IBM Guardium Key Lifecycle Manager server before you add it to the cluster as the primary master.
- IBM Guardium Key Lifecycle Manager Multi-Master cluster supports up to three standby master servers. When you add a standby master server to the cluster, the priority index value must be in the range of 1-3.
- After the Multi-Master cluster is configured, you must avoid running manual backup and restore operations on any of the master servers in the cluster.
- Run the IBM Guardium Key Lifecycle Manager Multi-Master configuration operations only from the primary master server of the cluster to avoid any problems.
- Before you add a server that runs the Linux operating system to a cluster, the permissions for the /tmp directory must be set to 777, that is, full read, write, and execute permissions. Also, ensure that the /tmp directory is empty and contains no files (for example, installer logs) from a previously installed IBM Guardium Key Lifecycle Manager.
- If you want to configure the Multi-Master cluster to use the external master key store (for example, HSM) to store the master key, you must configure all the master servers in the cluster to use the same external master key store.
- Before you add a master server to the cluster through the migrated system, modify the IBM Guardium Key Lifecycle Manager administrator user name and password in the following situations:
  - When users and groups are migrated from a previous version to version 5.0 through the cross-migration process.
  - When the IBM Guardium Key Lifecycle Manager administrator user name and password are different from the credentials that were specified during the version 5.0 installation.
- You cannot remove a standby master server from the Multi-Master cluster if a standby server is down.
- To enable backup of a large amount of data, ensure that the enableHighScaleBackup property is set to true in the SKLMConfig.properties configuration file on every master server.
- If you plan to integrate LDAP with the Multi-Master setup for user authentication, you must configure LDAP on all master servers before configuring the Multi-Master cluster. Ensure that all the master servers use the same LDAP and have the same users as the IBM Guardium Key Lifecycle Manager administrator. Best practice: If you plan to use IBM Guardium Key Lifecycle Manager REST services to connect to the IBM Guardium Key Lifecycle Manager server for key management operations, integrate with LDAP for user authentication and management.
- The MMConfig.properties file contains the Multi-Master configuration properties. Note: Do not update the configuration file manually.
- Ensure that your computer host name is configured correctly and that the mapping of the IP address (private or public) to the host name is added to the hosts file. For more information, see IP address to hostname mapping.
- Ensure that any new or incoming encryption endpoint certificates appear as pending for acceptance to allow secure communication between the endpoint and the server. To do so, click the main menu icon and navigate to the Configuration > Key serving parameters page. Make sure that the Keep pending encryption endpoint certificates option is set to On.
- Run the following steps before you set up Multi-Master on an AIX operating system.
  - Open a terminal window.
  - Run the following command to connect to the Db2 instance.
        db2 connect to <Db2 instance name> user root using <root password>
    Example:
        db2 connect to klmdb50 user root using rtpassword
  - Run the following command to grant execute permission on the mon_get_hadr table function.
        db2 "GRANT EXECUTE ON FUNCTION SYSPROC.mon_get_hadr to user <db user name>"
    Example:
        db2 "GRANT EXECUTE ON FUNCTION SYSPROC.mon_get_hadr to user klmdb50"
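A pre-flight script that checks the Linux-side requirements listed above before a master joins the cluster: /tmp permissions and emptiness, the 16 GB Db2 kernel parameter example, enableHighScaleBackup in SKLMConfig.properties, the hosts file mapping, and reachability of the agent and HADR ports on a peer master. This is an added example, not IBM's own tooling; the SKLM_CONFIG variable, the peer host name argument and the check function names are assumptions.

```shell
#!/bin/bash
# Pre-flight checks for a GKLM Multi-Master master server. Added example, not IBM's own
# tooling; the peer host name and the SKLMConfig.properties path are supplied by the caller.
AGENT_PORT=60015   # default agent port (configurable in the UI)
HADR_PORT=60030    # default HADR port (assigned during Multi-Master setup)

# /tmp must be mode 777 and empty before a Linux server joins the cluster.
# Accepting the sticky-bit form 1777 is an assumption; the requirement states 777.
check_tmp_dir() {                            # arg: directory
    local dir="$1" mode
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo "FAIL: cannot stat $dir"; return 1; }
    case "$mode" in 777|1777) ;; *) echo "FAIL: $dir mode is $mode, expected 777"; return 1 ;; esac
    [ -z "$(ls -A "$dir")" ] || { echo "FAIL: $dir is not empty"; return 1; }
    echo "OK: $dir is 777 and empty"
}

# Db2 kernel parameters must be at least the 16 GB example values (larger hosts need more).
kernel_params_ok() {                         # args: kernel.msgmni, kernel.sem as sysctl prints it
    local msgmni="$1"
    set -- $2                                # split kernel.sem into SEMMSL SEMMNS SEMOPM SEMMNI
    [ "$#" -eq 4 ] && [ "$msgmni" -ge 16384 ] && [ "$1" -ge 250 ] &&
        [ "$2" -ge 1024000 ] && [ "$3" -ge 100 ] && [ "$4" -ge 4096 ]
}

# enableHighScaleBackup=true must be set in SKLMConfig.properties on every master.
check_high_scale_backup() {                  # arg: path to SKLMConfig.properties
    grep -Eq '^[[:space:]]*enableHighScaleBackup[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# The hosts file must map this host name to an IP address (uncommented line, any name column).
check_hosts_mapping() {                      # args: hosts file, host name
    grep -Ev '^[[:space:]]*#' "$1" | awk -v h="$2" \
        '{ for (i = 2; i <= NF; i++) if ($i == h) found = 1 } END { exit found ? 0 : 1 }'
}

# The agent and HADR ports must be reachable on the peer master, i.e. not blocked by a firewall.
check_port_open() {                          # args: host, port
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

run_preflight() {                            # arg: peer master host name (assumed, caller-supplied)
    local peer="${1:?peer master host name}" rc=0
    check_tmp_dir /tmp || rc=1
    kernel_params_ok "$(sysctl -n kernel.msgmni)" "$(sysctl -n kernel.sem)" || { echo "FAIL: Db2 kernel parameters"; rc=1; }
    check_high_scale_backup "${SKLM_CONFIG:?set SKLM_CONFIG to the SKLMConfig.properties path}" || rc=1
    check_hosts_mapping /etc/hosts "$(hostname)" || { echo "FAIL: $(hostname) not in /etc/hosts"; rc=1; }
    for p in "$AGENT_PORT" "$HADR_PORT"; do
        check_port_open "$peer" "$p" || { echo "FAIL: $peer:$p unreachable"; rc=1; }
    done
    return "$rc"
}
```

Run it as `SKLM_CONFIG=/path/to/SKLMConfig.properties ./preflight.sh peer-master-host` on each master before adding it to the cluster; a non-zero exit means at least one requirement failed.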