Requirements and considerations for Multi-Master configuration

Before you set up an IBM® Security Guardium® Key Lifecycle Manager Multi-Master environment, review the following requirements and considerations to ensure a successful configuration.

Operating system and database requirements

  • Ensure that the master servers that host the primary and standby Db2® HADR databases have the same operating system version and fix pack level. The other (non-HADR) master servers can run a different operating system.
  • For a master server that is installed on a Linux® operating system, ensure that the Db2 kernel parameters are set. Here is an example for a computer with 16 GB RAM:
    #Example for a computer with 16 GB RAM 
    sysctl -w kernel.msgmni=16384
    sysctl -w kernel.sem="250 1024000 100 4096"
    echo "kernel.msgmni=16384" >>/etc/sysctl.conf 
    echo "kernel.sem=250 1024000 100 4096" >>/etc/sysctl.conf
    For more information about the procedure, see Modifying kernel parameters.
  • The IBM Security Guardium Key Lifecycle Manager Multi-Master architecture is based on Db2 High Availability Disaster Recovery (HADR) technology to implement a high-availability solution. Therefore, all Db2 HADR configuration rules and guidelines apply to the IBM Security Guardium Key Lifecycle Manager Multi-Master configuration.
  • The Db2 user name and password must be the same on all master servers of the IBM Security Guardium Key Lifecycle Manager Multi-Master cluster.

Port requirements

  • Ensure that the agent port (default 60015) and the HADR port (default 60028) that are used for the Multi-Master configuration are not blocked by a firewall on any master server.

    The agent port can be changed through the UI. The HADR port is assigned during the Multi-Master setup and is also configurable. If you change either default, open the new port instead.

  • Ensure that the KMIP, TLS, TCP, and agent ports are not blocked for communication before you set up IBM Security Guardium Key Lifecycle Manager masters for Multi-Master configuration.
  • A TCP/IP interface must be available between the primary and standby Db2 HADR database host systems, with dedicated, high-speed, high-capacity network bandwidth.

Other requirements and considerations

  • If you want to add an existing IBM Security Guardium Key Lifecycle Manager server that already contains data to the cluster, move its data with the device group export and import feature. For more information, see Adding an existing IBM Security Guardium Key Lifecycle Manager instance with data to the Multi-Master cluster.
  • Otherwise, the IBM Security Guardium Key Lifecycle Manager server that you add to a Multi-Master cluster must not contain any data. If you add a server that contains data, the data that was previously created on that server is lost.
  • For an IBM Security Guardium Key Lifecycle Manager Multi-Master deployment, the cluster must contain at least one primary master server and one standby master server. When you set up a Multi-Master cluster, the server from which you add a master server or standby master server to the cluster becomes the primary master server. You must add at least one standby master server to the cluster before you add any other master servers.
  • A server certificate must be created on the IBM Security Guardium Key Lifecycle Manager server before you add it to the cluster as the primary master.
  • IBM Security Guardium Key Lifecycle Manager Multi-Master cluster supports up to three standby master servers. When you add a standby master server to the cluster, the priority index value must be in the range of 1-3.
  • After the Multi-Master cluster is configured, you must avoid running manual backup and restore operations on any of the master servers in the cluster.
  • Run the IBM Security Guardium Key Lifecycle Manager Multi-Master configuration operations only from the primary master server of the cluster to avoid any problems.
  • Before you add a server that runs the Linux operating system to a cluster, the permissions for the /tmp directory must be set to 777, that is, read, write, and execute permissions for the owner, the group, and all other users.

    Also, ensure that the /tmp directory is empty and contains no files (for example, installer logs) from a previous IBM Security Guardium Key Lifecycle Manager installation.

  • If you want to configure the Multi-Master cluster to use HSM to store the master key, you must configure all the master servers in the cluster to use the same HSM.
  • Before you add a master server that was migrated from a previous version to the cluster, change the IBM Security Guardium Key Lifecycle Manager administrator user name and password in the following situations:
    1. Users and groups were migrated from the previous version to version 4.1 through the cross-migration process.
    2. The IBM Security Guardium Key Lifecycle Manager administrator user name and password differ from the credentials that were specified during the version 4.1 installation.
  • You cannot remove a standby master server from the Multi-Master cluster if a standby server is down.
  • To enable backup of a large amount of data, ensure that the enableHighScaleBackup property is set to true in the SKLMConfig.properties configuration file on every master server.
  • If you plan to integrate LDAP with the Multi-Master setup for user authentication, configure LDAP on all master servers before you configure the Multi-Master cluster. Ensure that all master servers use the same LDAP directory and define the same users as IBM Security Guardium Key Lifecycle Manager Administrator.
    Best practice: If you plan to use IBM Security Guardium Key Lifecycle Manager REST services to connect to the IBM Security Guardium Key Lifecycle Manager server for key management operations, integrate with LDAP for user authentication and management.
  • The MMConfig.properties file contains the Multi-Master configuration properties.
    Note: Do not update the configuration file manually.
  • Ensure that any new or incoming client device communication certificates appear as pending for acceptance to allow secure communication between the device and the server. To do so, navigate to Configuration > Key Serving Parameters page and ensure that Keep pending client device communication certificates check box is selected.
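The following pre-flight script is an added example for the Linux requirements on this page (the Db2 kernel parameters and the /tmp directory); it is not IBM tooling and does not come from the product documentation. It assumes GNU sed and stat (a Linux master server), treats the 16 GB example values above as minimums (tune them for your RAM per the Db2 documentation), and, as an assumption of this example, accepts mode 1777 on /tmp as satisfying the 777 requirement: 1777 is the usual Linux default and still grants read, write, and execute to every user; the sticky bit only stops users from deleting each other's files. The persist helper also fixes a small hazard in the echo commands shown earlier: appending to /etc/sysctl.conf on every run leaves duplicate entries, so this version replaces an existing line instead.

```shell
#!/bin/sh
# Pre-flight check for the Linux requirements on this page. Added example, not
# IBM tooling. Assumptions: GNU sed/stat (Linux), the page's 16 GB example
# values are treated as minimums, and mode 1777 on /tmp (777 plus the sticky
# bit, the Linux default) is accepted as satisfying the 777 requirement.

REQ_MSGMNI=16384
REQ_SEM="250 1024000 100 4096"   # SEMMSL SEMMNS SEMOPM SEMMNI

# check_msgmni CURRENT: succeed if CURRENT >= REQ_MSGMNI (empty counts as 0).
check_msgmni() {
    [ "${1:-0}" -ge "$REQ_MSGMNI" ]
}

# check_sem "SEMMSL SEMMNS SEMOPM SEMMNI": succeed if every field meets the
# corresponding required field. `sysctl -n kernel.sem` prints them tab-separated,
# which the unquoted word split below handles.
check_sem() {
    set -- $1
    c1=${1:-0}; c2=${2:-0}; c3=${3:-0}; c4=${4:-0}
    set -- $REQ_SEM
    [ "$c1" -ge "$1" ] && [ "$c2" -ge "$2" ] &&
    [ "$c3" -ge "$3" ] && [ "$c4" -ge "$4" ]
}

# set_sysctl_line FILE KEY VALUE: replace an existing "KEY = ..." line or append
# one. Re-running is idempotent, unlike `echo KEY=VALUE >> /etc/sysctl.conf`.
set_sysctl_line() {
    file=$1; key=$2; value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # make the dots literal in the regex
    touch "$file"
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*$esc[[:space:]]*=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# check_tmp DIR: succeed if DIR is mode 777 (or 1777) and contains no entries.
check_tmp() {
    dir=$1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    case $mode in
        777|1777) ;;
        *) echo "$dir: mode $mode, expected 777 (or 1777)" >&2; return 1 ;;
    esac
    # -mindepth 1 excludes the directory itself; head stops after the first entry.
    if [ -n "$(find "$dir" -mindepth 1 2>/dev/null | head -n 1)" ]; then
        echo "$dir: not empty; remove leftover files such as old installer logs" >&2
        return 1
    fi
}

# preflight: run every check against the live system; status 1 if any fails.
preflight() {
    rc=0
    check_msgmni "$(sysctl -n kernel.msgmni 2>/dev/null)" ||
        { echo "kernel.msgmni below $REQ_MSGMNI" >&2; rc=1; }
    check_sem "$(sysctl -n kernel.sem 2>/dev/null)" ||
        { echo "kernel.sem below '$REQ_SEM'" >&2; rc=1; }
    check_tmp /tmp || rc=1
    return $rc
}

# Usage: run the checks; on a real master server, then persist as root and reload:
#   set_sysctl_line /etc/sysctl.conf kernel.msgmni "$REQ_MSGMNI"
#   set_sysctl_line /etc/sysctl.conf kernel.sem "$REQ_SEM"
#   sysctl -p
preflight || echo "pre-flight check failed; fix the items above before you add this server" >&2
```

Run the script on each Linux master before you add it to the cluster. The sysctl values take effect immediately with `sysctl -w` (as in the commands earlier on this page), but only the persisted lines survive a reboot, which matters for HADR hosts that must keep identical settings.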

Change history

Date          Change description
13 Aug 2021   Added a new consideration.
05 Aug 2021   Corrected a command in the example to set kernel parameters.
10 Feb 2021   Added a comment to the Db2 kernel parameters requirement. Refreshed only the English language content.
30 Mar 2020   Initial version.