Requirements and considerations for Multi-Master configuration

Before you set up IBM Security Key Lifecycle Manager Multi-Master environment, review the requirements and considerations to ensure a successful configuration.

  • Ensure that the KMIP, SSL, TCP, and agent ports are not blocked for communication before you set up IBM Security Key Lifecycle Manager masters for Multi-Master configuration.
  • Ensure that the agent port (60015) and HADR port (60025) that are used for multi-master configuration are not blocked by the firewall.

    The default agent port is 60015, which you can change through the UI. The default HADR port is 60025; it is assigned during Multi-Master setup and can be configured.

  • IBM Security Key Lifecycle Manager Multi-Master architecture is based on Db2 High Availability Disaster Recovery (HADR) technology to implement a high-availability solution. Therefore, all Db2 HADR configuration rules and guidelines apply to the IBM Security Key Lifecycle Manager Multi-Master configuration.
  • Ensure that the IBM Security Key Lifecycle Manager masters with primary and standby Db2 HADR database host systems have the same operating system version and fix pack levels.
  • For a master server that is installed on a Linux operating system, ensure that the DB2® kernel parameters are set as follows:
    # Example for a computer with 16 GB RAM
    # Apply the values to the running kernel
    sysctl -w kernel.msgmni=16384
    sysctl -w kernel.sem="250 1024000 100 4096"
    # Persist the values so that they survive a reboot
    echo "kernel.msgmni=16384" >>/etc/sysctl.conf
    echo "kernel.sem=250 1024000 100 4096" >>/etc/sysctl.conf
    For more information about the procedure, see Modifying kernel parameters.
  • The Db2 user name and password must be the same on all the masters of the IBM Security Key Lifecycle Manager Multi-Master cluster.
  • An IBM Security Key Lifecycle Manager instance that you want to add to the Multi-Master cluster must not contain any data. Adding a master server that contains data results in the loss of the data that was previously created on it.
  • A TCP/IP interface must be available between primary and standby Db2 HADR database host systems with a dedicated, high speed, and high capacity network bandwidth.
  • For IBM Security Key Lifecycle Manager Multi-Master deployment, the cluster must contain a minimum of one primary master and one standby master. When you set up an IBM Security Key Lifecycle Manager Multi-Master cluster, the server from which you add a master or standby to the cluster becomes the primary master. You must add a standby to the cluster before you add other masters.
  • A server certificate must be created in an IBM Security Key Lifecycle Manager instance before you add it to the cluster as the primary master.
  • An IBM Security Key Lifecycle Manager Multi-Master cluster supports up to three standby masters. When you add standbys to the cluster, the priority index value must be in the range 1-3.
  • After the IBM Security Key Lifecycle Manager Multi-Master configuration, do not run manual backup and restore operations from any of the masters in the cluster.
  • Run the IBM Security Key Lifecycle Manager Multi-Master configuration operations only from the primary master of the cluster to avoid any problems.
  • Before you add a master to the IBM Security Key Lifecycle Manager Multi-Master cluster on a Linux operating system, the permissions for the /tmp directory must be set to 777, that is, full read, write, and execute permissions.
  • Before you add a master server to the cluster, run Check Prerequisites REST Service to verify whether the master meets all the requirements. For more information about the REST service, see Check Prerequisites REST Service.
  • If you want to configure the IBM Security Key Lifecycle Manager Multi-Master setup to use an HSM to store the master key, you must configure all the masters in the cluster to use the same HSM.
  • Before you add a master server to the cluster through a migrated system, you must modify the IBM Security Key Lifecycle Manager administrator user name and password in the following situations:
    1. Users and groups were migrated from a previous version to version 3.0.1 through the cross-migration process.
    2. The IBM Security Key Lifecycle Manager administrator user name and password differ from the credentials that were specified during the version 3.0.1 installation.
  • You cannot remove a standby or master server from the Multi-Master cluster if a standby server is down.
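The following pre-flight script is an added example, not IBM's code or part of the Check Prerequisites REST Service. It checks two of the Linux requirements listed above before a host is added to the cluster: that the Db2 kernel parameters meet the 16 GB RAM example values, and that /tmp carries mode 777. Each check takes its input as an argument, so the functions can be run against values captured from another master with `sysctl -n` and `stat -c %a`; the minimum values are the ones on this page and are assumed to be sufficient for the host being checked.

```sh
#!/bin/sh
# Added example (not IBM's code): pre-flight checks for the Db2 kernel
# parameters and /tmp permissions required on a Linux master.

# Required values, taken from the 16 GB RAM example on this page (assumed
# to be the minimum for the host being checked).
REQ_MSGMNI=16384
REQ_SEM="250 1024000 100 4096"

# Return 0 when the actual kernel.msgmni value meets the requirement.
#   usage: check_msgmni "$(sysctl -n kernel.msgmni)"
check_msgmni() {
    [ "$1" -ge "$REQ_MSGMNI" ]
}

# kernel.sem has four fields: SEMMSL SEMMNS SEMOPM SEMMNI. sysctl prints
# them tab-separated, so rely on word splitting rather than a fixed delimiter.
# Return 0 only when all four actual fields are at least the required values.
#   usage: check_sem "$(sysctl -n kernel.sem)"
check_sem() {
    actual=$1
    set -- $REQ_SEM
    req_msl=$1; req_mns=$2; req_opm=$3; req_mni=$4
    set -- $actual
    [ $# -eq 4 ] || return 1
    [ "$1" -ge "$req_msl" ] && [ "$2" -ge "$req_mns" ] \
        && [ "$3" -ge "$req_opm" ] && [ "$4" -ge "$req_mni" ]
}

# The page requires /tmp to have permissions 777. stat prefixes the mode with
# a special-bits digit on most systems (for example 1777 for the sticky bit),
# so only the last three octal digits are compared.
#   usage: check_tmp_mode "$(stat -c %a /tmp)"
check_tmp_mode() {
    case "$1" in
        777|?777) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks against the local host and print a one-line verdict each.
# Only executed when the script is invoked with --live, so the functions can
# also be sourced and fed values from elsewhere.
run_live() {
    rc=0
    if check_msgmni "$(sysctl -n kernel.msgmni)"; then
        echo "PASS kernel.msgmni >= $REQ_MSGMNI"
    else
        echo "FAIL kernel.msgmni below $REQ_MSGMNI"; rc=1
    fi
    if check_sem "$(sysctl -n kernel.sem)"; then
        echo "PASS kernel.sem >= $REQ_SEM"
    else
        echo "FAIL kernel.sem below $REQ_SEM"; rc=1
    fi
    if check_tmp_mode "$(stat -c %a /tmp)"; then
        echo "PASS /tmp permissions are 777"
    else
        echo "FAIL /tmp permissions are not 777"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it as `sh check_prereqs.sh --live` on the candidate master; a non-zero exit code means at least one requirement is not met. Because `check_sem` compares every field independently, a host that has raised SEMMNI beyond 4096 but left SEMMNS at a default such as 256000 is correctly reported as failing rather than passing on a partial match.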
Change history

Date         Change description
10 Aug 2021  Corrected a command in the example to set kernel parameters.
29 Mar 2019  Initial version.