Adding a standby master to the cluster

In IBM Security Key Lifecycle Manager, the high-availability solution is implemented by using a Multi-Master cluster configuration. An IBM Security Key Lifecycle Manager Multi-Master cluster must contain a primary and a standby master. To set up a Multi-Master environment, add a standby master to the cluster.

Before you begin

Before you add a standby master to the cluster, review the considerations and restrictions that are listed in the Requirements and considerations for Multi-Master configuration topic.

Run the Check Prerequisites REST Service to ensure that the master that you want to add meets all requirements and conditions that are defined for IBM Security Key Lifecycle Manager Multi-Master configuration.

About this task

To provide continuous data availability to all the IBM Security Key Lifecycle Manager instances in a Multi-Master cluster, a DB2 high-availability disaster recovery (HADR) configuration is used. DB2 HADR is a database replication feature that provides a high-availability solution. HADR protects against data loss by replicating data changes from a source database, called the primary, to a target database, called the standby. DB2 HADR supports up to three standby databases in your Multi-Master setup.

When you create an IBM Security Key Lifecycle Manager Multi-Master cluster, the server from which you add a master or standby to the cluster becomes the primary master. Once the cluster is created with a minimum of one primary master and one standby master, you can add masters to the cluster from any of the masters in the cluster. Use the Multi-Master Configuration - Add Master dialog or the Add Master REST Service to add a master to the cluster. Your role must have permission to add a standby master to the IBM Security Key Lifecycle Manager Multi-Master cluster.

You cannot add a standby master to the cluster by using the Multi-Master Configuration - Add Master page when a standby or master server in the cluster is out of network or not reachable. To add a standby master in this scenario, you must use the Add Master REST Service with additional parameters. For more information about the REST service, see REST service for adding a master when other master in the cluster is not reachable.

Procedure

  1. Go to the appropriate page or directory.
    Graphical user interface
    1. Log on to the graphical user interface.
    2. On the Welcome page, click Administration > Multi-Master > Masters > Add Master.
    REST interface
    Open a REST client.
  2. Add a standby master to the cluster.
    Graphical user interface
    1. Click the Basic Properties tab.
    2. On the Basic Properties dialog, specify information for the standby master that you are adding.
      Host name / IP address
        Specify the host name of the IBM Security Key Lifecycle Manager standby master that is added to the cluster.
      IBM Security Key Lifecycle Manager user name
        Specify the name of the IBM Security Key Lifecycle Manager administrator. The administrator name is displayed by default.
      IBM Security Key Lifecycle Manager password
        Specify the password for the IBM Security Key Lifecycle Manager server administrator.
      WebSphere Application Server user name
        Specify the WebSphere® Application Server login user ID for the IBM Security Key Lifecycle Manager server administrator profile. The WebSphere Application Server login ID is displayed by default.
      WebSphere Application Server password
        Specify the password for the WebSphere Application Server login user ID.
      UI port
        Specify the HTTPS port to access the IBM Security Key Lifecycle Manager graphical user interface and REST services. The port number is displayed by default.
    3. Click the Advanced Properties tab.
    4. On the Advanced Properties dialog, specify information for the standby master that you are adding.
      Do you want to set this master as standby database?
        Select Yes to add the current instance of IBM Security Key Lifecycle Manager as a standby master to the cluster.
      HADR port
        Specify the port number for the standby HADR database to communicate with the primary HADR database.
      Standby priority index
        Specify the priority index value for the standby database to take over when the primary database is down. You can set the priority index to any value in the range 1-3. The standby server with a higher priority index level (lower number) takes precedence over the lower-priority databases.
    5. If you want the primary master to automatically accept the certificate of the master that you are adding, select Accept host certificate automatically. Otherwise, manually add the certificate to the truststore of the primary master. For instructions, see Adding a certificate to the truststore.
      Note: By default, the certificate is not automatically accepted.
    6. Click Test Connection to test whether the communication between the standby master that you are adding and the current primary master is successful. For more information, see Perform a test connection.
    7. Click Add.
    REST interface
    1. Obtain a unique user authentication identifier to access IBM Security Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    2. To run the Add Master REST Service, send an HTTP POST request. Pass the user authentication identifier that you obtained in the previous step along with the request message, as shown in the following example.
      POST https://localhost:<port>/SKLM/rest/v1/ckms/config/nodes/addNodes
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m

      [
        {
          "clusterName" : "multimaster",
          "hadrPort" : "60020"
        },
        {
          "type" : "Standby",
          "ipHostname" : "cimkc2b151",
          "httpPort" : "443",
          "sklmUsername" : "sklmadmin",
          "sklmPassword" : "SKLM@admin123",
          "wasUsername" : "wasadmin",
          "wasPassword" : "WAS@admin123",
          "standbyPriorityIndex" : "1",
          "autoAccept" : "Yes"
        }
      ]
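The request above can also be assembled by a script that keeps the two passwords out of the file and checks the documented value ranges before anything is sent. The following Python sketch is an added example, not IBM code. It assumes hypothetical environment variable names SKLM_PASSWORD and WAS_PASSWORD, and it assumes that "No" is the counterpart of the "Yes" value shown for autoAccept.

```python
import json
import os
import urllib.request

ADD_NODES_PATH = "/SKLM/rest/v1/ckms/config/nodes/addNodes"  # path from the page


def _port(name, value):
    """Return the port as a string, rejecting anything outside 1-65535."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"{name} out of range: {value}")
    return str(port)


def build_add_standby_body(cluster_name, hadr_port, standby_host, http_port,
                           sklm_user, was_user, priority, auto_accept=False,
                           env=os.environ):
    """Build the two-element JSON array shown in the request example."""
    if int(priority) not in (1, 2, 3):  # page: priority index range is 1-3
        raise ValueError("standbyPriorityIndex must be 1, 2 or 3")
    # Passwords come from the environment (hypothetical variable names) so they
    # never appear in the script, shell history or version control.
    try:
        sklm_pw, was_pw = env["SKLM_PASSWORD"], env["WAS_PASSWORD"]
    except KeyError as missing:
        raise ValueError(f"environment variable {missing} is not set") from None
    return [
        {"clusterName": cluster_name, "hadrPort": _port("hadrPort", hadr_port)},
        {"type": "Standby", "ipHostname": standby_host,
         "httpPort": _port("httpPort", http_port),
         "sklmUsername": sklm_user, "sklmPassword": sklm_pw,
         "wasUsername": was_user, "wasPassword": was_pw,
         "standbyPriorityIndex": str(int(priority)),
         # "No" is assumed to be the counterpart of the page's "Yes"; it matches
         # the GUI default of not accepting the host certificate automatically.
         "autoAccept": "Yes" if auto_accept else "No"},
    ]


def build_request(primary_host, port, user_auth_id, body):
    """Prepare the POST; urllib.request.urlopen(req) sends it and verifies TLS."""
    return urllib.request.Request(
        f"https://{primary_host}:{_port('port', port)}{ADD_NODES_PATH}",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"SKLMAuth userAuthId={user_auth_id}"})
```

With auto_accept left at False, the certificate of the new master must already be in the truststore of the primary master, as described in the graphical user interface steps.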

What to do next

After you add a standby master to the cluster, the primary master restarts and is temporarily unavailable during this process. Verify that the standby master is listed with its health status information in the Masters table and on the IBM Security Key Lifecycle Manager welcome page.