000022325 - How to configure redundant RSA ClearTrust server components

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2


Article Number: 000022325
Applies To: RSA ClearTrust 5.5.3
Issue: How to configure redundant RSA ClearTrust server components
Resolution:

Redundant AServer

- Set up the ClearTrust servers on two different machines. Run the ClearTrust servers on one machine (the primary) and copy its working data adapter configuration file (sql.conf or ldap.conf) to the second machine (the secondary).

- On the primary machine you will have keyserver.sec, keyclient.sec and _5608 files. Use the keygen utility to generate a secret key for the secondary host; this adds a new entry to the primary's keyserver.sec. Copy the primary's keyserver.sec to the secondary machine, then replace the old key in the secondary machine's keyclient.sec with the newly added entry from keyserver.sec. Repeat this step for each additional backup machine. Because these files carry secret keys, copy them over a protected channel (for example scp) rather than an unencrypted transfer, and keep their file permissions restricted to the account that runs the ClearTrust servers.

- Copy the license.xml file from your primary machine to each of your secondary machines.

- Then start the AServer on the secondary machine and restart the web server. You now have a backup AServer in your environment.

Redundant dispatcher

- Set up the ClearTrust servers on two different machines. On your primary machine, set your keyserver.conf to have:

cleartrust.keyserver.key_port=5606 (or the value that is appropriate in your environment)
cleartrust.keyserver.keyserver_list=machine1.domain.net:5609, machine2.domain.net:5609 (and so on for any further keyservers)
cleartrust.keyserver.v2_key_port=5609

The keyserver_list must be exactly the same on all redundant keyservers.

- On your primary machine, set your dispatcher.conf to have:

cleartrust.dispatcher.reg_port=5607
cleartrust.dispatcher.list_port=5608

- On your primary machine, set your aserver.conf to have:

cleartrust.aserver.keyserver_list=machine1.xxx.net:5606, machine2.xxx.net:5606
cleartrust.aserver.dispatcher_list=machine1.xxx.net:5607, machine2.xxx.net:5607

- On your primary machine, set your eserver.conf to have:

cleartrust.eserver.dispatcher_list=machine1.xxx.net:5608, machine2.xxx.net:5608

- Copy the primary ClearTrust .conf files to the secondary machine. On each secondary machine, then edit that machine's keyserver.conf so that the cleartrust.keyserver.local_id parameter is set to that machine's own fully qualified domain name and v2 key port (for example machine2.domain.net:5609); a copied file still carries the primary's local_id, and two keyservers must not claim the same identity.

- Copy the keyserver.sec file from the primary machine to the secondary machines (if not done already). You must copy this file to each secondary machine each time a new key is added to the primary machine.

- Copy the license.xml file from your primary machine to each of your secondary machines (if not done already).

- Within your webagent.conf file, set:

cleartrust.agent.dispatcher_list=machine1.xxx.net:5608, machine2.xxx.net:5608
cleartrust.agent.keyserver_list=machine1.xxx.net:5606, machine2.xxx.net:5606

- Ensure that the primary machine's ClearTrust servers are running, then start the dispatcher on the secondary machine and restart the web server. You now have a backup dispatcher.

Redundant EServer

- Set up the ClearTrust servers on two different machines. Configure the load balancer hardware in your environment so that it fails over from the primary EServer to the backup EServer. A load balancer presents a virtual IP on the client side and distributes connections to the real servers behind it, so whatever connects to the EServer is pointed at the virtual IP instead of a particular EServer's IP address.

- If you are not using a load balancer, you must use high-availability software on the ClearTrust servers instead. Consult that software's documentation for how to integrate it with ClearTrust.

Redundant data servers

- ClearTrust supports LDAP server failover for search operations only; write operations are not failed over. In your ldap.conf file, set:

cleartrust.data.ldap.failover_group: user_failover, policy_failover, admin_failover
cleartrust.data.ldap.failover_group.user_failover: user, userreplica1, userreplica2
cleartrust.data.ldap.failover_group.policy_failover: policy, policyreplica1, policyreplica2
cleartrust.data.ldap.failover_group.admin_failover: admin, adminreplica1, adminreplica2
cleartrust.data.ldap.adminstore: admin_failover
cleartrust.data.ldap.policystore: policy_failover
cleartrust.data.ldap.userstore: user_failover

- Ensure that the LDAP server connection parameters are correct for every directory named in the failover groups, the replicas as well as the primary.

- For each directory, set cleartrust.data.ldap.directory.<aux-store-name>.ssl.use to the appropriate value, either clear or anon (anon requires authenticated SSL to be set up for that directory connection).

- Restart your ClearTrust servers.
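The redundant dispatcher/keyserver procedure and the LDAP failover settings above both come down to a few cross-file invariants that are easy to break when .conf files are copied between machines (a secondary that keeps the primary's local_id is the classic case). The checker below is an added example, not RSA's own tooling: it parses ClearTrust-style .conf text (Java-properties syntax) and reports inconsistencies between the keyserver_list, local_id, dispatcher and keyserver host:port lists, the keyserver.sec copies, and the ldap.conf failover groups. The host names machine1.example.net and machine2.example.net, the file contents and the keyserver.sec placeholder are constructed for illustration; the key names and ports are the ones used in this article.

```python
"""Consistency checks for a redundant RSA ClearTrust deployment (added example, not RSA tooling).
ClearTrust .conf files use Java-properties syntax ('key=value' or 'key: value', '#' comments).
Checked: identical keyserver_list on every keyserver, a local_id naming the machine it sits on,
host:port list entries matching the target machine's port, the same keyserver.sec everywhere,
and LDAP failover groups whose directories are configured.  All configuration text is constructed."""
import re

PROP_RE = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")
LDAP = "cleartrust.data.ldap."
# (file, list key) -> (file on the listed host, port key that each entry's port must match)
LIST_PORT_RULES = (
    ("aserver.conf", "cleartrust.aserver.keyserver_list", "keyserver.conf", "cleartrust.keyserver.key_port"),
    ("aserver.conf", "cleartrust.aserver.dispatcher_list", "dispatcher.conf", "cleartrust.dispatcher.reg_port"),
    ("eserver.conf", "cleartrust.eserver.dispatcher_list", "dispatcher.conf", "cleartrust.dispatcher.list_port"),
    ("webagent.conf", "cleartrust.agent.dispatcher_list", "dispatcher.conf", "cleartrust.dispatcher.list_port"),
    ("webagent.conf", "cleartrust.agent.keyserver_list", "keyserver.conf", "cleartrust.keyserver.key_port"),
)

def parse_conf(text):
    """Return {key: value} for one .conf file; comment and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROP_RE.match(line) if line and line[0] not in "#!" else None
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def parse_list(value):
    """'a:1, b:2' -> ['a:1', 'b:2'] (lower-cased, whitespace stripped)."""
    return [x.strip().lower() for x in value.split(",") if x.strip()]

def check_servers(machines):
    """machines: {fqdn: {filename: text}}.  Returns a list of findings (empty == consistent)."""
    parsed = {m.lower(): {f: parse_conf(t) for f, t in files.items() if f.endswith(".conf")}
              for m, files in machines.items()}
    findings, ks_lists = [], {}
    for fqdn, confs in parsed.items():
        ks = confs["keyserver.conf"]
        ks_lists[fqdn] = tuple(parse_list(ks.get("cleartrust.keyserver.keyserver_list", "")))
        # local_id must name this machine, not the primary the file was copied from
        expected = f"{fqdn}:{ks.get('cleartrust.keyserver.v2_key_port', '')}"
        actual = ks.get("cleartrust.keyserver.local_id", "").lower()
        if actual != expected:
            findings.append(f"{fqdn}: local_id is '{actual}', expected '{expected}'")
        for fname, key, target_file, port_key in LIST_PORT_RULES:
            for entry in parse_list(confs.get(fname, {}).get(key, "")):
                host, _, port = entry.rpartition(":")
                if host not in parsed:
                    findings.append(f"{fqdn}: {fname} {key} names unknown host '{host}'")
                elif port != parsed[host].get(target_file, {}).get(port_key):
                    findings.append(f"{fqdn}: {fname} {key} entry '{entry}' does not match {host}'s {port_key}")
    if len(set(ks_lists.values())) > 1:
        findings.append(f"keyserver_list differs between machines: {ks_lists}")
    if len({files.get("keyserver.sec") for files in machines.values()}) > 1:
        findings.append("keyserver.sec differs between machines; copy it again from the primary")
    return findings

def resolve_ldap_stores(ldap_conf):
    """Return ({store: [directory, replica, ...]}, findings) for an ldap.conf text."""
    p = parse_conf(ldap_conf)
    groups = {g: parse_list(p.get(f"{LDAP}failover_group.{g}", ""))
              for g in parse_list(p.get(f"{LDAP}failover_group", ""))}
    stores, findings = {}, []
    for store in ("userstore", "policystore", "adminstore"):
        target = p.get(f"{LDAP}{store}", "").lower()
        # a store names either a failover group (search failover) or a single directory
        stores[store] = groups.get(target, [target] if target else [])
        for d in stores[store]:  # the values this article documents for ssl.use are clear and anon
            if p.get(f"{LDAP}directory.{d}.ssl.use") not in ("clear", "anon"):
                findings.append(f"{store}: directory '{d}' has no valid {LDAP}directory.{d}.ssl.use")
    return stores, findings

# Constructed sample: both machines hold a copy of the primary's files, so the secondary's
# keyserver.conf still carries the primary's local_id (the check reports it).
PRIMARY_FILES = {
    "keyserver.conf": "cleartrust.keyserver.key_port=5606\ncleartrust.keyserver.v2_key_port=5609\n"
                      "cleartrust.keyserver.keyserver_list=machine1.example.net:5609, machine2.example.net:5609\n"
                      "cleartrust.keyserver.local_id=machine1.example.net:5609\n",
    "dispatcher.conf": "cleartrust.dispatcher.reg_port=5607\ncleartrust.dispatcher.list_port=5608\n",
    "aserver.conf": "cleartrust.aserver.keyserver_list=machine1.example.net:5606, machine2.example.net:5606\n"
                    "cleartrust.aserver.dispatcher_list=machine1.example.net:5607, machine2.example.net:5607\n",
    "eserver.conf": "cleartrust.eserver.dispatcher_list=machine1.example.net:5608, machine2.example.net:5608\n",
    "keyserver.sec": "placeholder-for-keyserver.sec-contents",
}
SAMPLE_MACHINES = {m: dict(PRIMARY_FILES) for m in ("machine1.example.net", "machine2.example.net")}

SAMPLE_LDAP_CONF = """# constructed ldap.conf excerpt; adminreplica1 deliberately lacks ssl.use
cleartrust.data.ldap.failover_group: user_failover, admin_failover
cleartrust.data.ldap.failover_group.user_failover: user, userreplica1
cleartrust.data.ldap.failover_group.admin_failover: admin, adminreplica1
cleartrust.data.ldap.userstore: user_failover
cleartrust.data.ldap.policystore: policy
cleartrust.data.ldap.adminstore: admin_failover
cleartrust.data.ldap.directory.user.ssl.use=clear
cleartrust.data.ldap.directory.userreplica1.ssl.use=anon
cleartrust.data.ldap.directory.policy.ssl.use=clear
cleartrust.data.ldap.directory.admin.ssl.use=clear
"""
```

To use it against a real deployment, read each machine's .conf files (and keyserver.sec) into the same {fqdn: {filename: text}} shape and call check_servers; an empty findings list means the lists, ports, local_id values and key files agree with the procedure above. resolve_ldap_stores shows the ordered directory list each store will fail over through, which is the order a replica outage will be handled in.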

For details on how to use the keygen utility, refer to the RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide, page 128.
Legacy Article ID: a27932
