000014756 - How to replace a standby appliance with 2.6 appliance in a cluster?

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014756

Applies To:
RSA Key Manager Appliance 2.6
RSA Key Manager Appliance
A single RKM Appliance cluster containing one primary and a standby node

Issue:
How to replace a standby appliance with 2.6 appliance in a cluster?
How to replace a standby appliance (Dell 2950 hardware) with 2.6 appliance (Dell R-710 hardware) in a cluster?
Need to replace the standby appliance (with older hardware - Dell 2950) with new hardware (Dell R-710)

Resolution:
The following procedure explains replacing an existing Appliance standby node (2950 hardware) with a new Appliance 2.6 (R-710 hardware):

1. Ensure that the cluster is in a healthy state. Ensure that the active/primary server can reach the standby server.

2. Please make a note of the network configuration of the standby node.

3. Uninstall the standby: run the uninstall command, /opt/rsa/setup/uninstall, on the standby node. It will prompt:
  Drop database on 'hostname'
  DANGER: all keys will be lost!!!!
  Type 'YES' to continue
This will uninstall the software and gracefully disconnect the standby from the primary.

4. Remove the standby node that was uninstalled in the previous step from the network and power it off.

5. At this point the primary will be running in read-only mode.
Note:  If the primary server needs to be in write mode for some time, you can make the primary accept updates. Refer to the section "2.5.1 Steps to make Primary accept updates" in the RKM Appliance troubleshooting guide, or follow these steps on the primary:
  - su - oracle
  - Connect to the dgmgrl CLI with the command dgmgrl sys/passwd
  - Disable fast-start failover on the primary with the force option:  DGMGRL> disable fast_start failover force;
  - Connect to sqlplus / as sysdba and issue the command  alter system set dg_broker_start=false;
  - Shut down the primary database with the shutdown immediate command in sqlplus
  - Start up the primary database with the startup command in sqlplus.  If the KMS GUI is failing (the error "You are not authorized to access this resource." appears when trying to access the KMS), you might need to restart ClearTrust (Access Manager). In that case, restart ClearTrust and then Tomcat.

6. Connect the new Appliance 2.6 (R-710 hardware) to the network

7. Ensure that there are no active client connections to the primary when the replace secondary script is executed.

8. Run /opt/rsa/setup/sh/replace_secondary.sh on the newly added secondary node and provide all the information prompted for.

9. When prompted for Temporary IP, Netmask, and Gateway, you can use the same network configuration saved in step 2.
Note:  RKM Appliance does not accept $ or $$ in the password, or a space in the security admin password.

10. After completing the replace secondary process, it is recommended to verify the status of the cluster.
Note:  The log of the replace secondary process is in /opt/rsa/setup/logs/replace_secondary.<timestamp>.log.

11. Do the following on the Primary node to verify the status of the above process:
  #su - oracle
  $dgmgrl sys/passwd
  DGMGRL> show configuration verbose

  Name:                Demorkm
  Enabled:             YES
  Protection Mode:     MaxAvailability
  Fast-Start Failover: ENABLED
  Demorkmp - Primary database
  Demorkms - Physical standby database
  Fast-Start Failover target
  Fast-Start Failover
  Threshold:           30 seconds
  Observer:            m206.sqa.com
  Shutdown Primary:    FALSE
  Current status for "Demorkm":

12. Check whether there is any time difference between the clocks of the primary and standby appliances. RKM may not function properly if they are different.
Note:  To verify this, view the /etc/ntp.conf file on both appliances and check for the line that is not commented out and starts with "server" followed by the NTP server IP address or hostname:
  cat  /etc/ntp.conf (primary)
  server 3.rpath.pool.ntp.org
  cat /etc/ntp.conf (standby)
  server 3.rpath.pool.ntp.org

If they are not pointing to the same NTP server, run the following command to sync the clock (the command needs to be run 3 times):
"ntpdate -u <ntpserver>" (replace ntpserver with the actual NTP hostname, which should be the same as for the primary).

For example:
  service ntpd stop
  ntpdate -u 3.rpath.pool.ntp.org
  ntpdate -u 3.rpath.pool.ntp.org
  ntpdate -u 3.rpath.pool.ntp.org
  service ntpd start
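
The ntp.conf comparison from step 12, as an added example that is not part of the original article or of RSA's tooling: a shell script that extracts the uncommented "server" entries from two ntp.conf copies and reports whether they match. It assumes the standby's /etc/ntp.conf has been copied to the host where the script runs; the function names, file names and ntp.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA code): compare the active NTP servers named in two
# ntp.conf copies, e.g. the primary's file and one fetched from the standby.

# List servers from uncommented "server" lines, lowercased, sorted, unique.
# "#server x" / "# server x" fail the first-field test; options such as
# iburst are ignored; 127.127.* entries are ntpd reference-clock
# pseudo-addresses (local clock), not network servers, so they are skipped.
ntp_servers() {
    awk '$1 == "server" && $2 != "" && $2 !~ /^127\.127\./ { print tolower($2) }' \
        "$1" | sort -u
}

# Succeed only when both files name the same, non-empty set of servers.
same_ntp_servers() {
    primary_list=$(ntp_servers "$1")
    standby_list=$(ntp_servers "$2")
    [ -n "$primary_list" ] && [ "$primary_list" = "$standby_list" ]
}

# Print a verdict and, on mismatch, what each side is configured with.
report_ntp() {
    if same_ntp_servers "$1" "$2"; then
        echo "MATCH: $(ntp_servers "$1" | tr '\n' ' ')"
    else
        echo "MISMATCH"
        echo "  primary: $(ntp_servers "$1" | tr '\n' ' ')"
        echo "  standby: $(ntp_servers "$2" | tr '\n' ' ')"
    fi
}

# Constructed sample files (not copied from a real appliance).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/primary.conf" <<'EOF'
# server ntp.example.com
server 3.rpath.pool.ntp.org
server 127.127.1.0
EOF
cat > "$sample_dir/standby_ok.conf" <<'EOF'
  server 3.RPATH.pool.ntp.org iburst
EOF
cat > "$sample_dir/standby_bad.conf" <<'EOF'
#server 3.rpath.pool.ntp.org
server ntp.example.com
EOF

report_ntp "$sample_dir/primary.conf" "$sample_dir/standby_ok.conf"
report_ntp "$sample_dir/primary.conf" "$sample_dir/standby_bad.conf"
```

On the appliances, pass the primary's /etc/ntp.conf and the copy of the standby's file to report_ntp in place of the sample files.
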
Legacy Article ID: a49069