Add Auxiliary Server

To add an AUX server, perform the following steps on behalf of the root user:

Step 1 – Prepare a Candidate Server

  • Apply the Provision Additional Server procedure.
  • Take note of the hostname and port (if any) specified while bootstrapping this server.

At this point, the EKM service is started on the candidate server, and connectivity to the cluster is verified.
The server is ready to be added to the cluster.

Step 2 – Add Server to the Cluster

On EP1, add the new server to the UKC cluster, assigning it the auxiliary server role:

ucl server create -a <additional server>[:<port>]

  • additional server - the value specified by the -s <self> parameter in the additional server's bootstrap.
  • The value must match the -s <self> value of the additional server's bootstrap exactly. For example, if -s <self> specified the IP address, use the IP address; if it specified the hostname, use the hostname. Do not mix the two.

  • The port parameter must be equal to the one specified in the ekm_boot_additional_server procedure.

For example,

ucl server create -a Aux1

This command establishes a connection with the specified server, retrieves its certificate, makes sure that the <additional server> value is present in the certificate, recalculates its thumbprint, and presents it for approval:

Auxiliary certificate:
Thumbprint:
8832FB7CA0B9917DA9FE112BE2BC0765587E2621E7196847E5D290A4448D8BD5
Certificate:

//truncated

Do you accept this server? (Y/N)? y
Auxiliary was added successfully

Note
To validate the integrity of the received certificate, compare the recalculated thumbprint with the original one that was computed in the Provision Additional Server step, and accept the server only if the two match.
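The thumbprint comparison from the note above, as an added example that is not part of the UKC documentation or the ucl tool. It assumes the thumbprint is SHA-256 over the DER-encoded certificate (consistent with the 64 hex characters shown in the sample output) and uses a constructed PEM blob rather than a real certificate so it runs offline:

```python
import base64
import hashlib
import hmac
import re

# Assumption (not stated on the page): the thumbprint printed by
# "ucl server create -a" is SHA-256 over the DER-encoded certificate.


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body of a PEM CERTIFICATE block and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint_sha256(pem: str) -> str:
    """Recalculate the thumbprint the way EP1 does when presenting it for approval."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest().upper()


def normalize(tp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' spellings so either recorded form can be pasted."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()


def thumbprint_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison of the presented thumbprint against the one
    recorded during Provision Additional Server; wrong-length values never match."""
    a, b = normalize(presented), normalize(expected)
    return len(a) == 64 and hmac.compare_digest(a, b)


def decide(presented: str, expected: str) -> str:
    """Answer for the 'Do you accept this server? (Y/N)?' prompt."""
    return "Y" if thumbprint_matches(presented, expected) else "N"


# Constructed sample: a PEM wrapper around arbitrary bytes, NOT a real certificate.
SAMPLE_DER = b"constructed-aux1-certificate-bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    recorded = thumbprint_sha256(SAMPLE_PEM)      # value noted at provisioning time
    print(decide(thumbprint_sha256(SAMPLE_PEM), recorded))   # Y
    print(decide("8832FB7C" + "00" * 28, recorded))           # N: not the same certificate
```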

Tip
If the ucl server create -a <hostname> command hangs, check IP connectivity to the <hostname>. As needed, add the name to the hosts file.

Step 3 – Activate the New Server

Restart the EKM service on the additional server as specified in Service Management.

Check the recent logs in the ekm.log file. For example,

sudo tail -40 /opt/ekm/logs/ekm.log

The expected result is:

SystemStart N/A 0 0 N/A OK

Tip
The following errors indicate that the AUX cannot resolve the EP's or its partner's IP address:

  • SystemStart 1 0 N/A: ep1: unknown error
  • SystemStart 1 0 N/A: partner1: unknown error

In such a case, add the unresolved server names to the "hosts" file.

Step 4 – Test

Check the enhanced cluster status.

ucl server test

The new server must show reachable: YES in its status.

{
"name": "Aux1",
"address": "Aux1:8443",
"role": "AUXILIARY",
"status": { "reachable": "YES" }
}