Sunday, April 5, 2015

High Availability for PKI in 8 Simple Steps

PKI Appliance takes HA Clustering to the next level

Historically, setting up and maintaining High Availability (HA) setups for PKI, required a lot of knowledge about the database in use and how it would interact with HA.
Lately, the packaged PKI product PrimeKey PKI Appliance (running EJBCA and/or SignServer), manages to hide the HA complexity and makes HA easy to setup, robust during operation and simple to handle during recovery. Clustering a PKI has never been easier!
On the PKI Appliance we define the meaning of High Availability as being able to keep services running non-stop, with full data integrity for all included applications.

High Availability Fail Scenarios

Real High Availability requires a cluster setup of three nodes. The reasoning here is that in the case of a node failure, the system should continue to operate on its own, without any administrator measures needed.
Hot standby with manual fail-over is a two nodes cluster setup, which to a lesser extent reduces administration efforts for running systems. Here, the assumption is that depending on which node eventually fails, the system either continues to operate or needs to have a button clicked.
A main site hosting two PKI Appliances and a DR site hosting one PKI Appliance.
With its handy instructions and simple web GUI configuration, PrimeKey PKI Appliance makes it possible to quickly set up a cluster for Disaster Recovery (includes a main site and a remote site).

Technical details

High Availability with the PKI Appliance is implemented using database replication between cluster nodes connected within a network. Using active-active cluster technology means that all the nodes can be fully utilized in the cluster setup. The implementation uses regular network connectivity over the application interface for all cluster communication, which means that cluster nodes don’t have to be placed physically close, as long as they have good network connectivity.
The drawback of most cluster technologies, is that a node cannot distinguish between a failure of another node (such as a broken power supply) and disrupted network connectivity (such as a broken network switch). So in order to avoid a situation where cluster nodes start to operate independently and get diverging data sets, a so called split brain, the cluster nodes take a vote and cease to operate unless they are part of the majority of connected nodes. This way there is only a single data set that can be updated at a specific time.
In case of a temporary network failure, disconnected nodes automatically synchronize their data as soon as the network is back, then start to operate again as if nothing had happened.

Howto: Setting up a 2 node cluster (Hot standby with fail-over)

Using the Appliance Web Configurator it's easy to set up a two node cluster in a few easy steps. Setting up a three node PKI cluster (real High Availability) works the same way, and clustering a PKI has never been easier!
  1. Make an installation according to the standard installation procedure on the initial Appliance node.
  2. On the initial node, go to the cluster tab in the Appliance Web Configurator. To start with it shows the Appliance running as a single instance.
    The PrimeKey PKI Appliance Web Configurator showing cluster configuration of a single instance.

  3. Still on the initial node, add a connection (IP address) to where the second node’s application interface will be. The Appliance will now configure the cluster settings and produce a setup bundle for the second node.
  4. Adding a second cluster node IP in the PKI Appliance.
    PKI Appliance cluster configuration going on.
    PKI Appliance cluster configuration completed.

  5. Download the setup bundle for the second node by clicking Create and Download.
    From the first node, downloading the configuration package for the second cluster node.

  6. Factory reset the second node and connect to the Web Configurator.
    PrimeKey PKI Appliance initial screen after Factory Reset.

  7. On the second node, select the Connect to cluster option and upload the setup bundle.
  8. Uploading cluster setup bundle on the PKI Appliance.
    When processing an uploaded cluster setup bundle, a domain master secret must be specified.
    Date and time settings when connecting PKI Appliance cluster node.
    PrimeKey PKI Appliance Cluster configuration preview on second node.
    Ready to begin installation of second Appliance cluster node.

  9. After the installation has been completed, you should be able to manage the new node using the same login credentials as with the first one.
  10. The two nodes are now installed and can be used. Status of the second cluster node shows up as Connected.
  11. PrimeKey PKI Appliance Web Configuration cluster status with two nodes.

More information

Basic information on EJBCA Enterprise PKI and PKI Appliance is available here.
EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.