LCMNUMHBEATS=2
LifeKeeper will use a 1-second interval for the TCP communications path and a 2-second interval for
TTY. In the case of a server failure, LifeKeeper will detect the TCP failure first because its interval is
shorter (2 heartbeats that are 1 second apart), but will then do nothing until it also detects the TTY failure,
which comes after 2 heartbeats that are 2 seconds apart.
Using Custom Certificates with the SPS API
Beginning with Release 7.5, the SteelEye Protection Suite (SPS) API uses SSL/TLS to
communicate between different systems. Currently, this API is only partially used and is reserved for
internal use only, but it may be opened up to customer and third-party usage in a future release. By
default, the product is installed with default certificates that provide some assurance of identity
between nodes. This document explains how to replace these default certificates with certificates
created by your own Certificate Authority (CA).
Note: Normal SPS communication does not use these certificates.
How Certificates Are Used
Where SSL/TLS is used for communications between SPS servers to protect the data being
transferred, each system presents a certificate to identify itself. The systems also use a CA
certificate to verify the certificate presented to them over the SSL connection.
Three certificates are involved:
• /opt/LifeKeeper/etc/certs/LK4LinuxValidNode.pem (server certificate)
• /opt/LifeKeeper/etc/certs/LK4LinuxValidClient.pem (client certificate)
• /opt/LifeKeeper/etc/certs/LKCA.pem (certificate authority)
The first two certificates must be signed by the CA certificate to satisfy the verification performed by
the servers. Note that the common name of the certificates is not verified, only that the certificates
are signed by the CA.
Using Your Own Certificates
In some installations, it may be necessary to replace the default certificates with certificates that are
created by an organization's internal or commercial CA. If this is necessary, replace the three
certificates listed above with new certificates using the same certificate file names. These
certificates are of the PEM type. LK4LinuxValidNode.pem and LK4LinuxValidClient.pem each
contain both their respective private key and certificate. The LK4LinuxValidNode.pem certificate is a server
type certificate; LK4LinuxValidClient.pem is a client type certificate.
If the default certificates are replaced, SPS will need to be restarted to reflect the changes. If the
certificates are misconfigured, the steeleye-lighttpd daemon will not start successfully and errors will be
written to the LifeKeeper log file. If problems arise, refer to this log file to see the full command that
should be run.