
The cluster key, The cluster password, Local certificate authority replication – HP Secure Key Manager User Manual

Page 192


LDAP Server

SSL

Administrators and Remote Administration

IP Authorization

Logging

Service Startup

Known CAs, CRLs, and Trusted CA List Profiles

The following configuration settings cannot be automatically replicated within a cluster:

Network settings

Certificates (other than the Log Signing Certificate)

NOTE: Items not replicated by the clustering feature can be replicated manually using the Backup and Restore mechanism described in Services Configuration Page.

The Cluster Key

A cluster uses a cluster key to authenticate members during replication and synchronization. When
a cluster is created, this key is created automatically.

If a cluster member is stolen or the key is otherwise compromised, remove all devices from the cluster
(this will effectively delete the cluster). You can then create a new cluster and add members using the
new key.

The Cluster Password

A cluster key is protected by a cluster password, which is provided by the administrator when creating
the cluster. This password must be provided when devices attempt to join a cluster, or when an
administrator attempts to restore a cluster backup.

You can change the password by editing Cluster Password and Confirm Cluster Password on the
Cluster Settings section of the Cluster Configuration page for every member of the cluster. You can
do this if you forget the original password, for example. However, to restore an automatic
synchronization backup, you will need the cluster password used when the backup was created.
Therefore, if you forget a cluster password you can still maintain the cluster, but you will lose the
backups that use that password.

Local Certificate Authority Replication

The cluster feature enables you to replicate local certificate authorities (CAs) within a cluster. This
includes the CA's public and private keys, the list of signed certificates, and the list of revoked
certificates.

During synchronization, an SKM will inherit a new list of local CAs from the cluster. The device's old
list of local CAs will be deleted. Should you need to access a deleted local CA, you can restore the
automatic synchronization backup.

Using the Management Console
