Using kerberos with gsa mirroring, Using certificates with gsa mirroring, Before you configure gsa mirroring – Google Search Appliance Configuring GSA Mirroring version 7.2 User Manual
Page 9

Google Search Appliance: Configuring GSA Mirroring
9
Using Kerberos with GSA Mirroring
You must configure Kerberos on the master and all mirrored search appliances by using the Search >
Secure Search > Universal Login Auth Mechanisms > Kerberos page in the Admin Console. Kerberos
keytabs are unique, so ensure that you generate and import different Kerberos keytabs for the master
and mirrored search appliances.
When you configure Kerberos on a replica search appliance, use a different Mechanism Name from the
one used for the master. The Mechanism Name for the replica will be synchronized automatically with
the master’s Mechanism Name. After they are synchronized, the replica’s Mechanism Name will
match the master’s Mechanism Name.
If you intend to access the search appliance using a URL such as http://gsa.yourdomain.com, where
the DNS A record is gsa.yourdomain.com, the SPN specified during keytab generation should be HTTP/
[email protected]. During typical operations, gsa.yourdomain.com should point
to the master GSA. If you need to make a mirror search appliance the master search appliance,
gsa.yourdomain.com should point to the mirror. Because the same keytab and name are used, IWA
serving functions normally. If you attempt to perform a secure search on a mirror without the DNS
switch (for example, using the IP address or other DNS name), the search fails if the additional SPN is
not defined for the search appliance’s account in Active Directory. Additional information about
Kerberos and troubleshooting search appliance issues can be found in the search appliance Knowledge
Base at
.
Using Certificates with GSA Mirroring
You must set up CA certificate use in the mirroring configuration in one of the two following ways:
•
No search appliances use CA certificates.
•
All search appliances use CA certificates. In this case, the same CA certificate does not need to be
installed on all search appliances. However, all search appliances must have CA certificates whose
signatures cover the set of certificates used by all search appliances in the configuration.
Before You Configure GSA Mirroring
This section provides a checklist of information you need to collect and decisions you need to make
before you configure GSA mirroring.
Task
Description
Your Values
Determine whether you are
configuring an active-active or active-
passive configuration.
Use an active-active configuration for high
capacity serving. Use an active-passive
configuration for high availability.
Determine which Google Search
Appliance will participate in the
configuration.
Google Search Appliances running the same
software version can participate. See the table
in “Requirements for GSA Mirroring” on page 5
for information about which Google Search
Appliance models can be used as master or
replica search appliances in the configuration.