
The second step of the process continues on the new SKFS server. This step restores the database on the new SKFS server and copies all the keystores to it from the existing server.

While the new SKFS is being configured, block its web services so that no transactions are mistakenly sent to it. Using a text editor (gedit or vi), edit the firewall settings to block port 8181 by adding a comment character (#) at the beginning of the line containing the rule for port 8181. Once the changes have been saved, restart the firewall.

  1. Using the Standalone Installation steps, install and configure the new server VM as if this was an individual server.
  2. As a root user, perform the following tasks:
    • Login as "root"
    • If DNS is configured, make sure it is configured for forward and reverse lookups—meaning that it should be possible to resolve the IP address using the FQDN, as well as resolve the FQDN using the IP address doing a reverse lookup. Without the reverse resolution, services in the Payara application server configuration will not work correctly.

      If Domain Name Service (DNS) is not configured, add the following entries to the /etc/hosts file to identify the cluster nodes. Use a text editor such as vi to modify the /etc/hosts file. For the two-node cluster, add the following to the end of the hosts file, substituting your own domain name for strongkey.com:

      fidoserver1.strongkey.com fidoserver1
      fidoserver2.strongkey.com fidoserver2
      
    • Modify the firewall configuration to open ports 7001, 7002, and 7003 so that they accept connections only from the other FIDO2 servers; this enables multi-way replication. Run the following command once for each of the other cluster nodes, substituting that node's IP address for <ip-target-fidoserver>.

      Do not execute this command for the IP address of the cluster node on which you are executing the command itself. It is not necessary to open the node's ports on the firewall for itself, since the replication module in SKFS does not need to replicate to itself.

      shell> firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<ip-target-fidoserver>" port port="7001-7003" protocol="tcp" accept'
    • After adding the new rule, restart the firewall:

      shell> systemctl restart firewalld
  3. Log out of the root account.
  4. Log in to the SKFS as 'strongkey'.
  5. Using a text editor, edit the configuration properties of the SKFS node; if the specified file is empty, add these properties:
    shell> vi /usr/local/strongkey/appliance/etc/appliance-configuration.properties
    
    appliance.cfg.property.serverid=3
    appliance.cfg.property.replicate=true
    
    Set serverid to the server ID assigned to this node (3 in this example); replicate must be set to true.
    
  6. In Window 1, copy the database dump created in the previous step onto the new appliance:
    shell> scp fidoserver1.<domain-name>:/usr/local/strongkey/dbdumps/skfs-newserver.db /usr/local/strongkey/dbdumps
  7. In Window 1, log in to the 'skfs' MariaDB database as the 'skfsdbuser' user:
    shell> mariadb -u skfsdbuser -p skfs
  8. Truncate the existing SERVERS table; this deletes all rows of the SERVERS table so the dump can repopulate it:
    mysql> truncate SERVERS;
  9. Source the database dump to bring the new server up to date with the others in the cluster:
    mysql> source /usr/local/strongkey/dbdumps/skfs-newserver.db
    When the dump has finished sourcing, log out of mysql.
  10. If any custom configurations have been added to the cluster, copy the configuration files from an existing cluster node to the new node, into the same directories:
    /usr/local/strongkey/skce/etc/skce-configuration.properties
    /usr/local/strongkey/skfs/etc/skfs-configuration.properties
  11. All SKFS instances should use the same JWT and SAML keystores. Therefore, copy the JWT and SAML keys from the first server to replace the keys on the other servers. These keys can be found in the /usr/local/strongkey/skfs/keystores directory:
    shell> scp -r fidoserver1.<domain-name>:/usr/local/strongkey/skfs/keystores /usr/local/strongkey/skfs
    
  12. In Window 1, restart the Payara application server:
    shell> sudo systemctl restart payara
  13. In Window 2, go to the /usr/local/strongkey/payara6/glassfish/domains/domain1/logs directory:
    shell> cd /usr/local/strongkey/payara6/glassfish/domains/domain1/logs
  14. In Window 2, run the tail -f command on the server.log file:
    shell> tail -f server.log
    Alternatively, you can use the alias 'tsl':
    shell> tsl
    
  15. Verify that replication is working as expected:
    shell> zmq
    
  16. Test functionality using the ping web service or the sample skfsadminclient tool:
    shell> java -jar skfsclient/skfsadminclient.jar P https://<newserver.domain-name>:8181 1 REST PASSWORD fidoadminuser Abcd1234!
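The following shell helpers are an added example written for this page; they are not part of the SKFS product or its tooling. They cover the checkable parts of the procedure above: generating the firewalld rich rules for every peer node while skipping the node's own address (step 2), comparing the JWT/SAML keystore directory between fidoserver1 and the new node after the copy in step 11, and confirming that appliance-configuration.properties carries the expected serverid and replicate=true (step 5). The IP addresses, temporary directories and file contents used for demonstration are constructed; the firewall rules are printed rather than applied, so they can be reviewed before being passed to firewall-cmd.

```shell
#!/bin/sh
# Added example (not StrongKey's own tooling): helpers for the cluster-join
# steps. Each function reads its input from arguments or files and prints a
# result, so nothing is changed on the system until you choose to apply it.

# peer_rich_rules SELF_IP PEER_IP...
# Prints one firewalld rich rule per peer, skipping SELF_IP because the
# replication module never needs ports 7001-7003 opened for the node itself.
# To apply: peer_rich_rules ... | while read -r r; do
#             firewall-cmd --permanent --add-rich-rule "$r"; done
peer_rich_rules() {
    self="$1"; shift
    for ip in "$@"; do
        [ "$ip" = "$self" ] && continue
        printf 'rule family="ipv4" source address="%s" port port="7001-7003" protocol="tcp" accept\n' "$ip"
    done
}

# _sha256: SHA-256 of stdin, using whichever tool the host provides.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

# keystore_digest DIR
# Prints a single SHA-256 over the sorted names and contents of every regular
# file under DIR. Run it on fidoserver1 and on the new node against
# /usr/local/strongkey/skfs/keystores; the two values must be identical,
# otherwise the JWT/SAML keys differ and tokens issued by one node will not
# verify on the other.
keystore_digest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(_sha256 < "$f")" "$f"
    done | _sha256)
}

# check_appliance_props FILE EXPECTED_SERVERID
# Returns 0 when FILE sets appliance.cfg.property.serverid to EXPECTED_SERVERID
# and appliance.cfg.property.replicate to true; otherwise prints what is wrong
# and returns 1. The last occurrence of a key wins, as in a properties file.
check_appliance_props() {
    file="$1"; want="$2"; rc=0
    sid=$(sed -n 's/^appliance\.cfg\.property\.serverid=//p' "$file" | tail -n1)
    rep=$(sed -n 's/^appliance\.cfg\.property\.replicate=//p' "$file" | tail -n1)
    if [ "$sid" != "$want" ]; then echo "serverid is '$sid', expected $want"; rc=1; fi
    if [ "$rep" != "true" ]; then echo "replicate is '$rep', expected true"; rc=1; fi
    return $rc
}
```

Typical use on the new node, after step 11: `keystore_digest /usr/local/strongkey/skfs/keystores` on both servers, compared by eye or over ssh, and `check_appliance_props /usr/local/strongkey/appliance/etc/appliance-configuration.properties 3` before restarting Payara in step 12.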