In typical production Encryption & Key Management (EKM) environments using the SAKA, there are at least two (2) SAKA servers configured in an active-active cluster for high availability. Each cluster node handles cryptographic services independently and replicates to every other node asynchronously in the background. Sites may therefore direct their client applications to request cryptographic web services from any node in the EKM, as shown in the following diagram. Because replication is asynchronous, an object created through one node may not yet be visible on another node until replication has caught up; keep this in mind when deciding how requests are distributed. Distributing requests across the nodes can be achieved in several ways; this appendix describes one of them.
This appendix explains how to set up a free and open source load balancer, HAProxy (available in the standard package repositories of most Linux distributions; on Rocky Linux it is in the AppStream repository), on a separate server running Rocky Linux, called the proxy-server in this document.
To install and configure HAProxy for use with the SAKA server cluster, follow the steps below:
shell> yum install haproxy
Generate a private key and a self-signed certificate for the proxy-server. The CN must match the DNS name clients will use to reach the proxy (saka01.strongkey.com is only an example). The -nodes option leaves the private key unencrypted on disk so HAProxy can read it unattended, and the 365-day certificate must be renewed before it expires. Clients will not trust a self-signed certificate unless it is distributed to them; for production, use a certificate issued by a CA your clients already trust.
shell> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/sakaserver.key -out /etc/pki/tls/certs/sakaserver.crt -subj "/CN=saka01.strongkey.com"
HAProxy expects the certificate and the private key in a single PEM file. Create it with a restrictive umask: /etc/pki/tls/certs is world-readable, and with the default umask the combined file, which now contains the private key, would be readable by every local user.
shell> (umask 077; cat /etc/pki/tls/certs/sakaserver.crt /etc/pki/tls/private/sakaserver.key > /etc/pki/tls/certs/sakaserver.pem)
shell> vi /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local0          # requires a local syslog daemon listening on UDP 514
    log 127.0.0.1 local1 debug
    maxconn 45000                 # total max connections
    daemon
    nbproc 1                      # number of processes; deprecated in HAProxy 2.3 and removed in 2.5 (use nbthread instead)

defaults
    log global                    # without this line the proxies do not inherit the global log targets and nothing is logged
    timeout server 86400000       # 24 hours in milliseconds; consider a shorter value for your workload
    timeout connect 86400000
    timeout client 86400000
    timeout queue 1000s

listen https_web
    bind *:443 ssl crt /etc/pki/tls/certs/sakaserver.pem
    mode http
    option httplog                # tcplog is meant for mode tcp; httplog records method, path and status code
    balance roundrobin
    option forwardfor
    # "verify none" disables certificate checking toward the SAKA nodes, so anything on the
    # network path between proxy and node could impersonate a node. Once the node certificates
    # chain to a CA you trust, replace it with "verify required ca-file <path-to-ca.pem>".
    server server1 <ip-sakaserver1>:8181 check ssl verify none
    server server2 <ip-sakaserver2>:8181 check ssl verify none
Open port 443 in the firewall. Rules added with --permanent are not active until the firewall is reloaded:
shell> firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" port port=443 protocol=tcp accept'
shell> firewall-cmd --reload
Check the configuration for syntax errors (haproxy -c -f /etc/haproxy/haproxy.cfg), then enable and start the service so that it also comes up after a reboot (Rocky Linux uses systemd; the service command merely forwards to systemctl and does not enable the unit). After later configuration changes, use systemctl restart haproxy.
shell> systemctl enable --now haproxy
Verify the proxy by opening the following URL in a browser, using the DNS name that appears in the certificate's CN (a self-signed certificate produces a browser warning):
https://<sakaserver.mydomain.com>
If the above URL cannot be accessed in the browser, check whether SELinux is blocking HAProxy, typically from connecting to the SAKA nodes on port 8181, which the default policy does not allow HAProxy to reach. The following command shows the current status of SELinux:
shell> sestatus
If it is set to enforcing, change it to permissive by running the following command (this is a temporary fix that resets on reboot, and which will be updated in a future release):
shell> setenforce 0
Note that permissive mode switches off SELinux enforcement for every process on the proxy-server, not just HAProxy. The targeted alternative is to leave SELinux enforcing and allow HAProxy to connect to arbitrary ports with the haproxy_connect_any boolean (setsebool -P haproxy_connect_any 1); confirm first with the audit log (ausearch -m avc -ts recent) that the denial was indeed HAProxy's.
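The procedure above assembled into one script that also closes its two weak points: the combined PEM is created with the private key unreadable to other users, and the proxy verifies the SAKA node certificates instead of using "verify none". This is an added example, not StrongKey's own script. It assumes the cert and key paths from the appendix, a CA certificate for the SAKA nodes at the hypothetical path /etc/pki/tls/certs/saka-ca.pem (for self-signed node certificates, the node certificates themselves concatenated into that file serve as the trust anchors), and the standard RHEL SELinux boolean haproxy_connect_any. The node IP addresses are given on the command line, e.g. `sh saka-proxy.sh install 10.0.0.11 10.0.0.12`.

```shell
#!/bin/sh
# Added example (not StrongKey's script): render a hardened haproxy.cfg for a SAKA
# cluster and build the combined PEM with safe permissions. Assumed: SAKA_CA path,
# backend port 8181 and the proxy cert/key paths from the appendix.
set -e

SAKA_PORT=8181
SAKA_CA=/etc/pki/tls/certs/saka-ca.pem        # assumption: CA (or self-signed certs) of the SAKA nodes
PROXY_CRT=/etc/pki/tls/certs/sakaserver.crt
PROXY_KEY=/etc/pki/tls/private/sakaserver.key
PROXY_PEM=/etc/pki/tls/certs/sakaserver.pem

# Print a haproxy.cfg on stdout: first argument is the CA file used to verify the
# nodes, the remaining arguments are the node IP addresses.
render_haproxy_cfg() {
    ca="$1"; shift
    cat <<EOF
global
    log 127.0.0.1 local0
    maxconn 45000
    daemon
    # nbproc was removed in HAProxy 2.5; threads (nbthread) default to one per core.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    mode http
    timeout server 86400000
    timeout connect 86400000
    timeout client 86400000
    timeout queue 1000s

listen https_web
    bind *:443 ssl crt $PROXY_PEM
    option httplog
    option forwardfor
    balance roundrobin
EOF
    i=1
    for ip in "$@"; do
        # "verify required": the proxy refuses a node whose certificate does not
        # chain to $ca, which "verify none" in the original config would accept.
        printf '    server server%d %s:%s check ssl verify required ca-file %s\n' \
            "$i" "$ip" "$SAKA_PORT" "$ca"
        i=$((i + 1))
    done
}

# Combine certificate and key into the single PEM HAProxy expects, created 0600
# so the private key is not readable by other local users.
build_pem() {
    crt="$1"; key="$2"; out="$3"
    (umask 077; cat "$crt" "$key" > "$out")
    chmod 600 "$out"
}

# Self-check on a rendered config: no "verify none" left and HTTP logging enabled.
cfg_is_hardened() {
    ! printf '%s\n' "$1" | grep -q 'verify none' &&
    printf '%s\n' "$1" | grep -q 'option httplog'
}

# Run as root on the proxy-server: sh saka-proxy.sh install <ip-sakaserver1> <ip-sakaserver2> ...
if [ "${1:-}" = "install" ]; then
    shift
    build_pem "$PROXY_CRT" "$PROXY_KEY" "$PROXY_PEM"
    render_haproxy_cfg "$SAKA_CA" "$@" > /etc/haproxy/haproxy.cfg
    haproxy -c -f /etc/haproxy/haproxy.cfg            # syntax check before touching the service
    setsebool -P haproxy_connect_any 1                 # keep SELinux enforcing, allow port 8181 outbound
    firewall-cmd --permanent --add-service=https && firewall-cmd --reload
    systemctl enable --now haproxy
fi
```

Without the install argument the script only defines its functions, so it can be sourced to render a configuration for review before anything is written under /etc.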