The following procedure describes how to configure a newly deployed node to join an existing Cryptographic Security Platform Compliance Manager cluster.
Before You Begin
- Make sure you know the IP address of any Cryptographic Security Platform Compliance Manager node that is already part of the cluster you want to join.
- If the node is currently part of a different cluster, you should remove the node from the original cluster so that the original cluster does not become degraded. For details, see Removing a Node from a Cluster.
Make sure that you have tested the port connection between the joining node and the existing cluster node to ensure that they can communicate with each other. You can test the port connection through the console.
- If you are re-joining a node to an existing cluster and you are using an externally signed SSL certificate for Cryptographic Security Platform Compliance Manager, make sure that you use the same hostname for the Cryptographic Security Platform Compliance Manager node that it had originally. If you change the hostname, you will need to reinstall the externally signed SSL certificate on that node.
- A Cryptographic Security Platform Compliance Manager node cannot be joined to an existing Cryptographic Security Platform Compliance Manager cluster if the internal web server of the joining node is configured with a custom SSL certificate.
- Entrust recommends that you configure the Cryptographic Security Platform Compliance Manager node with a private IP address.
Procedure
Log into the Cryptographic Security Platform Compliance Manager webGUI on the node you want to join with the cluster.
Review the EULA (end user license agreement). When you are done, click I Agree to accept the license terms.
On the Welcome to Appliance Management screen, click Join an Existing Cluster.
On the Get Started page, review the overview information to determine that you are ready to begin. This includes:
- Access to the cluster you are joining the node to. We recommend that you open the Cryptographic Security Platform Compliance Manager webGUI for the cluster in a different tab or browser window.
- Permissions on both this node and the cluster node so you can download and import the required certificates and files.
- A passphrase to use during the joining process. The passphrase must contain 12 alphanumeric characters. It cannot contain spaces or special characters. This phrase is a temporary string used to encrypt the initial communication between this node and the existing Cryptographic Security Platform Compliance Manager cluster.
- Verifying that both this node and the cluster node are running the same Cryptographic Security Platform Compliance Manager version and build. The version number for the cluster node is on the Settings > System Upgrade page.
- Click Continue.
- On the Download CSR page, click Generate and Download CSR.
- Click Continue.
- Switch to one of the existing nodes in the cluster and navigate to the Cluster page.
- Select Actions > Add a Node.
On the Add a Node window, upload the CSR that you downloaded from the new node (in .pem format) and enter a passphrase to use during the joining process.
Click Save and Download Bundle to download the certificate bundle from the cluster node.
The certificate bundle is a .zip file you must unpack. It contains both an encrypted SSL certificate in .p12 format and a CA certificate in .pem format.
- Click OK to close the Add a Node window.
- Return to the new node and click Continue.
- On the Node page, upload the encrypted SSL certificate and CA certificate that you downloaded from the cluster node, enter the IP address or hostname of any node in the existing cluster, and enter the passphrase that you selected.
Click Join.
During the joining process, a status page is displayed on the new node. Do not refresh the browser while this is in process.
The cluster will automatically be placed in maintenance mode.
The node will restart after the join is complete.
- When the node has successfully restarted, click Login.