Managing Clusters
You manage KeyControl nodes through clicking the Cluster Icon in the webGUI, which brings up a dialog box where you can make changes.
Managing Cluster Settings
On the Cluster tab, you can choose:
- Description: You can add or change the description for the cluster. This is optional.
- Backup Hosts: Enter the names or IP addresses of host systems that are allowed to NFS mount the backup directory. (
0.0.0.0means any server can have access.) - Cluster Operation Timeout: This value is the amount of time that a KeyControl node waits to receive a response from another KeyControl node. If a response is not received by the specified timeout, the KeyControl cluster goes into degraded mode, which indicates a network connectivity problem. You should enter a value in the range of 1 second to 5 seconds. By default, the cluster timeout is set to 5 seconds. If a KeyControl cluster frequently switches between degraded state and healthy state, increase the timeout value of cluster operation. We recommend setting the timeout value at a lower number.
- Allow Reconnect: the default is Yes, to allow reconnect.
- Require Authentication Passphrase: The default is Yes, to require an authentication passphrase.
- Hide Authentication Passphrase Entry: the default is No, so that the user can see what is being typed.
- Check Hardware ID: the default is Yes, to validate the hardware ID.
On reconnect (if reconnect is allowed, see above) we check a collection of hardware signatures to validate that a node is indeed the same as we expect. If this option is enabled, then this ID is checked each time a reconnect happens. If it is not checked, this ID is not checked. If reconnect is rejected, authentication has to be redone for the node.
NOTE: This should only be disabled in very, very secure environments. Even in these environments it should be left checked unless it is known that machines will be moved around frequently.
KC to KC Heartbeat: This setting enables you to fine tune the heartbeat among the nodes in your KeyControl cluster. You can modify the default settings for Heartbeat Timeout, Healthy Interval, Degraded Interval, Healthy Threshold, and Degraded Threshold. Hovering over the queston mark icon describes each parameter in more detail.
Make sure your settings are accurate, and then click Save after each one.
Nodes that have been authenticated successfully will, when restarted, attempt to automatically reconnect to the KeyControl cluster. If this choice is set to Yes, then such attempts are allowed (subject to hardware ID check, see below). If it is set to No, then no reconnect is allowed and an admin has to perform authentication any time a node restarts. Note that you change status by checking and clearing the checkbox.
NOTE: This is a security feature and the default is most permissive. To strengthen security, clear the checkbox to NOT allow reconnection.
Initial authentication performs a handshake between a new node and an existing KeyControl cluster. If this option is set to Yes, a one-time passphrase will be required on both ends to give an out-of-band assurance that the node is valid and should be allowed to join. If it is not checked, then no passphrase is required and joining the node is assumed valid. Note that you change status by checking and clearing the checkbox.
NOTE: This is a security feature and the default is the strongest choice. It should only be set to No in a very secure environment.
If set to Yes, passphrases entered in the webGUIwill not be echoed to the screen.
Passphrases for admin accounts input in the webGUI are never echoed, and are unaffected by this option.
On the Servers tab, you can check the online and authentication status of individual servers and sort them by a variety of fields
See also: KeyControl Clustering and Upgrade, elsewhere in this guide.
See also: Using the Settings Icon to Configure Defaults, in the Guide to Using the WebGUI.