Managing Clusters

You manage KeyControl nodes by clicking the Cluster icon in the webGUI and setting the desired options on the Cluster tab. The options are:

Description: You can add or change the description for the cluster. This is optional.
Backup Hosts: Enter the names or IP addresses of host systems that are allowed to NFS mount the backup directory. (0.0.0.0 means any server can have access.)
Cluster Operation Timeout: This value is the amount of time that a KeyControl node waits to receive a response from another KeyControl node. If a response is not received by the specified timeout, the KeyControl cluster goes into degraded mode, which indicates a network connectivity problem. You should enter a value in the range of 1 second to 5 seconds. By default, the cluster timeout is set to 5 seconds. If a KeyControl cluster frequently switches between degraded state and healthy state, increase the timeout value of cluster operation. We recommend setting the timeout value at a lower number.

Allow Reconnect: the default is Yes, to allow reconnect.

Nodes that have been authenticated successfully will, when restarted, attempt to automatically reconnect to the KeyControl cluster. If this choice is set to Yes, then such attempts are allowed (subject to hardware ID check, see below). If it is set to No, then no reconnect is allowed and an admin has to perform authentication any time a node restarts. Note that you change status by checking and clearing the checkbox.

Note:

This is a security feature and the default is most permissive. To strengthen security, clear the checkbox to NOT allow reconnection.

Require Authentication Passphrase: The default is Yes, to require an authentication passphrase.

Initial authentication performs a handshake between a new node and an existing KeyControl cluster. If this option is set to Yes, a one-time passphrase will be required on both ends to give an out-of-band assurance that the node is valid and should be allowed to join. If it is not checked, then no passphrase is required and joining the node is assumed valid. Note that you change status by checking and clearing the checkbox.

Note:

This is a security feature and the default is the strongest choice. It should only be set to No in a very secure environment.

Hide Authentication Passphrase Entry: the default is No, so that the user can see what is being typed.

If set to Yes, passphrases entered in the webGUI will not be echoed to the screen.

Passphrases for admin accounts input in the webGUI are never echoed, and are unaffected by this option.
Check Hardware ID: the default is Yes, to validate the hardware ID.
On reconnect (if reconnect is allowed, see above) we check a collection of hardware signatures to validate that a node is indeed the same as we expect. If this option is enabled, then this ID is checked each time a reconnect happens. If it is not checked, this ID is not checked. If reconnect is rejected, authentication has to be redone for the node.
Note: This should only be disabled in very, very secure environments. Even in those environments it should be left checked unless it is known that machines will be moved around frequently.
KC to KC Heartbeat: This setting enables you to fine tune the heartbeat among the nodes in your KeyControl cluster. You can modify the default settings for a variety of parameters, listed below. When you are using KeyControl, hovering over the question mark icon describes each parameter in more detail. Here are the descriptions you can see with a hover:
- Hearbeat Timeout: Number of seconds to wait for a KeyControl heartbeat response (2 — 15 seconds)
- Healthy Interval: Number of seconds between successful KeyControl heartbeat responses (1 — 10 seconds)
- Degraded Interval: Number of seconds between failed KeyControl heartbeat responses (1 — 10 seconds)
- Healthy Threshold: Number of consecutive successful KeyControl responses to transition cluster into healthy state (2 — 10 seconds)
- Degraded Threshold: Number of consecutive failed KeyControl responses to transition cluster into degraded state (2 — 10 seconds)

On the Servers tab, you can check the online and authentication status of individual servers and sort them by a variety of fields

For more information, see KeyControl Clustering and Upgrades.

Open topic with navigation