Geographical HA and encryption keys

Manually put encryption keys on the appliances in a high availability pair configured for explicit-trust.

Procedure
  1. Generate keys on both appliances by running /etc/crm/haconfig.sh -k.
  2. On the local directory of the remote appliance, copy the file CAcert.pem from /opt/iss/etc/ssl/ha/ to /etc/apache2/ssl.crt/.
  3. On the remote appliance, copy the file server_lmi.crt to the directory /var/spool/crm/leafcerts/.
  4. Rename the file server_lmi.crt to <name>_443.pem.
    Note: <name> is the IP address or the DNS name of the remote appliance. This is the appliance you specify as the HA Address in the security interface policy later in this procedure. If <name> is an IPv6 address, the file name must begin with v6_ and each : in the address must be replaced with _.
  5. In IPS Local Management Interface, go to Manage System Settings > Network > Security Interfaces and configure the sensor high availability mode as follows:
    Setting               Option
    Mode                  Geographical HA
    Authentication Level  Explicit-trust
    HA Address            IP or DNS Name of the appliance
  6. Save and apply the policy changes.
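
The naming rule in step 4 is easy to get wrong for IPv6 peers, so the following added example (not part of the product documentation or the product's own scripts) derives the file name from the HA address and stages the certificate under it, combining steps 3 and 4. The function names are hypothetical, and the script assumes that any address containing : is IPv6 and that server_lmi.crt is PEM-encoded.

```shell
#!/bin/sh
# Added example: stage the peer's LMI certificate under the file name the
# explicit-trust procedure requires. Function names are hypothetical.

LEAFCERT_DIR="${LEAFCERT_DIR:-/var/spool/crm/leafcerts}"   # directory from step 3

# leafcert_name <HA address>  ->  prints <name>_443.pem
# Assumption: an address containing ':' is IPv6, so the name gets the v6_
# prefix and every ':' becomes '_', as the note in step 4 states.
leafcert_name() {
    addr=$1
    [ -n "$addr" ] || { echo "leafcert_name: empty HA address" >&2; return 1; }
    case $addr in
        # Reject characters that would move the file outside LEAFCERT_DIR.
        */*|*' '*) echo "leafcert_name: invalid character in '$addr'" >&2; return 1 ;;
        *:*) printf 'v6_%s_443.pem\n' "$(printf '%s' "$addr" | tr ':' '_')" ;;
        *)   printf '%s_443.pem\n' "$addr" ;;
    esac
}

# install_leafcert <path to server_lmi.crt> <HA address>
# Copies the certificate into LEAFCERT_DIR under the derived name and
# prints the resulting path. Refuses empty or non-PEM input (assumption:
# the certificate is PEM-encoded, since the target name ends in .pem).
install_leafcert() {
    src=$1
    name=$(leafcert_name "$2") || return 1
    [ -s "$src" ] || { echo "install_leafcert: $src missing or empty" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" \
        || { echo "install_leafcert: $src is not a PEM certificate" >&2; return 1; }
    cp -- "$src" "$LEAFCERT_DIR/$name" || return 1
    printf '%s\n' "$LEAFCERT_DIR/$name"
}
```

Pass the same value to install_leafcert that you enter as HA Address in step 5, so that the file name and the policy refer to the peer identically.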