Manually put encryption keys on the appliances in a high availability pair configured for explicit-trust.
Procedure
- Generate keys on both appliances by running /etc/crm/haconfig.sh -k.
- On the local directory of the remote appliance, copy the file CAcert.pem from /opt/iss/etc/ssl/ha/ to /etc/apache2/ssl.crt/.
- On the remote appliance, copy the file server_lmi.crt to the directory /var/spool/crm/leafcerts/.
- Rename the file server_lmi.crt to <name>_443.pem.
  Note: <name> is the IP address or the DNS name of the remote appliance. This is the appliance you specify as the HA Address in the security interface policy later in this procedure. If <name> is an IPv6 address, the file name must begin with v6_. You must convert : to _.
- In IPS Local Management Interface, go to and configure the sensor high availability mode to:

  | Setting | Option |
  | --- | --- |
  | Mode | Geographical HA |
  | Authentication Level | Explicit-trust |
  | HA Address | IP or DNS Name of the appliance |
- Save and apply the policy changes.
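
The copy and rename steps above depend on getting the <name>_443.pem file name exactly right, because the name has to match the HA Address entered in the policy. The following shell functions are an added example, not part of the product or its documentation: leafcert_name and stage_leafcert are hypothetical helper names, the sample addresses are constructed, and the IPv6 form (v6_ prefix, every : replaced by _) is this example's reading of the note.

```shell
#!/bin/sh
# Added example (not vendor code): build the leaf certificate file name
# from the HA Address and stage the certificate under that name.

# leafcert_name ADDRESS -> prints <name>_443.pem as described in the note.
leafcert_name() {
    addr=$1
    case $addr in
        '')
            echo "leafcert_name: empty address" >&2; return 1 ;;
        */*|*' '*)
            # A slash or space would yield a path or a name that cannot
            # match the HA Address, so refuse it.
            echo "leafcert_name: invalid character in address" >&2; return 1 ;;
        *:*)
            # IPv6 address: name begins with v6_ and each ':' becomes '_'.
            printf 'v6_%s_443.pem\n' "$(printf '%s' "$addr" | tr ':' '_')" ;;
        *)
            # IPv4 address or DNS name is used unchanged.
            printf '%s_443.pem\n' "$addr" ;;
    esac
}

# stage_leafcert CERT ADDRESS [DESTDIR]
# Copies CERT into DESTDIR under the derived name and prints the new path.
stage_leafcert() {
    cert=$1
    addr=$2
    dest=${3:-/var/spool/crm/leafcerts}
    [ -f "$cert" ] || { echo "stage_leafcert: missing $cert" >&2; return 1; }
    [ -d "$dest" ] || { echo "stage_leafcert: missing $dest" >&2; return 1; }
    name=$(leafcert_name "$addr") || return 1
    cp -p "$cert" "$dest/$name" && printf '%s\n' "$dest/$name"
}

# Constructed sample addresses (documentation ranges):
#   leafcert_name 192.0.2.10
#   leafcert_name 2001:db8::1
```

Pass the same string to the helper that you enter as HA Address in the policy, so the file name and the policy value cannot drift apart.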