Geographical HA and encryption keys

You must manually put encryption keys on the appliances in a high availability pair that is configured for explicit-trust.

Procedure

  1. Generate keys on both appliances by running /etc/crm/haconfig.sh -k.
  2. Copy the file CAcert.pem from the local directory /opt/iss/etc/ssl/ha/ to the directory /etc/apache2/ssl.crt/ on the remote appliance.
  3. On the remote appliance, copy the file server_lmi.crt to the directory /var/spool/crm/leafcerts/.
  4. Rename the file server_lmi.crt to <name>_443.pem.
    Note: <name> is the IP address or the DNS name of the remote appliance. This is the appliance that you specify as the HA Address in the security interface policy later in this procedure. If <name> is an IPv6 address, the file name must begin with v6_, and you must replace each : with _.
  5. In the IPS Local Management Interface, go to Manage System Settings > Network > Security Interfaces and configure the sensor high availability mode.
    Setting                 Option
    Mode                    Geographical HA
    Authentication Level    Explicit-trust
    HA Address              IP or DNS name of the appliance
  6. Save and apply the policy changes.
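The file-naming rule in step 4 is the part of this procedure that is easiest to get wrong by hand, especially for IPv6 peers. The following POSIX shell helpers are an added example, not part of the IBM documentation: leafcert_name derives the expected file name from the peer's IP address or DNS name, and stage_leafcert copies server_lmi.crt into the leafcerts directory under that name. The source location of server_lmi.crt is not given on this page, so it is passed in as an argument; the destination defaults to /var/spool/crm/leafcerts as stated in step 3.

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumptions: the peer
# name is passed exactly as it will be entered in the HA Address field, and
# the caller knows where server_lmi.crt was produced on the local appliance.

# Print the file name expected under the leafcerts directory for a peer name:
#   IPv4 address or DNS name -> <name>_443.pem
#   IPv6 address             -> v6_<name with every ':' replaced by '_'>_443.pem
leafcert_name() {
    name="$1"
    case "$name" in
        *:*) printf 'v6_%s_443.pem\n' "$(printf '%s' "$name" | tr ':' '_')" ;;
        *)   printf '%s_443.pem\n' "$name" ;;
    esac
}

# Copy server_lmi.crt (step 3) into the leafcerts directory under the name
# required by step 4 and print the resulting path.
# Arguments: peer name, path to server_lmi.crt, destination directory
# (defaults to /var/spool/crm/leafcerts, as named in the procedure).
stage_leafcert() {
    name="$1"
    src="$2"
    dest_dir="${3:-/var/spool/crm/leafcerts}"
    [ -n "$name" ] || { echo "peer name required" >&2; return 1; }
    [ -f "$src" ]  || { echo "certificate not found: $src" >&2; return 1; }
    target="$dest_dir/$(leafcert_name "$name")"
    mkdir -p "$dest_dir" || return 1
    cp "$src" "$target" || return 1
    printf '%s\n' "$target"
}

# Example invocation for an IPv6 peer; the source path here is illustrative:
#   stage_leafcert 2001:db8::10 /path/to/server_lmi.crt
# -> /var/spool/crm/leafcerts/v6_2001_db8__10_443.pem
```

Before applying the policy in step 6, it is worth confirming that the file staged on the remote appliance is the certificate you intended: running openssl x509 -noout -fingerprint -sha256 -in on the copied file and on the original and comparing the two fingerprints catches a stale or mismatched certificate before the pair tries to trust it.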