You must manually put encryption keys on the appliances
in a high availability pair that is configured for explicit-trust.
Procedure
- Generate keys on both appliances by running /etc/crm/haconfig.sh -k .
- On the local directory of the remote appliance, copy the
file CAcert.pem from /opt/iss/etc/ssl/ha/ to /etc/apache2/ssl.crt/.
- On the remote appliance, copy the file server_lmi.crt to
the directory /var/spool/crm/leafcerts/.
- Rename the file server_lmi.crt to <name>_443.pem.
  Note: <name> is the IP address or the DNS name of the remote
  appliance. This appliance is the appliance that you specify as the
  HA Address in the security interface policy that is explained later
  in this procedure. If <name> is an IPv6 address, the file name must
  begin with v6_. You must convert : to _.
- In the IPS Local Management Interface, go to and configure
the sensor high availability mode.
  | Setting | Option |
  |---|---|
  | Mode | Geographical HA |
  | Authentication Level | Explicit-trust |
  | HA Address | IP or DNS Name of the appliance |
- Save and apply the policy changes.
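
The copy-and-rename steps above fail silently if the file name does not match the HA Address exactly, so the following added example (not vendor code) derives the name and stages the certificate in one step. The function names are hypothetical, the IPv6 layout (v6_ prefix, every : replaced by _, then _443.pem) is an assumption based on the note above, and the private-key refusal is an added safeguard that the procedure does not mention.

```shell
#!/bin/sh
# Added example: build <name>_443.pem from the HA Address and stage the
# peer's server_lmi.crt under that name. Function names are hypothetical.

# Print the leaf-certificate file name for an IP address or DNS name.
leafcert_name() {
    addr=$1
    case $addr in
        "" | */* | *" "*)
            # Reject empty values and anything that could escape the directory.
            echo "invalid HA address: '$addr'" >&2
            return 1 ;;
        *:*)
            # IPv6: prefix with v6_ and convert every ':' to '_'
            # (assumed layout, from the note in the procedure).
            printf 'v6_%s_443.pem\n' "$(printf '%s' "$addr" | tr ':' '_')" ;;
        *)
            printf '%s_443.pem\n' "$addr" ;;
    esac
}

# install_leafcert SRC HA_ADDRESS [DEST_DIR]
# Copies SRC to DEST_DIR/<name>_443.pem and prints the resulting path.
install_leafcert() {
    src=$1
    addr=$2
    dest_dir=${3:-/var/spool/crm/leafcerts}

    name=$(leafcert_name "$addr") || return 1

    [ -s "$src" ] || { echo "missing or empty file: $src" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src" || {
        echo "$src does not contain a PEM certificate" >&2
        return 1
    }
    # Added safeguard: only the certificate should be handed to the peer.
    if grep -q -e 'PRIVATE KEY-----' "$src"; then
        echo "$src contains a private key; refusing to copy" >&2
        return 1
    fi
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 1; }

    cp -- "$src" "$dest_dir/$name" || return 1
    printf '%s\n' "$dest_dir/$name"
}
```

Pass the same value to install_leafcert that you enter as HA Address in the policy, for example a constructed address such as 2001:db8::10, which yields v6_2001_db8__10_443.pem.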