Clustering with Azure Database for MariaDB Servers
Backing up and restoring a node's configuration from EJBCA Cloud 2.0 to another version of 2.0 or later, allows the node to be automatically configured in a cluster using an Azure Database for MariaDB servers.
If an older version before the wizard-based installation is configured or the instance is manually configured to point to the Azure Database for MariaDB server, please skip the first sections below and proceed to Manual Azure Database for MariaDB Configuration.
Wizard Based Configuration EJBCA CLOUD 2.1
The following describes how to configure nodes using the wizard as of version EJBCA Cloud 2.1.
If the Existing EJBCA Database option is chosen with Azure Key Vault backed ManagementCA keys, you must supply the Azure Key Vault Credentials to join the cluster. Please see the documentation on configuring Azure Key Vault with EJBCA Cloud.
To configure nodes (using the wizard as of version EJBCA Cloud 2.1):
- Launch the same quantity of nodes from the AWS Marketplace as is currently in production according to the Azure Launch Guide.
- If using a VIP in this EJBCA cluster, add the VIP address in the wizard Step 1: Host Settings.
- Select the option to use an Existing EJBCA Database in the configuration wizard at launch time.
- Wait for the node to boot using the configuration from the existing installation.
- Once the new nodes are running and connected to the Azure Database for MariaDB server database, remove the old nodes from the load balancer (if used) and add the new ones.
- Confirm the new nodes are properly serving traffic.
Automatic Configuration with Backup/Restore Scripts
To automatically configure with backup and/or restore scripts, using EJBCA Cloud version 2.0:
- Backup your cloud node according to instructions in the EJBCA Cloud Azure Backup Guide.
- Launch another instance in Azure from the Azure Marketplace, according to the EJBCA Cloud Azure Launch Guide.
- Pick the wizard defaults and install a local database. Note that this configuration will be overwritten when the node is clustered to the RDS database.
- Copy the backup file to the new instance.
- Run the
/opt/PrimeKey/support/system_restore.sh
script pointing it to the backup file you just copied to the new instance. For information on restoring a backup, see the EJBCA Cloud Azure Restore and Upgrade Guide. - Generate new TLS certificates for the EJBCA host with the
/opt/PrimeKey/support/new_tls_cert.sh
script. For more information on how to use thenew_tls_cert.sh
script, see the EJBCA Cloud TLS Certificate Generation Guide.
Manual Azure Database for MariaDB Configuration
This procedure assumes that an EJBCA instance is running in Azure and it is connected to Azure Database for MariaDB server and a second node for redundancy is needed:
- Launch another instance in AWS from the AWS Marketplace, according to the EJBCA Cloud Azure Launch Guide. Select the defaults and install a local database. Note that this configuration will be overwritten when the node is restored.
SSH into the newly launched node and edit the
datasource.properties
file.BASHvi /opt/PrimeKey/wildfly_config/datasource.properties
Edit the configuration so that it points to the Azure Database for MariaDB server database using the password you configured. You can get these values from the Azure Database for MariaDB server console, or from node 1. The file contains the following properties:
- DATABASE_ADDRESS: The RDS address of the database in AWS.
- DATABASE_NAME: The name of the database chosen in the EJBCA Cloud Configuration Wizard.
- DATABASE_USERNAME: The name of the user chosen in the EJBCA Cloud Configuration Wizard.
- DATABASE_PASSWORD: The password chosen in the RDS console when configuring the database.
Restart WildFly:
BASHsystemctl restart wildfly
Ensure the EJBCA UI loads correctly and that the contents of EJBCA match the installation on Node 1.
Generate a new TLS certificate for the host from the Azure Database for MariaDB server database. If you are going to use a VIP to load balance between the two nodes, add that into the certificate. For example, if using pki.company.com, add that with -d. This VIP should be in the TLS certificate on both nodes. If node 1 does not have the VIP in its certificate, run the following. For more information on how to use the
new_tls_cert.sh
script, see the EJBCA Cloud TLS Certificate Generation Guide.BASH/opt/PrimeKey/support/new_tls_cert.sh -p -d pki.domain.com
Ensure the EJBCA UI loads and the data is consistent with Node 1.