Cluster: Add a Node to a Cluster

Preconditions for Adding Cluster Nodes

  • Only newly created nodes that no one has logged into yet can be added.

  • If the node that initiates another node to join the cluster has a hostname, this hostname must be resolvable from the joining node.
    If this cannot be guaranteed, the hostname should be temporarily removed until the new node has been added.

  • During the reverse TLS check, the default interface IP is always sent to the other node.
    To successfully set up a cluster, the node (Node2) being added must be able to reach Node1.
    This is only possible if both nodes are on the same network, or if Node1 is on the default interface. If that is not the case, this can be done by specifying the This Node's Address dialog.

  • If the joining node (Node2) is added via FQDN, make sure that it can resolve the name of Node1.
    In general, the initializing node (Node1) sends a reverse DNS probe to the joining node. A reverse DNS probe is a method of looking up a domain name associated with an IP address. This ensures that Node2 can resolve the name of Node1. If the DNS check fails, the configuration of the name server is incorrect or missing.

  • If you add a node that is not newly deployed, you will see the following error after clicking Fetch TLS Fingerprint: Connection to other node failed.

  • If you want to add a new cluster node to an existing cluster, all existing nodes must be connected.

  • It is important that all nodes in the cluster are running the same version!

Proceed as follows to create a first cluster node or to add a node to an existing cluster:

  1. Log in to your Keyfactor Next Generation Hardware Appliance.

  2. Open the Cluster page.

  3. In the section Cluster Members, click Unlock to make changes.

  4. Click Add Cluster Node to open the Add Cluster Node dialog:

    • Enter the Cluster Node Address of the new node as IPv4 or IPv6 address or as FQDN.

    • In the This Node's Address dialog specify how the joining node should reach the new node to be created. This field is already pre-filled and only needs to be adjusted if the other node cannot reach this node via its default interface.

    • Trust Link
      Click Fetch Fingerprint to get the TLS fingerprint of the new node.
      The TLS fingerprint will be displayed.

    • Compare the indicated TLS fingerprint with the TLS fingerprint shown on the front display of the new node.

    • If the two fingerprints are identical, confirm this by activating the option TLS Fingerprint matches. The field OTP will becomes editable.

    • Enter the OTP for the new node.

    • Click Add Cluster Node to confirm your entries and create the new node.

  5. In the section Cluster Status information about the current cluster is displayed. After the new node has been added, the VPN between the nodes will be created and the new node will receive information about the cluster configuration and the HSM type.

  6. In the section Cluster Members, the already existing node is displayed in a list.

    1. The Connectivity for the existing node is named This Node.

    2. In the Action column Show Status and Edit is available.
      The new node appears with the connectivity status Initializing,
      which changes to Connecting and
      finally to Connected.

    3. In the Action column is now Show Status, Edit and Remove available.

    4. At the same time, the Last Transaction ID (LTID) of all nodes will converge.

  7. When the new node appears as Connected, the cluster is operational.


Resolving Cluster Node Addresses

When a node is added to a new cluster, two entries are added to the cluster configuration.

  • The address for the new node

  • and the adjusted address for Node1.

The entry for the address of the newly added node is exactly as specified. The current network configuration of Node1 is used to decide which of the available addresses of Node1 is selected for the cluster configuration.

The rules for the Node1 address in the cluster configuration are as follows:

  1. You enter an IPv4 address for the new node → pick the IPv4 address of Node1.

  2. You enter an IPv6 address for the new node → pick the IPv6 address of Node1.

  3. You enter a hostname for the new node and

    1. Node1 has a hostname → we pick the hostname of Node1.

    2. Node1 does not have a hostname and

      • The hostname of the new node only resolves to IPv4 → pick the IPv4 address of Node1.

      • The hostname of the new node only resolves to IPv6 → pick the IPv6 address of Node1.

      • The hostname of the new node resolves to IPv4 and IPv6 → pick the IPv6 address of Node1.

Switch between Cluster Nodes

As soon as a cluster is configured you will find a drop down node selection list in the title bar:

The list offers the following:

  • Node1: The name in the title bar is the name of the cluster node you are currently connected to.

  • Cluster Nodes in list: The list contains all available cluster nodes, excluding the node to which you are currently connected. Click any node to switch to its Webconf.

  • Configure cluster: To go directly to the Cluster page of the node you are currently connected to, click Configure cluster. It is also possible to click on Cluster in the Webconf menu.


Next Step: HSM and Key Synchronization in a Cluster

To continue the HSM of the newly connected cluster must synchronized.


For u.trust please refer to HSM and Key Synchronization in a Cluster for u.trust

For Luna please refer to HSM and Key Synchronization in a Cluster for Luna