Clustering with RDS
Backing up and restoring a node's configuration from SignServer Cloud 2.0 to another version of 2.0 or later allows the node to be automatically configured in a cluster using a Relational Database Service (RDS). This automatic method will also get the CloudHSM keys as well as TLS certificates automatically.
If a version prior to SignServer Cloud 2.0 is installed or the instance is manually configured to point to RDS, please skip the first sections below and proceed to Manual RDS Configuration.
Wizard Based Configuration SIGNSERVER CLOUD 2.1
The following describes how to configure nodes using the wizard as of version SignServer Cloud 2.0.
To configure nodes (using the wizard as of version SignServer Cloud 2.0):
- Launch the same quantity of nodes from the AWS Marketplace as is currently in production according to the AWS Launch Guide.
- If using a VIP in this SignServer cluster, add the VIP address in the wizard Step 1: Host Settings.
- Select the option to use an Existing SignServer Database in the configuration wizard at launch time.
- Wait for the node to boot using the configuration from the existing installation.
- Once the new nodes are running and connected to the RDS database, remove the old nodes from the load balancer (if used) and add the new ones.
- Confirm the new nodes are properly serving traffic.
Automatic Configuration with Backup/Restore Scripts
To automatically configure with backup and/or restore scripts, using SignServer Cloud version 2.0:
- Backup your cloud node according to instructions in the SignServer Cloud AWS Backup Guide.
- Launch another instance in AWS from the AWS Marketplace, according to the SignServer Cloud AWS Launch Guide.
- Pick the wizard defaults and install a local database. Note that this configuration will be overwritten when the node is clustered to the RDS database.
- Copy the backup file to the new instance.
- Run the
/opt/PrimeKey/support/system_restore.sh
script pointing it to the backup file you just copied to the new instance. For information on restoring a backup, see the SignServer Cloud AWS Restore and Upgrade Guide. - Generate new TLS certificates for the SignServer host with the
/opt/PrimeKey/support/new_tls_cert.sh
script. For more information on how to use thenew_tls_cert.sh
script, see the SignServer Cloud TLS Certificate Generation Guide.
Manual RDS Configuration
This procedure assumes that an SignServer instance is running in AWS and it is connected to RDS and a second node for redundancy is needed:
- Launch another instance in AWS from the AWS Marketplace, according to the SignServer Cloud AWS Launch Guide. Select the defaults and install a local database. Note that this configuration will be overwritten when the node is restored.
SSH into the newly launched node and edit the
datasource.properties
file.BASHvi /opt/PrimeKey/wildfly_config/datasource.properties
- Edit the configuration so that it points to the RDS database using the password you configured. You can get these values from the RDS console, or from node 1. The file contains the following properties:
- DATABASE_ADDRESS: The RDS address of the database in AWS.
- DATABASE_NAME: The name of the database chosen in the SignServer Cloud Configuration Wizard.
- DATABASE_USERNAME: The name of the user chosen in the SignServer Cloud Configuration Wizard.
- DATABASE_PASSWORD: The password chosen in the RDS console when configuring the database.
Restart WildFly:
BASHsystemctl restart wildfly
Ensure the SignServer UI loads correctly and that the contents of SignServer match the installation on Node 1.
Generate a new TLS certificate for the host from the RDS database. If you are going to use a VIP to load balance between the two nodes, add that into the certificate. For example, if using pki.company.com, add that with -d. This VIP should be in the TLS certificate on both nodes. If node 1 does not have the VIP in its certificate, run the following. For more information on how to use the
new_tls_cert.sh
script, see the SignServer Cloud TLS Certificate Generation Guide.BASH/opt/PrimeKey/support/new_tls_cert.sh -p -d pki.domain.com
Ensure the SignServer UI loads and the data is consistent with Node 1.