Configuring the Secure Factory Service cluster
To configure the Secure Factory Service cluster, on the first node (HOST1) only:
- Extract the contents of the ZIP archive:

      tar -C <extraction path> -xvzf secure_factory_<Secure Factory version>.tar.gz

  Where <extraction path> is an existing directory to which you have access rights.

- Set an installation path by defining the FACTORY_HOME_DIR environment variable:

      export FACTORY_HOME_DIR=<installation path>

  Where <installation path> must be different from the <extraction path> to which you extracted the tar.gz file.

  Note: Add export FACTORY_HOME_DIR=<installation path> to your .bashrc file so that the environment variable is still available after signing out.

  If you do not set an installation path, the script installs Secure Factory Service in the /usr/local/arm/secure_factory path by default. In most systems, using this path requires root access rights or explicitly granting the user read and write access rights.

- Set up the Secure Factory Service cluster on the first node (HOST1):

  - Set the parameters in the service-deployment/prod/config.properties file:

        ##################################
        # Cluster host names / IP addresses
        ############################################################
        HOST1=
        HOST2=
        HOST3=
        HSM_SERVER_1=
        HSM_SERVER_2=
        ############################################################
        # Secure Factory Command server basic authentication configuration
        ############################################################
        SERVICE_ADMIN_USERNAME=admin
        ############################################################
        # Secure Factory TLS configuration
        ############################################################
        COMPANY=
        FACTORY_NAME=

    - Set the host values in the order in which you intend to install the machines:

          HOST1=<IP address of the first machine on which you install Secure Factory Service>
          HOST2=<IP address of the second Secure Factory Service installation>
          HOST3=<IP address of the third Secure Factory Service installation>

      Development note: To install a single server for development purposes, define HOST1 only and set HOST2=mock and HOST3=mock. Subsequently, you must uninstall the server and begin the installation process from scratch to configure a cluster.

      Note: We recommend installing all three cluster nodes together. However, if you do not have three nodes available, you can install two nodes following the regular installation procedure, and later add the third node to the cluster as described in "Adding a third node after installing only two nodes". Please note that if you only have two MongoDB nodes and one of the nodes goes offline, the cluster becomes unavailable.

    - Set the HSM_SERVER_1 and HSM_SERVER_2 values to <new-hsm-hostname-1.domain.com> and <new-hsm-hostname-2.domain.com> defined during HSM setup.

      Development note: To use an HSM emulator for development purposes, leave the HSM_SERVER_1 and HSM_SERVER_2 lines blank and add a new line with HSM_TYPE=db.

    - Define SERVICE_ADMIN_USERNAME. This is the username that an admin user enters to log in to the Secure Factory Command UI.

      Note: You configure the password related to this username as part of the setup command in the next step. The username and password values are the same on all three machines.

    - Define the COMPANY and FACTORY_NAME fields in the Secure Factory TLS configuration section of the configuration file.

      Secure Factory Service uses these fields in creating the Secure Factory CA certificate (ca.crt) and Secure Factory server certificates.

      These certificates enable components of the Secure Factory solution to authenticate communication with each other using the TLS protocol.

  - Run the setup command with the --cluster-init flag in the service-deployment/prod directory on the first node:

        ./sfn setup --cluster-init

    The setup command generates all required resources, credentials and certificates for the various services and loads the services' docker images.

    Adding the --cluster-init flag on the first node generates resources that are common to all three nodes.

    The Secure Factory Node (sfn) CLI tool prompts you to set the Secure Factory Command password.
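The development-only settings described above (HOST2=mock, HOST3=mock and HSM_TYPE=db) should not reach a production cluster, so it is worth linting config.properties before running the setup command. The script below is an added example, not part of the Secure Factory tooling: the function name check_sf_config and its return codes are hypothetical, the rule that the three hosts must differ is an assumption, and the two-node install mentioned in the note is not covered.

```shell
#!/usr/bin/env bash
# Added example: pre-flight lint for service-deployment/prod/config.properties.
# Key names and the development-only values (mock, HSM_TYPE=db) come from the
# page; check_sf_config and its return codes are hypothetical, not part of sfn.

# Print the value of key $2 in properties file $1 (last assignment wins).
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# Returns 0 = cluster-ready, 1 = invalid, 2 = valid but development-only.
# The ( ) function body runs in a subshell, so its variables do not leak.
check_sf_config() (
  f=$1 err=0 dev=0
  [ -r "$f" ] || { echo "ERROR: cannot read $f" >&2; return 1; }
  h1=$(prop "$f" HOST1); h2=$(prop "$f" HOST2); h3=$(prop "$f" HOST3)
  s1=$(prop "$f" HSM_SERVER_1); s2=$(prop "$f" HSM_SERVER_2)
  t=$(prop "$f" HSM_TYPE)

  # Hosts, the admin login name and the names used for ca.crt must be set.
  for k in HOST1 HOST2 HOST3 SERVICE_ADMIN_USERNAME COMPANY FACTORY_NAME; do
    [ -n "$(prop "$f" "$k")" ] || { echo "ERROR: $k is empty" >&2; err=1; }
  done

  # Hosts: one development server (HOST2=mock, HOST3=mock) or three nodes.
  # Assumption: in a real cluster the three addresses must be distinct.
  if [ "$h2" = mock ] && [ "$h3" = mock ] && [ "$h1" != mock ]; then
    echo "WARN: single development server (HOST2/HOST3=mock)" >&2; dev=1
  elif [ "$h1" = mock ] || [ "$h2" = mock ] || [ "$h3" = mock ]; then
    echo "ERROR: mock is only valid on HOST2 and HOST3 together" >&2; err=1
  elif [ "$h1" = "$h2" ] || [ "$h1" = "$h3" ] || [ "$h2" = "$h3" ]; then
    echo "ERROR: HOST1, HOST2 and HOST3 must differ" >&2; err=1
  fi

  # HSM: two real HSM servers, or both lines blank plus HSM_TYPE=db (emulator).
  if [ "$t" = db ] && [ -z "$s1$s2" ]; then
    echo "WARN: HSM emulator in use (HSM_TYPE=db)" >&2; dev=1
  elif [ "$t" = db ] || [ -z "$s1" ] || [ -z "$s2" ]; then
    echo "ERROR: set both HSM_SERVER_n, or blank both with HSM_TYPE=db" >&2; err=1
  fi

  [ "$err" -eq 0 ] || return 1
  [ "$dev" -eq 0 ] || return 2
  echo "OK: $f is ready for ./sfn setup --cluster-init"
)

# Stand-alone use: bash <this script> service-deployment/prod/config.properties
[ "$#" -eq 0 ] || check_sf_config "$1"
```

A return code of 2 means the file is internally consistent but describes a development install, which a deployment pipeline for HOST1 can treat as a failure.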