Configuring the Secure Factory Service cluster
To configure the Secure Factory Service cluster, on the first node (HOST1) only:

- Extract the contents of the tar.gz archive:

      tar -C <extraction path> -xvzf secure_factory_<Secure Factory version>.tar.gz

  Where <extraction path> is an existing directory to which you have access rights.

- Set an installation path by defining the FACTORY_HOME_DIR environment variable:

      export FACTORY_HOME_DIR=<installation path>

  Where <installation path> must be different from the <extraction path> to which you extracted the tar.gz file.

  Note: Add export FACTORY_HOME_DIR=<installation path> to your .bashrc file so that the environment variable remains available after you sign out. If you do not set an installation path, the script installs Secure Factory Service in the /usr/local/arm/secure_factory path by default. On most systems, using this path requires root access rights or explicitly granting the user read and write access rights.

- Set up the Secure Factory Service cluster on the first node (HOST1):

  - Set the parameters in the service-deployment/prod/config.properties file:

        ############################################################
        # Cluster host names / IP addresses
        ############################################################
        HOST1=
        HOST2=
        HOST3=
        HSM_SERVER_1=
        HSM_SERVER_2=
        ############################################################
        # Secure Factory Command server basic authentication configuration
        ############################################################
        SERVICE_ADMIN_USERNAME=admin
        ############################################################
        # Secure Factory TLS configuration
        ############################################################
        COMPANY=
        FACTORY_NAME=

    - Set the host values in the order in which you intend to install the machines:

          HOST1=<IP address of the first machine on which you install Secure Factory Service>
          HOST2=<IP address of the second Secure Factory Service installation>
          HOST3=<IP address of the third Secure Factory Service installation>

      Development note: To install a single server for development purposes, define HOST1 only and set HOST2=mock and HOST3=mock. To configure a cluster later, you must uninstall the server and begin the installation process from scratch.

      Note: We recommend installing all three cluster nodes together. However, if you do not have three nodes available, you can install two nodes following the regular installation procedure and later add the third node to the cluster as described in Adding a third node after installing only two nodes. Please note that if you only have two MongoDB nodes and one of them goes offline, the cluster becomes unavailable.

    - Set the HSM_SERVER_1 and HSM_SERVER_2 values to the <new-hsm-hostname-1.domain.com> and <new-hsm-hostname-2.domain.com> host names defined during HSM setup.

      Development note: To use an HSM emulator for development purposes, leave the HSM_SERVER_1 and HSM_SERVER_2 lines blank and add a new line with HSM_TYPE=db.

    - Define SERVICE_ADMIN_USERNAME. This is the username that an admin user enters to log in to the Secure Factory Command UI.

      Note: You configure the password for this username as part of the setup command in the next step. The username and password values are the same on all three machines.

    - Define the COMPANY and FACTORY_NAME fields in the Secure Factory TLS configuration section of the configuration file. Secure Factory Service uses these fields when creating the Secure Factory CA certificate (ca.crt) and the Secure Factory server certificates. These certificates enable the components of the Secure Factory solution to authenticate communication with each other using the TLS protocol.

  - Run the setup command with the --cluster-init flag in the service-deployment/prod directory on the first node:

        ./sfn setup --cluster-init

    The setup command generates all required resources, credentials and certificates for the various services and loads the services' Docker images. Adding the --cluster-init flag on the first node generates the resources that are common to all three nodes. The Secure Factory Node (sfn) CLI tool prompts you to set the Secure Factory Command password.
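As an added example, not taken from the Arm documentation or the sfn tool, the following POSIX shell pre-flight check applies the rules stated in the steps above to a config.properties file before setup turns those values into credentials and certificates. The get_prop and check_config function names, the sample host address, and the ExampleCorp/plant-a values are constructed for the example.

```shell
#!/bin/sh
# Added example (not Arm's documentation or the sfn tool): pre-flight check of
# service-deployment/prod/config.properties against the rules in the procedure,
# run before ./sfn setup --cluster-init derives credentials and certificates.

# get_prop FILE KEY: value of KEY (first match, whitespace trimmed; empty if unset)
get_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_config FILE [EXTRACTION_PATH]: prints each violation, returns 0 only if none
check_config() {
    f=$1; extract=$2; errs=0
    h1=$(get_prop "$f" HOST1); h2=$(get_prop "$f" HOST2); h3=$(get_prop "$f" HOST3)
    [ -n "$h1" ] || { echo "HOST1 must be set"; errs=$((errs + 1)); }
    # development mode is HOST2=mock and HOST3=mock together, never only one of them
    if [ "$h2" = mock ] || [ "$h3" = mock ]; then
        [ "$h2" = mock ] && [ "$h3" = mock ] ||
            { echo "HOST2 and HOST3 must both be 'mock' for a single-server install"; errs=$((errs + 1)); }
    fi
    hsm1=$(get_prop "$f" HSM_SERVER_1); hsm2=$(get_prop "$f" HSM_SERVER_2)
    if [ -z "$hsm1" ] && [ -z "$hsm2" ]; then
        # blank HSM servers are only valid with the development emulator (HSM_TYPE=db)
        [ "$(get_prop "$f" HSM_TYPE)" = db ] ||
            { echo "HSM_SERVER_1/HSM_SERVER_2 blank without HSM_TYPE=db"; errs=$((errs + 1)); }
    elif [ -z "$hsm1" ] || [ -z "$hsm2" ]; then
        echo "both HSM_SERVER_1 and HSM_SERVER_2 must be set"; errs=$((errs + 1))
    fi
    for k in SERVICE_ADMIN_USERNAME COMPANY FACTORY_NAME; do
        [ -n "$(get_prop "$f" "$k")" ] || { echo "$k must be set"; errs=$((errs + 1)); }
    done
    # the installation path must differ from the extraction path
    if [ -n "$extract" ] && [ "${FACTORY_HOME_DIR:-}" = "$extract" ]; then
        echo "FACTORY_HOME_DIR must differ from the extraction path $extract"; errs=$((errs + 1))
    fi
    [ "$errs" -eq 0 ]
}

# Constructed sample (development values) in the shape of the shipped file.
write_sample() {
    f=$(mktemp)
    printf '%s\n' 'HOST1=10.0.0.11' 'HOST2=mock' 'HOST3=mock' 'HSM_SERVER_1=' \
        'HSM_SERVER_2=' 'HSM_TYPE=db' 'SERVICE_ADMIN_USERNAME=admin' \
        'COMPANY=ExampleCorp' 'FACTORY_NAME=plant-a' >"$f"
    echo "$f"
}

sample=$(write_sample)
check_config "$sample" && echo "$sample: OK"
```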