This section lists the FAQs on TAC.
Question | Answer |
---|---|
Can I block communication between appliances? | No. Blocking communication between appliances is disabled from release v7.1.0 MR2. |
What is the recommended minimum quorum of servers required in a cluster? | The recommended minimum quorum of servers required in a cluster is three. |
How to determine which appliance is the leader of the cluster? | In the OS Console of an appliance, run the following command: `/usr/local/consul operator raft list-peers -http-addr https://localhost:9000 -ca-file /opt/consul/ssl/ca.pem -client-cert /opt/consul/ssl/cert.pem -client-key /opt/consul/ssl/cert.key` |
Can I change the certificates of an appliance that is added to a cluster? | Yes. Ensure that the certificates are valid. For more information about the validity of the certificates, refer here. |
Can I remove the last server from the cluster? | No, you cannot remove the last server from the cluster. The clients depend on this server for cluster-related information. If you remove this server, you risk destabilizing the cluster. |
How to determine the role of an appliance in a cluster? | In the Web UI, navigate to the Trusted Appliance Cluster. On the screen, the labels for the appliances appear. The label for the server is Consul Server and that of the client is Consul Client. |
Can I add an appliance other than ESA as server? | Yes. Ensure that the value of the type attribute in the agent.json file under the /opt/cluster-consul-integration/configure directory is set as server. |
Can I clone a machine and join it to the cluster? | Yes, you can clone a machine and join it to the cluster. However, if you use cloned machines, you must rotate the keys on all cloned nodes before joining the cluster. If the cloned machines have proxy authentication, two-factor authentication, or TAC enabled, it is recommended to use new machines. This avoids limitations or conflicts such as inconsistent TAC, mismatched node statuses, conflicting nodes, and key rotation failures due to keys in use. For more information about rotating the keys, refer here. |
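
The leader and quorum answers above can be checked together from the `list-peers` output. The following script is an added example, not part of the product documentation. It assumes the Node, ID, Address, State, Voter column layout that Consul prints for `operator raft list-peers`; the function names are hypothetical and the sample peer list is constructed.

```shell
#!/bin/sh
# Constructed sample of `consul operator raft list-peers` output.
# Node names, IDs and addresses are made up for illustration.
sample_peers() {
cat <<'EOF'
Node   ID         Address         State     Voter  RaftProtocol
esa-1  aaaa-1111  10.0.0.11:8300  follower  true   3
esa-2  bbbb-2222  10.0.0.12:8300  leader    true   3
dsg-1  cccc-3333  10.0.0.13:8300  follower  true   3
EOF
}

# Print the node name of the Raft leader. Reads list-peers output on stdin.
# The State column is located from the header row, not by fixed position.
raft_leader() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "State") s = i; next }
       s && $s == "leader" { print $1 }'
}

# Print the number of voting servers. Reads list-peers output on stdin.
raft_voters() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "Voter") v = i; next }
       v && $v == "true" { n++ }
       END { print n + 0 }'
}

# Report leader and voter count. Returns 2 when no leader is listed,
# 1 when fewer than the recommended three servers vote, 0 otherwise.
check_cluster() {
  peers=$(cat)
  leader=$(printf '%s\n' "$peers" | raft_leader)
  voters=$(printf '%s\n' "$peers" | raft_voters)
  if [ -z "$leader" ]; then
    echo "no leader listed"
    return 2
  fi
  if [ "$voters" -lt 3 ]; then
    echo "leader=$leader voters=$voters (below recommended minimum of 3)"
    return 1
  fi
  echo "leader=$leader voters=$voters"
}

# On an appliance, pipe the command from the FAQ into check_cluster instead:
#   /usr/local/consul operator raft list-peers -http-addr https://localhost:9000 \
#     -ca-file /opt/consul/ssl/ca.pem -client-cert /opt/consul/ssl/cert.pem \
#     -client-key /opt/consul/ssl/cert.key | check_cluster
sample_peers | check_cluster
```
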