Trusted Appliances Cluster (TAC) on

TAC Topology

Mon, 01 Jan 0001 00:00:00 +0000

The TAC is a connected graph with a fully connected cluster. In a fully connected cluster, every node directly communicates with other nodes in the cluster.

The following figure shows a connected graph with four nodes A, B, C, and D that are directly connected to each other.

In a TAC, each appliance is classified either as a client or a server.

Client: A client is a stateless agent that requests information from a server.
Server: A server maintains information about all the appliances in the cluster, performs regular health checks, and responds to queries from the clients.

A server can be further classified as a leader or a follower. The leader is responsible for maintaining the status of cluster and replicating cluster-related information among other servers in the cluster. The first appliance that is added the cluster is the leader. The other appliances added to the cluster are followers.

Cluster Configuration Files

Mon, 01 Jan 0001 00:00:00 +0000

In a cluster, you can deploy an appliance as a server or a client by modifying the cluster configuration files. For deploying an appliance on a cluster, the following configuration files are available for an appliance.

agent.json

The agent.json file specifies the role of an appliance in the cluster. The file is available in the /opt/cluster-consul-integration/configure directory.

The following table describes the attributes that can be configured in the agent.json file.

Deploying Appliances in a Cluster

Mon, 01 Jan 0001 00:00:00 +0000

You can deploy the appliances in a cluster as a server or a client. The type attribute in the agent.json file and the PAP_eligible_servers and maximum_servers attributes in the agent_auto.json file determine how the appliance is deployed in the cluster.

The files agent.json and agent_auto.json are located at /opt/cluster-consul-integration/configure directory.

The following flowchart illustrates how an appliance is deployed in a cluster.

Cluster Security

Mon, 01 Jan 0001 00:00:00 +0000

This section describes about the Cluster Security.

Gossip Key

In the cluster, the appliances communicate using the Gossip protocol. The cluster supports encrypting the communication using the gossip key. This key is generated during the creation of the cluster. The gossip key is then shared across all the appliances in the cluster.

SSL Certificates

SSL certificates are used to authenticate the appliances on the cluster. Every appliance contains the following default cluster certificates in the certificate repository:

Reinstalling Cluster Services

Mon, 01 Jan 0001 00:00:00 +0000

If the configuration files for TAC are corrupted, you can reinstall the consul service.

Before you begin

Ensure that Cluster-Consul-Integration service is uninstalled before reinstalling Consul service.

To reinstall the Cluster-Consul-Integration service:

In the CLI Manager, navigate to Administration > Add/Remove Services.
Press ENTER.
Enter the root password and select OK.
Select Install applications.
Select the Consul service and select OK.
Select Yes.

The Consul product is reinstalled on your appliance.

Uninstalling Cluster Services

Mon, 01 Jan 0001 00:00:00 +0000

If there is cluster with a maximum of ten nodes and you do not want to continue with the integrated cluster services, then uninstall the cluster services.

To uninstall cluster services:

Remove the appliance from the TAC.
In the CLI Manager, navigate to Administration > Add/Remove Services.
Press ENTER.
Enter the root password and select OK.
Select Remove already installed applications.
Select Cluster-Consul-Integration v1.0.0 and select OK.

The integration service is uninstalled.

FAQs on TAC

Mon, 01 Jan 0001 00:00:00 +0000

This section lists the FAQs on TAC.

Question	Answer
Can I block communication between appliances?	No. Blocking communication between appliances is disabled from release v7.1.0 MR2.
What is the recommended minimum quorum of servers required in a cluster?	The recommended minimum quorum of servers required in a cluster is three.
How to determine which appliance is the leader of the cluster?	In the OS Console of an appliance, run the following command: `/usr/local/consul operator raft list-peers -http-addr https://localhost:9000 -ca-file /opt/consul/ssl/ca.pem -client-cert /opt/consul/ssl/cert.pem -client-key /opt/consul/ssl/cert.key`
Can I change the certificates of an appliance that is added to a cluster?	Yes. Ensure that the certificates are valid. For more information about the validity of the certificates, refer here.
Can I remove the last server from the cluster?	No, you cannot remove the last server from the cluster. The clients depend on this server for cluster related information. If you remove this server, then you risk de-stabilizing the cluster.
How to determine the role of an appliance in a cluster?	In the Web UI, navigate to the Trusted Appliance Cluster. On the screen, the labels for the appliances appear. The label for the server is Consul Server and that of the client is Consul Client.
Can I add an appliance other than ESA as server?	Yes. Ensure that the value of the type attribute in the `agent.json` file under the `/opt/cluster-consul-integration/configure` directory is set as server.
Can I clone a machine and join it to the cluster?	Yes, you can clone a machine to join in the cluster.However, if you are using cloned machines to join a cluster, it is necessary to rotate the keys on all cloned nodes before joining the cluster. If the cloned machines have proxy authentication, two factor authentication, or TAC enabled, it is recommended to use new machines. This avoids any limitations or conflicts, such as, inconsistent TAC, mismatched node statuses, conflicting nodes, and key rotation failures due to keys in use.
For more information about rotating the keys, refer here.

Creating a TAC using the Web UI

Mon, 01 Jan 0001 00:00:00 +0000

You can create a TAC, where you add an appliance to the cluster.

Before you begin

When setting up or adding appliances to your cluster, you may be required to request a license for new nodes from Protegrity.
For more information about licensing, refer to the Protegrity Data Security Platform Licensing and your license agreement with Protegrity.

Before creating a TAC, ensure that the SSH Authentication type is set to Password + PublicKey.

Connection Settings

Mon, 01 Jan 0001 00:00:00 +0000

In a TAC, you can create a partially connected cluster using the Connecting Setting feature. In a partially connected cluster, the nodes selectively communicate with other nodes in the cluster without disconnecting the graph. If you want to avoid redundant information between certain nodes in the cluster, you can block the direct communication between them.

This feature is only supported if the Cluster-Consul-Integration and Consul components are not installed on your system.

Joining an Existing Cluster using the Web UI

Mon, 01 Jan 0001 00:00:00 +0000

If your appliance is not a part of any trusted appliances cluster, then you can add it to an existing cluster. This section describes the steps to join a TAC using the Web UI.

Before you begin

If you are using cloned machines to join a cluster, it is necessary to rotate the keys on all cloned nodes before joining the cluster.

If the cloned machines have proxy authentication, two factor authentication, or TAC enabled, it is recommended to use new machines. This avoids any limitations or conflicts, such as, inconsistent TAC, mismatched node statuses, conflicting nodes, and key rotation failures due to keys in use.

Managing Communication Methods for Local Node

Mon, 01 Jan 0001 00:00:00 +0000

Every node in a network is identified using a unique identifier. A communication method is a qualifier for the remote nodes in the network to communicate with the local node.

There are two standard methods by which a node is identified:

Local IP Address of the system (ethMNG)
Host name

The nodes joining a cluster use the communication method to communicate with each other. The communication between nodes in a cluster occur over one of the accessible communication methods.

Viewing Cluster Information

Mon, 01 Jan 0001 00:00:00 +0000

This section describes the how to view cluster information using the Web UI.

To execute commands using Web UI:

In the Web UI, navigate to System > Trusted Appliances Cluster .

The screen with the appliances connected to the cluster appears.
Select All in the drop-down list.

The following options appear:

Node Summary
Cluster Tasks
DiskFree
MemoryFree
Network
System Info
Top 10 CPU
Top 10 Memory
All

Select the required option.

Removing a Node from the Cluster using the Web UI

Mon, 01 Jan 0001 00:00:00 +0000

This section describes the steps to remove a node from a cluster using the Web UI.

Before you begin

If a node is associated with a cluster task that is based on the hostname or IP address, then the Leave Cluster operation will not remove node from the cluster. Ensure that you delete all such tasks before removing any node from the cluster.

Removing the node

On the Web UI of the node that you want to remove from the cluster, navigate to System > Trusted Appliances Cluster.