TAC Replication of Key Store-specific Files and Certificates

Steps to perform TAC replication of Key Store-specific files and certificates.

A Trusted Appliances Cluster (TAC) is a tool in which appliances, such as the ESA, replicate and maintain information. A trusted channel is created to transfer data between the appliances in a cluster. This section describes the steps that must be followed to replicate the Key Store-specific files and certificates in a TAC. It also explains the measures you must take when performing a replication without the Key Store files and certificates.

For more information about TAC, refer to the section Trusted Appliances Cluster (TAC).

A Key Store can be configured to accept either of the following:

  • Same certificate from all the clients. In this scenario, select the Backup Policy-Management for Trusted Appliances Cluster option from the System > Backup & Restore > Export screen.
  • Client-specific certificates. In this case, the TAC replication must not include Key Store files and certificates. In addition, all the nodes in the cluster must be configured to connect to the same Key Store host and Key Store slot. In this scenario, select the Backup Policy-Management for Trusted Appliances Cluster without Key Store option from the System > Backup & Restore > Export screen.

Replicating the Key Store-specific Files and Certificates in a TAC

This section explains the steps that must be followed to ensure replication of the Key Store files and certificates in a Trusted Appliances Cluster (TAC).

  1. On the source ESA, switch from Protegrity Soft HSM to Key Store.
    For more information about switching from Protegrity Soft HSM to Key Store, refer to the section Switching Key Stores.

  2. Create a TAC between the source and the target ESA.
    For more information about creating a TAC, refer to the section Trusted Appliances Cluster (TAC).

  3. On the source ESA, navigate to the ESA Web UI > System > Backup & Restore.

  4. Select Cluster Export.

  5. Select Backup Policy-Management for Trusted Appliances Cluster.
    This option exports the policy management configurations and data from the source ESA to a specific target ESA node in a Trusted Appliances Cluster. The data includes the Key Store-specific files and certificates.

Excluding the Key Store-specific Files and Certificates in a TAC Replication

This section explains the measures you must take while performing a TAC replication without the Key Store files and certificates.

Caution: This section must be followed only when you have a Key Store configured with client-specific certificates on the target ESA nodes, but the Key Store is not in Active state.

If you select the Backup Policy-Management for Trusted Appliances Cluster option from the ESA Web UI > System > Backup & Restore, then the TAC replication process replaces the Key Store-specific files and certificates on the target ESA with the files and certificates from the source ESA. If you want to retain client-specific Key Store files and certificates on the target ESA during TAC replication, then ensure that you select the Backup Policy-Management for Trusted Appliances Cluster without Key Store option.

The following steps must be performed to ensure that the initial TAC replication setup is completed successfully with the client-specific Key Store files and certificates for the source ESA and the target ESA.

  1. On the source ESA, switch from Protegrity Soft HSM to Key Store.
    For more information about switching from Protegrity Soft HSM to Key Store, refer to the section Switching Key Stores.

  2. On the target ESA, configure the Key Store with the same name as that of the Key Store on the source ESA.

    Important: Do not activate the Key Store on the target ESA.

  3. Create a TAC between the source and the target ESA.
    For more information about creating a TAC, refer to the section Trusted Appliances Cluster (TAC).

  4. On the source ESA, navigate to the ESA Web UI > System > Backup & Restore.

  5. Select Cluster Export.

  6. Select Backup Policy-Management for Trusted Appliances Cluster without Key Store.
    This option exports the policy management configurations and data excluding the Key Store files and certificates to a specific cluster node in a Trusted Appliances Cluster.


Last modified : October 31, 2025