Geographical HA and encryption keys

When the Network IPS appliances in a high availability pair are configured for explicit-trust authentication, you must manually install the encryption keys on both appliances.

Procedure

  1. Generate keys on both appliances by running /etc/crm/haconfig.sh -k.
  2. Copy the CAcrt.pem file from the /opt/iss/etc/ssl/ha/ directory on the local appliance to the /etc/apache2/ssl.crt/ directory on the remote appliance.
  3. On the remote appliance, copy the server_lmi.crt file to the directory /var/spool/crm/leafcerts/.
  4. Rename the server_lmi.crt file to <name>_443.pem.
    Note: <name> is the IP address or the DNS name of the remote appliance, which is the appliance that you specify as the HA Address in the security interface policy later in this procedure. If <name> is an IPv6 address, the file name must begin with v6_, and every : in the address must be replaced with _.
  5. In the Network IPS Local Management Interface, go to Manage System Settings > Network > Security Interfaces and configure the following options for the sensor high availability mode:
    Option                  Description
    Mode                    Geographical HA
    Authentication Level    Explicit-trust
    HA Address              IP address or DNS name of the remote appliance
  6. Save and apply the policy changes.
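The naming rule in step 4 is easy to get wrong for IPv6 addresses, so the following added helper (not part of the IBM procedure; the function names are assumptions, the directory paths are the ones the procedure names) derives the leaf-certificate file name from the HA Address and stages server_lmi.crt under that name:

```shell
#!/bin/sh
# Added example, not IBM's own tooling. Derives the file name that step 4
# requires from the HA Address and copies server_lmi.crt into the leafcerts
# directory from step 3 under that name.
set -eu

# Print the expected leaf-certificate file name for an HA address:
#   IPv4 address or DNS name -> <name>_443.pem
#   IPv6 address             -> v6_<address with every ':' replaced by '_'>_443.pem
ha_leafcert_name() {
    name="$1"
    case "$name" in
        *:*) printf 'v6_%s_443.pem\n' "$(printf '%s' "$name" | tr ':' '_')" ;;
        *)   printf '%s_443.pem\n' "$name" ;;
    esac
}

# Copy a server_lmi.crt file into the leafcerts directory with the derived name.
# Arguments: HA address, path to server_lmi.crt, destination directory
# (defaults to the directory named in step 3). Prints the staged path.
ha_stage_leafcert() {
    addr="$1"; src="$2"; dest="${3:-/var/spool/crm/leafcerts}"
    target="$dest/$(ha_leafcert_name "$addr")"
    cp "$src" "$target"
    printf '%s\n' "$target"
}

# Show subject, issuer and expiry of a staged certificate so the administrator
# can confirm it is the remote appliance's LMI certificate (requires openssl).
ha_show_leafcert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Usage: ./ha_leafcert.sh <ha-address> <path-to-server_lmi.crt> [dest-dir]
if [ "$#" -ge 2 ]; then
    staged="$(ha_stage_leafcert "$@")"
    ha_show_leafcert "$staged"
fi
```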