You must manually put encryption keys on the Network IPS appliances in a high availability pair that are configured for explicit-trust.
Procedure
- Generate keys on both appliances by running /etc/crm/haconfig.sh -k.
- On the local directory of the remote appliance, copy the CAcrt.pem file from /opt/iss/etc/ssl/ha/ to /etc/apache2/ssl.crt/.
- On the remote appliance, copy the server_lmi.crt file to the directory /var/spool/crm/leafcerts/.
- Rename the server_lmi.crt file to <name>_443.pem.
  Note: <name> is the IP address or the DNS name of the remote appliance. This appliance is the appliance that you specify as the HA Address in the security interface policy that is explained later in this procedure. If <name> is an IPv6 address, the file name must begin with v6_. You must convert : to _.
- In the Network IPS Local Management Interface, go to and configure the following options for the sensor high availability mode:

  | Option | Description |
  | --- | --- |
  | Mode | Geographical HA |
  | Authentication Level | Explicit-trust |
  | HA Address | IP or DNS Name of the appliance |
- Save and apply the policy changes.
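
The copy and rename steps for server_lmi.crt, combined with the file-name rule from the note, as an added shell example that is not part of the original procedure. The function names and the optional destination-directory argument are hypothetical, the addresses in the comments are constructed samples, and the IPv6 form (v6_ prefix, every : replaced by _, then _443.pem) is an assumed reading of the note.

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Derives the leaf certificate file name from the HA Address and places
# a copy of server_lmi.crt under that name.

# leaf_cert_name <ha_address>
# Prints <name>_443.pem, e.g. 192.0.2.10 -> 192.0.2.10_443.pem
# IPv6 (assumed reading of the note): 2001:db8::1 -> v6_2001_db8__1_443.pem
leaf_cert_name() {
    addr=$1
    [ -n "$addr" ] || { echo "HA address is empty" >&2; return 1; }
    case $addr in
        */*|*' '*)
            # A slash or space would change where the file lands.
            echo "invalid HA address: $addr" >&2
            return 1
            ;;
    esac
    case $addr in
        *:*)
            # IPv6: the name must begin with v6_ and every ':' becomes '_'.
            printf 'v6_%s_443.pem\n' "$(printf '%s' "$addr" | tr ':' '_')"
            ;;
        *)
            # IPv4 address or DNS name is used unchanged.
            printf '%s_443.pem\n' "$addr"
            ;;
    esac
}

# install_leaf_cert <path to server_lmi.crt> <ha_address> [dest_dir]
# Copies the certificate into dest_dir (default: the directory named in
# the procedure) under the derived name and prints the resulting path.
install_leaf_cert() {
    src=$1
    dest_dir=${3:-/var/spool/crm/leafcerts}
    name=$(leaf_cert_name "$2") || return 1
    [ -s "$src" ] || { echo "missing or empty certificate: $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 1; }
    cp -- "$src" "$dest_dir/$name" || return 1
    printf '%s\n' "$dest_dir/$name"
}
```

The address passed to install_leaf_cert must be the same value that is later entered as the HA Address in the policy.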