Configure the Keyfactor AnyCA Gateway DCOM with Clustering (Optional)

The AnyCAGateway DCOM provides the option to implement multiple AnyCAGateway DCOM servers using clustering for a highly available and redundant implementation. This option relies on Microsoft Failover Clustering and a shared storage solution (such as a NAS).

Configuration of network attached storage and failover clustering is beyond the scope of this guide.

Failover clustering with shared storage must be in place before you begin installation of any of the AnyCAGateway DCOM nodes.

In addition to the general preparation and implementation steps described for the AnyCAGateway DCOM as a whole, a clustered implementation has some specific requirements and steps of its own. The following is a general overview of the process:

  1. Ready the NAS and prepare quorum and storage disks for the AnyCAGateway DCOM cluster.
  2. Give each AnyCAGateway DCOM server a NIC on the NAS network.
  3. Install the Microsoft Failover Clustering role on each server that will host an AnyCAGateway DCOM node and create the failover cluster.

  4. If you will be using a client authentication certificate, acquire it, distribute it to all the cluster nodes, and grant permissions on its private key on all nodes (see Install a Client Authentication Certificate).
  5. Install the chain certificates from the CA on all the nodes (see Acquire and Install a Chain Certificate).
  6. Install the AnyCAGateway DCOM on each server that will host an AnyCAGateway DCOM node, but do not take any further steps in the configuration process at this point (see Installation).
  7. In the Microsoft Failover Cluster Manager, create a role for the AnyCAGateway DCOM service.

    The role for the main AnyCAGateway DCOM service is created part way through the implementation after the gateway product is installed but before it has been configured with the configuration scripts.

    To create the role:

    1. On the AnyCAGateway DCOM server that is the owner node in the failover cluster, open the Failover Cluster Manager.
    2. In the Failover Cluster Manager, drill down to Roles and click Configure Role... in the Actions pane.
    3. On the Select Role page of the High Availability Wizard, choose Generic Service and click Next.
    4. On the Select Service page, scroll down to locate the AnyCAGateway DCOM service.
    5. On the Client Access Point page, give the AnyCAGateway DCOM cluster a meaningful Name of not more than 15 characters (e.g. AnyGateway) and enter an available IP address that can be associated with this DNS name.
    6. On the Select Storage page, select the storage disk(s) you prepared for the AnyCAGateway DCOM cluster.
    7. Accept the defaults for the remainder of the wizard and click Finish at the end to create the role.

      Figure 578: Configure a Cluster Role

    8. In the Failover Cluster Manager, confirm that the new role has started successfully and shows a status of Running.
  8. In the Microsoft Failover Cluster Manager, make sure that the node where you are going to run the configuration is the owner node.
  9. Run the configuration process on the owner node and complete the configuration as normal (see Gateway Configuration Steps).
  10. Run a subset of the configuration on each of the other nodes.

    The process of configuring the AnyCAGateway DCOM in a clustered environment is very similar to that for a non-clustered environment. The primary difference is that most of the configuration steps are done only on the owner node, while two of them (setting the encryption certificate and setting the database connection string) must be repeated on every node. The specific differences/adjustments are:

    1. Create the database only once in a clustered environment on the owner node (see Create the Database). Once you have created the database, you must grant access in SQL to each of the other nodes in the cluster. See Appendix - Verify the AnyCAGateway DCOM Database. By default only the node on which the database create command is run is given permissions in SQL via the script.
    2. Set the encryption on each node of the clustered environment (see Set the Encryption Certificate).
    3. Set the gateway connection on each node of the clustered environment (see Set the Database Connection String).
    4. The configuration cmdlets that create and import the JSON configuration file (see Create a JSON Configuration File and Import the JSON Configuration File) are run only on the owner node.

      Note:  The AD parameters (-PublishAD and -UnpublishAD) are independent of the nodes.

    Refer to the Gateway Configuration Steps section for more information about each of these steps.

  11. You may wish to modify logging to send logs to the shared storage (see Configure Logging).
  12. Change dNSHostName with ADSIEdit. Open ADSIEdit, connect to the Configuration naming context, and browse to Configuration > Services > Public Key Services > Enrollment Services. Find the entry for the clustered gateway's logical name, go to Properties, and look for the attribute 'dNSHostName'. Change this value to the host name of the clustered role that was created for the gateway (it currently defaults to the machine name the configuration was run on).
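
The cluster-specific steps above (creating the Generic Service role, confirming the owner node, setting the service to Manual on the other nodes, granting the other nodes database access, and repointing the Enrollment Services entry), carried out from PowerShell on the owner node. This is an added example, not a Keyfactor script. The values assigned at the top (service name, role name and IP, cluster disk, domain and DNS suffix, SQL instance, database and database role, and the gateway's logical CA name) are assumptions; replace them with the values from your own installation. The database step assumes the gateway service runs as the machine account, as the per-node SQL grant in step 1 implies, and that the SqlServer and ActiveDirectory modules are installed.

```powershell
# Added example, not Keyfactor tooling. All values below are assumptions for illustration.
$ClusterRoleName    = 'AnyGateway'            # Client Access Point name, max 15 characters
$ClusterRoleIp      = '10.0.0.50'             # free IP on the client-facing network
$ClusterDisk        = 'Cluster Disk 2'        # shared disk prepared for the gateway
$ServiceName        = 'AnyGatewayService'     # short service name; check Get-Service on a node
$Domain             = 'KEYEXAMPLE'
$DnsSuffix          = 'keyexample.com'
$SqlInstance        = 'sql01.keyexample.com'
$Database           = 'AnyGateway'            # name used in Create the Database
$DbRole             = 'db_owner'              # use the role the create script granted the owner node
$GatewayLogicalName = 'AnyGateway-CA'         # logical CA name of the gateway as published to AD

if ($ClusterRoleName.Length -gt 15) { throw 'Cluster role name must be 15 characters or fewer' }

# 1. Create the Generic Service role (the High Availability Wizard steps 1-7). Requires the
#    FailoverClusters module that ships with the Failover Clustering feature.
Import-Module FailoverClusters
Add-ClusterGenericServiceRole -ServiceName $ServiceName -Name $ClusterRoleName `
    -StaticAddress $ClusterRoleIp -Storage $ClusterDisk | Out-Null

# 2. Confirm the role is up (PowerShell reports 'Online' where the GUI shows 'Running') and
#    record the owner node: the configuration scripts must be run there.
$group = Get-ClusterGroup -Name $ClusterRoleName
if ($group.State -ne 'Online') { throw "Role $ClusterRoleName is $($group.State), not Online" }
$owner = $group.OwnerNode.Name
"Role $ClusterRoleName is Online on $owner; run the gateway configuration on that node."

# 3. The gateway should run only where the role is, so set the service to Manual elsewhere.
$otherNodes = (Get-ClusterNode | Where-Object Name -ne $owner).Name
Invoke-Command -ComputerName $otherNodes -ScriptBlock {
    param($svc)
    Set-Service -Name $svc -StartupType Manual
    Get-Service -Name $svc | Select-Object MachineName, Name, StartType, Status
} -ArgumentList $ServiceName

# 4. The create-database script only grants the node it ran on. Give each other node's
#    computer account the same database role, creating the login and user if missing.
foreach ($node in $otherNodes) {
    $account = "$Domain\$node`$"
    $query = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
ALTER ROLE [$DbRole] ADD MEMBER [$account];
"@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $query
}

# 5. Repoint the Enrollment Services entry from the node that ran the configuration to the
#    cluster role (the ADSIEdit change in step 12). Only applies if you published to AD.
Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext
$entryDn  = "CN=$GatewayLogicalName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
$before   = (Get-ADObject -Identity $entryDn -Properties dNSHostName).dNSHostName
Set-ADObject -Identity $entryDn -Replace @{ dNSHostName = "$ClusterRoleName.$DnsSuffix" }
$after    = (Get-ADObject -Identity $entryDn -Properties dNSHostName).dNSHostName
"dNSHostName changed from $before to $after"
```

Keep the role name and IP you pass to Add-ClusterGenericServiceRole in DNS; the FQDN of that role, not a node name, is what you later enter as the host name when adding the gateway to Keyfactor Command.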

Note:  The AnyCAGateway DCOM service should be running only on the owner node of the cluster. Keyfactor recommends checking the Microsoft Services utility on all other nodes and making sure the AnyCAGateway DCOM service is set to Manual on them.
Note:  When referencing the AnyCAGateway DCOM in a clustered environment as a CA in Keyfactor Command, you will reference it by the FQDN of the cluster role, rather than the individual host names of the node servers, in the host name field. If you've opted not to publish to AD, you will need to manually add a record for the AnyCAGateway DCOM cluster on the Certificate Authority page in the Keyfactor Command Management Portal. See Add the AnyCAGateway DCOM CA to Keyfactor Command.