User guide
Related Documentation: FIPS Overview on page 9
Deploying a Cluster in a Secure Access FIPS Environment
In addition to sharing state, user profile, user session, and monitoring state data, the
members of a Secure Access FIPS cluster also share security world data. All cluster
members share the same private key and are accessible using the same administrator
cards. Since changing a security world requires physical access to a cryptographic module,
however, Secure Access FIPS cluster members cannot share all of their data using the
standard Secure Access synchronization process. Instead, to create a Secure Access
FIPS cluster, you must:
• Create a cluster of Secure Access FIPS machines through the admin console—As with
a standard Secure Access cluster, each cluster node in a Secure Access FIPS cluster
is initialized using system state data from the specified cluster member, overwriting
all existing data on the node machine.
• Manually update the security world on each of the machines—After creating a cluster,
you must initialize each cluster node with the specified member’s security world using
an administrator card that is pre-initialized to the security world and the serial console.
Prior to joining a cluster, each node is in its own security world. As a consequence, after
a node joins the cluster, the administrator card from the joining node will be invalid.
Only the administrator card set from the cluster will be valid.
Similarly, if you want to modify an existing security world on a cluster, you must individually
update each cluster member’s cryptographic module using an administrator card and
the Secure Access serial console.
The basic process for creating a cluster follows these high-level steps:
1. Initialize one Secure Access from the serial console, creating administrator cards.
2. Create the cluster from this Secure Access’ admin console.
3. Add nodes to the cluster from this Secure Access’ admin console.
4. Reboot the joining node from the serial console.
5. When prompted, supply the cluster details, including the current node’s IP address,
netmask, and domain.
6. When prompted, insert an administrator card from the cluster’s set of cards. The
node’s administrator card, if any, will become invalid as the node joins the security
world of the cluster.
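The membership rules above (one shared security world per cluster, joining only with a card from the cluster's own card set, the joining node's old card becoming invalid, and security-world changes that must be applied to each member individually rather than synchronized) are modelled in the following added example. It is illustrative code written for this page, not Juniper's implementation; the class names, the hex world identifiers and the card naming scheme are all assumptions, and the random "private key" stands in for whatever the cryptographic module actually holds.

```python
"""Model of the FIPS-cluster security-world rules described above.

Illustrative only: not Juniper code. Names and identifiers are assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminCard:
    card_id: str
    world_id: str  # the security world this card was initialized into


@dataclass
class SecurityWorld:
    """One security world: a private key plus the administrator card set that can unlock it."""
    world_id: str
    private_key: bytes
    cards: tuple[AdminCard, ...]


def new_security_world(card_count: int = 2) -> SecurityWorld:
    """Step 1: initializing a module creates a fresh world and its administrator cards."""
    world_id = secrets.token_hex(4)  # constructed identifier
    cards = tuple(AdminCard(f"card-{world_id}-{i}", world_id) for i in range(card_count))
    return SecurityWorld(world_id, secrets.token_bytes(32), cards)


@dataclass
class Node:
    name: str
    world: SecurityWorld  # prior to joining a cluster, each node is in its own world

    def card_is_valid(self, card: AdminCard) -> bool:
        return card.world_id == self.world.world_id


class Cluster:
    def __init__(self, seed: Node) -> None:
        self.world = seed.world      # the cluster's world is the seed member's world
        self.members: list[Node] = [seed]

    def join(self, node: Node, card: AdminCard) -> None:
        """Step 6: the card must come from the cluster's set; the node's own card is refused."""
        if card.world_id != self.world.world_id:
            raise PermissionError(
                f"{card.card_id} belongs to world {card.world_id}, "
                f"not to the cluster world {self.world.world_id}")
        # The module is re-initialized to the cluster's world, so the node's
        # previous administrator card no longer matches anything it holds.
        node.world = self.world
        self.members.append(node)

    def rotate_security_world(self, new_world: SecurityWorld) -> None:
        """Changing the cluster's world does NOT propagate: there is no sync for module state."""
        self.world = new_world

    def update_member(self, node: Node, card: AdminCard) -> None:
        """Per-member serial-console update with a card from the new world."""
        if card.world_id != self.world.world_id:
            raise PermissionError(f"{card.card_id} is not from the current cluster world")
        node.world = self.world

    def stale_members(self) -> list[str]:
        """Members whose module still holds an old world and have not been updated yet."""
        return [m.name for m in self.members if m.world.world_id != self.world.world_id]
```

Running `join()` with the joining node's pre-join card raises immediately, and after a successful join `card_is_valid()` reports the old card as invalid and any card from the cluster's set as valid. `rotate_security_world()` followed by `stale_members()` shows the second rule: every member stays stale until `update_member()` is called for it individually.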
Copyright © 2012, Juniper Networks, Inc.
28
SA Series 4500, 6500, and FIPS Appliances