opHA3 - Authentication
Discovery
opHA 3 has two different authentication configurations for discovering a peer:
- user/password
- user/sharedkey
For user/password, the credentials must be a valid user and password with permissions over the module_opcore_view module.
For user/sharedkey:
- The user must have permissions over the module_opcore_view module. It is used for authorisation.
- The sharedkey must be one of the entries in omkd_secrets in opCommon.json on the poller. It is used for authentication.
A token is generated from this user and password so that the shared key itself is protected.
Peer Communication
opHA 3 needs the "token" authentication method enabled in order to perform its internal communication.
It can be set in opCommon.json on the pollers:
"auth_method_1" : "token",
It can also be set as auth_method_2 or auth_method_3.
After the change, the omkd daemon must be restarted.
For this purpose, the following settings are sent from the poller to the primary:
"auth_token_key" : ["ForAnotherTrustedTP"], "opha_api_user" : "omkapiha",
They are saved in the registry on the primary, which generates a token from this data to perform the communication.
Upgrade Poller configurations
After upgrading any of the poller configurations:
- omkd must be restarted (on the poller).
- The poller must be rediscovered from the primary.
SSL Configuration
Urls
During peer discovery we specify the URL of the peer. The peer then provides the URL that will be used for their communications.
If we specify a discovery URL using https but https is not set in the poller's configuration, the internal communication falls back to http. It can be changed on the poller in opCommon.json with the setting:
"opha_url_base" : "https://myserver.com",
If we set this property, we also need to set:
"opha_hostname" : "myservername",
After the change, the poller configurations need to be upgraded.
SSL Certificates
If the certificate is self-signed, there are a couple of settings that can be changed to skip validation. This is not recommended in production environments:
"opha_allow_insecure" : 1,
And for editing remote nodes:
"omk_ua_insecure" : 1,
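The following Python script is an added example, not code from opHA or from this page. It audits a poller's opCommon.json for the settings covered under Peer Communication and SSL Configuration: that "token" is one of auth_method_1..3, that omkd_secrets is populated for user/sharedkey discovery, that an https discovery URL is matched by an https opha_url_base with opha_hostname set, and that the two insecure flags are not enabled. It assumes only the setting names quoted on this page and searches the whole JSON document for them, so it does not depend on how opCommon.json nests its sections; the section names in the constructed sample configs (authentication, omkd, opha, omk) are hypothetical, as is treating omkd_secrets as a list.

```python
"""Audit a poller's opCommon.json for the opHA 3 settings described above.

Added example, not part of opHA. Only the setting names from the page are
assumed; the nesting of sections is not, because the audit walks the whole
document looking for those keys wherever they appear.
"""
import json
from urllib.parse import urlparse

# Constructed sample: a poller config carrying every weak setting the page
# warns about. Section names are hypothetical.
WEAK_CONFIG = """
{
  "authentication": {"auth_method_1": "htpasswd", "auth_method_2": "", "auth_method_3": ""},
  "omkd": {"omkd_secrets": []},
  "opha": {"opha_url_base": "http://poller.example.com",
           "opha_hostname": "",
           "opha_allow_insecure": 1},
  "omk": {"omk_ua_insecure": 1}
}
"""

# The same constructed sample after applying the page's recommendations.
FIXED_CONFIG = """
{
  "authentication": {"auth_method_1": "token", "auth_method_2": "htpasswd", "auth_method_3": ""},
  "omkd": {"omkd_secrets": ["ForAnotherTrustedTP"]},
  "opha": {"opha_url_base": "https://poller.example.com",
           "opha_hostname": "poller.example.com",
           "opha_allow_insecure": 0},
  "omk": {"omk_ua_insecure": 0}
}
"""


def find_keys(node, wanted, found=None):
    """Recursively collect the first value seen for each key name in `wanted`."""
    if found is None:
        found = {}
    if isinstance(node, dict):
        for key, value in node.items():
            if key in wanted and key not in found:
                found[key] = value
            find_keys(value, wanted, found)
    elif isinstance(node, list):
        for item in node:
            find_keys(item, wanted, found)
    return found


def audit(config_text, discovery_url):
    """Return a list of findings for the given opCommon.json text.

    discovery_url is the URL entered on the primary when discovering this
    poller. The page notes that an https discovery URL does not help if
    opha_url_base is not also https, because internal traffic then uses http.
    """
    wanted = {"auth_method_1", "auth_method_2", "auth_method_3", "omkd_secrets",
              "opha_url_base", "opha_hostname", "opha_allow_insecure", "omk_ua_insecure"}
    cfg = find_keys(json.loads(config_text), wanted)
    findings = []

    # Peer communication requires the token method in one of the three slots.
    methods = [cfg.get(f"auth_method_{i}") for i in (1, 2, 3)]
    if "token" not in methods:
        findings.append("token auth method not enabled in auth_method_1..3")

    # user/sharedkey discovery authenticates against omkd_secrets.
    if not cfg.get("omkd_secrets"):
        findings.append("omkd_secrets is empty: user/sharedkey discovery cannot authenticate")

    # An https discovery URL must be backed by an https opha_url_base.
    base = cfg.get("opha_url_base") or ""
    if urlparse(discovery_url).scheme == "https" and urlparse(base).scheme != "https":
        findings.append("discovery URL is https but opha_url_base is not: internal traffic falls back to http")
    if base and not cfg.get("opha_hostname"):
        findings.append("opha_url_base is set but opha_hostname is empty")

    # Both insecure flags disable certificate validation.
    for flag in ("opha_allow_insecure", "omk_ua_insecure"):
        if cfg.get(flag):
            findings.append(f"{flag} is enabled: certificate validation is skipped (not for production)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(text, "https://poller.example.com"))
```

Run it against a real poller's opCommon.json by reading the file into `audit()`; an empty list means the file carries the settings this page asks for, and each finding names the setting to change before restarting omkd and rediscovering the poller.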