Configuring Dual Backup on Atlas IES

• The two devices must be able to communicate with each other.
• The software versions and system time of the two Atlas 500 AI edge stations must be the same. Otherwise, dual backup may fail.
• Containerized applications can be configured only after dual backup is enabled. Containerized applications configured before dual backup is enabled or after the dual backup is disabled do not support dual backup.

Perform the following steps on the two Atlas 500 AI edge stations to configure parameters:

1. Log in to the intelligent edge system (IES) WebUI of an Atlas 500 AI edge station. For details, see Logging In to the Atlas 500 AI Edge Station WebUI.
2. Choose Management > Dual Backup.
3. Click Configure Parameter on the Local Device tab page. The Configure Local Device Parameters page is displayed.
4. Configure local device parameters.
   1. Configure the parameters as prompted. Table 5-2 describes the parameters.
      Table 5-2 Parameters for configuring the local device

      Parameter	Description	Operation
      Node ID	Specifies the node ID generated when the local device connects to FusionDirector. NOTE: If an Atlas 500 AI edge station is faulty, use a new Atlas 500 AI edge station with the same node ID.	Retain the default value.
      Heartbeat IP address	Specifies the IP address used by the active and standby nodes to send heartbeat detection packets for monitoring the peer network status and system health status.	Configure the heartbeat IP address by using one of the following methods: Preset IP address: The preset IP address is the built-in heartbeat IP address. The device automatically selects and configures one or two preset IP addresses as the heartbeat IP addresses. The preset IP address cannot be changed. Customized: uses the heartbeat IP address, subnet mask, network port, and VLAN ID configured by the user. Currently, a maximum of two IP address records are supported. NOTICE: When configuring the heartbeat IP address, ensure that the heartbeat IP address is not in use. When multiple heartbeat IP addresses are configured, the IP addresses must be different. The heartbeat IP addresses configured on the two devices must be in the same network segment. The IP addresses must be different, and the number of IP addresses must be the same. Two network ports ETH0 and ETH1 are available. Each network port can be configured with a maximum of two heartbeat links.
      Floating IP address	Used for communication between edge nodes and external devices, for example, IPCs. If the active node is faulty, the floating IP address of the active node is migrated to the standby node, and the IP address of the standby node is used to communicate with external devices. If the customer's services do not need to connect to external devices, you do not need to configure the floating IP address.	Set the IP addresses, subnet masks, network ports, and VLAN IDs of the active and standby nodes. You can add or delete records based on the actual requirements. A maximum of eight floating IP addresses can be configured. NOTICE: If you need to set this parameter, ensure that the floating IP addresses of the two devices are the same. When configuring the floating IP address, ensure that the floating IP address is not in use. When multiple floating IP addresses are configured, the IP addresses must be different.
      Arbitration IP address	Used to assist the dual backup function in active/standby arbitration. The system periodically checks whether the arbitration IP address can be pinged to determine the network connectivity. This parameter is optional.	If you need to set this parameter, it is recommended that the arbitration IP addresses of the two devices be the same. You can configure a maximum of one arbitration IP address and the address cannot be the same as other IP address to be configured. There is no requirement on the network segment. You are advised to use the gateway IP address.

   2. Click OK.

      The configured device parameters are displayed on the Local Device tab page.

   3. (Optional) Click Configure Parameter to modify the parameters of the local device.
   4. Click Download Certificate.

5. Upload the peer certificate.

   On the Peer Device tab page of each Atlas 500 AI edge station, upload the certificate downloaded by the other Atlas 500 AI edge station to ensure mutual authentication between the two Atlas 500 AI edge stations. For example, upload the certificate of edge station B on the Peer Device tab page of edge station A.

   1. On the Peer Device tab page, click Upload Peer Certificate. The Upload Peer Certificate dialog box is displayed.
   2. Click Select File and select the certificate to be uploaded.
   3. Click OK.

      On the Peer Device tab page, the configured device parameters and peer fingerprint information of the certificate are displayed.

6. Repeat 1 to 5 on the other Atlas 500 AI edge station.
7. Enable dual backup.
   1. Click Enable Dual Backup on both Atlas 500 AI edge stations. A confirmation dialog box is displayed.
   2. Click OK.

      If Enabled Dual Backup changes to Disable Dual Backup, the dual backup function is enabled.

   • If you want to modify the parameters after enabling dual backup, disable dual backup first.
   • When you reconfigure parameters, a new certificate will be generated to overwrite the original certificate. In this case, you need to synchronize the new certificate on the two devices. In this way, the two Atlas 500 AI edge stations can complete the new authentication.

8. (Optional) Import a custom certificate.

   If you do not want to use the certificate automatically generated by the system for authentication when setting up a dual backup connection, you can use the imported custom certificate for authentication. The import procedure is as follows:

   Disable the dual backup function before importing or deleting the custom certificate.

   1. Log in to the Atlas 500 CLI by using SSH.
   2. Run the develop command to enter the Atlas 500 development mode.
   3. Upload the peer root certificate, local service certificate, private key of the local service certificate, and revocation list of the peer service certificate to a directory (for example, /tmp) on the Atlas 500.
   4. Run the following command to go to the /opt/middleware/ha/module/hacom/script directory:

      cd /opt/middleware/ha/module/hacom/script

   5. Run the following command to import the certificate uploaded in 8.c:

      ./import_ha_cert.sh --peer-root-ca-path=/tmp/root-ca.crt --local-server-ca-path=/tmp/server-ca.crt --local-server-key-path=/tmp/server-key.pem --crl-path=/tmp/ha.crl

      Parameter	Description
      --peer-root-ca-path	(Mandatory) Path of the peer root certificate, for example, /tmp/root-ca.crt.
      --local-server-ca-path	(Mandatory) Path of the local service certificate, for example, /tmp/server-ca.crt.
      --local-server-key-path	(Mandatory) Path where the private key of the local service certificate is stored, for example, /tmp/server-key.pem.
      --crl-path	(Optional) Path of the CRL of the peer service, for example, /tmp/ha.crl.

   6. Run the following command to import the private key password of the local service certificate:

      ./update_server_key_pass.sh xxxxxx

      xxxxxx indicates the private key password of the local service certificate.

   7. Repeat 8.a to 8.f on the peer device.

   If you do not want to use a custom certificate for authentication, go to the /opt/middleware/ha/module/hacom/script directory and run the ./delete_user_define_cert.sh command to delete the certificate. After the deletion, you need to reconfigure the dual backup function. Otherwise, the dual backup function is unavailable.