Configuring Dual Backup on FusionDirector
- The two devices must be able to communicate with each other.
- The software versions and system time of the two devices must be the same. Otherwise, the dual backup may fail.
- Containerized applications can be configured only after dual backup is enabled. Containerized applications configured before dual backup is enabled or after the dual backup is disabled do not support dual backup.
- Devices whose health status is Unknown do not support dual backup configuration.
- Enter https://FusionDirector IP address in the address box of the browser and press Enter. The FusionDirector login page is displayed.
- Enter the user name and password to log in to FusionDirector.
- Choose to go to the page for managing edge devices.
- On the Edge Devices page, click the name of an edge device to access the details page.
- On the edge device details page, click the Dual Backup tab page.
- Set dual backup parameters.
- Click Operations in the upper right corner, and choose Set Dual Backup Parameter.
In the displayed window, set parameters by referring to Table 5-1.
Table 5-1 Parameters for configuring the local and peer devices

Parameter: Peer device
Description: Specifies the peer device used to set up dual backup with the local device.
Operation: Click Select on the right of Peer Device to select the peer device for certification synchronization.
NOTE: After the peer device is selected, the configured floating IP address and arbitration IP address take effect for both the local and peer devices.

Parameter: Local heartbeat IP address, Peer heartbeat IP address
Description: Enter the heartbeat IP addresses of the local and peer devices. The IP addresses are used by the active and standby nodes to send heartbeat detection packets to monitor the network status and system health status of the peer device.
Operation: Configure the heartbeat IP address by using one of the following methods:
- Preset IP address: The preset IP address is the built-in heartbeat IP address. The device automatically selects and configures one or two preset IP addresses as the heartbeat IP addresses. The preset IP address cannot be changed.
- Customized: Uses the heartbeat IP address, subnet mask, network port, and VLAN ID configured by the user. Currently, a maximum of two IP address records are supported.
NOTICE:
- When configuring the heartbeat IP address, ensure that the heartbeat IP address is not in use.
- When multiple heartbeat IP addresses are configured, the IP addresses must be different.
- The heartbeat IP addresses configured on the two devices must be in the same network segment. The IP addresses must be different, and the number of IP addresses must be the same.
- Two network ports ETH0 and ETH1 are available. Each network port can be configured with a maximum of two heartbeat links.

Parameter: Floating IP address
Description: Used for communication between edge nodes and external devices, for example, IPCs. If the active node is faulty, the floating IP address of the active node is migrated to the standby node, and the IP address of the standby node is used to communicate with external devices.
If the customer's services do not need to connect to external devices, you do not need to configure the floating IP address.
Operation: Set the IP addresses, subnet masks, network ports, and VLAN IDs of the active and standby nodes.
You can add or delete records based on the actual requirements. A maximum of eight floating IP addresses can be configured.
NOTICE:
- If you need to set this parameter, ensure that the floating IP addresses of the two devices are the same.
- When configuring the floating IP address, ensure that the floating IP address is not in use.
- When multiple floating IP addresses are configured, the IP addresses must be different.

Parameter: Arbitration IP address
Description: Used to assist the dual backup function in active/standby arbitration. The system periodically checks whether the arbitration IP address can be pinged to determine the network connectivity.
Operation: This parameter is optional.
- If you need to set this parameter, it is recommended that the arbitration IP addresses of the two devices be the same.
- You can configure a maximum of one arbitration IP address, and the address cannot be the same as any other IP address to be configured. There is no requirement on the network segment. You are advised to use the gateway IP address.

- Click OK.
After the configuration is successful, the configured device parameters are displayed.
- Enable dual backup.
Select Enable/Disable Dual Backup from the Operation drop-down list on the right, enable the dual backup function of the local and peer devices, and click OK.
After dual backup is enabled, dual backup is working if both devices are shown as running properly and their roles are displayed.
If you want to modify the parameters after enabling dual backup, disable dual backup first.
- (Optional) Import a custom certificate.
If you do not want to use the certificate automatically generated by the system for authentication when setting up a dual backup connection, you can use the imported custom certificate for authentication. The import procedure is as follows:
Disable the dual backup function before importing or deleting the custom certificate.
- Log in to the Atlas 500 CLI by using SSH.
- Run the develop command to enter the Atlas 500 development mode.
- Upload the peer root certificate, local service certificate, private key of the local service certificate, and revocation list of the peer service certificate to a directory (for example, /tmp) on the Atlas 500.
- Run the following command to go to the /opt/middleware/ha/module/hacom/script directory:
cd /opt/middleware/ha/module/hacom/script
- Run the following command to import the certificate files uploaded in 8.c (the upload step above):
./import_ha_cert.sh --peer-root-ca-path=/tmp/root-ca.crt --local-server-ca-path=/tmp/server-ca.crt --local-server-key-path=/tmp/server-key.pem --crl-path=/tmp/ha.crl
Parameter: --peer-root-ca-path
Description: (Mandatory) Path of the peer root certificate, for example, /tmp/root-ca.crt.

Parameter: --local-server-ca-path
Description: (Mandatory) Path of the local service certificate, for example, /tmp/server-ca.crt.

Parameter: --local-server-key-path
Description: (Mandatory) Path where the private key of the local service certificate is stored, for example, /tmp/server-key.pem.

Parameter: --crl-path
Description: (Optional) Path of the CRL of the peer service, for example, /tmp/ha.crl.

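- Run the following command to import the private key password of the local service certificate:
./update_server_key_pass.sh xxxxxx
xxxxxx indicates the private key password of the local service certificate. Because the password is passed as a command-line argument, it is visible in the process list while the command runs and may be saved in the shell history.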
- Repeat 8.a to 8.f (from the SSH login to the private key password import) on the peer device.
If you do not want to use a custom certificate for authentication, go to the /opt/middleware/ha/module/hacom/script directory and run the ./delete_user_define_cert.sh command to delete the certificate. After the deletion, you need to reconfigure the dual backup function. Otherwise, the dual backup function is unavailable.
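
The address rules in Table 5-1 can be checked before the values are entered in the Set Dual Backup Parameter window. The following Python check is an added example, not part of FusionDirector or the original page; the function name, the position-based pairing of local and peer heartbeat addresses, and the sample addresses are assumptions.

```python
import ipaddress

MAX_HEARTBEAT = 2  # heartbeat records per device (Table 5-1)
MAX_FLOATING = 8   # floating IP addresses (Table 5-1)

def check_dual_backup_plan(local_hb, peer_hb, floating=(), arbitration=None):
    """Return the Table 5-1 rules a planned configuration breaks ([] if none).

    local_hb, peer_hb: "address/prefix" strings; entry i of each list is
    assumed to describe the same heartbeat link (pairing is an assumption).
    floating: addresses shared by both devices; arbitration: address or None.
    """
    problems = []
    local = [ipaddress.ip_interface(a) for a in local_hb]
    peer = [ipaddress.ip_interface(a) for a in peer_hb]
    if len(local) != len(peer):
        problems.append("heartbeat: local and peer need the same number of addresses")
    for side, links in (("local", local), ("peer", peer)):
        if len(links) > MAX_HEARTBEAT:
            problems.append(f"heartbeat: {side} has more than {MAX_HEARTBEAT} addresses")
    for loc, rem in zip(local, peer):
        if loc.network != rem.network:
            problems.append(f"heartbeat: {loc} and {rem} are in different network segments")
    float_ips = [ipaddress.ip_address(a) for a in floating]
    if len(float_ips) > MAX_FLOATING:
        problems.append(f"floating: more than {MAX_FLOATING} addresses")
    # Heartbeat and floating addresses must be unused and distinct, and the
    # arbitration address must differ from every other configured address.
    used = [i.ip for i in local + peer] + float_ips
    if arbitration is not None:
        used.append(ipaddress.ip_address(arbitration))
    for dup in sorted({str(a) for a in used if used.count(a) > 1}):
        problems.append(f"address {dup} is configured more than once")
    return problems

if __name__ == "__main__":
    # Constructed sample plan: the arbitration address reuses a heartbeat address.
    for line in check_dual_backup_plan(
        ["192.168.10.1/24"], ["192.168.10.2/24"],
        floating=["10.1.1.50"], arbitration="192.168.10.2",
    ):
        print(line)
```

The check cannot tell whether an address is already in use on the network; that rule from Table 5-1 still has to be confirmed separately.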
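
Before import_ha_cert.sh is run, the files uploaded in 8.c can be checked where they are staged. This Python check is an added example, not Huawei tooling or code from the original page; it assumes PEM-encoded files and Python 3 on the machine that holds them, and check_ha_cert_files is a hypothetical name.

```python
import getpass
import os
import ssl
import stat
import sys
import time

def check_ha_cert_files(peer_root_ca, server_cert, server_key, key_password=None):
    """Return a list of problems with the staged files ([] if none found)."""
    problems = [f"{p}: file not found"
                for p in (peer_root_ca, server_cert, server_key)
                if not os.path.isfile(p)]
    if problems:
        return problems
    # The private key waits in the upload directory (the page's example is
    # /tmp), so it should be accessible to its owner only.
    mode = stat.S_IMODE(os.stat(server_key).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{server_key}: mode {mode:o} lets group/other access the key")
    try:
        # Rejects an unparsable file, a wrong key password, and a private key
        # that does not belong to the certificate. "" suppresses OpenSSL's prompt.
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(
            server_cert, server_key, password=key_password or "")
    except OSError as exc:
        problems.append(f"service certificate/key pair rejected: {exc}")
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=peer_root_ca)
        for ca in ctx.get_ca_certs():
            if ssl.cert_time_to_seconds(ca["notAfter"]) < time.time():
                problems.append(f"{peer_root_ca}: a root certificate has expired")
    except OSError as exc:
        problems.append(f"{peer_root_ca}: not a usable PEM certificate: {exc}")
    return problems

if __name__ == "__main__":
    # Usage: script.py ROOT_CA SERVER_CERT SERVER_KEY
    # The key password is prompted for, so it stays out of argv and history.
    found = check_ha_cert_files(*sys.argv[1:4],
                                key_password=getpass.getpass("Key password: "))
    print("\n".join(found) or "no problems found")
    sys.exit(1 if found else 0)
```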