Unable to complete a cluster join in Encryption Management Server

Article ID: 222740

Products

Gateway Email Encryption, Encryption Management Server

Issue/Introduction

When joining one Encryption Management Server to another in order to create a cluster, you do the following:

  1. Ensure that each server can resolve the name and IP address of the other using nslookup. Ensure that both forward and reverse name lookups are configured correctly. In other words, a command like nslookup keys.example.com will return the IP address of keys.example.com and nslookup 10.0.0.2 will return the name keys.example.com.
  2. Ensure that the network interface (by default Interface 1) of each server has an SSL certificate associated with it.
  3. Ensure that each server trusts the SSL certificate of the other. To do this, ensure that the issuing certificates are listed in the administration console under Keys / Trusted Keys and trusted for SSL.
  4. In the administration console of the sponsor, navigate to System / Clustering.
  5. Click on the Add button to add the name of the joiner server. Always use the FQDN and not the IP address.
  6. In the administration console of the joiner, navigate to System / Clustering.
  7. Click on the Join Cluster button and add the FQDN of the sponsor (not its IP address).
  8. On the sponsor server, click the Contact button.
  9. The database of the sponsor is exported and replicated to the joiner where it is imported. Depending on the size of the database this may take some time.

You may find that although the cluster join seems to work, the status of the joiner in the sponsor's administration console reverts to Pending.

Environment

Encryption Management Server 10.5 and above.

Resolution

Replication uses TCP port 444.

Ensure that your firewall permits TCP port 444 in both directions between all cluster members. Sometimes an organization's firewall rules are not configured to allow bidirectional traffic.
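
The DNS requirement in step 1 and the port 444 requirement above can be checked together before attempting the join. The following pre-flight script is an added example, not part of the original article or the product. It assumes Python 3 is available on a host at each member's network position, and the function names are hypothetical. Run it once from each side against the other's FQDN, because a pass in one direction says nothing about the reverse direction.

```python
import socket
import sys

REPLICATION_PORT = 444  # TCP port the article states replication uses


def dns_consistent(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Step 1: forward lookup of fqdn, then reverse lookup of the resulting IP,
    must lead back to the same name. Resolver functions are injectable so the
    check can be exercised offline. Returns (ok, detail)."""
    try:
        ip = forward(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"forward lookup of {fqdn} failed: {exc}"
    try:
        name, aliases, _ = reverse(ip)
    except OSError as exc:  # socket.herror is a subclass of OSError
        return False, f"reverse lookup of {ip} failed: {exc}"
    # Compare case-insensitively and ignore a trailing root dot.
    names = {n.rstrip(".").lower() for n in [name, *aliases]}
    if fqdn.rstrip(".").lower() not in names:
        return False, f"{ip} reverses to {name}, not {fqdn}"
    return True, f"{fqdn} <-> {ip}"


def port_open(host, port=REPLICATION_PORT, timeout=5.0):
    """Attempt a TCP connection from this host to host:port. Returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"TCP {port} to {host} is reachable"
    except OSError as exc:  # refused, timed out, unreachable, or name failure
        return False, f"TCP {port} to {host} blocked or closed: {exc}"


def preflight(peer_fqdn):
    """Run both checks against one peer. Returns (all_passed, results)."""
    results = {"dns": dns_consistent(peer_fqdn), "tcp444": port_open(peer_fqdn)}
    return all(ok for ok, _ in results.values()), results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <peer FQDN, e.g. keys.example.com>")
    passed, results = preflight(sys.argv[1])
    for check, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {check}: {detail}")
    sys.exit(0 if passed else 1)
```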