After installation, here are some considerations and best practices for maintaining your Customer Key Server (CKS).
Two traffic patterns are possible:
- Traffic flows directly to the containers.
- Traffic flows to a load balancer, where the connection is terminated; the load balancer then initiates a new connection to the containers.
For the load balancer we will be using the following scenario:
Perform status checks on each host
curl https://cksa.example.com:443 --insecure
curl https://cksb.example.com:443 --insecure
To check the /status endpoint of the CKS, run the commands below.
In all cases you should get back a JSON document that contains a version field. The --insecure flag tells curl to skip TLS certificate validation; it is convenient during testing, but once the CKS certificates are trusted by the host doing the checking, drop it (or pass --cacert with the issuing CA) so that the check also proves the certificate is the one you expect.
Every other endpoint on the CKS requires authentication and cannot be reached without the proper client; a browser or curl alone will not be sufficient.
For your local machine (during testing):
TLS: Not Validated
curl https://127.0.0.1/status --insecure
For a single server in the deployment of CKS:
TLS: Not Validated
curl https://cksa.example.com:443/status --insecure
For your deployment of CKS
For multiple checks (repeat the status call $max times):
for i in $(seq 1 "${max:-3}"); do   # max = number of checks to run, default 3
  echo " - $i"
  curl https://cksa.example.com:443/status --insecure
done
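The checks above, extended into a script that walks every host, validates that the reply is JSON carrying a version field, and returns a non-zero exit status when any host fails (so it can be wired into a monitoring job). This is an added example, not a script shipped with CKS; the hostnames are the page's own examples, while CKS_HOSTS, CKS_CA and CKS_RUN_CHECK are variable names assumed here.

```shell
#!/bin/sh
# Added example (not from the CKS documentation): check /status on every CKS
# host and confirm the reply is JSON with a non-empty "version" field.
# CKS_HOSTS defaults to the page's example hosts; CKS_CA is an assumed path to
# the CA bundle that issued the CKS certificates (empty = --insecure, testing only).
CKS_HOSTS="${CKS_HOSTS:-cksa.example.com cksb.example.com}"
CKS_CA="${CKS_CA:-}"

# has_version_field JSON -> 0 if the document has a non-empty "version" member
has_version_field() {
    printf '%s' "$1" | grep -Eq '"version"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# curl_opts -> TLS options: validate against CKS_CA when set, otherwise skip validation
# (the CA path must not contain spaces, since the result is word-split below)
curl_opts() {
    if [ -n "$CKS_CA" ]; then
        printf '%s' "--cacert $CKS_CA"
    else
        printf '%s' "--insecure"
    fi
}

# check_host HOST -> 0 when /status answers with JSON that has a version field
check_host() {
    host="$1"
    body=$(curl -s --max-time 5 $(curl_opts) "https://$host:443/status") || return 1
    has_version_field "$body"
}

# check_all -> exit status = number of failing hosts (0 means all healthy)
check_all() {
    failed=0
    for h in $CKS_HOSTS; do
        if check_host "$h"; then
            echo " - $h: OK"
        else
            echo " - $h: FAILED"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run the sweep only when asked, e.g.:  CKS_RUN_CHECK=1 CKS_CA=/etc/ssl/cks-ca.pem sh check.sh
if [ -n "${CKS_RUN_CHECK:-}" ]; then
    check_all
fi
```

Leaving CKS_CA empty reproduces the page's --insecure checks; setting it turns the same sweep into a check that also fails when a host presents an unexpected certificate, which is what you want from a production monitor.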
Backing up the CKS environment and servers is as simple as backing up the base folder the CKS is installed to.
- The default location is /var/virtru/cks; this folder holds all configuration files and certificates. Because it contains the certificates and configuration the server depends on, treat the backup as sensitive: encrypt it and restrict who can read it.
- The backup will not include the Docker images that are pulled during the docker-compose process.
- If the images do not exist in the local repository, they will be downloaded automatically.
In a disaster recovery scenario, the following need to be available:
- Access to Docker Hub (to pull the images again)
- Docker Compose
- Backup of the CKS environment
- Public DNS management
Recovery steps:
- Modify DNS to point to the new public IP
- Forward the same port that was used on the backed-up host to the new host
- Install Docker on the host
- Install Docker Compose
- Restore the backup to the replacement server
- Connect to the console and run docker-compose up -d
The containers should then be running and functioning. Verify with a status check and by reviewing the logs.
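The backup and recovery steps above, as one script: it archives the install folder, restores it on a replacement host, checks that Docker and Docker Compose are present, starts the containers and waits for /status to answer with a version field. This is an added example, not tooling shipped with CKS. CKS_HOME defaults to the documented /var/virtru/cks; the archive path, the hostname, the variable names and the assumption that docker-compose.yml lives inside the install folder are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not tooling shipped with CKS: back up the CKS install folder to
# a tarball, restore it on a replacement host, start the containers and wait for
# /status to answer. CKS_HOME defaults to the documented /var/virtru/cks; the
# archive path, the hostname and the location of docker-compose.yml inside the
# install folder are assumptions of this example.
set -u

# backup_cks INSTALL_DIR ARCHIVE -> tar the whole install folder (config + certs)
backup_cks() {
    src="$1"; archive="$2"
    [ -d "$src" ] || { echo "no such install dir: $src" >&2; return 1; }
    # -C the parent so the archive holds a single top-level directory
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    chmod 600 "$archive"   # the archive carries the certificates: keep it private
}

# restore_cks ARCHIVE INSTALL_DIR -> unpack the archive into the parent of INSTALL_DIR
# (INSTALL_DIR must have the same name as the directory that was backed up)
restore_cks() {
    archive="$1"; dest="$2"
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    tar -xzf "$archive" -C "$(dirname "$dest")" || return 1
    [ -f "$dest/docker-compose.yml" ]   # sanity check: the compose file came back
}

# require_tools -> 0 when docker and docker-compose are both on the PATH
require_tools() {
    for t in docker docker-compose; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing: $t" >&2; return 1; }
    done
}

# start_cks INSTALL_DIR -> bring the containers up from the restored compose file
start_cks() {
    ( cd "$1" && docker-compose up -d )
}

# wait_for_status HOST [TRIES] -> 0 once /status returns JSON with a version field
wait_for_status() {
    host="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        if curl -s --max-time 5 --insecure "https://$host:443/status" \
             | grep -Eq '"version"[[:space:]]*:[[:space:]]*"[^"]+"'; then
            return 0
        fi
        tries=$((tries - 1)); sleep 2
    done
    return 1
}

# Full recovery on the replacement host, e.g.:
#   CKS_DR_RUN=1 CKS_BACKUP=/mnt/backup/cks.tgz sh dr.sh
if [ -n "${CKS_DR_RUN:-}" ]; then
    home="${CKS_HOME:-/var/virtru/cks}"
    require_tools \
      && restore_cks "${CKS_BACKUP:?set CKS_BACKUP to the backup archive}" "$home" \
      && start_cks "$home" \
      && wait_for_status "${CKS_HOST:-cksa.example.com}"
fi
```

Run backup_cks on the live host on a schedule and copy the archive off the box; on the replacement host, after DNS and port forwarding are in place and Docker is installed, the gated block at the end performs the restore, start and verification in one go. The images are not in the archive, so the first docker-compose up -d still needs reachability to Docker Hub.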
By default all log entries go to journald on the CKS host. To change where the logs go, the docker-compose.yml file will need to be modified; some examples are below.
For more information, please consult the Docker documentation.
Once the logs are redirected to a remote server they are no longer stored on the host, and the standard docker logs command will not work (on Docker Engine 20.10 and later the dual logging cache keeps docker logs working for remote drivers unless it has been disabled).
Syslog Server Logging
Logging to an external server from the container is controlled by:
- Configuration files under [Path to Install Folder]/rsyslog
The best practice is to log to Docker and manage the logging at the system level.
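An added example of the two logging choices discussed above (it is not a file shipped with CKS): a docker-compose override that keeps local Docker logging with rotation, which is the recommended setup, and a commented-out alternative that ships the container logs straight to a syslog server. The service name cks, the server names, the certificate path and the sizes are assumptions; adjust them to match the docker-compose.yml that CKS installed. docker-compose merges docker-compose.override.yml with docker-compose.yml automatically, so the vendor file stays untouched for upgrades.

```yaml
# docker-compose.override.yml  (added example, not shipped with CKS)
# Assumes the CKS service in docker-compose.yml is named "cks"; adjust to match.
version: "3"
services:
  cks:
    logging:
      # Local Docker logging with rotation: `docker logs` keeps working and the
      # host's own syslog/journald forwarding takes care of shipping the entries.
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "5"

    # Alternative: send the container logs straight to a syslog server over TLS.
    # With this driver the entries live only on the remote server and
    # `docker logs` no longer works unless dual logging is in effect.
    # logging:
    #   driver: "syslog"
    #   options:
    #     syslog-address: "tcp+tls://syslog.example.com:6514"
    #     syslog-tls-ca-cert: "/etc/ssl/certs/syslog-ca.pem"
    #     syslog-facility: "daemon"
    #     tag: "cks/{{.Name}}"
```

If you do switch to the syslog driver, use the TLS transport and pin the CA as shown rather than plain tcp or udp, since the status and audit entries leaving the CKS host are themselves worth protecting in transit.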