About
After installation, here are some considerations and best practices for maintaining your Virtru Private Keystore (for Virtru Solutions).
Load Balancer
Scenario 1
Traffic flows directly to containers
Scenario 2
Traffic flows to a load balancer and is terminated. The traffic is then reinitiated to the containers.
Design
For the load balancer we will be using the following scenario:
Perform status checks on each host
Shell
curl https://cksa.example.com:443 --insecure
curl https://cksb.example.com:443 --insecure
Status Check
To check the /status endpoint of the Virtru Private Keystore, run the following commands:
In all cases, you should get a JSON document returned that contains a version field.
Any other endpoint on the Virtru Private Keystore requires authentication and cannot be accessed without a special client (a browser or curl alone will not be sufficient).
For your local machine (during testing):
Host: Localhost
Port: 443
TLS: Not Validated
Shell
curl https://127.0.0.1/status --insecure
For a single server in the deployment of Virtru Private Keystore:
Host: cksa.example.com
Port: 443
TLS: Not Validated
Shell
curl https://cksa.example.com:443/status --insecure
For your deployment of Virtru Private Keystore
Host: cks.example.com
Port: 443
TLS: Validated
Shell
curl https://cks.example.com/status
For multiple checks
Shell
max=50
for i in $(seq 1 "$max"); do
  curl https://cks.example.com/status
  echo " - $i"
done
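A fuller status check than the bare curl loop above, added here as an example (it is not part of the Virtru documentation): it issues the same /status request to each backend and to the load-balanced name, but also confirms that the reply is a JSON document with a version field, which is what the Disaster Recovery steps ask you to verify after a restore. Hostnames are the page's example names; the RUN_CHECKS guard variable is an assumption.

```shell
#!/bin/sh
# Added example, not from the Virtru documentation: a /status check that also
# verifies the reply is a JSON document with a "version" field, as the page says
# a healthy Private Keystore returns. Hostnames are the page's example names.

# Return 0 if BODY looks like a JSON object that contains a "version" key.
status_body_ok() {
  case "$1" in
    *'"version"'*) ;;           # the field the page says must be present
    *) return 1 ;;
  esac
  trimmed=$(printf '%s' "$1" | tr -d ' \t\r\n')
  case "$trimmed" in           # crude shape check: an object, not an HTML error page
    \{*\}) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the version string from BODY (empty output if none is found).
status_version() {
  printf '%s\n' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_host HOST [insecure]: require HTTP 200 and a version field from /status.
# Pass "insecure" only when checking a single backend by its own name (the page's
# per-host examples skip TLS validation there); the cluster name is validated.
check_host() {
  host=$1
  flag=""
  if [ "${2:-}" = "insecure" ]; then flag="--insecure"; fi
  # -w appends the HTTP status code on its own line after the body; $flag is
  # intentionally unquoted so an empty value adds no argument
  out=$(curl -sS --max-time 5 $flag -w '\n%{http_code}' "https://$host/status") || {
    echo "FAIL $host: connection or TLS error"; return 1; }
  code=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  [ "$code" = "200" ] || { echo "FAIL $host: HTTP $code"; return 1; }
  status_body_ok "$body" || { echo "FAIL $host: no JSON version field"; return 1; }
  echo "OK   $host: version $(status_version "$body")"
}

# Check every backend directly, then the load-balanced name with TLS validation.
# Guarded (RUN_CHECKS=1, assumed name) so sourcing this file does not touch the network.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  rc=0
  for h in cksa.example.com cksb.example.com; do check_host "$h" insecure || rc=1; done
  check_host cks.example.com || rc=1
  if [ "$rc" -eq 0 ]; then echo "all hosts healthy"; fi
fi
```

Run it as RUN_CHECKS=1 sh status-check.sh from a host that can reach the keystore; a non-200 reply, a TLS failure, or a login page in place of JSON is reported as a failure for that host.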
Backup
Backing up the Virtru Private Keystore environment and servers is as simple as backing up the base folder the CKS is installed to.
- The default location is /var/virtru/cks; this folder includes all configuration files and certificates.
This will not include the Docker images that are accessed during the docker-compose process.
- If the images do not exist in the local repository, they will be downloaded automatically.
Disaster Recovery
In a disaster recovery scenario, the following items will need to be available:
Prerequisites:
- A backup host that has an internet connection
- Host must meet these prerequisites
- Docker
- Docker Compose
- Backup of the Virtru Private Keystore (CKS) environment (contents of /var/virtru/cks)
- This step assumes that you have a fully functioning CKS server
- Public DNS Management
Actions
- Modify DNS to point to the public IP of the new host
- Forward the same port that was used for the backup to the new host
- Install Docker on the Host
- Install Docker Compose
- Restore the backup to the replacement server
- Connect to the console and run docker-compose up -d
- The containers should be running and functioning.
- Verify with a Status Check and examine container logs.
- Repeat steps above for any additional host in a high availability scenario.
Logs
Standard settings log all entries to journald on the CKS host. To change where the logs go, the docker-compose.yml file will need to be modified; some examples are below.
For more information, please consult the Docker Documentation.
Once the logs are redirected to a remote server, they are no longer stored on the host and the standard docker logs command will not function.
Syslog Server Logging
Logging to an external server from the container is controlled by:
- Installer
- Configuration Files
- [Path to Install Folder]/rsyslog
Recommendation
The best practice is to log to Docker and manage the logging on the system level.