Create secure connection to PNs
The network connection between the HA and the PN is generally over a trusted LAN. In some cases, though, it might be desirable to provide strong authentication between the HA and the PN.
The onQ Appliance uses an X.509 certificate for security. Your onQ Appliance ships with a unique certificate already installed. onQ automatically copies over this certificate to the PNs when you enroll protected nodes and again when you upgrade them, establishing a secure connection between the onQ Appliance and the PNs. The onQ portal’s Connection Status column uses a green padlock icon to indicate a secure connection as outlined in Monitor protected nodes. The certificate has a long expiration.
You can regenerate and/or reinstall a new certificate at any time. There are a couple of scenarios where you might want to do so:
Your HA’s certificate is corrupt; therefore, so too is the certificate on your PNs.
You experienced a disaster scenario that resulted in you having to change the role of the DR Appliance to HA. In order for the RNs to establish a connection to that DR Appliance, you need to install the DR Appliance’s certificate on those RNs.
To fix a corrupt certificate:
Fixing a corrupt certificate requires that you regenerate and reinstall a new certificate. This procedure assumes that the HA’s certificate is corrupt, but you can extrapolate.
1. Log on to the HA’s onQ Portal.
2. Go to APPLIANCE CONFIG tab > ADVANCED button > SECURITY page.
3. Click Remove Certificate, then Yes to remove the existing certificate on the onQ Appliance. An example certificate is as follows:
4. Click Generate Certificate.
5. For each PN, reinstall the HA Appliance certificate by launching the HA’s onQ Portal from that PN and re-enrolling the protected node using the Protect Me button.
To establish a secure connection between RNs and a DR Appliance:
Assume that you experienced a disaster scenario that required you to change the role of the DR Appliance to HA. (If you’re performing a failback, extrapolate.) For the RNs to establish a connection to that DR Appliance, you need to install the DR Appliance’s certificate on those RNs. The certificate that was originally installed on the PNs is specific to the HA Appliance, which has a different hostname than the DR Appliance, the current acting HA.
To do so, simply launch the DR Appliance’s onQ Portal from the PNs, then re-enroll the protected nodes using the Protect Me button.
To manually install the certificate:
onQ automatically installs the certificate that you generate when you enroll protected nodes and again when you upgrade them. However, you can manually install the certificate, if you desire.
1. Log on to the HA’s onQ Portal.
2. RDP to the protected node.
3. From that PN, launch the HA’s onQ Portal.
4. Go to PROTECTION CONFIG tab, then click on the Update PN Security button.
5. Click Yes to download the file to the protected node. Your browser saves the file to its default location.
6. Move the onQApplianceName.cert file to C:\Program Files\Quorum\QuorumDCRM-NODE\security\.
7. Restart the onQ Service.
8. Restart protection.
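Before moving the file in step 6, you can confirm that the downloaded certificate parses, is within its validity period, and names the appliance that is currently acting as HA. The following PowerShell function is an added example, not Quorum code. It assumes that the .cert file is a PEM- or DER-encoded X.509 certificate and that the appliance hostname appears as the certificate's DNS name or subject CN; the function and parameter names are hypothetical.

```powershell
# Added example, not Quorum code. Assumptions: the .cert file is a PEM- or
# DER-encoded X.509 certificate, and the appliance hostname appears as the
# certificate's DNS name or subject CN. Function and parameter names are hypothetical.
function Install-ApplianceCert {
    param(
        [Parameter(Mandatory)] [string] $CertPath,          # downloaded onQApplianceName.cert
        [Parameter(Mandatory)] [string] $ApplianceHostName, # appliance currently acting as HA
        [string] $SecurityDir = 'C:\Program Files\Quorum\QuorumDCRM-NODE\security\'
    )
    $ErrorActionPreference = 'Stop'

    # Throws if the file is truncated or is not an X.509 certificate.
    $full = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # DNS name from the SAN extension, falling back to the subject CN.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $name = $cert.GetNameInfo($nameType, $false)

    $problems = @()
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # String comparison with -ne is case-insensitive, as hostnames are.
    if ($name -ne $ApplianceHostName) {
        $problems += "issued to '$name', expected '$ApplianceHostName'"
    }
    if (-not (Test-Path -LiteralPath $SecurityDir -PathType Container)) {
        $problems += "security folder '$SecurityDir' not found"
    }

    # Print the fingerprint so the same certificate can be confirmed on every node.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $fp = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    Write-Host "Subject: $($cert.Subject)"
    Write-Host "SHA-256: $fp"

    if ($problems.Count -gt 0) {
        throw "Not installing '$full': $($problems -join '; ')"
    }

    # Step 6: move the verified file into the agent's security folder.
    Move-Item -LiteralPath $full -Destination $SecurityDir -Force
    # Steps 7 and 8 (restart the onQ Service, restart protection) still follow.
}
```

Run it from an elevated PowerShell session on the protected node, because the destination is under C:\Program Files.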